Detect URLs containing known malicious keywords or commands ASIM Web Session
| Id | 32c08696-2e37-4730-86f8-97d9c8b184c9 |
| Rulename | Detect URLs containing known malicious keywords or commands (ASIM Web Session) |
| Description | The presence of system commands or functions in the request URL may indicate that an attacker is trying to gain unauthorized access to the environment by exploiting a vulnerable service. |
| Severity | High |
| Tactics | InitialAccess CommandAndControl |
| Techniques | T1190 T1133 T1071 |
| Kind | Scheduled |
| Query frequency | 5m |
| Query period | 5m |
| Trigger threshold | 0 |
| Trigger operator | gt |
| Source Uri | https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Web Session Essentials/Analytic Rules/CommandInURL.yaml |
| Version | 1.0.1 |
| Arm template | 32c08696-2e37-4730-86f8-97d9c8b184c9.json |
// Lookback window; kept equal to the rule's queryPeriod/queryFrequency (5m)
// so consecutive runs neither overlap nor leave a gap.
let lookback = 5m;
// Built-in indicator list: a single-column CSV ("Commands") fetched from the
// Azure-Sentinel sample-data feed at query time and materialized once.
let RiskyCommandsInUrl = materialize(externaldata(Commands: string)
[@"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Sample%20Data/Feeds/CommandsInURL.csv"]
with(format="csv", ignoreFirstRecord=True));
// Optional analyst-maintained indicators read from the "Web_RiskyCommandsInUrl"
// watchlist; only its "Commands" column is used and empty entries are dropped.
let CustomRiskyCommandsInUrl = (_ASIM_GetWatchlistRaw("Web_RiskyCommandsInUrl") // Create new Watchlist and add your custom indicators(Optional)
| extend
Commands = tostring(WatchlistItem["Commands"])
| project Commands
| where isnotempty(Commands));
let CombinedRiskyCommandsInUrl = union RiskyCommandsInUrl, CustomRiskyCommandsInUrl;
// Collapse both sources into one dynamic array (make_set caps it at 1000
// distinct values) so it can be passed as a scalar to the parser and to
// has_any below. Indicators beyond the cap are silently not matched.
let knownRiskyCommandsInUrl=toscalar(CombinedRiskyCommandsInUrl
| where isnotempty(Commands)
| summarize make_set(Commands, 1000));
// You can add more keywords to the query as necessary, depending on the specific indicators you want to detect.
// Only events with eventresult 'Success' are parsed; denied or failed requests
// are not considered — presumably to limit noise. Adjust if blocked attempts
// should alert too.
// NOTE(review): url_has_any pre-filters the raw (still percent-encoded) Url
// inside the parser, so a keyword that only becomes visible after url_decode
// below is never reached by the decoded check — confirm this is the intended
// coverage.
_Im_WebSession (starttime=ago(lookback), eventresult='Success', url_has_any=knownRiskyCommandsInUrl)
| where isnotempty(Url)
| project Url, SrcIpAddr, SrcUsername, SrcHostname, DstIpAddr, TimeGenerated
// Decode percent-encoding so the keyword match sees the text the server would.
| extend Decoded_url = url_decode(Url)
// has_any matches whole terms, not arbitrary substrings, so an indicator
// embedded inside a longer token will not hit.
| where Decoded_url has_any (knownRiskyCommandsInUrl)
// One row per source/user/host/URL/destination tuple, with hit count and
// first/last seen times for the alert's custom details.
| summarize
EventCount=count(),
EventStartTime=min(TimeGenerated),
EventEndTime=max(TimeGenerated)
by SrcIpAddr, SrcUsername, SrcHostname, Url, Decoded_url, DstIpAddr
// Split a UPN-style username into Name / UPNSuffix for the Account entity
// mapping; a username without '@' is kept whole as Name with an empty suffix.
