SonicWall - Capture ATP Malicious File Detection

Back


Id	3db9f99e-a459-41e0-8e02-8b332f5fcb2c
Rulename	SonicWall - Capture ATP Malicious File Detection
Description	This rule identifies malicious file verdicts from the SonicWall Capture ATP service. This analytic rule leverages the SonicWall Firewall ASIM Network Session parser (ASimNetworkSessionSonicWallFirewall). Ref: https://www.sonicwall.com/products/capture-advanced-threat-protection/ Ref: https://www.sonicwall.com/support/knowledge-base/how-to-view-threat-reports-capture-atp/170505384715913/
Severity	Medium
Tactics	Execution
Techniques	T1204
Required data connectors	CEF SonicWallFirewall
Kind	Scheduled
Query frequency	5m
Query period	5m
Trigger threshold	0
Trigger operator	gt
Source Uri	https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/SonicWall Firewall/Analytic Rules/CaptureATPMaliciousFileDetection.yaml
Version	1.0.0
Arm template	3db9f99e-a459-41e0-8e02-8b332f5fcb2c.json

KQL

CommonSecurityLog
| where DeviceEventClassID == 1631
| extend CaptureATPVerdict = extract(@'Gateway Anti-Virus Status: (.*)\. ', 1, Message)
| where CaptureATPVerdict == "BAD"
| parse-kv AdditionalExtensions as (['susr']:string, ['fileid']:string) with (pair_delimiter=";", kv_delimiter="=")
| extend
    NetworkProtocol = toupper(iff(Protocol contains "-" and Protocol !contains "/", toupper(trim_start(@".*-", Protocol)), toupper(trim_end(@"/.*", Protocol)))),
    NetworkApplicationProtocol = tostring(toupper(trim_start(@".*/", Protocol)))
| project
    TimeGenerated,
    DeviceModel = DeviceProduct,
    SerialNumber = Computer,
    SrcIpAddr = SourceIP,
    SrcUsername = coalesce(susr, SourceUserName),
    NetworkProtocol,
    NetworkApplicationProtocol,
    RequestURL,
    File = url_decode(tostring(split(RequestURL, '/')[-1])),
    Hash = fileid,
    Verdict = CaptureATPVerdict

YAML

id: 3db9f99e-a459-41e0-8e02-8b332f5fcb2c
triggerOperator: gt
queryPeriod: 5m
tactics:
- Execution
triggerThreshold: 0
version: 1.0.0
queryFrequency: 5m
entityMappings:
- entityType: File
  fieldMappings:
  - columnName: File
    identifier: Name
- entityType: Url
  fieldMappings:
  - columnName: RequestURL
    identifier: Url
- entityType: Account
  fieldMappings:
  - columnName: SrcUsername
    identifier: FullName
- entityType: IP
  fieldMappings:
  - columnName: SrcIpAddr
    identifier: Address
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/SonicWall Firewall/Analytic Rules/CaptureATPMaliciousFileDetection.yaml
name: SonicWall - Capture ATP Malicious File Detection
requiredDataConnectors:
- dataTypes:
  - CommonSecurityLog
  connectorId: CEF
- dataTypes:
  - CommonSecurityLog
  connectorId: SonicWallFirewall
severity: Medium
relevantTechniques:
- T1204
status: Experimental
query: |
  CommonSecurityLog
  | where DeviceEventClassID == 1631
  | extend CaptureATPVerdict = extract(@'Gateway Anti-Virus Status: (.*)\. ', 1, Message)
  | where CaptureATPVerdict == "BAD"
  | parse-kv AdditionalExtensions as (['susr']:string, ['fileid']:string) with (pair_delimiter=";", kv_delimiter="=")
  | extend
      NetworkProtocol = toupper(iff(Protocol contains "-" and Protocol !contains "/", toupper(trim_start(@".*-", Protocol)), toupper(trim_end(@"/.*", Protocol)))),
      NetworkApplicationProtocol = tostring(toupper(trim_start(@".*/", Protocol)))
  | project
      TimeGenerated,
      DeviceModel = DeviceProduct,
      SerialNumber = Computer,
      SrcIpAddr = SourceIP,
      SrcUsername = coalesce(susr, SourceUserName),
      NetworkProtocol,
      NetworkApplicationProtocol,
      RequestURL,
      File = url_decode(tostring(split(RequestURL, '/')[-1])),
      Hash = fileid,
      Verdict = CaptureATPVerdict  
description: |
  'This rule identifies malicious file verdicts from the SonicWall Capture ATP service. This analytic rule leverages the SonicWall Firewall ASIM Network Session parser (ASimNetworkSessionSonicWallFirewall).
    Ref: https://www.sonicwall.com/products/capture-advanced-threat-protection/
    Ref: https://www.sonicwall.com/support/knowledge-base/how-to-view-threat-reports-capture-atp/170505384715913/'  
kind: Scheduled

