Cisco WSA - Multiple infected files

Back


Id	93186e3d-5dc2-4a00-a993-fa1448db8734
Rulename	Cisco WSA - Multiple infected files
Description	Detects multiple infected files on same source.
Severity	High
Tactics	InitialAccess
Techniques	T1189
Required data connectors	SyslogAma
Kind	Scheduled
Query frequency	1h
Query period	1h
Trigger threshold	0
Trigger operator	gt
Source Uri	https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/CiscoWSA/Analytic Rules/CiscoWSAMultipleInfectedFiles.yaml
Version	1.0.3
Arm template	93186e3d-5dc2-4a00-a993-fa1448db8734.json

KQL

CiscoWSAEvent
| where isnotempty(AmpFileName)
| where isnotempty(ThreatName)
| summarize count() by SrcIpAddr, SrcUserName, bin(TimeGenerated, 15m)
| where count_ > 1
| extend IPCustomEntity = SrcIpAddr, AccountCustomEntity = SrcUserName

YAML

OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/CiscoWSA/Analytic Rules/CiscoWSAMultipleInfectedFiles.yaml
severity: High
queryPeriod: 1h
name: Cisco WSA - Multiple infected files
kind: Scheduled
query: |
  CiscoWSAEvent
  | where isnotempty(AmpFileName)
  | where isnotempty(ThreatName)
  | summarize count() by SrcIpAddr, SrcUserName, bin(TimeGenerated, 15m)
  | where count_ > 1
  | extend IPCustomEntity = SrcIpAddr, AccountCustomEntity = SrcUserName  
requiredDataConnectors:
- connectorId: SyslogAma
  datatypes:
  - Syslog
description: |
    'Detects multiple infected files on same source.'
relevantTechniques:
- T1189
tactics:
- InitialAccess
queryFrequency: 1h
triggerThreshold: 0
entityMappings:
- entityType: IP
  fieldMappings:
  - columnName: IPCustomEntity
    identifier: Address
- entityType: Account
  fieldMappings:
  - columnName: AccountCustomEntity
    identifier: Name
status: Available
version: 1.0.3
triggerOperator: gt
id: 93186e3d-5dc2-4a00-a993-fa1448db8734

ARM