Possible Phishing with CSL and Network Sessions
| Id | 6c3a1258-bcdd-4fcd-b753-1a9bc826ce12 |
| Rulename | Possible Phishing with CSL and Network Sessions |
| Description | This query looks for malicious URL clicks in phishing email recognized by MDO in correlation with CommonSecurityLogs(CSL) & NetworkSession events. If your workspace doesnt have one of the many data sources required for ASIM it may give informational error which can be safely ignored. |
| Severity | Medium |
| Tactics | InitialAccess CommandAndControl |
| Techniques | T1566 T1102 |
| Required data connectors | AIVectraStream AWSS3 AzureMonitor(VMInsights) AzureNSG CheckPoint Fortinet MicrosoftSysmonForLinux MicrosoftThreatProtection PaloAltoNetworks SecurityEvents WindowsForwardedEvents Zscaler |
| Kind | Scheduled |
| Query frequency | 1d |
| Query period | 1d |
| Trigger threshold | 0 |
| Trigger operator | gt |
| Source Uri | https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Microsoft 365 Defender/Analytic Rules/PossiblePhishingwithCSL&NetworkSession.yaml |
| Version | 1.0.0 |
| Arm template | 6c3a1258-bcdd-4fcd-b753-1a9bc826ce12.json |
//SuspiciousUrlClicked
AlertEvidence
| where ServiceSource == "Microsoft Defender for Office 365"
| where EntityType == "Url"
| project AlertId, RemoteUrl
| join (
AlertEvidence
| where ServiceSource == "Microsoft Defender for Office 365"
| where EntityType == "MailMessage"
| project AlertId, NetworkMessageId
)
on AlertId
| distinct RemoteUrl, NetworkMessageId
| join EmailEvents on NetworkMessageId
| distinct RemoteUrl, NetworkMessageId, RecipientEmailAddress, RecipientObjectId
| join kind = inner IdentityInfo on $left.RecipientObjectId == $right.AccountObjectId
| distinct RemoteUrl, NetworkMessageId, RecipientEmailAddress , RecipientObjectId, AccountSID
| join kind = inner
(DeviceEvents
| where ActionType == "BrowserLaunchedToOpenUrl"| where isnotempty(RemoteUrl)
| project UrlClickedByUserSid = RemoteUrl,
InitiatingProcessAccountSid, DeviceName, DeviceId, InitiatingProcessFileName, InitiatingProcessAccountName
)
on $left.AccountSID == $right.InitiatingProcessAccountSid and $left.RemoteUrl == $right.UrlClickedByUserSid
| distinct RemoteUrl, NetworkMessageId, RecipientEmailAddress, RecipientObjectId,
AccountSID, UrlClickedByUserSid, DeviceName, DeviceId, InitiatingProcessFileName, InitiatingProcessAccountName
| join kind=inner
(
//Suspicious url clicked found in common security logs
CommonSecurityLog
| project TimeGenerated, DeviceVendor, DeviceProduct, DeviceAction, DestinationDnsDomain, DestinationIP, RequestURL, SourceIP, SourceHostName, RequestClientApplication
) on $left.RemoteUrl== $right.RequestURL
| join kind=inner
(
//Find the relevant network sessions
_Im_NetworkSession
| where isnotempty(DstIpAddr)
| where not(ipv4_is_private(DstIpAddr))
| project TimeGenerated, SrcIpAddr, SrcPortNumber, DstIpAddr, DstPortNumber, DstBytes, SrcBytes
) on $left.DestinationIP == $right.DstIpAddr //The relevant network session being projected
| summarize count() by TimeGenerated, RecipientEmailAddress, UrlClickedByUserSid, InitiatingProcessAccountName, DeviceName, InitiatingProcessFileName,DeviceProduct, DeviceAction, SourceIP, DestinationIP, RequestClientApplication
| extend timestamp = TimeGenerated, AccountCustomEntity = InitiatingProcessAccountName, HostCustomEntity = DeviceName
| extend UPNSuffix = InitiatingProcessAccountName
tags:
- Schema: ASimNetworkSessions
SchemaVersion: 0.2.5
queryPeriod: 1d
version: 1.0.0
relevantTechniques:
- T1566
- T1102
queryFrequency: 1d
kind: Scheduled
name: Possible Phishing with CSL and Network Sessions
id: 6c3a1258-bcdd-4fcd-b753-1a9bc826ce12
entityMappings:
- fieldMappings:
- columnName: AccountCustomEntity
identifier: Name
- columnName: UPNSuffix
identifier: UPNSuffix
entityType: Account
- fieldMappings:
- columnName: HostCustomEntity
identifier: FullName
entityType: Host
- fieldMappings:
- columnName: SrcIpAddr
identifier: Address
entityType: IP
- fieldMappings:
