Cisco WSA - Multiple attempts to download unwanted file

Back


Id	46b6c6fc-2c1a-4270-be10-9d444d83f027
Rulename	Cisco WSA - Multiple attempts to download unwanted file
Description	Detects when multiple attempts to download unwanted file occur.
Severity	Medium
Tactics	InitialAccess
Techniques	T1189
Required data connectors	SyslogAma
Kind	Scheduled
Query frequency	1h
Query period	1h
Trigger threshold	0
Trigger operator	gt
Source Uri	https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/CiscoWSA/Analytic Rules/CiscoWSAMultipleUnwantedFileTypes.yaml
Version	1.0.2
Arm template	46b6c6fc-2c1a-4270-be10-9d444d83f027.json

KQL

let threshold = 2;
CiscoWSAEvent
| where DvcAction =~ 'BLOCK_ADMIN_FILE_TYPE'
| summarize i_src = makeset(SrcIpAddr) by UrlOriginal, bin(TimeGenerated, 15m)
| where array_length(i_src) >= threshold
| extend IPCustomEntity = i_src, UrlCustomEntity = UrlOriginal

YAML

description: |
    'Detects when multiple attempts to download unwanted file occur.'
queryFrequency: 1h
status: Available
kind: Scheduled
relevantTechniques:
- T1189
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/CiscoWSA/Analytic Rules/CiscoWSAMultipleUnwantedFileTypes.yaml
requiredDataConnectors:
- connectorId: SyslogAma
  datatypes:
  - Syslog
id: 46b6c6fc-2c1a-4270-be10-9d444d83f027
severity: Medium
query: |
  let threshold = 2;
  CiscoWSAEvent
  | where DvcAction =~ 'BLOCK_ADMIN_FILE_TYPE'
  | summarize i_src = makeset(SrcIpAddr) by UrlOriginal, bin(TimeGenerated, 15m)
  | where array_length(i_src) >= threshold
  | extend IPCustomEntity = i_src, UrlCustomEntity = UrlOriginal  
tactics:
- InitialAccess
entityMappings:
- entityType: IP
  fieldMappings:
  - columnName: IPCustomEntity
    identifier: Address
- entityType: URL
  fieldMappings:
  - columnName: UrlCustomEntity
    identifier: Url
triggerThreshold: 0
queryPeriod: 1h
name: Cisco WSA - Multiple attempts to download unwanted file
triggerOperator: gt
version: 1.0.2

ARM