Cisco_Umbrella_ztna_CL



Attribute                Value
Custom Log V1            Yes 🔶 — uses type-suffixed column names
Ingestion API Supported  ✓ Yes

Schema (31 columns)

Source: KQL validation test schema

Column Name                    Type
anti_malware_agents_s          string
app_Connector_group_id_s       string
client_browser_s               string
client_firewall_s              string
client_geo_location_s          string
client_ip_s                    string
client_os_s                    string
disk_encryption_s              string
duo_device_id_s                string
duo_device_id_string_s         string
headend_type_s                 string
hostname_s                     string
identity_email_s               string
identity_labels_s              string
identity_type_labels_s         string
posture_id_s                   string
private_app_group_id_s         string
private_app_id_s               string
private_resource_group_id_s    string
private_resource_id_s          string
requested_id_fqdn_s            string
resolved_ip_s                  string
rule_id_s                      string
ruleset_id_s                   string
step_up_auth_result_s          string
step_up_auth_token_life_d      real
step_up_auth_type_s            string
system_password_s              string
TimeGenerated                  datetime
Timestamp_t                    datetime
verdict_s                      string

Solutions (1)

This table is used by the following solutions:

Solution
CiscoUmbrella

Connectors (2)

This table is ingested by the following connectors:

Connector                                          Selection Criteria
Cisco Cloud Security
Cisco Cloud Security (using elastic premium plan)

Content Items Using This Table (31)

Analytic Rules (20)

GitHub Only:

Analytic Rule                                                          Selection Criteria
Cisco Cloud Security - Connection to Unpopular Website Detected
Cisco Cloud Security - Connection to non-corporate private network
Cisco Cloud Security - Crypto Miner User-Agent Detected
Cisco Cloud Security - Empty User Agent Detected
Cisco Cloud Security - Hack Tool User-Agent Detected
Cisco Cloud Security - Rare User Agent Detected
Cisco Cloud Security - Request Allowed to harmful/malicious URI category
Cisco Cloud Security - Request to blocklisted file type
Cisco Cloud Security - URI contains IP address
Cisco Cloud Security - Windows PowerShell User-Agent Detected
Cisco Umbrella - Connection to Unpopular Website Detected
Cisco Umbrella - Connection to non-corporate private network
Cisco Umbrella - Crypto Miner User-Agent Detected
Cisco Umbrella - Empty User Agent Detected
Cisco Umbrella - Hack Tool User-Agent Detected
Cisco Umbrella - Rare User Agent Detected
Cisco Umbrella - Request Allowed to harmful/malicious URI category
Cisco Umbrella - Request to blocklisted file type
Cisco Umbrella - URI contains IP address
Cisco Umbrella - Windows PowerShell User-Agent Detected

Hunting Queries (10)

In solution CiscoUmbrella:

Hunting Query                                                          Selection Criteria
Cisco Cloud Security - 'Blocked' User-Agents.
Cisco Cloud Security - Anomalous FQDNs for domain
Cisco Cloud Security - DNS Errors.
Cisco Cloud Security - DNS requests to unreliable categories.
Cisco Cloud Security - High values of Uploaded Data
Cisco Cloud Security - Higher values of count of the Same BytesIn size
Cisco Cloud Security - Possible connection to C2.
Cisco Cloud Security - Possible data exfiltration
Cisco Cloud Security - Proxy 'Allowed' to unreliable categories.
Cisco Cloud Security - Requests to uncategorized resources

Workbooks (1)

In solution CiscoUmbrella:

Workbook         Selection Criteria
CiscoUmbrella

Parsers Using This Table (1)

Other Parsers (1)

Parser           Solution         Selection Criteria
Cisco_Umbrella   CiscoUmbrella
