Anomalous User Agent connection attempt

Back


Id	f845881e-2500-44dc-8ed7-b372af3e1e25
Rulename	Anomalous User Agent connection attempt
Description	Identifies connection attempts (success or fail) from clients with very short or very long User Agent strings and with less than 100 connection attempts.
Severity	Low
Tactics	InitialAccess
Techniques	T1190
Required data connectors	AzureMonitor(IIS)
Kind	Scheduled
Query frequency	1d
Query period	1d
Trigger threshold	0
Trigger operator	gt
Source Uri	https://github.com/Azure/Azure-Sentinel/blob/master/Detections/W3CIISLog/AnomomlousUserAgentConnection.yaml
Version	1.0.3
Arm template	f845881e-2500-44dc-8ed7-b372af3e1e25.json

KQL

let short_uaLength = 5;
let long_uaLength = 1000;
let c_threshold = 100;
W3CIISLog
// Exclude local IPs as these create noise
| where cIP !startswith "192.168." and cIP != "::1"
| where isnotempty(csUserAgent) and csUserAgent !in~ ("-", "MSRPC") and (string_size(csUserAgent) <= short_uaLength or string_size(csUserAgent) >= long_uaLength)
| extend csUserAgent_size = string_size(csUserAgent)
| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated), ConnectionCount = count() by Computer, sSiteName, sPort, csUserAgent, csUserAgent_size, csUserName , csMethod, csUriStem, sIP, cIP, scStatus, scSubStatus, scWin32Status
| where ConnectionCount < c_threshold
| extend HostName = tostring(split(Computer, ".")[0]), DomainIndex = toint(indexof(Computer, '.'))
| extend HostNameDomain = iff(DomainIndex != -1, substring(Computer, DomainIndex + 1), Computer)
| extend AccountName = tostring(split(csUserName, "@")[0]), AccountUPNSuffix = tostring(split(csUserName, "@")[1])

YAML

name: Anomalous User Agent connection attempt
relevantTechniques:
- T1190
severity: Low
requiredDataConnectors:
- connectorId: AzureMonitor(IIS)
  dataTypes:
  - W3CIISLog
tactics:
- InitialAccess
queryFrequency: 1d
version: 1.0.3
description: |
    'Identifies connection attempts (success or fail) from clients with very short or very long User Agent strings and with less than 100 connection attempts.'
kind: Scheduled
id: f845881e-2500-44dc-8ed7-b372af3e1e25
entityMappings:
- fieldMappings:
  - identifier: FullName
    columnName: csUserName
  - identifier: Name
    columnName: AccountName
  - identifier: UPNSuffix
    columnName: AccountUPNSuffix
  entityType: Account
- fieldMappings:
  - identifier: FullName
    columnName: Computer
  - identifier: HostName
    columnName: HostName
  - identifier: NTDomain
    columnName: HostNameDomain
  entityType: Host
- fieldMappings:
  - identifier: Address
    columnName: cIP
  entityType: IP
triggerThreshold: 0
queryPeriod: 1d
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Detections/W3CIISLog/AnomomlousUserAgentConnection.yaml
query: |
  let short_uaLength = 5;
  let long_uaLength = 1000;
  let c_threshold = 100;
  W3CIISLog
  // Exclude local IPs as these create noise
  | where cIP !startswith "192.168." and cIP != "::1"
  | where isnotempty(csUserAgent) and csUserAgent !in~ ("-", "MSRPC") and (string_size(csUserAgent) <= short_uaLength or string_size(csUserAgent) >= long_uaLength)
  | extend csUserAgent_size = string_size(csUserAgent)
  | summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated), ConnectionCount = count() by Computer, sSiteName, sPort, csUserAgent, csUserAgent_size, csUserName , csMethod, csUriStem, sIP, cIP, scStatus, scSubStatus, scWin32Status
  | where ConnectionCount < c_threshold
  | extend HostName = tostring(split(Computer, ".")[0]), DomainIndex = toint(indexof(Computer, '.'))
  | extend HostNameDomain = iff(DomainIndex != -1, substring(Computer, DomainIndex + 1), Computer)
  | extend AccountName = tostring(split(csUserName, "@")[0]), AccountUPNSuffix = tostring(split(csUserName, "@")[1])  
triggerOperator: gt
metadata:
  support:
    tier: Community
  source:
    kind: Community
  categories:
    domains:
    - Security - Threat Protection
  author:
    name: Microsoft Security Research

ARM