Cisco WSA - Multiple attempts to download unwanted file

Back


Id	46b6c6fc-2c1a-4270-be10-9d444d83f027
Rulename	Cisco WSA - Multiple attempts to download unwanted file
Description	Detects when multiple attempts to download unwanted file occur.
Severity	Medium
Tactics	InitialAccess
Techniques	T1189
Required data connectors	SyslogAma
Kind	Scheduled
Query frequency	1h
Query period	1h
Trigger threshold	0
Trigger operator	gt
Source Uri	https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/CiscoWSA/Analytic Rules/CiscoWSAMultipleUnwantedFileTypes.yaml
Version	1.0.2
Arm template	46b6c6fc-2c1a-4270-be10-9d444d83f027.json

KQL

let threshold = 2;
CiscoWSAEvent
| where DvcAction =~ 'BLOCK_ADMIN_FILE_TYPE'
| summarize i_src = makeset(SrcIpAddr) by UrlOriginal, bin(TimeGenerated, 15m)
| where array_length(i_src) >= threshold
| extend IPCustomEntity = i_src, UrlCustomEntity = UrlOriginal

YAML

entityMappings:
- entityType: IP
  fieldMappings:
  - identifier: Address
    columnName: IPCustomEntity
- entityType: URL
  fieldMappings:
  - identifier: Url
    columnName: UrlCustomEntity
version: 1.0.2
status: Available
requiredDataConnectors:
- datatypes:
  - Syslog
  connectorId: SyslogAma
severity: Medium
tactics:
- InitialAccess
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/CiscoWSA/Analytic Rules/CiscoWSAMultipleUnwantedFileTypes.yaml
triggerOperator: gt
queryPeriod: 1h
relevantTechniques:
- T1189
triggerThreshold: 0
query: |
  let threshold = 2;
  CiscoWSAEvent
  | where DvcAction =~ 'BLOCK_ADMIN_FILE_TYPE'
  | summarize i_src = makeset(SrcIpAddr) by UrlOriginal, bin(TimeGenerated, 15m)
  | where array_length(i_src) >= threshold
  | extend IPCustomEntity = i_src, UrlCustomEntity = UrlOriginal  
name: Cisco WSA - Multiple attempts to download unwanted file
description: |
    'Detects when multiple attempts to download unwanted file occur.'
queryFrequency: 1h
id: 46b6c6fc-2c1a-4270-be10-9d444d83f027
kind: Scheduled

ARM