Merge pull request #3555 from socprime/cisco_wsa_content

add cisco wsa content

.script/tests/KqlvalidationsTests/CustomTables/CiscoWSAEvent.json

@@ -0,0 +1,385 @@
+{
+    "Name": "CiscoWSAEvent",
+    "Properties": [
+        {
+            "Name": "TimeGenerated",
+            "Type": "DateTime"
+        },
+        {
+            "Name": "AmpFileHashSha256",
+            "Type": "String"
+        },
+        {
+            "Name": "AmpFileName",
+            "Type": "String"
+        },
+        {
+            "Name": "AmpReputationScore",
+            "Type": "String"
+        },
+        {
+            "Name": "AmpScanningVerdict",
+            "Type": "String"
+        },
+        {
+            "Name": "AmpThreatName",
+            "Type": "String"
+        },
+        {
+            "Name": "AmpUploadIndicator",
+            "Type": "String"
+        },
+        {
+            "Name": "ArchiveScannerFileVerdict",
+            "Type": "String"
+        },
+        {
+            "Name": "ArchiveScanningVerdict",
+            "Type": "String"
+        },
+        {
+            "Name": "ArchiveScanningVerdictDetail",
+            "Type": "String"
+        },
+        {
+            "Name": "AvcApplicationBehavior",
+            "Type": "String"
+        },
+        {
+            "Name": "AvcApplicationName",
+            "Type": "String"
+        },
+        {
+            "Name": "AvcApplicationType",
+            "Type": "String"
+        },
+        {
+            "Name": "AvgBandwidth(Kb/sec)",
+            "Type": "Double"
+        },
+        {
+            "Name": "BlockedFileTypeDetail",
+            "Type": "String"
+        },
+        {
+            "Name": "CiscoDataSecurityScanningVerdict",
+            "Type": "String"
+        },
+        {
+            "Name": "ClientRequestThreatName",
+            "Type": "String"
+        },
+        {
+            "Name": "ContactedServerCode",
+            "Type": "String"
+        },
+        {
+            "Name": "DataSecurityPolicyGroupName",
+            "Type": "String"
+        },
+        {
+            "Name": "DcaUrlCategoryVerdict",
+            "Type": "String"
+        },
+        {
+            "Name": "DstBytes",
+            "Type": "String"
+        },
+        {
+            "Name": "DstHostname",
+            "Type": "Int"
+        },
+        {
+            "Name": "DstIpAddr",
+            "Type": "String"
+        },
+        {
+            "Name": "DstPortNumber",
+            "Type": "String"
+        },
+        {
+            "Name": "DvcAction",
+            "Type": "String"
+        },
+        {
+            "Name": "EventProduct",
+            "Type": "String"
+        },
+        {
+            "Name": "EventResultDetails",
+            "Type": "String"
+        },
+        {
+            "Name": "EventStartTime",
+            "Type": "DateTime"
+        },
+        {
+            "Name": "EventTime",
+            "Type": "DateTime"
+        },
+        {
+            "Name": "EventVendor",
+            "Type": "String"
+        },
+        {
+            "Name": "ExternalDlpScannningVerdict",
+            "Type": "String"
+        },
+        {
+            "Name": "ExternalDplPolicyGroupName",
+            "Type": "String"
+        },
+        {
+            "Name": "GteEncapsulatedUrl",
+            "Type": "String"
+        },
+        {
+            "Name": "HostIP",
+            "Type": "String"
+        },
+        {
+            "Name": "HostName",
+            "Type": "String"
+        },
+        {
+            "Name": "HttpReferrerOriginal",
+            "Type": "String"
+        },
+        {
+            "Name": "HttpRequestMethod",
+            "Type": "String"
+        },
+        {
+            "Name": "HttpRequestXff",
+            "Type": "String"
+        },
+        {
+            "Name": "HttpStatusCode",
+            "Type": "String"
+        },
+        {
+            "Name": "IdentityPolicyGroupName",
+            "Type": "String"
+        },
+        {
+            "Name": "Latency",
+            "Type": "Integer"
+        },
+        {
+            "Name": "MalwareScanningVerdict",
+            "Type": "String"
+        },
+        {
+            "Name": "McAfeeDetectionType",
+            "Type": "String"
+        },
+        {
+            "Name": "McAfeeMalwareScanningVerdict",
+            "Type": "String"
+        },
+        {
+            "Name": "McAfeeScanError",
+            "Type": "String"
+        },
+        {
+            "Name": "McAfeeScannedFileName",
+            "Type": "String"
+        },
+        {
+            "Name": "McAfeeThreatCategory",
+            "Type": "String"
+        },
+        {
+            "Name": "McAfeeThreatName",
+            "Type": "String"
+        },
+        {
+            "Name": "NetworkApplicationProtocol",
+            "Type": "String"
+        },
+        {
+            "Name": "NetworkBytes",
+            "Type": "String"
+        },
+        {
+            "Name": "OutboundMalwareScanningPolicyGroupName",
+            "Type": "String"
+        },
+        {
+            "Name": "PolicyGroupName",
+            "Type": "String"
+        },
+        {
+            "Name": "RequestSideAntiMalwareScanningVerdict",
+            "Type": "String"
+        },
+        {
+            "Name": "RequestSideDvsScanningVerdict",
+            "Type": "String"
+        },
+        {
+            "Name": "RequestSideDvsThreatName",
+            "Type": "String"
+        },
+        {
+            "Name": "RequestSideDvsVerdictName",
+            "Type": "String"
+        },
+        {
+            "Name": "RequestSideScanningUrlCategoryVerdict",
+            "Type": "String"
+        },
+        {
+            "Name": "RequestUri",
+            "Type": "String"
+        },
+        {
+            "Name": "ResponseBodyMimeType",
+            "Type": "String"
+        },
+        {
+            "Name": "ResponseSideScanningUrlCategoryVerdict",
+            "Type": "String"
+        },
+        {
+            "Name": "ResponseSideThreatCategory",
+            "Type": "String"
+        },
+        {
+            "Name": "ResponseSideThreatCategoryCode",
+            "Type": "String"
+        },
+        {
+            "Name": "ResponseSideThreatName",
+            "Type": "String"
+        },
+        {
+            "Name": "ResponseThreatCategory",
+            "Type": "String"
+        },
+        {
+            "Name": "RoutingPolicy",
+            "Type": "String"
+        },
+        {
+            "Name": "SafeBrowsingScanningVerdict",
+            "Type": "String"
+        },
+        {
+            "Name": "SeverityLevel",
+            "Type": "String"
+        },
+        {
+            "Name": "SophosScannedFileName",
+            "Type": "String"
+        },
+        {
+            "Name": "SophosScanningVerdict",
+            "Type": "String"
+        },
+        {
+            "Name": "SophosScanReturnCode",
+            "Type": "String"
+        },
+        {
+            "Name": "SophosThreatName",
+            "Type": "String"
+        },
+        {
+            "Name": "SrcBytes",
+            "Type": "String"
+        },
+        {
+            "Name": "SrcIpAddr",
+            "Type": "String"
+        },
+        {
+            "Name": "SrcPortNumber",
+            "Type": "String"
+        },
+        {
+            "Name": "SrcUserName",
+            "Type": "String"
+        },
+        {
+            "Name": "SuspectedUserAgent",
+            "Type": "String"
+        },
+        {
+            "Name": "ThreatIdentifier",
+            "Type": "String"
+        },
+        {
+            "Name": "ThreatName",
+            "Type": "String"
+        },
+        {
+            "Name": "ThreatRiskRatioValue",
+            "Type": "String"
+        },
+        {
+            "Name": "Throttled",
+            "Type": "String"
+        },
+        {
+            "Name": "TraceIdentifier",
+            "Type": "String"
+        },
+        {
+            "Name": "UrlCategory",
+            "Type": "String"
+        },
+        {
+            "Name": "UrlOriginal",
+            "Type": "String"
+        },
+        {
+            "Name": "UserType",
+            "Type": "String"
+        },
+        {
+            "Name": "WbrsScore",
+            "Type": "String"
+        },
+        {
+            "Name": "WebReputationScore",
+            "Type": "String"
+        },
+        {
+            "Name": "WebReputationThreatCategory",
+            "Type": "String"
+        },
+        {
+            "Name": "WebReputationThreatType",
+            "Type": "String"
+        },
+        {
+            "Name": "WebrootScanningVerdict",
+            "Type": "String"
+        },
+        {
+            "Name": "WebrootSpyId",
+            "Type": "String"
+        },
+        {
+            "Name": "WebrootThreatName",
+            "Type": "String"
+        },
+        {
+            "Name": "WebrootThreatRiskRatio",
+            "Type": "String"
+        },
+        {
+            "Name": "WebrootTraceId",
+            "Type": "String"
+        },
+        {
+            "Name": "WebTapBehavior",
+            "Type": "String"
+        },
+        {
+            "Name": "YouTubeUrlCategory",
+            "Type": "String"
+        }
+    ]
+}

