A client made a web request to a potentially harmful file (ASIM Web Session schema)
| Field | Value |
| --- | --- |
| Id | 09c49590-4e9d-4da9-a34d-17222d0c9e7e |
| Rulename | A client made a web request to a potentially harmful file (ASIM Web Session schema) |
| Description | This rule identifies a web request to a URL that holds a file type, including .ps1, .bat, .vbs, and .scr that can be harmful if downloaded. This rule uses the Advanced Security Information Model (ASIM) and supports any web session source that complies with ASIM. To use this Analytics Rule, deploy the Advanced Security Information Model (ASIM). This analytic rule uses ASIM and supports any built-in or custom source that supports the ASIM WebSession schema (ASIM WebSession Schema) |
| Severity | Medium |
| Tactics | InitialAccess |
| Required data connectors | SquidProxy, Zscaler |
| Kind | Scheduled |
| Query frequency | 10m |
| Query period | 10m |
| Trigger threshold | 0 |
| Trigger operator | gt |
| Source Uri | https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ASimWebSession/PotentiallyHarmfulFileTypes.yaml |
| Version | 1.1.1 |
| Arm template | 09c49590-4e9d-4da9-a34d-17222d0c9e7e.json |
// Default extension blocklist; a 'RiskyFileTypes' watchlist with an 'Extension' column extends it.
let default_file_ext_blocklist = dynamic(['.ps1', '.vbs', '.bat', '.scr']);
// _GetWatchlist fails if the watchlist does not exist; column_ifexists only tolerates a missing 'Extension' column.
let custom_file_ext_blocklist=toscalar(_GetWatchlist('RiskyFileTypes') | extend Extension=column_ifexists("Extension","") | where isnotempty(Extension) | summarize make_set(Extension));
let file_ext_blocklist = array_concat(default_file_ext_blocklist, custom_file_ext_blocklist);
// Only successful web sessions whose URL contains one of the listed extensions.
_Im_WebSession(url_has_any=file_ext_blocklist, eventresult='Success')
// Last path segment of the URL, then its trailing extension (the regex literal must be a quoted verbatim string).
| extend requestedFileName=tostring(split(tostring(parse_url(Url)["Path"]),'/')[-1])
| extend requestedFileExt=extract(@"(\.\w+)$",1,requestedFileName, typeof(string))
// Column name must match the one extended above; 'in' is case-sensitive, 'in~' would also match e.g. '.PS1'.
| where requestedFileExt in (file_ext_blocklist)
// Despite its name, NumFailedAttempts counts the successful requests selected above.
| summarize LastAttemptTime=max(TimeGenerated), NumFailedAttempts=count() by SrcIpAddr, requestedFileName, Url
| extend IPCustomEntity = SrcIpAddr, UrlCustomEntity=Url
triggerOperator: gt
id: 09c49590-4e9d-4da9-a34d-17222d0c9e7e
queryFrequency: 10m
entityMappings:
- entityType: IP
  fieldMappings:
  - columnName: IPCustomEntity
    identifier: Address
- entityType: URL
  fieldMappings:
  - columnName: UrlCustomEntity
    identifier: Url
requiredDataConnectors:
- dataTypes:
  - SquidProxy_CL
  connectorId: SquidProxy
- dataTypes:
  - CommonSecurityLog
  connectorId: Zscaler
severity: Medium
metadata:
  source:
    kind: Community
  categories:
    domains:
    - Security - Others
  support:
    tier: Community
  author:
    name: Yaron
triggerThreshold: 0
kind: Scheduled
version: 1.1.1
queryPeriod: 10m
alertDetailsOverride:
  alertDisplayNameFormat: Client {{SrcIpAddr}} accessed a URL with potentially harmful extension {{requestedFileExt}}
  alertDescriptionFormat: The client at address {{SrcIpAddr}} accessed the URL {{Url}} that has the extension {{requestedFileExt}}. Downloading a file with this extension may be harmful and may indicate malicious activity.
eventGroupingSettings:
  aggregationKind: AlertPerResult
query: |
  let default_file_ext_blocklist = dynamic(['.ps1', '.vbs', '.bat', '.scr']);
  let custom_file_ext_blocklist=toscalar(_GetWatchlist('RiskyFileTypes') | extend Extension=column_ifexists("Extension","") | where isnotempty(Extension) | summarize make_set(Extension));
  let file_ext_blocklist = array_concat(default_file_ext_blocklist, custom_file_ext_blocklist);
  _Im_WebSession(url_has_any=file_ext_blocklist, eventresult='Success')
  | extend requestedFileName=tostring(split(tostring(parse_url(Url)["Path"]),'/')[-1])
  | extend requestedFileExt=extract(@"(\.\w+)$",1,requestedFileName, typeof(string))
  | where requestedFileExt in (file_ext_blocklist)
  | summarize LastAttemptTime=max(TimeGenerated), NumFailedAttempts=count() by SrcIpAddr, requestedFileName, Url
  | extend IPCustomEntity = SrcIpAddr, UrlCustomEntity=Url
description: |
  'This rule identifies a web request to a URL that holds a file type, including .ps1, .bat, .vbs, and .scr that can be harmful if downloaded. This rule uses the [Advanced Security Information Model (ASIM)](https://aka.ms/AboutASIM) and supports any web session source that complies with ASIM. To use this Analytics Rule, deploy the Advanced Security Information Model (ASIM).
