Cisco Umbrella - URI contains IP address

Back


Id	ee1818ec-5f65-4991-b711-bcf2ab7e36c3
Rulename	Cisco Umbrella - URI contains IP address
Description	Malware can use IP address to communicate with C2.
Severity	Medium
Tactics	CommandAndControl
Required data connectors	CiscoUmbrellaDataConnector
Kind	Scheduled
Query frequency	10m
Query period	10m
Trigger threshold	0
Trigger operator	gt
Source Uri	https://github.com/Azure/Azure-Sentinel/blob/master/Detections/CiscoUmbrella/CiscoUmbrellaURIContainsIPAddress.yaml
Version	1.1.1
Arm template	ee1818ec-5f65-4991-b711-bcf2ab7e36c3.json

KQL

let lbtime = 10m;
Cisco_Umbrella
| where TimeGenerated > ago(lbtime)
| where EventType == 'proxylogs'
| where DvcAction =~ 'Allowed'
| where UrlOriginal matches regex @'\Ahttp:\/\/\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}.*'
| project TimeGenerated, SrcIpAddr, Identities

YAML

name: Cisco Umbrella - URI contains IP address
id: ee1818ec-5f65-4991-b711-bcf2ab7e36c3
query: |
  let lbtime = 10m;
  Cisco_Umbrella
  | where TimeGenerated > ago(lbtime)
  | where EventType == 'proxylogs'
  | where DvcAction =~ 'Allowed'
  | where UrlOriginal matches regex @'\Ahttp:\/\/\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}.*'
  | project TimeGenerated, SrcIpAddr, Identities  
entityMappings:
- entityType: Account
  fieldMappings:
  - identifier: FullName
    columnName: Identities
- entityType: IP
  fieldMappings:
  - identifier: Address
    columnName: SrcIpAddr
description: |
    'Malware can use IP address to communicate with C2.'
queryPeriod: 10m
tactics:
- CommandAndControl
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Detections/CiscoUmbrella/CiscoUmbrellaURIContainsIPAddress.yaml
kind: Scheduled
triggerOperator: gt
severity: Medium
version: 1.1.1
queryFrequency: 10m
triggerThreshold: 0
requiredDataConnectors:
- connectorId: CiscoUmbrellaDataConnector
  dataTypes:
  - Cisco_Umbrella_proxy_CL

ARM