- columnName: DstIpAddr
identifier: Address
entityType: IP
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Microsoft 365 Defender/Analytic Rules/PossiblePhishingwithCSL&NetworkSession.yaml
severity: Medium
query: |
//SuspiciousUrlClicked
AlertEvidence
| where ServiceSource == "Microsoft Defender for Office 365"
| where EntityType == "Url"
| project AlertId, RemoteUrl
| join (
AlertEvidence
| where ServiceSource == "Microsoft Defender for Office 365"
| where EntityType == "MailMessage"
| project AlertId, NetworkMessageId
)
on AlertId
| distinct RemoteUrl, NetworkMessageId
| join EmailEvents on NetworkMessageId
| distinct RemoteUrl, NetworkMessageId, RecipientEmailAddress, RecipientObjectId
| join kind = inner IdentityInfo on $left.RecipientObjectId == $right.AccountObjectId
| distinct RemoteUrl, NetworkMessageId, RecipientEmailAddress , RecipientObjectId, AccountSID
| join kind = inner
(DeviceEvents
| where ActionType == "BrowserLaunchedToOpenUrl"| where isnotempty(RemoteUrl)
| project UrlClickedByUserSid = RemoteUrl,
InitiatingProcessAccountSid, DeviceName, DeviceId, InitiatingProcessFileName, InitiatingProcessAccountName
)
on $left.AccountSID == $right.InitiatingProcessAccountSid and $left.RemoteUrl == $right.UrlClickedByUserSid
| distinct RemoteUrl, NetworkMessageId, RecipientEmailAddress, RecipientObjectId,
AccountSID, UrlClickedByUserSid, DeviceName, DeviceId, InitiatingProcessFileName, InitiatingProcessAccountName
| join kind=inner
(
//Suspicious url clicked found in common security logs
CommonSecurityLog
| project TimeGenerated, DeviceVendor, DeviceProduct, DeviceAction, DestinationDnsDomain, DestinationIP, RequestURL, SourceIP, SourceHostName, RequestClientApplication
) on $left.RemoteUrl== $right.RequestURL
| join kind=inner
(
//Find the relevant network sessions
_Im_NetworkSession
| where isnotempty(DstIpAddr)
| where not(ipv4_is_private(DstIpAddr))
| project TimeGenerated, SrcIpAddr, SrcPortNumber, DstIpAddr, DstPortNumber, DstBytes, SrcBytes
) on $left.DestinationIP == $right.DstIpAddr //The relevant network session being projected
| summarize count() by TimeGenerated, RecipientEmailAddress, UrlClickedByUserSid, InitiatingProcessAccountName, DeviceName, InitiatingProcessFileName,DeviceProduct, DeviceAction, SourceIP, DestinationIP, RequestClientApplication
| extend timestamp = TimeGenerated, AccountCustomEntity = InitiatingProcessAccountName, HostCustomEntity = DeviceName
| extend UPNSuffix = InitiatingProcessAccountName
tactics:
- InitialAccess
- CommandAndControl
description: |
'This query looks for malicious URL clicks in phishing email recognized by MDO in correlation with CommonSecurityLogs(CSL) & NetworkSession events.
If your workspace doesnt have one of the many data sources required for ASIM it may give informational error which can be safely ignored.'
requiredDataConnectors:
- connectorId: MicrosoftThreatProtection
dataTypes:
- AlertEvidence
- EmailEvents
- IdentityInfo
- DeviceEvents
- DeviceNetworkEvents
- connectorId: Zscaler
dataTypes:
- CommonSecurityLog
- connectorId: Fortinet
dataTypes:
- CommonSecurityLog
- connectorId: CheckPoint
dataTypes:
- CommonSecurityLog
- connectorId: PaloAltoNetworks
dataTypes:
- CommonSecurityLog
- connectorId: AWSS3
datatypes:
- AWSVPCFlow
- connectorId: WindowsForwardedEvents
dataTypes:
- WindowsEvent
- connectorId: SecurityEvents
dataTypes:
- SecurityEvent
- connectorId: MicrosoftSysmonForLinux
dataTypes:
- Syslog
- connectorId: AzureNSG
dataTypes:
- AzureDiagnostics
- connectorId: AzureMonitor(VMInsights)
dataTypes:
- VMConnection
- connectorId: AIVectraStream
dataTypes:
- VectraStream_CL
status: Available
triggerThreshold: 0
triggerOperator: gt
{
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"parameters": {
"workspace": {
"type": "String"
}
},
"resources": [
{
"id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/6c3a1258-bcdd-4fcd-b753-1a9bc826ce12')]",
"name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/6c3a1258-bcdd-4fcd-b753-1a9bc826ce12')]",
