Microsoft Sentinel Analytic Rules
cloudbrothers.infoAzure Sentinel RepoToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeBack to homepage

Cisco Umbrella - Request Allowed to harmfulmalicious URI category

Back
Idd6bf1931-b1eb-448d-90b2-de118559c7ce
RulenameCisco Umbrella - Request Allowed to harmful/malicious URI category
DescriptionIt is reccomended that these Categories shoud be blocked by policies because they provide harmful/malicious content..
SeverityMedium
TacticsCommandAndControl
InitialAccess
Required data connectorsCiscoUmbrellaDataConnector
KindScheduled
Query frequency10m
Query period10m
Trigger threshold0
Trigger operatorgt
Source Urihttps://github.com/Azure/Azure-Sentinel/blob/master/Detections/CiscoUmbrella/CiscoUmbrellaRequestAllowedHarmfulMaliciousURICategory.yaml
Version1.1.1
Arm templated6bf1931-b1eb-448d-90b2-de118559c7ce.json
Deploy To Azure
let lbtime = 10m;
Cisco_Umbrella
| where TimeGenerated > ago(lbtime)
| where EventType == 'proxylogs'
| where DvcAction =~ 'Allowed'
| where UrlCategory contains 'Adult Themes' or
      UrlCategory contains 'Adware' or
      UrlCategory contains 'Alcohol' or
      UrlCategory contains 'Illegal Downloads' or
      UrlCategory contains 'Drugs' or
      UrlCategory contains 'Child Abuse Content' or
      UrlCategory contains 'Hate/Discrimination' or
      UrlCategory contains 'Nudity' or
      UrlCategory contains 'Pornography' or
      UrlCategory contains 'Proxy/Anonymizer' or
      UrlCategory contains 'Sexuality' or
      UrlCategory contains 'Tasteless' or
      UrlCategory contains 'Terrorism' or
      UrlCategory contains 'Web Spam' or
      UrlCategory contains 'German Youth Protection' or
      UrlCategory contains 'Illegal Activities' or
      UrlCategory contains 'Lingerie/Bikini' or
      UrlCategory contains 'Weapons'
| project TimeGenerated, SrcIpAddr, Identities
name: Cisco Umbrella - Request Allowed to harmful/malicious URI category
triggerOperator: gt
query: |
  let lbtime = 10m;
  Cisco_Umbrella
  | where TimeGenerated > ago(lbtime)
  | where EventType == 'proxylogs'
  | where DvcAction =~ 'Allowed'
  | where UrlCategory contains 'Adult Themes' or
        UrlCategory contains 'Adware' or
        UrlCategory contains 'Alcohol' or
        UrlCategory contains 'Illegal Downloads' or
        UrlCategory contains 'Drugs' or
        UrlCategory contains 'Child Abuse Content' or
        UrlCategory contains 'Hate/Discrimination' or
        UrlCategory contains 'Nudity' or
        UrlCategory contains 'Pornography' or
        UrlCategory contains 'Proxy/Anonymizer' or
        UrlCategory contains 'Sexuality' or
        UrlCategory contains 'Tasteless' or
        UrlCategory contains 'Terrorism' or
        UrlCategory contains 'Web Spam' or
        UrlCategory contains 'German Youth Protection' or
        UrlCategory contains 'Illegal Activities' or
        UrlCategory contains 'Lingerie/Bikini' or
        UrlCategory contains 'Weapons'
  | project TimeGenerated, SrcIpAddr, Identities  
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Detections/CiscoUmbrella/CiscoUmbrellaRequestAllowedHarmfulMaliciousURICategory.yaml
description: |
    'It is reccomended that these Categories shoud be blocked by policies because they provide harmful/malicious content..'
triggerThreshold: 0
id: d6bf1931-b1eb-448d-90b2-de118559c7ce
kind: Scheduled
severity: Medium
version: 1.1.1
entityMappings:
- fieldMappings:
  - identifier: FullName
    columnName: Identities
  entityType: Account
- fieldMappings:
  - identifier: Address
    columnName: SrcIpAddr
  entityType: IP
queryFrequency: 10m
queryPeriod: 10m
requiredDataConnectors:
- dataTypes:
  - Cisco_Umbrella_proxy_CL
  connectorId: CiscoUmbrellaDataConnector
tactics:
- CommandAndControl
- InitialAccess
{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "workspace": {
      "type": "String"
    }
  },
  "resources": [
    {
      "apiVersion": "2023-02-01-preview",
      "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/d6bf1931-b1eb-448d-90b2-de118559c7ce')]",
      "kind": "Scheduled",
      "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/d6bf1931-b1eb-448d-90b2-de118559c7ce')]",
      "properties": {
        "alertRuleTemplateName": "d6bf1931-b1eb-448d-90b2-de118559c7ce",
        "customDetails": null,
        "description": "'It is reccomended that these Categories shoud be blocked by policies because they provide harmful/malicious content..'\n",
        "displayName": "Cisco Umbrella - Request Allowed to harmful/malicious URI category",
        "enabled": true,
        "entityMappings": [
          {
            "entityType": "Account",
            "fieldMappings": [
              {
                "columnName": "Identities",
                "identifier": "FullName"
              }
            ]
          },
          {
            "entityType": "IP",
            "fieldMappings": [
              {
                "columnName": "SrcIpAddr",
                "identifier": "Address"
              }
            ]
          }
        ],
        "OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Detections/CiscoUmbrella/CiscoUmbrellaRequestAllowedHarmfulMaliciousURICategory.yaml",
        "query": "let lbtime = 10m;\nCisco_Umbrella\n| where TimeGenerated > ago(lbtime)\n| where EventType == 'proxylogs'\n| where DvcAction =~ 'Allowed'\n| where UrlCategory contains 'Adult Themes' or\n      UrlCategory contains 'Adware' or\n      UrlCategory contains 'Alcohol' or\n      UrlCategory contains 'Illegal Downloads' or\n      UrlCategory contains 'Drugs' or\n      UrlCategory contains 'Child Abuse Content' or\n      UrlCategory contains 'Hate/Discrimination' or\n      UrlCategory contains 'Nudity' or\n      UrlCategory contains 'Pornography' or\n      UrlCategory contains 'Proxy/Anonymizer' or\n      UrlCategory contains 'Sexuality' or\n      UrlCategory contains 'Tasteless' or\n      UrlCategory contains 'Terrorism' or\n      UrlCategory contains 'Web Spam' or\n      UrlCategory contains 'German Youth Protection' or\n      UrlCategory contains 'Illegal Activities' or\n      UrlCategory contains 'Lingerie/Bikini' or\n      UrlCategory contains 'Weapons'\n| project TimeGenerated, SrcIpAddr, Identities\n",
        "queryFrequency": "PT10M",
        "queryPeriod": "PT10M",
        "severity": "Medium",
        "suppressionDuration": "PT1H",
        "suppressionEnabled": false,
        "tactics": [
          "CommandAndControl",
          "InitialAccess"
        ],
        "templateVersion": "1.1.1",
        "triggerOperator": "GreaterThan",
        "triggerThreshold": 0
      },
      "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules"
    }
  ]
}