Merge branch 'master' into dependabot/pip/Solutions/CiscoDuoSecurity/Data-Connectors/cryptography-46.0.6

Author: v-atulyadav

.script/tests/detectionTemplateSchemaValidation/ValidConnectorIds.json

@@ -0,0 +1,78 @@
+id: fa4c4f1c-3c5f-4c3a-a13f-924c30db56e9
+name: Netskope - Anomalous User Behavior (High Volume from Unmanaged Device)
+description: |
+  Detects anomalous user behavior including high data volume transfers from unmanaged devices, unusual access patterns, and suspicious application usage.
+severity: Medium
+status: Available
+requiredDataConnectors:
+  - connectorId: NetskopeWebTxConnector
+    dataTypes:
+      - NetskopeWebTransactions_CL
+queryFrequency: 1h
+queryPeriod: 1h
+triggerOperator: gt
+triggerThreshold: 0
+tactics:
+  - Exfiltration
+  - Collection
+relevantTechniques:
+  - T1567
+  - T1074
+query: |
+  let highVolumeThresholdGB = 1;
+  NetskopeWebTransactions_CL
+  | where TimeGenerated > ago(1h)
+  | where isnotempty(CsUsername)
+  | summarize 
+      TotalBytes = sum(Bytes),
+      UploadBytes = sum(CsBytes),
+      DownloadBytes = sum(ScBytes),
+      UniqueApps = dcount(XCsApp),
+      Apps = make_set(XCsApp, 20),
+      UniqueHosts = dcount(CsHost),
+      Activities = make_set(XCsAppActivity),
+      Countries = make_set(XCCountry),
+      Devices = make_set(XCDevice),
+      AccessMethods = make_set(XCsAccessMethod),
+      EventCount = count()
+      by CsUsername, XCDevice, XCsAccessMethod
+  | extend 
+      TotalGB = round(TotalBytes / 1073741824.0, 3),
+      UploadGB = round(UploadBytes / 1073741824.0, 3),
+      DownloadGB = round(DownloadBytes / 1073741824.0, 3)
+  | where TotalGB > highVolumeThresholdGB
+  | extend IsUnmanagedDevice = XCDevice =~ 'unmanaged' or XCDevice =~ 'BYOD' or XCDevice =~ 'Personal' or XCDevice =~ 'Unknown' or XCsAccessMethod != 'Client'
+  | where IsUnmanagedDevice or TotalGB > 5 or UniqueApps > 20
+  | extend RiskIndicators = strcat_array(array_concat(
+      iff(IsUnmanagedDevice, dynamic(['Unmanaged Device']), dynamic([])),
+      iff(TotalGB > 5, dynamic(['High Data Volume']), dynamic([])),
+      iff(UniqueApps > 20, dynamic(['Many Apps Accessed']), dynamic([])),
+      iff(array_length(Countries) > 1, dynamic(['Multiple Countries']), dynamic([]))
+  ), ', ')
+  | project 
+      TimeGenerated = now(),
+      User = CsUsername,
+      Device = XCDevice,
+      AccessMethod = XCsAccessMethod,
+      TotalDataGB = TotalGB,
+      UploadGB,
+      DownloadGB,
+      UniqueApplications = UniqueApps,
+      Applications = Apps,
+      UniqueHosts,
+      Activities,
+      Countries,
+      EventCount,
+      IsUnmanagedDevice,
+      RiskIndicators
+entityMappings:
+  - entityType: Account
+    fieldMappings:
+      - identifier: Name
+        columnName: User
+  - entityType: Host
+    fieldMappings:
+      - identifier: HostName
+        columnName: Device
+version: 1.0.0
+kind: Scheduled

