Cisco Umbrella - URI contains IP address

Back


Id	ee1818ec-5f65-4991-b711-bcf2ab7e36c3
Rulename	Cisco Umbrella - URI contains IP address
Description	Malware can use IP address to communicate with C2.
Severity	Medium
Tactics	CommandAndControl
Required data connectors	CiscoUmbrellaDataConnector
Kind	Scheduled
Query frequency	10m
Query period	10m
Trigger threshold	0
Trigger operator	gt
Source Uri	https://github.com/Azure/Azure-Sentinel/blob/master/Detections/CiscoUmbrella/CiscoUmbrellaURIContainsIPAddress.yaml
Version	1.1.1
Arm template	ee1818ec-5f65-4991-b711-bcf2ab7e36c3.json

KQL

let lbtime = 10m;
Cisco_Umbrella
| where TimeGenerated > ago(lbtime)
| where EventType == 'proxylogs'
| where DvcAction =~ 'Allowed'
| where UrlOriginal matches regex @'\Ahttp:\/\/\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}.*'
| project TimeGenerated, SrcIpAddr, Identities

YAML

requiredDataConnectors:
- connectorId: CiscoUmbrellaDataConnector
  dataTypes:
  - Cisco_Umbrella_proxy_CL
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Detections/CiscoUmbrella/CiscoUmbrellaURIContainsIPAddress.yaml
triggerThreshold: 0
description: |
    'Malware can use IP address to communicate with C2.'
queryPeriod: 10m
name: Cisco Umbrella - URI contains IP address
entityMappings:
- entityType: Account
  fieldMappings:
  - columnName: Identities
    identifier: FullName
- entityType: IP
  fieldMappings:
  - columnName: SrcIpAddr
    identifier: Address
queryFrequency: 10m
triggerOperator: gt
kind: Scheduled
tactics:
- CommandAndControl
severity: Medium
version: 1.1.1
query: |
  let lbtime = 10m;
  Cisco_Umbrella
  | where TimeGenerated > ago(lbtime)
  | where EventType == 'proxylogs'
  | where DvcAction =~ 'Allowed'
  | where UrlOriginal matches regex @'\Ahttp:\/\/\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}.*'
  | project TimeGenerated, SrcIpAddr, Identities  
id: ee1818ec-5f65-4991-b711-bcf2ab7e36c3

ARM