Microsoft Sentinel Analytic Rules
cloudbrothers.infoAzure Sentinel RepoToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeBack to homepage

Cisco WSA - Multiple errors to resource from risky category

Back
Idebf9db0c-ba7b-4249-b9ec-50a05fa7c7c9
RulenameCisco WSA - Multiple errors to resource from risky category
DescriptionDetects multiple connection errors to resource from risky category.
SeverityMedium
TacticsInitialAccess
CommandAndControl
TechniquesT1189
T1102
Required data connectorsCiscoWSA
KindScheduled
Query frequency1h
Query period1h
Trigger threshold0
Trigger operatorgt
Source Urihttps://github.com/Azure/Azure-Sentinel/blob/master/Solutions/CiscoWSA/Analytic Rules/CiscoWSAMultipleErrorsToUnwantedCategory.yaml
Version1.0.0
Arm templateebf9db0c-ba7b-4249-b9ec-50a05fa7c7c9.json
Deploy To Azure
let threshold = 10;
let risky_sites = dynamic(['IW_adlt', 'IW_hack', 'IW_porn']);
CiscoWSAEvent
| where DvcAction startswith 'BLOCK_'
| where UrlCategory in~ (risky_sites)
| summarize count() by SrcUserName, UrlOriginal, bin(TimeGenerated, 5m)
| where count_ >= threshold
| extend URLCustomEntity = UrlOriginal, AccountCustomEntity = SrcUserName
kind: Scheduled
status: Available
triggerThreshold: 0
relevantTechniques:
- T1189
- T1102
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/CiscoWSA/Analytic Rules/CiscoWSAMultipleErrorsToUnwantedCategory.yaml
requiredDataConnectors:
- dataTypes:
  - CiscoWSAEvent
  connectorId: CiscoWSA
queryPeriod: 1h
tactics:
- InitialAccess
- CommandAndControl
severity: Medium
triggerOperator: gt
description: |
    'Detects multiple connection errors to resource from risky category.'
query: |
  let threshold = 10;
  let risky_sites = dynamic(['IW_adlt', 'IW_hack', 'IW_porn']);
  CiscoWSAEvent
  | where DvcAction startswith 'BLOCK_'
  | where UrlCategory in~ (risky_sites)
  | summarize count() by SrcUserName, UrlOriginal, bin(TimeGenerated, 5m)
  | where count_ >= threshold
  | extend URLCustomEntity = UrlOriginal, AccountCustomEntity = SrcUserName  
name: Cisco WSA - Multiple errors to resource from risky category
version: 1.0.0
id: ebf9db0c-ba7b-4249-b9ec-50a05fa7c7c9
queryFrequency: 1h
entityMappings:
- entityType: URL
  fieldMappings:
  - columnName: URLCustomEntity
    identifier: Url
- entityType: Account
  fieldMappings:
  - columnName: AccountCustomEntity
    identifier: Name
{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "workspace": {
      "type": "String"
    }
  },
  "resources": [
    {
      "apiVersion": "2023-02-01-preview",
      "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/ebf9db0c-ba7b-4249-b9ec-50a05fa7c7c9')]",
      "kind": "Scheduled",
      "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/ebf9db0c-ba7b-4249-b9ec-50a05fa7c7c9')]",
      "properties": {
        "alertRuleTemplateName": "ebf9db0c-ba7b-4249-b9ec-50a05fa7c7c9",
        "customDetails": null,
        "description": "'Detects multiple connection errors to resource from risky category.'\n",
        "displayName": "Cisco WSA - Multiple errors to resource from risky category",
        "enabled": true,
        "entityMappings": [
          {
            "entityType": "URL",
            "fieldMappings": [
              {
                "columnName": "URLCustomEntity",
                "identifier": "Url"
              }
            ]
          },
          {
            "entityType": "Account",
            "fieldMappings": [
              {
                "columnName": "AccountCustomEntity",
                "identifier": "Name"
              }
            ]
          }
        ],
        "OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/CiscoWSA/Analytic Rules/CiscoWSAMultipleErrorsToUnwantedCategory.yaml",
        "query": "let threshold = 10;\nlet risky_sites = dynamic(['IW_adlt', 'IW_hack', 'IW_porn']);\nCiscoWSAEvent\n| where DvcAction startswith 'BLOCK_'\n| where UrlCategory in~ (risky_sites)\n| summarize count() by SrcUserName, UrlOriginal, bin(TimeGenerated, 5m)\n| where count_ >= threshold\n| extend URLCustomEntity = UrlOriginal, AccountCustomEntity = SrcUserName\n",
        "queryFrequency": "PT1H",
        "queryPeriod": "PT1H",
        "severity": "Medium",
        "status": "Available",
        "suppressionDuration": "PT1H",
        "suppressionEnabled": false,
        "tactics": [
          "CommandAndControl",
          "InitialAccess"
        ],
        "techniques": [
          "T1102",
          "T1189"
        ],
        "templateVersion": "1.0.0",
        "triggerOperator": "GreaterThan",
        "triggerThreshold": 0
      },
      "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules"
    }
  ]
}