Microsoft Sentinel Analytic Rules
cloudbrothers.infoAzure Sentinel RepoToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeBack to homepage

A client made a web request to a potentially harmful file ASIM Web Session schema

Back
Id09c49590-4e9d-4da9-a34d-17222d0c9e7e
RulenameA client made a web request to a potentially harmful file (ASIM Web Session schema)
DescriptionThis rule identifies a web request to a URL that holds a file type, including .ps1, .bat, .vbs, and .scr that can be harmful if downloaded. This analytic rule uses ASIM and supports any built-in or custom source that supports the ASIM WebSession schema (ASIM WebSession Schema)
SeverityMedium
TacticsInitialAccess
TechniquesT1189
Required data connectorsSquidProxy
Zscaler
KindScheduled
Query frequency10m
Query period10m
Trigger threshold0
Trigger operatorgt
Source Urihttps://github.com/Azure/Azure-Sentinel/blob/master/Detections/ASimWebSession/PotentiallyHarmfulFileTypes.yaml
Version1.1.3
Arm template09c49590-4e9d-4da9-a34d-17222d0c9e7e.json
Deploy To Azure
let default_file_ext_blocklist = dynamic(['.ps1', '.vbs', '.bat', '.scr']); // Update this list as per your requirement
let custom_file_ext_blocklist=toscalar(_GetWatchlist('RiskyFileTypes')
  | extend Extension=column_ifexists("Extension", "")
  | where isnotempty(Extension)
  | summarize make_set(Extension)); // If you have an extensive list, you can also create a Watchlist that includes the file extensions you want to detect
let file_ext_blocklist = array_concat(default_file_ext_blocklist, custom_file_ext_blocklist);
_Im_WebSession(starttime=ago(10min), url_has_any=file_ext_blocklist, eventresult='Success')
| extend requestedFileName=tostring(split(tostring(parse_url(Url)["Path"]), '/')[-1])
| extend requestedFileExtension=extract(@'(\.\w+)$', 1, requestedFileName, typeof(string))
| where requestedFileExtension in (file_ext_blocklist)
| summarize
  EventStartTime=min(TimeGenerated),
  EventEndTime=max(TimeGenerated),
  EventCount=count()
  by SrcIpAddr, SrcUsername, SrcHostname, requestedFileName, Url
| extend
  Name = iif(SrcUsername contains "@", tostring(split(SrcUsername, '@', 0)[0]), SrcUsername),
  UPNSuffix = iif(SrcUsername contains "@", tostring(split(SrcUsername, '@', 1)[0]), "")
customDetails:
  requestedFileExt: requestedFileExtension
  SrcHostname: SrcHostname
  Username: SrcUsername
id: 09c49590-4e9d-4da9-a34d-17222d0c9e7e
triggerOperator: gt
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ASimWebSession/PotentiallyHarmfulFileTypes.yaml
requiredDataConnectors:
- dataTypes:
  - SquidProxy_CL
  connectorId: SquidProxy
- dataTypes:
  - CommonSecurityLog
  connectorId: Zscaler
description: |
    'This rule identifies a web request to a URL that holds a file type, including .ps1, .bat, .vbs, and .scr that can be harmful if downloaded. This analytic rule uses [ASIM](https://aka.ms/AboutASIM) and supports any built-in or custom source that supports the ASIM WebSession schema (ASIM WebSession Schema)'
severity: Medium
queryPeriod: 10m
kind: Scheduled
tags:
- ParentAlert: https://github.com/Azure/Azure-Sentinel/blob/master/Detections/CiscoUmbrella/CiscoUmbrellaRequestBlocklistedFileType.yaml
  version: 1.0.0
- SchemaVersion: 0.2.1
  Schema: ASimWebSession
tactics:
- InitialAccess
eventGroupingSettings:
  aggregationKind: AlertPerResult
queryFrequency: 10m
query: |
  let default_file_ext_blocklist = dynamic(['.ps1', '.vbs', '.bat', '.scr']); // Update this list as per your requirement
  let custom_file_ext_blocklist=toscalar(_GetWatchlist('RiskyFileTypes')
    | extend Extension=column_ifexists("Extension", "")
    | where isnotempty(Extension)
    | summarize make_set(Extension)); // If you have an extensive list, you can also create a Watchlist that includes the file extensions you want to detect
  let file_ext_blocklist = array_concat(default_file_ext_blocklist, custom_file_ext_blocklist);
  _Im_WebSession(starttime=ago(10min), url_has_any=file_ext_blocklist, eventresult='Success')
  | extend requestedFileName=tostring(split(tostring(parse_url(Url)["Path"]), '/')[-1])
  | extend requestedFileExtension=extract(@'(\.\w+)$', 1, requestedFileName, typeof(string))
  | where requestedFileExtension in (file_ext_blocklist)
  | summarize
    EventStartTime=min(TimeGenerated),
    EventEndTime=max(TimeGenerated),
    EventCount=count()
    by SrcIpAddr, SrcUsername, SrcHostname, requestedFileName, Url
  | extend
    Name = iif(SrcUsername contains "@", tostring(split(SrcUsername, '@', 0)[0]), SrcUsername),
    UPNSuffix = iif(SrcUsername contains "@", tostring(split(SrcUsername, '@', 1)[0]), "")  
version: 1.1.3
triggerThreshold: 0
name: A client made a web request to a potentially harmful file (ASIM Web Session schema)
entityMappings:
- entityType: IP
  fieldMappings:
  - columnName: SrcIpAddr
    identifier: Address
- entityType: URL
  fieldMappings:
  - columnName: Url
    identifier: Url
- entityType: File
  fieldMappings:
  - columnName: requestedFileName
    identifier: Name
- entityType: Account
  fieldMappings:
  - columnName: SrcUsername
    identifier: FullName
  - columnName: Name
    identifier: Name
  - columnName: UPNSuffix
    identifier: UPNSuffix
relevantTechniques:
- T1189
alertDetailsOverride:
  alertDisplayNameFormat: Client {{SrcIpAddr}} accessed a URL with potentially harmful extension {{requestedFileExtension}}
  alertDescriptionFormat: The client at address {{SrcIpAddr}} accessed the URL {{Url}} that has the extension {{requestedFileExtension}}. Downloading a file with this extension may be harmful and may indicate malicious activity.
