Cisco_Umbrella_intrusion_CL


Attribute: Value
Custom Log V1: Yes (uses type-suffixed column names)
Ingestion API Supported: Yes

Schema (24 columns)

Source: KQL validation test schema

Column Name Type
action_s string
attack_classification_s string
AWS_region_s string
CVEs_s string
destination_IP_s string
destination_Port_d real
direction_s string
firewall_rule_ID_s string
generator_id_s string
identities_s string
identity_types_s string
IP_protocol_s string
IPS_config_type_s string
operation_mode_s string
policy_resource_ID_s string
session_ID_s string
severity_s string
signature_ID_s string
signature_List_ID_s string
signature_message_s string
source_IP_s string
source_port_d real
TimeGenerated datetime
Timestamp_t datetime

Solutions (1)

This table is used by the following solutions:

Connectors (2)

This table is ingested by the following connectors:

Connector Selection Criteria
Cisco Cloud Security
Cisco Cloud Security (using elastic premium plan)

Content Items Using This Table (31)

Analytic Rules (20)

GitHub Only:

Analytic Rule Selection Criteria
Cisco Cloud Security - Connection to Unpopular Website Detected
Cisco Cloud Security - Connection to non-corporate private network
Cisco Cloud Security - Crypto Miner User-Agent Detected
Cisco Cloud Security - Empty User Agent Detected
Cisco Cloud Security - Hack Tool User-Agent Detected
Cisco Cloud Security - Rare User Agent Detected
Cisco Cloud Security - Request Allowed to harmful/malicious URI category
Cisco Cloud Security - Request to blocklisted file type
Cisco Cloud Security - URI contains IP address
Cisco Cloud Security - Windows PowerShell User-Agent Detected
Cisco Umbrella - Connection to Unpopular Website Detected
Cisco Umbrella - Connection to non-corporate private network
Cisco Umbrella - Crypto Miner User-Agent Detected
Cisco Umbrella - Empty User Agent Detected
Cisco Umbrella - Hack Tool User-Agent Detected
Cisco Umbrella - Rare User Agent Detected
Cisco Umbrella - Request Allowed to harmful/malicious URI category
Cisco Umbrella - Request to blocklisted file type
Cisco Umbrella - URI contains IP address
Cisco Umbrella - Windows PowerShell User-Agent Detected

Hunting Queries (10)

In solution CiscoUmbrella:

Hunting Query Selection Criteria
Cisco Cloud Security - 'Blocked' User-Agents.
Cisco Cloud Security - Anomalous FQDNs for domain
Cisco Cloud Security - DNS Errors.
Cisco Cloud Security - DNS requests to unreliable categories.
Cisco Cloud Security - High values of Uploaded Data
Cisco Cloud Security - Higher values of count of the Same BytesIn size
Cisco Cloud Security - Possible connection to C2.
Cisco Cloud Security - Possible data exfiltration
Cisco Cloud Security - Proxy 'Allowed' to unreliable categories.
Cisco Cloud Security - Requests to uncategorized resources

Workbooks (1)

In solution CiscoUmbrella:

Workbook Selection Criteria
CiscoUmbrella

Parsers Using This Table (1)

Other Parsers (1)

Parser Solution Selection Criteria
Cisco_Umbrella CiscoUmbrella
