Microsoft Sentinel Analytic Rules
cloudbrothers.infoAzure Sentinel RepoToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeBack to homepage
  1. Microsoft Sentinel Analytics Rules
  2. /
  3. Analytic Rules
  4. /
  5. Cisco WSA - Multiple errors to resource from risky category

Cisco WSA - Multiple errors to resource from risky category

Back
Idebf9db0c-ba7b-4249-b9ec-50a05fa7c7c9
RulenameCisco WSA - Multiple errors to resource from risky category
DescriptionDetects multiple connection errors to resource from risky category.
SeverityMedium
TacticsInitialAccess
CommandAndControl
TechniquesT1189
T1102
Required data connectorsSyslogAma
KindScheduled
Query frequency1h
Query period1h
Trigger threshold0
Trigger operatorgt
Source Urihttps://github.com/Azure/Azure-Sentinel/blob/master/Solutions/CiscoWSA/Analytic Rules/CiscoWSAMultipleErrorsToUnwantedCategory.yaml
Version1.0.2
Arm templateebf9db0c-ba7b-4249-b9ec-50a05fa7c7c9.json
Deploy To Azure
let threshold = 10;
let risky_sites = dynamic(['IW_adlt', 'IW_hack', 'IW_porn']);
CiscoWSAEvent
| where DvcAction startswith 'BLOCK_'
| where UrlCategory in~ (risky_sites)
| summarize count() by SrcUserName, UrlOriginal, bin(TimeGenerated, 5m)
| where count_ >= threshold
| extend URLCustomEntity = UrlOriginal, AccountCustomEntity = SrcUserName

name: Cisco WSA - Multiple errors to resource from risky category
relevantTechniques:
- T1189
- T1102
requiredDataConnectors:
- datatypes:
  - Syslog
  connectorId: SyslogAma
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/CiscoWSA/Analytic Rules/CiscoWSAMultipleErrorsToUnwantedCategory.yaml
query: |
  let threshold = 10;
  let risky_sites = dynamic(['IW_adlt', 'IW_hack', 'IW_porn']);
  CiscoWSAEvent
  | where DvcAction startswith 'BLOCK_'
  | where UrlCategory in~ (risky_sites)
  | summarize count() by SrcUserName, UrlOriginal, bin(TimeGenerated, 5m)
  | where count_ >= threshold
  | extend URLCustomEntity = UrlOriginal, AccountCustomEntity = SrcUserName  
tactics:
- InitialAccess
- CommandAndControl
description: |
    'Detects multiple connection errors to resource from risky category.'
entityMappings:
- fieldMappings:
  - columnName: URLCustomEntity
    identifier: Url
  entityType: URL
- fieldMappings:
  - columnName: AccountCustomEntity
    identifier: Name
  entityType: Account
queryFrequency: 1h
triggerOperator: gt
version: 1.0.2
queryPeriod: 1h
status: Available
kind: Scheduled
severity: Medium
triggerThreshold: 0
id: ebf9db0c-ba7b-4249-b9ec-50a05fa7c7c9

{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "workspace": {
      "type": "String"
    }
  },
  "resources": [
    {
      "apiVersion": "2024-01-01-preview",
      "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/ebf9db0c-ba7b-4249-b9ec-50a05fa7c7c9')]",
      "kind": "Scheduled",
      "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/ebf9db0c-ba7b-4249-b9ec-50a05fa7c7c9')]",
      "properties": {
        "alertRuleTemplateName": "ebf9db0c-ba7b-4249-b9ec-50a05fa7c7c9",
        "customDetails": null,
        "description": "'Detects multiple connection errors to resource from risky category.'\n",
        "displayName": "Cisco WSA - Multiple errors to resource from risky category",
        "enabled": true,
        "entityMappings": [
          {
            "entityType": "URL",
            "fieldMappings": [
              {
                "columnName": "URLCustomEntity",
                "identifier": "Url"
              }
            ]
          },
          {
            "entityType": "Account",
            "fieldMappings": [
              {
                "columnName": "AccountCustomEntity",
                "identifier": "Name"
              }
            ]
          }
        ],
        "OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/CiscoWSA/Analytic Rules/CiscoWSAMultipleErrorsToUnwantedCategory.yaml",
        "query": "let threshold = 10;\nlet risky_sites = dynamic(['IW_adlt', 'IW_hack', 'IW_porn']);\nCiscoWSAEvent\n| where DvcAction startswith 'BLOCK_'\n| where UrlCategory in~ (risky_sites)\n| summarize count() by SrcUserName, UrlOriginal, bin(TimeGenerated, 5m)\n| where count_ >= threshold\n| extend URLCustomEntity = UrlOriginal, AccountCustomEntity = SrcUserName\n",
        "queryFrequency": "PT1H",
        "queryPeriod": "PT1H",
        "severity": "Medium",
        "status": "Available",
        "subTechniques": [],
        "suppressionDuration": "PT1H",
        "suppressionEnabled": false,
        "tactics": [
          "CommandAndControl",
          "InitialAccess"
        ],
        "techniques": [
          "T1102",
          "T1189"
        ],
        "templateVersion": "1.0.2",
        "triggerOperator": "GreaterThan",
        "triggerThreshold": 0
      },
      "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules"
    }
  ]
}