Box - Forbidden file type downloaded

Back


Id	8889e69c-2161-412a-94a6-76c1b2d9daa7
Rulename	Box - Forbidden file type downloaded
Description	Detects when new user downloads forbidden file types.
Severity	Medium
Tactics	InitialAccess
Techniques	T1189
Required data connectors	BoxDataConnector
Kind	Scheduled
Query frequency	1h
Query period	1h
Trigger threshold	0
Trigger operator	gt
Source Uri	https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Box/Analytic Rules/BoxDownloadForbiddenFiles.yaml
Version	1.0.0
Arm template	8889e69c-2161-412a-94a6-76c1b2d9daa7.json

KQL

let forbidden_files = dynamic(['ps1', 'bat', 'scr', 'sh']);
BoxEvents
| where EventType =~ 'DOWNLOAD'
| extend file_type = extract(@'\.(\w+)$', 1, SourceItemName)
| where file_type in (forbidden_files)
| extend AccountCustomEntity = SrcUserName
| extend IPCustomEntity = SrcIpAddr

YAML

name: Box - Forbidden file type downloaded
relevantTechniques:
- T1189
id: 8889e69c-2161-412a-94a6-76c1b2d9daa7
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Box/Analytic Rules/BoxDownloadForbiddenFiles.yaml
requiredDataConnectors:
- dataTypes:
  - BoxEvents_CL
  connectorId: BoxDataConnector
version: 1.0.0
severity: Medium
triggerThreshold: 0
queryPeriod: 1h
entityMappings:
- fieldMappings:
  - identifier: FullName
    columnName: AccountCustomEntity
  entityType: Account
- fieldMappings:
  - identifier: Address
    columnName: IPCustomEntity
  entityType: IP
queryFrequency: 1h
status: Available
query: |
  let forbidden_files = dynamic(['ps1', 'bat', 'scr', 'sh']);
  BoxEvents
  | where EventType =~ 'DOWNLOAD'
  | extend file_type = extract(@'\.(\w+)$', 1, SourceItemName)
  | where file_type in (forbidden_files)
  | extend AccountCustomEntity = SrcUserName
  | extend IPCustomEntity = SrcIpAddr  
tactics:
- InitialAccess
kind: Scheduled
description: |
    'Detects when new user downloads forbidden file types.'
triggerOperator: gt

ARM