Adversaries may attempt to access malicious URI categories by bypassing network controls, leveraging allowed requests to exfiltrate data or deploy malware. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify potential lateral movement or command-and-control activities that evade standard policy enforcement.
KQL Query
let lbtime = 10m;
Cisco_Umbrella
| where TimeGenerated > ago(lbtime)
| where EventType == 'proxylogs'
| where DvcAction =~ 'Allowed'
| where UrlCategory contains 'Adult Themes' or
    UrlCategory contains 'Adware' or
    UrlCategory contains 'Alcohol' or
    UrlCategory contains 'Illegal Downloads' or
    UrlCategory contains 'Drugs' or
    UrlCategory contains 'Child Abuse Content' or
    UrlCategory contains 'Hate/Discrimination' or
    UrlCategory contains 'Nudity' or
    UrlCategory contains 'Pornography' or
    UrlCategory contains 'Proxy/Anonymizer' or
    UrlCategory contains 'Sexuality' or
    UrlCategory contains 'Tasteless' or
    UrlCategory contains 'Terrorism' or
    UrlCategory contains 'Web Spam' or
    UrlCategory contains 'German Youth Protection' or
    UrlCategory contains 'Illegal Activities' or
    UrlCategory contains 'Lingerie/Bikini' or
    UrlCategory contains 'Weapons'
| project TimeGenerated, SrcIpAddr, Identities
id: d6bf1931-b1eb-448d-90b2-de118559c7ce
name: Cisco Umbrella - Request Allowed to harmful/malicious URI category
description: |
  'It is recommended that these categories should be blocked by policies because they provide harmful/malicious content.'
severity: Medium
requiredDataConnectors:
  - connectorId: CiscoUmbrellaDataConnector
    dataTypes:
      - Cisco_Umbrella_proxy_CL
queryFrequency: 10m
queryPeriod: 10m
triggerOperator: gt
triggerThreshold: 0
tactics:
  - CommandAndControl
  - InitialAccess
query: |
  let lbtime = 10m;
  Cisco_Umbrella
  | where TimeGenerated > ago(lbtime)
  | where EventType == 'proxylogs'
  | where DvcAction =~ 'Allowed'
  | where UrlCategory contains 'Adult Themes' or
      UrlCategory contains 'Adware' or
      UrlCategory contains 'Alcohol' or
      UrlCategory contains 'Illegal Downloads' or
      UrlCategory contains 'Drugs' or
      UrlCategory contains 'Child Abuse Content' or
      UrlCategory contains 'Hate/Discrimination' or
      UrlCategory contains 'Nudity' or
      UrlCategory contains 'Pornography' or
      UrlCategory contains 'Proxy/Anonymizer' or
      UrlCategory contains 'Sexuality' or
      UrlCategory contains 'Tasteless' or
      UrlCategory contains 'Terrorism' or
      UrlCategory contains 'Web Spam' or
      UrlCategory contains 'German Youth Protection' or
      UrlCategory contains 'Illegal Activities' or
      UrlCategory contains 'Lingerie/Bikini' or
      UrlCategory contains 'Weapons'
  | project TimeGenerated, SrcIpAddr, Identities
entityMappings:
  - entityType: Account
    fieldMappings:
      - identifier: FullName
        columnName: Identities
  - entityType: IP
    fieldMappings:
      - identifier: Address
        columnName: SrcIpAddr
version: 1.1.1
kind: Scheduled
Scenario: Legitimate system update via Cisco Umbrella
Description: A scheduled job or automated system update (e.g., Windows Update, Linux package manager) accesses a URI in the “harmful/malicious” category as part of a known safe update process.
Filter/Exclusion: Exclude traffic from known update servers (e.g., update.microsoft.com, packages.debian.org) or use a custom list of trusted update domains.

Scenario: Internal tool using a third-party API
Description: An internal application (e.g., Jira, Confluence, or a custom DevOps tool) makes a legitimate API call to a service categorized as harmful/malicious by Cisco Umbrella.
Filter/Exclusion: Exclude traffic to specific API endpoints (e.g., api.atlassian.com, api.gitlab.com) or add the domain to a trusted list in the Umbrella policy.

Scenario: Admin task using a known safe URL
Description: An administrator uses a tool like curl or wget to manually test or troubleshoot a known safe URL that is incorrectly categorized as harmful.
Filter/Exclusion: Exclude traffic from local IP ranges (e.g., 10.0.0.0/8, 192.168.0.0/16) or add the specific URL to a whitelist in the Umbrella policy.

Scenario: Cloud service integration (e.g., AWS, Azure, GCP)
Description: A cloud service (e.g., AWS S3, Azure Blob Storage) is accessed via a URI that is incorrectly flagged as harmful due to a misconfiguration or false positive in the category.
Filter/Exclusion: Exclude traffic to cloud service endpoints (e.g., s3.amazonaws.com, blob.core.windows.net) or use a custom domain list in the
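The following is an added Python example, not part of the original rule or the Cisco Umbrella connector: it applies the query's filters (10-minute window, proxylogs, case-insensitive Allowed, category substring match) to constructed proxy-log records and then applies the trusted-domain and source-range exclusions described in the scenarios above, matching domains on label boundaries so a look-alike host does not slip through. The DstHostname field, the admin range and all sample values are assumptions.

```python
from datetime import datetime, timedelta, timezone
from ipaddress import ip_address, ip_network

# Category strings copied from the rule; KQL `contains` is case-insensitive, so compare lowercase.
HARMFUL_CATEGORIES = [
    "Adult Themes", "Adware", "Alcohol", "Illegal Downloads", "Drugs",
    "Child Abuse Content", "Hate/Discrimination", "Nudity", "Pornography",
    "Proxy/Anonymizer", "Sexuality", "Tasteless", "Terrorism", "Web Spam",
    "German Youth Protection", "Illegal Activities", "Lingerie/Bikini", "Weapons",
]
# Tuning lists built from the false-positive scenarios (constructed values for this example).
TRUSTED_DOMAINS = ["update.microsoft.com", "packages.debian.org", "api.atlassian.com"]
ADMIN_NETS = [ip_network("10.20.30.0/24")]  # constructed: a small admin range, not the whole of RFC 1918

def in_harmful_category(url_category):
    return any(c.lower() in url_category.lower() for c in HARMFUL_CATEGORIES)

def is_trusted_host(host):
    # Match on label boundaries: "notupdate.microsoft.com" must NOT match "update.microsoft.com".
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in TRUSTED_DOMAINS)

def allowed_harmful_requests(events, now, lookback=timedelta(minutes=10)):
    """Mirror the KQL filters, drop the tuning exclusions, project the rule's three columns."""
    hits = []
    for e in events:
        if e["TimeGenerated"] <= now - lookback or e["EventType"] != "proxylogs":
            continue  # outside ago(lbtime) or not a proxy log
        if e["DvcAction"].lower() != "allowed" or not in_harmful_category(e["UrlCategory"]):
            continue  # `=~ 'Allowed'` is case-insensitive in KQL
        # DstHostname is an assumed field name for the requested host; the rule itself does not use it.
        if is_trusted_host(e["DstHostname"]) or any(ip_address(e["SrcIpAddr"]) in n for n in ADMIN_NETS):
            continue  # tuning exclusions from the false-positive scenarios
        hits.append({k: e[k] for k in ("TimeGenerated", "SrcIpAddr", "Identities")})
    return hits

NOW = datetime(2024, 1, 15, 12, 0, tzinfo=timezone.utc)  # constructed reference time
def evt(minutes_ago, action, category, src, host, ident):
    return {"TimeGenerated": NOW - timedelta(minutes=minutes_ago), "EventType": "proxylogs",
            "DvcAction": action, "UrlCategory": category, "SrcIpAddr": src,
            "DstHostname": host, "Identities": ident}

SAMPLE_EVENTS = [  # constructed proxy records
    evt(2, "Allowed", "Proxy/Anonymizer", "10.1.1.5", "anon.example.net", "alice@example.com"),      # hit
    evt(3, "ALLOWED", "Adware, Web Spam", "10.1.1.6", "notupdate.microsoft.com", "bob@example.com"),  # hit: look-alike host
    evt(4, "Allowed", "Illegal Downloads", "10.1.1.7", "packages.debian.org", "svc-patch"),          # excluded: trusted domain
    evt(5, "Allowed", "Weapons", "10.20.30.9", "misclassified.example.org", "admin@example.com"),    # excluded: admin range
    evt(6, "Blocked", "Pornography", "10.1.1.8", "bad.example.com", "carol@example.com"),            # not Allowed
    evt(15, "Allowed", "Terrorism", "10.1.1.9", "old.example.com", "dave@example.com"),              # outside the 10m window
]
```

Because the rule fires on triggerOperator gt / triggerThreshold 0, every record `allowed_harmful_requests` returns would raise an incident, so the exclusion lists are what keep the alert volume reviewable.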