Microsoft Sentinel Analytic Rules

Cisco WSA - Multiple errors to resource from risky category

Id: ebf9db0c-ba7b-4249-b9ec-50a05fa7c7c9
Rulename: Cisco WSA - Multiple errors to resource from risky category
Description: Detects multiple connection errors to resource from risky category.
Severity: Medium
Tactics: InitialAccess, CommandAndControl
Techniques: T1189, T1102
Required data connectors: SyslogAma
Kind: Scheduled
Query frequency: 1h
Query period: 1h
Trigger threshold: 0
Trigger operator: gt
Source Uri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/CiscoWSA/Analytic Rules/CiscoWSAMultipleErrorsToUnwantedCategory.yaml
Version: 1.0.2
Arm template: ebf9db0c-ba7b-4249-b9ec-50a05fa7c7c9.json

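// Minimum number of blocked requests per user and URL within one 5-minute bin
let threshold = 10;
// URL categories treated as risky
let risky_sites = dynamic(['IW_adlt', 'IW_hack', 'IW_porn']);
CiscoWSAEvent
// Keep only requests whose action code begins with BLOCK_
| where DvcAction startswith 'BLOCK_'
// Case-insensitive match against the risky category list
| where UrlCategory in~ (risky_sites)
| summarize count() by SrcUserName, UrlOriginal, bin(TimeGenerated, 5m)
| where count_ >= threshold
// Expose the columns used by the rule's URL and Account entity mappings
| extend URLCustomEntity = UrlOriginal, AccountCustomEntity = SrcUserName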
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/CiscoWSA/Analytic Rules/CiscoWSAMultipleErrorsToUnwantedCategory.yaml
queryPeriod: 1h
kind: Scheduled
name: Cisco WSA - Multiple errors to resource from risky category
status: Available
entityMappings:
- fieldMappings:
  - columnName: URLCustomEntity
    identifier: Url
  entityType: URL
- fieldMappings:
  - columnName: AccountCustomEntity
    identifier: Name
  entityType: Account
tactics:
- InitialAccess
- CommandAndControl
description: |
    'Detects multiple connection errors to resource from risky category.'
severity: Medium
requiredDataConnectors:
- connectorId: SyslogAma
  datatypes:
  - Syslog
queryFrequency: 1h
triggerThreshold: 0
version: 1.0.2
query: |
  let threshold = 10;
  let risky_sites = dynamic(['IW_adlt', 'IW_hack', 'IW_porn']);
  CiscoWSAEvent
  | where DvcAction startswith 'BLOCK_'
  | where UrlCategory in~ (risky_sites)
  | summarize count() by SrcUserName, UrlOriginal, bin(TimeGenerated, 5m)
  | where count_ >= threshold
  | extend URLCustomEntity = UrlOriginal, AccountCustomEntity = SrcUserName  
relevantTechniques:
- T1189
- T1102
id: ebf9db0c-ba7b-4249-b9ec-50a05fa7c7c9
triggerOperator: gt