Cisco WSA - Multiple infected files

Back


Id	93186e3d-5dc2-4a00-a993-fa1448db8734
Rulename	Cisco WSA - Multiple infected files
Description	Detects multiple infected files on same source.
Severity	High
Tactics	InitialAccess
Techniques	T1189
Required data connectors	SyslogAma
Kind	Scheduled
Query frequency	1h
Query period	1h
Trigger threshold	0
Trigger operator	gt
Source Uri	https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/CiscoWSA/Analytic Rules/CiscoWSAMultipleInfectedFiles.yaml
Version	1.0.3
Arm template	93186e3d-5dc2-4a00-a993-fa1448db8734.json

KQL

CiscoWSAEvent
| where isnotempty(AmpFileName)
| where isnotempty(ThreatName)
| summarize count() by SrcIpAddr, SrcUserName, bin(TimeGenerated, 15m)
| where count_ > 1
| extend IPCustomEntity = SrcIpAddr, AccountCustomEntity = SrcUserName

YAML

OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/CiscoWSA/Analytic Rules/CiscoWSAMultipleInfectedFiles.yaml
queryPeriod: 1h
kind: Scheduled
name: Cisco WSA - Multiple infected files
status: Available
entityMappings:
- fieldMappings:
  - columnName: IPCustomEntity
    identifier: Address
  entityType: IP
- fieldMappings:
  - columnName: AccountCustomEntity
    identifier: Name
  entityType: Account
tactics:
- InitialAccess
description: |
    'Detects multiple infected files on same source.'
severity: High
requiredDataConnectors:
- connectorId: SyslogAma
  datatypes:
  - Syslog
queryFrequency: 1h
triggerThreshold: 0
version: 1.0.3
query: |
  CiscoWSAEvent
  | where isnotempty(AmpFileName)
  | where isnotempty(ThreatName)
  | summarize count() by SrcIpAddr, SrcUserName, bin(TimeGenerated, 15m)
  | where count_ > 1
  | extend IPCustomEntity = SrcIpAddr, AccountCustomEntity = SrcUserName  
relevantTechniques:
- T1189
id: 93186e3d-5dc2-4a00-a993-fa1448db8734
triggerOperator: gt

ARM