Microsoft Sentinel Analytic Rules
cloudbrothers.infoAzure Sentinel RepoToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeBack to homepage

Cisco Umbrella - Hack Tool User-Agent Detected

Back
Id8d537f3c-094f-430c-a588-8a87da36ee3a
RulenameCisco Umbrella - Hack Tool User-Agent Detected
DescriptionDetects suspicious user agent strings used by known hack tools
SeverityMedium
TacticsCommandAndControl
Required data connectorsCiscoUmbrellaDataConnector
KindScheduled
Query frequency15m
Query period15m
Trigger threshold0
Trigger operatorgt
Source Urihttps://github.com/Azure/Azure-Sentinel/blob/master/Detections/CiscoUmbrella/CiscoUmbrellaHackToolUserAgentDetected.yaml
Version1.1.2
Arm template8d537f3c-094f-430c-a588-8a87da36ee3a.json
Deploy To Azure
let timeframe = 15m;
let user_agents=dynamic([
                          '(hydra)',
                          ' arachni/',
                          ' BFAC ',
                          ' brutus ',
                          ' cgichk ',
                          'core-project/1.0',
                          ' crimscanner/',
                          'datacha0s',
                          'dirbuster',
                          'domino hunter',
                          'dotdotpwn',
                          'FHScan Core',
                          'floodgate',
                          'get-minimal',
                          'gootkit auto-rooter scanner',
                          'grendel-scan',
                          ' inspath ',
                          'internet ninja',
                          'jaascois',
                          ' zmeu ',
                          'masscan',
                          ' metis ',
                          'morfeus fucking scanner',
                          'n-stealth',
                          'nsauditor',
                          'pmafind',
                          'security scan',
                          'springenwerk',
                          'teh forest lobster',
                          'toata dragostea',
                          ' vega/',
                          'voideye',
                          'webshag',
                          'webvulnscan',
                          ' whcc/',
                          ' Havij',
                          'absinthe',
                          'bsqlbf',
                          'mysqloit',
                          'pangolin',
                          'sql power injector',
                          'sqlmap',
                          'sqlninja',
                          'uil2pn',
                          'ruler',
                          'Mozilla/5.0 (Windows; U; Windows NT 5.1; pt-PT; rv:1.9.1.2) Gecko/20090729 Firefox/3.5.2 (.NET CLR 3.5.30729)'
                          ]);
Cisco_Umbrella
| where EventType == "proxylogs"
| where TimeGenerated > ago(timeframe)
| where HttpUserAgentOriginal has_any (user_agents)
| extend Message = "Hack Tool User Agent"
| project Message, SrcIpAddr, DstIpAddr, UrlOriginal, TimeGenerated, HttpUserAgentOriginal
kind: Scheduled
triggerThreshold: 0
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Detections/CiscoUmbrella/CiscoUmbrellaHackToolUserAgentDetected.yaml
requiredDataConnectors:
- dataTypes:
  - Cisco_Umbrella_proxy_CL
  connectorId: CiscoUmbrellaDataConnector
queryPeriod: 15m
tactics:
- CommandAndControl
severity: Medium
triggerOperator: gt
description: |
    'Detects suspicious user agent strings used by known hack tools'
query: |
  let timeframe = 15m;
  let user_agents=dynamic([
                            '(hydra)',
                            ' arachni/',
                            ' BFAC ',
                            ' brutus ',
                            ' cgichk ',
                            'core-project/1.0',
                            ' crimscanner/',
                            'datacha0s',
                            'dirbuster',
                            'domino hunter',
                            'dotdotpwn',
                            'FHScan Core',
                            'floodgate',
                            'get-minimal',
                            'gootkit auto-rooter scanner',
                            'grendel-scan',
                            ' inspath ',
                            'internet ninja',
                            'jaascois',
                            ' zmeu ',
                            'masscan',
                            ' metis ',
                            'morfeus fucking scanner',
                            'n-stealth',
                            'nsauditor',
                            'pmafind',
                            'security scan',
                            'springenwerk',
                            'teh forest lobster',
                            'toata dragostea',
                            ' vega/',
                            'voideye',
                            'webshag',
                            'webvulnscan',
                            ' whcc/',
                            ' Havij',
                            'absinthe',
                            'bsqlbf',