Solutions/NetskopeWebTx/Analytic Rules/NetskopeWebtx_Rule1.yaml

@@ -0,0 +1,73 @@
+id: cdc01279-d6ea-41b1-a32d-49d726be95b8
+name: Netskope - Unsanctioned/Risky Cloud App Access (Shadow IT)
+description: |
+  Alerts when users access unsanctioned or risky cloud applications based on Cloud Confidence Level (CCL) and app tags. Detects Shadow IT usage.
+severity: Medium
+status: Available
+requiredDataConnectors:
+  - connectorId: NetskopeWebTxConnector
+    dataTypes:
+      - NetskopeWebTransactions_CL
+queryFrequency: 1h
+queryPeriod: 1h
+triggerOperator: gt
+triggerThreshold: 0
+tactics:
+  - InitialAccess
+  - Exfiltration
+relevantTechniques:
+  - T1199
+  - T1567
+query: |
+  NetskopeWebTransactions_CL
+  | where TimeGenerated > ago(1h)
+  | where isnotempty(CsUsername) and isnotempty(XCsApp)
+  | where XCsAppTags contains 'Unsanctioned' 
+      or XCsAppCcl =~ 'poor'
+      or XCsAppCcl =~ 'low'
+      or XCsAppCci < 50
+  | summarize 
+      EventCount = count(),
+      TotalBytesMB = round(sum(Bytes) / 1048576.0, 2),
+      Activities = make_set(XCsAppActivity),
+      FirstSeen = min(TimeGenerated),
+      LastSeen = max(TimeGenerated)
+      by 
+      CsUsername,
+      XCsApp,
+      XCsAppCategory,
+      XCsAppCcl,
+      XCsAppCci,
+      XCsAppTags,
+      XCCountry,
+      XCDevice
+  | extend RiskLevel = case(
+      XCsAppCci < 30, 'Critical',
+      XCsAppCci < 50, 'High',
+      XCsAppCci < 70, 'Medium',
+      'Low')
+  | project 
+      TimeGenerated = LastSeen,
+      User = CsUsername,
+      RiskyApplication = XCsApp,
+      AppCategory = XCsAppCategory,
+      CloudConfidenceLevel = XCsAppCcl,
+      CloudConfidenceIndex = XCsAppCci,
+      AppTags = XCsAppTags,
+      RiskLevel,
+      Country = XCCountry,
+      Device = XCDevice,
+      Activities,
+      EventCount,
+      DataTransferMB = TotalBytesMB
+entityMappings:
+  - entityType: Account
+    fieldMappings:
+      - identifier: Name
+        columnName: User
+  - entityType: CloudApplication
+    fieldMappings:
+      - identifier: Name
+        columnName: RiskyApplication
+version: 1.0.0
+kind: Scheduled

