Microsoft Sentinel Analytic Rules

Cisco WSA - Multiple errors to resource from risky category

Id: ebf9db0c-ba7b-4249-b9ec-50a05fa7c7c9
Rule name: Cisco WSA - Multiple errors to resource from risky category
Description: Detects multiple connection errors to a resource from a risky category.
Severity: Medium
Tactics: InitialAccess, CommandAndControl
Techniques: T1189, T1102
Required data connectors: CiscoWSA, SyslogAma
Kind: Scheduled
Query frequency: 1h
Query period: 1h
Trigger threshold: 0
Trigger operator: gt
Source Uri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/CiscoWSA/Analytic Rules/CiscoWSAMultipleErrorsToUnwantedCategory.yaml
Version: 1.0.1
ARM template: ebf9db0c-ba7b-4249-b9ec-50a05fa7c7c9.json
let threshold = 10;
let risky_sites = dynamic(['IW_adlt', 'IW_hack', 'IW_porn']);
CiscoWSAEvent
| where DvcAction startswith 'BLOCK_'
| where UrlCategory in~ (risky_sites)
| summarize count() by SrcUserName, UrlOriginal, bin(TimeGenerated, 5m)
| where count_ >= threshold
| extend URLCustomEntity = UrlOriginal, AccountCustomEntity = SrcUserName
kind: Scheduled
relevantTechniques:
- T1189
- T1102
description: |
    'Detects multiple connection errors to resource from risky category.'
queryPeriod: 1h
queryFrequency: 1h
tactics:
- InitialAccess
- CommandAndControl
name: Cisco WSA - Multiple errors to resource from risky category
requiredDataConnectors:
- connectorId: CiscoWSA
  dataTypes:
  - CiscoWSAEvent
- connectorId: SyslogAma
  datatypes:
  - Syslog
entityMappings:
- entityType: URL
  fieldMappings:
  - identifier: Url
    columnName: URLCustomEntity
- entityType: Account
  fieldMappings:
  - identifier: Name
    columnName: AccountCustomEntity
triggerThreshold: 0
version: 1.0.1
id: ebf9db0c-ba7b-4249-b9ec-50a05fa7c7c9
query: |
  let threshold = 10;
  let risky_sites = dynamic(['IW_adlt', 'IW_hack', 'IW_porn']);
  CiscoWSAEvent
  | where DvcAction startswith 'BLOCK_'
  | where UrlCategory in~ (risky_sites)
  | summarize count() by SrcUserName, UrlOriginal, bin(TimeGenerated, 5m)
  | where count_ >= threshold
  | extend URLCustomEntity = UrlOriginal, AccountCustomEntity = SrcUserName
status: Available
triggerOperator: gt
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/CiscoWSA/Analytic Rules/CiscoWSAMultipleErrorsToUnwantedCategory.yaml
severity: Medium
{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "workspace": {
      "type": "String"
    }
  },
  "resources": [
    {
      "apiVersion": "2024-01-01-preview",
      "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/ebf9db0c-ba7b-4249-b9ec-50a05fa7c7c9')]",
      "kind": "Scheduled",
      "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/ebf9db0c-ba7b-4249-b9ec-50a05fa7c7c9')]",
      "properties": {
        "alertRuleTemplateName": "ebf9db0c-ba7b-4249-b9ec-50a05fa7c7c9",
        "customDetails": null,
        "description": "'Detects multiple connection errors to resource from risky category.'\n",
        "displayName": "Cisco WSA - Multiple errors to resource from risky category",
        "enabled": true,
        "entityMappings": [
          {
            "entityType": "URL",
            "fieldMappings": [
              {
                "columnName": "URLCustomEntity",
                "identifier": "Url"
              }
            ]
          },
          {
            "entityType": "Account",
            "fieldMappings": [
              {
                "columnName": "AccountCustomEntity",
                "identifier": "Name"
              }
            ]
          }
        ],
        "OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/CiscoWSA/Analytic Rules/CiscoWSAMultipleErrorsToUnwantedCategory.yaml",
        "query": "let threshold = 10;\nlet risky_sites = dynamic(['IW_adlt', 'IW_hack', 'IW_porn']);\nCiscoWSAEvent\n| where DvcAction startswith 'BLOCK_'\n| where UrlCategory in~ (risky_sites)\n| summarize count() by SrcUserName, UrlOriginal, bin(TimeGenerated, 5m)\n| where count_ >= threshold\n| extend URLCustomEntity = UrlOriginal, AccountCustomEntity = SrcUserName\n",
        "queryFrequency": "PT1H",
        "queryPeriod": "PT1H",
        "severity": "Medium",
        "status": "Available",
        "subTechniques": [],
        "suppressionDuration": "PT1H",
        "suppressionEnabled": false,
        "tactics": [
          "CommandAndControl",
          "InitialAccess"
        ],
        "techniques": [
          "T1102",
          "T1189"
        ],
        "templateVersion": "1.0.1",
        "triggerOperator": "GreaterThan",
        "triggerThreshold": 0
      },
      "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules"
    }
  ]
}