Microsoft Sentinel Analytic Rules
cloudbrothers.infoAzure Sentinel RepoToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeBack to homepage

Detect Local File InclusionLFI in web requests ASIM Web Session

Back
Id7bb55d05-ef39-4a40-8079-0bc3c05e7881
RulenameDetect Local File Inclusion(LFI) in web requests (ASIM Web Session)
DescriptionLFI vulnerabilities allow an attacker to read (and sometimes execute) files on the victim machine. This can be very dangerous because if the web server is misconfigured and running with high privileges, the attacker may gain access to sensitive information
SeverityHigh
TacticsInitialAccess
Execution
TechniquesT1190
T1133
T1059
KindScheduled
Query frequency5m
Query period5m
Trigger threshold0
Trigger operatorgt
Source Urihttps://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Web Session Essentials/Analytic Rules/LocalFileInclusion-LFI.yaml
Version1.0.0
Arm template7bb55d05-ef39-4a40-8079-0bc3c05e7881.json
Deploy To Azure
let lookback = 5m;
let LFI_Indicators = materialize(externaldata(Indicators: string)
    [@"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Sample%20Data/Feeds/LocalFileInclusionIndicators.csv"] 
    with(format="csv", ignoreFirstRecord=True));
let CustomLocalFileInclusionIndicators = (_ASIM_GetWatchlistRaw("Web_LocalFileInclusionIndicators") // Create new Watchlist and add your custom indicators(Optional)
    | extend
        Indicators = tostring(WatchlistItem["Indicators"])
    | project Indicators
    | where isnotempty(Indicators));
let CombinedLFIList = union LFI_Indicators, CustomLocalFileInclusionIndicators;
let knownLFIIndicators=toscalar(CombinedLFIList
    | where isnotempty(Indicators)
    | summarize make_set(Indicators, 1000));
_Im_WebSession(starttime=ago(lookback), url_has_any=knownLFIIndicators, eventresult='Success')
| where isnotempty(Url)
| project Url, SrcIpAddr, SrcUsername, SrcHostname, TimeGenerated
| extend Decoded_url = url_decode(Url)
| where Decoded_url has_any (knownLFIIndicators)
| summarize
    EventCount=count(),
    EventStartTime=min(TimeGenerated),
    EventEndTime=max(TimeGenerated)
    by SrcIpAddr, SrcUsername, SrcHostname, Url, Decoded_url
| extend
    Name = iif(SrcUsername contains "@", tostring(split(SrcUsername, '@', 0)[0]), SrcUsername),
    UPNSuffix = iif(SrcUsername contains "@", tostring(split(SrcUsername, '@', 1)[0]), "")
| order by EventCount desc
name: Detect Local File Inclusion(LFI) in web requests (ASIM Web Session)
relevantTechniques:
- T1190
- T1133
- T1059
severity: High
queryFrequency: 5m
triggerOperator: gt
customDetails:
  EventEndTime: EventEndTime
  EventStartTime: EventStartTime
  EventCount: EventCount
  Decoded_url: Decoded_url
tags:
- Schema: WebSession
  SchemaVersion: 0.2.6
status: Available
description: |
    'LFI vulnerabilities allow an attacker to read (and sometimes execute) files on the victim machine. This can be very dangerous because if the web server is misconfigured and running with high privileges, the attacker may gain access to sensitive information'
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Web Session Essentials/Analytic Rules/LocalFileInclusion-LFI.yaml
alertDetailsOverride:
  alertDisplayNameFormat: Potential Local File Inlcusion(LFI) performed by user '{{SrcUsername}}' from IP '{{SrcIpAddr}}'
  alertDescriptionFormat: User requested for URL '{{Url}}' which contains LFI related keywords or indicators. It suggests an attempt to traverse directories and access files outside the intended directory structure
requiredDataConnectors: []
entityMappings:
- fieldMappings:
  - identifier: Address
    columnName: SrcIpAddr
  entityType: IP
- fieldMappings:
  - identifier: Url
    columnName: Url
  entityType: URL
- fieldMappings:
  - identifier: Name
    columnName: Name
  - identifier: UPNSuffix
    columnName: UPNSuffix
  entityType: Account
- fieldMappings:
  - identifier: HostName
    columnName: SrcHostname
  entityType: Host
tactics:
- InitialAccess
- Execution
queryPeriod: 5m
query: |
  let lookback = 5m;
  let LFI_Indicators = materialize(externaldata(Indicators: string)
      [@"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Sample%20Data/Feeds/LocalFileInclusionIndicators.csv"] 
      with(format="csv", ignoreFirstRecord=True));
  let CustomLocalFileInclusionIndicators = (_ASIM_GetWatchlistRaw("Web_LocalFileInclusionIndicators") // Create new Watchlist and add your custom indicators(Optional)
      | extend
          Indicators = tostring(WatchlistItem["Indicators"])
      | project Indicators
      | where isnotempty(Indicators));
  let CombinedLFIList = union LFI_Indicators, CustomLocalFileInclusionIndicators;
  let knownLFIIndicators=toscalar(CombinedLFIList
      | where isnotempty(Indicators)
      | summarize make_set(Indicators, 1000));
  _Im_WebSession(starttime=ago(lookback), url_has_any=knownLFIIndicators, eventresult='Success')
  | where isnotempty(Url)
  | project Url, SrcIpAddr, SrcUsername, SrcHostname, TimeGenerated
  | extend Decoded_url = url_decode(Url)
  | where Decoded_url has_any (knownLFIIndicators)
  | summarize
      EventCount=count(),
      EventStartTime=min(TimeGenerated),
      EventEndTime=max(TimeGenerated)
      by SrcIpAddr, SrcUsername, SrcHostname, Url, Decoded_url
  | extend
