Cisco WSA

Solution: CiscoWSA

CiscoWSA Logo

Browse: 🏠 · Solutions · Connectors · Methods · Tables · Content · Parsers · ASIM Parsers · ASIM Products · 📊

Back to Solutions Index

Attribute Value
Publisher Microsoft Corporation
Support Tier Microsoft
Support Link https://support.microsoft.com
Categories domains
Version 3.0.1
Author Microsoft - support@microsoft.com
First Published 2021-06-29
Solution Folder CiscoWSA
Marketplace Azure Marketplace · Rating: ★★★☆☆ 3.0/5 (1 ratings) · Popularity: ⚪ Very Low (0%)
Pre-requisites Syslog

The Cisco Web Security Appliance (WSA) solution provides the capability to ingest Cisco WSA Access Logs into Microsoft Sentinel.

This solution is dependent on the Syslog solution containing the Syslog via AMA connector to collect the logs. The Syslog solution will be installed as part of this solution installation.

NOTE: Microsoft recommends installation of Syslog via AMA Connector.Legacy connector uses the Log Analytics agent which were deprecated on Aug 31, 2024. Using MMA and AMA on same machine can cause log duplication and extra ingestion cost more details.

Contents

Pre-requisites

This solution depends on 1 other solution(s):

Solution
Syslog

Data Connectors

This solution has 1 discovered data connector(s)⚠️ (not in Solution definition):

Connectors from dependency solutions:

🔍 Discovered: This item was discovered by scanning the solution folder but is not listed in the Solution JSON file.

Tables Used

This solution uses 1 table(s):

Table Used By Connectors Used By Content
Syslog Syslog via AMA (dependency), Syslog via Legacy Agent (dependency), [Deprecated] Cisco Web Security Appliance Analytics, Hunting, Workbooks

Content Items

This solution includes 23 content item(s):

Content Type Count
Analytic Rules 11
Hunting Queries 10
Workbooks 1
Parsers 1

Analytic Rules

Name Severity Tactics Tables Used
Cisco WSA - Access to unwanted site High InitialAccess Syslog
Cisco WSA - Internet access from public IP Medium InitialAccess Syslog
Cisco WSA - Multiple attempts to download unwanted file Medium InitialAccess Syslog
Cisco WSA - Multiple errors to URL Medium CommandAndControl Syslog
Cisco WSA - Multiple errors to resource from risky category Medium InitialAccess, CommandAndControl Syslog
Cisco WSA - Multiple infected files High InitialAccess Syslog
Cisco WSA - Suspected protocol abuse Medium Exfiltration Syslog
Cisco WSA - Unexpected URL Medium CommandAndControl Syslog
Cisco WSA - Unexpected file type Medium InitialAccess Syslog
Cisco WSA - Unexpected uploads High Exfiltration Syslog
Cisco WSA - Unscannable file or scan error Medium InitialAccess Syslog

Hunting Queries

Name Tactics Tables Used
Cisco WSA - Blocked files InitialAccess Syslog
Cisco WSA - Potentially risky resources InitialAccess Syslog
Cisco WSA - Rare URL with error InitialAccess, CommandAndControl Syslog
Cisco WSA - Rare aplications CommandAndControl, Exfiltration Syslog
Cisco WSA - Top URLs InitialAccess Syslog
Cisco WSA - Top aplications InitialAccess Syslog
Cisco WSA - URL shorteners InitialAccess Syslog
Cisco WSA - Uncategorized URLs InitialAccess Syslog
Cisco WSA - Uploaded files InitialAccess Syslog
Cisco WSA - User errors InitialAccess, CommandAndControl Syslog

Workbooks

Name Tables Used
CiscoWSA Syslog

Parsers

Name Description Tables Used
CiscoWSAEvent - Syslog (read)

Release Notes

Version Date Modified (DD-MM-YYYY) Change History
3.0.2 19-12-2024 Removed Deprecated Data connector
3.0.1 24-07-2024 Deprecating data connectors
3.0.0 16-08-2023 Optimize the Parser by replacing the legacy code that uses regex with a more efficient algorithm to reduce the time taken to parse data.

Browse: 🏠 · Solutions · Connectors · Methods · Tables · Content · Parsers · ASIM Parsers · ASIM Products · 📊

Back to Solutions Index