Microsoft Sentinel Analytic Rules
cloudbrothers.infoAzure Sentinel RepoToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeBack to homepage

Cisco WSA - Multiple errors to resource from risky category

Back
Idebf9db0c-ba7b-4249-b9ec-50a05fa7c7c9
RulenameCisco WSA - Multiple errors to resource from risky category
DescriptionDetects multiple connection errors to resource from risky category.
SeverityMedium
TacticsInitialAccess
CommandAndControl
TechniquesT1189
T1102
Required data connectorsSyslogAma
KindScheduled
Query frequency1h
Query period1h
Trigger threshold0
Trigger operatorgt
Source Urihttps://github.com/Azure/Azure-Sentinel/blob/master/Solutions/CiscoWSA/Analytic Rules/CiscoWSAMultipleErrorsToUnwantedCategory.yaml
Version1.0.2
Arm templateebf9db0c-ba7b-4249-b9ec-50a05fa7c7c9.json
Deploy To Azure
let threshold = 10;
let risky_sites = dynamic(['IW_adlt', 'IW_hack', 'IW_porn']);
CiscoWSAEvent
| where DvcAction startswith 'BLOCK_'
| where UrlCategory in~ (risky_sites)
| summarize count() by SrcUserName, UrlOriginal, bin(TimeGenerated, 5m)
| where count_ >= threshold
| extend URLCustomEntity = UrlOriginal, AccountCustomEntity = SrcUserName
requiredDataConnectors:
- datatypes:
  - Syslog
  connectorId: SyslogAma
triggerThreshold: 0
relevantTechniques:
- T1189
- T1102
queryPeriod: 1h
version: 1.0.2
id: ebf9db0c-ba7b-4249-b9ec-50a05fa7c7c9
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/CiscoWSA/Analytic Rules/CiscoWSAMultipleErrorsToUnwantedCategory.yaml
query: |
  let threshold = 10;
  let risky_sites = dynamic(['IW_adlt', 'IW_hack', 'IW_porn']);
  CiscoWSAEvent
  | where DvcAction startswith 'BLOCK_'
  | where UrlCategory in~ (risky_sites)
  | summarize count() by SrcUserName, UrlOriginal, bin(TimeGenerated, 5m)
  | where count_ >= threshold
  | extend URLCustomEntity = UrlOriginal, AccountCustomEntity = SrcUserName  
status: Available
entityMappings:
- fieldMappings:
  - identifier: Url
    columnName: URLCustomEntity
  entityType: URL
- fieldMappings:
  - identifier: Name
    columnName: AccountCustomEntity
  entityType: Account
tactics:
- InitialAccess
- CommandAndControl
severity: Medium
name: Cisco WSA - Multiple errors to resource from risky category
queryFrequency: 1h
triggerOperator: gt
kind: Scheduled
description: |
    'Detects multiple connection errors to resource from risky category.'
{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "workspace": {
      "type": "String"
    }
  },
  "resources": [
    {
      "apiVersion": "2024-01-01-preview",
      "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/ebf9db0c-ba7b-4249-b9ec-50a05fa7c7c9')]",
      "kind": "Scheduled",
      "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/ebf9db0c-ba7b-4249-b9ec-50a05fa7c7c9')]",
      "properties": {
        "alertRuleTemplateName": "ebf9db0c-ba7b-4249-b9ec-50a05fa7c7c9",
        "customDetails": null,
        "description": "'Detects multiple connection errors to resource from risky category.'\n",
        "displayName": "Cisco WSA - Multiple errors to resource from risky category",
        "enabled": true,
        "entityMappings": [
          {
            "entityType": "URL",
            "fieldMappings": [
              {
                "columnName": "URLCustomEntity",
                "identifier": "Url"
              }
            ]
          },
          {
            "entityType": "Account",
            "fieldMappings": [
              {
                "columnName": "AccountCustomEntity",
                "identifier": "Name"
              }
            ]
          }
        ],
        "OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/CiscoWSA/Analytic Rules/CiscoWSAMultipleErrorsToUnwantedCategory.yaml",
        "query": "let threshold = 10;\nlet risky_sites = dynamic(['IW_adlt', 'IW_hack', 'IW_porn']);\nCiscoWSAEvent\n| where DvcAction startswith 'BLOCK_'\n| where UrlCategory in~ (risky_sites)\n| summarize count() by SrcUserName, UrlOriginal, bin(TimeGenerated, 5m)\n| where count_ >= threshold\n| extend URLCustomEntity = UrlOriginal, AccountCustomEntity = SrcUserName\n",
        "queryFrequency": "PT1H",
        "queryPeriod": "PT1H",
        "severity": "Medium",
        "status": "Available",
        "subTechniques": [],
        "suppressionDuration": "PT1H",
        "suppressionEnabled": false,
        "tactics": [
          "CommandAndControl",
          "InitialAccess"
        ],
        "techniques": [
          "T1102",
          "T1189"
        ],
        "templateVersion": "1.0.2",
        "triggerOperator": "GreaterThan",
        "triggerThreshold": 0
      },
      "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules"
    }
  ]
}