Cisco Umbrella - Windows PowerShell User-Agent Detected
| Id | b12b3dab-d973-45af-b07e-e29bb34d8db9 |
| Rulename | Cisco Umbrella - Windows PowerShell User-Agent Detected |
| Description | Rule helps to detect PowerShell user-agent activity originating from an unusual process, i.e. one other than a web browser. |
| Severity | Medium |
| Tactics | CommandAndControl DefenseEvasion |
| Required data connectors | CiscoUmbrellaDataConnector |
| Kind | Scheduled |
| Query frequency | 15m |
| Query period | 15m |
| Trigger threshold | 0 |
| Trigger operator | gt |
| Source Uri | https://github.com/Azure/Azure-Sentinel/blob/master/Detections/CiscoUmbrella/CiscoUmbrellaPowershellUserAgentDetected.yaml |
| Version | 1.1.2 |
| Arm template | b12b3dab-d973-45af-b07e-e29bb34d8db9.json |
// Lookback window for one run; the rule's queryPeriod and queryFrequency are both 15m,
// so this value should stay in step with them.
let lookback = 15m;
Cisco_Umbrella
// Proxy log events inside the lookback window whose User-Agent header mentions
// WindowsPowerShell anywhere in the string (`contains` is a case-insensitive substring match).
| where EventType == "proxylogs"
    and TimeGenerated > ago(lookback)
    and HttpUserAgentOriginal contains "WindowsPowerShell"
// Fixed alert label, then the columns the rule's entity mappings read
// (UrlOriginal -> URL entity, SrcIpAddr -> IP entity) plus context for triage.
| extend Message = "Windows PowerShell User Agent"
| project Message, SrcIpAddr, DstIpAddr, UrlOriginal, TimeGenerated, HttpUserAgentOriginal
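# Sentinel scheduled analytic rule: Cisco Umbrella - Windows PowerShell User-Agent Detected.
# Nested mappings, list items and the block scalars below were flattened to column 0 on the
# rendered page; the indentation is restored here so the document parses as one rule.
description: |
  'Rule helps to detect Powershell user-agent activity by an unusual process other than a web browser.'
kind: Scheduled
tactics:
  - CommandAndControl
  - DefenseEvasion
requiredDataConnectors:
  - connectorId: CiscoUmbrellaDataConnector
    dataTypes:
      - Cisco_Umbrella_proxy_CL
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Detections/CiscoUmbrella/CiscoUmbrellaPowershellUserAgentDetected.yaml
severity: Medium
name: Cisco Umbrella - Windows PowerShell User-Agent Detected
# Fires when the query returns more than 0 rows (see triggerOperator: gt below).
triggerThreshold: 0
# Lookback per run. The query's own "let timeframe = 15m" duplicates this value; keep both in sync.
queryPeriod: 15m
query: |
  let timeframe = 15m;
  Cisco_Umbrella
  | where EventType == "proxylogs"
  | where TimeGenerated > ago(timeframe)
  | where HttpUserAgentOriginal contains "WindowsPowerShell"
  | extend Message = "Windows PowerShell User Agent"
  | project Message, SrcIpAddr, DstIpAddr, UrlOriginal, TimeGenerated,HttpUserAgentOriginal
id: b12b3dab-d973-45af-b07e-e29bb34d8db9
# Equal to queryPeriod, so consecutive runs cover adjacent, non-overlapping windows.
queryFrequency: 15m
# Columns named here (UrlOriginal, SrcIpAddr) must remain in the query's project list.
entityMappings:
  - entityType: URL
    fieldMappings:
      - columnName: UrlOriginal
        identifier: Url
  - entityType: IP
    fieldMappings:
      - columnName: SrcIpAddr
        identifier: Address
triggerOperator: gt
version: 1.1.2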