A client made a web request to a potentially harmful file ASIM Web Session schema
| Id | 09c49590-4e9d-4da9-a34d-17222d0c9e7e |
| Rulename | A client made a web request to a potentially harmful file (ASIM Web Session schema) |
| Description | This rule identifies a web request to a URL that holds a file type, including .ps1, .bat, .vbs, and .scr that can be harmful if downloaded. This analytic rule uses ASIM and supports any built-in or custom source that supports the ASIM WebSession schema (ASIM WebSession Schema) |
| Severity | Medium |
| Tactics | InitialAccess |
| Techniques | T1189 |
| Required data connectors | SquidProxy Zscaler |
| Kind | Scheduled |
| Query frequency | 10m |
| Query period | 10m |
| Trigger threshold | 0 |
| Trigger operator | gt |
| Source Uri | https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ASimWebSession/PotentiallyHarmfulFileTypes.yaml |
| Version | 1.1.3 |
| Arm template | 09c49590-4e9d-4da9-a34d-17222d0c9e7e.json |
let default_file_ext_blocklist = dynamic(['.ps1', '.vbs', '.bat', '.scr']); // Update this list as per your requirement
let custom_file_ext_blocklist=toscalar(_GetWatchlist('RiskyFileTypes')
| extend Extension=column_ifexists("Extension", "")
| where isnotempty(Extension)
| summarize make_set(Extension)); // If you have an extensive list, you can also create a Watchlist that includes the file extensions you want to detect
let file_ext_blocklist = array_concat(default_file_ext_blocklist, custom_file_ext_blocklist);
_Im_WebSession(starttime=ago(10min), url_has_any=file_ext_blocklist, eventresult='Success')
| extend requestedFileName=tostring(split(tostring(parse_url(Url)["Path"]), '/')[-1])
| extend requestedFileExtension=extract(@'(\.\w+)$', 1, requestedFileName, typeof(string))
| where requestedFileExtension in (file_ext_blocklist)
| summarize
EventStartTime=min(TimeGenerated),
EventEndTime=max(TimeGenerated),
EventCount=count()
by SrcIpAddr, SrcUsername, SrcHostname, requestedFileName, Url
| extend
Name = iif(SrcUsername contains "@", tostring(split(SrcUsername, '@', 0)[0]), SrcUsername),
UPNSuffix = iif(SrcUsername contains "@", tostring(split(SrcUsername, '@', 1)[0]), "")
relevantTechniques:
- T1189
name: A client made a web request to a potentially harmful file (ASIM Web Session schema)
requiredDataConnectors:
- dataTypes:
- SquidProxy_CL
connectorId: SquidProxy
- dataTypes:
- CommonSecurityLog
connectorId: Zscaler
entityMappings:
- fieldMappings:
- identifier: Address
columnName: SrcIpAddr
entityType: IP
- fieldMappings:
- identifier: Url
columnName: Url
entityType: URL
- fieldMappings:
- identifier: Name
columnName: requestedFileName
entityType: File
- fieldMappings:
- identifier: FullName
columnName: SrcUsername
- identifier: Name
columnName: Name
- identifier: UPNSuffix
columnName: UPNSuffix
entityType: Account
triggerThreshold: 0
id: 09c49590-4e9d-4da9-a34d-17222d0c9e7e
tactics:
- InitialAccess
version: 1.1.3
customDetails:
SrcHostname: SrcHostname
requestedFileExt: requestedFileExtension
Username: SrcUsername
queryPeriod: 10m
alertDetailsOverride:
alertDisplayNameFormat: Client {{SrcIpAddr}} accessed a URL with potentially harmful extension {{requestedFileExtension}}
alertDescriptionFormat: The client at address {{SrcIpAddr}} accessed the URL {{Url}} that has the extension {{requestedFileExtension}}. Downloading a file with this extension may be harmful and may indicate malicious activity.
