Microsoft Sentinel Analytic Rules
cloudbrothers.infoAzure Sentinel RepoToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeBack to homepage

Cisco Umbrella - Request Allowed to harmfulmalicious URI category

Back
Idd6bf1931-b1eb-448d-90b2-de118559c7ce
RulenameCisco Umbrella - Request Allowed to harmful/malicious URI category
DescriptionIt is reccomended that these Categories shoud be blocked by policies because they provide harmful/malicious content..
SeverityMedium
TacticsCommandAndControl
InitialAccess
Required data connectorsCiscoUmbrellaDataConnector
KindScheduled
Query frequency10m
Query period10m
Trigger threshold0
Trigger operatorgt
Source Urihttps://github.com/Azure/Azure-Sentinel/blob/master/Detections/CiscoUmbrella/CiscoUmbrellaRequestAllowedHarmfulMaliciousURICategory.yaml
Version1.1.1
Arm templated6bf1931-b1eb-448d-90b2-de118559c7ce.json
Deploy To Azure
let lbtime = 10m;
Cisco_Umbrella
| where TimeGenerated > ago(lbtime)
| where EventType == 'proxylogs'
| where DvcAction =~ 'Allowed'
| where UrlCategory contains 'Adult Themes' or
      UrlCategory contains 'Adware' or
      UrlCategory contains 'Alcohol' or
      UrlCategory contains 'Illegal Downloads' or
      UrlCategory contains 'Drugs' or
      UrlCategory contains 'Child Abuse Content' or
      UrlCategory contains 'Hate/Discrimination' or
      UrlCategory contains 'Nudity' or
      UrlCategory contains 'Pornography' or
      UrlCategory contains 'Proxy/Anonymizer' or
      UrlCategory contains 'Sexuality' or
      UrlCategory contains 'Tasteless' or
      UrlCategory contains 'Terrorism' or
      UrlCategory contains 'Web Spam' or
      UrlCategory contains 'German Youth Protection' or
      UrlCategory contains 'Illegal Activities' or
      UrlCategory contains 'Lingerie/Bikini' or
      UrlCategory contains 'Weapons'
| project TimeGenerated, SrcIpAddr, Identities
queryPeriod: 10m
version: 1.1.1
tactics:
- CommandAndControl
- InitialAccess
queryFrequency: 10m
id: d6bf1931-b1eb-448d-90b2-de118559c7ce
triggerOperator: gt
requiredDataConnectors:
- dataTypes:
  - Cisco_Umbrella_proxy_CL
  connectorId: CiscoUmbrellaDataConnector
severity: Medium
entityMappings:
- entityType: Account
  fieldMappings:
  - columnName: Identities
    identifier: FullName
- entityType: IP
  fieldMappings:
  - columnName: SrcIpAddr
    identifier: Address
triggerThreshold: 0
query: |
  let lbtime = 10m;
  Cisco_Umbrella
  | where TimeGenerated > ago(lbtime)
  | where EventType == 'proxylogs'
  | where DvcAction =~ 'Allowed'
  | where UrlCategory contains 'Adult Themes' or
        UrlCategory contains 'Adware' or
        UrlCategory contains 'Alcohol' or
        UrlCategory contains 'Illegal Downloads' or
        UrlCategory contains 'Drugs' or
        UrlCategory contains 'Child Abuse Content' or
        UrlCategory contains 'Hate/Discrimination' or
        UrlCategory contains 'Nudity' or
        UrlCategory contains 'Pornography' or
        UrlCategory contains 'Proxy/Anonymizer' or
        UrlCategory contains 'Sexuality' or
        UrlCategory contains 'Tasteless' or
        UrlCategory contains 'Terrorism' or
        UrlCategory contains 'Web Spam' or
        UrlCategory contains 'German Youth Protection' or
        UrlCategory contains 'Illegal Activities' or
        UrlCategory contains 'Lingerie/Bikini' or
        UrlCategory contains 'Weapons'
  | project TimeGenerated, SrcIpAddr, Identities  
kind: Scheduled
name: Cisco Umbrella - Request Allowed to harmful/malicious URI category
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Detections/CiscoUmbrella/CiscoUmbrellaRequestAllowedHarmfulMaliciousURICategory.yaml
description: |
    'It is reccomended that these Categories shoud be blocked by policies because they provide harmful/malicious content..'
{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "workspace": {
      "type": "String"
    }
  },
  "resources": [
    {
      "apiVersion": "2024-01-01-preview",
      "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/d6bf1931-b1eb-448d-90b2-de118559c7ce')]",
      "kind": "Scheduled",
      "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/d6bf1931-b1eb-448d-90b2-de118559c7ce')]",
      "properties": {
        "alertRuleTemplateName": "d6bf1931-b1eb-448d-90b2-de118559c7ce",
        "customDetails": null,
        "description": "'It is reccomended that these Categories shoud be blocked by policies because they provide harmful/malicious content..'\n",
        "displayName": "Cisco Umbrella - Request Allowed to harmful/malicious URI category",
        "enabled": true,
        "entityMappings": [
          {
            "entityType": "Account",
            "fieldMappings": [
              {
                "columnName": "Identities",
                "identifier": "FullName"
              }
            ]
          },
          {
            "entityType": "IP",
            "fieldMappings": [
              {
                "columnName": "SrcIpAddr",
                "identifier": "Address"
              }
            ]
          }
        ],
        "OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Detections/CiscoUmbrella/CiscoUmbrellaRequestAllowedHarmfulMaliciousURICategory.yaml",
        "query": "let lbtime = 10m;\nCisco_Umbrella\n| where TimeGenerated > ago(lbtime)\n| where EventType == 'proxylogs'\n| where DvcAction =~ 'Allowed'\n| where UrlCategory contains 'Adult Themes' or\n      UrlCategory contains 'Adware' or\n      UrlCategory contains 'Alcohol' or\n      UrlCategory contains 'Illegal Downloads' or\n      UrlCategory contains 'Drugs' or\n      UrlCategory contains 'Child Abuse Content' or\n      UrlCategory contains 'Hate/Discrimination' or\n      UrlCategory contains 'Nudity' or\n      UrlCategory contains 'Pornography' or\n      UrlCategory contains 'Proxy/Anonymizer' or\n      UrlCategory contains 'Sexuality' or\n      UrlCategory contains 'Tasteless' or\n      UrlCategory contains 'Terrorism' or\n      UrlCategory contains 'Web Spam' or\n      UrlCategory contains 'German Youth Protection' or\n      UrlCategory contains 'Illegal Activities' or\n      UrlCategory contains 'Lingerie/Bikini' or\n      UrlCategory contains 'Weapons'\n| project TimeGenerated, SrcIpAddr, Identities\n",
        "queryFrequency": "PT10M",
        "queryPeriod": "PT10M",
        "severity": "Medium",
        "subTechniques": [],
        "suppressionDuration": "PT1H",
        "suppressionEnabled": false,
        "tactics": [
          "CommandAndControl",
          "InitialAccess"
        ],
        "templateVersion": "1.1.1",
        "triggerOperator": "GreaterThan",
        "triggerThreshold": 0
      },
      "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules"
    }
  ]
}