Box - Forbidden file type downloaded

Back


Id	8889e69c-2161-412a-94a6-76c1b2d9daa7
Rulename	Box - Forbidden file type downloaded
Description	Detects when new user downloads forbidden file types.
Severity	Medium
Tactics	InitialAccess
Techniques	T1189
Required data connectors	BoxDataConnector
Kind	Scheduled
Query frequency	1h
Query period	1h
Trigger threshold	0
Trigger operator	gt
Source Uri	https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Box/Analytic Rules/BoxDownloadForbiddenFiles.yaml
Version	1.0.0
Arm template	8889e69c-2161-412a-94a6-76c1b2d9daa7.json

KQL

let forbidden_files = dynamic(['ps1', 'bat', 'scr', 'sh']);
BoxEvents
| where EventType =~ 'DOWNLOAD'
| extend file_type = extract(@'\.(\w+)$', 1, SourceItemName)
| where file_type in (forbidden_files)
| extend AccountCustomEntity = SrcUserName
| extend IPCustomEntity = SrcIpAddr

YAML

status: Available
queryFrequency: 1h
queryPeriod: 1h
triggerOperator: gt
query: |
  let forbidden_files = dynamic(['ps1', 'bat', 'scr', 'sh']);
  BoxEvents
  | where EventType =~ 'DOWNLOAD'
  | extend file_type = extract(@'\.(\w+)$', 1, SourceItemName)
  | where file_type in (forbidden_files)
  | extend AccountCustomEntity = SrcUserName
  | extend IPCustomEntity = SrcIpAddr  
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Box/Analytic Rules/BoxDownloadForbiddenFiles.yaml
tactics:
- InitialAccess
triggerThreshold: 0
entityMappings:
- entityType: Account
  fieldMappings:
  - identifier: FullName
    columnName: AccountCustomEntity
- entityType: IP
  fieldMappings:
  - identifier: Address
    columnName: IPCustomEntity
requiredDataConnectors:
- connectorId: BoxDataConnector
  dataTypes:
  - BoxEvents_CL
kind: Scheduled
relevantTechniques:
- T1189
description: |
    'Detects when new user downloads forbidden file types.'
name: Box - Forbidden file type downloaded
version: 1.0.0
id: 8889e69c-2161-412a-94a6-76c1b2d9daa7
severity: Medium

ARM