Microsoft Sentinel Analytic Rules

Cisco Umbrella - Connection to Unpopular Website Detected

Id: 75297f62-10a8-4fc1-9b2a-12f25c6f05a7
Rulename: Cisco Umbrella - Connection to Unpopular Website Detected
Description: Detects first connection to an unpopular website (possible malicious payload delivery).
Severity: Medium
Tactics: CommandAndControl
Required data connectors: CiscoUmbrellaDataConnector
Kind: Scheduled
Query frequency: 1d
Query period: 14d
Trigger threshold: 0
Trigger operator: gt
Source Uri: https://github.com/Azure/Azure-Sentinel/blob/master/Detections/CiscoUmbrella/CiscoUmbrellaConnectionToUnpopularWebsiteDetected.yaml
Version: 1.1.2
Arm template: 75297f62-10a8-4fc1-9b2a-12f25c6f05a7.json
// Baseline ("popular") hosts: every proxy-log hostname seen in the 14-day
// window that closes one day ago, ranked by request count, top 1,000,000
// kept. The most recent day is deliberately excluded so that a host first
// contacted today cannot make itself popular inside the detection window.
let baselineWindow = 14d;
let detectionWindow = 1d;
let popularHosts = Cisco_Umbrella
| where EventType == "proxylogs"
    and TimeGenerated > ago(baselineWindow)
    and TimeGenerated < ago(detectionWindow)
| extend Hostname = parse_url(UrlOriginal)["Host"]
| summarize count() by tostring(Hostname)
| top 1000000 by count_
| summarize make_list(Hostname);
// Detection: proxy connections in the last day whose host is outside the
// baseline. Every such row becomes an alert (the rule's trigger threshold
// is 0), so expect volume on first enablement.
// NOTE(review): Hostname is dynamic here while the baseline holds strings,
// and popularHosts is a single-row table containing one array; this is the
// upstream pattern -- confirm in the workspace that `!in` filters per
// element rather than comparing against the whole array.
Cisco_Umbrella
| where EventType == "proxylogs" and TimeGenerated > ago(detectionWindow)
| extend Hostname = parse_url(UrlOriginal)["Host"]
| where Hostname !in (popularHosts)
| extend Message = "Connect to unpopular website (possible malicious payload delivery)"
| project Message, SrcIpAddr, DstIpAddr,UrlOriginal, TimeGenerated
# Sentinel scheduled analytic rule; the upstream definition is at OriginalUri.
id: 75297f62-10a8-4fc1-9b2a-12f25c6f05a7
requiredDataConnectors:
- dataTypes:
  - Cisco_Umbrella_proxy_CL
  connectorId: CiscoUmbrellaDataConnector
# gt with triggerThreshold 0 (below): any result row raises an alert.
triggerOperator: gt
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Detections/CiscoUmbrella/CiscoUmbrellaConnectionToUnpopularWebsiteDetected.yaml
kind: Scheduled
name: Cisco Umbrella - Connection to Unpopular Website Detected
# Runs daily; queryPeriod (14d, below) must cover the query's own 14d
# domain_lookBack or the baseline is silently truncated.
queryFrequency: 1d
severity: Medium
query: |
  let domain_lookBack= 14d;
  let timeframe = 1d;
  let top_million_list = Cisco_Umbrella
  | where EventType == "proxylogs"
  | where TimeGenerated > ago(domain_lookBack) and TimeGenerated < ago(timeframe)
  | extend Hostname = parse_url(UrlOriginal)["Host"]
  | summarize count() by tostring(Hostname)
  | top 1000000 by count_
  | summarize make_list(Hostname);
  Cisco_Umbrella
  | where EventType == "proxylogs"
  | where TimeGenerated > ago(timeframe)
  | extend Hostname = parse_url(UrlOriginal)["Host"]
  | where Hostname !in (top_million_list)
  | extend Message = "Connect to unpopular website (possible malicious payload delivery)"
  | project Message, SrcIpAddr, DstIpAddr,UrlOriginal, TimeGenerated  
triggerThreshold: 0
tactics:
- CommandAndControl
# Entities: UrlOriginal -> URL, SrcIpAddr -> IP. DstIpAddr is projected by
# the query but has no entity mapping here.
entityMappings:
- fieldMappings:
  - columnName: UrlOriginal
    identifier: Url
  entityType: URL
- fieldMappings:
  - columnName: SrcIpAddr
    identifier: Address
  entityType: IP
version: 1.1.2
queryPeriod: 14d
description: |
    'Detects first connection to an unpopular website (possible malicious payload delivery).'
{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "workspace": {
      "type": "String"
    }
  },
  "resources": [
    {
      "apiVersion": "2023-02-01-preview",
      "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/75297f62-10a8-4fc1-9b2a-12f25c6f05a7')]",
      "kind": "Scheduled",
      "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/75297f62-10a8-4fc1-9b2a-12f25c6f05a7')]",
      "properties": {
        "alertRuleTemplateName": "75297f62-10a8-4fc1-9b2a-12f25c6f05a7",
        "customDetails": null,
        "description": "'Detects first connection to an unpopular website (possible malicious payload delivery).'\n",
        "displayName": "Cisco Umbrella - Connection to Unpopular Website Detected",
        "enabled": true,
        "entityMappings": [
          {
            "entityType": "URL",
            "fieldMappings": [
              {
                "columnName": "UrlOriginal",
                "identifier": "Url"
              }
            ]
          },
          {
            "entityType": "IP",
            "fieldMappings": [
              {
                "columnName": "SrcIpAddr",
                "identifier": "Address"
              }
            ]
          }
        ],
        "OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Detections/CiscoUmbrella/CiscoUmbrellaConnectionToUnpopularWebsiteDetected.yaml",
        "query": "let domain_lookBack= 14d;\nlet timeframe = 1d;\nlet top_million_list = Cisco_Umbrella\n| where EventType == \"proxylogs\"\n| where TimeGenerated > ago(domain_lookBack) and TimeGenerated < ago(timeframe)\n| extend Hostname = parse_url(UrlOriginal)[\"Host\"]\n| summarize count() by tostring(Hostname)\n| top 1000000 by count_\n| summarize make_list(Hostname);\nCisco_Umbrella\n| where EventType == \"proxylogs\"\n| where TimeGenerated > ago(timeframe)\n| extend Hostname = parse_url(UrlOriginal)[\"Host\"]\n| where Hostname !in (top_million_list)\n| extend Message = \"Connect to unpopular website (possible malicious payload delivery)\"\n| project Message, SrcIpAddr, DstIpAddr,UrlOriginal, TimeGenerated\n",
        "queryFrequency": "P1D",
        "queryPeriod": "P14D",
        "severity": "Medium",
        "suppressionDuration": "PT1H",
        "suppressionEnabled": false,
        "tactics": [
          "CommandAndControl"
        ],
        "templateVersion": "1.1.2",
        "triggerOperator": "GreaterThan",
        "triggerThreshold": 0
      },
      "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules"
    }
  ]
}