Solutions/NetskopeWebTx/Analytic Rules/NetskopeWebtx_Rule10.yaml

@@ -0,0 +1,72 @@
+id: cf103180-cb81-4796-921d-3cc7eef4e817
+name: Netskope - Data Movement Tracking (Upload/Download Monitoring)
+description: |
+  Tracks file uploads and downloads, monitoring data movement direction, size, and destination. Provides visibility into data flow patterns.
+severity: Informational
+status: Available
+requiredDataConnectors:
+  - connectorId: NetskopeWebTxConnector
+    dataTypes:
+      - NetskopeWebTransactions_CL
+queryFrequency: 1h
+queryPeriod: 1h
+triggerOperator: gt
+triggerThreshold: 0
+tactics:
+  - Exfiltration
+  - Collection
+relevantTechniques:
+  - T1567
+  - T1074
+query: |
+  let significantSizeMB = 50;
+  NetskopeWebTransactions_CL
+  | where TimeGenerated > ago(1h)
+  | where isnotempty(CsUsername)
+  | where CsBytes > 0 or ScBytes > 0 or XRsFileSize > 0
+  | extend 
+      Direction = case(
+          CsBytes > ScBytes, 'Upload',
+          ScBytes > CsBytes, 'Download',
+          'Unknown'),
+      TransferSize = max_of(CsBytes, ScBytes, XRsFileSize)
+  | summarize 
+      TotalUploadBytes = sumif(CsBytes, Direction == 'Upload'),
+      TotalDownloadBytes = sumif(ScBytes, Direction == 'Download'),
+      UploadCount = countif(Direction == 'Upload'),
+      DownloadCount = countif(Direction == 'Download'),
+      UniqueFiles = dcount(XCsAppObjectName),
+      Files = make_set(XCsAppObjectName, 20),
+      FileTypes = make_set(XRsFileType),
+      Apps = make_set(XCsApp),
+      Destinations = make_set(CsHost, 20)
+      by CsUsername, XCDevice, XCCountry, bin(TimeGenerated, 1h)
+  | extend 
+      TotalUploadMB = round(TotalUploadBytes / 1048576.0, 2),
+      TotalDownloadMB = round(TotalDownloadBytes / 1048576.0, 2),
+      TotalTransferMB = round((TotalUploadBytes + TotalDownloadBytes) / 1048576.0, 2)
+  | where TotalTransferMB > significantSizeMB
+  | extend DataFlowSummary = strcat('Upload: ', TotalUploadMB, ' MB (', UploadCount, ' ops), Download: ', TotalDownloadMB, ' MB (', DownloadCount, ' ops)')
+  | project 
+      TimeGenerated,
+      User = CsUsername,
+      Device = XCDevice,
+      Country = XCCountry,
+      TotalUploadMB,
+      TotalDownloadMB,
+      TotalTransferMB,
+      UploadOperations = UploadCount,
+      DownloadOperations = DownloadCount,
+      UniqueFiles,
+      FilesSample = Files,
+      FileTypes,
+      Applications = Apps,
+      Destinations,
+      DataFlowSummary
+entityMappings:
+  - entityType: Account
+    fieldMappings:
+      - identifier: Name
+        columnName: User
+version: 1.0.0
+kind: Scheduled

Solutions/NetskopeWebTx/Analytic Rules/NetskopeWebtx_Rule2.yaml

@@ -0,0 +1,67 @@
+id: dd0ebd84-ffbe-45df-848b-0615ac446b04
+name: Netskope - Excessive Downloads Detection (Spike vs Baseline)
+description: |
+  Detects users with excessive download activity compared to their 7-day baseline. Triggers when current download volume exceeds 3x the average.
+severity: Medium
+status: Available
+requiredDataConnectors:
+  - connectorId: NetskopeWebTxConnector
+    dataTypes:
+      - NetskopeWebTransactions_CL
+queryFrequency: 1h
+queryPeriod: 7d
+triggerOperator: gt
+triggerThreshold: 0
+tactics:
+  - Exfiltration
+  - Collection
+relevantTechniques:
+  - T1530
+  - T1074
+query: |
+  let lookbackPeriod = 7d;
+  let currentPeriod = 1h;
+  let threshold = 3;
+  let baseline = NetskopeWebTransactions_CL
+      | where TimeGenerated between (ago(lookbackPeriod) .. ago(currentPeriod))
+      | where isnotempty(CsUsername)
+      | where XCsAppActivity =~ 'Download' or ScBytes > 0
+      | summarize 
+          BaselineAvgBytes = avg(ScBytes),
+          BaselineTotalBytes = sum(ScBytes),
+          BaselineCount = count()
+          by CsUsername
+      | extend BaselineDailyAvg = BaselineTotalBytes / 7;
+  let current = NetskopeWebTransactions_CL
+      | where TimeGenerated > ago(currentPeriod)
+      | where isnotempty(CsUsername)
+      | where XCsAppActivity =~ 'Download' or ScBytes > 0
+      | summarize 
+          CurrentTotalBytes = sum(ScBytes),
+          CurrentCount = count(),
+          Apps = make_set(XCsApp),
+          Files = make_set(XCsAppObjectName)
+          by CsUsername;
+  current
+  | join kind=inner baseline on CsUsername
+  | where CurrentTotalBytes > (BaselineDailyAvg * threshold)
+  | extend 
+      SpikeMultiplier = round(CurrentTotalBytes / BaselineDailyAvg, 2),
+      CurrentTotalMB = round(CurrentTotalBytes / 1048576.0, 2),
+      BaselineDailyMB = round(BaselineDailyAvg / 1048576.0, 2)
+  | project 
+      TimeGenerated = now(),
+      User = CsUsername,
+      CurrentDownloadMB = CurrentTotalMB,
+      BaselineDailyAvgMB = BaselineDailyMB,
+      SpikeMultiplier,
+      DownloadCount = CurrentCount,
+      ApplicationsUsed = Apps,
+      FilesDownloaded = Files
+entityMappings:
+  - entityType: Account
+    fieldMappings:
+      - identifier: Name
+        columnName: User
+version: 1.0.0
+kind: Scheduled