metadata:
  support:
    tier: Community
  categories:
    domains:
    - Security - Others
  author:
    name: Yaron
  source:
    kind: Community
{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "workspace": {
      "type": "String"
    }
  },
  "resources": [
    {
      "apiVersion": "2024-01-01-preview",
      "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/09c49590-4e9d-4da9-a34d-17222d0c9e7e')]",
      "kind": "Scheduled",
      "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/09c49590-4e9d-4da9-a34d-17222d0c9e7e')]",
      "properties": {
        "alertDetailsOverride": {
          "alertDescriptionFormat": "The client at address {{SrcIpAddr}} accessed the URL {{Url}} that has the extension {{requestedFileExtension}}. Downloading a file with this extension may be harmful and may indicate malicious activity.",
          "alertDisplayNameFormat": "Client {{SrcIpAddr}} accessed a URL with potentially harmful extension {{requestedFileExtension}}"
        },
        "alertRuleTemplateName": "09c49590-4e9d-4da9-a34d-17222d0c9e7e",
        "customDetails": {
          "requestedFileExt": "requestedFileExtension",
          "SrcHostname": "SrcHostname",
          "Username": "SrcUsername"
        },
        "description": "'This rule identifies a web request to a URL that holds a file type, including .ps1, .bat, .vbs, and .scr that can be harmful if downloaded. This analytic rule uses [ASIM](https://aka.ms/AboutASIM) and supports any built-in or custom source that supports the ASIM WebSession schema (ASIM WebSession Schema)'\n",
        "displayName": "A client made a web request to a potentially harmful file (ASIM Web Session schema)",
        "enabled": true,
        "entityMappings": [
          {
            "entityType": "IP",
            "fieldMappings": [
              {
                "columnName": "SrcIpAddr",
                "identifier": "Address"
              }
            ]
          },
          {
            "entityType": "URL",
            "fieldMappings": [
              {
                "columnName": "Url",
                "identifier": "Url"
              }
            ]
          },
          {
            "entityType": "File",
            "fieldMappings": [
              {
                "columnName": "requestedFileName",
                "identifier": "Name"
              }
            ]
          },
          {
            "entityType": "Account",
            "fieldMappings": [
              {
                "columnName": "SrcUsername",
                "identifier": "FullName"
              },
              {
                "columnName": "Name",
                "identifier": "Name"
              },
              {
                "columnName": "UPNSuffix",
                "identifier": "UPNSuffix"
              }
            ]
          }
        ],
        "eventGroupingSettings": {
          "aggregationKind": "AlertPerResult"
        },
        "OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ASimWebSession/PotentiallyHarmfulFileTypes.yaml",
        "query": "let default_file_ext_blocklist = dynamic(['.ps1', '.vbs', '.bat', '.scr']); // Update this list as per your requirement\nlet custom_file_ext_blocklist=toscalar(_GetWatchlist('RiskyFileTypes')\n  | extend Extension=column_ifexists(\"Extension\", \"\")\n  | where isnotempty(Extension)\n  | summarize make_set(Extension)); // If you have an extensive list, you can also create a Watchlist that includes the file extensions you want to detect\nlet file_ext_blocklist = array_concat(default_file_ext_blocklist, custom_file_ext_blocklist);\n_Im_WebSession(starttime=ago(10min), url_has_any=file_ext_blocklist, eventresult='Success')\n| extend requestedFileName=tostring(split(tostring(parse_url(Url)[\"Path\"]), '/')[-1])\n| extend requestedFileExtension=extract(@'(\\.\\w+)$', 1, requestedFileName, typeof(string))\n| where requestedFileExtension in (file_ext_blocklist)\n| summarize\n  EventStartTime=min(TimeGenerated),\n  EventEndTime=max(TimeGenerated),\n  EventCount=count()\n  by SrcIpAddr, SrcUsername, SrcHostname, requestedFileName, Url\n| extend\n  Name = iif(SrcUsername contains \"@\", tostring(split(SrcUsername, '@', 0)[0]), SrcUsername),\n  UPNSuffix = iif(SrcUsername contains \"@\", tostring(split(SrcUsername, '@', 1)[0]), \"\")\n",
        "queryFrequency": "PT10M",
        "queryPeriod": "PT10M",
        "severity": "Medium",
        "subTechniques": [],
        "suppressionDuration": "PT1H",
        "suppressionEnabled": false,
        "tactics": [
          "InitialAccess"
        ],
        "tags": [
          {
            "ParentAlert": "https://github.com/Azure/Azure-Sentinel/blob/master/Detections/CiscoUmbrella/CiscoUmbrellaRequestBlocklistedFileType.yaml",
            "version": "1.0.0"
          },
          {
            "Schema": "ASimWebSession",
            "SchemaVersion": "0.2.1"
          }
        ],
        "techniques": [
          "T1189"
        ],
        "templateVersion": "1.1.3",
        "triggerOperator": "GreaterThan",
        "triggerThreshold": 0
      },
      "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules"
    }
  ]
}