Microsoft Sentinel Analytic Rules
cloudbrothers.infoAzure Sentinel RepoToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeBack to homepage

Detect known risky user agents ASIM Web Session

Back
Id6a4dbcf8-f5e2-4b33-b34f-2db6487613f0
RulenameDetect known risky user agents (ASIM Web Session)
DescriptionThis rule is designed to flag web requests that contain a user agent header that is recognized as malicious. It relies on a predefined list of known user agents, which is referenced from a specific CSV file
SeverityMedium
TacticsInitialAccess
CommandAndControl
TechniquesT1190
T1133
T1071
KindScheduled
Query frequency5m
Query period5m
Trigger threshold0
Trigger operatorgt
Source Urihttps://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Web Session Essentials/Analytic Rules/KnownMaliciousUserAgents.yaml
Version1.0.0
Arm template6a4dbcf8-f5e2-4b33-b34f-2db6487613f0.json
Deploy To Azure
let lookback = 5m;
let knownUserAgentsIndicators = materialize(externaldata(UserAgent: string, UserAgentCategory: string)
  [@"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Sample%20Data/Feeds/UnusualUserAgents.csv"] 
  with(format="csv", ignoreFirstRecord=True)
  | extend joiner = 1);
let CustomUserAgentIndicators = (_ASIM_GetWatchlistRaw("UnusualUserAgents") // Create new Watchlist and add your custom indicators(Optional)
  | extend
      UserAgent = tostring(WatchlistItem["UserAgent"]),
      UserAgentCategory = tostring(WatchlistItem["UserAgentCategory"])
  | project UserAgent, UserAgentCategory, joiner = 1
  | where isnotempty(UserAgent) and isnotempty(UserAgentCategory));
let CombinedUAList = union knownUserAgentsIndicators, CustomUserAgentIndicators;
let knownUserAgents=toscalar(CombinedUAList
  | where isnotempty(UserAgent)
  | summarize make_list(UserAgent, 1000));
_Im_WebSession (starttime=ago(lookback), httpuseragent_has_any=knownUserAgents)
| project SrcIpAddr, SrcUsername, SrcHostname, HttpUserAgent, Url, DstIpAddr, DstPortNumber, TimeGenerated
| extend joiner = 1
| join kind=inner CombinedUAList on joiner
| where HttpUserAgent has UserAgent
| summarize
  EventCount=count(),
  EventStartTime = min(TimeGenerated),
  EventEndTime=max(TimeGenerated)
  by SrcIpAddr, SrcUsername, SrcHostname, Url, HttpUserAgent, DstIpAddr, DstPortNumber, UserAgentCategory
| extend Name = iif(SrcUsername contains "@", tostring(split(SrcUsername,'@',0)[0]),SrcUsername), UPNSuffix = iif(SrcUsername contains "@",tostring(split(SrcUsername,'@',1)[0]),"")
version: 1.0.0
name: Detect known risky user agents (ASIM Web Session)
triggerOperator: gt
status: Available
relevantTechniques:
- T1190
- T1133
- T1071
query: |
  let lookback = 5m;
  let knownUserAgentsIndicators = materialize(externaldata(UserAgent: string, UserAgentCategory: string)
    [@"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Sample%20Data/Feeds/UnusualUserAgents.csv"] 
    with(format="csv", ignoreFirstRecord=True)
    | extend joiner = 1);
  let CustomUserAgentIndicators = (_ASIM_GetWatchlistRaw("UnusualUserAgents") // Create new Watchlist and add your custom indicators(Optional)
    | extend
        UserAgent = tostring(WatchlistItem["UserAgent"]),
        UserAgentCategory = tostring(WatchlistItem["UserAgentCategory"])
    | project UserAgent, UserAgentCategory, joiner = 1
    | where isnotempty(UserAgent) and isnotempty(UserAgentCategory));
  let CombinedUAList = union knownUserAgentsIndicators, CustomUserAgentIndicators;
  let knownUserAgents=toscalar(CombinedUAList
    | where isnotempty(UserAgent)
    | summarize make_list(UserAgent, 1000));
  _Im_WebSession (starttime=ago(lookback), httpuseragent_has_any=knownUserAgents)
  | project SrcIpAddr, SrcUsername, SrcHostname, HttpUserAgent, Url, DstIpAddr, DstPortNumber, TimeGenerated
