Cisco Umbrella - Request Allowed to harmfulmalicious URI category
| Id | d6bf1931-b1eb-448d-90b2-de118559c7ce |
| Rulename | Cisco Umbrella - Request Allowed to harmful/malicious URI category |
| Description | It is reccomended that these Categories shoud be blocked by policies because they provide harmful/malicious content.. |
| Severity | Medium |
| Tactics | CommandAndControl InitialAccess |
| Required data connectors | CiscoUmbrellaDataConnector |
| Kind | Scheduled |
| Query frequency | 10m |
| Query period | 10m |
| Trigger threshold | 0 |
| Trigger operator | gt |
| Source Uri | https://github.com/Azure/Azure-Sentinel/blob/master/Detections/CiscoUmbrella/CiscoUmbrellaRequestAllowedHarmfulMaliciousURICategory.yaml |
| Version | 1.1.1 |
| Arm template | d6bf1931-b1eb-448d-90b2-de118559c7ce.json |
let lbtime = 10m;
Cisco_Umbrella
| where TimeGenerated > ago(lbtime)
| where EventType == 'proxylogs'
| where DvcAction =~ 'Allowed'
| where UrlCategory contains 'Adult Themes' or
UrlCategory contains 'Adware' or
UrlCategory contains 'Alcohol' or
UrlCategory contains 'Illegal Downloads' or
UrlCategory contains 'Drugs' or
UrlCategory contains 'Child Abuse Content' or
UrlCategory contains 'Hate/Discrimination' or
UrlCategory contains 'Nudity' or
UrlCategory contains 'Pornography' or
UrlCategory contains 'Proxy/Anonymizer' or
UrlCategory contains 'Sexuality' or
UrlCategory contains 'Tasteless' or
UrlCategory contains 'Terrorism' or
UrlCategory contains 'Web Spam' or
UrlCategory contains 'German Youth Protection' or
UrlCategory contains 'Illegal Activities' or
UrlCategory contains 'Lingerie/Bikini' or
UrlCategory contains 'Weapons'
| project TimeGenerated, SrcIpAddr, Identities
name: Cisco Umbrella - Request Allowed to harmful/malicious URI category
requiredDataConnectors:
- dataTypes:
- Cisco_Umbrella_proxy_CL
connectorId: CiscoUmbrellaDataConnector
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Detections/CiscoUmbrella/CiscoUmbrellaRequestAllowedHarmfulMaliciousURICategory.yaml
query: |
let lbtime = 10m;
Cisco_Umbrella
| where TimeGenerated > ago(lbtime)
| where EventType == 'proxylogs'
| where DvcAction =~ 'Allowed'
| where UrlCategory contains 'Adult Themes' or
UrlCategory contains 'Adware' or
UrlCategory contains 'Alcohol' or
UrlCategory contains 'Illegal Downloads' or
UrlCategory contains 'Drugs' or
UrlCategory contains 'Child Abuse Content' or
UrlCategory contains 'Hate/Discrimination' or
UrlCategory contains 'Nudity' or
UrlCategory contains 'Pornography' or
UrlCategory contains 'Proxy/Anonymizer' or
UrlCategory contains 'Sexuality' or
UrlCategory contains 'Tasteless' or
UrlCategory contains 'Terrorism' or
UrlCategory contains 'Web Spam' or
UrlCategory contains 'German Youth Protection' or
UrlCategory contains 'Illegal Activities' or
UrlCategory contains 'Lingerie/Bikini' or
UrlCategory contains 'Weapons'
| project TimeGenerated, SrcIpAddr, Identities
tactics:
- CommandAndControl
- InitialAccess
description: |
'It is reccomended that these Categories shoud be blocked by policies because they provide harmful/malicious content..'
entityMappings:
- fieldMappings:
- columnName: Identities
identifier: FullName
entityType: Account
- fieldMappings:
- columnName: SrcIpAddr
identifier: Address
entityType: IP
queryFrequency: 10m
triggerOperator: gt
version: 1.1.1
queryPeriod: 10m
kind: Scheduled
severity: Medium
triggerThreshold: 0
id: d6bf1931-b1eb-448d-90b2-de118559c7ce
{
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"parameters": {
"workspace": {
"type": "String"
}
},
"resources": [
{
"apiVersion": "2024-01-01-preview",
"id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/d6bf1931-b1eb-448d-90b2-de118559c7ce')]",
"kind": "Scheduled",
"name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/d6bf1931-b1eb-448d-90b2-de118559c7ce')]",
"properties": {
"alertRuleTemplateName": "d6bf1931-b1eb-448d-90b2-de118559c7ce",
"customDetails": null,
"description": "'It is reccomended that these Categories shoud be blocked by policies because they provide harmful/malicious content..'\n",
"displayName": "Cisco Umbrella - Request Allowed to harmful/malicious URI category",
"enabled": true,
"entityMappings": [
{
"entityType": "Account",
"fieldMappings": [
{
"columnName": "Identities",
"identifier": "FullName"
}
]
},
{
"entityType": "IP",
"fieldMappings": [
{
"columnName": "SrcIpAddr",
"identifier": "Address"
}
]
}
],
"OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Detections/CiscoUmbrella/CiscoUmbrellaRequestAllowedHarmfulMaliciousURICategory.yaml",
"query": "let lbtime = 10m;\nCisco_Umbrella\n| where TimeGenerated > ago(lbtime)\n| where EventType == 'proxylogs'\n| where DvcAction =~ 'Allowed'\n| where UrlCategory contains 'Adult Themes' or\n UrlCategory contains 'Adware' or\n UrlCategory contains 'Alcohol' or\n UrlCategory contains 'Illegal Downloads' or\n UrlCategory contains 'Drugs' or\n UrlCategory contains 'Child Abuse Content' or\n UrlCategory contains 'Hate/Discrimination' or\n UrlCategory contains 'Nudity' or\n UrlCategory contains 'Pornography' or\n UrlCategory contains 'Proxy/Anonymizer' or\n UrlCategory contains 'Sexuality' or\n UrlCategory contains 'Tasteless' or\n UrlCategory contains 'Terrorism' or\n UrlCategory contains 'Web Spam' or\n UrlCategory contains 'German Youth Protection' or\n UrlCategory contains 'Illegal Activities' or\n UrlCategory contains 'Lingerie/Bikini' or\n UrlCategory contains 'Weapons'\n| project TimeGenerated, SrcIpAddr, Identities\n",
"queryFrequency": "PT10M",
"queryPeriod": "PT10M",
"severity": "Medium",
"subTechniques": [],
"suppressionDuration": "PT1H",
"suppressionEnabled": false,
"tactics": [
"CommandAndControl",
"InitialAccess"
],
"templateVersion": "1.1.1",
"triggerOperator": "GreaterThan",
"triggerThreshold": 0
},
"type": "Microsoft.OperationalInsights/workspaces/providers/alertRules"
}
]
}