Cisco WSA - Multiple errors to resource from risky category
| Field | Value |
|---|---|
| Id | ebf9db0c-ba7b-4249-b9ec-50a05fa7c7c9 |
| Rulename | Cisco WSA - Multiple errors to resource from risky category |
| Description | Detects a user generating 10 or more blocked requests (DvcAction starting with BLOCK_) to the same URL in a risky category (IW_adlt, IW_hack, IW_porn: adult, hacking, pornography) within a 5-minute bin. Despite the "errors" in the name, the filter is on proxy block actions, not connection errors. With trigger threshold 0 and operator gt, every row the query returns raises an alert. |
| Severity | Medium |
| Tactics | InitialAccess CommandAndControl |
| Techniques | T1189 T1102 |
| Required data connectors | SyslogAma |
| Kind | Scheduled |
| Query frequency | 1h |
| Query period | 1h |
| Trigger threshold | 0 |
| Trigger operator | gt |
| Source Uri | https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/CiscoWSA/Analytic Rules/CiscoWSAMultipleErrorsToUnwantedCategory.yaml |
| Version | 1.0.2 |
| Arm template | ebf9db0c-ba7b-4249-b9ec-50a05fa7c7c9.json |
```kql
// Tunables: blocked hits per 5-minute bin needed to alert, and the WSA category codes treated as risky
let threshold = 10;
let risky_sites = dynamic(['IW_adlt', 'IW_hack', 'IW_porn']);   // adult, hacking, pornography
CiscoWSAEvent
// Only requests the proxy blocked; note that KQL startswith is case-insensitive
| where DvcAction startswith 'BLOCK_'
// in~ is a case-insensitive membership test against the risky category list
| where UrlCategory in~ (risky_sites)
// Count blocks per user and URL inside fixed 5-minute bins (a burst straddling a bin edge is split)
| summarize count() by SrcUserName, UrlOriginal, bin(TimeGenerated, 5m)
| where count_ >= threshold
// Expose URL and account for the rule's entity mappings
| extend URLCustomEntity = UrlOriginal, AccountCustomEntity = SrcUserName
```
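To make the aggregation concrete, the following Python re-implements the query's logic and runs it over constructed sample events shaped like the CiscoWSAEvent parser output. It is an added example, not code from the Sentinel solution; the field names (TimeGenerated, DvcAction, UrlCategory, SrcUserName, UrlOriginal) are the ones the query uses, while every event value below is constructed. It reproduces two KQL semantics a tuner should know: `startswith` and `in~` are case-insensitive, and `bin(TimeGenerated, 5m)` floors timestamps to fixed 5-minute boundaries, so a burst that straddles a boundary can fall below the threshold in both bins.

```python
from collections import defaultdict
from datetime import datetime, timedelta, timezone

THRESHOLD = 10                                     # `let threshold = 10;`
RISKY_SITES = {"iw_adlt", "iw_hack", "iw_porn"}    # `risky_sites`, lowercased because in~ is case-insensitive
BIN = timedelta(minutes=5)                         # `bin(TimeGenerated, 5m)`
EPOCH = datetime(1970, 1, 1, tzinfo=timezone.utc)


def bin_time(ts, width=BIN):
    """Floor a timestamp to a fixed bin boundary, like KQL bin()."""
    secs = (ts - EPOCH).total_seconds()
    w = width.total_seconds()
    return EPOCH + timedelta(seconds=secs - (secs % w))


def evaluate(events, threshold=THRESHOLD, risky=RISKY_SITES):
    """Return the rows the KQL query would return for a list of event dicts."""
    counts = defaultdict(int)
    for e in events:
        # `DvcAction startswith 'BLOCK_'` (case-insensitive in KQL)
        if not e["DvcAction"].upper().startswith("BLOCK_"):
            continue
        # `UrlCategory in~ (risky_sites)`
        if e["UrlCategory"].lower() not in risky:
            continue
        # `summarize count() by SrcUserName, UrlOriginal, bin(TimeGenerated, 5m)`
        key = (e["SrcUserName"], e["UrlOriginal"], bin_time(e["TimeGenerated"]))
        counts[key] += 1
    # `where count_ >= threshold` and the `extend` that feeds the entity mappings
    return [
        {"SrcUserName": user, "UrlOriginal": url, "TimeGenerated": start, "count_": n,
         "URLCustomEntity": url, "AccountCustomEntity": user}
        for (user, url, start), n in sorted(counts.items()) if n >= threshold
    ]


def make_events():
    """Constructed sample events (not real WSA logs) covering the cases that matter for tuning."""
    base = datetime(2024, 1, 15, 10, 0, tzinfo=timezone.utc)
    events = []

    def add(user, url, category, action, start, n, step_s=20):
        for i in range(n):
            events.append({
                "TimeGenerated": start + timedelta(seconds=i * step_s),
                "DvcAction": action, "UrlCategory": category,
                "SrcUserName": user, "UrlOriginal": url,
            })

    # alice: 12 blocks in under 4 minutes, all in the 10:00 bin -> alerts
    add("alice", "http://example.invalid/adult", "IW_adlt", "BLOCK_WEBCAT", base, 12)
    # bob: 12 blocks from 10:03:00 every 30s -> 4 land in the 10:00 bin, 8 in the 10:05 bin; neither reaches 10
    add("bob", "http://example.invalid/hack", "IW_hack", "BLOCK_WEBCAT", base + timedelta(minutes=3), 12, step_s=30)
    # carol: lowercase action and category, exactly 10 hits -> still alerts (case-insensitive operators)
    add("carol", "http://example.invalid/porn", "iw_porn", "block_webcat", base, 10)
    # dave: many blocks, but to a category not in risky_sites -> no alert
    add("dave", "http://example.invalid/comp", "IW_comp", "BLOCK_WEBCAT", base, 15)
    # erin: many hits to a risky category that the proxy allowed -> no alert
    add("erin", "http://example.invalid/adult2", "IW_adlt", "ALLOW", base, 15)
    return events


if __name__ == "__main__":
    for row in evaluate(make_events()):
        print(row["TimeGenerated"].isoformat(), row["SrcUserName"], row["UrlOriginal"], row["count_"])
```

The bob case is the one to keep in mind when lowering the threshold or widening the bin: a steady drip of blocks at roughly one per 30 seconds never reaches 10 in any single 5-minute bin, so the rule is tuned for bursts rather than sustained low-rate activity.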
```yaml
query: |
  let threshold = 10;
  let risky_sites = dynamic(['IW_adlt', 'IW_hack', 'IW_porn']);
  CiscoWSAEvent
  | where DvcAction startswith 'BLOCK_'
  | where UrlCategory in~ (risky_sites)
  | summarize count() by SrcUserName, UrlOriginal, bin(TimeGenerated, 5m)
  | where count_ >= threshold
  | extend URLCustomEntity = UrlOriginal, AccountCustomEntity = SrcUserName
name: Cisco WSA - Multiple errors to resource from risky category
relevantTechniques:
  - T1189
  - T1102
status: Available
entityMappings:
  - entityType: URL
    fieldMappings:
      - columnName: URLCustomEntity
        identifier: Url
  - entityType: Account
    fieldMappings:
      - columnName: AccountCustomEntity
        identifier: Name
queryFrequency: 1h
requiredDataConnectors:
  - connectorId: SyslogAma
    datatypes:
      - Syslog
kind: Scheduled
version: 1.0.2
triggerOperator: gt
description: |
  'Detects multiple connection errors to resource from risky category.'
tactics:
  - InitialAccess
  - CommandAndControl
queryPeriod: 1h
triggerThreshold: 0
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/CiscoWSA/Analytic Rules/CiscoWSAMultipleErrorsToUnwantedCategory.yaml
severity: Medium
id: ebf9db0c-ba7b-4249-b9ec-50a05fa7c7c9
```