  | extend joiner = 1
  | join kind=inner CombinedUAList on joiner
  | where HttpUserAgent has UserAgent
  | summarize
    EventCount=count(),
    EventStartTime = min(TimeGenerated),
    EventEndTime=max(TimeGenerated)
    by SrcIpAddr, SrcUsername, SrcHostname, Url, HttpUserAgent, DstIpAddr, DstPortNumber, UserAgentCategory
  | extend Name = iif(SrcUsername contains "@", tostring(split(SrcUsername,'@',0)[0]),SrcUsername), UPNSuffix = iif(SrcUsername contains "@",tostring(split(SrcUsername,'@',1)[0]),"")  
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Web Session Essentials/Analytic Rules/KnownMaliciousUserAgents.yaml
kind: Scheduled
description: |
    'This rule is designed to flag web requests that contain a user agent header that is recognized as malicious. It relies on a predefined list of known user agents, which is referenced from a specific CSV file'
triggerThreshold: 0
tags:
- Schema: WebSession
  SchemaVersion: 0.2.6
id: 6a4dbcf8-f5e2-4b33-b34f-2db6487613f0
customDetails:
  EventEndTime: EventEndTime
  UserAgentCategory: UserAgentCategory
  EventStartTime: EventStartTime
  EventCount: EventCount
  HttpUserAgent: HttpUserAgent
alertDetailsOverride:
  alertDisplayNameFormat: User '{{SrcUsername}}' with IP '{{SrcIpAddr}}' has been observed using User Agent categorized as '{{UserAgentCategory}}'
  alertDescriptionFormat: User accessed this URL '{{Url}}' using User Agent '{{HttpUserAgent}}'. Perform a thorough analysis of the requests associated with this user agent header
severity: Medium
eventGroupingSettings:
  aggregationKind: AlertPerResult
entityMappings:
- fieldMappings:
  - identifier: Url
    columnName: Url
  entityType: URL
- fieldMappings:
  - identifier: Address
    columnName: SrcIpAddr
  entityType: IP
- fieldMappings:
  - identifier: Address
    columnName: DstIpAddr
  entityType: IP
- fieldMappings:
  - identifier: Name
    columnName: Name
  - identifier: UPNSuffix
    columnName: UPNSuffix
  entityType: Account
- fieldMappings:
  - identifier: HostName
    columnName: SrcHostname
  entityType: Host
queryFrequency: 5m
queryPeriod: 5m
requiredDataConnectors: []
tactics:
- InitialAccess
- CommandAndControl
{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "workspace": {
      "type": "String"
    }
  },
  "resources": [
    {
      "apiVersion": "2023-02-01-preview",
      "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/6a4dbcf8-f5e2-4b33-b34f-2db6487613f0')]",
      "kind": "Scheduled",
      "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/6a4dbcf8-f5e2-4b33-b34f-2db6487613f0')]",
      "properties": {
        "alertDetailsOverride": {
          "alertDescriptionFormat": "User accessed this URL '{{Url}}' using User Agent '{{HttpUserAgent}}'. Perform a thorough analysis of the requests associated with this user agent header",
          "alertDisplayNameFormat": "User '{{SrcUsername}}' with IP '{{SrcIpAddr}}' has been observed using User Agent categorized as '{{UserAgentCategory}}'"
        },
        "alertRuleTemplateName": "6a4dbcf8-f5e2-4b33-b34f-2db6487613f0",
        "customDetails": {
          "EventCount": "EventCount",
          "EventEndTime": "EventEndTime",
          "EventStartTime": "EventStartTime",
          "HttpUserAgent": "HttpUserAgent",
          "UserAgentCategory": "UserAgentCategory"
        },
        "description": "'This rule is designed to flag web requests that contain a user agent header that is recognized as malicious. It relies on a predefined list of known user agents, which is referenced from a specific CSV file'\n",
        "displayName": "Detect known risky user agents (ASIM Web Session)",
        "enabled": true,
        "entityMappings": [
          {
            "entityType": "URL",
