Microsoft Sentinel Analytic Rules

SonicWall - Capture ATP Malicious File Detection

Id: 3db9f99e-a459-41e0-8e02-8b332f5fcb2c
Rulename: SonicWall - Capture ATP Malicious File Detection
Description: This rule identifies malicious file verdicts from the SonicWall Capture ATP service. This analytic rule leverages the SonicWall Firewall ASIM Network Session parser (ASimNetworkSessionSonicWallFirewall).

Ref: https://www.sonicwall.com/products/capture-advanced-threat-protection/

Ref: https://www.sonicwall.com/support/knowledge-base/how-to-view-threat-reports-capture-atp/170505384715913/
Severity: Medium
Tactics: Execution
Techniques: T1204
Required data connectors: CEF
CefAma
SonicWallFirewall
Kind: Scheduled
Query frequency: 5m
Query period: 5m
Trigger threshold: 0
Trigger operator: gt
Source Uri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/SonicWall Firewall/Analytic Rules/CaptureATPMaliciousFileDetection.yaml
Version: 1.0.1
Arm template: 3db9f99e-a459-41e0-8e02-8b332f5fcb2c.json
// Flags files that SonicWall Capture ATP rated malicious: CEF events with DeviceEventClassID 1631
// whose "Gateway Anti-Virus Status" is BAD. The projected columns feed the rule's
// File / Url / Account / IP entity mappings.
CommonSecurityLog
| where DeviceEventClassID == 1631
// The verdict is captured from the free-text Message after "Gateway Anti-Virus Status:".
// NOTE(review): the capture group is greedy up to the last ". " in Message; should a message
// carry further sentences, the captured text will not equal "BAD" and the event is silently
// dropped — confirm the message format before relying on this filter.
| extend Verdict = extract(@'Gateway Anti-Virus Status: (.*)\. ', 1, Message)
| where Verdict == "BAD"
// Source user (susr) and file hash (fileid) arrive as ";"-separated key=value pairs.
| parse-kv AdditionalExtensions as (['susr']:string, ['fileid']:string) with (pair_delimiter=";", kv_delimiter="=")
// A Protocol value with a "-" but no "/" keeps the text after its last "-"; any other value keeps
// the text before its "/". toupper() already returns a string, so no extra tostring()/toupper()
// wrapping is required.
| extend DashedProtocol = Protocol contains "-" and Protocol !contains "/"
| extend
    NetworkProtocol = iff(DashedProtocol, toupper(trim_start(@".*-", Protocol)), toupper(trim_end(@"/.*", Protocol))),
    NetworkApplicationProtocol = toupper(trim_start(@".*/", Protocol))
| project
    TimeGenerated,
    DeviceModel = DeviceProduct,
    SerialNumber = Computer,
    SrcIpAddr = SourceIP,
    SrcUsername = coalesce(susr, SourceUserName),  // prefer the vendor-supplied user, fall back to the CEF header field
    NetworkProtocol,
    NetworkApplicationProtocol,
    RequestURL,
    File = url_decode(tostring(split(RequestURL, '/')[-1])),  // last path segment of the request URL
    Hash = fileid,
    Verdict
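---
# Microsoft Sentinel scheduled analytic rule: SonicWall Capture ATP malicious file verdicts.
# Keys are grouped by purpose (identity, connectors, schedule/trigger, ATT&CK, query, entities);
# YAML mappings are unordered, so the grouping is for readability only.
id: 3db9f99e-a459-41e0-8e02-8b332f5fcb2c
name: SonicWall - Capture ATP Malicious File Detection
# NOTE(review): the description cites the ASIM Network Session parser, but the query below reads
# CommonSecurityLog directly; confirm which is intended before relying on the parser's normalisation.
# The surrounding single quotes previously embedded in this block scalar were part of the value
# (they showed up verbatim in the deployed rule) and have been dropped.
description: |
  This rule identifies malicious file verdicts from the SonicWall Capture ATP service. This analytic rule leverages the SonicWall Firewall ASIM Network Session parser (ASimNetworkSessionSonicWallFirewall).
    Ref: https://www.sonicwall.com/products/capture-advanced-threat-protection/
    Ref: https://www.sonicwall.com/support/knowledge-base/how-to-view-threat-reports-capture-atp/170505384715913/
severity: Medium
status: Experimental
version: 1.0.1
kind: Scheduled
OriginalUri: 'https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/SonicWall Firewall/Analytic Rules/CaptureATPMaliciousFileDetection.yaml'

# All three connectors deliver CEF events into the same CommonSecurityLog table the query reads.
requiredDataConnectors:
  - connectorId: CEF
    dataTypes:
      - CommonSecurityLog
  - connectorId: SonicWallFirewall
    dataTypes:
      - CommonSecurityLog
  - connectorId: CefAma
    dataTypes:
      - CommonSecurityLog

# Frequency equals period, so consecutive 5-minute windows are adjacent rather than overlapping.
queryFrequency: 5m
queryPeriod: 5m
# Fire whenever the query returns at least one row (row count > 0).
triggerOperator: gt
triggerThreshold: 0

tactics:
  - Execution
relevantTechniques:
  - T1204

# Matches DeviceEventClassID 1631 events whose Gateway Anti-Virus status is "BAD" and projects
# the columns referenced by entityMappings below.
query: |
  CommonSecurityLog
  | where DeviceEventClassID == 1631
  | extend CaptureATPVerdict = extract(@'Gateway Anti-Virus Status: (.*)\. ', 1, Message)
  | where CaptureATPVerdict == "BAD"
  | parse-kv AdditionalExtensions as (['susr']:string, ['fileid']:string) with (pair_delimiter=";", kv_delimiter="=")
  | extend
      NetworkProtocol = toupper(iff(Protocol contains "-" and Protocol !contains "/", toupper(trim_start(@".*-", Protocol)), toupper(trim_end(@"/.*", Protocol)))),
      NetworkApplicationProtocol = tostring(toupper(trim_start(@".*/", Protocol)))
  | project
      TimeGenerated,
      DeviceModel = DeviceProduct,
      SerialNumber = Computer,
      SrcIpAddr = SourceIP,
      SrcUsername = coalesce(susr, SourceUserName),
      NetworkProtocol,
      NetworkApplicationProtocol,
      RequestURL,
      File = url_decode(tostring(split(RequestURL, '/')[-1])),
      Hash = fileid,
      Verdict = CaptureATPVerdict

# Every columnName here must be a column emitted by the query's project clause.
entityMappings:
  - entityType: File
    fieldMappings:
      - identifier: Name
        columnName: File
  - entityType: Url
    fieldMappings:
      - identifier: Url
        columnName: RequestURL
  - entityType: Account
    fieldMappings:
      - identifier: FullName
        columnName: SrcUsername
  - entityType: IP
    fieldMappings:
      - identifier: Address
        columnName: SrcIpAddr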
{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "workspace": {
      "type": "String"
    }
  },
  "resources": [
    {
      "apiVersion": "2024-01-01-preview",
      "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/3db9f99e-a459-41e0-8e02-8b332f5fcb2c')]",
      "kind": "Scheduled",
      "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/3db9f99e-a459-41e0-8e02-8b332f5fcb2c')]",
      "properties": {
        "alertRuleTemplateName": "3db9f99e-a459-41e0-8e02-8b332f5fcb2c",
        "customDetails": null,
        "description": "This rule identifies malicious file verdicts from the SonicWall Capture ATP service. This analytic rule leverages the SonicWall Firewall ASIM Network Session parser (ASimNetworkSessionSonicWallFirewall).\n  Ref: https://www.sonicwall.com/products/capture-advanced-threat-protection/\n  Ref: https://www.sonicwall.com/support/knowledge-base/how-to-view-threat-reports-capture-atp/170505384715913/\n",
        "displayName": "SonicWall - Capture ATP Malicious File Detection",
        "enabled": true,
        "entityMappings": [
          {
            "entityType": "File",
            "fieldMappings": [
              {
                "columnName": "File",
                "identifier": "Name"
              }
            ]
          },
          {
            "entityType": "Url",
            "fieldMappings": [
              {
                "columnName": "RequestURL",
                "identifier": "Url"
              }
            ]
          },
          {
            "entityType": "Account",
            "fieldMappings": [
              {
                "columnName": "SrcUsername",
                "identifier": "FullName"
              }
            ]
          },
          {
            "entityType": "IP",
            "fieldMappings": [
              {
                "columnName": "SrcIpAddr",
                "identifier": "Address"
              }
            ]
          }
        ],
        "OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/SonicWall Firewall/Analytic Rules/CaptureATPMaliciousFileDetection.yaml",
        "query": "CommonSecurityLog\n| where DeviceEventClassID == 1631\n| extend CaptureATPVerdict = extract(@'Gateway Anti-Virus Status: (.*)\\. ', 1, Message)\n| where CaptureATPVerdict == \"BAD\"\n| parse-kv AdditionalExtensions as (['susr']:string, ['fileid']:string) with (pair_delimiter=\";\", kv_delimiter=\"=\")\n| extend\n    NetworkProtocol = toupper(iff(Protocol contains \"-\" and Protocol !contains \"/\", toupper(trim_start(@\".*-\", Protocol)), toupper(trim_end(@\"/.*\", Protocol)))),\n    NetworkApplicationProtocol = tostring(toupper(trim_start(@\".*/\", Protocol)))\n| project\n    TimeGenerated,\n    DeviceModel = DeviceProduct,\n    SerialNumber = Computer,\n    SrcIpAddr = SourceIP,\n    SrcUsername = coalesce(susr, SourceUserName),\n    NetworkProtocol,\n    NetworkApplicationProtocol,\n    RequestURL,\n    File = url_decode(tostring(split(RequestURL, '/')[-1])),\n    Hash = fileid,\n    Verdict = CaptureATPVerdict\n",
        "queryFrequency": "PT5M",
        "queryPeriod": "PT5M",
        "severity": "Medium",
        "status": "Experimental",
        "subTechniques": [],
        "suppressionDuration": "PT1H",
        "suppressionEnabled": false,
        "tactics": [
          "Execution"
        ],
        "techniques": [
          "T1204"
        ],
        "templateVersion": "1.0.1",
        "triggerOperator": "GreaterThan",
        "triggerThreshold": 0
      },
      "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules"
    }
  ]
}