A host is potentially running PowerShell to send HTTPS requests ASIM Web Session schema
| Id | 42436753-9944-4d70-801c-daaa4d19ddd2 |
| Rulename | A host is potentially running PowerShell to send HTTP(S) requests (ASIM Web Session schema) |
| Description | This rule identifies a web request with a user agent header known to belong PowerShell. <br>You can add custom Powershell indicating User-Agent headers using a watchlist, for more information refer to the UnusualUserAgents Watchlist.<br><br> This analytic rule uses ASIM and supports any built-in or custom source that supports the ASIM WebSession schema (ASIM WebSession Schema) |
| Severity | Medium |
| Tactics | CommandAndControl DefenseEvasion Execution |
| Techniques | T1132 T1140 T1059.001 |
| Required data connectors | SquidProxy Zscaler |
| Kind | Scheduled |
| Query frequency | 15m |
| Query period | 15m |
| Trigger threshold | 0 |
| Trigger operator | gt |
| Source Uri | https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ASimWebSession/UnusualUAPowershell.yaml |
| Version | 1.1.4 |
| Arm template | 42436753-9944-4d70-801c-daaa4d19ddd2.json |
let threatCategory="Powershell";
let knownUserAgentsIndicators = materialize(externaldata(UserAgent:string, Category:string)
[ @"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Sample%20Data/Feeds/UnusualUserAgents.csv"]
with(format="csv", ignoreFirstRecord=True));
let knownUserAgents=toscalar(knownUserAgentsIndicators | where Category==threatCategory | where isnotempty(UserAgent) | summarize make_list(UserAgent));
let customUserAgents=toscalar(_GetWatchlist("UnusualUserAgents") | where SearchKey==threatCategory | extend UserAgent=column_ifexists("UserAgent","") | where isnotempty(UserAgent) | summarize make_list(UserAgent));
let fullUAList = array_concat(knownUserAgents,customUserAgents);
_Im_WebSession(httpuseragent_has_any=fullUAList)
| project SrcIpAddr, Url, TimeGenerated, HttpUserAgent, SrcUsername
| extend AccountName = tostring(split(SrcUsername, "@")[0]), AccountUPNSuffix = tostring(split(SrcUsername, "@")[1])
relevantTechniques:
- T1132
- T1140
- T1059.001
name: A host is potentially running PowerShell to send HTTP(S) requests (ASIM Web Session schema)
requiredDataConnectors:
- dataTypes:
- SquidProxy_CL
connectorId: SquidProxy
- dataTypes:
- CommonSecurityLog
connectorId: Zscaler
entityMappings:
- fieldMappings:
- identifier: Url
columnName: Url
entityType: URL
- fieldMappings:
- identifier: Address
columnName: SrcIpAddr
entityType: IP
- fieldMappings:
- identifier: FullName
columnName: SrcUsername
- identifier: Name
columnName: AccountName
- identifier: UPNSuffix
columnName: AccountUPNSuffix
entityType: Account
triggerThreshold: 0
id: 42436753-9944-4d70-801c-daaa4d19ddd2
tactics:
- CommandAndControl
- DefenseEvasion
- Execution
version: 1.1.4
customDetails:
UserAgent: HttpUserAgent
queryPeriod: 15m
alertDetailsOverride:
alertDisplayNameFormat: Host {{SrcIpAddr}} is potentially running PowerShell
alertDescriptionFormat: The host at address {{SrcIpAddr}} sent an HTTP request to the URL {{Url}} with the HTTP user agent header {{HttpUserAgent}}. This user agent is known to be used by PoerShell and indicates suspicious activity on the host.
