Microsoft Sentinel Analytic Rules

SonicWall - Capture ATP Malicious File Detection

Id: 3db9f99e-a459-41e0-8e02-8b332f5fcb2c
Rulename: SonicWall - Capture ATP Malicious File Detection
Description: This rule identifies malicious file verdicts from the SonicWall Capture ATP service. This analytic rule leverages the SonicWall Firewall ASIM Network Session parser (ASimNetworkSessionSonicWallFirewall).

Ref: https://www.sonicwall.com/products/capture-advanced-threat-protection/

Ref: https://www.sonicwall.com/support/knowledge-base/how-to-view-threat-reports-capture-atp/170505384715913/
Severity: Medium
Tactics: Execution
Techniques: T1204
Required data connectors: CefAma
Kind: Scheduled
Query frequency: 5m
Query period: 5m
Trigger threshold: 0
Trigger operator: gt
Source Uri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/SonicWall Firewall/Analytic Rules/CaptureATPMaliciousFileDetection.yaml
Version: 1.0.2
Arm template: 3db9f99e-a459-41e0-8e02-8b332f5fcb2c.json
CommonSecurityLog
| where DeviceEventClassID == 1631
| extend CaptureATPVerdict = extract(@'Gateway Anti-Virus Status: (.*)\. ', 1, Message)
| where CaptureATPVerdict == "BAD"
| parse-kv AdditionalExtensions as (['susr']:string, ['fileid']:string) with (pair_delimiter=";", kv_delimiter="=")
| extend
    NetworkProtocol = toupper(iff(Protocol contains "-" and Protocol !contains "/", toupper(trim_start(@".*-", Protocol)), toupper(trim_end(@"/.*", Protocol)))),
    NetworkApplicationProtocol = tostring(toupper(trim_start(@".*/", Protocol)))
| project
    TimeGenerated,
    DeviceModel = DeviceProduct,
    SerialNumber = Computer,
    SrcIpAddr = SourceIP,
    SrcUsername = coalesce(susr, SourceUserName),
    NetworkProtocol,
    NetworkApplicationProtocol,
    RequestURL,
    File = url_decode(tostring(split(RequestURL, '/')[-1])),
    Hash = fileid,
    Verdict = CaptureATPVerdict
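To show what the query above actually does to a CommonSecurityLog row, here is an added Python re-implementation of its filtering and field extraction, run over a few constructed records. This is example code written for this page, not part of the Azure-Sentinel repository or the SonicWall solution; the function names (evaluate, run_rule, normalize_protocol, parse_kv), the record layout in SAMPLE_EVENTS and the serial number and hash placeholders are all assumptions made for the demonstration.

```python
"""Python mirror of the Capture ATP KQL rule, run over constructed CommonSecurityLog-like
records. Example code for illustration; not the Azure-Sentinel project's own code."""
import re
from urllib.parse import unquote

# Same pattern the rule passes to extract(); capture group 1 is the verdict.
VERDICT_RE = re.compile(r"Gateway Anti-Virus Status: (.*)\. ")
CAPTURE_ATP_EVENT_CLASS = 1631  # DeviceEventClassID the rule filters on


def parse_kv(extensions: str, pair_delimiter: str = ";", kv_delimiter: str = "=") -> dict:
    """Equivalent of the rule's parse-kv over AdditionalExtensions."""
    parsed = {}
    for pair in extensions.split(pair_delimiter):
        if kv_delimiter in pair:
            key, value = pair.split(kv_delimiter, 1)
            parsed[key.strip()] = value.strip()
    return parsed


def normalize_protocol(protocol: str) -> tuple:
    """Mirror the NetworkProtocol / NetworkApplicationProtocol expressions of the rule."""
    if "-" in protocol and "/" not in protocol:
        network = re.sub(r"^.*-", "", protocol)   # trim_start(@".*-", Protocol)
    else:
        network = re.sub(r"/.*$", "", protocol)   # trim_end(@"/.*", Protocol)
    application = re.sub(r"^.*/", "", protocol)   # trim_start(@".*/", Protocol)
    return network.upper(), application.upper()


def evaluate(record: dict):
    """Return the projected alert row for one record, or None when the rule would not match it."""
    if record["DeviceEventClassID"] != CAPTURE_ATP_EVENT_CLASS:
        return None
    match = VERDICT_RE.search(record["Message"])
    verdict = match.group(1) if match else ""
    if verdict != "BAD":
        return None
    ext = parse_kv(record.get("AdditionalExtensions", ""))
    network, application = normalize_protocol(record["Protocol"])
    request_url = record["RequestURL"]
    return {
        "TimeGenerated": record["TimeGenerated"],
        "DeviceModel": record["DeviceProduct"],
        "SerialNumber": record["Computer"],
        "SrcIpAddr": record["SourceIP"],
        # coalesce(susr, SourceUserName): first non-empty string wins
        "SrcUsername": ext.get("susr") or record.get("SourceUserName", ""),
        "NetworkProtocol": network,
        "NetworkApplicationProtocol": application,
        "RequestURL": request_url,
        # url_decode(tostring(split(RequestURL, '/')[-1]))
        "File": unquote(request_url.split("/")[-1]),
        "Hash": ext.get("fileid", ""),
        "Verdict": verdict,
    }


def run_rule(events: list) -> list:
    """Rows the scheduled rule would emit; with triggerThreshold 0 / gt, any row raises an alert."""
    return [row for row in map(evaluate, events) if row]


# Constructed sample records (not real SonicWall telemetry); field values are placeholders.
_BASE = {
    "TimeGenerated": "2024-01-01T00:00:00Z",
    "DeviceEventClassID": 1631,
    "DeviceProduct": "SonicWall Firewall",
    "Computer": "SERIAL-PLACEHOLDER",
    "SourceIP": "10.0.0.25",
    "SourceUserName": "",
    "Protocol": "tcp/https",
    "RequestURL": "https://downloads.example.com/files/invoice%20Q3.exe",
    "AdditionalExtensions": "susr=jdoe;fileid=HASH-PLACEHOLDER",
}
SAMPLE_EVENTS = [
    dict(_BASE, Message="Gateway Anti-Virus Status: BAD. Capture ATP verdict"),    # fires
    dict(_BASE, Message="Gateway Anti-Virus Status: GOOD. Capture ATP verdict"),   # benign verdict
    dict(_BASE, DeviceEventClassID=1632,
         Message="Gateway Anti-Virus Status: BAD. Capture ATP verdict"),           # other event class
]

if __name__ == "__main__":
    for row in run_rule(SAMPLE_EVENTS):
        print(row)
```

One point worth checking when tuning this rule: the extraction pattern is greedy, so `(.*)\. ` captures up to the last ". " in the message. A message that contains a second sentence ending in ". " after the verdict would yield a capture such as "BAD. Sent to Capture ATP", which fails the `== "BAD"` comparison and silently drops the event; the example's evaluate() reproduces that behaviour so it can be tested against the message formats your firewalls actually send.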
queryPeriod: 5m
query: |
  CommonSecurityLog
  | where DeviceEventClassID == 1631
  | extend CaptureATPVerdict = extract(@'Gateway Anti-Virus Status: (.*)\. ', 1, Message)
  | where CaptureATPVerdict == "BAD"
  | parse-kv AdditionalExtensions as (['susr']:string, ['fileid']:string) with (pair_delimiter=";", kv_delimiter="=")
  | extend
      NetworkProtocol = toupper(iff(Protocol contains "-" and Protocol !contains "/", toupper(trim_start(@".*-", Protocol)), toupper(trim_end(@"/.*", Protocol)))),
      NetworkApplicationProtocol = tostring(toupper(trim_start(@".*/", Protocol)))
  | project
      TimeGenerated,
      DeviceModel = DeviceProduct,
      SerialNumber = Computer,
      SrcIpAddr = SourceIP,
      SrcUsername = coalesce(susr, SourceUserName),
      NetworkProtocol,
      NetworkApplicationProtocol,
      RequestURL,
      File = url_decode(tostring(split(RequestURL, '/')[-1])),
      Hash = fileid,
      Verdict = CaptureATPVerdict  
name: SonicWall - Capture ATP Malicious File Detection
entityMappings:
- fieldMappings:
  - columnName: File
    identifier: Name
  entityType: File
- fieldMappings:
  - columnName: RequestURL
    identifier: Url
  entityType: Url
- fieldMappings:
  - columnName: SrcUsername
    identifier: FullName
  entityType: Account
- fieldMappings:
  - columnName: SrcIpAddr
    identifier: Address
  entityType: IP
queryFrequency: 5m
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/SonicWall Firewall/Analytic Rules/CaptureATPMaliciousFileDetection.yaml
requiredDataConnectors:
- connectorId: CefAma
  dataTypes:
  - CommonSecurityLog
description: |
  'This rule identifies malicious file verdicts from the SonicWall Capture ATP service. This analytic rule leverages the SonicWall Firewall ASIM Network Session parser (ASimNetworkSessionSonicWallFirewall).
    Ref: https://www.sonicwall.com/products/capture-advanced-threat-protection/
    Ref: https://www.sonicwall.com/support/knowledge-base/how-to-view-threat-reports-capture-atp/170505384715913/'  
kind: Scheduled
version: 1.0.2
status: Experimental
severity: Medium
relevantTechniques:
- T1204
triggerOperator: gt
triggerThreshold: 0
tactics:
- Execution
id: 3db9f99e-a459-41e0-8e02-8b332f5fcb2c