Cisco WSA - Multiple attempts to download unwanted file

Back


Id	46b6c6fc-2c1a-4270-be10-9d444d83f027
Rulename	Cisco WSA - Multiple attempts to download unwanted file
Description	Detects when multiple attempts to download unwanted file occur.
Severity	Medium
Tactics	InitialAccess
Techniques	T1189
Required data connectors	SyslogAma
Kind	Scheduled
Query frequency	1h
Query period	1h
Trigger threshold	0
Trigger operator	gt
Source Uri	https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/CiscoWSA/Analytic Rules/CiscoWSAMultipleUnwantedFileTypes.yaml
Version	1.0.2
Arm template	46b6c6fc-2c1a-4270-be10-9d444d83f027.json

KQL

let threshold = 2;
CiscoWSAEvent
| where DvcAction =~ 'BLOCK_ADMIN_FILE_TYPE'
| summarize i_src = makeset(SrcIpAddr) by UrlOriginal, bin(TimeGenerated, 15m)
| where array_length(i_src) >= threshold
| extend IPCustomEntity = i_src, UrlCustomEntity = UrlOriginal

YAML

entityMappings:
- fieldMappings:
  - columnName: IPCustomEntity
    identifier: Address
  entityType: IP
- fieldMappings:
  - columnName: UrlCustomEntity
    identifier: Url
  entityType: URL
triggerOperator: gt
tactics:
- InitialAccess
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/CiscoWSA/Analytic Rules/CiscoWSAMultipleUnwantedFileTypes.yaml
version: 1.0.2
query: |
  let threshold = 2;
  CiscoWSAEvent
  | where DvcAction =~ 'BLOCK_ADMIN_FILE_TYPE'
  | summarize i_src = makeset(SrcIpAddr) by UrlOriginal, bin(TimeGenerated, 15m)
  | where array_length(i_src) >= threshold
  | extend IPCustomEntity = i_src, UrlCustomEntity = UrlOriginal  
triggerThreshold: 0
relevantTechniques:
- T1189
queryPeriod: 1h
status: Available
severity: Medium
kind: Scheduled
name: Cisco WSA - Multiple attempts to download unwanted file
queryFrequency: 1h
id: 46b6c6fc-2c1a-4270-be10-9d444d83f027
description: |
    'Detects when multiple attempts to download unwanted file occur.'
requiredDataConnectors:
- datatypes:
  - Syslog
  connectorId: SyslogAma

ARM