Solutions/NetskopeWebTx/Analytic Rules/NetskopeWebtx_Rule3.yaml

@@ -0,0 +1,71 @@
+id: 272f9bca-5fd0-4413-b494-03b2d9f0bb9b
+name: Netskope - Heavy Personal Cloud Storage Usage (Shadow IT)
+description: |
+  Detects heavy usage of personal cloud storage applications like personal Dropbox, Google Drive, OneDrive personal, etc. Indicates potential Shadow IT or data leakage risk.
+severity: Medium
+status: Available
+requiredDataConnectors:
+  - connectorId: NetskopeWebTxConnector
+    dataTypes:
+      - NetskopeWebTransactions_CL
+queryFrequency: 1h
+queryPeriod: 1h
+triggerOperator: gt
+triggerThreshold: 0
+tactics:
+  - Exfiltration
+  - Collection
+relevantTechniques:
+  - T1567
+  - T1530
+query: |
+  let heavyUsageThresholdMB = 500;
+  NetskopeWebTransactions_CL
+  | where TimeGenerated > ago(1h)
+  | where isnotempty(CsUsername) and isnotempty(XCsApp)
+  | where XCsApp has_any ('Dropbox', 'Google Drive', 'OneDrive', 'Box', 'iCloud', 'pCloud', 'MEGA', 'MediaFire', 'WeTransfer')
+  | where XCsAppInstanceTag contains 'Personal' 
+      or XCsAppInstanceName contains 'Personal'
+      or XCsAppTags contains 'Unsanctioned'
+      or not(XCsAppTags contains 'Enterprise')
+  | summarize 
+      TotalBytes = sum(Bytes),
+      UploadBytes = sum(CsBytes),
+      DownloadBytes = sum(ScBytes),
+      FileCount = dcount(XCsAppObjectName),
+      Files = make_set(XCsAppObjectName, 10),
+      Activities = make_set(XCsAppActivity),
+      EventCount = count()
+      by CsUsername, XCsApp, XCsAppCategory, XCsAppInstanceName, XCsAppTags, XCDevice, XCCountry
+  | extend 
+      TotalMB = round(TotalBytes / 1048576.0, 2),
+      UploadMB = round(UploadBytes / 1048576.0, 2),
+      DownloadMB = round(DownloadBytes / 1048576.0, 2)
+  | where TotalMB > heavyUsageThresholdMB or FileCount > 50
+  | project 
+      TimeGenerated = now(),
+      User = CsUsername,
+      CloudApplication = XCsApp,
+      AppCategory = XCsAppCategory,
+      AppInstance = XCsAppInstanceName,
+      AppTags = XCsAppTags,
+      TotalDataMB = TotalMB,
+      UploadMB,
+      DownloadMB,
+      FileCount,
+      Files,
+      Activities,
+      Device = XCDevice,
+      Country = XCCountry,
+      EventCount
+entityMappings:
+  - entityType: Account
+    fieldMappings:
+      - identifier: Name
+        columnName: User
+  - entityType: CloudApplication
+    fieldMappings:
+      - identifier: Name
+        columnName: CloudApplication
+version: 1.0.0
+kind: Scheduled