Cisco Umbrella - URI contains IP address

Back


Id	ee1818ec-5f65-4991-b711-bcf2ab7e36c3
Rulename	Cisco Umbrella - URI contains IP address
Description	Malware can use IP address to communicate with C2.
Severity	Medium
Tactics	CommandAndControl
Required data connectors	CiscoUmbrellaDataConnector
Kind	Scheduled
Query frequency	10m
Query period	10m
Trigger threshold	0
Trigger operator	gt
Source Uri	https://github.com/Azure/Azure-Sentinel/blob/master/Detections/CiscoUmbrella/CiscoUmbrellaURIContainsIPAddress.yaml
Version	1.1.1
Arm template	ee1818ec-5f65-4991-b711-bcf2ab7e36c3.json

KQL

let lbtime = 10m;
Cisco_Umbrella
| where TimeGenerated > ago(lbtime)
| where EventType == 'proxylogs'
| where DvcAction =~ 'Allowed'
| where UrlOriginal matches regex @'\Ahttp:\/\/\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}.*'
| project TimeGenerated, SrcIpAddr, Identities

YAML

name: Cisco Umbrella - URI contains IP address
id: ee1818ec-5f65-4991-b711-bcf2ab7e36c3
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Detections/CiscoUmbrella/CiscoUmbrellaURIContainsIPAddress.yaml
requiredDataConnectors:
- dataTypes:
  - Cisco_Umbrella_proxy_CL
  connectorId: CiscoUmbrellaDataConnector
version: 1.1.1
severity: Medium
triggerThreshold: 0
queryPeriod: 10m
entityMappings:
- fieldMappings:
  - identifier: FullName
    columnName: Identities
  entityType: Account
- fieldMappings:
  - identifier: Address
    columnName: SrcIpAddr
  entityType: IP
queryFrequency: 10m
query: |
  let lbtime = 10m;
  Cisco_Umbrella
  | where TimeGenerated > ago(lbtime)
  | where EventType == 'proxylogs'
  | where DvcAction =~ 'Allowed'
  | where UrlOriginal matches regex @'\Ahttp:\/\/\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}.*'
  | project TimeGenerated, SrcIpAddr, Identities  
tactics:
- CommandAndControl
kind: Scheduled
description: |
    'Malware can use IP address to communicate with C2.'
triggerOperator: gt

ARM