Cisco Umbrella - Hack Tool User-Agent Detected
| Id | 8d537f3c-094f-430c-a588-8a87da36ee3a |
| Rulename | Cisco Umbrella - Hack Tool User-Agent Detected |
| Description | Detects suspicious user agent strings used by known hack tools |
| Severity | Medium |
| Tactics | CommandAndControl |
| Required data connectors | CiscoUmbrellaDataConnector |
| Kind | Scheduled |
| Query frequency | 15m |
| Query period | 15m |
| Trigger threshold | 0 |
| Trigger operator | gt |
| Source Uri | https://github.com/Azure/Azure-Sentinel/blob/master/Detections/CiscoUmbrella/CiscoUmbrellaHackToolUserAgentDetected.yaml |
| Version | 1.1.2 |
| Arm template | 8d537f3c-094f-430c-a588-8a87da36ee3a.json |
let timeframe = 15m;
let user_agents=dynamic([
'(hydra)',
' arachni/',
' BFAC ',
' brutus ',
' cgichk ',
'core-project/1.0',
' crimscanner/',
'datacha0s',
'dirbuster',
'domino hunter',
'dotdotpwn',
'FHScan Core',
'floodgate',
'get-minimal',
'gootkit auto-rooter scanner',
'grendel-scan',
' inspath ',
'internet ninja',
'jaascois',
' zmeu ',
'masscan',
' metis ',
'morfeus fucking scanner',
'n-stealth',
'nsauditor',
'pmafind',
'security scan',
'springenwerk',
'teh forest lobster',
'toata dragostea',
' vega/',
'voideye',
'webshag',
'webvulnscan',
' whcc/',
' Havij',
'absinthe',
'bsqlbf',
'mysqloit',
'pangolin',
'sql power injector',
'sqlmap',
'sqlninja',
'uil2pn',
'ruler',
'Mozilla/5.0 (Windows; U; Windows NT 5.1; pt-PT; rv:1.9.1.2) Gecko/20090729 Firefox/3.5.2 (.NET CLR 3.5.30729)'
]);
Cisco_Umbrella
| where EventType == "proxylogs"
| where TimeGenerated > ago(timeframe)
| where HttpUserAgentOriginal has_any (user_agents)
| extend Message = "Hack Tool User Agent"
| project Message, SrcIpAddr, DstIpAddr, UrlOriginal, TimeGenerated, HttpUserAgentOriginal
name: Cisco Umbrella - Hack Tool User-Agent Detected
requiredDataConnectors:
- dataTypes:
- Cisco_Umbrella_proxy_CL
connectorId: CiscoUmbrellaDataConnector
entityMappings:
- fieldMappings:
- identifier: Url
columnName: UrlOriginal
entityType: URL
- fieldMappings:
- identifier: Address
columnName: SrcIpAddr
entityType: IP
triggerThreshold: 0
id: 8d537f3c-094f-430c-a588-8a87da36ee3a
tactics:
- CommandAndControl
version: 1.1.2
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Detections/CiscoUmbrella/CiscoUmbrellaHackToolUserAgentDetected.yaml
queryPeriod: 15m
kind: Scheduled
queryFrequency: 15m
severity: Medium
description: |
'Detects suspicious user agent strings used by known hack tools'
query: |
let timeframe = 15m;
let user_agents=dynamic([
'(hydra)',
' arachni/',
' BFAC ',
' brutus ',
' cgichk ',
'core-project/1.0',
' crimscanner/',
'datacha0s',
'dirbuster',
'domino hunter',
'dotdotpwn',
'FHScan Core',
'floodgate',
'get-minimal',
'gootkit auto-rooter scanner',
'grendel-scan',
' inspath ',
'internet ninja',
'jaascois',
' zmeu ',
'masscan',
' metis ',
'morfeus fucking scanner',
'n-stealth',
'nsauditor',
'pmafind',
'security scan',
'springenwerk',
'teh forest lobster',
'toata dragostea',
' vega/',
'voideye',
'webshag',
'webvulnscan',
' whcc/',
' Havij',
'absinthe',
