Cisco Umbrella - Connection to non-corporate private network
| Id | c9b6d281-b96b-4763-b728-9a04b9fe1246 |
| Rulename | Cisco Umbrella - Connection to non-corporate private network |
| Description | IP addresses of broadband links, which usually indicate users attempting to access their home network, for example for a remote session to a home computer. |
| Severity | Medium |
| Tactics | CommandAndControl, Exfiltration |
| Required data connectors | CiscoUmbrellaDataConnector |
| Kind | Scheduled |
| Query frequency | 10m |
| Query period | 10m |
| Trigger threshold | 0 |
| Trigger operator | gt |
| Source Uri | https://github.com/Azure/Azure-Sentinel/blob/master/Detections/CiscoUmbrella/CiscoUmbrellaConnectionNon-CorporatePrivateNetwork.yaml |
| Version | 1.1.1 |
| Arm template | c9b6d281-b96b-4763-b728-9a04b9fe1246.json |
let lbtime = 10m;
Cisco_Umbrella
| where TimeGenerated > ago(lbtime)
| where EventType == 'proxylogs'
| where DvcAction =~ 'Allowed'
| where UrlCategory has_any ('Dynamic and Residential', 'Personal VPN')
| project TimeGenerated, SrcIpAddr, Identities
queryPeriod: 10m
query: |
let lbtime = 10m;
Cisco_Umbrella
| where TimeGenerated > ago(lbtime)
| where EventType == 'proxylogs'
| where DvcAction =~ 'Allowed'
| where UrlCategory has_any ('Dynamic and Residential', 'Personal VPN')
| project TimeGenerated, SrcIpAddr, Identities
name: Cisco Umbrella - Connection to non-corporate private network
entityMappings:
- fieldMappings:
- columnName: Identities
identifier: FullName
entityType: Account
- fieldMappings:
- columnName: SrcIpAddr
identifier: Address
entityType: IP
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Detections/CiscoUmbrella/CiscoUmbrellaConnectionNon-CorporatePrivateNetwork.yaml
description: |
'IP addresses of broadband links, which usually indicate users attempting to access their home network, for example for a remote session to a home computer.'
kind: Scheduled
version: 1.1.1
queryFrequency: 10m
severity: Medium
requiredDataConnectors:
- connectorId: CiscoUmbrellaDataConnector
dataTypes:
- Cisco_Umbrella_proxy_CL
triggerOperator: gt
triggerThreshold: 0
tactics:
- CommandAndControl
- Exfiltration
id: c9b6d281-b96b-4763-b728-9a04b9fe1246
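To see what the query above actually matches, here is an offline re-implementation of its where clauses in Python, run over constructed records shaped like the `Cisco_Umbrella` columns the rule uses. This is an added example, not code from the Azure Sentinel repository; the `kql_has` helper approximates KQL `has`/`has_any` term-matching semantics (an assumption, stated in the code), and the `summarize_by_identity` step is a tuning suggestion, not part of the shipped rule.

```python
"""Offline model of the Sentinel rule's filter (added example, not the rule itself)."""
import re
from datetime import datetime, timedelta, timezone

# The two Umbrella URL categories the rule treats as non-corporate private
# networks, taken from the KQL above.
SUSPECT_CATEGORIES = ("Dynamic and Residential", "Personal VPN")

def kql_has(column_value: str, term: str) -> bool:
    """Approximate KQL `has`: case-insensitive match of `term` at term boundaries.
    Assumption: a boundary is anything non-alphanumeric, so 'Dynamic DNS' does
    not match 'Dynamic and Residential' and 'NonPersonal VPN' does not match
    'Personal VPN' (unlike a plain substring `contains`)."""
    pattern = r"(?<![A-Za-z0-9])" + re.escape(term) + r"(?![A-Za-z0-9])"
    return re.search(pattern, column_value, re.IGNORECASE) is not None

def kql_has_any(column_value: str, terms) -> bool:
    """Approximate KQL `has_any`: true if any listed term matches."""
    return any(kql_has(column_value, t) for t in terms)

def detect(records, now, lookback=timedelta(minutes=10)):
    """Apply the rule's where clauses and return the projected columns."""
    cutoff = now - lookback
    hits = []
    for r in records:
        if not r["TimeGenerated"] > cutoff:        # TimeGenerated > ago(lbtime)
            continue
        if r["EventType"] != "proxylogs":          # == is case-sensitive in KQL
            continue
        if r["DvcAction"].lower() != "allowed":    # =~ is case-insensitive
            continue
        if not kql_has_any(r["UrlCategory"], SUSPECT_CATEGORIES):
            continue
        hits.append({k: r[k] for k in ("TimeGenerated", "SrcIpAddr", "Identities")})
    return hits

def summarize_by_identity(hits):
    """Tuning step NOT in the shipped rule: collapse hits to one row per identity
    with count, first/last seen and source IPs, so a burst of proxied requests to
    one home IP produces a single alert rather than one per request."""
    summary = {}
    for h in hits:
        s = summary.setdefault(h["Identities"], {
            "count": 0,
            "first_seen": h["TimeGenerated"],
            "last_seen": h["TimeGenerated"],
            "src_ips": set(),
        })
        s["count"] += 1
        s["first_seen"] = min(s["first_seen"], h["TimeGenerated"])
        s["last_seen"] = max(s["last_seen"], h["TimeGenerated"])
        s["src_ips"].add(h["SrcIpAddr"])
    return summary

# Fixed "now" so the 10-minute window is deterministic when run offline.
NOW = datetime(2024, 5, 1, 12, 0, tzinfo=timezone.utc)

def _rec(minutes_ago, event_type, action, category, src_ip, identity):
    return {
        "TimeGenerated": NOW - timedelta(minutes=minutes_ago),
        "EventType": event_type, "DvcAction": action, "UrlCategory": category,
        "SrcIpAddr": src_ip, "Identities": identity,
    }

# Constructed sample records (not real Umbrella data), one per branch of the filter.
SAMPLE_RECORDS = [
    _rec(3, "proxylogs", "Allowed", "Dynamic and Residential", "10.0.0.5", "alice@corp.example"),  # hit
    _rec(1, "proxylogs", "Allowed", "Dynamic and Residential", "10.0.0.5", "alice@corp.example"),  # hit
    _rec(2, "proxylogs", "allowed", "Personal VPN,Software/Technology", "10.0.0.9", "bob@corp.example"),  # hit: =~ ignores case
    _rec(1, "proxylogs", "Blocked", "Personal VPN", "10.0.0.7", "carol@corp.example"),  # blocked by Umbrella, no hit
    _rec(4, "proxylogs", "Allowed", "Dynamic DNS", "10.0.0.8", "dave@corp.example"),  # has_any needs the whole phrase
    _rec(4, "dnslogs", "Allowed", "Dynamic and Residential", "10.0.0.6", "erin@corp.example"),  # not proxylogs
    _rec(15, "proxylogs", "Allowed", "Dynamic and Residential", "10.0.0.5", "alice@corp.example"),  # outside the 10m window
]

if __name__ == "__main__":
    hits = detect(SAMPLE_RECORDS, NOW)
    for identity, s in summarize_by_identity(hits).items():
        print(identity, s["count"], sorted(s["src_ips"]), s["first_seen"], s["last_seen"])
```

With a trigger threshold of 0 and operator `gt`, the shipped rule raises an alert for every 10-minute window containing at least one allowed request in these categories, and each projected row becomes its own entity mapping. Adding a `summarize count(), min(TimeGenerated), max(TimeGenerated), make_set(SrcIpAddr) by Identities` stage to the KQL (the equivalent of `summarize_by_identity` here) keeps the Account and IP entities while reducing one user's remote-desktop session to a single alert.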