Microsoft Sentinel Analytic Rules
cloudbrothers.infoAzure Sentinel RepoToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeBack to homepage
  1. Microsoft Sentinel Analytics Rules
  2. /
  3. Analytic Rules
  4. /
  5. Cisco Umbrella - Connection to Unpopular Website Detected

Cisco Umbrella - Connection to Unpopular Website Detected

Back
Id75297f62-10a8-4fc1-9b2a-12f25c6f05a7
RulenameCisco Umbrella - Connection to Unpopular Website Detected
DescriptionDetects first connection to an unpopular website (possible malicious payload delivery).
SeverityMedium
TacticsCommandAndControl
Required data connectorsCiscoUmbrellaDataConnector
KindScheduled
Query frequency1d
Query period14d
Trigger threshold0
Trigger operatorgt
Source Urihttps://github.com/Azure/Azure-Sentinel/blob/master/Detections/CiscoUmbrella/CiscoUmbrellaConnectionToUnpopularWebsiteDetected.yaml
Version1.1.2
Arm template75297f62-10a8-4fc1-9b2a-12f25c6f05a7.json
Deploy To Azure
let domain_lookBack= 14d;
let timeframe = 1d;
let top_million_list = Cisco_Umbrella
| where EventType == "proxylogs"
| where TimeGenerated > ago(domain_lookBack) and TimeGenerated < ago(timeframe)
| extend Hostname = parse_url(UrlOriginal)["Host"]
| summarize count() by tostring(Hostname)
| top 1000000 by count_
| summarize make_list(Hostname);
Cisco_Umbrella
| where EventType == "proxylogs"
| where TimeGenerated > ago(timeframe)
| extend Hostname = parse_url(UrlOriginal)["Host"]
| where Hostname !in (top_million_list)
| extend Message = "Connect to unpopular website (possible malicious payload delivery)"
| project Message, SrcIpAddr, DstIpAddr,UrlOriginal, TimeGenerated

query: |
  let domain_lookBack= 14d;
  let timeframe = 1d;
  let top_million_list = Cisco_Umbrella
  | where EventType == "proxylogs"
  | where TimeGenerated > ago(domain_lookBack) and TimeGenerated < ago(timeframe)
  | extend Hostname = parse_url(UrlOriginal)["Host"]
  | summarize count() by tostring(Hostname)
  | top 1000000 by count_
  | summarize make_list(Hostname);
  Cisco_Umbrella
  | where EventType == "proxylogs"
  | where TimeGenerated > ago(timeframe)
  | extend Hostname = parse_url(UrlOriginal)["Host"]
  | where Hostname !in (top_million_list)
  | extend Message = "Connect to unpopular website (possible malicious payload delivery)"
  | project Message, SrcIpAddr, DstIpAddr,UrlOriginal, TimeGenerated  
description: |
    'Detects first connection to an unpopular website (possible malicious payload delivery).'
triggerOperator: gt
triggerThreshold: 0
queryPeriod: 14d
queryFrequency: 1d
entityMappings:
- entityType: URL
  fieldMappings:
  - columnName: UrlOriginal
    identifier: Url
- entityType: IP
  fieldMappings:
  - columnName: SrcIpAddr
    identifier: Address
name: Cisco Umbrella - Connection to Unpopular Website Detected
id: 75297f62-10a8-4fc1-9b2a-12f25c6f05a7
tactics:
- CommandAndControl
kind: Scheduled
requiredDataConnectors:
- connectorId: CiscoUmbrellaDataConnector
  dataTypes:
  - Cisco_Umbrella_proxy_CL
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Detections/CiscoUmbrella/CiscoUmbrellaConnectionToUnpopularWebsiteDetected.yaml
version: 1.1.2
severity: Medium