triggerOperator: gt
kind: Scheduled
tags:
- version: 1.0.0
ParentAlert: https://github.com/Azure/Azure-Sentinel/blob/master/Detections/CiscoUmbrella/CiscoUmbrellaPowershellUserAgentDetected.yaml
- Schema: ASimWebSession
SchemaVersion: 0.2.1
eventGroupingSettings:
aggregationKind: AlertPerResult
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ASimWebSession/UnusualUAPowershell.yaml
metadata:
categories:
domains:
- Security - Threat Protection
author:
name: Yaron
support:
tier: Community
source:
kind: Community
queryFrequency: 15m
severity: Medium
description: |
'This rule identifies a web request with a user agent header known to belong PowerShell. <br>You can add custom Powershell indicating User-Agent headers using a watchlist, for more information refer to the [UnusualUserAgents Watchlist](https://aka.ms/ASimUnusualUserAgentsWatchlist).<br><br>
This analytic rule uses [ASIM](https://aka.ms/AboutASIM) and supports any built-in or custom source that supports the ASIM WebSession schema (ASIM WebSession Schema)'
query: |
let threatCategory="Powershell";
let knownUserAgentsIndicators = materialize(externaldata(UserAgent:string, Category:string)
[ @"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Sample%20Data/Feeds/UnusualUserAgents.csv"]
with(format="csv", ignoreFirstRecord=True));
let knownUserAgents=toscalar(knownUserAgentsIndicators | where Category==threatCategory | where isnotempty(UserAgent) | summarize make_list(UserAgent));
let customUserAgents=toscalar(_GetWatchlist("UnusualUserAgents") | where SearchKey==threatCategory | extend UserAgent=column_ifexists("UserAgent","") | where isnotempty(UserAgent) | summarize make_list(UserAgent));
let fullUAList = array_concat(knownUserAgents,customUserAgents);
_Im_WebSession(httpuseragent_has_any=fullUAList)
| project SrcIpAddr, Url, TimeGenerated, HttpUserAgent, SrcUsername
| extend AccountName = tostring(split(SrcUsername, "@")[0]), AccountUPNSuffix = tostring(split(SrcUsername, "@")[1])
{
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"parameters": {
"workspace": {
"type": "String"
}
},
"resources": [
{
"apiVersion": "2024-01-01-preview",
"id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/42436753-9944-4d70-801c-daaa4d19ddd2')]",
"kind": "Scheduled",
"name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/42436753-9944-4d70-801c-daaa4d19ddd2')]",
"properties": {
"alertDetailsOverride": {
"alertDescriptionFormat": "The host at address {{SrcIpAddr}} sent an HTTP request to the URL {{Url}} with the HTTP user agent header {{HttpUserAgent}}. This user agent is known to be used by PoerShell and indicates suspicious activity on the host.",
"alertDisplayNameFormat": "Host {{SrcIpAddr}} is potentially running PowerShell"
},
"alertRuleTemplateName": "42436753-9944-4d70-801c-daaa4d19ddd2",
"customDetails": {
"UserAgent": "HttpUserAgent"
},
"description": "'This rule identifies a web request with a user agent header known to belong PowerShell. <br>You can add custom Powershell indicating User-Agent headers using a watchlist, for more information refer to the [UnusualUserAgents Watchlist](https://aka.ms/ASimUnusualUserAgentsWatchlist).<br><br>\n This analytic rule uses [ASIM](https://aka.ms/AboutASIM) and supports any built-in or custom source that supports the ASIM WebSession schema (ASIM WebSession Schema)'\n",
"displayName": "A host is potentially running PowerShell to send HTTP(S) requests (ASIM Web Session schema)",
"enabled": true,
"entityMappings": [
{
"entityType": "URL",
"fieldMappings": [
{
"columnName": "Url",
"identifier": "Url"
}
]
},
{
"entityType": "IP",
"fieldMappings": [
{
"columnName": "SrcIpAddr",
"identifier": "Address"
}
]
},
{
"entityType": "Account",
"fieldMappings": [
{
"columnName": "SrcUsername",
"identifier": "FullName"
},
{
"columnName": "AccountName",
"identifier": "Name"
},
{
"columnName": "AccountUPNSuffix",
"identifier": "UPNSuffix"
}
]
}
],
"eventGroupingSettings": {
"aggregationKind": "AlertPerResult"
},
"OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ASimWebSession/UnusualUAPowershell.yaml",
"query": "let threatCategory=\"Powershell\";\nlet knownUserAgentsIndicators = materialize(externaldata(UserAgent:string, Category:string)\n [ @\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Sample%20Data/Feeds/UnusualUserAgents.csv\"]\n with(format=\"csv\", ignoreFirstRecord=True));\nlet knownUserAgents=toscalar(knownUserAgentsIndicators | where Category==threatCategory | where isnotempty(UserAgent) | summarize make_list(UserAgent));\nlet customUserAgents=toscalar(_GetWatchlist(\"UnusualUserAgents\") | where SearchKey==threatCategory | extend UserAgent=column_ifexists(\"UserAgent\",\"\") | where isnotempty(UserAgent) | summarize make_list(UserAgent));\nlet fullUAList = array_concat(knownUserAgents,customUserAgents);\n_Im_WebSession(httpuseragent_has_any=fullUAList)\n| project SrcIpAddr, Url, TimeGenerated, HttpUserAgent, SrcUsername\n| extend AccountName = tostring(split(SrcUsername, \"@\")[0]), AccountUPNSuffix = tostring(split(SrcUsername, \"@\")[1])\n",
"queryFrequency": "PT15M",
"queryPeriod": "PT15M",
"severity": "Medium",
"subTechniques": [
"T1059.001"
],
"suppressionDuration": "PT1H",
"suppressionEnabled": false,
"tactics": [
"CommandAndControl",
"DefenseEvasion",
"Execution"
],
"tags": [
{
"ParentAlert": "https://github.com/Azure/Azure-Sentinel/blob/master/Detections/CiscoUmbrella/CiscoUmbrellaPowershellUserAgentDetected.yaml",
"version": "1.0.0"
},
{
"Schema": "ASimWebSession",
"SchemaVersion": "0.2.1"
}
],
"techniques": [
"T1059",
"T1132",
"T1140"
],
"templateVersion": "1.1.4",
"triggerOperator": "GreaterThan",
"triggerThreshold": 0
},
"type": "Microsoft.OperationalInsights/workspaces/providers/alertRules"
}
]
}