
Possible Phishing with CSL and Network Sessions

Id6c3a1258-bcdd-4fcd-b753-1a9bc826ce12
RulenamePossible Phishing with CSL and Network Sessions
DescriptionThis query looks for malicious URL clicks in phishing email recognized by Microsoft Defender for Office 365 (MDO) and correlates them with CommonSecurityLog (CSL) and ASIM NetworkSession events.

If your workspace doesn't have one of the many data sources required for ASIM, the query may raise an informational error, which can be safely ignored.
SeverityMedium
TacticsInitialAccess
CommandAndControl
TechniquesT1566
T1102
Required data connectorsAIVectraStream
AWSS3
AzureMonitor(VMInsights)
AzureNSG
CheckPoint
Fortinet
MicrosoftSysmonForLinux
MicrosoftThreatProtection
PaloAltoNetworks
SecurityEvents
WindowsForwardedEvents
WindowsSecurityEvents
Zscaler
KindScheduled
Query frequency1d
Query period1d
Trigger threshold0
Trigger operatorgt
Source Urihttps://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Microsoft Defender XDR/Analytic Rules/PossiblePhishingwithCSL&NetworkSession.yaml
Version1.1.2
Arm template6c3a1258-bcdd-4fcd-b753-1a9bc826ce12.json
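// Possible phishing with CSL and network sessions.
//
// Chain: a URL flagged by Microsoft Defender for Office 365 (MDO) -> the mail it arrived in
// (NetworkMessageId) -> the recipient (EmailEvents) -> the recipient's on-prem SID (IdentityInfo)
// -> a browser launch of that exact URL by that SID on a Defender-onboarded device (DeviceEvents)
// -> the same URL seen by a proxy/firewall (CommonSecurityLog) -> outbound sessions to the
// proxy's destination IP (ASIM _Im_NetworkSession).
//
// Every join is explicitly kind=inner. KQL's default join flavor is innerunique, which
// de-duplicates the LEFT side on the join key: with the bare `join EmailEvents` the rule
// silently kept only one URL per mail, so a phishing mail carrying several malicious URLs
// was only ever checked for one of them.
//
// NOTE(review): the CommonSecurityLog and NetworkSession joins are keyed on URL and on
// destination IP only — no time window and no tie to the clicking device's source IP — so
// within the 1d query period they also match unrelated hosts that reached the same
// destination. Narrowing them (e.g. on SourceIP, or a window around the click) is worth
// doing once the proxy and flow sources are confirmed to carry comparable fields.
//
// If the workspace lacks some of the ASIM NetworkSession sources, the parser may emit an
// informational error; it can be ignored.

// ----- URLs flagged by MDO, paired with the mail they arrived in -----
AlertEvidence
| where ServiceSource =~ "Microsoft Defender for Office 365"
| where EntityType =~ "Url"
| where isnotempty(RemoteUrl)                      // an empty URL carries nothing to correlate on
| project AlertId, RemoteUrl
| join kind=inner (
    AlertEvidence
    | where ServiceSource =~ "Microsoft Defender for Office 365"
    | where EntityType =~ "MailMessage"
    | where isnotempty(NetworkMessageId)           // same reason: never join on an empty key
    | project AlertId, NetworkMessageId
  ) on AlertId
| distinct RemoteUrl, NetworkMessageId
// ----- Who received that mail (explicit kind=inner: see header) -----
| join kind=inner (
    EmailEvents
    | where isnotempty(NetworkMessageId)
    | project NetworkMessageId, RecipientEmailAddress, RecipientObjectId
  ) on NetworkMessageId
| distinct RemoteUrl, NetworkMessageId, RecipientEmailAddress, RecipientObjectId
// ----- Map the recipient's Entra object id to the SID that DeviceEvents records -----
| join kind=inner (
    IdentityInfo
    // cloud-only accounts have no SID; an empty SID must never act as an identity in the join
    | where isnotempty(AccountObjectId) and isnotempty(AccountSID)
    | distinct AccountObjectId, AccountSID          // IdentityInfo holds several snapshot rows per account
  ) on $left.RecipientObjectId == $right.AccountObjectId
| distinct RemoteUrl, NetworkMessageId, RecipientEmailAddress, RecipientObjectId, AccountSID
// ----- The recipient actually opened that URL in a browser on a device -----
| join kind=inner (
    DeviceEvents
    | where ActionType =~ "BrowserLaunchedToOpenUrl"
    | where isnotempty(RemoteUrl) and isnotempty(InitiatingProcessAccountSid)
    // UrlClickedByUserSid holds the clicked URL (not a SID); the name is kept so the
    // rule's output schema is unchanged for anything that already consumes it.
    | project UrlClickedByUserSid = RemoteUrl,
        InitiatingProcessAccountSid, DeviceName, DeviceId, InitiatingProcessFileName,
        InitiatingProcessAccountUpn, InitiatingProcessAccountName, InitiatingProcessAccountDomain
  ) on $left.AccountSID == $right.InitiatingProcessAccountSid and $left.RemoteUrl == $right.UrlClickedByUserSid
| distinct RemoteUrl, NetworkMessageId, RecipientEmailAddress, RecipientObjectId,
    AccountSID, UrlClickedByUserSid, DeviceName, DeviceId, InitiatingProcessFileName,
    InitiatingProcessAccountUpn, InitiatingProcessAccountName, InitiatingProcessAccountDomain
// ----- The clicked URL as seen by a proxy/firewall that writes CommonSecurityLog -----
// The match is an exact, case-sensitive string compare of the full URL; a source that
// logs URLs in a different form (case, trailing slash, query string) will not match here.
| join kind=inner (
    CommonSecurityLog
    | where isnotempty(RequestURL)                  // pre-filter only; an empty URL cannot match anyway
    | project TimeGenerated, DeviceVendor, DeviceProduct, DeviceAction, DestinationDnsDomain,
        DestinationIP, RequestURL, SourceIP, SourceHostName, RequestClientApplication
  ) on $left.RemoteUrl == $right.RequestURL
// ----- Network sessions to the destination the proxy resolved for that URL -----
| join kind=inner (
    _Im_NetworkSession
    | where isnotempty(DstIpAddr)
    // ipv4_is_private() yields null for non-IPv4 input, so this also drops IPv6 destinations
    | where not(ipv4_is_private(DstIpAddr))
    // renamed so it cannot be confused with the CSL TimeGenerated the summarize groups on
    | project SessionTime = TimeGenerated, SrcIpAddr, SrcPortNumber, DstIpAddr, DstPortNumber, DstBytes, SrcBytes
  ) on $left.DestinationIP == $right.DstIpAddr
// TimeGenerated here is the CommonSecurityLog row's timestamp; count() is the number of
// matching network sessions behind that proxy/firewall entry.
| summarize count() by TimeGenerated, RecipientEmailAddress, UrlClickedByUserSid, InitiatingProcessAccountUpn, InitiatingProcessAccountName, InitiatingProcessAccountDomain,
    DeviceName, InitiatingProcessFileName, DeviceProduct, DeviceAction, SourceIP, DestinationIP, RequestClientApplication
// ----- Columns consumed by the rule's Host and Account entity mappings -----
| extend HostName = tostring(split(DeviceName, ".")[0]), DomainIndex = toint(indexof(DeviceName, '.'))
| extend HostNameDomain = iff(DomainIndex != -1, substring(DeviceName, DomainIndex + 1), DeviceName)
| extend RecipientEmailName = tostring(split(RecipientEmailAddress,'@',0)[0]), RecipientEmailUPNSuffix = tostring(split(RecipientEmailAddress,'@',1)[0])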
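# Scheduled analytic rule: Possible Phishing with CSL and Network Sessions.
# Correlates an MDO-flagged phishing URL with a browser click by the recipient (DeviceEvents),
# the same URL in CommonSecurityLog, and ASIM NetworkSession traffic to the proxy's destination IP.
tags:
- Schema: ASimNetworkSessions
  SchemaVersion: 0.2.5
tactics:
- InitialAccess
- CommandAndControl
triggerOperator: gt
description: |
  This query looks for malicious URL clicks in phishing email recognized by Microsoft Defender for Office 365 (MDO)
  and correlates them with CommonSecurityLog (CSL) and ASIM NetworkSession events.
  If your workspace doesn't have one of the many data sources required for ASIM, the query may raise an
  informational error, which can be safely ignored.
requiredDataConnectors:
- connectorId: MicrosoftThreatProtection
  dataTypes:
  - AlertEvidence
  - EmailEvents
  - IdentityInfo
  - DeviceEvents
  # NOTE(review): DeviceNetworkEvents is listed here but is not referenced by the query.
  - DeviceNetworkEvents
# The CommonSecurityLog join needs at least one CEF proxy/firewall source that fills RequestURL.
- connectorId: Zscaler
  dataTypes:
  - CommonSecurityLog
- connectorId: Fortinet
  dataTypes:
  - CommonSecurityLog
- connectorId: CheckPoint
  dataTypes:
  - CommonSecurityLog
- connectorId: PaloAltoNetworks
  dataTypes:
  - CommonSecurityLog
# ASIM NetworkSession sources (any subset; the parser unions whatever is present).
- connectorId: AWSS3
  dataTypes:   # was `datatypes`; the template schema key is `dataTypes`, as on every other connector
  - AWSVPCFlow
- connectorId: WindowsForwardedEvents
  dataTypes:
  - WindowsEvent
- connectorId: SecurityEvents
  dataTypes:
  - SecurityEvent
- connectorId: WindowsSecurityEvents
  dataTypes:
  - SecurityEvent
- connectorId: MicrosoftSysmonForLinux
  dataTypes:
  - Syslog
- connectorId: AzureNSG
  dataTypes:
  - AzureDiagnostics
- connectorId: AzureMonitor(VMInsights)
  dataTypes:
  - VMConnection
- connectorId: AIVectraStream
  dataTypes:
  - VectraStream_CL
relevantTechniques:
- T1566
- T1102
# NOTE(review): bump this when the query change below ships.
version: 1.1.2
id: 6c3a1258-bcdd-4fcd-b753-1a9bc826ce12
entityMappings:
# Account that performed the browser click (from DeviceEvents)
- entityType: Account
  fieldMappings:
  - columnName: InitiatingProcessAccountUpn
    identifier: FullName
  - columnName: InitiatingProcessAccountName
    identifier: Name
  - columnName: InitiatingProcessAccountDomain
    identifier: UPNSuffix
# Mailbox that received the phishing mail (from EmailEvents)
- entityType: Account
  fieldMappings:
  - columnName: RecipientEmailAddress
    identifier: FullName
  - columnName: RecipientEmailName
    identifier: Name
  - columnName: RecipientEmailUPNSuffix
    identifier: UPNSuffix
- entityType: Host
  fieldMappings:
  - columnName: DeviceName
    identifier: FullName
  - columnName: HostName
    identifier: HostName
  - columnName: HostNameDomain
    identifier: DnsDomain
# Proxy client IP and the destination the proxy resolved (from CommonSecurityLog)
- entityType: IP
  fieldMappings:
  - columnName: SourceIP
    identifier: Address
- entityType: IP
  fieldMappings:
  - columnName: DestinationIP
    identifier: Address
# The clicked URL itself; the column name is historical (it holds the URL, not a SID).
- entityType: URL
  fieldMappings:
  - columnName: UrlClickedByUserSid
    identifier: Url
kind: Scheduled
query: |
  // Chain: MDO-flagged URL -> mail (NetworkMessageId) -> recipient (EmailEvents) -> recipient SID
  // (IdentityInfo) -> browser launch of that URL by that SID (DeviceEvents) -> same URL in
  // CommonSecurityLog -> sessions to the proxy's destination IP (_Im_NetworkSession).
  //
  // Every join is explicitly kind=inner. KQL's default flavor is innerunique, which de-duplicates
  // the LEFT side on the join key: the former bare `join EmailEvents` kept only one URL per mail,
  // so a mail carrying several malicious URLs was only ever checked for one of them.
  //
  // NOTE(review): the CSL and NetworkSession joins are keyed on URL / destination IP only, with no
  // time window and no tie to the clicking device's source IP, so within the 1d query period they
  // also match unrelated hosts reaching the same destination.
  //
  // ----- URLs flagged by MDO, paired with the mail they arrived in -----
  AlertEvidence
  | where ServiceSource =~ "Microsoft Defender for Office 365"
  | where EntityType =~ "Url"
  | where isnotempty(RemoteUrl)                      // never join on an empty key
  | project AlertId, RemoteUrl
  | join kind=inner (
      AlertEvidence
      | where ServiceSource =~ "Microsoft Defender for Office 365"
      | where EntityType =~ "MailMessage"
      | where isnotempty(NetworkMessageId)
      | project AlertId, NetworkMessageId
    ) on AlertId
  | distinct RemoteUrl, NetworkMessageId
  // ----- Who received that mail -----
  | join kind=inner (
      EmailEvents
      | where isnotempty(NetworkMessageId)
      | project NetworkMessageId, RecipientEmailAddress, RecipientObjectId
    ) on NetworkMessageId
  | distinct RemoteUrl, NetworkMessageId, RecipientEmailAddress, RecipientObjectId
  // ----- Map the recipient's Entra object id to the SID that DeviceEvents records -----
  | join kind=inner (
      IdentityInfo
      // cloud-only accounts have no SID; an empty SID must never act as an identity in the join
      | where isnotempty(AccountObjectId) and isnotempty(AccountSID)
      | distinct AccountObjectId, AccountSID          // IdentityInfo holds several snapshot rows per account
    ) on $left.RecipientObjectId == $right.AccountObjectId
  | distinct RemoteUrl, NetworkMessageId, RecipientEmailAddress, RecipientObjectId, AccountSID
  // ----- The recipient actually opened that URL in a browser on a device -----
  | join kind=inner (
      DeviceEvents
      | where ActionType =~ "BrowserLaunchedToOpenUrl"
      | where isnotempty(RemoteUrl) and isnotempty(InitiatingProcessAccountSid)
      // UrlClickedByUserSid holds the clicked URL (not a SID); name kept for output-schema compatibility
      | project UrlClickedByUserSid = RemoteUrl,
          InitiatingProcessAccountSid, DeviceName, DeviceId, InitiatingProcessFileName,
          InitiatingProcessAccountUpn, InitiatingProcessAccountName, InitiatingProcessAccountDomain
    ) on $left.AccountSID == $right.InitiatingProcessAccountSid and $left.RemoteUrl == $right.UrlClickedByUserSid
  | distinct RemoteUrl, NetworkMessageId, RecipientEmailAddress, RecipientObjectId,
      AccountSID, UrlClickedByUserSid, DeviceName, DeviceId, InitiatingProcessFileName,
      InitiatingProcessAccountUpn, InitiatingProcessAccountName, InitiatingProcessAccountDomain
  // ----- The clicked URL as seen by a proxy/firewall (exact, case-sensitive full-URL match) -----
  | join kind=inner (
      CommonSecurityLog
      | where isnotempty(RequestURL)                  // pre-filter only; an empty URL cannot match anyway
      | project TimeGenerated, DeviceVendor, DeviceProduct, DeviceAction, DestinationDnsDomain,
          DestinationIP, RequestURL, SourceIP, SourceHostName, RequestClientApplication
    ) on $left.RemoteUrl == $right.RequestURL
  // ----- Network sessions to the destination the proxy resolved for that URL -----
  | join kind=inner (
      _Im_NetworkSession
      | where isnotempty(DstIpAddr)
      // ipv4_is_private() yields null for non-IPv4 input, so this also drops IPv6 destinations
      | where not(ipv4_is_private(DstIpAddr))
      // renamed so it cannot be confused with the CSL TimeGenerated the summarize groups on
      | project SessionTime = TimeGenerated, SrcIpAddr, SrcPortNumber, DstIpAddr, DstPortNumber, DstBytes, SrcBytes
    ) on $left.DestinationIP == $right.DstIpAddr
  // TimeGenerated is the CommonSecurityLog row's timestamp; count() = matching sessions behind it
  | summarize count() by TimeGenerated, RecipientEmailAddress, UrlClickedByUserSid, InitiatingProcessAccountUpn, InitiatingProcessAccountName, InitiatingProcessAccountDomain,
      DeviceName, InitiatingProcessFileName, DeviceProduct, DeviceAction, SourceIP, DestinationIP, RequestClientApplication
  // ----- Columns consumed by the Host and Account entity mappings -----
  | extend HostName = tostring(split(DeviceName, ".")[0]), DomainIndex = toint(indexof(DeviceName, '.'))
  | extend HostNameDomain = iff(DomainIndex != -1, substring(DeviceName, DomainIndex + 1), DeviceName)
  | extend RecipientEmailName = tostring(split(RecipientEmailAddress,'@',0)[0]), RecipientEmailUPNSuffix = tostring(split(RecipientEmailAddress,'@',1)[0])
status: Available
triggerThreshold: 0
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Microsoft Defender XDR/Analytic Rules/PossiblePhishingwithCSL&NetworkSession.yaml
queryFrequency: 1d
severity: Medium
name: Possible Phishing with CSL and Network Sessions
queryPeriod: 1d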
{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "workspace": {
      "type": "String"
    }
  },
  "resources": [
    {
      "apiVersion": "2024-01-01-preview",
      "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/6c3a1258-bcdd-4fcd-b753-1a9bc826ce12')]",
      "kind": "Scheduled",
      "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/6c3a1258-bcdd-4fcd-b753-1a9bc826ce12')]",
      "properties": {
        "alertRuleTemplateName": "6c3a1258-bcdd-4fcd-b753-1a9bc826ce12",
        "customDetails": null,
        "description": "This query looks for malicious URL clicks in phishing email recognized by Microsoft Defender for Office 365 (MDO) and correlates them with CommonSecurityLog (CSL) and ASIM NetworkSession events.\nIf your workspace doesn't have one of the many data sources required for ASIM, the query may raise an informational error, which can be safely ignored.\n",
        "displayName": "Possible Phishing with CSL and Network Sessions",
        "enabled": true,
        "entityMappings": [
          {
            "entityType": "Account",
            "fieldMappings": [
              {
                "columnName": "InitiatingProcessAccountUpn",
                "identifier": "FullName"
              },
              {
                "columnName": "InitiatingProcessAccountName",
                "identifier": "Name"
              },
              {
                "columnName": "InitiatingProcessAccountDomain",
                "identifier": "UPNSuffix"
              }
            ]
          },
          {
            "entityType": "Account",
            "fieldMappings": [
              {
                "columnName": "RecipientEmailAddress",
                "identifier": "FullName"
              },
              {
                "columnName": "RecipientEmailName",
                "identifier": "Name"
              },
              {
                "columnName": "RecipientEmailUPNSuffix",
                "identifier": "UPNSuffix"
              }
            ]
          },
          {
            "entityType": "Host",
            "fieldMappings": [
              {
                "columnName": "DeviceName",
                "identifier": "FullName"
              },
              {
                "columnName": "HostName",
                "identifier": "HostName"
              },
              {
                "columnName": "HostNameDomain",
                "identifier": "DnsDomain"
              }
            ]
          },
          {
            "entityType": "IP",
            "fieldMappings": [
              {
                "columnName": "SourceIP",
                "identifier": "Address"
              }
            ]
          },
          {
            "entityType": "IP",
            "fieldMappings": [
              {
                "columnName": "DestinationIP",
                "identifier": "Address"
              }
            ]
          }
        ],
        "OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Microsoft Defender XDR/Analytic Rules/PossiblePhishingwithCSL&NetworkSession.yaml",
        "query": "//SuspiciousUrlClicked\nAlertEvidence\n| where ServiceSource =~ \"Microsoft Defender for Office 365\"\n| where EntityType =~ \"Url\"\n| project AlertId, RemoteUrl\n| join kind=inner (\nAlertEvidence\n| where ServiceSource =~ \"Microsoft Defender for Office 365\"\n| where EntityType =~ \"MailMessage\"\n| project AlertId, NetworkMessageId\n)\non AlertId\n| distinct RemoteUrl, NetworkMessageId\n| join EmailEvents on NetworkMessageId\n| distinct RemoteUrl, NetworkMessageId, RecipientEmailAddress, RecipientObjectId\n| join kind = inner IdentityInfo on $left.RecipientObjectId  == $right.AccountObjectId\n| distinct RemoteUrl, NetworkMessageId, RecipientEmailAddress , RecipientObjectId, AccountSID\n| join kind = inner  \n(DeviceEvents\n| where ActionType =~ \"BrowserLaunchedToOpenUrl\"| where isnotempty(RemoteUrl)\n| project  UrlClickedByUserSid = RemoteUrl,\nInitiatingProcessAccountSid, DeviceName, DeviceId, InitiatingProcessFileName,\nInitiatingProcessAccountUpn, InitiatingProcessAccountName, InitiatingProcessAccountDomain\n)\non $left.AccountSID == $right.InitiatingProcessAccountSid and $left.RemoteUrl == $right.UrlClickedByUserSid\n| distinct  RemoteUrl, NetworkMessageId, RecipientEmailAddress, RecipientObjectId,\n AccountSID, UrlClickedByUserSid, DeviceName, DeviceId, InitiatingProcessFileName,\n InitiatingProcessAccountUpn, InitiatingProcessAccountName, InitiatingProcessAccountDomain\n|  join kind=inner\n(\n//Suspicious url clicked found in common security logs\nCommonSecurityLog\n| project TimeGenerated, DeviceVendor, DeviceProduct, DeviceAction, DestinationDnsDomain, DestinationIP, RequestURL, SourceIP, SourceHostName, RequestClientApplication\n) on $left.RemoteUrl== $right.RequestURL\n|  join kind=inner\n(\n//Find the relevant network sessions\n_Im_NetworkSession\n| where isnotempty(DstIpAddr)\n| where not(ipv4_is_private(DstIpAddr))\n| project TimeGenerated, SrcIpAddr, SrcPortNumber, DstIpAddr, DstPortNumber, DstBytes, SrcBytes\n) on  
$left.DestinationIP == $right.DstIpAddr //The relevant network session being projected \n| summarize count() by TimeGenerated, RecipientEmailAddress, UrlClickedByUserSid, InitiatingProcessAccountUpn, InitiatingProcessAccountName, InitiatingProcessAccountDomain,\nDeviceName, InitiatingProcessFileName, DeviceProduct, DeviceAction, SourceIP, DestinationIP, RequestClientApplication\n| extend HostName = tostring(split(DeviceName, \".\")[0]), DomainIndex = toint(indexof(DeviceName, '.'))\n| extend HostNameDomain = iff(DomainIndex != -1, substring(DeviceName, DomainIndex + 1), DeviceName)\n| extend RecipientEmailName = tostring(split(RecipientEmailAddress,'@',0)[0]), RecipientEmailUPNSuffix = tostring(split(RecipientEmailAddress,'@',1)[0])\n",
        "queryFrequency": "P1D",
        "queryPeriod": "P1D",
        "severity": "Medium",
        "status": "Available",
        "subTechniques": [],
        "suppressionDuration": "PT1H",
        "suppressionEnabled": false,
        "tactics": [
          "CommandAndControl",
          "InitialAccess"
        ],
        "tags": [
          {
            "Schema": "ASimNetworkSessions",
            "SchemaVersion": "0.2.5"
          }
        ],
        "techniques": [
          "T1102",
          "T1566"
        ],
        "templateVersion": "1.1.2",
        "triggerOperator": "GreaterThan",
        "triggerThreshold": 0
      },
      "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules"
    }
  ]
}