Cisco Umbrella - URI contains IP address

Back


Id	ee1818ec-5f65-4991-b711-bcf2ab7e36c3
Rulename	Cisco Umbrella - URI contains IP address
Description	Malware can use IP address to communicate with C2.
Severity	Medium
Tactics	CommandAndControl
Required data connectors	CiscoUmbrellaDataConnector
Kind	Scheduled
Query frequency	10m
Query period	10m
Trigger threshold	0
Trigger operator	gt
Source Uri	https://github.com/Azure/Azure-Sentinel/blob/master/Detections/CiscoUmbrella/CiscoUmbrellaURIContainsIPAddress.yaml
Version	1.1.1
Arm template	ee1818ec-5f65-4991-b711-bcf2ab7e36c3.json

KQL

let lbtime = 10m;
Cisco_Umbrella
| where TimeGenerated > ago(lbtime)
| where EventType == 'proxylogs'
| where DvcAction =~ 'Allowed'
| where UrlOriginal matches regex @'\Ahttp:\/\/\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}.*'
| project TimeGenerated, SrcIpAddr, Identities

YAML

description: |
    'Malware can use IP address to communicate with C2.'
kind: Scheduled
tactics:
- CommandAndControl
requiredDataConnectors:
- connectorId: CiscoUmbrellaDataConnector
  dataTypes:
  - Cisco_Umbrella_proxy_CL
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Detections/CiscoUmbrella/CiscoUmbrellaURIContainsIPAddress.yaml
severity: Medium
name: Cisco Umbrella - URI contains IP address
triggerThreshold: 0
queryPeriod: 10m
query: |
  let lbtime = 10m;
  Cisco_Umbrella
  | where TimeGenerated > ago(lbtime)
  | where EventType == 'proxylogs'
  | where DvcAction =~ 'Allowed'
  | where UrlOriginal matches regex @'\Ahttp:\/\/\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}.*'
  | project TimeGenerated, SrcIpAddr, Identities  
id: ee1818ec-5f65-4991-b711-bcf2ab7e36c3
queryFrequency: 10m
entityMappings:
- entityType: Account
  fieldMappings:
  - columnName: Identities
    identifier: FullName
- entityType: IP
  fieldMappings:
  - columnName: SrcIpAddr
    identifier: Address
triggerOperator: gt
version: 1.1.1

ARM