Microsoft Sentinel Analytic Rules

Cisco Umbrella - Request to blocklisted file type

Id: de58ee9e-b229-4252-8537-41a4c2f4045e
Rulename: Cisco Umbrella - Request to blocklisted file type
Description: Detects request to potentially harmful file types (.ps1, .bat, .vbs, etc.).
Severity: Medium
Tactics: InitialAccess
Required data connectors: CiscoUmbrellaDataConnector
Kind: Scheduled
Query frequency: 10m
Query period: 10m
Trigger threshold: 0
Trigger operator: gt
Source Uri: https://github.com/Azure/Azure-Sentinel/blob/master/Detections/CiscoUmbrella/CiscoUmbrellaRequestBlocklistedFileType.yaml
Version: 1.0.1
Arm template: de58ee9e-b229-4252-8537-41a4c2f4045e.json
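// Cisco Umbrella - Request to blocklisted file type
// Surfaces proxy requests that Umbrella allowed through and whose URL ends in
// one of the script/executable extensions listed in file_ext_blocklist.
// Extensions of interest; extend this list to tune the detection.
let file_ext_blocklist = dynamic(['.ps1', '.vbs', '.bat', '.scr']);
// Lookback window; keep equal to the rule's queryPeriod (10m).
let lbtime = 10m;
// Cisco_Umbrella is presumably the connector's parser over the
// Cisco_Umbrella_proxy_CL data type — confirm it exists in the workspace.
Cisco_Umbrella
| where TimeGenerated > ago(lbtime)
| where EventType == 'proxylogs'
// Only requests Umbrella allowed through (case-insensitive compare).
| where DvcAction =~ 'Allowed'
// Trailing ".<ext>" of the URL. extract() yields an empty string when the
// URL does not end in such a suffix, e.g. when a query string follows it.
| extend file_ext = extract(@'.*(\.\w+)$', 1, UrlOriginal)
// Last path segment including its extension, surfaced as the Filename column.
| extend Filename = extract(@'.*\/*\/(.*\.\w+)$', 1, UrlOriginal)
// in~ is case-insensitive, so '.PS1' or '.Bat' match the blocklist as well
// as the lowercase spellings; the plain `in` operator would miss them.
| where file_ext in~ (file_ext_blocklist)
| project TimeGenerated, SrcIpAddr, Identities, Filename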
# Microsoft Sentinel scheduled analytics rule (upstream source: see OriginalUri below).
id: de58ee9e-b229-4252-8537-41a4c2f4045e
# KQL body. `lbtime` (10m) mirrors queryPeriod further down; keep the two in sync.
# NOTE(review): `in` is case-sensitive in KQL, so an upper-case extension such as
# '.PS1' would not match the blocklist; `in~` would compare case-insensitively.
query: |
  let file_ext_blocklist = dynamic(['.ps1', '.vbs', '.bat', '.scr']);
  let lbtime = 10m;
  Cisco_Umbrella
  | where TimeGenerated > ago(lbtime)
  | where EventType == 'proxylogs'
  | where DvcAction =~ 'Allowed'
  | extend file_ext = extract(@'.*(\.\w+)$', 1, UrlOriginal)
  | extend Filename = extract(@'.*\/*\/(.*\.\w+)$', 1, UrlOriginal)
  | where file_ext in (file_ext_blocklist)
  | project TimeGenerated, SrcIpAddr, Identities, Filename  
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Detections/CiscoUmbrella/CiscoUmbrellaRequestBlocklistedFileType.yaml
description: |
    'Detects request to potentially harmful file types (.ps1, .bat, .vbs, etc.).'
name: Cisco Umbrella - Request to blocklisted file type
# Alert whenever the query returns more than 0 rows.
triggerOperator: gt
triggerThreshold: 0
severity: Medium
# The query reads `Cisco_Umbrella` rather than `Cisco_Umbrella_proxy_CL` directly —
# presumably the connector's parser function; confirm it is deployed alongside the rule.
requiredDataConnectors:
- dataTypes:
  - Cisco_Umbrella_proxy_CL
  connectorId: CiscoUmbrellaDataConnector
# Runs every 10 minutes over the last 10 minutes of data (matches `lbtime` in the query).
queryFrequency: 10m
queryPeriod: 10m
version: 1.0.1
kind: Scheduled
tactics:
- InitialAccess
# Projected columns surfaced as entities: Identities -> Account, SrcIpAddr -> IP.
entityMappings:
- entityType: Account
  fieldMappings:
  - identifier: FullName
    columnName: Identities
- entityType: IP
  fieldMappings:
  - identifier: Address
    columnName: SrcIpAddr
{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "workspace": {
      "type": "String"
    }
  },
  "resources": [
    {
      "apiVersion": "2024-01-01-preview",
      "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/de58ee9e-b229-4252-8537-41a4c2f4045e')]",
      "kind": "Scheduled",
      "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/de58ee9e-b229-4252-8537-41a4c2f4045e')]",
      "properties": {
        "alertRuleTemplateName": "de58ee9e-b229-4252-8537-41a4c2f4045e",
        "customDetails": null,
        "description": "'Detects request to potentially harmful file types (.ps1, .bat, .vbs, etc.).'\n",
        "displayName": "Cisco Umbrella - Request to blocklisted file type",
        "enabled": true,
        "entityMappings": [
          {
            "entityType": "Account",
            "fieldMappings": [
              {
                "columnName": "Identities",
                "identifier": "FullName"
              }
            ]
          },
          {
            "entityType": "IP",
            "fieldMappings": [
              {
                "columnName": "SrcIpAddr",
                "identifier": "Address"
              }
            ]
          }
        ],
        "OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Detections/CiscoUmbrella/CiscoUmbrellaRequestBlocklistedFileType.yaml",
        "query": "let file_ext_blocklist = dynamic(['.ps1', '.vbs', '.bat', '.scr']);\nlet lbtime = 10m;\nCisco_Umbrella\n| where TimeGenerated > ago(lbtime)\n| where EventType == 'proxylogs'\n| where DvcAction =~ 'Allowed'\n| extend file_ext = extract(@'.*(\\.\\w+)$', 1, UrlOriginal)\n| extend Filename = extract(@'.*\\/*\\/(.*\\.\\w+)$', 1, UrlOriginal)\n| where file_ext in (file_ext_blocklist)\n| project TimeGenerated, SrcIpAddr, Identities, Filename\n",
        "queryFrequency": "PT10M",
        "queryPeriod": "PT10M",
        "severity": "Medium",
        "subTechniques": [],
        "suppressionDuration": "PT1H",
        "suppressionEnabled": false,
        "tactics": [
          "InitialAccess"
        ],
        "templateVersion": "1.0.1",
        "triggerOperator": "GreaterThan",
        "triggerThreshold": 0
      },
      "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules"
    }
  ]
}