| extend
Name = iif(SrcUsername contains "@", tostring(split(SrcUsername, '@', 0)[0]), SrcUsername),
UPNSuffix = iif(SrcUsername contains "@", tostring(split(SrcUsername, '@', 1)[0]), "")
status: Available
queryFrequency: 5m
id: 32c08696-2e37-4730-86f8-97d9c8b184c9
tactics:
- InitialAccess
- CommandAndControl
entityMappings:
- fieldMappings:
- columnName: SrcIpAddr
identifier: Address
entityType: IP
- fieldMappings:
- columnName: DstIpAddr
identifier: Address
entityType: IP
- fieldMappings:
- columnName: Url
identifier: Url
entityType: URL
- fieldMappings:
- columnName: SrcUsername
identifier: FullName
- columnName: Name
identifier: Name
- columnName: UPNSuffix
identifier: UPNSuffix
entityType: Account
requiredDataConnectors: []
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Web Session Essentials/Analytic Rules/CommandInURL.yaml
alertDetailsOverride:
alertDisplayNameFormat: User '{{SrcUsername}}' with IP '{{SrcIpAddr}}' has been identified as making a request for URL '{{Url}}' that includes a recognizable malicious command
eventGroupingSettings:
aggregationKind: AlertPerResult
tags:
- SchemaVersion: 0.2.6
Schema: WebSession
description: |
'The presence of system commands or functions in the request URL may indicate that an attacker is trying to gain unauthorized access to the environment by exploiting a vulnerable service.'
relevantTechniques:
- T1190
- T1133
- T1071
version: 1.0.1
customDetails:
EventCount: EventCount
Decoded_url: Decoded_url
EventStartTime: EventStartTime
EventEndTime: EventEndTime
triggerThreshold: 0
queryPeriod: 5m
triggerOperator: gt
name: Detect URLs containing known malicious keywords or commands (ASIM Web Session)
severity: High
kind: Scheduled
query: |
// Lookback window; kept equal to the rule's queryPeriod/queryFrequency (5m)
// so consecutive runs neither overlap nor leave a gap.
let lookback = 5m;
// Built-in indicator list: a single-column CSV ("Commands") fetched from the
// Azure-Sentinel sample-data feed at query time and materialized once.
let RiskyCommandsInUrl = materialize(externaldata(Commands: string)
[@"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Sample%20Data/Feeds/CommandsInURL.csv"]
with(format="csv", ignoreFirstRecord=True));
// Optional analyst-maintained indicators read from the "Web_RiskyCommandsInUrl"
// watchlist; only its "Commands" column is used and empty entries are dropped.
let CustomRiskyCommandsInUrl = (_ASIM_GetWatchlistRaw("Web_RiskyCommandsInUrl") // Create new Watchlist and add your custom indicators(Optional)
| extend
Commands = tostring(WatchlistItem["Commands"])
| project Commands
| where isnotempty(Commands));
let CombinedRiskyCommandsInUrl = union RiskyCommandsInUrl, CustomRiskyCommandsInUrl;
// Collapse both sources into one dynamic array (make_set caps it at 1000
// distinct values) so it can be passed as a scalar to the parser and to
// has_any below. Indicators beyond the cap are silently not matched.
let knownRiskyCommandsInUrl=toscalar(CombinedRiskyCommandsInUrl
| where isnotempty(Commands)
| summarize make_set(Commands, 1000));
// You can add more keywords to the query as necessary, depending on the specific indicators you want to detect.
// Only events with eventresult 'Success' are parsed; denied or failed requests
// are not considered — presumably to limit noise. Adjust if blocked attempts
// should alert too.
// NOTE(review): url_has_any pre-filters the raw (still percent-encoded) Url
// inside the parser, so a keyword that only becomes visible after url_decode
// below is never reached by the decoded check — confirm this is the intended
// coverage.
_Im_WebSession (starttime=ago(lookback), eventresult='Success', url_has_any=knownRiskyCommandsInUrl)
| where isnotempty(Url)
| project Url, SrcIpAddr, SrcUsername, SrcHostname, DstIpAddr, TimeGenerated
// Decode percent-encoding so the keyword match sees the text the server would.
| extend Decoded_url = url_decode(Url)
// has_any matches whole terms, not arbitrary substrings, so an indicator
// embedded inside a longer token will not hit.
| where Decoded_url has_any (knownRiskyCommandsInUrl)
// One row per source/user/host/URL/destination tuple, with hit count and
// first/last seen times for the alert's custom details.
| summarize
EventCount=count(),
EventStartTime=min(TimeGenerated),
EventEndTime=max(TimeGenerated)
by SrcIpAddr, SrcUsername, SrcHostname, Url, Decoded_url, DstIpAddr
// Split a UPN-style username into Name / UPNSuffix for the Account entity
// mapping; a username without '@' is kept whole as Name with an empty suffix.
| extend
Name = iif(SrcUsername contains "@", tostring(split(SrcUsername, '@', 0)[0]), SrcUsername),
UPNSuffix = iif(SrcUsername contains "@", tostring(split(SrcUsername, '@', 1)[0]), "")