Cisco WSA - Multiple attempts to download unwanted file

Back


Id	46b6c6fc-2c1a-4270-be10-9d444d83f027
Rulename	Cisco WSA - Multiple attempts to download unwanted file
Description	Detects when multiple attempts to download unwanted file occur.
Severity	Medium
Tactics	InitialAccess
Techniques	T1189
Required data connectors	SyslogAma
Kind	Scheduled
Query frequency	1h
Query period	1h
Trigger threshold	0
Trigger operator	gt
Source Uri	https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/CiscoWSA/Analytic Rules/CiscoWSAMultipleUnwantedFileTypes.yaml
Version	1.0.2
Arm template	46b6c6fc-2c1a-4270-be10-9d444d83f027.json

KQL

let threshold = 2;
CiscoWSAEvent
| where DvcAction =~ 'BLOCK_ADMIN_FILE_TYPE'
| summarize i_src = makeset(SrcIpAddr) by UrlOriginal, bin(TimeGenerated, 15m)
| where array_length(i_src) >= threshold
| extend IPCustomEntity = i_src, UrlCustomEntity = UrlOriginal

YAML

requiredDataConnectors:
- datatypes:
  - Syslog
  connectorId: SyslogAma
queryPeriod: 1h
triggerThreshold: 0
queryFrequency: 1h
version: 1.0.2
status: Available
severity: Medium
description: |
    'Detects when multiple attempts to download unwanted file occur.'
name: Cisco WSA - Multiple attempts to download unwanted file
entityMappings:
- fieldMappings:
  - identifier: Address
    columnName: IPCustomEntity
  entityType: IP
- fieldMappings:
  - identifier: Url
    columnName: UrlCustomEntity
  entityType: URL
triggerOperator: gt
id: 46b6c6fc-2c1a-4270-be10-9d444d83f027
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/CiscoWSA/Analytic Rules/CiscoWSAMultipleUnwantedFileTypes.yaml
tactics:
- InitialAccess
relevantTechniques:
- T1189
kind: Scheduled
query: |
  let threshold = 2;
  CiscoWSAEvent
  | where DvcAction =~ 'BLOCK_ADMIN_FILE_TYPE'
  | summarize i_src = makeset(SrcIpAddr) by UrlOriginal, bin(TimeGenerated, 15m)
  | where array_length(i_src) >= threshold
  | extend IPCustomEntity = i_src, UrlCustomEntity = UrlOriginal

ARM