Microsoft Sentinel Analytic Rules

A client made a web request to a potentially harmful file ASIM Web Session schema

Id: 09c49590-4e9d-4da9-a34d-17222d0c9e7e
Rulename: A client made a web request to a potentially harmful file (ASIM Web Session schema)
Description: This rule identifies a web request to a URL that holds a file type, including .ps1, .bat, .vbs, and .scr, that can be harmful if downloaded. This analytic rule uses ASIM and supports any built-in or custom source that supports the ASIM WebSession schema (ASIM WebSession Schema).
Severity: Medium
Tactics: InitialAccess
Techniques: T1189
Required data connectors: SquidProxy, Zscaler
Kind: Scheduled
Query frequency: 10m
Query period: 10m
Trigger threshold: 0
Trigger operator: gt
Source Uri: https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ASimWebSession/PotentiallyHarmfulFileTypes.yaml
Version: 1.1.3
Arm template: 09c49590-4e9d-4da9-a34d-17222d0c9e7e.json
let default_file_ext_blocklist = dynamic(['.ps1', '.vbs', '.bat', '.scr']); // Update this list as per your requirement
let custom_file_ext_blocklist=toscalar(_GetWatchlist('RiskyFileTypes')
  | extend Extension=column_ifexists("Extension", "")
  | where isnotempty(Extension)
  | summarize make_set(Extension)); // If you have an extensive list, you can also create a Watchlist that includes the file extensions you want to detect
let file_ext_blocklist = array_concat(default_file_ext_blocklist, custom_file_ext_blocklist);
_Im_WebSession(starttime=ago(10min), url_has_any=file_ext_blocklist, eventresult='Success')
| extend requestedFileName=tostring(split(tostring(parse_url(Url)["Path"]), '/')[-1])
| extend requestedFileExtension=extract(@'(\.\w+)$', 1, requestedFileName, typeof(string))
| where requestedFileExtension in (file_ext_blocklist)
| summarize
  EventStartTime=min(TimeGenerated),
  EventEndTime=max(TimeGenerated),
  EventCount=count()
  by SrcIpAddr, SrcUsername, SrcHostname, requestedFileName, requestedFileExtension, Url // requestedFileExtension must survive the summarize, because alertDetailsOverride and customDetails reference it
| extend
  Name = iif(SrcUsername contains "@", tostring(split(SrcUsername, '@', 0)[0]), SrcUsername),
  UPNSuffix = iif(SrcUsername contains "@", tostring(split(SrcUsername, '@', 1)[0]), "")
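To show what the query above does to a record, here is an added Python re-implementation of its filter, summarize and Name/UPNSuffix steps run over constructed WebSession-style events; it is not part of the rule or the Azure-Sentinel repository, and the watchlist content ('.hta'), the hostnames and every record are assumed.

```python
import re
from urllib.parse import urlsplit
# Stand-in for default_file_ext_blocklist plus one assumed RiskyFileTypes watchlist entry ('.hta')
FILE_EXT_BLOCKLIST = ['.ps1', '.vbs', '.bat', '.scr'] + ['.hta']
EXT_RE = re.compile(r'(\.\w+)$')  # same pattern as the KQL extract()

def ev(t, ip, user, host, result, url):
    return {'TimeGenerated': t, 'SrcIpAddr': ip, 'SrcUsername': user,
            'SrcHostname': host, 'EventResult': result, 'Url': url}

EVENTS = [  # constructed ASIM WebSession-style records, not real telemetry
    ev('2024-05-01T10:00:00Z', '10.0.0.5', 'alice@contoso.com', 'WS01', 'Success', 'http://updates.example.test/tools/installer.ps1?sig=abc'),
    ev('2024-05-01T10:03:00Z', '10.0.0.5', 'alice@contoso.com', 'WS01', 'Success', 'http://updates.example.test/tools/installer.ps1?sig=abc'),
    ev('2024-05-01T10:04:00Z', '10.0.0.5', 'alice@contoso.com', 'WS01', 'Success', 'http://cdn.example.test/docs/readme.txt'),
    ev('2024-05-01T10:05:00Z', '10.0.0.7', 'bob', 'WS02', 'Success', 'http://files.example.test/run.hta'),
    ev('2024-05-01T10:06:00Z', '10.0.0.9', 'carol@contoso.com', 'WS03', 'Failure', 'http://x.example.test/dl/setup.bat'),
    ev('2024-05-01T10:07:00Z', '10.0.0.9', 'carol@contoso.com', 'WS03', 'Success', 'http://x.example.test/dl/tool.PS1'),
]

def requested_file(url):
    """parse_url(Url)['Path'] -> last '/' segment -> extract(); the query string is not part of Path."""
    name = urlsplit(url).path.split('/')[-1]
    m = EXT_RE.search(name)
    return name, (m.group(1) if m else '')

def split_upn(username):
    """Mirror the Name / UPNSuffix extend: split on '@' only when one is present."""
    parts = username.split('@')
    return (parts[0], parts[1]) if len(parts) > 1 else (username, '')

def detect(events, blocklist=FILE_EXT_BLOCKLIST):
    """Filter and summarize as the rule does: one row per (client, user, host, file, URL) group."""
    groups = {}
    for e in events:
        if e['EventResult'] != 'Success':  # the eventresult='Success' parser parameter
            continue
        fname, ext = requested_file(e['Url'])
        # KQL `in` is case-sensitive, so '.PS1' is not matched here; the rule would need in~ for that
        if ext not in blocklist:
            continue
        key = (e['SrcIpAddr'], e['SrcUsername'], e['SrcHostname'], fname, ext, e['Url'])
        g = groups.setdefault(key, [e['TimeGenerated'], e['TimeGenerated'], 0])
        g[0], g[1], g[2] = min(g[0], e['TimeGenerated']), max(g[1], e['TimeGenerated']), g[2] + 1
    rows = []
    for (ip, user, host, fname, ext, url), (start, end, count) in groups.items():
        name, suffix = split_upn(user)
        rows.append({'SrcIpAddr': ip, 'SrcUsername': user, 'SrcHostname': host, 'requestedFileName': fname,
                     'requestedFileExtension': ext, 'Url': url, 'EventStartTime': start,
                     'EventEndTime': end, 'EventCount': count, 'Name': name, 'UPNSuffix': suffix})
    return rows
```

With the sample input this yields two rows (alice's repeated .ps1 request with EventCount 2, and bob's .hta request); the failed .bat request and the upper-case .PS1 request produce nothing.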
queryPeriod: 10m
query: |
  let default_file_ext_blocklist = dynamic(['.ps1', '.vbs', '.bat', '.scr']); // Update this list as per your requirement
  let custom_file_ext_blocklist=toscalar(_GetWatchlist('RiskyFileTypes')
    | extend Extension=column_ifexists("Extension", "")
    | where isnotempty(Extension)
    | summarize make_set(Extension)); // If you have an extensive list, you can also create a Watchlist that includes the file extensions you want to detect
  let file_ext_blocklist = array_concat(default_file_ext_blocklist, custom_file_ext_blocklist);
  _Im_WebSession(starttime=ago(10min), url_has_any=file_ext_blocklist, eventresult='Success')
  | extend requestedFileName=tostring(split(tostring(parse_url(Url)["Path"]), '/')[-1])
  | extend requestedFileExtension=extract(@'(\.\w+)$', 1, requestedFileName, typeof(string))
  | where requestedFileExtension in (file_ext_blocklist)
  | summarize
    EventStartTime=min(TimeGenerated),
    EventEndTime=max(TimeGenerated),
    EventCount=count()
    by SrcIpAddr, SrcUsername, SrcHostname, requestedFileName, requestedFileExtension, Url // requestedFileExtension must survive the summarize, because alertDetailsOverride and customDetails reference it
  | extend
    Name = iif(SrcUsername contains "@", tostring(split(SrcUsername, '@', 0)[0]), SrcUsername),
    UPNSuffix = iif(SrcUsername contains "@", tostring(split(SrcUsername, '@', 1)[0]), "")  
name: A client made a web request to a potentially harmful file (ASIM Web Session schema)
entityMappings:
- fieldMappings:
  - columnName: SrcIpAddr
    identifier: Address
  entityType: IP
- fieldMappings:
  - columnName: Url
    identifier: Url
  entityType: URL
- fieldMappings:
  - columnName: requestedFileName
    identifier: Name
  entityType: File
- fieldMappings:
  - columnName: SrcUsername
    identifier: FullName
  - columnName: Name
    identifier: Name
  - columnName: UPNSuffix
    identifier: UPNSuffix
  entityType: Account
eventGroupingSettings:
  aggregationKind: AlertPerResult
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ASimWebSession/PotentiallyHarmfulFileTypes.yaml
tags:
- ParentAlert: https://github.com/Azure/Azure-Sentinel/blob/master/Detections/CiscoUmbrella/CiscoUmbrellaRequestBlocklistedFileType.yaml
  version: 1.0.0
- SchemaVersion: 0.2.1
  Schema: ASimWebSession
requiredDataConnectors:
- connectorId: SquidProxy
  dataTypes:
  - SquidProxy_CL
- connectorId: Zscaler
  dataTypes:
  - CommonSecurityLog
description: |
    'This rule identifies a web request to a URL that holds a file type, including .ps1, .bat, .vbs, and .scr that can be harmful if downloaded. This analytic rule uses [ASIM](https://aka.ms/AboutASIM) and supports any built-in or custom source that supports the ASIM WebSession schema (ASIM WebSession Schema)'
kind: Scheduled
version: 1.1.3
metadata:
  author:
    name: Yaron
  categories:
    domains:
    - Security - Others
  support:
    tier: Community
  source:
    kind: Community
alertDetailsOverride:
  alertDisplayNameFormat: Client {{SrcIpAddr}} accessed a URL with potentially harmful extension {{requestedFileExtension}}
  alertDescriptionFormat: The client at address {{SrcIpAddr}} accessed the URL {{Url}} that has the extension {{requestedFileExtension}}. Downloading a file with this extension may be harmful and may indicate malicious activity.
queryFrequency: 10m
severity: Medium
relevantTechniques:
- T1189
triggerOperator: gt
triggerThreshold: 0
customDetails:
  Username: SrcUsername
  requestedFileExt: requestedFileExtension
  SrcHostname: SrcHostname
tactics:
- InitialAccess
id: 09c49590-4e9d-4da9-a34d-17222d0c9e7e