Cisco Umbrella - URI contains IP address

Back


Id	ee1818ec-5f65-4991-b711-bcf2ab7e36c3
Rulename	Cisco Umbrella - URI contains IP address
Description	Malware can use IP address to communicate with C2.
Severity	Medium
Tactics	CommandAndControl
Required data connectors	CiscoUmbrellaDataConnector
Kind	Scheduled
Query frequency	10m
Query period	10m
Trigger threshold	0
Trigger operator	gt
Source Uri	https://github.com/Azure/Azure-Sentinel/blob/master/Detections/CiscoUmbrella/CiscoUmbrellaURIContainsIPAddress.yaml
Version	1.1.1
Arm template	ee1818ec-5f65-4991-b711-bcf2ab7e36c3.json

KQL

let lbtime = 10m;
Cisco_Umbrella
| where TimeGenerated > ago(lbtime)
| where EventType == 'proxylogs'
| where DvcAction =~ 'Allowed'
| where UrlOriginal matches regex @'\Ahttp:\/\/\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}.*'
| project TimeGenerated, SrcIpAddr, Identities

YAML

severity: Medium
queryPeriod: 10m
name: Cisco Umbrella - URI contains IP address
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Detections/CiscoUmbrella/CiscoUmbrellaURIContainsIPAddress.yaml
entityMappings:
- fieldMappings:
  - columnName: Identities
    identifier: FullName
  entityType: Account
- fieldMappings:
  - columnName: SrcIpAddr
    identifier: Address
  entityType: IP
version: 1.1.1
id: ee1818ec-5f65-4991-b711-bcf2ab7e36c3
queryFrequency: 10m
triggerThreshold: 0
triggerOperator: gt
query: |
  let lbtime = 10m;
  Cisco_Umbrella
  | where TimeGenerated > ago(lbtime)
  | where EventType == 'proxylogs'
  | where DvcAction =~ 'Allowed'
  | where UrlOriginal matches regex @'\Ahttp:\/\/\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}.*'
  | project TimeGenerated, SrcIpAddr, Identities  
description: |
    'Malware can use IP address to communicate with C2.'
requiredDataConnectors:
- connectorId: CiscoUmbrellaDataConnector
  dataTypes:
  - Cisco_Umbrella_proxy_CL
tactics:
- CommandAndControl
kind: Scheduled

ARM