.script/tests/detectionTemplateSchemaValidation/ValidConnectorIds.json

@@ -39,6 +39,7 @@
   "CiscoSecureEndpoint",
   "CiscoUCS",
   "CiscoUmbrellaDataConnector",
+  "CiscoWSA",
   "Citrix",
   "CitrixWAF",
   "CloudflareDataConnector",

Solutions/CiscoWSA/Analytic Rules/CiscoWSAAccessToUnwantedSite.yaml

@@ -0,0 +1,29 @@
+id: 38029e86-030c-46c4-8a91-a2be7c74d74c
+name: Cisco WSA - Access to unwanted site
+description: |
+  'Detects when users attempting to access sites from high risk category.'
+severity: Medium
+requiredDataConnectors:
+  - connectorId: CiscoWSA
+    dataTypes:
+      - CiscoWSAEvent
+queryFrequency: 1h
+queryPeriod: 1h
+triggerOperator: gt
+triggerThreshold: 0
+tactics:
+  - InitialAccess
+relevantTechniques:
+  - T1566
+query: |
+  let risky_sites = dynamic(['IW_adlt', 'IW_hack', 'IW_porn']);
+  CiscoWSAEvent
+  | where UrlCategory in~ (risky_sites)
+  | extend AccountCustomEntity = SrcUserName
+entityMappings:
+  - entityType: Account
+    fieldMappings:
+      - identifier: Name
+        columnName: AccountCustomEntity
+version: 1.0.0
+kind: Scheduled

Solutions/CiscoWSA/Analytic Rules/CiscoWSADataExfiltration.yaml

@@ -0,0 +1,32 @@
+id: 32c460ad-2d40-43e9-8ead-5cdd1d7a3163
+name: Cisco WSA - Unexpected uploads
+description: |
+  'Detects unexpected file uploads.'
+severity: Medium
+requiredDataConnectors:
+  - connectorId: CiscoWSA
+    dataTypes:
+      - CiscoWSAEvent
+queryFrequency: 1h
+queryPeriod: 1h
+triggerOperator: gt
+triggerThreshold: 0
+tactics:
+  - Exfiltration
+relevantTechniques:
+  - T1567
+query: |
+  CiscoWSAEvent
+  | where HttpRequestMethod in~ ('POST', 'PUT')
+  | where isnotempty(AmpFileName)
+  | where UrlCategory in~ ('IW_fts', 'IW_osb')
+  | summarize count() by AmpFileName, SrcUserName, bin(TimeGenerated, 10m)
+  | where count_ >= 5
+  | extend AccountCustomEntity = SrcUserName
+entityMappings:
+  - entityType: Account
+    fieldMappings:
+      - identifier: Name
+        columnName: AccountCustomEntity
+version: 1.0.0
+kind: Scheduled

