Cisco WSA - Multiple infected files

Back


Id	93186e3d-5dc2-4a00-a993-fa1448db8734
Rulename	Cisco WSA - Multiple infected files
Description	Detects multiple infected files on same source.
Severity	High
Tactics	InitialAccess
Techniques	T1189
Required data connectors	SyslogAma
Kind	Scheduled
Query frequency	1h
Query period	1h
Trigger threshold	0
Trigger operator	gt
Source Uri	https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/CiscoWSA/Analytic Rules/CiscoWSAMultipleInfectedFiles.yaml
Version	1.0.3
Arm template	93186e3d-5dc2-4a00-a993-fa1448db8734.json

KQL

CiscoWSAEvent
| where isnotempty(AmpFileName)
| where isnotempty(ThreatName)
| summarize count() by SrcIpAddr, SrcUserName, bin(TimeGenerated, 15m)
| where count_ > 1
| extend IPCustomEntity = SrcIpAddr, AccountCustomEntity = SrcUserName

YAML

relevantTechniques:
- T1189
version: 1.0.3
severity: High
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/CiscoWSA/Analytic Rules/CiscoWSAMultipleInfectedFiles.yaml
name: Cisco WSA - Multiple infected files
description: |
    'Detects multiple infected files on same source.'
queryFrequency: 1h
tactics:
- InitialAccess
triggerThreshold: 0
queryPeriod: 1h
id: 93186e3d-5dc2-4a00-a993-fa1448db8734
entityMappings:
- fieldMappings:
  - identifier: Address
    columnName: IPCustomEntity
  entityType: IP
- fieldMappings:
  - identifier: Name
    columnName: AccountCustomEntity
  entityType: Account
requiredDataConnectors:
- connectorId: SyslogAma
  datatypes:
  - Syslog
triggerOperator: gt
status: Available
query: |
  CiscoWSAEvent
  | where isnotempty(AmpFileName)
  | where isnotempty(ThreatName)
  | summarize count() by SrcIpAddr, SrcUserName, bin(TimeGenerated, 15m)
  | where count_ > 1
  | extend IPCustomEntity = SrcIpAddr, AccountCustomEntity = SrcUserName  
kind: Scheduled

ARM