Microsoft Sentinel Analytic Rules
cloudbrothers.infoAzure Sentinel RepoToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeBack to homepage
  1. Microsoft Sentinel Analytics Rules
  2. /
  3. Analytic Rules
  4. /
  5. Cisco Umbrella - Connection to Unpopular Website Detected

Cisco Umbrella - Connection to Unpopular Website Detected

Back
Id75297f62-10a8-4fc1-9b2a-12f25c6f05a7
RulenameCisco Umbrella - Connection to Unpopular Website Detected
DescriptionDetects first connection to an unpopular website (possible malicious payload delivery).
SeverityMedium
TacticsCommandAndControl
Required data connectorsCiscoUmbrellaDataConnector
KindScheduled
Query frequency1d
Query period14d
Trigger threshold0
Trigger operatorgt
Source Urihttps://github.com/Azure/Azure-Sentinel/blob/master/Detections/CiscoUmbrella/CiscoUmbrellaConnectionToUnpopularWebsiteDetected.yaml
Version1.1.2
Arm template75297f62-10a8-4fc1-9b2a-12f25c6f05a7.json
Deploy To Azure
let domain_lookBack= 14d;
let timeframe = 1d;
let top_million_list = Cisco_Umbrella
| where EventType == "proxylogs"
| where TimeGenerated > ago(domain_lookBack) and TimeGenerated < ago(timeframe)
| extend Hostname = parse_url(UrlOriginal)["Host"]
| summarize count() by tostring(Hostname)
| top 1000000 by count_
| summarize make_list(Hostname);
Cisco_Umbrella
| where EventType == "proxylogs"
| where TimeGenerated > ago(timeframe)
| extend Hostname = parse_url(UrlOriginal)["Host"]
| where Hostname !in (top_million_list)
| extend Message = "Connect to unpopular website (possible malicious payload delivery)"
| project Message, SrcIpAddr, DstIpAddr,UrlOriginal, TimeGenerated

queryPeriod: 14d
entityMappings:
- fieldMappings:
  - identifier: Url
    columnName: UrlOriginal
  entityType: URL
- fieldMappings:
  - identifier: Address
    columnName: SrcIpAddr
  entityType: IP
severity: Medium
requiredDataConnectors:
- connectorId: CiscoUmbrellaDataConnector
  dataTypes:
  - Cisco_Umbrella_proxy_CL
id: 75297f62-10a8-4fc1-9b2a-12f25c6f05a7
triggerOperator: gt
kind: Scheduled
query: |
  let domain_lookBack= 14d;
  let timeframe = 1d;
  let top_million_list = Cisco_Umbrella
  | where EventType == "proxylogs"
  | where TimeGenerated > ago(domain_lookBack) and TimeGenerated < ago(timeframe)
  | extend Hostname = parse_url(UrlOriginal)["Host"]
  | summarize count() by tostring(Hostname)
  | top 1000000 by count_
  | summarize make_list(Hostname);
  Cisco_Umbrella
  | where EventType == "proxylogs"
  | where TimeGenerated > ago(timeframe)
  | extend Hostname = parse_url(UrlOriginal)["Host"]
  | where Hostname !in (top_million_list)
  | extend Message = "Connect to unpopular website (possible malicious payload delivery)"
  | project Message, SrcIpAddr, DstIpAddr,UrlOriginal, TimeGenerated  
tactics:
- CommandAndControl
triggerThreshold: 0
queryFrequency: 1d
description: |
    'Detects first connection to an unpopular website (possible malicious payload delivery).'
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Detections/CiscoUmbrella/CiscoUmbrellaConnectionToUnpopularWebsiteDetected.yaml
name: Cisco Umbrella - Connection to Unpopular Website Detected
version: 1.1.2

{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "workspace": {
      "type": "String"
    }
  },
  "resources": [
    {
      "apiVersion": "2024-01-01-preview",
      "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/75297f62-10a8-4fc1-9b2a-12f25c6f05a7')]",
      "kind": "Scheduled",
      "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/75297f62-10a8-4fc1-9b2a-12f25c6f05a7')]",
      "properties": {
        "alertRuleTemplateName": "75297f62-10a8-4fc1-9b2a-12f25c6f05a7",
        "customDetails": null,
        "description": "'Detects first connection to an unpopular website (possible malicious payload delivery).'\n",
        "displayName": "Cisco Umbrella - Connection to Unpopular Website Detected",
        "enabled": true,
        "entityMappings": [
          {
            "entityType": "URL",
            "fieldMappings": [
              {
                "columnName": "UrlOriginal",
                "identifier": "Url"
              }
            ]
          },
          {
            "entityType": "IP",
            "fieldMappings": [
              {
                "columnName": "SrcIpAddr",
                "identifier": "Address"
              }
            ]
          }
        ],
        "OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Detections/CiscoUmbrella/CiscoUmbrellaConnectionToUnpopularWebsiteDetected.yaml",
        "query": "let domain_lookBack= 14d;\nlet timeframe = 1d;\nlet top_million_list = Cisco_Umbrella\n| where EventType == \"proxylogs\"\n| where TimeGenerated > ago(domain_lookBack) and TimeGenerated < ago(timeframe)\n| extend Hostname = parse_url(UrlOriginal)[\"Host\"]\n| summarize count() by tostring(Hostname)\n| top 1000000 by count_\n| summarize make_list(Hostname);\nCisco_Umbrella\n| where EventType == \"proxylogs\"\n| where TimeGenerated > ago(timeframe)\n| extend Hostname = parse_url(UrlOriginal)[\"Host\"]\n| where Hostname !in (top_million_list)\n| extend Message = \"Connect to unpopular website (possible malicious payload delivery)\"\n| project Message, SrcIpAddr, DstIpAddr,UrlOriginal, TimeGenerated\n",
        "queryFrequency": "P1D",
        "queryPeriod": "P14D",
        "severity": "Medium",
        "subTechniques": [],
        "suppressionDuration": "PT1H",
        "suppressionEnabled": false,
        "tactics": [
          "CommandAndControl"
        ],
        "templateVersion": "1.1.2",
        "triggerOperator": "GreaterThan",
        "triggerThreshold": 0
      },
      "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules"
    }
  ]
}