The hypothesis is that an initial connection to an unpopular website (one that does not appear among the most frequently contacted hostnames in the preceding two weeks of proxy logs) may indicate an adversary attempting to establish a foothold or exfiltrate data. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify potential early-stage malicious activity before it escalates.
KQL Query
let domain_lookBack = 14d;
let timeframe = 1d;
let top_million_list = Cisco_Umbrella
| where EventType == "proxylogs"
| where TimeGenerated > ago(domain_lookBack) and TimeGenerated < ago(timeframe)
| extend Hostname = parse_url(UrlOriginal)["Host"]
| summarize count() by tostring(Hostname)
| top 1000000 by count_
| summarize make_list(Hostname);
Cisco_Umbrella
| where EventType == "proxylogs"
| where TimeGenerated > ago(timeframe)
| extend Hostname = parse_url(UrlOriginal)["Host"]
| where Hostname !in (top_million_list)
| extend Message = "Connect to unpopular website (possible malicious payload delivery)"
| project Message, SrcIpAddr, DstIpAddr, UrlOriginal, TimeGenerated
id: 75297f62-10a8-4fc1-9b2a-12f25c6f05a7
name: Cisco Umbrella - Connection to Unpopular Website Detected
description: |
  'Detects first connection to an unpopular website (possible malicious payload delivery).'
severity: Medium
requiredDataConnectors:
  - connectorId: CiscoUmbrellaDataConnector
    dataTypes:
      - Cisco_Umbrella_proxy_CL
queryFrequency: 1d
queryPeriod: 14d
triggerOperator: gt
triggerThreshold: 0
tactics:
  - CommandAndControl
query: |
  let domain_lookBack = 14d;
  let timeframe = 1d;
  let top_million_list = Cisco_Umbrella
  | where EventType == "proxylogs"
  | where TimeGenerated > ago(domain_lookBack) and TimeGenerated < ago(timeframe)
  | extend Hostname = parse_url(UrlOriginal)["Host"]
  | summarize count() by tostring(Hostname)
  | top 1000000 by count_
  | summarize make_list(Hostname);
  Cisco_Umbrella
  | where EventType == "proxylogs"
  | where TimeGenerated > ago(timeframe)
  | extend Hostname = parse_url(UrlOriginal)["Host"]
  | where Hostname !in (top_million_list)
  | extend Message = "Connect to unpopular website (possible malicious payload delivery)"
  | project Message, SrcIpAddr, DstIpAddr, UrlOriginal, TimeGenerated
entityMappings:
  - entityType: URL
    fieldMappings:
      - identifier: Url
        columnName: UrlOriginal
  - entityType: IP
    fieldMappings:
      - identifier: Address
        columnName: SrcIpAddr
version: 1.1.2
kind: Scheduled
Scenario: A system administrator is accessing, through Cisco Umbrella, a known security research website (e.g., VirusTotal) to analyze a suspicious file.
Filter/Exclusion: Exclude traffic to known security research domains using a custom list in Cisco Umbrella’s Whitelist or via URL filtering rules.
Scenario: A scheduled backup job (e.g., using Veeam Backup & Replication) is connecting to a cloud storage service (e.g., AWS S3) that is flagged as an “unpopular” website due to its low popularity score.
Filter/Exclusion: Add the cloud storage domain to the Cisco Umbrella Allowlist or create a custom category for backup-related domains.
Scenario: A system update task (e.g., using Windows Update or WSUS) is attempting to connect to a Microsoft server that is incorrectly flagged as an unpopular website.
Filter/Exclusion: Exclude Microsoft update domains using Cisco Umbrella’s built-in categories or add them to a custom exclusion list.
Scenario: A developer using a code repository (e.g., GitHub Actions) is connecting to a private GitHub instance, which is being flagged due to its low popularity.
Filter/Exclusion: Add the private GitHub domain to the Cisco Umbrella Allowlist or configure a custom URL category for internal development tools.
Scenario: A network monitoring tool (e.g., SolarWinds Network Performance Monitor) is connecting to an internal monitoring dashboard that is mistakenly classified as an unpopular website.
Filter/Exclusion: Exclude the internal monitoring domain via Cisco Umbrella’s IP filtering or by adding it to a custom exclusion list.
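The following is an added example, not part of the original rule or of Cisco Umbrella. It re-implements the KQL query's logic in Python over a constructed sample of proxy log records so the two windows can be seen working: the baseline of most-seen hostnames is built from the 14-day lookback with the most recent day excluded (so a brand-new host cannot add itself to the baseline on the day it first appears), and last-day connections to hostnames absent from that baseline are emitted with the same columns the query projects. It also covers the exclusion scenarios above with a suffix-matched allowlist applied before a row is emitted, which is how the exclusions would look if done in the query rather than in Umbrella. The hostnames, IPs and timestamps are constructed placeholders; the allowlist entry stands in for a real backup-storage domain. Two details differ from the KQL: `urlsplit(...).hostname` lowercases the host where `parse_url` keeps its case, and, like the query, nothing deduplicates, so a host contacted three times in the last day yields three rows.

```python
from collections import Counter
from datetime import datetime, timedelta, timezone
from urllib.parse import urlsplit

# Same windows and cap as the query's 'let' statements.
DOMAIN_LOOKBACK = timedelta(days=14)
TIMEFRAME = timedelta(days=1)
TOP_N = 1_000_000

MESSAGE = "Connect to unpopular website (possible malicious payload delivery)"

# Fixed "now" so the constructed sample below is reproducible.
NOW = datetime(2024, 5, 15, 12, 0, tzinfo=timezone.utc)


def _rec(days_ago, src, dst, url, event_type="proxylogs"):
    """Build one constructed record in the column shape the query reads."""
    return {
        "TimeGenerated": NOW - timedelta(days=days_ago),
        "EventType": event_type,
        "SrcIpAddr": src,
        "DstIpAddr": dst,
        "UrlOriginal": url,
    }


# Constructed sample log (placeholder hosts and addresses), not real Umbrella data.
SAMPLE_LOGS = [
    # Two weeks of baseline browsing: inside the 14d window, older than 1d.
    _rec(10, "10.0.0.5", "203.0.113.10", "https://www.example.com/index.html"),
    _rec(9, "10.0.0.5", "203.0.113.10", "https://www.example.com/news"),
    _rec(5, "10.0.0.7", "203.0.113.20", "https://cdn.example.net/app.js"),
    _rec(2, "10.0.0.7", "203.0.113.20", "https://cdn.example.net/style.css"),
    # Older than the lookback: does not count toward the baseline.
    _rec(20, "10.0.0.5", "203.0.113.30", "https://old.example.org/"),
    # Wrong EventType: the query only reads proxylogs.
    _rec(3, "10.0.0.5", "203.0.113.40", "https://dns-only.example.com/", "dnslogs"),
    # Last day of traffic, the window the rule alerts on.
    _rec(0.5, "10.0.0.5", "203.0.113.10", "https://www.example.com/login"),
    _rec(0.2, "10.0.0.9", "198.51.100.44", "http://first-seen.example.test/payload.bin"),
    _rec(0.1, "10.0.0.9", "198.51.100.45", "https://backup.storage.example.org/put"),
    _rec(0.05, "10.0.0.5", "203.0.113.30", "https://old.example.org/"),
]


def hostname_of(url):
    """Equivalent of parse_url(UrlOriginal)["Host"] (port stripped, lowercased)."""
    return urlsplit(url).hostname or ""


def build_baseline(records, now=NOW):
    """Hostnames in the top-N by hit count over the lookback window,
    excluding the most recent TIMEFRAME, exactly as top_million_list does."""
    counts = Counter(
        hostname_of(r["UrlOriginal"])
        for r in records
        if r["EventType"] == "proxylogs"
        and now - DOMAIN_LOOKBACK < r["TimeGenerated"] < now - TIMEFRAME
    )
    return {host for host, _ in counts.most_common(TOP_N)}


def is_allowlisted(host, allowlist):
    """Suffix match: 'storage.example.org' covers itself and any subdomain,
    but not a lookalike such as 'notstorage.example.org'."""
    return any(host == d or host.endswith("." + d) for d in allowlist)


def detect_unpopular(records, now=NOW, allowlist=()):
    """Rows the rule would emit: last-day proxy connections whose hostname
    is absent from the baseline and not covered by the allowlist."""
    baseline = build_baseline(records, now)
    findings = []
    for r in records:
        if r["EventType"] != "proxylogs" or r["TimeGenerated"] <= now - TIMEFRAME:
            continue
        host = hostname_of(r["UrlOriginal"])
        if host in baseline or is_allowlisted(host, allowlist):
            continue
        findings.append({
            "Message": MESSAGE,
            "SrcIpAddr": r["SrcIpAddr"],
            "DstIpAddr": r["DstIpAddr"],
            "UrlOriginal": r["UrlOriginal"],
            "TimeGenerated": r["TimeGenerated"],
        })
    return findings


if __name__ == "__main__":
    # Placeholder allowlist entry standing in for a real backup-storage domain.
    for f in detect_unpopular(SAMPLE_LOGS, allowlist=["storage.example.org"]):
        print(f["TimeGenerated"].isoformat(), f["SrcIpAddr"], "->", f["UrlOriginal"])
```

Running the block flags `first-seen.example.test` and `old.example.org` and suppresses the allowlisted backup host. The `old.example.org` row is the edge case worth noticing when tuning: a host last contacted before the 14-day lookback is "new" again to this rule, so a quarterly job or a rarely used vendor portal will re-alert each time it returns, which is what the exclusion scenarios above are for.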