Microsoft Sentinel Analytic Rules
cloudbrothers.infoAzure Sentinel RepoToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeBack to homepage

Cisco Umbrella - Request Allowed to harmfulmalicious URI category

Back
Idd6bf1931-b1eb-448d-90b2-de118559c7ce
RulenameCisco Umbrella - Request Allowed to harmful/malicious URI category
DescriptionIt is reccomended that these Categories shoud be blocked by policies because they provide harmful/malicious content..
SeverityMedium
TacticsCommandAndControl
InitialAccess
Required data connectorsCiscoUmbrellaDataConnector
KindScheduled
Query frequency10m
Query period10m
Trigger threshold0
Trigger operatorgt
Source Urihttps://github.com/Azure/Azure-Sentinel/blob/master/Detections/CiscoUmbrella/CiscoUmbrellaRequestAllowedHarmfulMaliciousURICategory.yaml
Version1.1.1
Arm templated6bf1931-b1eb-448d-90b2-de118559c7ce.json
Deploy To Azure
let lbtime = 10m;
Cisco_Umbrella
| where TimeGenerated > ago(lbtime)
| where EventType == 'proxylogs'
| where DvcAction =~ 'Allowed'
| where UrlCategory contains 'Adult Themes' or
      UrlCategory contains 'Adware' or
      UrlCategory contains 'Alcohol' or
      UrlCategory contains 'Illegal Downloads' or
      UrlCategory contains 'Drugs' or
      UrlCategory contains 'Child Abuse Content' or
      UrlCategory contains 'Hate/Discrimination' or
      UrlCategory contains 'Nudity' or
      UrlCategory contains 'Pornography' or
      UrlCategory contains 'Proxy/Anonymizer' or
      UrlCategory contains 'Sexuality' or
      UrlCategory contains 'Tasteless' or
      UrlCategory contains 'Terrorism' or
      UrlCategory contains 'Web Spam' or
      UrlCategory contains 'German Youth Protection' or
      UrlCategory contains 'Illegal Activities' or
      UrlCategory contains 'Lingerie/Bikini' or
      UrlCategory contains 'Weapons'
| project TimeGenerated, SrcIpAddr, Identities
triggerOperator: gt
requiredDataConnectors:
- dataTypes:
  - Cisco_Umbrella_proxy_CL
  connectorId: CiscoUmbrellaDataConnector
queryPeriod: 10m
kind: Scheduled
query: |
  let lbtime = 10m;
  Cisco_Umbrella
  | where TimeGenerated > ago(lbtime)
  | where EventType == 'proxylogs'
  | where DvcAction =~ 'Allowed'
  | where UrlCategory contains 'Adult Themes' or
        UrlCategory contains 'Adware' or
        UrlCategory contains 'Alcohol' or
        UrlCategory contains 'Illegal Downloads' or
        UrlCategory contains 'Drugs' or
        UrlCategory contains 'Child Abuse Content' or
        UrlCategory contains 'Hate/Discrimination' or
        UrlCategory contains 'Nudity' or
        UrlCategory contains 'Pornography' or
        UrlCategory contains 'Proxy/Anonymizer' or
        UrlCategory contains 'Sexuality' or
        UrlCategory contains 'Tasteless' or
        UrlCategory contains 'Terrorism' or
        UrlCategory contains 'Web Spam' or
        UrlCategory contains 'German Youth Protection' or
        UrlCategory contains 'Illegal Activities' or
        UrlCategory contains 'Lingerie/Bikini' or
        UrlCategory contains 'Weapons'
  | project TimeGenerated, SrcIpAddr, Identities  
description: |
    'It is reccomended that these Categories shoud be blocked by policies because they provide harmful/malicious content..'
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Detections/CiscoUmbrella/CiscoUmbrellaRequestAllowedHarmfulMaliciousURICategory.yaml
severity: Medium
triggerThreshold: 0
name: Cisco Umbrella - Request Allowed to harmful/malicious URI category
tactics:
- CommandAndControl
- InitialAccess
version: 1.1.1
entityMappings:
- entityType: Account
  fieldMappings:
  - identifier: FullName
    columnName: Identities
- entityType: IP
  fieldMappings:
  - identifier: Address
    columnName: SrcIpAddr
id: d6bf1931-b1eb-448d-90b2-de118559c7ce
queryFrequency: 10m
{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "workspace": {
      "type": "String"
    }
  },
  "resources": [
    {
      "apiVersion": "2023-02-01-preview",
      "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/d6bf1931-b1eb-448d-90b2-de118559c7ce')]",
      "kind": "Scheduled",
      "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/d6bf1931-b1eb-448d-90b2-de118559c7ce')]",
      "properties": {
        "alertRuleTemplateName": "d6bf1931-b1eb-448d-90b2-de118559c7ce",
        "customDetails": null,
        "description": "'It is reccomended that these Categories shoud be blocked by policies because they provide harmful/malicious content..'\n",
        "displayName": "Cisco Umbrella - Request Allowed to harmful/malicious URI category",
        "enabled": true,
        "entityMappings": [
          {
            "entityType": "Account",
            "fieldMappings": [
              {
                "columnName": "Identities",
                "identifier": "FullName"
              }
            ]
          },
          {
            "entityType": "IP",
            "fieldMappings": [
              {
                "columnName": "SrcIpAddr",
                "identifier": "Address"
              }
            ]
          }
        ],
        "OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Detections/CiscoUmbrella/CiscoUmbrellaRequestAllowedHarmfulMaliciousURICategory.yaml",
        "query": "let lbtime = 10m;\nCisco_Umbrella\n| where TimeGenerated > ago(lbtime)\n| where EventType == 'proxylogs'\n| where DvcAction =~ 'Allowed'\n| where UrlCategory contains 'Adult Themes' or\n      UrlCategory contains 'Adware' or\n      UrlCategory contains 'Alcohol' or\n      UrlCategory contains 'Illegal Downloads' or\n      UrlCategory contains 'Drugs' or\n      UrlCategory contains 'Child Abuse Content' or\n      UrlCategory contains 'Hate/Discrimination' or\n      UrlCategory contains 'Nudity' or\n      UrlCategory contains 'Pornography' or\n      UrlCategory contains 'Proxy/Anonymizer' or\n      UrlCategory contains 'Sexuality' or\n      UrlCategory contains 'Tasteless' or\n      UrlCategory contains 'Terrorism' or\n      UrlCategory contains 'Web Spam' or\n      UrlCategory contains 'German Youth Protection' or\n      UrlCategory contains 'Illegal Activities' or\n      UrlCategory contains 'Lingerie/Bikini' or\n      UrlCategory contains 'Weapons'\n| project TimeGenerated, SrcIpAddr, Identities\n",
        "queryFrequency": "PT10M",
        "queryPeriod": "PT10M",
        "severity": "Medium",
        "suppressionDuration": "PT1H",
        "suppressionEnabled": false,
        "tactics": [
          "CommandAndControl",
          "InitialAccess"
        ],
        "templateVersion": "1.1.1",
        "triggerOperator": "GreaterThan",
        "triggerThreshold": 0
      },
      "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules"
    }
  ]
}