Solutions/CiscoWSA/Analytic Rules/CiscoWSAMultipleErrorsToUnwantedCategory.yaml

@@ -0,0 +1,39 @@
+id: ebf9db0c-ba7b-4249-b9ec-50a05fa7c7c9
+name: Cisco WSA - Multiple errors to resource from risky category
+description: |
+  'Detects multiple connection errors to resource from risky category.'
+severity: Medium
+requiredDataConnectors:
+  - connectorId: CiscoWSA
+    dataTypes:
+      - CiscoWSAEvent
+queryFrequency: 1h
+queryPeriod: 1h
+triggerOperator: gt
+triggerThreshold: 0
+tactics:
+  - InitialAccess
+  - CommandAndControl
+relevantTechniques:
+  - T1189
+  - T1102
+query: |
+  let threshold = 10;
+  let risky_sites = dynamic(['IW_adlt', 'IW_hack', 'IW_porn']);
+  CiscoWSAEvent
+  | where DvcAction startswith 'BLOCK_'
+  | where UrlCategory in~ (risky_sites)
+  | summarize count() by SrcUserName, UrlOriginal, bin(TimeGenerated, 5m)
+  | where count_ >= threshold
+  | extend URLCustomEntity = UrlOriginal, AccountCustomEntity = SrcUserName
+entityMappings:
+  - entityType: URL
+    fieldMappings:
+      - identifier: Url
+        columnName: URLCustomEntity
+  - entityType: Account
+    fieldMappings:
+      - identifier: Name
+        columnName: AccountCustomEntity
+version: 1.0.0
+kind: Scheduled

Solutions/CiscoWSA/Analytic Rules/CiscoWSAMultipleErrorsToUrl.yaml

@@ -0,0 +1,35 @@
+id: 1db49647-435c-41ad-bf8c-7130ba75429d
+name: Cisco WSA - Multiple errors to URL
+description: |
+  'Detects multiple connection errors to URL.'
+severity: Medium
+requiredDataConnectors:
+  - connectorId: CiscoWSA
+    dataTypes:
+      - CiscoWSAEvent
+queryFrequency: 1h
+queryPeriod: 1h
+triggerOperator: gt
+triggerThreshold: 0
+tactics:
+  - CommandAndControl
+relevantTechniques:
+  - T1102
+query: |
+  let threshold = 5;
+  CiscoWSAEvent
+  | where DvcAction =~ 'NONE'
+  | summarize count() by SrcUserName, UrlOriginal, bin(TimeGenerated, 5m)
+  | where count_ >= threshold
+  | extend URLCustomEntity = UrlOriginal, AccountCustomEntity = SrcUserName
+entityMappings:
+  - entityType: URL
+    fieldMappings:
+      - identifier: Url
+        columnName: URLCustomEntity
+  - entityType: Account
+    fieldMappings:
+      - identifier: Name
+        columnName: AccountCustomEntity
+version: 1.0.0
+kind: Scheduled

Solutions/CiscoWSA/Analytic Rules/CiscoWSAMultipleInfectedFles.yaml

@@ -0,0 +1,35 @@
+id: 93186e3d-5dc2-4a00-a993-fa1448db8734
+name: Cisco WSA - Multiple infected files
+description: |
+  'Detects multiple infected files on same source.'
+severity: Medium
+requiredDataConnectors:
+  - connectorId: CiscoWSA
+    dataTypes:
+      - CiscoWSAEvent
+queryFrequency: 1h
+queryPeriod: 1h
+triggerOperator: gt
+triggerThreshold: 0
+tactics:
+  - InitialAccess
+relevantTechniques:
+  - T1189
+query: |
+  CiscoWSAEvent
+  | where isnotempty(AmpFileName)
+  | where isnotempty(ThreatName)
+  | summarize count() by SrcIpAddr, SrcUserName, bin(TimeGenerated, 15m)
+  | where count_ > 1
+  | extend IPCustomEntity = SrcIpAddr, AccountCustomEntity = SrcUserName
+entityMappings:
+  - entityType: IP
+    fieldMappings:
+      - identifier: Address
+        columnName: IPCustomEntity
+  - entityType: Account
+    fieldMappings:
+      - identifier: Name
+        columnName: AccountCustomEntity
+version: 1.0.0
+kind: Scheduled

Solutions/CiscoWSA/Analytic Rules/CiscoWSAMultipleUnwantedFileTypes.yaml

@@ -0,0 +1,35 @@
+id: 46b6c6fc-2c1a-4270-be10-9d444d83f027
+name: Cisco WSA - Multiple attempts to download unwanted file
+description: |
+  'Detects when multiple attempts to download unwanted file occur.'
+severity: Medium
+requiredDataConnectors:
+  - connectorId: CiscoWSA
+    dataTypes:
+      - CiscoWSAEvent
+queryFrequency: 1h
+queryPeriod: 1h
+triggerOperator: gt
+triggerThreshold: 0
+tactics:
+  - InitialAccess
+relevantTechniques:
+  - T1189
+query: |
+  let threshold = 2;
+  CiscoWSAEvent
+  | where DvcAction =~ 'BLOCK_ADMIN_FILE_TYPE'
+  | summarize i_src = makeset(SrcIpAddr) by UrlOriginal, bin(TimeGenerated, 15m)
+  | where array_length(i_src) >= threshold
+  | extend IPCustomEntity = i_src, UrlCustomEntity = UrlOriginal
+entityMappings:
+  - entityType: IP
+    fieldMappings:
+      - identifier: Address
+        columnName: IPCustomEntity
+  - entityType: URL
+    fieldMappings:
+      - identifier: Url
+        columnName: UrlCustomEntity
+version: 1.0.0
+kind: Scheduled

Solutions/CiscoWSA/Analytic Rules/CiscoWSAProtocolAbuse.yaml

@@ -0,0 +1,33 @@
+id: 6f756792-4888-48a5-97cf-40d9430dc932
+name: Cisco WSA - Suspected protocol abuse
+description: |
+  'Detects possible protocol abuse.'
+severity: Medium
+requiredDataConnectors:
+  - connectorId: CiscoWSA
+    dataTypes:
+      - CiscoWSAEvent
+queryFrequency: 1h
+queryPeriod: 1h
+triggerOperator: gt
+triggerThreshold: 0
+tactics:
+  - Exfiltration
+relevantTechniques:
+  - T1048
+query: |
+  CiscoWSAEvent
+  | where DstPortNumber !in ('80', '443')
+  | where NetworkApplicationProtocol in~ ('HTTP', 'HTTPs')
+  | extend IPCustomEntity = SrcIpAddr, AccountCustomEntity = SrcUserName
+entityMappings:
+  - entityType: IP
+    fieldMappings:
+      - identifier: Address
+        columnName: IPCustomEntity
+  - entityType: Account
+    fieldMappings:
+      - identifier: Name
+        columnName: AccountCustomEntity
+version: 1.0.0
+kind: Scheduled