      Name = iif(SrcUsername contains "@", tostring(split(SrcUsername, '@', 0)[0]), SrcUsername),
      UPNSuffix = iif(SrcUsername contains "@", tostring(split(SrcUsername, '@', 1)[0]), "")
  | order by EventCount desc  
version: 1.0.0
kind: Scheduled
eventGroupingSettings:
  aggregationKind: AlertPerResult
triggerThreshold: 0
id: 7bb55d05-ef39-4a40-8079-0bc3c05e7881
{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "workspace": {
      "type": "String"
    }
  },
  "resources": [
    {
      "apiVersion": "2024-01-01-preview",
      "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/7bb55d05-ef39-4a40-8079-0bc3c05e7881')]",
      "kind": "Scheduled",
      "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/7bb55d05-ef39-4a40-8079-0bc3c05e7881')]",
      "properties": {
        "alertDetailsOverride": {
          "alertDescriptionFormat": "User requested for URL '{{Url}}' which contains LFI related keywords or indicators. It suggests an attempt to traverse directories and access files outside the intended directory structure",
          "alertDisplayNameFormat": "Potential Local File Inlcusion(LFI) performed by user '{{SrcUsername}}' from IP '{{SrcIpAddr}}'"
        },
        "alertRuleTemplateName": "7bb55d05-ef39-4a40-8079-0bc3c05e7881",
        "customDetails": {
          "Decoded_url": "Decoded_url",
          "EventCount": "EventCount",
          "EventEndTime": "EventEndTime",
          "EventStartTime": "EventStartTime"
        },
        "description": "'LFI vulnerabilities allow an attacker to read (and sometimes execute) files on the victim machine. This can be very dangerous because if the web server is misconfigured and running with high privileges, the attacker may gain access to sensitive information'\n",
        "displayName": "Detect Local File Inclusion(LFI) in web requests (ASIM Web Session)",
        "enabled": true,
        "entityMappings": [
          {
            "entityType": "IP",
            "fieldMappings": [
              {
                "columnName": "SrcIpAddr",
                "identifier": "Address"
              }
            ]
          },
          {
            "entityType": "URL",
            "fieldMappings": [
              {
                "columnName": "Url",
                "identifier": "Url"
              }
            ]
          },
          {
            "entityType": "Account",
            "fieldMappings": [
              {
                "columnName": "Name",
                "identifier": "Name"
              },
              {
                "columnName": "UPNSuffix",
                "identifier": "UPNSuffix"
              }
            ]
          },
          {
            "entityType": "Host",
            "fieldMappings": [
              {
                "columnName": "SrcHostname",
                "identifier": "HostName"
              }
            ]
          }
        ],
        "eventGroupingSettings": {
          "aggregationKind": "AlertPerResult"
        },
        "OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Web Session Essentials/Analytic Rules/LocalFileInclusion-LFI.yaml",
        "query": "let lookback = 5m;\nlet LFI_Indicators = materialize(externaldata(Indicators: string)\n    [@\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Sample%20Data/Feeds/LocalFileInclusionIndicators.csv\"] \n    with(format=\"csv\", ignoreFirstRecord=True));\nlet CustomLocalFileInclusionIndicators = (_ASIM_GetWatchlistRaw(\"Web_LocalFileInclusionIndicators\") // Create new Watchlist and add your custom indicators(Optional)\n    | extend\n        Indicators = tostring(WatchlistItem[\"Indicators\"])\n    | project Indicators\n    | where isnotempty(Indicators));\nlet CombinedLFIList = union LFI_Indicators, CustomLocalFileInclusionIndicators;\nlet knownLFIIndicators=toscalar(CombinedLFIList\n    | where isnotempty(Indicators)\n    | summarize make_set(Indicators, 1000));\n_Im_WebSession(starttime=ago(lookback), url_has_any=knownLFIIndicators, eventresult='Success')\n| where isnotempty(Url)\n| project Url, SrcIpAddr, SrcUsername, SrcHostname, TimeGenerated\n| extend Decoded_url = url_decode(Url)\n| where Decoded_url has_any (knownLFIIndicators)\n| summarize\n    EventCount=count(),\n    EventStartTime=min(TimeGenerated),\n    EventEndTime=max(TimeGenerated)\n    by SrcIpAddr, SrcUsername, SrcHostname, Url, Decoded_url\n| extend\n    Name = iif(SrcUsername contains \"@\", tostring(split(SrcUsername, '@', 0)[0]), SrcUsername),\n    UPNSuffix = iif(SrcUsername contains \"@\", tostring(split(SrcUsername, '@', 1)[0]), \"\")\n| order by EventCount desc\n",
        "queryFrequency": "PT5M",
        "queryPeriod": "PT5M",
        "severity": "High",
        "status": "Available",
        "subTechniques": [],
        "suppressionDuration": "PT1H",
        "suppressionEnabled": false,
        "tactics": [
          "Execution",
          "InitialAccess"
        ],
        "tags": [
          {
            "Schema": "WebSession",
            "SchemaVersion": "0.2.6"
          }
        ],
        "techniques": [
          "T1059",
          "T1133",
          "T1190"
        ],
        "templateVersion": "1.0.0",
        "triggerOperator": "GreaterThan",
        "triggerThreshold": 0
      },
      "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules"
    }
  ]
}