Cisco WSA - Multiple errors to resource from risky category
| Field | Value |
| --- | --- |
| Id | ebf9db0c-ba7b-4249-b9ec-50a05fa7c7c9 |
| Rulename | Cisco WSA - Multiple errors to resource from risky category |
| Description | Detects multiple connection errors to resource from risky category. |
| Severity | Medium |
| Tactics | InitialAccess CommandAndControl |
| Techniques | T1189 T1102 |
| Required data connectors | SyslogAma |
| Kind | Scheduled |
| Query frequency | 1h |
| Query period | 1h |
| Trigger threshold | 0 |
| Trigger operator | gt |
| Source Uri | https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/CiscoWSA/Analytic Rules/CiscoWSAMultipleErrorsToUnwantedCategory.yaml |
| Version | 1.0.2 |
| Arm template | ebf9db0c-ba7b-4249-b9ec-50a05fa7c7c9.json |
```kusto
let threshold = 10;
let risky_sites = dynamic(['IW_adlt', 'IW_hack', 'IW_porn']);
CiscoWSAEvent
| where DvcAction startswith 'BLOCK_'
| where UrlCategory in~ (risky_sites)
| summarize count() by SrcUserName, UrlOriginal, bin(TimeGenerated, 5m)
| where count_ >= threshold
| extend URLCustomEntity = UrlOriginal, AccountCustomEntity = SrcUserName
```
```yaml
name: Cisco WSA - Multiple errors to resource from risky category
relevantTechniques:
  - T1189
  - T1102
id: ebf9db0c-ba7b-4249-b9ec-50a05fa7c7c9
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/CiscoWSA/Analytic Rules/CiscoWSAMultipleErrorsToUnwantedCategory.yaml
requiredDataConnectors:
  - datatypes:
      - Syslog
    connectorId: SyslogAma
version: 1.0.2
severity: Medium
triggerThreshold: 0
queryPeriod: 1h
entityMappings:
  - fieldMappings:
      - identifier: Url
        columnName: URLCustomEntity
    entityType: URL
  - fieldMappings:
      - identifier: Name
        columnName: AccountCustomEntity
    entityType: Account
queryFrequency: 1h
status: Available
query: |
  let threshold = 10;
  let risky_sites = dynamic(['IW_adlt', 'IW_hack', 'IW_porn']);
  CiscoWSAEvent
  | where DvcAction startswith 'BLOCK_'
  | where UrlCategory in~ (risky_sites)
  | summarize count() by SrcUserName, UrlOriginal, bin(TimeGenerated, 5m)
  | where count_ >= threshold
  | extend URLCustomEntity = UrlOriginal, AccountCustomEntity = SrcUserName
tactics:
  - InitialAccess
  - CommandAndControl
kind: Scheduled
description: |
  'Detects multiple connection errors to resource from risky category.'
triggerOperator: gt
```