Solutions/CiscoWSA/Analytic Rules/CiscoWSAPublicIPSource.yaml

@@ -0,0 +1,29 @@
+id: 4250b050-e1c6-4926-af04-9484bbd7e94f
+name: Cisco WSA - Internet access from public IP
+description: |
+  'Detects internet access from public IP.'
+severity: Medium
+requiredDataConnectors:
+  - connectorId: CiscoWSA
+    dataTypes:
+      - CiscoWSAEvent
+queryFrequency: 1h
+queryPeriod: 1h
+triggerOperator: gt
+triggerThreshold: 0
+tactics:
+  - InitialAccess
+relevantTechniques:
+  - T1189
+query: |
+  let ip_except = dynamic(['127.0.0.2']);    //Add exceptions to this list
+  CiscoWSAEvent
+  | where ipv4_is_private(SrcIpAddr) == false
+  | extend IPCustomEntity = SrcIpAddr
+entityMappings:
+  - entityType: IP
+    fieldMappings:
+      - identifier: Address
+        columnName: IPCustomEntity
+version: 1.0.0
+kind: Scheduled

Solutions/CiscoWSA/Analytic Rules/CiscoWSAUnexpectedFileType.yaml

@@ -0,0 +1,35 @@
+id: 8e9d1f70-d529-4598-9d3e-5dd5164d1d02
+name: Cisco WSA - Unexpected file type
+description: |
+  'Detects unexpected file type.'
+severity: Medium
+requiredDataConnectors:
+  - connectorId: CiscoWSA
+    dataTypes:
+      - CiscoWSAEvent
+queryFrequency: 1h
+queryPeriod: 1h
+triggerOperator: gt
+triggerThreshold: 0
+tactics:
+  - InitialAccess
+relevantTechniques:
+  - T1189
+query: |
+  CiscoWSAEvent
+  | where isnotempty(AmpFileName)
+  | where isempty(AmpThreatName)
+  | where ResponseBodyMimeType =~ 'application/octet-stream'
+  | where AmpFileName !endswith '.exe'
+  | extend IPCustomEntity = SrcIpAddr, AccountCustomEntity = SrcUserName
+entityMappings:
+  - entityType: IP
+    fieldMappings:
+      - identifier: Address
+        columnName: IPCustomEntity
+  - entityType: Account
+    fieldMappings:
+      - identifier: Name
+        columnName: AccountCustomEntity
+version: 1.0.0
+kind: Scheduled

Solutions/CiscoWSA/Analytic Rules/CiscoWSAUnexpectedUrl.yaml

@@ -0,0 +1,33 @@
+id: 010644fd-2830-4451-9e0e-606cc192f2e7
+name: Cisco WSA - Unexpected URL
+description: |
+  'Detects unexpected URL.'
+severity: Medium
+requiredDataConnectors:
+  - connectorId: CiscoWSA
+    dataTypes:
+      - CiscoWSAEvent
+queryFrequency: 1h
+queryPeriod: 1h
+triggerOperator: gt
+triggerThreshold: 0
+tactics:
+  - CommandAndControl
+relevantTechniques:
+  - T1102
+query: |
+  let threshold = 5;
+  CiscoWSAEvent
+  | where UrlOriginal matches regex @'\Ahttp(s)?[:][/][/]\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}'
+  | extend URLCustomEntity = UrlOriginal, AccountCustomEntity = SrcUserName
+entityMappings:
+  - entityType: URL
+    fieldMappings:
+      - identifier: Url
+        columnName: URLCustomEntity
+  - entityType: Account
+    fieldMappings:
+      - identifier: Name
+        columnName: AccountCustomEntity
+version: 1.0.0
+kind: Scheduled

Solutions/CiscoWSA/Analytic Rules/CiscoWSAUnscannableFile.yaml

@@ -0,0 +1,37 @@
+id: 9b61a945-ebcb-4245-b6e4-51f3addb5248
+name: Cisco WSA - Unscannable file or scan error
+description: |
+  'Detects unscanned downloaded file.'
+severity: Medium
+requiredDataConnectors:
+  - connectorId: CiscoWSA
+    dataTypes:
+      - CiscoWSAEvent
+queryFrequency: 1h
+queryPeriod: 1h
+triggerOperator: gt
+triggerThreshold: 0
+tactics:
+  - InitialAccess
+relevantTechniques:
+  - T1189
+query: |
+  CiscoWSAEvent
+  | where isnotempty(AmpFileName)
+  | where AmpScanningVerdict in ('2', '3')
+  | extend IPCustomEntity = SrcIpAddr, FileCustomEntity = AmpFileName, AccountCustomEntity = SrcUserName
+entityMappings:
+  - entityType: IP
+    fieldMappings:
+      - identifier: Address
+        columnName: IPCustomEntity
+  - entityType: File
+    fieldMappings:
+      - identifier: Name
+        columnName: FileCustomEntity
+  - entityType: Account
+    fieldMappings:
+      - identifier: Name
+        columnName: AccountCustomEntity
+version: 1.0.0
+kind: Scheduled

Solutions/CiscoWSA/Hunting Queries/CiscoWSABlockedFiles.yaml

@@ -0,0 +1,24 @@
+id: ebbd2b87-44c6-481a-8e4f-eaf5aa76e017
+name: Cisco WSA - Blocked files
+description: |
+  'Query searches for blocked files.'
+severity: Medium
+requiredDataConnectors:
+  - connectorId: CiscoWSA
+    dataTypes:
+      - CiscoWSAEvent
+tactics:
+  - InitialAccess
+relevantTechniques:
+  - T1189
+query: |
+  CiscoWSAEvent
+  | where TimeGenerated > ago(24h)
+  | where DvcAction =~ 'BLOCK_ADMIN_FILE_TYPE'
+  | summarize count() by UrlOriginal
+  | extend URLCustomEntity = UrlOriginal
+entityMappings:
+  - entityType: URL
+    fieldMappings:
+      - identifier: Url
+        columnName: URLCustomEntity

