Microsoft Sentinel Analytic Rules

Cisco Umbrella - Connection to Unpopular Website Detected

Id: 75297f62-10a8-4fc1-9b2a-12f25c6f05a7
Rulename: Cisco Umbrella - Connection to Unpopular Website Detected
Description: Detects first connection to an unpopular website (possible malicious payload delivery).
Severity: Medium
Tactics: CommandAndControl
Required data connectors: CiscoUmbrellaDataConnector
Kind: Scheduled
Query frequency: 1d
Query period: 14d
Trigger threshold: 0
Trigger operator: gt
Source Uri: https://github.com/Azure/Azure-Sentinel/blob/master/Detections/CiscoUmbrella/CiscoUmbrellaConnectionToUnpopularWebsiteDetected.yaml
Version: 1.1.2
Arm template: 75297f62-10a8-4fc1-9b2a-12f25c6f05a7.json
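// Cisco Umbrella - Connection to Unpopular Website Detected
// Baseline window: hosts seen in proxy logs during `domain_lookBack`, excluding
// the most recent `timeframe`. Detection window: proxy requests in the last
// `timeframe` whose host does not appear in the baseline.
let domain_lookBack= 14d;
let timeframe = 1d;
// Baseline as a single-column table of hostnames. The `in` operator takes the
// first column of a tabular expression as its set; the previous
// `summarize make_list(Hostname)` produced one row holding one array, so
// `!in` compared each hostname against that array as a whole rather than
// against its elements. `in` accepts at most 1,000,000 values from a tabular
// expression, which the `top 1000000` keeps within bounds.
let top_million_list = Cisco_Umbrella
| where EventType == "proxylogs"
| where TimeGenerated > ago(domain_lookBack) and TimeGenerated < ago(timeframe)
| extend Hostname = tostring(parse_url(UrlOriginal)["Host"])
| summarize count() by Hostname
| top 1000000 by count_
| project Hostname;
Cisco_Umbrella
| where EventType == "proxylogs"
| where TimeGenerated > ago(timeframe)
// tostring() so the comparison is string-to-string, matching the baseline
// column type (parse_url returns a dynamic value).
| extend Hostname = tostring(parse_url(UrlOriginal)["Host"])
// Records without a parsable host are skipped: an empty host is never in the
// baseline and would otherwise fire on every such record.
| where isnotempty(Hostname) and Hostname !in (top_million_list)
| extend Message = "Connect to unpopular website (possible malicious payload delivery)"
| project Message, SrcIpAddr, DstIpAddr,UrlOriginal, TimeGenerated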
# Entities extracted from each result row: the requested URL and the source IP.
entityMappings:
- entityType: URL
  fieldMappings:
  - identifier: Url
    columnName: UrlOriginal
- entityType: IP
  fieldMappings:
  - identifier: Address
    columnName: SrcIpAddr
name: Cisco Umbrella - Connection to Unpopular Website Detected
tactics:
- CommandAndControl
severity: Medium
# With operator gt and threshold 0, any result row raises an alert.
triggerThreshold: 0
id: 75297f62-10a8-4fc1-9b2a-12f25c6f05a7
version: 1.1.2
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Detections/CiscoUmbrella/CiscoUmbrellaConnectionToUnpopularWebsiteDetected.yaml
queryFrequency: 1d
triggerOperator: gt
# Baseline: hosts seen in proxy logs over domain_lookBack (14d), excluding the
# most recent timeframe (1d). Detection: proxy requests in the last 1d whose
# host is absent from that baseline.
query: |
  let domain_lookBack= 14d;
  let timeframe = 1d;
  let top_million_list = Cisco_Umbrella
  | where EventType == "proxylogs"
  | where TimeGenerated > ago(domain_lookBack) and TimeGenerated < ago(timeframe)
  | extend Hostname = parse_url(UrlOriginal)["Host"]
  | summarize count() by tostring(Hostname)
  | top 1000000 by count_
  | summarize make_list(Hostname);
  Cisco_Umbrella
  | where EventType == "proxylogs"
  | where TimeGenerated > ago(timeframe)
  | extend Hostname = parse_url(UrlOriginal)["Host"]
  | where Hostname !in (top_million_list)
  | extend Message = "Connect to unpopular website (possible malicious payload delivery)"
  | project Message, SrcIpAddr, DstIpAddr,UrlOriginal, TimeGenerated  
description: |
    'Detects first connection to an unpopular website (possible malicious payload delivery).'
requiredDataConnectors:
- connectorId: CiscoUmbrellaDataConnector
  dataTypes:
  - Cisco_Umbrella_proxy_CL
# queryPeriod bounds the data the query can read; it matches domain_lookBack
# (14d) so the baseline window is fully populated. Shortening it below 14d
# would truncate the baseline and inflate "unpopular" hits.
queryPeriod: 14d
kind: Scheduled
{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "workspace": {
      "type": "String"
    }
  },
  "resources": [
    {
      "apiVersion": "2024-01-01-preview",
      "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/75297f62-10a8-4fc1-9b2a-12f25c6f05a7')]",
      "kind": "Scheduled",
      "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/75297f62-10a8-4fc1-9b2a-12f25c6f05a7')]",
      "properties": {
        "alertRuleTemplateName": "75297f62-10a8-4fc1-9b2a-12f25c6f05a7",
        "customDetails": null,
        "description": "'Detects first connection to an unpopular website (possible malicious payload delivery).'\n",
        "displayName": "Cisco Umbrella - Connection to Unpopular Website Detected",
        "enabled": true,
        "entityMappings": [
          {
            "entityType": "URL",
            "fieldMappings": [
              {
                "columnName": "UrlOriginal",
                "identifier": "Url"
              }
            ]
          },
          {
            "entityType": "IP",
            "fieldMappings": [
              {
                "columnName": "SrcIpAddr",
                "identifier": "Address"
              }
            ]
          }
        ],
        "OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Detections/CiscoUmbrella/CiscoUmbrellaConnectionToUnpopularWebsiteDetected.yaml",
        "query": "let domain_lookBack= 14d;\nlet timeframe = 1d;\nlet top_million_list = Cisco_Umbrella\n| where EventType == \"proxylogs\"\n| where TimeGenerated > ago(domain_lookBack) and TimeGenerated < ago(timeframe)\n| extend Hostname = parse_url(UrlOriginal)[\"Host\"]\n| summarize count() by tostring(Hostname)\n| top 1000000 by count_\n| summarize make_list(Hostname);\nCisco_Umbrella\n| where EventType == \"proxylogs\"\n| where TimeGenerated > ago(timeframe)\n| extend Hostname = parse_url(UrlOriginal)[\"Host\"]\n| where Hostname !in (top_million_list)\n| extend Message = \"Connect to unpopular website (possible malicious payload delivery)\"\n| project Message, SrcIpAddr, DstIpAddr,UrlOriginal, TimeGenerated\n",
        "queryFrequency": "P1D",
        "queryPeriod": "P14D",
        "severity": "Medium",
        "subTechniques": [],
        "suppressionDuration": "PT1H",
        "suppressionEnabled": false,
        "tactics": [
          "CommandAndControl"
        ],
        "templateVersion": "1.1.2",
        "triggerOperator": "GreaterThan",
        "triggerThreshold": 0
      },
      "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules"
    }
  ]
}