let file_ext_blocklist = dynamic(['.ps1', '.vbs', '.bat', '.scr']);
let lbtime = 10m;
Cisco_Umbrella
| where TimeGenerated > ago(lbtime)
| where EventType == 'proxylogs'
| where DvcAction =~ 'Allowed'
| extend file_ext = extract(@'.*(\.\w+)$', 1, UrlOriginal)
| extend Filename = extract(@'.*\/*\/(.*\.\w+)$', 1, UrlOriginal)
| where file_ext in (file_ext_blocklist)
| project TimeGenerated, SrcIpAddr, Identities, Filename
description: |
'Detects request to potentially harmful file types (.ps1, .bat, .vbs, etc.).'
version: 1.0.1
queryFrequency: 10m
triggerThreshold: 0
tactics:
- InitialAccess
queryPeriod: 10m
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Detections/CiscoUmbrella/CiscoUmbrellaRequestBlocklistedFileType.yaml
query: |
let file_ext_blocklist = dynamic(['.ps1', '.vbs', '.bat', '.scr']);
let lbtime = 10m;
Cisco_Umbrella
| where TimeGenerated > ago(lbtime)
| where EventType == 'proxylogs'
| where DvcAction =~ 'Allowed'
| extend file_ext = extract(@'.*(\.\w+)$', 1, UrlOriginal)
| extend Filename = extract(@'.*\/*\/(.*\.\w+)$', 1, UrlOriginal)
| where file_ext in (file_ext_blocklist)
| project TimeGenerated, SrcIpAddr, Identities, Filename
id: de58ee9e-b229-4252-8537-41a4c2f4045e
name: Cisco Umbrella - Request to blocklisted file type
triggerOperator: gt
severity: Medium
kind: Scheduled
entityMappings:
- fieldMappings:
- columnName: Identities
identifier: FullName
entityType: Account
- fieldMappings:
- columnName: SrcIpAddr
identifier: Address
entityType: IP
requiredDataConnectors:
- dataTypes:
- Cisco_Umbrella_proxy_CL
connectorId: CiscoUmbrellaDataConnector
