Microsoft Sentinel Analytic Rules

A client made a web request to a potentially harmful file (ASIM Web Session schema)

Id: 09c49590-4e9d-4da9-a34d-17222d0c9e7e
Rule name: A client made a web request to a potentially harmful file (ASIM Web Session schema)
Description: This rule identifies a web request to a URL that points to a file type, including .ps1, .bat, .vbs, and .scr, that can be harmful if downloaded. This rule uses the Advanced Security Information Model (ASIM) and supports any web session source that complies with ASIM. To use this Analytics Rule, deploy the Advanced Security Information Model (ASIM).

This analytic rule uses ASIM and supports any built-in or custom source that supports the ASIM WebSession schema (ASIM WebSession Schema)
Severity: Medium
Tactics: InitialAccess
Required data connectors: SquidProxy
Zscaler
Kind: Scheduled
Query frequency: 10m
Query period: 10m
Trigger threshold: 0
Trigger operator: gt
Source Uri: https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ASimWebSession/PotentiallyHarmfulFileTypes.yaml
Version: 1.1.1
Arm template: 09c49590-4e9d-4da9-a34d-17222d0c9e7e.json
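// Built-in set of file extensions considered risky when requested over the web.
let default_file_ext_blocklist = dynamic(['.ps1', '.vbs', '.bat', '.scr']);
// Analyst-maintained additions from the 'RiskyFileTypes' watchlist.
// column_ifexists() keeps the query valid if the watchlist has no 'Extension' column;
// an empty watchlist yields an empty set, so array_concat() below is safe.
let custom_file_ext_blocklist=toscalar(_GetWatchlist('RiskyFileTypes') | extend Extension=column_ifexists("Extension","") | where isnotempty(Extension) | summarize make_set(Extension));
let file_ext_blocklist = array_concat(default_file_ext_blocklist, custom_file_ext_blocklist);
// Pre-filter inside the ASIM parser: successful sessions whose URL contains one of the extensions.
_Im_WebSession(url_has_any=file_ext_blocklist, eventresult='Success')
// The last path segment of the URL is the requested file name.
| extend requestedFileName=tostring(split(tostring(parse_url(Url)["Path"]),'/')[-1])
// The regex must be a quoted verbatim string literal (@'...'); a bare @(...) is not a valid KQL literal.
| extend requestedFileExt=extract(@'(\.\w+)$',1,requestedFileName, typeof(string))
// Filter on the column defined above (the original referenced 'requestedFileExtension', which does not exist).
// in~ makes the comparison case-insensitive so '.PS1' is treated the same as '.ps1'.
| where requestedFileExt in~ (file_ext_blocklist)
// requestedFileExt and SrcUsername are kept in the output because the alert title,
// description and custom details reference them; dropping them here would leave those fields empty.
// NumFailedAttempts is kept for compatibility with existing consumers; it counts successful requests.
| summarize LastAttemptTime=max(TimeGenerated), NumFailedAttempts=count() by SrcIpAddr, SrcUsername, requestedFileName, requestedFileExt, Url
// Entity columns consumed by the rule's entity mappings.
| extend IPCustomEntity = SrcIpAddr, UrlCustomEntity=Url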
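# Scheduled analytics rule: a client requested a URL ending in a potentially harmful
# file extension (ASIM WebSession schema). Fires once per matching result.
triggerOperator: gt
id: 09c49590-4e9d-4da9-a34d-17222d0c9e7e
queryFrequency: 10m
# Both entity columns are produced by the final 'extend' of the query.
entityMappings:
- entityType: IP
  fieldMappings:
  - columnName: IPCustomEntity
    identifier: Address
- entityType: URL
  fieldMappings:
  - columnName: UrlCustomEntity
    identifier: Url
# Example connectors only; any source that feeds the ASIM WebSession schema is supported.
requiredDataConnectors:
- dataTypes:
  - SquidProxy_CL
  connectorId: SquidProxy
- dataTypes:
  - CommonSecurityLog
  connectorId: Zscaler
severity: Medium
metadata:
  source:
    kind: Community
  categories:
    domains:
    - Security - Others
  support:
    tier: Community
  author:
    name: Yaron
triggerThreshold: 0
kind: Scheduled
version: 1.1.1
queryPeriod: 10m
# {{requestedFileExt}} must survive the query's summarize for these placeholders to be populated.
alertDetailsOverride:
  alertDisplayNameFormat: Client {{SrcIpAddr}} accessed a URL with potentially harmful extension {{requestedFileExt}}
  alertDescriptionFormat: The client at address {{SrcIpAddr}} accessed the URL {{Url}} that has the extension {{requestedFileExt}}. Downloading a file with this extension may be harmful and may indicate malicious activity.
eventGroupingSettings:
  aggregationKind: AlertPerResult
query: |
  // Built-in set of file extensions considered risky when requested over the web.
  let default_file_ext_blocklist = dynamic(['.ps1', '.vbs', '.bat', '.scr']);
  // Analyst-maintained additions from the 'RiskyFileTypes' watchlist.
  // column_ifexists() keeps the query valid if the watchlist has no 'Extension' column;
  // an empty watchlist yields an empty set, so array_concat() below is safe.
  let custom_file_ext_blocklist=toscalar(_GetWatchlist('RiskyFileTypes') | extend Extension=column_ifexists("Extension","") | where isnotempty(Extension) | summarize make_set(Extension));
  let file_ext_blocklist = array_concat(default_file_ext_blocklist, custom_file_ext_blocklist);
  // Pre-filter inside the ASIM parser: successful sessions whose URL contains one of the extensions.
  _Im_WebSession(url_has_any=file_ext_blocklist, eventresult='Success')
  // The last path segment of the URL is the requested file name.
  | extend requestedFileName=tostring(split(tostring(parse_url(Url)["Path"]),'/')[-1])
  // The regex must be a quoted verbatim string literal (@'...'); a bare @(...) is not a valid KQL literal.
  | extend requestedFileExt=extract(@'(\.\w+)$',1,requestedFileName, typeof(string))
  // Filter on the column defined above (the original referenced 'requestedFileExtension', which does not exist).
  // in~ makes the comparison case-insensitive so '.PS1' is treated the same as '.ps1'.
  | where requestedFileExt in~ (file_ext_blocklist)
  // requestedFileExt and SrcUsername are kept because alertDetailsOverride and customDetails
  // reference them; dropping them here would leave those alert fields empty.
  // NumFailedAttempts is kept for compatibility with existing consumers; it counts successful requests.
  | summarize LastAttemptTime=max(TimeGenerated), NumFailedAttempts=count() by SrcIpAddr, SrcUsername, requestedFileName, requestedFileExt, Url
  // Entity columns consumed by entityMappings above.
  | extend IPCustomEntity = SrcIpAddr, UrlCustomEntity=Url
description: |
  'This rule identifies a web request to a URL that holds a file type, including .ps1, .bat, .vbs, and .scr that can be harmful if downloaded. This rule uses the [Advanced Security Information Model (ASIM)](https://aka.ms/AboutASIM) and supports any web session source that complies with ASIM. To use this Analytics Rule, deploy the Advanced Security Information Model (ASIM).
   This analytic rule uses [ASIM](https://aka.ms/AboutASIM) and supports any built-in or custom source that supports the ASIM WebSession schema (ASIM WebSession Schema)'
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ASimWebSession/PotentiallyHarmfulFileTypes.yaml
name: A client made a web request to a potentially harmful file (ASIM Web Session schema)
tactics:
- InitialAccess
# Each value names a column of the query output; SrcUsername and requestedFileExt are
# carried through the query's summarize so these details are populated.
customDetails:
  requestedFileExt: requestedFileExt
  Username: SrcUsername
  requestedFileName: requestedFileName
tags:
- ParentAlert: https://github.com/Azure/Azure-Sentinel/blob/master/Detections/CiscoUmbrella/CiscoUmbrellaRequestBlocklistedFileType.yaml
  version: 1.0.0
- Schema: ASimWebSession
  SchemaVersion: 0.2.1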
{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "workspace": {
      "type": "String"
    }
  },
  "resources": [
    {
      "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/09c49590-4e9d-4da9-a34d-17222d0c9e7e')]",
      "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/09c49590-4e9d-4da9-a34d-17222d0c9e7e')]",
      "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
      "kind": "Scheduled",
      "apiVersion": "2022-11-01",
      "properties": {
        "displayName": "A client made a web request to a potentially harmful file (ASIM Web Session schema)",
        "description": "'This rule identifies a web request to a URL that holds a file type, including .ps1, .bat, .vbs, and .scr that can be harmful if downloaded. This rule uses the [Advanced Security Information Model (ASIM)](https://aka.ms/AboutASIM) and supports any web session source that complies with ASIM. To use this Analytics Rule, deploy the Advanced Security Information Model (ASIM).\n This analytic rule uses [ASIM](https://aka.ms/AboutASIM) and supports any built-in or custom source that supports the ASIM WebSession schema (ASIM WebSession Schema)'\n",
        "severity": "Medium",
        "enabled": true,
        "query": "let default_file_ext_blocklist = dynamic(['.ps1', '.vbs', '.bat', '.scr']);\nlet custom_file_ext_blocklist=toscalar(_GetWatchlist('RiskyFileTypes') | extend Extension=column_ifexists(\"Extension\",\"\") | where isnotempty(Extension) | summarize make_set(Extension));\nlet file_ext_blocklist = array_concat(default_file_ext_blocklist, custom_file_ext_blocklist);\n_Im_WebSession(url_has_any=file_ext_blocklist, eventresult='Success')\n| extend requestedFileName=tostring(split(tostring(parse_url(Url)[\"Path\"]),'/')[-1])\n| extend requestedFileExt=extract(@(\\.\\w+)$,1,requestedFileName, typeof(string))\n| where requestedFileExtension in (file_ext_blocklist)\n| summarize LastAttemptTime=max(TimeGenerated), NumFailedAttempts=count() by SrcIpAddr, requestedFileName, Url\n| extend IPCustomEntity = SrcIpAddr, UrlCustomEntity=Url\n",
        "queryFrequency": "PT10M",
        "queryPeriod": "PT10M",
        "triggerOperator": "GreaterThan",
        "triggerThreshold": 0,
        "suppressionDuration": "PT1H",
        "suppressionEnabled": false,
        "tactics": [
          "InitialAccess"
        ],
        "alertRuleTemplateName": "09c49590-4e9d-4da9-a34d-17222d0c9e7e",
        "eventGroupingSettings": {
          "aggregationKind": "AlertPerResult"
        },
        "alertDetailsOverride": {
          "alertDisplayNameFormat": "Client {{SrcIpAddr}} accessed a URL with potentially harmful extension {{requestedFileExt}}",
          "alertDescriptionFormat": "The client at address {{SrcIpAddr}} accessed the URL {{Url}} that has the extension {{requestedFileExt}}. Downloading a file with this extension may be harmful and may indicate malicious activity."
        },
        "customDetails": {
          "requestedFileExt": "requestedFileExt",
          "Username": "SrcUsername",
          "requestedFileName": "requestedFileName"
        },
        "entityMappings": [
          {
            "fieldMappings": [
              {
                "identifier": "Address",
                "columnName": "IPCustomEntity"
              }
            ],
            "entityType": "IP"
          },
          {
            "fieldMappings": [
              {
                "identifier": "Url",
                "columnName": "UrlCustomEntity"
              }
            ],
            "entityType": "URL"
          }
        ],
        "tags": [
          {
            "version": "1.0.0",
            "ParentAlert": "https://github.com/Azure/Azure-Sentinel/blob/master/Detections/CiscoUmbrella/CiscoUmbrellaRequestBlocklistedFileType.yaml"
          },
          {
            "Schema": "ASimWebSession",
            "SchemaVersion": "0.2.1"
          }
        ],
        "templateVersion": "1.1.1",
        "OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ASimWebSession/PotentiallyHarmfulFileTypes.yaml"
      }
    }
  ]
}