Solutions/CiscoWSA/Hunting Queries/CiscoWSARareApplications.yaml

@@ -0,0 +1,26 @@
+id: 686ec2d3-fdbb-4fa2-b834-ff1d0f2486fb
+name: Cisco WSA - Rare aplications
+description: |
+  'Query searches for rare applications.'
+severity: Medium
+requiredDataConnectors:
+  - connectorId: CiscoWSA
+    dataTypes:
+      - CiscoWSAEvent
+tactics:
+  - CommandAndControl
+  - Exfiltration
+relevantTechniques:
+  - T1048
+  - T1567
+query: |
+  CiscoWSAEvent
+  | where TimeGenerated > ago(24h)
+  | summarize count() by AvcApplicationName, SrcUserName
+  | order by count_ asc
+  | extend AccountCustomEntity = SrcUserName
+entityMappings:
+  - entityType: IP
+    fieldMappings:
+      - identifier: Address
+        columnName: IPCustomEntity

Solutions/CiscoWSA/Hunting Queries/CiscoWSATopApplications.yaml

@@ -0,0 +1,23 @@
+id: 6d4d7689-5e1d-4687-b1fc-eb0b7340c9a3
+name: Cisco WSA - Top aplications
+description: |
+  'Query searches for top applications.'
+severity: Medium
+requiredDataConnectors:
+  - connectorId: CiscoWSA
+    dataTypes:
+      - CiscoWSAEvent
+tactics:
+  - InitialAccess
+relevantTechniques:
+  - T1189
+query: |
+  CiscoWSAEvent
+  | where TimeGenerated > ago(24h)
+  | summarize count() by AvcApplicationName, SrcUserName
+  | extend AccountCustomEntity = SrcUserName
+entityMappings:
+  - entityType: IP
+    fieldMappings:
+      - identifier: Address
+        columnName: IPCustomEntity

Solutions/CiscoWSA/Hunting Queries/CiscoWSATopResources.yaml

@@ -0,0 +1,27 @@
+id: aaf6ba04-7a00-401e-a650-06e213f3bfbc
+name: Cisco WSA - Top URLs
+description: |
+  'Query searches for top URLs.'
+severity: Medium
+requiredDataConnectors:
+  - connectorId: CiscoWSA
+    dataTypes:
+      - CiscoWSAEvent
+tactics:
+  - InitialAccess
+relevantTechniques:
+  - T1189
+query: |
+  CiscoWSAEvent
+  | where TimeGenerated > ago(24h)
+  | summarize count() by UrlOriginal, SrcUserName
+  | extend URLCustomEntity = UrlOriginal, AccountCustomEntity = SrcUserName
+entityMappings:
+  - entityType: URL
+    fieldMappings:
+      - identifier: Url
+        columnName: URLCustomEntity
+  - entityType: Account
+    fieldMappings:
+      - identifier: Name
+        columnName: AccountCustomEntity

Solutions/CiscoWSA/Hunting Queries/CiscoWSAUncategorizedResources.yaml

@@ -0,0 +1,32 @@
+id: deddf5e8-8fee-4ec5-9121-415eb954c34d
+name: Cisco WSA - Uncategorized URLs
+description: |
+  'Query searches for uncategorized URLs.'
+severity: Medium
+requiredDataConnectors:
+  - connectorId: CiscoWSA
+    dataTypes:
+      - CiscoWSAEvent
+tactics:
+  - InitialAccess
+relevantTechniques:
+  - T1189
+query: |
+  CiscoWSAEvent
+  | where TimeGenerated > ago(24h)
+  | where UrlCategory in~ ('IW_nc', 'IW_nact')
+  | project UrlOriginal, SrcUserName, SrcIpAddr
+  | extend URLCustomEntity = UrlOriginal, AccountCustomEntity = SrcUserName, IPCustomEntity = SrcIpAddr
+entityMappings:
+  - entityType: IP
+    fieldMappings:
+      - identifier: Address
+        columnName: IPCustomEntity
+  - entityType: URL
+    fieldMappings:
+      - identifier: Url
+        columnName: URLCustomEntity
+  - entityType: Account
+    fieldMappings:
+      - identifier: Name
+        columnName: AccountCustomEntity

Solutions/CiscoWSA/Hunting Queries/CiscoWSAUploadedFiles.yaml

@@ -0,0 +1,25 @@
+id: 9d08418d-e21e-4fd6-b9bc-d80ce786d2da
+name: Cisco WSA - Uploaded files
+description: |
+  'Query searches for uploaded files.'
+severity: Medium
+requiredDataConnectors:
+  - connectorId: CiscoWSA
+    dataTypes:
+      - CiscoWSAEvent
+tactics:
+  - InitialAccess
+relevantTechniques:
+  - T1189
+query: |
+  CiscoWSAEvent
+  | where TimeGenerated > ago(24h)
+  | where HttpRequestMethod in~ ('POST', 'PUT')
+  | where isnotempty(AmpFileName)
+  | project AmpFileName, SrcUserName
+  | extend AccountCustomEntity = SrcUserName
+entityMappings:
+  - entityType: Account
+    fieldMappings:
+      - identifier: Name
+        columnName: AccountCustomEntity

Solutions/CiscoWSA/Hunting Queries/CiscoWSAUrlRareErrorUrl.yaml

@@ -0,0 +1,27 @@
+id: 88edb5d8-3ad9-4004-aefa-43c289483935
+name: Cisco WSA - Rare URL with error
+description: |
+  'Query searches for rare URLs with errors.'
+severity: Medium
+requiredDataConnectors:
+  - connectorId: CiscoWSA
+    dataTypes:
+      - CiscoWSAEvent
+tactics:
+  - InitialAccess
+  - CommandAndControl
+relevantTechniques:
+  - T1189
+  - T1048
+query: |
+  CiscoWSAEvent
+  | where TimeGenerated > ago(24h)
+  | where DvcAction =~ 'OTHER'
+  | summarize count() by UrlOriginal
+  | order by count_ asc
+  | extend URLCustomEntity = UrlOriginal
+entityMappings:
+  - entityType: URL
+    fieldMappings:
+      - identifier: Url
+        columnName: URLCustomEntity

