Merge pull request #1803 from Azure/cisccoumbrella-missingconnectors

update missing connectors and missing techniques for CiscoUmbrella
This commit is contained in:
Shain 2021-03-17 19:53:39 -07:00 committed by GitHub
Parent 494ab2dc06 25ba9498c1
Commit f681d42dfb
No key found matching this signature
GPG key ID: 4AEE18F83AFDEB23
10 changed files: 30 additions and 0 deletions

@ -2,8 +2,11 @@ id: c92741e6-8454-40bb-8830-069cb86946c6
name: Cisco Umbrella - Anomalous FQDNs for domain
description: |
'Large number of FQDNs for domain may be indicator of suspicious domain.'
requiredDataConnectors: []
tactics:
- CommandandControl
relevantTechniques:
- T1071
query: |
Cisco_Umbrella
| where TimeGenerated > ago(24h)
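Review bot: `requiredDataConnectors: []` leaves the dependency empty even though the query reads from the `Cisco_Umbrella` table and the PR title says it is adding the missing connectors; if that table is populated by the Cisco Umbrella data connector, list that connector's id and the data types it provides here so the template declares what it needs. Separately, the tactic value `- CommandandControl` uses a lowercase `and`, whereas the Sentinel tactic name is spelled `CommandAndControl`; check that this casing passes the template validation before merging.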

@ -2,8 +2,11 @@ id: 497d7250-87e1-49b1-a096-94f61c7ade9c
name: Cisco Umbrella - 'Blocked' User-Agents.
description: |
'Shows User-Agent values which requests were blocked'
requiredDataConnectors: []
tactics:
- Exfiltration
relevantTechniques:
- T1020
query: |
Cisco_Umbrella
| where TimeGenerated > ago(24h)
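Review bot: the `id: 497d7250-87e1-49b1-a096-94f61c7ade9c` on this template is the same GUID used by the "Cisco Umbrella - Possible data exfiltration" template later in this PR; template ids must be unique, so one of the two needs a fresh GUID. While touching the header, the description reads better as 'Shows User-Agent values whose requests were blocked'.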

@ -2,8 +2,11 @@ id: 26aebe0d-9a4f-456d-bbb9-9f4c9c5d28ca
name: Cisco Umbrella - DNS Errors.
description: |
'Shows error DNS requests.'
requiredDataConnectors: []
tactics:
- InitialAccess
relevantTechniques:
- T1189
query: |
Cisco_Umbrella
| where TimeGenerated > ago(24h)
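Review bot: the mapping `tactics: - InitialAccess` / `relevantTechniques: - T1189` (Drive-by Compromise) is not explained by the description 'Shows error DNS requests.'; either state in the description why DNS error responses are treated as a drive-by indicator or pick a tactic and technique that matches what the query actually surfaces.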

@ -2,8 +2,11 @@ id: bd1457df-3e81-4218-a079-0963200c8d67
name: Cisco Umbrella - DNS requests to unreliable categories.
description: |
'Shows requests to URI categories which heavily are used in Initial Access stage by threat actiors and may contain malicious content.'
requiredDataConnectors: []
tactics:
- InitialAccess
relevantTechniques:
- T1189
query: |
Cisco_Umbrella
| where TimeGenerated > ago(24h)
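Review bot: typo in the description, 'threat actiors' should be 'threat actors', and 'which heavily are used' reads better as 'which are heavily used'. The same sentence appears verbatim in the "Proxy 'Allowed' to unreliable categories" template in this PR, so fix both copies together.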

@ -2,8 +2,11 @@ id: 173f8699-6af5-484a-8b06-8c47ba89b380
name: Cisco Umbrella - Higher values of count of the Same BytesIn size
description: |
'Calculate the count of BytesIn per Source-Destination pair over 24 hours. Higher values may indicate beaconing.'
requiredDataConnectors: []
tactics:
- CommandandControl
relevantTechniques:
- T1071
query: |
let timeframe = 1d;
Cisco_Umbrella
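Review bot: the name says 'count of the Same BytesIn size' but the description only says 'Calculate the count of BytesIn per Source-Destination pair over 24 hours', which is also how the "Possible connection to C2" template in this PR describes itself, with the same tactic and T1071; state in the description what this rule groups on (the repeated BytesIn value, per the name) so the two templates are distinguishable to someone reading the gallery.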

@ -2,8 +2,11 @@ id: 975419eb-7041-419c-b8f0-c4bf513cf2b2
name: Cisco Umbrella - High values of Uploaded Data
description: |
'A normal user activity consists mostly of downloading data. Uploaded data is usually small unless there is a file/data upload to a website. Calculate the sum of BytesOut per Source-Destination pair over 12/24 hours.'
requiredDataConnectors: []
tactics:
- Exfiltration
relevantTechniques:
- T1020
query: |
let timeframe = 1d;
Cisco_Umbrella
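Review bot: the description says the sum is calculated 'over 12/24 hours' while the query fixes `let timeframe = 1d;`; make the description match the 24-hour window the query uses (or note that `timeframe` is the tunable). This description is also identical to the one on the "Possible data exfiltration" template in this PR; if the two rules differ, the descriptions should say how.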

@ -2,8 +2,11 @@ id: 85421f18-2de4-42ff-9ef4-058924dcb1bf
name: Cisco Umbrella - Possible connection to C2.
description: |
'Calculate the count of BytesIn per Source-Destination pair over 12/24 hours. Higher values may indicate beaconing. C2 servers reply with the same data, making BytesIn value the same.'
requiredDataConnectors: []
tactics:
- CommandandControl
relevantTechniques:
- T1071
query: |
let timeframe = 1d;
Cisco_Umbrella
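Review bot: same window mismatch as the upload rule: the description says 'over 12/24 hours' but the query sets `let timeframe = 1d;`, so the text should state 24 hours or refer to the `timeframe` variable. The reasoning 'C2 servers reply with the same data, making BytesIn value the same' is the point that distinguishes this template from "Higher values of count of the Same BytesIn size", so it is worth keeping it in the description and reflecting it in the name.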

@ -2,8 +2,11 @@ id: 497d7250-87e1-49b1-a096-94f61c7ade9c
name: Cisco Umbrella - Possible data exfiltration
description: |
'A normal user activity consists mostly of downloading data. Uploaded data is usually small unless there is a file/data upload to a website. Calculate the sum of BytesOut per Source-Destination pair over 12/24 hours.'
requiredDataConnectors: []
tactics:
- Exfiltration
relevantTechniques:
- T1020
query: |
let timeframe = 1d;
Cisco_Umbrella
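Review bot: `id: 497d7250-87e1-49b1-a096-94f61c7ade9c` duplicates the GUID of the "'Blocked' User-Agents" template in this same PR; generate a new GUID for one of them. The description is also a verbatim copy of the "High values of Uploaded Data" template's description; if both rules are meant to ship, give each a description that says what it detects that the other does not.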

@ -2,8 +2,11 @@ id: daf2f3cf-0f0d-45c1-b428-3c23d643859b
name: Cisco Umbrella - Proxy 'Allowed' to unreliable categories.
description: |
'Shows allowed requests to URI categories which heavily are used in Initial Access stage by threat actiors and may contain malicious content.'
requiredDataConnectors: []
tactics:
- InitialAccess
relevantTechniques:
- T1189
query: |
Cisco_Umbrella
| where TimeGenerated > ago(24h)
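Review bot: same typo as in the DNS variant of this rule, 'threat actiors' should be 'threat actors', and 'which heavily are used' should be 'which are heavily used'; both templates share the sentence, so correct them in the same change.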

@ -2,8 +2,11 @@ id: de2ec986-ee24-465f-adf2-b718997074c1
name: Cisco Umbrella - Requests to uncategorized resources
description: |
'Shows requests to URL where UrlCategory is not set.'
requiredDataConnectors: []
tactics:
- InitialAccess
relevantTechniques:
- T1071
query: |
Cisco_Umbrella
| where TimeGenerated > ago(24h)
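Review bot: `tactics: - InitialAccess` is paired with `relevantTechniques: - T1071`, but T1071 (Application Layer Protocol) sits under Command and Control in ATT&CK, not Initial Access; either choose an Initial Access technique that fits 'requests to URL where UrlCategory is not set' or change the tactic to `CommandAndControl` so the template's tactic and technique agree.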