triggerOperator: gt
kind: Scheduled
tags:
- version: 1.0.0
ParentAlert: https://github.com/Azure/Azure-Sentinel/blob/master/Detections/CiscoUmbrella/CiscoUmbrellaRequestBlocklistedFileType.yaml
- Schema: ASimWebSession
SchemaVersion: 0.2.1
eventGroupingSettings:
aggregationKind: AlertPerResult
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ASimWebSession/PotentiallyHarmfulFileTypes.yaml
metadata:
categories:
domains:
- Security - Others
author:
name: Yaron
support:
tier: Community
source:
kind: Community
queryFrequency: 10m
severity: Medium
description: |
'This rule identifies a web request to a URL that holds a file type, including .ps1, .bat, .vbs, and .scr that can be harmful if downloaded. This analytic rule uses [ASIM](https://aka.ms/AboutASIM) and supports any built-in or custom source that supports the ASIM WebSession schema (ASIM WebSession Schema)'
query: |
let default_file_ext_blocklist = dynamic(['.ps1', '.vbs', '.bat', '.scr']); // Update this list as per your requirement
let custom_file_ext_blocklist=toscalar(_GetWatchlist('RiskyFileTypes')
| extend Extension=column_ifexists("Extension", "")
| where isnotempty(Extension)
| summarize make_set(Extension)); // If you have an extensive list, you can also create a Watchlist that includes the file extensions you want to detect
let file_ext_blocklist = array_concat(default_file_ext_blocklist, custom_file_ext_blocklist);
_Im_WebSession(starttime=ago(10min), url_has_any=file_ext_blocklist, eventresult='Success')
| extend requestedFileName=tostring(split(tostring(parse_url(Url)["Path"]), '/')[-1])
| extend requestedFileExtension=extract(@'(\.\w+)$', 1, requestedFileName, typeof(string))
| where requestedFileExtension in (file_ext_blocklist)
| summarize
EventStartTime=min(TimeGenerated),
EventEndTime=max(TimeGenerated),
EventCount=count()
by SrcIpAddr, SrcUsername, SrcHostname, requestedFileName, Url
| extend
Name = iif(SrcUsername contains "@", tostring(split(SrcUsername, '@', 0)[0]), SrcUsername),
UPNSuffix = iif(SrcUsername contains "@", tostring(split(SrcUsername, '@', 1)[0]), "")
{
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"parameters": {
"workspace": {
"type": "String"
}
},
"resources": [
{
"apiVersion": "2024-01-01-preview",
"id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/09c49590-4e9d-4da9-a34d-17222d0c9e7e')]",
"kind": "Scheduled",
"name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/09c49590-4e9d-4da9-a34d-17222d0c9e7e')]",
"properties": {
"alertDetailsOverride": {
"alertDescriptionFormat": "The client at address {{SrcIpAddr}} accessed the URL {{Url}} that has the extension {{requestedFileExtension}}. Downloading a file with this extension may be harmful and may indicate malicious activity.",
"alertDisplayNameFormat": "Client {{SrcIpAddr}} accessed a URL with potentially harmful extension {{requestedFileExtension}}"
},
"alertRuleTemplateName": "09c49590-4e9d-4da9-a34d-17222d0c9e7e",
"customDetails": {
"requestedFileExt": "requestedFileExtension",
"SrcHostname": "SrcHostname",
"Username": "SrcUsername"
},
"description": "'This rule identifies a web request to a URL that holds a file type, including .ps1, .bat, .vbs, and .scr that can be harmful if downloaded. This analytic rule uses [ASIM](https://aka.ms/AboutASIM) and supports any built-in or custom source that supports the ASIM WebSession schema (ASIM WebSession Schema)'\n",
"displayName": "A client made a web request to a potentially harmful file (ASIM Web Session schema)",
"enabled": true,
"entityMappings": [
{
"entityType": "IP",
"fieldMappings": [
{
"columnName": "SrcIpAddr",
"identifier": "Address"
}
]
},
{
"entityType": "URL",
"fieldMappings": [
{
"columnName": "Url",
"identifier": "Url"
}
]
},
{
"entityType": "File",
"fieldMappings": [
{
"columnName": "requestedFileName",
"identifier": "Name"
}
]
},
{
"entityType": "Account",
"fieldMappings": [
{
"columnName": "SrcUsername",
"identifier": "FullName"
},
{
"columnName": "Name",
"identifier": "Name"
},
{
"columnName": "UPNSuffix",
"identifier": "UPNSuffix"
}
]
}
],
"eventGroupingSettings": {
"aggregationKind": "AlertPerResult"
},
"OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ASimWebSession/PotentiallyHarmfulFileTypes.yaml",
"query": "let default_file_ext_blocklist = dynamic(['.ps1', '.vbs', '.bat', '.scr']); // Update this list as per your requirement\nlet custom_file_ext_blocklist=toscalar(_GetWatchlist('RiskyFileTypes')\n | extend Extension=column_ifexists(\"Extension\", \"\")\n | where isnotempty(Extension)\n | summarize make_set(Extension)); // If you have an extensive list, you can also create a Watchlist that includes the file extensions you want to detect\nlet file_ext_blocklist = array_concat(default_file_ext_blocklist, custom_file_ext_blocklist);\n_Im_WebSession(starttime=ago(10min), url_has_any=file_ext_blocklist, eventresult='Success')\n| extend requestedFileName=tostring(split(tostring(parse_url(Url)[\"Path\"]), '/')[-1])\n| extend requestedFileExtension=extract(@'(\\.\\w+)$', 1, requestedFileName, typeof(string))\n| where requestedFileExtension in (file_ext_blocklist)\n| summarize\n EventStartTime=min(TimeGenerated),\n EventEndTime=max(TimeGenerated),\n EventCount=count()\n by SrcIpAddr, SrcUsername, SrcHostname, requestedFileName, Url\n| extend\n Name = iif(SrcUsername contains \"@\", tostring(split(SrcUsername, '@', 0)[0]), SrcUsername),\n UPNSuffix = iif(SrcUsername contains \"@\", tostring(split(SrcUsername, '@', 1)[0]), \"\")\n",
"queryFrequency": "PT10M",
"queryPeriod": "PT10M",
"severity": "Medium",
"subTechniques": [],
"suppressionDuration": "PT1H",
"suppressionEnabled": false,
"tactics": [
"InitialAccess"
],
"tags": [
{
"ParentAlert": "https://github.com/Azure/Azure-Sentinel/blob/master/Detections/CiscoUmbrella/CiscoUmbrellaRequestBlocklistedFileType.yaml",
"version": "1.0.0"
},
{
"Schema": "ASimWebSession",
"SchemaVersion": "0.2.1"
}
],
"techniques": [
"T1189"
],
"templateVersion": "1.1.3",
"triggerOperator": "GreaterThan",
"triggerThreshold": 0
},
"type": "Microsoft.OperationalInsights/workspaces/providers/alertRules"
}
]
}