Cisco WSA - Multiple infected files

Back


Id	93186e3d-5dc2-4a00-a993-fa1448db8734
Rulename	Cisco WSA - Multiple infected files
Description	Detects multiple infected files on same source.
Severity	High
Tactics	InitialAccess
Techniques	T1189
Required data connectors	SyslogAma
Kind	Scheduled
Query frequency	1h
Query period	1h
Trigger threshold	0
Trigger operator	gt
Source Uri	https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/CiscoWSA/Analytic Rules/CiscoWSAMultipleInfectedFiles.yaml
Version	1.0.3
Arm template	93186e3d-5dc2-4a00-a993-fa1448db8734.json

KQL

CiscoWSAEvent
| where isnotempty(AmpFileName)
| where isnotempty(ThreatName)
| summarize count() by SrcIpAddr, SrcUserName, bin(TimeGenerated, 15m)
| where count_ > 1
| extend IPCustomEntity = SrcIpAddr, AccountCustomEntity = SrcUserName

YAML

name: Cisco WSA - Multiple infected files
id: 93186e3d-5dc2-4a00-a993-fa1448db8734
description: |
    'Detects multiple infected files on same source.'
triggerThreshold: 0
entityMappings:
- fieldMappings:
  - columnName: IPCustomEntity
    identifier: Address
  entityType: IP
- fieldMappings:
  - columnName: AccountCustomEntity
    identifier: Name
  entityType: Account
version: 1.0.3
triggerOperator: gt
query: |
  CiscoWSAEvent
  | where isnotempty(AmpFileName)
  | where isnotempty(ThreatName)
  | summarize count() by SrcIpAddr, SrcUserName, bin(TimeGenerated, 15m)
  | where count_ > 1
  | extend IPCustomEntity = SrcIpAddr, AccountCustomEntity = SrcUserName  
tactics:
- InitialAccess
kind: Scheduled
queryFrequency: 1h
severity: High
queryPeriod: 1h
requiredDataConnectors:
- datatypes:
  - Syslog
  connectorId: SyslogAma
status: Available
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/CiscoWSA/Analytic Rules/CiscoWSAMultipleInfectedFiles.yaml
relevantTechniques:
- T1189

ARM