Cisco WSA - Multiple infected files

Back


Id	93186e3d-5dc2-4a00-a993-fa1448db8734
Rulename	Cisco WSA - Multiple infected files
Description	Detects multiple infected files on same source.
Severity	High
Tactics	InitialAccess
Techniques	T1189
Required data connectors	SyslogAma
Kind	Scheduled
Query frequency	1h
Query period	1h
Trigger threshold	0
Trigger operator	gt
Source Uri	https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/CiscoWSA/Analytic Rules/CiscoWSAMultipleInfectedFiles.yaml
Version	1.0.3
Arm template	93186e3d-5dc2-4a00-a993-fa1448db8734.json

KQL

CiscoWSAEvent
| where isnotempty(AmpFileName)
| where isnotempty(ThreatName)
| summarize count() by SrcIpAddr, SrcUserName, bin(TimeGenerated, 15m)
| where count_ > 1
| extend IPCustomEntity = SrcIpAddr, AccountCustomEntity = SrcUserName

YAML

requiredDataConnectors:
- datatypes:
  - Syslog
  connectorId: SyslogAma
query: |
  CiscoWSAEvent
  | where isnotempty(AmpFileName)
  | where isnotempty(ThreatName)
  | summarize count() by SrcIpAddr, SrcUserName, bin(TimeGenerated, 15m)
  | where count_ > 1
  | extend IPCustomEntity = SrcIpAddr, AccountCustomEntity = SrcUserName  
triggerOperator: gt
severity: High
queryPeriod: 1h
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/CiscoWSA/Analytic Rules/CiscoWSAMultipleInfectedFiles.yaml
name: Cisco WSA - Multiple infected files
tactics:
- InitialAccess
relevantTechniques:
- T1189
kind: Scheduled
status: Available
queryFrequency: 1h
id: 93186e3d-5dc2-4a00-a993-fa1448db8734
entityMappings:
- entityType: IP
  fieldMappings:
  - identifier: Address
    columnName: IPCustomEntity
- entityType: Account
  fieldMappings:
  - identifier: Name
    columnName: AccountCustomEntity
version: 1.0.3
triggerThreshold: 0
description: |
    'Detects multiple infected files on same source.'

ARM