  This analytic rule uses [ASIM](https://aka.ms/AboutASIM) and supports any built-in or custom source that supports the ASIM WebSession schema (ASIM WebSession Schema)'
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ASimWebSession/PotentiallyHarmfulFileTypes.yaml
name: A client made a web request to a potentially harmful file (ASIM Web Session schema)
tactics:
- InitialAccess
customDetails:
  requestedFileExt: requestedFileExt
  Username: SrcUsername
  requestedFileName: requestedFileName
tags:
- ParentAlert: https://github.com/Azure/Azure-Sentinel/blob/master/Detections/CiscoUmbrella/CiscoUmbrellaRequestBlocklistedFileType.yaml
  version: 1.0.0
- Schema: ASimWebSession
  SchemaVersion: 0.2.1
{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "workspace": {
      "type": "String"
    }
  },
  "resources": [
    {
      "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/09c49590-4e9d-4da9-a34d-17222d0c9e7e')]",
      "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/09c49590-4e9d-4da9-a34d-17222d0c9e7e')]",
      "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
      "kind": "Scheduled",
      "apiVersion": "2022-11-01",
      "properties": {
        "displayName": "A client made a web request to a potentially harmful file (ASIM Web Session schema)",
        "description": "'This rule identifies a web request to a URL that holds a file type, including .ps1, .bat, .vbs, and .scr that can be harmful if downloaded. This rule uses the [Advanced Security Information Model (ASIM)](https://aka.ms/AboutASIM) and supports any web session source that complies with ASIM. To use this Analytics Rule, deploy the Advanced Security Information Model (ASIM).\n This analytic rule uses [ASIM](https://aka.ms/AboutASIM) and supports any built-in or custom source that supports the ASIM WebSession schema (ASIM WebSession Schema)'\n",
        "severity": "Medium",
        "enabled": true,
        "query": "let default_file_ext_blocklist = dynamic(['.ps1', '.vbs', '.bat', '.scr']);\nlet custom_file_ext_blocklist=toscalar(_GetWatchlist('RiskyFileTypes') | extend Extension=column_ifexists(\"Extension\",\"\") | where isnotempty(Extension) | summarize make_set(Extension));\nlet file_ext_blocklist = array_concat(default_file_ext_blocklist, custom_file_ext_blocklist);\n_Im_WebSession(url_has_any=file_ext_blocklist, eventresult='Success')\n| extend requestedFileName=tostring(split(tostring(parse_url(Url)[\"Path\"]),'/')[-1])\n| extend requestedFileExt=extract(@\"(\\.\\w+)$\",1,requestedFileName, typeof(string))\n| where requestedFileExt in (file_ext_blocklist)\n| summarize LastAttemptTime=max(TimeGenerated), NumFailedAttempts=count() by SrcIpAddr, requestedFileName, Url\n| extend IPCustomEntity = SrcIpAddr, UrlCustomEntity=Url\n",
        "queryFrequency": "PT10M",
        "queryPeriod": "PT10M",
        "triggerOperator": "GreaterThan",
        "triggerThreshold": 0,
        "suppressionDuration": "PT1H",
        "suppressionEnabled": false,
        "tactics": [
          "InitialAccess"
        ],
        "alertRuleTemplateName": "09c49590-4e9d-4da9-a34d-17222d0c9e7e",
        "eventGroupingSettings": {
          "aggregationKind": "AlertPerResult"
        },
        "alertDetailsOverride": {
          "alertDisplayNameFormat": "Client {{SrcIpAddr}} accessed a URL with potentially harmful extension {{requestedFileExt}}",
          "alertDescriptionFormat": "The client at address {{SrcIpAddr}} accessed the URL {{Url}} that has the extension {{requestedFileExt}}. Downloading a file with this extension may be harmful and may indicate malicious activity."
        },
        "customDetails": {
          "requestedFileExt": "requestedFileExt",
          "Username": "SrcUsername",
          "requestedFileName": "requestedFileName"
        },
        "entityMappings": [
          {
            "fieldMappings": [
              {
                "identifier": "Address",
                "columnName": "IPCustomEntity"
              }
            ],
            "entityType": "IP"
          },
          {
            "fieldMappings": [
              {
                "identifier": "Url",
                "columnName": "UrlCustomEntity"
              }
            ],
            "entityType": "URL"
          }
        ],
        "tags": [
          {
            "version": "1.0.0",
            "ParentAlert": "https://github.com/Azure/Azure-Sentinel/blob/master/Detections/CiscoUmbrella/CiscoUmbrellaRequestBlocklistedFileType.yaml"
          },
          {
            "Schema": "ASimWebSession",
            "SchemaVersion": "0.2.1"
          }
        ],
        "templateVersion": "1.1.1",
        "OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ASimWebSession/PotentiallyHarmfulFileTypes.yaml"
      }
    }
  ]
}