Microsoft Sentinel Analytic Rules
cloudbrothers.infoAzure Sentinel RepoToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeBack to homepage

Cisco Umbrella - Request to blocklisted file type

Back
Idde58ee9e-b229-4252-8537-41a4c2f4045e
RulenameCisco Umbrella - Request to blocklisted file type
DescriptionDetects request to potentially harmful file types (.ps1, .bat, .vbs, etc.).
SeverityMedium
TacticsInitialAccess
Required data connectorsCiscoUmbrellaDataConnector
KindScheduled
Query frequency10m
Query period10m
Trigger threshold0
Trigger operatorgt
Source Urihttps://github.com/Azure/Azure-Sentinel/blob/master/Detections/CiscoUmbrella/CiscoUmbrellaRequestBlocklistedFileType.yaml
Version1.0.1
Arm templatede58ee9e-b229-4252-8537-41a4c2f4045e.json
Deploy To Azure
let file_ext_blocklist = dynamic(['.ps1', '.vbs', '.bat', '.scr']);
let lbtime = 10m;
Cisco_Umbrella
| where TimeGenerated > ago(lbtime)
| where EventType == 'proxylogs'
| where DvcAction =~ 'Allowed'
| extend file_ext = extract(@'.*(\.\w+)$', 1, UrlOriginal)
| extend Filename = extract(@'.*\/*\/(.*\.\w+)$', 1, UrlOriginal)
| where file_ext in (file_ext_blocklist)
| project TimeGenerated, SrcIpAddr, Identities, Filename
entityMappings:
- fieldMappings:
  - columnName: Identities
    identifier: FullName
  entityType: Account
- fieldMappings:
  - columnName: SrcIpAddr
    identifier: Address
  entityType: IP
tactics:
- InitialAccess
queryPeriod: 10m
triggerThreshold: 0
name: Cisco Umbrella - Request to blocklisted file type
query: |
  let file_ext_blocklist = dynamic(['.ps1', '.vbs', '.bat', '.scr']);
  let lbtime = 10m;
  Cisco_Umbrella
  | where TimeGenerated > ago(lbtime)
  | where EventType == 'proxylogs'
  | where DvcAction =~ 'Allowed'
  | extend file_ext = extract(@'.*(\.\w+)$', 1, UrlOriginal)
  | extend Filename = extract(@'.*\/*\/(.*\.\w+)$', 1, UrlOriginal)
  | where file_ext in (file_ext_blocklist)
  | project TimeGenerated, SrcIpAddr, Identities, Filename  
severity: Medium
triggerOperator: gt
kind: Scheduled
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Detections/CiscoUmbrella/CiscoUmbrellaRequestBlocklistedFileType.yaml
queryFrequency: 10m
id: de58ee9e-b229-4252-8537-41a4c2f4045e
requiredDataConnectors:
- connectorId: CiscoUmbrellaDataConnector
  dataTypes:
  - Cisco_Umbrella_proxy_CL
description: |
    'Detects request to potentially harmful file types (.ps1, .bat, .vbs, etc.).'
version: 1.0.1
{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "workspace": {
      "type": "String"
    }
  },
  "resources": [
    {
      "apiVersion": "2024-01-01-preview",
      "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/de58ee9e-b229-4252-8537-41a4c2f4045e')]",
      "kind": "Scheduled",
      "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/de58ee9e-b229-4252-8537-41a4c2f4045e')]",
      "properties": {
        "alertRuleTemplateName": "de58ee9e-b229-4252-8537-41a4c2f4045e",
        "customDetails": null,
        "description": "'Detects request to potentially harmful file types (.ps1, .bat, .vbs, etc.).'\n",
        "displayName": "Cisco Umbrella - Request to blocklisted file type",
        "enabled": true,
        "entityMappings": [
          {
            "entityType": "Account",
            "fieldMappings": [
              {
                "columnName": "Identities",
                "identifier": "FullName"
              }
            ]
          },
          {
            "entityType": "IP",
            "fieldMappings": [
              {
                "columnName": "SrcIpAddr",
                "identifier": "Address"
              }
            ]
          }
        ],
        "OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Detections/CiscoUmbrella/CiscoUmbrellaRequestBlocklistedFileType.yaml",
        "query": "let file_ext_blocklist = dynamic(['.ps1', '.vbs', '.bat', '.scr']);\nlet lbtime = 10m;\nCisco_Umbrella\n| where TimeGenerated > ago(lbtime)\n| where EventType == 'proxylogs'\n| where DvcAction =~ 'Allowed'\n| extend file_ext = extract(@'.*(\\.\\w+)$', 1, UrlOriginal)\n| extend Filename = extract(@'.*\\/*\\/(.*\\.\\w+)$', 1, UrlOriginal)\n| where file_ext in (file_ext_blocklist)\n| project TimeGenerated, SrcIpAddr, Identities, Filename\n",
        "queryFrequency": "PT10M",
        "queryPeriod": "PT10M",
        "severity": "Medium",
        "subTechniques": [],
        "suppressionDuration": "PT1H",
        "suppressionEnabled": false,
        "tactics": [
          "InitialAccess"
        ],
        "templateVersion": "1.0.1",
        "triggerOperator": "GreaterThan",
        "triggerThreshold": 0
      },
      "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules"
    }
  ]
}