Solutions/CiscoWSA/Hunting Queries/CiscoWSAUrlShortenerLinks.yaml

@@ -0,0 +1,32 @@
+id: 04582ef2-42be-4371-9ecf-635337c92ddb
+name: Cisco WSA - URL shorteners
+description: |
+  'Query searches connections to Url shorteners resources.'
+severity: Medium
+requiredDataConnectors:
+  - connectorId: CiscoWSA
+    dataTypes:
+      - CiscoWSAEvent
+tactics:
+  - InitialAccess
+relevantTechniques:
+  - T1189
+query: |
+  CiscoWSAEvent
+  | where TimeGenerated > ago(24h)
+  | where UrlCategory =~ 'IW_shrt'
+  | project UrlOriginal, SrcUserName, SrcIpAddr
+  | extend URLCustomEntity = UrlOriginal, AccountCustomEntity = SrcUserName, IPCustomEntity = SrcIpAddr
+entityMappings:
+  - entityType: IP
+    fieldMappings:
+      - identifier: Address
+        columnName: IPCustomEntity
+  - entityType: URL
+    fieldMappings:
+      - identifier: Url
+        columnName: URLCustomEntity
+  - entityType: Account
+    fieldMappings:
+      - identifier: Name
+        columnName: AccountCustomEntity

Solutions/CiscoWSA/Hunting Queries/CiscoWSAUrlSuspiciousResources.yaml

@@ -0,0 +1,32 @@
+id: 8c35faed-a8cf-4d8d-8c67-f14f2ff6e7e9
+name: Cisco WSA - Potentially risky resources
+description: |
+  'Query searches for potentially risky resources.'
+severity: Medium
+requiredDataConnectors:
+  - connectorId: CiscoWSA
+    dataTypes:
+      - CiscoWSAEvent
+tactics:
+  - InitialAccess
+relevantTechniques:
+  - T1189
+query: |
+  CiscoWSAEvent
+  | where TimeGenerated > ago(24h)
+  | where DvcAction =~ 'BLOCK_CONTINUE_WEBCAT'
+  | project UrlOriginal, SrcUserName, SrcIpAddr
+  | extend URLCustomEntity = UrlOriginal, AccountCustomEntity = SrcUserName, IPCustomEntity = SrcIpAddr
+entityMappings:
+  - entityType: IP
+    fieldMappings:
+      - identifier: Address
+        columnName: IPCustomEntity
+  - entityType: URL
+    fieldMappings:
+      - identifier: Url
+        columnName: URLCustomEntity
+  - entityType: Account
+    fieldMappings:
+      - identifier: Name
+        columnName: AccountCustomEntity

Solutions/CiscoWSA/Hunting Queries/CiscoWSAUrlUsersWithErrors.yaml

@@ -0,0 +1,30 @@
+id: 77ec347d-db28-4556-8a5a-dbc2ec7c9461
+name: Cisco WSA - User errors
+description: |
+  'Query searches for user errors during accessing resource.'
+severity: Medium
+requiredDataConnectors:
+  - connectorId: CiscoWSA
+    dataTypes:
+      - CiscoWSAEvent
+tactics:
+  - InitialAccess
+  - CommandAndControl
+relevantTechniques:
+  - T1189
+  - T1048
+query: |
+  CiscoWSAEvent
+  | where TimeGenerated > ago(24h)
+  | where DvcAction =~ 'OTHER'
+  | summarize count() by UrlOriginal, SrcUserName
+  | extend URLCustomEntity = UrlOriginal, AccountCustomEntity = SrcUserName
+entityMappings:
+  - entityType: URL
+    fieldMappings:
+      - identifier: Url
+        columnName: URLCustomEntity
+  - entityType: Account
+    fieldMappings:
+      - identifier: Name
+        columnName: AccountCustomEntity

