Microsoft Sentinel Analytic Rules
cloudbrothers.infoAzure Sentinel RepoToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeBack to homepage

A host is potentially running a hacking tool ASIM Web Session schema

Back
Id3f0c20d5-6228-48ef-92f3-9ff7822c1954
RulenameA host is potentially running a hacking tool (ASIM Web Session schema)
DescriptionThis rule identifies a web request with a user agent header known to belong to a hacking tool. This indicates a hacking tool is used on the host.<br>You can add custom hacking tool indicating User-Agent headers using a watchlist, for more information refer to the UnusualUserAgents Watchlist.

This analytic rule uses ASIM and supports any built-in or custom source that supports the ASIM WebSession schema (ASIM WebSession Schema)
SeverityMedium
TacticsExecution
Discovery
LateralMovement
Collection
CommandAndControl
Exfiltration
TechniquesT1059
T1046
T1021
T1557
T1102
T1020
Required data connectorsSquidProxy
Zscaler
KindScheduled
Query frequency15m
Query period15m
Trigger threshold0
Trigger operatorgt
Source Urihttps://github.com/Azure/Azure-Sentinel/blob/master/Detections/ASimWebSession/UnusualUAHackTool.yaml
Version1.1.5
Arm template3f0c20d5-6228-48ef-92f3-9ff7822c1954.json
Deploy To Azure
let threatCategory="Hacking Tool";
let knownUserAgentsIndicators = materialize(externaldata(UserAgent:string, Category:string)
    [ @"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Sample%20Data/Feeds/UnusualUserAgents.csv"] 
        with(format="csv", ignoreFirstRecord=True));
let knownUserAgents=toscalar(knownUserAgentsIndicators | where Category==threatCategory | where isnotempty(UserAgent) | summarize make_list(UserAgent));
let customUserAgents=toscalar(_GetWatchlist("UnusualUserAgents") | where SearchKey==threatCategory | extend UserAgent=column_ifexists("UserAgent","") | where isnotempty(UserAgent) | summarize make_list(UserAgent));
let fullUAList = array_concat(knownUserAgents,customUserAgents);
_Im_WebSession(httpuseragent_has_any=fullUAList)
| project SrcIpAddr, Url, TimeGenerated, HttpUserAgent, SrcUsername
| extend AccountName = tostring(split(SrcUsername, "@")[0]), AccountUPNSuffix = tostring(split(SrcUsername, "@")[1])
customDetails:
  UserAgent: HttpUserAgent
id: 3f0c20d5-6228-48ef-92f3-9ff7822c1954
triggerOperator: gt
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ASimWebSession/UnusualUAHackTool.yaml
requiredDataConnectors:
- dataTypes:
  - SquidProxy_CL
  connectorId: SquidProxy
- dataTypes:
  - CommonSecurityLog
  connectorId: Zscaler
description: |
  'This rule identifies a web request with a user agent header known to belong to a hacking tool. This indicates a hacking tool is used on the host.<br>You can add custom hacking tool indicating User-Agent headers using a watchlist, for more information refer to the [UnusualUserAgents Watchlist](https://aka.ms/ASimUnusualUserAgentsWatchlist).
   This analytic rule uses [ASIM](https://aka.ms/AboutASIM) and supports any built-in or custom source that supports the ASIM WebSession schema (ASIM WebSession Schema)'  
severity: Medium
queryPeriod: 15m
kind: Scheduled
tags:
- ParentName: https://github.com/Azure/Azure-Sentinel/blob/master/Detections/CiscoUmbrella/CiscoUmbrellaHackToolUserAgentDetected.yaml
  version: 1.0.0
- SchemaVersion: 0.2.1
  Schema: ASimWebSession
tactics:
- Execution
- Discovery
- LateralMovement
- Collection
- CommandAndControl
- Exfiltration
eventGroupingSettings:
  aggregationKind: AlertPerResult
queryFrequency: 15m
query: |
  let threatCategory="Hacking Tool";
  let knownUserAgentsIndicators = materialize(externaldata(UserAgent:string, Category:string)
      [ @"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Sample%20Data/Feeds/UnusualUserAgents.csv"] 
          with(format="csv", ignoreFirstRecord=True));
  let knownUserAgents=toscalar(knownUserAgentsIndicators | where Category==threatCategory | where isnotempty(UserAgent) | summarize make_list(UserAgent));
  let customUserAgents=toscalar(_GetWatchlist("UnusualUserAgents") | where SearchKey==threatCategory | extend UserAgent=column_ifexists("UserAgent","") | where isnotempty(UserAgent) | summarize make_list(UserAgent));
  let fullUAList = array_concat(knownUserAgents,customUserAgents);
  _Im_WebSession(httpuseragent_has_any=fullUAList)
  | project SrcIpAddr, Url, TimeGenerated, HttpUserAgent, SrcUsername
  | extend AccountName = tostring(split(SrcUsername, "@")[0]), AccountUPNSuffix = tostring(split(SrcUsername, "@")[1])  
version: 1.1.5
triggerThreshold: 0
name: A host is potentially running a hacking tool (ASIM Web Session schema)
entityMappings:
- entityType: URL
  fieldMappings:
  - columnName: Url
    identifier: Url
- entityType: IP
  fieldMappings:
  - columnName: SrcIpAddr
    identifier: Address
- entityType: Account
  fieldMappings:
  - columnName: SrcUsername
    identifier: FullName
  - columnName: AccountName
    identifier: Name
  - columnName: AccountUPNSuffix
    identifier: UPNSuffix
relevantTechniques:
- T1059
- T1046
- T1021
- T1557
- T1102
- T1020
alertDetailsOverride:
  alertDisplayNameFormat: Host {{SrcIpAddr}} is potentially running a hacking tool