'bsqlbf',
'mysqloit',
'pangolin',
'sql power injector',
'sqlmap',
'sqlninja',
'uil2pn',
'ruler',
'Mozilla/5.0 (Windows; U; Windows NT 5.1; pt-PT; rv:1.9.1.2) Gecko/20090729 Firefox/3.5.2 (.NET CLR 3.5.30729)'
]);
Cisco_Umbrella
| where EventType == "proxylogs"
| where TimeGenerated > ago(timeframe)
| where HttpUserAgentOriginal has_any (user_agents)
| extend Message = "Hack Tool User Agent"
| project Message, SrcIpAddr, DstIpAddr, UrlOriginal, TimeGenerated, HttpUserAgentOriginal
triggerOperator: gt
{
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"parameters": {
"workspace": {
"type": "String"
}
},
"resources": [
{
"apiVersion": "2024-01-01-preview",
"id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/8d537f3c-094f-430c-a588-8a87da36ee3a')]",
"kind": "Scheduled",
"name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/8d537f3c-094f-430c-a588-8a87da36ee3a')]",
"properties": {
"alertRuleTemplateName": "8d537f3c-094f-430c-a588-8a87da36ee3a",
"customDetails": null,
"description": "'Detects suspicious user agent strings used by known hack tools'\n",
"displayName": "Cisco Umbrella - Hack Tool User-Agent Detected",
"enabled": true,
"entityMappings": [
{
"entityType": "URL",
"fieldMappings": [
{
"columnName": "UrlOriginal",
"identifier": "Url"
}
]
},
{
"entityType": "IP",
"fieldMappings": [
{
"columnName": "SrcIpAddr",
"identifier": "Address"
}
]
}
],
"OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Detections/CiscoUmbrella/CiscoUmbrellaHackToolUserAgentDetected.yaml",
"query": "let timeframe = 15m;\nlet user_agents=dynamic([\n '(hydra)',\n ' arachni/',\n ' BFAC ',\n ' brutus ',\n ' cgichk ',\n 'core-project/1.0',\n ' crimscanner/',\n 'datacha0s',\n 'dirbuster',\n 'domino hunter',\n 'dotdotpwn',\n 'FHScan Core',\n 'floodgate',\n 'get-minimal',\n 'gootkit auto-rooter scanner',\n 'grendel-scan',\n ' inspath ',\n 'internet ninja',\n 'jaascois',\n ' zmeu ',\n 'masscan',\n ' metis ',\n 'morfeus fucking scanner',\n 'n-stealth',\n 'nsauditor',\n 'pmafind',\n 'security scan',\n 'springenwerk',\n 'teh forest lobster',\n 'toata dragostea',\n ' vega/',\n 'voideye',\n 'webshag',\n 'webvulnscan',\n ' whcc/',\n ' Havij',\n 'absinthe',\n 'bsqlbf',\n 'mysqloit',\n 'pangolin',\n 'sql power injector',\n 'sqlmap',\n 'sqlninja',\n 'uil2pn',\n 'ruler',\n 'Mozilla/5.0 (Windows; U; Windows NT 5.1; pt-PT; rv:1.9.1.2) Gecko/20090729 Firefox/3.5.2 (.NET CLR 3.5.30729)'\n ]);\nCisco_Umbrella\n| where EventType == \"proxylogs\"\n| where TimeGenerated > ago(timeframe)\n| where HttpUserAgentOriginal has_any (user_agents)\n| extend Message = \"Hack Tool User Agent\"\n| project Message, SrcIpAddr, DstIpAddr, UrlOriginal, TimeGenerated, HttpUserAgentOriginal\n",
"queryFrequency": "PT15M",
"queryPeriod": "PT15M",
"severity": "Medium",
"subTechniques": [],
"suppressionDuration": "PT1H",
"suppressionEnabled": false,
"tactics": [
"CommandAndControl"
],
"templateVersion": "1.1.2",
"triggerOperator": "GreaterThan",
"triggerThreshold": 0
},
"type": "Microsoft.OperationalInsights/workspaces/providers/alertRules"
}
]
}