Microsoft Sentinel Analytic Rules
cloudbrothers.infoAzure Sentinel RepoToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeBack to homepage
  1. Microsoft Sentinel Analytics Rules
  2. /
  3. Analytic Rules
  4. /
  5. Cisco WSA - Multiple errors to resource from risky category

Cisco WSA - Multiple errors to resource from risky category

Back
Idebf9db0c-ba7b-4249-b9ec-50a05fa7c7c9
RulenameCisco WSA - Multiple errors to resource from risky category
DescriptionDetects multiple connection errors to resource from risky category.
SeverityMedium
TacticsInitialAccess
CommandAndControl
TechniquesT1189
T1102
Required data connectorsSyslogAma
KindScheduled
Query frequency1h
Query period1h
Trigger threshold0
Trigger operatorgt
Source Urihttps://github.com/Azure/Azure-Sentinel/blob/master/Solutions/CiscoWSA/Analytic Rules/CiscoWSAMultipleErrorsToUnwantedCategory.yaml
Version1.0.2
Arm templateebf9db0c-ba7b-4249-b9ec-50a05fa7c7c9.json
Deploy To Azure
let threshold = 10;
let risky_sites = dynamic(['IW_adlt', 'IW_hack', 'IW_porn']);
CiscoWSAEvent
| where DvcAction startswith 'BLOCK_'
| where UrlCategory in~ (risky_sites)
| summarize count() by SrcUserName, UrlOriginal, bin(TimeGenerated, 5m)
| where count_ >= threshold
| extend URLCustomEntity = UrlOriginal, AccountCustomEntity = SrcUserName

id: ebf9db0c-ba7b-4249-b9ec-50a05fa7c7c9
tactics:
- InitialAccess
- CommandAndControl
queryPeriod: 1h
triggerThreshold: 0
name: Cisco WSA - Multiple errors to resource from risky category
query: |
  let threshold = 10;
  let risky_sites = dynamic(['IW_adlt', 'IW_hack', 'IW_porn']);
  CiscoWSAEvent
  | where DvcAction startswith 'BLOCK_'
  | where UrlCategory in~ (risky_sites)
  | summarize count() by SrcUserName, UrlOriginal, bin(TimeGenerated, 5m)
  | where count_ >= threshold
  | extend URLCustomEntity = UrlOriginal, AccountCustomEntity = SrcUserName  
severity: Medium
triggerOperator: gt
kind: Scheduled
relevantTechniques:
- T1189
- T1102
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/CiscoWSA/Analytic Rules/CiscoWSAMultipleErrorsToUnwantedCategory.yaml
queryFrequency: 1h
requiredDataConnectors:
- connectorId: SyslogAma
  datatypes:
  - Syslog
description: |
    'Detects multiple connection errors to resource from risky category.'
status: Available
version: 1.0.2
entityMappings:
- fieldMappings:
  - columnName: URLCustomEntity
    identifier: Url
  entityType: URL
- fieldMappings:
  - columnName: AccountCustomEntity
    identifier: Name
  entityType: Account

{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "workspace": {
      "type": "String"
    }
  },
  "resources": [
    {
      "apiVersion": "2024-01-01-preview",
      "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/ebf9db0c-ba7b-4249-b9ec-50a05fa7c7c9')]",
      "kind": "Scheduled",
      "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/ebf9db0c-ba7b-4249-b9ec-50a05fa7c7c9')]",
      "properties": {
        "alertRuleTemplateName": "ebf9db0c-ba7b-4249-b9ec-50a05fa7c7c9",
        "customDetails": null,
        "description": "'Detects multiple connection errors to resource from risky category.'\n",
        "displayName": "Cisco WSA - Multiple errors to resource from risky category",
        "enabled": true,
        "entityMappings": [
          {
            "entityType": "URL",
            "fieldMappings": [
              {
                "columnName": "URLCustomEntity",
                "identifier": "Url"
              }
            ]
          },
          {
            "entityType": "Account",
            "fieldMappings": [
              {
                "columnName": "AccountCustomEntity",
                "identifier": "Name"
              }
            ]
          }
        ],
        "OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/CiscoWSA/Analytic Rules/CiscoWSAMultipleErrorsToUnwantedCategory.yaml",
        "query": "let threshold = 10;\nlet risky_sites = dynamic(['IW_adlt', 'IW_hack', 'IW_porn']);\nCiscoWSAEvent\n| where DvcAction startswith 'BLOCK_'\n| where UrlCategory in~ (risky_sites)\n| summarize count() by SrcUserName, UrlOriginal, bin(TimeGenerated, 5m)\n| where count_ >= threshold\n| extend URLCustomEntity = UrlOriginal, AccountCustomEntity = SrcUserName\n",
        "queryFrequency": "PT1H",
        "queryPeriod": "PT1H",
        "severity": "Medium",
        "status": "Available",
        "subTechniques": [],
        "suppressionDuration": "PT1H",
        "suppressionEnabled": false,
        "tactics": [
          "CommandAndControl",
          "InitialAccess"
        ],
        "techniques": [
          "T1102",
          "T1189"
        ],
        "templateVersion": "1.0.2",
        "triggerOperator": "GreaterThan",
        "triggerThreshold": 0
      },
      "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules"
    }
  ]
}