  alertDescriptionFormat: The host at address {{SrcIpAddr}} sent an HTTP request to the URL {{Url}} with the HTTP user agent header {{HttpUserAgent}}. This user agent is known to be used by a hacking tool and indicates suspicious activity on the host.
metadata:
  support:
    tier: Community
  categories:
    domains:
    - Security - Threat Protection
  author:
    name: Yaron
  source:
    kind: Community
{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "workspace": {
      "type": "String"
    }
  },
  "resources": [
    {
      "apiVersion": "2024-01-01-preview",
      "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/3f0c20d5-6228-48ef-92f3-9ff7822c1954')]",
      "kind": "Scheduled",
      "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/3f0c20d5-6228-48ef-92f3-9ff7822c1954')]",
      "properties": {
        "alertDetailsOverride": {
          "alertDescriptionFormat": "The host at address {{SrcIpAddr}} sent an HTTP request to the URL {{Url}} with the HTTP user agent header {{HttpUserAgent}}. This user agent is known to be used by a hacking tool and indicates suspicious activity on the host.",
          "alertDisplayNameFormat": "Host {{SrcIpAddr}} is potentially running a hacking tool"
        },
        "alertRuleTemplateName": "3f0c20d5-6228-48ef-92f3-9ff7822c1954",
        "customDetails": {
          "UserAgent": "HttpUserAgent"
        },
        "description": "'This rule identifies a web request with a user agent header known to belong to a hacking tool. This indicates a hacking tool is used on the host.<br>You can add custom hacking tool indicating User-Agent headers using a watchlist, for more information refer to the [UnusualUserAgents Watchlist](https://aka.ms/ASimUnusualUserAgentsWatchlist).\n This analytic rule uses [ASIM](https://aka.ms/AboutASIM) and supports any built-in or custom source that supports the ASIM WebSession schema (ASIM WebSession Schema)'\n",
        "displayName": "A host is potentially running a hacking tool (ASIM Web Session schema)",
        "enabled": true,
        "entityMappings": [
          {
            "entityType": "URL",
            "fieldMappings": [
              {
                "columnName": "Url",
                "identifier": "Url"
              }
            ]
          },
          {
            "entityType": "IP",
            "fieldMappings": [
              {
                "columnName": "SrcIpAddr",
                "identifier": "Address"
              }
            ]
          },
          {
            "entityType": "Account",
            "fieldMappings": [
              {
                "columnName": "SrcUsername",
                "identifier": "FullName"
              },
              {
                "columnName": "AccountName",
                "identifier": "Name"
              },
              {
                "columnName": "AccountUPNSuffix",
                "identifier": "UPNSuffix"
              }
            ]
          }
        ],
        "eventGroupingSettings": {
          "aggregationKind": "AlertPerResult"
        },
        "OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ASimWebSession/UnusualUAHackTool.yaml",
        "query": "let threatCategory=\"Hacking Tool\";\nlet knownUserAgentsIndicators = materialize(externaldata(UserAgent:string, Category:string)\n    [ @\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Sample%20Data/Feeds/UnusualUserAgents.csv\"] \n        with(format=\"csv\", ignoreFirstRecord=True));\nlet knownUserAgents=toscalar(knownUserAgentsIndicators | where Category==threatCategory | where isnotempty(UserAgent) | summarize make_list(UserAgent));\nlet customUserAgents=toscalar(_GetWatchlist(\"UnusualUserAgents\") | where SearchKey==threatCategory | extend UserAgent=column_ifexists(\"UserAgent\",\"\") | where isnotempty(UserAgent) | summarize make_list(UserAgent));\nlet fullUAList = array_concat(knownUserAgents,customUserAgents);\n_Im_WebSession(httpuseragent_has_any=fullUAList)\n| project SrcIpAddr, Url, TimeGenerated, HttpUserAgent, SrcUsername\n| extend AccountName = tostring(split(SrcUsername, \"@\")[0]), AccountUPNSuffix = tostring(split(SrcUsername, \"@\")[1])\n",
        "queryFrequency": "PT15M",
        "queryPeriod": "PT15M",
        "severity": "Medium",
        "subTechniques": [],
        "suppressionDuration": "PT1H",
        "suppressionEnabled": false,
        "tactics": [
          "Collection",
          "CommandAndControl",
          "Discovery",
          "Execution",
          "Exfiltration",
          "LateralMovement"
        ],
        "tags": [
          {
            "ParentName": "https://github.com/Azure/Azure-Sentinel/blob/master/Detections/CiscoUmbrella/CiscoUmbrellaHackToolUserAgentDetected.yaml",
            "version": "1.0.0"
          },
          {
            "Schema": "ASimWebSession",
            "SchemaVersion": "0.2.1"
          }
        ],
        "techniques": [
          "T1020",
          "T1021",
          "T1046",
          "T1059",
          "T1102",
          "T1557"
        ],
        "templateVersion": "1.1.5",
        "triggerOperator": "GreaterThan",
        "triggerThreshold": 0
      },
      "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules"
    }
  ]
}