Microsoft Sentinel Analytic Rules
cloudbrothers.infoAzure Sentinel RepoToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeBack to homepage

Detect URLs containing known malicious keywords or commands ASIM Web Session

Back
Id32c08696-2e37-4730-86f8-97d9c8b184c9
RulenameDetect URLs containing known malicious keywords or commands (ASIM Web Session)
DescriptionThe utilization of system commands or functions in the request URL may suggest that an attacker is trying to gain unauthorized access to the environment by exploiting a vulnerable service.
SeverityHigh
TacticsInitialAccess
CommandAndControl
TechniquesT1190
T1133
T1071
KindScheduled
Query frequency5m
Query period5m
Trigger threshold0
Trigger operatorgt
Source Urihttps://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Web Session Essentials/Analytic Rules/CommandInURL.yaml
Version1.0.1
Arm template32c08696-2e37-4730-86f8-97d9c8b184c9.json
Deploy To Azure
let lookback = 5m;
let RiskyCommandsInUrl = materialize(externaldata(Commands: string)
    [@"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Sample%20Data/Feeds/CommandsInURL.csv"]
    with(format="csv", ignoreFirstRecord=True));
let CustomRiskyCommandsInUrl = (_ASIM_GetWatchlistRaw("Web_RiskyCommandsInUrl") // Create new Watchlist and add your custom indicators(Optional)
    | extend
        Commands = tostring(WatchlistItem["Commands"])
    | project Commands
    | where isnotempty(Commands));
let CombinedRiskyCommandsInUrl = union RiskyCommandsInUrl, CustomRiskyCommandsInUrl;
let knownRiskyCommandsInUrl=toscalar(CombinedRiskyCommandsInUrl
    | where isnotempty(Commands)
    | summarize make_set(Commands, 1000));
// You can add more keywords to the query as necessary, depending on the specific indicators you want to detect.
_Im_WebSession (starttime=ago(lookback), eventresult='Success', url_has_any=knownRiskyCommandsInUrl)
| where isnotempty(Url)
| project Url, SrcIpAddr, SrcUsername, SrcHostname, DstIpAddr, TimeGenerated
| extend Decoded_url = url_decode(Url)
| where Decoded_url has_any (knownRiskyCommandsInUrl)
| summarize
    EventCount=count(),
    EventStartTime=min(TimeGenerated),
    EventEndTime=max(TimeGenerated)
    by SrcIpAddr, SrcUsername, SrcHostname, Url, Decoded_url, DstIpAddr
| extend
    Name = iif(SrcUsername contains "@", tostring(split(SrcUsername, '@', 0)[0]), SrcUsername),
    UPNSuffix = iif(SrcUsername contains "@", tostring(split(SrcUsername, '@', 1)[0]), "")
customDetails:
  Decoded_url: Decoded_url
  EventEndTime: EventEndTime
  EventCount: EventCount
  EventStartTime: EventStartTime
name: Detect URLs containing known malicious keywords or commands (ASIM Web Session)
status: Available
triggerThreshold: 0
severity: High
tactics:
- InitialAccess
- CommandAndControl
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Web Session Essentials/Analytic Rules/CommandInURL.yaml
entityMappings:
- entityType: IP
  fieldMappings:
  - columnName: SrcIpAddr
    identifier: Address
- entityType: IP
  fieldMappings:
  - columnName: DstIpAddr
    identifier: Address
- entityType: URL
  fieldMappings:
  - columnName: Url
    identifier: Url
- entityType: Account
  fieldMappings:
  - columnName: SrcUsername
    identifier: FullName
  - columnName: Name
    identifier: Name
  - columnName: UPNSuffix
    identifier: UPNSuffix
queryPeriod: 5m
queryFrequency: 5m
version: 1.0.1
triggerOperator: gt
description: |
    'The utilization of system commands or functions in the request URL may suggest that an attacker is trying to gain unauthorized access to the environment by exploiting a vulnerable service.'
query: |
  let lookback = 5m;
  let RiskyCommandsInUrl = materialize(externaldata(Commands: string)
      [@"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Sample%20Data/Feeds/CommandsInURL.csv"]
      with(format="csv", ignoreFirstRecord=True));
  let CustomRiskyCommandsInUrl = (_ASIM_GetWatchlistRaw("Web_RiskyCommandsInUrl") // Create new Watchlist and add your custom indicators(Optional)
      | extend
          Commands = tostring(WatchlistItem["Commands"])
      | project Commands
      | where isnotempty(Commands));
  let CombinedRiskyCommandsInUrl = union RiskyCommandsInUrl, CustomRiskyCommandsInUrl;
  let knownRiskyCommandsInUrl=toscalar(CombinedRiskyCommandsInUrl
      | where isnotempty(Commands)
      | summarize make_set(Commands, 1000));
  // You can add more keywords to the query as necessary, depending on the specific indicators you want to detect.