            "fieldMappings": [
              {
                "columnName": "Url",
                "identifier": "Url"
              }
            ]
          },
          {
            "entityType": "IP",
            "fieldMappings": [
              {
                "columnName": "SrcIpAddr",
                "identifier": "Address"
              }
            ]
          },
          {
            "entityType": "IP",
            "fieldMappings": [
              {
                "columnName": "DstIpAddr",
                "identifier": "Address"
              }
            ]
          },
          {
            "entityType": "Account",
            "fieldMappings": [
              {
                "columnName": "Name",
                "identifier": "Name"
              },
              {
                "columnName": "UPNSuffix",
                "identifier": "UPNSuffix"
              }
            ]
          },
          {
            "entityType": "Host",
            "fieldMappings": [
              {
                "columnName": "SrcHostname",
                "identifier": "HostName"
              }
            ]
          }
        ],
        "eventGroupingSettings": {
          "aggregationKind": "AlertPerResult"
        },
        "OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Web Session Essentials/Analytic Rules/KnownMaliciousUserAgents.yaml",
        "query": "let lookback = 5m;\nlet knownUserAgentsIndicators = materialize(externaldata(UserAgent: string, UserAgentCategory: string)\n  [@\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Sample%20Data/Feeds/UnusualUserAgents.csv\"] \n  with(format=\"csv\", ignoreFirstRecord=True)\n  | extend joiner = 1);\nlet CustomUserAgentIndicators = (_ASIM_GetWatchlistRaw(\"UnusualUserAgents\") // Create new Watchlist and add your custom indicators(Optional)\n  | extend\n      UserAgent = tostring(WatchlistItem[\"UserAgent\"]),\n      UserAgentCategory = tostring(WatchlistItem[\"UserAgentCategory\"])\n  | project UserAgent, UserAgentCategory, joiner = 1\n  | where isnotempty(UserAgent) and isnotempty(UserAgentCategory));\nlet CombinedUAList = union knownUserAgentsIndicators, CustomUserAgentIndicators;\nlet knownUserAgents=toscalar(CombinedUAList\n  | where isnotempty(UserAgent)\n  | summarize make_list(UserAgent, 1000));\n_Im_WebSession (starttime=ago(lookback), httpuseragent_has_any=knownUserAgents)\n| project SrcIpAddr, SrcUsername, SrcHostname, HttpUserAgent, Url, DstIpAddr, DstPortNumber, TimeGenerated\n| extend joiner = 1\n| join kind=inner CombinedUAList on joiner\n| where HttpUserAgent has UserAgent\n| summarize\n  EventCount=count(),\n  EventStartTime = min(TimeGenerated),\n  EventEndTime=max(TimeGenerated)\n  by SrcIpAddr, SrcUsername, SrcHostname, Url, HttpUserAgent, DstIpAddr, DstPortNumber, UserAgentCategory\n| extend Name = iif(SrcUsername contains \"@\", tostring(split(SrcUsername,'@',0)[0]),SrcUsername), UPNSuffix = iif(SrcUsername contains \"@\",tostring(split(SrcUsername,'@',1)[0]),\"\")\n",
        "queryFrequency": "PT5M",
        "queryPeriod": "PT5M",
        "severity": "Medium",
        "status": "Available",
        "suppressionDuration": "PT1H",
        "suppressionEnabled": false,
        "tactics": [
          "CommandAndControl",
          "InitialAccess"
        ],
        "tags": [
          {
            "Schema": "WebSession",
            "SchemaVersion": "0.2.6"
          }
        ],
        "techniques": [
          "T1071",
          "T1133",
          "T1190"
        ],
        "templateVersion": "1.0.0",
        "triggerOperator": "GreaterThan",
        "triggerThreshold": 0
      },
      "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules"
    }
  ]
}