ARM

{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "workspace": {
      "type": "String"
    }
  },
  "resources": [
    {
      "apiVersion": "2023-02-01-preview",
      "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/3db9f99e-a459-41e0-8e02-8b332f5fcb2c')]",
      "kind": "Scheduled",
      "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/3db9f99e-a459-41e0-8e02-8b332f5fcb2c')]",
      "properties": {
        "alertRuleTemplateName": "3db9f99e-a459-41e0-8e02-8b332f5fcb2c",
        "customDetails": null,
        "description": "'This rule identifies malicious file verdicts from the SonicWall Capture ATP service. This analytic rule leverages the SonicWall Firewall ASIM Network Session parser (ASimNetworkSessionSonicWallFirewall).\n  Ref: https://www.sonicwall.com/products/capture-advanced-threat-protection/\n  Ref: https://www.sonicwall.com/support/knowledge-base/how-to-view-threat-reports-capture-atp/170505384715913/'\n",
        "displayName": "SonicWall - Capture ATP Malicious File Detection",
        "enabled": true,
        "entityMappings": [
          {
            "entityType": "File",
            "fieldMappings": [
              {
                "columnName": "File",
                "identifier": "Name"
              }
            ]
          },
          {
            "entityType": "Url",
            "fieldMappings": [
              {
                "columnName": "RequestURL",
                "identifier": "Url"
              }
            ]
          },
          {
            "entityType": "Account",
            "fieldMappings": [
              {
                "columnName": "SrcUsername",
                "identifier": "FullName"
              }
            ]
          },
          {
            "entityType": "IP",
            "fieldMappings": [
              {
                "columnName": "SrcIpAddr",
                "identifier": "Address"
              }
            ]
          }
        ],
        "OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/SonicWall Firewall/Analytic Rules/CaptureATPMaliciousFileDetection.yaml",
        "query": "CommonSecurityLog\n| where DeviceEventClassID == 1631\n| extend CaptureATPVerdict = extract(@'Gateway Anti-Virus Status: (.*)\\. ', 1, Message)\n| where CaptureATPVerdict == \"BAD\"\n| parse-kv AdditionalExtensions as (['susr']:string, ['fileid']:string) with (pair_delimiter=\";\", kv_delimiter=\"=\")\n| extend\n    NetworkProtocol = toupper(iff(Protocol contains \"-\" and Protocol !contains \"/\", toupper(trim_start(@\".*-\", Protocol)), toupper(trim_end(@\"/.*\", Protocol)))),\n    NetworkApplicationProtocol = tostring(toupper(trim_start(@\".*/\", Protocol)))\n| project\n    TimeGenerated,\n    DeviceModel = DeviceProduct,\n    SerialNumber = Computer,\n    SrcIpAddr = SourceIP,\n    SrcUsername = coalesce(susr, SourceUserName),\n    NetworkProtocol,\n    NetworkApplicationProtocol,\n    RequestURL,\n    File = url_decode(tostring(split(RequestURL, '/')[-1])),\n    Hash = fileid,\n    Verdict = CaptureATPVerdict\n",
        "queryFrequency": "PT5M",
        "queryPeriod": "PT5M",
        "severity": "Medium",
        "status": "Experimental",
        "suppressionDuration": "PT1H",
        "suppressionEnabled": false,
        "tactics": [
          "Execution"
        ],
        "techniques": [
          "T1204"
        ],
        "templateVersion": "1.0.0",
        "triggerOperator": "GreaterThan",
        "triggerThreshold": 0
      },
      "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules"
    }
  ]
}