Solutions/CiscoWSA/Workbooks/CiscoWSA.json

@@ -0,0 +1,370 @@
+{
+  "version": "Notebook/1.0",
+  "items": [
+    {
+      "type": 1,
+      "content": {
+        "json": "**NOTE**: This data connector depends on a parser based on Kusto Function **CiscoWSAEvent** to work as expected. [Follow steps to get this Kusto Function](https://aka.ms/sentinel-ciscowsa-parser)"
+      },
+      "name": "text - 8"
+    },
+    {
+      "type": 9,
+      "content": {
+        "version": "KqlParameterItem/1.0",
+        "parameters": [
+          {
+            "id": "cd8447d9-b096-4673-92d8-2a1e8291a125",
+            "version": "KqlParameterItem/1.0",
+            "name": "TimeRange",
+            "type": 4,
+            "description": "Sets the time name for analysis",
+            "value": {
+              "durationMs": 2592000000
+            },
+            "typeSettings": {
+              "selectableValues": [
+                {
+                  "durationMs": 1800000
+                },
+                {
+                  "durationMs": 3600000
+                },
+                {
+                  "durationMs": 86400000
+                },
+                {
+                  "durationMs": 604800000
+                },
+                {
+                  "durationMs": 2592000000
+                },
+                {
+                  "durationMs": 7776000000
+                }
+              ]
+            },
+            "timeContext": {
+              "durationMs": 86400000
+            }
+          }
+        ],
+        "style": "pills",
+        "queryType": 0,
+        "resourceType": "microsoft.operationalinsights/workspaces"
+      },
+      "name": "parameters - 11"
+    },
+    {
+      "type": 3,
+      "content": {
+        "version": "KqlItem/1.0",
+        "query": "CiscoWSAEvent\r\n| make-series TotalEvents = count() default = 0 on TimeGenerated from {TimeRange:start} to {TimeRange:end} step {TimeRange:grain};",
+        "size": 0,
+        "title": "Events Over Time",
+        "color": "blueDark",
+        "timeContext": {
+          "durationMs": 0
+        },
+        "timeContextFromParameter": "TimeRange",
+        "queryType": 0,
+        "resourceType": "microsoft.operationalinsights/workspaces",
+        "visualization": "timechart",
+        "graphSettings": {
+          "type": 0
+        }
+      },
+      "customWidth": "60",
+      "name": "query - 12",
+      "styleSettings": {
+        "maxWidth": "55"
+      }
+    },
+    {
+      "type": 12,
+      "content": {
+        "version": "NotebookGroup/1.0",
+        "groupType": "editable",
+        "title": "Sources Summary",
+        "items": [
+          {
+            "type": 3,
+            "content": {
+              "version": "KqlItem/1.0",
+              "query": "CiscoWSAEvent\r\n| where isnotempty(SrcIpAddr)\r\n| summarize dcount(SrcIpAddr)",
+              "size": 3,
+              "title": "IP Addresses",
+              "timeContext": {
+                "durationMs": 0
+              },
+              "timeContextFromParameter": "TimeRange",
+              "queryType": 0,
+              "resourceType": "microsoft.operationalinsights/workspaces",
+              "visualization": "card",
+              "textSettings": {
+                "style": "bignumber"
+              }
+            },
+            "customWidth": "50",
+            "name": "query - 3",
+            "styleSettings": {
+              "margin": "10",
+              "padding": "10"
+            }
+          },
+          {
+            "type": 3,
+            "content": {
+              "version": "KqlItem/1.0",
+              "query": "CiscoWSAEvent\n| where isnotempty(SrcUserName)\n| where SrcUserName != '-'\n| summarize dcount(SrcUserName)",
+              "size": 3,
+              "title": "Users",
+              "timeContext": {
+                "durationMs": 0
+              },
+              "timeContextFromParameter": "TimeRange",
+              "queryType": 0,
+              "resourceType": "microsoft.operationalinsights/workspaces",
+              "visualization": "card",
+              "textSettings": {
+                "style": "bignumber"
+              }
+            },
+            "customWidth": "50",
+            "name": "query - 1"
+          },
+          {
+            "type": 3,
+            "content": {
+              "version": "KqlItem/1.0",
+              "query": "CiscoWSAEvent\n| where isnotempty(DstBytes)\n| summarize tb = sum(tolong(DstBytes))\n| project mb = tb / 1000000",
+              "size": 3,
+              "title": "Total Traffic Volume (MB)",
+              "timeContext": {
+                "durationMs": 0
+              },
+              "timeContextFromParameter": "TimeRange",
+              "queryType": 0,
+              "resourceType": "microsoft.operationalinsights/workspaces",
+              "visualization": "card",
+              "textSettings": {
+                "style": "bignumber"
+              }
+            },
+            "customWidth": "50",
+            "name": "query - 2"
+          },
+          {
+            "type": 3,
+            "content": {
+              "version": "KqlItem/1.0",
+              "query": "CiscoWSAEvent\n| where DvcAction startswith 'BLOCK_'\n| summarize count()",
+              "size": 3,
+              "title": "Threats Blocked",
+              "noDataMessage": "0",
+              "timeContext": {
+                "durationMs": 0
+              },
+              "timeContextFromParameter": "TimeRange",
+              "queryType": 0,
+              "resourceType": "microsoft.operationalinsights/workspaces",
+              "visualization": "card",
+              "textSettings": {
+                "style": "bignumber"
+              }
+            },
+            "customWidth": "50",
+            "name": "query - 3"
+          }
+        ]
+      },
+      "customWidth": "40",
+      "name": "group - 11"
+    },
+    {
+      "type": 3,
+      "content": {
+        "version": "KqlItem/1.0",
+        "query": "CiscoWSAEvent\n| summarize count() by UrlCategory\n| project count_, ['URL Category'] = case(UrlCategory =~ 'IW_infr', \"Infrastructure and CDN\", \n                                    UrlCategory =~ 'IW_adv', \"Advertisements\", \n                                    UrlCategory =~ 'IW_art', \"Arts\",\n                                    UrlCategory =~ 'IW_busi', \"Business and Industry\",\n                                    UrlCategory =~ 'IW_csec', \"Computer Security\",\n                                    UrlCategory =~ 'IW_comp', \"Computers and Internet\",\n                                    UrlCategory =~ 'IW_edu', \"Education\",\n                                    UrlCategory =~ 'IW_ent', \"Entertainment\",\n                                    UrlCategory =~ 'IW_fts', \"File Transfer Services\",\n                                    UrlCategory =~ 'IW_fnnc', \"Finance\",\n                                    UrlCategory =~ 'IW_hmed', \"Health and Medicine\",\n                                    UrlCategory =~ 'IW_job', \"Job Search\",\n                                    UrlCategory =~ 'IW_news', \"News\",\n                                    UrlCategory =~ 'IW_docs', \"Online Document Sharing and Collaboration\",\n                                    UrlCategory =~ 'IW_meet', \"Online Meetings\",\n                                    \"Other\")",