                            'mysqloit',
                            'pangolin',
                            'sql power injector',
                            'sqlmap',
                            'sqlninja',
                            'uil2pn',
                            'ruler',
                            'Mozilla/5.0 (Windows; U; Windows NT 5.1; pt-PT; rv:1.9.1.2) Gecko/20090729 Firefox/3.5.2 (.NET CLR 3.5.30729)'
                            ]);
  Cisco_Umbrella
  | where EventType == "proxylogs"
  | where TimeGenerated > ago(timeframe)
  | where HttpUserAgentOriginal has_any (user_agents)
  | extend Message = "Hack Tool User Agent"
  | project Message, SrcIpAddr, DstIpAddr, UrlOriginal, TimeGenerated, HttpUserAgentOriginal  
name: Cisco Umbrella - Hack Tool User-Agent Detected
version: 1.1.2
id: 8d537f3c-094f-430c-a588-8a87da36ee3a
queryFrequency: 15m
entityMappings:
- entityType: URL
  fieldMappings:
  - columnName: UrlOriginal
    identifier: Url
- entityType: IP
  fieldMappings:
  - columnName: SrcIpAddr
    identifier: Address
{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "workspace": {
      "type": "String"
    }
  },
  "resources": [
    {
      "apiVersion": "2023-02-01-preview",
      "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/8d537f3c-094f-430c-a588-8a87da36ee3a')]",
      "kind": "Scheduled",
      "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/8d537f3c-094f-430c-a588-8a87da36ee3a')]",
      "properties": {
        "alertRuleTemplateName": "8d537f3c-094f-430c-a588-8a87da36ee3a",
        "customDetails": null,
        "description": "'Detects suspicious user agent strings used by known hack tools'\n",
        "displayName": "Cisco Umbrella - Hack Tool User-Agent Detected",
        "enabled": true,
        "entityMappings": [
          {
            "entityType": "URL",
            "fieldMappings": [
              {
                "columnName": "UrlOriginal",
                "identifier": "Url"
              }
            ]
          },
          {
            "entityType": "IP",
            "fieldMappings": [
              {
                "columnName": "SrcIpAddr",
                "identifier": "Address"
              }
            ]
          }
        ],
        "OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Detections/CiscoUmbrella/CiscoUmbrellaHackToolUserAgentDetected.yaml",
        "query": "let timeframe = 15m;\nlet user_agents=dynamic([\n                          '(hydra)',\n                          ' arachni/',\n                          ' BFAC ',\n                          ' brutus ',\n                          ' cgichk ',\n                          'core-project/1.0',\n                          ' crimscanner/',\n                          'datacha0s',\n                          'dirbuster',\n                          'domino hunter',\n                          'dotdotpwn',\n                          'FHScan Core',\n                          'floodgate',\n                          'get-minimal',\n                          'gootkit auto-rooter scanner',\n                          'grendel-scan',\n                          ' inspath ',\n                          'internet ninja',\n                          'jaascois',\n                          ' zmeu ',\n                          'masscan',\n                          ' metis ',\n                          'morfeus fucking scanner',\n                          'n-stealth',\n                          'nsauditor',\n                          'pmafind',\n                          'security scan',\n                          'springenwerk',\n                          'teh forest lobster',\n                          'toata dragostea',\n                          ' vega/',\n                          'voideye',\n                          'webshag',\n                          'webvulnscan',\n                          ' whcc/',\n                          ' Havij',\n                          'absinthe',\n                          'bsqlbf',\n                          'mysqloit',\n                          'pangolin',\n                          'sql power injector',\n                          'sqlmap',\n                          'sqlninja',\n                          'uil2pn',\n                          'ruler',\n                          'Mozilla/5.0 (Windows; U; Windows NT 5.1; pt-PT; rv:1.9.1.2) Gecko/20090729 Firefox/3.5.2 (.NET CLR 3.5.30729)'\n                          ]);\nCisco_Umbrella\n| where EventType == \"proxylogs\"\n| where TimeGenerated > ago(timeframe)\n| where HttpUserAgentOriginal has_any (user_agents)\n| extend Message = \"Hack Tool User Agent\"\n| project Message, SrcIpAddr, DstIpAddr, UrlOriginal, TimeGenerated, HttpUserAgentOriginal\n",
        "queryFrequency": "PT15M",
        "queryPeriod": "PT15M",
        "severity": "Medium",
        "suppressionDuration": "PT1H",
        "suppressionEnabled": false,
        "tactics": [
          "CommandAndControl"
        ],
        "templateVersion": "1.1.2",
        "triggerOperator": "GreaterThan",
        "triggerThreshold": 0
      },
      "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules"
    }
  ]
}