Microsoft Sentinel Analytic Rules
cloudbrothers.infoAzure Sentinel RepoToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeBack to homepage

Cisco Umbrella - Request to blocklisted file type

Back
Idde58ee9e-b229-4252-8537-41a4c2f4045e
RulenameCisco Umbrella - Request to blocklisted file type
DescriptionDetects request to potentially harmful file types (.ps1, .bat, .vbs, etc.).
SeverityMedium
TacticsInitialAccess
Required data connectorsCiscoUmbrellaDataConnector
KindScheduled
Query frequency10m
Query period10m
Trigger threshold0
Trigger operatorgt
Source Urihttps://github.com/Azure/Azure-Sentinel/blob/master/Detections/CiscoUmbrella/CiscoUmbrellaRequestBlocklistedFileType.yaml
Version1.0.1
Arm templatede58ee9e-b229-4252-8537-41a4c2f4045e.json
Deploy To Azure
let file_ext_blocklist = dynamic(['.ps1', '.vbs', '.bat', '.scr']);
let lbtime = 10m;
Cisco_Umbrella
| where TimeGenerated > ago(lbtime)
| where EventType == 'proxylogs'
| where DvcAction =~ 'Allowed'
| extend file_ext = extract(@'.*(\.\w+)$', 1, UrlOriginal)
| extend Filename = extract(@'.*\/*\/(.*\.\w+)$', 1, UrlOriginal)
| where file_ext in (file_ext_blocklist)
| project TimeGenerated, SrcIpAddr, Identities, Filename
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Detections/CiscoUmbrella/CiscoUmbrellaRequestBlocklistedFileType.yaml
query: |
  let file_ext_blocklist = dynamic(['.ps1', '.vbs', '.bat', '.scr']);
  let lbtime = 10m;
  Cisco_Umbrella
  | where TimeGenerated > ago(lbtime)
  | where EventType == 'proxylogs'
  | where DvcAction =~ 'Allowed'
  | extend file_ext = extract(@'.*(\.\w+)$', 1, UrlOriginal)
  | extend Filename = extract(@'.*\/*\/(.*\.\w+)$', 1, UrlOriginal)
  | where file_ext in (file_ext_blocklist)
  | project TimeGenerated, SrcIpAddr, Identities, Filename  
description: |
    'Detects request to potentially harmful file types (.ps1, .bat, .vbs, etc.).'
severity: Medium
requiredDataConnectors:
- dataTypes:
  - Cisco_Umbrella_proxy_CL
  connectorId: CiscoUmbrellaDataConnector
name: Cisco Umbrella - Request to blocklisted file type
triggerThreshold: 0
tactics:
- InitialAccess
version: 1.0.1
triggerOperator: gt
entityMappings:
- entityType: Account
  fieldMappings:
  - columnName: Identities
    identifier: FullName
- entityType: IP
  fieldMappings:
  - columnName: SrcIpAddr
    identifier: Address
id: de58ee9e-b229-4252-8537-41a4c2f4045e
kind: Scheduled
queryFrequency: 10m
queryPeriod: 10m
{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "workspace": {
      "type": "String"
    }
  },
  "resources": [
    {
      "apiVersion": "2024-01-01-preview",
      "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/de58ee9e-b229-4252-8537-41a4c2f4045e')]",
      "kind": "Scheduled",
      "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/de58ee9e-b229-4252-8537-41a4c2f4045e')]",
      "properties": {
        "alertRuleTemplateName": "de58ee9e-b229-4252-8537-41a4c2f4045e",
        "customDetails": null,
        "description": "'Detects request to potentially harmful file types (.ps1, .bat, .vbs, etc.).'\n",
        "displayName": "Cisco Umbrella - Request to blocklisted file type",
        "enabled": true,
        "entityMappings": [
          {
            "entityType": "Account",
            "fieldMappings": [
              {
                "columnName": "Identities",
                "identifier": "FullName"
              }
            ]
          },
          {
            "entityType": "IP",
            "fieldMappings": [
              {
                "columnName": "SrcIpAddr",
                "identifier": "Address"
              }
            ]
          }
        ],
        "OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Detections/CiscoUmbrella/CiscoUmbrellaRequestBlocklistedFileType.yaml",
        "query": "let file_ext_blocklist = dynamic(['.ps1', '.vbs', '.bat', '.scr']);\nlet lbtime = 10m;\nCisco_Umbrella\n| where TimeGenerated > ago(lbtime)\n| where EventType == 'proxylogs'\n| where DvcAction =~ 'Allowed'\n| extend file_ext = extract(@'.*(\\.\\w+)$', 1, UrlOriginal)\n| extend Filename = extract(@'.*\\/*\\/(.*\\.\\w+)$', 1, UrlOriginal)\n| where file_ext in (file_ext_blocklist)\n| project TimeGenerated, SrcIpAddr, Identities, Filename\n",
        "queryFrequency": "PT10M",
        "queryPeriod": "PT10M",
        "severity": "Medium",
        "subTechniques": [],
        "suppressionDuration": "PT1H",
        "suppressionEnabled": false,
        "tactics": [
          "InitialAccess"
        ],
        "templateVersion": "1.0.1",
        "triggerOperator": "GreaterThan",
        "triggerThreshold": 0
      },
      "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules"
    }
  ]
}