  _Im_WebSession (starttime=ago(lookback), eventresult='Success', url_has_any=knownRiskyCommandsInUrl)
  | where isnotempty(Url)
  | project Url, SrcIpAddr, SrcUsername, SrcHostname, DstIpAddr, TimeGenerated
  | extend Decoded_url = url_decode(Url)
  | where Decoded_url has_any (knownRiskyCommandsInUrl)
  | summarize
      EventCount=count(),
      EventStartTime=min(TimeGenerated),
      EventEndTime=max(TimeGenerated)
      by SrcIpAddr, SrcUsername, SrcHostname, Url, Decoded_url, DstIpAddr
  | extend
      Name = iif(SrcUsername contains "@", tostring(split(SrcUsername, '@', 0)[0]), SrcUsername),
      UPNSuffix = iif(SrcUsername contains "@", tostring(split(SrcUsername, '@', 1)[0]), "")  
relevantTechniques:
- T1190
- T1133
- T1071
tags:
- Schema: WebSession
  SchemaVersion: 0.2.6
id: 32c08696-2e37-4730-86f8-97d9c8b184c9
requiredDataConnectors: []
eventGroupingSettings:
  aggregationKind: AlertPerResult
alertDetailsOverride:
  alertDisplayNameFormat: User '{{SrcUsername}}' with IP '{{SrcIpAddr}}' has been identified as making request for URL '{{Url}}' that includes a recognizable malicious command
kind: Scheduled
{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "workspace": {
      "type": "String"
    }
  },
  "resources": [
    {
      "apiVersion": "2023-02-01-preview",
      "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/32c08696-2e37-4730-86f8-97d9c8b184c9')]",
      "kind": "Scheduled",
      "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/32c08696-2e37-4730-86f8-97d9c8b184c9')]",
      "properties": {
        "alertDetailsOverride": {
          "alertDisplayNameFormat": "User '{{SrcUsername}}' with IP '{{SrcIpAddr}}' has been identified as making request for URL '{{Url}}' that includes a recognizable malicious command"
        },
        "alertRuleTemplateName": "32c08696-2e37-4730-86f8-97d9c8b184c9",
        "customDetails": {
          "Decoded_url": "Decoded_url",
          "EventCount": "EventCount",
          "EventEndTime": "EventEndTime",
          "EventStartTime": "EventStartTime"
        },
        "description": "'The utilization of system commands or functions in the request URL may suggest that an attacker is trying to gain unauthorized access to the environment by exploiting a vulnerable service.'\n",
        "displayName": "Detect URLs containing known malicious keywords or commands (ASIM Web Session)",
        "enabled": true,
        "entityMappings": [
          {
            "entityType": "IP",
            "fieldMappings": [
              {
                "columnName": "SrcIpAddr",
                "identifier": "Address"
              }
            ]
          },
          {
            "entityType": "IP",
            "fieldMappings": [
              {
                "columnName": "DstIpAddr",
                "identifier": "Address"
              }
            ]
          },
          {
            "entityType": "URL",
            "fieldMappings": [
              {
                "columnName": "Url",
                "identifier": "Url"
              }
            ]
          },
          {
            "entityType": "Account",
            "fieldMappings": [
              {
                "columnName": "SrcUsername",
                "identifier": "FullName"
              },
              {
                "columnName": "Name",
                "identifier": "Name"
              },
              {
                "columnName": "UPNSuffix",
                "identifier": "UPNSuffix"
              }
            ]
          }
        ],
        "eventGroupingSettings": {
          "aggregationKind": "AlertPerResult"
        },
        "OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Web Session Essentials/Analytic Rules/CommandInURL.yaml",
        "query": "let lookback = 5m;\nlet RiskyCommandsInUrl = materialize(externaldata(Commands: string)\n    [@\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Sample%20Data/Feeds/CommandsInURL.csv\"]\n    with(format=\"csv\", ignoreFirstRecord=True));\nlet CustomRiskyCommandsInUrl = (_ASIM_GetWatchlistRaw(\"Web_RiskyCommandsInUrl\") // Create new Watchlist and add your custom indicators(Optional)\n    | extend\n        Commands = tostring(WatchlistItem[\"Commands\"])\n    | project Commands\n    | where isnotempty(Commands));\nlet CombinedRiskyCommandsInUrl = union RiskyCommandsInUrl, CustomRiskyCommandsInUrl;\nlet knownRiskyCommandsInUrl=toscalar(CombinedRiskyCommandsInUrl\n    | where isnotempty(Commands)\n    | summarize make_set(Commands, 1000));\n// You can add more keywords to the query as necessary, depending on the specific indicators you want to detect.\n_Im_WebSession (starttime=ago(lookback), eventresult='Success', url_has_any=knownRiskyCommandsInUrl)\n| where isnotempty(Url)\n| project Url, SrcIpAddr, SrcUsername, SrcHostname, DstIpAddr, TimeGenerated\n| extend Decoded_url = url_decode(Url)\n| where Decoded_url has_any (knownRiskyCommandsInUrl)\n| summarize\n    EventCount=count(),\n    EventStartTime=min(TimeGenerated),\n    EventEndTime=max(TimeGenerated)\n    by SrcIpAddr, SrcUsername, SrcHostname, Url, Decoded_url, DstIpAddr\n| extend\n    Name = iif(SrcUsername contains \"@\", tostring(split(SrcUsername, '@', 0)[0]), SrcUsername),\n    UPNSuffix = iif(SrcUsername contains \"@\", tostring(split(SrcUsername, '@', 1)[0]), \"\")\n",
        "queryFrequency": "PT5M",
        "queryPeriod": "PT5M",
        "severity": "High",
        "status": "Available",
        "suppressionDuration": "PT1H",
        "suppressionEnabled": false,
        "tactics": [
          "CommandAndControl",
          "InitialAccess"
        ],
        "tags": [
          {
            "Schema": "WebSession",
            "SchemaVersion": "0.2.6"
          }
        ],
        "techniques": [
          "T1071",
          "T1133",
          "T1190"
        ],
        "templateVersion": "1.0.1",
        "triggerOperator": "GreaterThan",
        "triggerThreshold": 0
      },
      "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules"
    }
  ]
}