"type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
"kind": "Scheduled",
"apiVersion": "2022-11-01",
"properties": {
"displayName": "Possible Phishing with CSL and Network Sessions",
"description": "'This query looks for malicious URL clicks in phishing email recognized by MDO in correlation with CommonSecurityLogs(CSL) & NetworkSession events. \nIf your workspace doesnt have one of the many data sources required for ASIM it may give informational error which can be safely ignored.'\n",
"severity": "Medium",
"enabled": true,
"query": "//SuspiciousUrlClicked\nAlertEvidence\n| where ServiceSource == \"Microsoft Defender for Office 365\"\n| where EntityType == \"Url\"\n| project AlertId, RemoteUrl\n| join (\nAlertEvidence\n| where ServiceSource == \"Microsoft Defender for Office 365\"\n| where EntityType == \"MailMessage\"\n| project AlertId, NetworkMessageId\n)\non AlertId\n| distinct RemoteUrl, NetworkMessageId\n| join EmailEvents on NetworkMessageId\n| distinct RemoteUrl, NetworkMessageId, RecipientEmailAddress, RecipientObjectId\n| join kind = inner IdentityInfo on $left.RecipientObjectId == $right.AccountObjectId\n| distinct RemoteUrl, NetworkMessageId, RecipientEmailAddress , RecipientObjectId, AccountSID\n| join kind = inner \n(DeviceEvents\n| where ActionType == \"BrowserLaunchedToOpenUrl\"| where isnotempty(RemoteUrl)\n| project UrlClickedByUserSid = RemoteUrl,\nInitiatingProcessAccountSid, DeviceName, DeviceId, InitiatingProcessFileName, InitiatingProcessAccountName\n)\non $left.AccountSID == $right.InitiatingProcessAccountSid and $left.RemoteUrl == $right.UrlClickedByUserSid\n| distinct RemoteUrl, NetworkMessageId, RecipientEmailAddress, RecipientObjectId,\n AccountSID, UrlClickedByUserSid, DeviceName, DeviceId, InitiatingProcessFileName, InitiatingProcessAccountName\n| join kind=inner\n(\n//Suspicious url clicked found in common security logs\nCommonSecurityLog\n| project TimeGenerated, DeviceVendor, DeviceProduct, DeviceAction, DestinationDnsDomain, DestinationIP, RequestURL, SourceIP, SourceHostName, RequestClientApplication\n) on $left.RemoteUrl== $right.RequestURL \n| join kind=inner\n(\n//Find the relevant network sessions\n_Im_NetworkSession\n| where isnotempty(DstIpAddr)\n| where not(ipv4_is_private(DstIpAddr))\n| project TimeGenerated, SrcIpAddr, SrcPortNumber, DstIpAddr, DstPortNumber, DstBytes, SrcBytes\n) on $left.DestinationIP == $right.DstIpAddr //The relevant network session being projected \n| summarize count() by TimeGenerated, RecipientEmailAddress, UrlClickedByUserSid, InitiatingProcessAccountName, DeviceName, InitiatingProcessFileName,DeviceProduct, DeviceAction, SourceIP, DestinationIP, RequestClientApplication\n| extend timestamp = TimeGenerated, AccountCustomEntity = InitiatingProcessAccountName, HostCustomEntity = DeviceName\n| extend UPNSuffix = InitiatingProcessAccountName\n",
"queryFrequency": "P1D",
"queryPeriod": "P1D",
"triggerOperator": "GreaterThan",
"triggerThreshold": 0,
"suppressionDuration": "PT1H",
"suppressionEnabled": false,
"tactics": [
"InitialAccess",
"CommandAndControl"
],
"techniques": [
"T1566",
"T1102"
],
"alertRuleTemplateName": "6c3a1258-bcdd-4fcd-b753-1a9bc826ce12",
"customDetails": null,
"entityMappings": [
{
"fieldMappings": [
{
"identifier": "Name",
"columnName": "AccountCustomEntity"
},
{
"identifier": "UPNSuffix",
"columnName": "UPNSuffix"
}
],
"entityType": "Account"
},
{
"fieldMappings": [
{
"identifier": "FullName",
"columnName": "HostCustomEntity"
}
],
"entityType": "Host"
},
{
"fieldMappings": [
{
"identifier": "Address",
"columnName": "SrcIpAddr"
}
],
"entityType": "IP"
},
{
"fieldMappings": [
{
"identifier": "Address",
"columnName": "DstIpAddr"
}
],
"entityType": "IP"
}
],
"OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Microsoft 365 Defender/Analytic Rules/PossiblePhishingwithCSL&NetworkSession.yaml",
"templateVersion": "1.0.0",
"status": "Available",
"tags": [
{
"Schema": "ASimNetworkSessions",
"SchemaVersion": "0.2.5"
}
]
}
}
]
}