+        "size": 3,
+        "title": "URL Categories",
+        "timeContext": {
+          "durationMs": 0
+        },
+        "timeContextFromParameter": "TimeRange",
+        "queryType": 0,
+        "resourceType": "microsoft.operationalinsights/workspaces",
+        "visualization": "piechart"
+      },
+      "customWidth": "35",
+      "name": "query - 11"
+    },
+    {
+      "type": 3,
+      "content": {
+        "version": "KqlItem/1.0",
+        "query": "CiscoWSAEvent\r\n| summarize count() by UrlCategory\r\n| project count_, ['URL Category'] = case(UrlCategory =~ 'IW_infr', \"Infrastructure and CDN\", \r\n                                    UrlCategory =~ 'IW_adv', \"Advertisements\", \r\n                                    UrlCategory =~ 'IW_art', \"Arts\",\r\n                                    UrlCategory =~ 'IW_busi', \"Business and Industry\",\r\n                                    UrlCategory =~ 'IW_csec', \"Computer Security\",\r\n                                    UrlCategory =~ 'IW_comp', \"Computers and Internet\",\r\n                                    UrlCategory =~ 'IW_edu', \"Education\",\r\n                                    UrlCategory =~ 'IW_ent', \"Entertainment\",\r\n                                    UrlCategory =~ 'IW_fts', \"File Transfer Services\",\r\n                                    UrlCategory =~ 'IW_fnnc', \"Finance\",\r\n                                    UrlCategory =~ 'IW_hmed', \"Health and Medicine\",\r\n                                    UrlCategory =~ 'IW_job', \"Job Search\",\r\n                                    UrlCategory =~ 'IW_news', \"News\",\r\n                                    UrlCategory =~ 'IW_docs', \"Online Document Sharing and Collaboration\",\r\n                                    UrlCategory =~ 'IW_meet', \"Online Meetings\",\r\n                                    \"Other\")\r\n| top 8 by ['URL Category'] desc\r\n",
+        "size": 3,
+        "title": "Top URL Categories",
+        "timeContext": {
+          "durationMs": 0
+        },
+        "timeContextFromParameter": "TimeRange",
+        "queryType": 0,
+        "resourceType": "microsoft.operationalinsights/workspaces",
+        "visualization": "tiles",
+        "tileSettings": {
+          "titleContent": {
+            "columnMatch": "URL Category",
+            "formatter": 1
+          },
+          "leftContent": {
+            "columnMatch": "count_",
+            "formatter": 12,
+            "formatOptions": {
+              "palette": "auto"
+            },
+            "numberFormat": {
+              "unit": 17,
+              "options": {
+                "style": "decimal",
+                "maximumFractionDigits": 2,
+                "maximumSignificantDigits": 3
+              }
+            }
+          },
+          "secondaryContent": {
+            "columnMatch": "Trend",
+            "formatter": 9,
+            "formatOptions": {
+              "palette": "purple"
+            }
+          },
+          "showBorder": false
+        }
+      },
+      "customWidth": "35",
+      "name": "query - 0",
+      "styleSettings": {
+        "maxWidth": "30"
+      }
+    },
+    {
+      "type": 3,
+      "content": {
+        "version": "KqlItem/1.0",
+        "query": "CiscoWSAEvent\n| where isnotempty(DstDvcHostname)\n| summarize count() by DstDvcHostname\n| top 10 by DstDvcHostname\n| order by count_\n| project-rename Domain = DstDvcHostname, ['Total Events'] = count_",
+        "size": 0,
+        "title": "Top visited domains",
+        "timeContext": {
+          "durationMs": 0
+        },
+        "timeContextFromParameter": "TimeRange",
+        "queryType": 0,
+        "resourceType": "microsoft.operationalinsights/workspaces",
+        "visualization": "table",
+        "tileSettings": {
+          "titleContent": {
+            "columnMatch": "User",
+            "formatter": 1
+          },
+          "leftContent": {
+            "columnMatch": "TotalMailsReceived",
+            "formatter": 12,
+            "formatOptions": {
+              "palette": "auto"
+            },
+            "numberFormat": {
+              "unit": 17,
+              "options": {
+                "maximumSignificantDigits": 3,
+                "maximumFractionDigits": 2
+              }
+            }
+          },
+          "secondaryContent": {
+            "columnMatch": "Trend",
+            "formatter": 10,
+            "formatOptions": {
+              "palette": "magenta"
+            }
+          },
+          "showBorder": false
+        }
+      },
+      "customWidth": "30",
+      "name": "query - 10"
+    },
+    {
+      "type": 3,
+      "content": {
+        "version": "KqlItem/1.0",
+        "query": "CiscoWSAEvent\r\n| where isnotempty(SrcUserName)\r\n| summarize TotalBytes = sum(DstBytes) by SrcUserName\r\n| top 10 by TotalBytes\r\n| project User=SrcUserName, ['Total Bytes (KB)'] = TotalBytes/1000",
+        "size": 3,
+        "title": "Top Users",
+        "timeContext": {
+          "durationMs": 0
+        },
+        "timeContextFromParameter": "TimeRange",
+        "queryType": 0,
+        "resourceType": "microsoft.operationalinsights/workspaces",
+        "visualization": "table",
+        "gridSettings": {
+          "formatters": [
+            {
+              "columnMatch": "Total Bytes (KB)",
+              "formatter": 8,
+              "formatOptions": {
+                "palette": "greenRed"
+              }
+            }
+          ]
+        },
+        "sortBy": []
+      },
+      "customWidth": "33",
+      "name": "query - 2"
+    },
+    {
+      "type": 3,
+      "content": {
+        "version": "KqlItem/1.0",
+        "query": "CiscoWSAEvent\n| where isnotempty(ThreatName)\n| summarize count() by ThreatName",
+        "size": 3,
+        "title": "Discovered Threats",
+        "timeContext": {
+          "durationMs": 0
+        },
+        "timeContextFromParameter": "TimeRange",
+        "queryType": 0,
+        "resourceType": "microsoft.operationalinsights/workspaces",
+        "visualization": "piechart"
+      },
+      "customWidth": "30",
+      "name": "query - 9"
+    },
+    {
+      "type": 3,
+      "content": {
+        "version": "KqlItem/1.0",
+        "query": "CiscoWSAEvent\r\n| where isnotempty(AmpFileName)\r\n| project TimeGenerated, SrcUserName, AmpFileName, Result=strcat(iff(isnotempty(AmpScanningVerdict) or AmpScanningVerdict !has 'clean', '❌ - Infected', '✅ - Clean'))\r\n",
+        "size": 1,
+        "title": "Latest scanned files",
+        "timeContext": {
+          "durationMs": 0
+        },
+        "timeContextFromParameter": "TimeRange",
+        "queryType": 0,
+        "resourceType": "microsoft.operationalinsights/workspaces",
+        "visualization": "table",
+        "gridSettings": {
+          "filter": true
+        }
+      },
+      "customWidth": "34",
+      "name": "query - 1"
+    }
+  ],
+  "fromTemplateId": "sentinel-CiscoWSAWorkbook",
+  "$schema": "https://github.com/Microsoft/Application-Insights-Workbooks/blob/master/schema/workbook.json"
+}