let file_ext_blocklist = dynamic(['.ps1', '.vbs', '.bat', '.scr']);
let lbtime = 10m;
Cisco_Umbrella
| where TimeGenerated > ago(lbtime)
| where EventType == 'proxylogs'
| where DvcAction =~ 'Allowed'
| extend file_ext = extract(@'.*(\.\w+)$', 1, UrlOriginal)
| extend Filename = extract(@'.*\/*\/(.*\.\w+)$', 1, UrlOriginal)
| where file_ext in (file_ext_blocklist)
| project TimeGenerated, SrcIpAddr, Identities, Filename
name: Cisco Umbrella - Request to blocklisted file type
id: de58ee9e-b229-4252-8537-41a4c2f4045e
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Detections/CiscoUmbrella/CiscoUmbrellaRequestBlocklistedFileType.yaml
requiredDataConnectors:
- dataTypes:
- Cisco_Umbrella_proxy_CL
connectorId: CiscoUmbrellaDataConnector
version: 1.0.1
severity: Medium
triggerThreshold: 0
queryPeriod: 10m
entityMappings:
- fieldMappings:
- identifier: FullName
columnName: Identities
entityType: Account
- fieldMappings:
- identifier: Address
columnName: SrcIpAddr
entityType: IP
queryFrequency: 10m
query: |
let file_ext_blocklist = dynamic(['.ps1', '.vbs', '.bat', '.scr']);
let lbtime = 10m;
Cisco_Umbrella
| where TimeGenerated > ago(lbtime)
| where EventType == 'proxylogs'
| where DvcAction =~ 'Allowed'
| extend file_ext = extract(@'.*(\.\w+)$', 1, UrlOriginal)
| extend Filename = extract(@'.*\/*\/(.*\.\w+)$', 1, UrlOriginal)
| where file_ext in (file_ext_blocklist)
| project TimeGenerated, SrcIpAddr, Identities, Filename
tactics:
- InitialAccess
kind: Scheduled
description: |
'Detects request to potentially harmful file types (.ps1, .bat, .vbs, etc.).'
triggerOperator: gt
