Detect threat information in web requests ASIM Web Session
| Id | 7d2ed1c7-da26-45fd-b4ea-b6f2bbeccea7 |
| Rulename | Detect threat information in web requests (ASIM Web Session) |
| Description | This rule generates an alert if EventSeverity is 'High', or if the 'ThreatRiskLevel' or 'ThreatOriginalConfidence' value is greater than 90. |
| Severity | High |
| Tactics | InitialAccess |
| Techniques | T1190 T1133 |
| Kind | Scheduled |
| Query frequency | 5m |
| Query period | 5m |
| Trigger threshold | 0 |
| Trigger operator | gt |
| Source Uri | https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Web Session Essentials/Analytic Rules/ThreatInfoFoundInWebRequests.yaml |
| Version | 1.0.0 |
| Arm template | 7d2ed1c7-da26-45fd-b4ea-b6f2bbeccea7.json |
// Detect threat information in web requests (ASIM Web Session).
// Runs every 5 minutes over a 5-minute window (queryFrequency = queryPeriod = 5m),
// so lookback must stay aligned with queryPeriod or events will be missed or double-counted.
let lookback= 5m;
// ASIM Web Session normalizing parser; only events newer than the lookback window are read.
_Im_WebSession(starttime=ago(lookback))
// Narrow to the columns used by the filter, the aggregation keys and the entity mappings.
| project
EventSeverity,
ThreatName,
ThreatCategory,
ThreatRiskLevel,
ThreatOriginalConfidence,
ThreatField,
TimeGenerated,
SrcIpAddr,
SrcUsername,
SrcHostname,
Url,
DstIpAddr
// A row matches when ANY of the three conditions holds.
// Threshold is ">= 90", whereas the rule description says "greater than 90" — one of the two should be aligned.
// ThreatOriginalConfidence is cast with toint(): a non-numeric or empty value becomes null and that
// branch evaluates to false, so such rows can only match via the other two conditions.
// NOTE(review): the EventSeverity branch fires on any High-severity session even when no Threat* field is
// populated; if the intent is "threat information present", consider also requiring isnotempty(ThreatName).
| where ThreatRiskLevel >= 90
or toint(ThreatOriginalConfidence) >= 90
or EventSeverity =~ "High"
// One output row per distinct (source, destination, URL, threat) tuple in the window, with the
// event count and the first/last observation time. With triggerOperator gt / triggerThreshold 0 and
// aggregationKind AlertPerResult, every output row becomes its own alert.
// "EvenEndTime" is misspelled but is referenced by that name in customDetails, so it is kept as-is.
| summarize
EventCount = count(),
EventStartTime=min(TimeGenerated),
EvenEndTime=max(TimeGenerated)
by
SrcIpAddr,
SrcUsername,
SrcHostname,
Url,
DstIpAddr,
ThreatName,
ThreatCategory,
ThreatRiskLevel,
ThreatOriginalConfidence,
ThreatField
// Split a UPN-style username into the Name / UPNSuffix pair consumed by the Account entity mapping.
// split(s, '@', i) returns a single-element array, hence the trailing [0].
// When SrcUsername has no '@', Name is the raw username and UPNSuffix is empty.
| extend
Name = iif(SrcUsername contains "@", tostring(split(SrcUsername, '@', 0)[0]), SrcUsername),
UPNSuffix = iif(SrcUsername contains "@", tostring(split(SrcUsername, '@', 1)[0]), "")
queryPeriod: 5m
query: |
let lookback= 5m;
_Im_WebSession(starttime=ago(lookback))
| project
EventSeverity,
ThreatName,
ThreatCategory,
ThreatRiskLevel,
ThreatOriginalConfidence,
ThreatField,
TimeGenerated,
SrcIpAddr,
SrcUsername,
SrcHostname,
Url,
DstIpAddr
| where ThreatRiskLevel >= 90
or toint(ThreatOriginalConfidence) >= 90
or EventSeverity =~ "High"
| summarize
EventCount = count(),
EventStartTime=min(TimeGenerated),
EvenEndTime=max(TimeGenerated)
by
SrcIpAddr,
SrcUsername,
SrcHostname,
Url,
DstIpAddr,
ThreatName,
ThreatCategory,
ThreatRiskLevel,
ThreatOriginalConfidence,
ThreatField
| extend
Name = iif(SrcUsername contains "@", tostring(split(SrcUsername, '@', 0)[0]), SrcUsername),
UPNSuffix = iif(SrcUsername contains "@", tostring(split(SrcUsername, '@', 1)[0]), "")
name: Detect threat information in web requests (ASIM Web Session)
entityMappings:
- fieldMappings:
- columnName: SrcHostname
identifier: HostName
entityType: Host
- fieldMappings:
- columnName: SrcIpAddr
identifier: Address
entityType: IP
- fieldMappings:
- columnName: DstIpAddr
identifier: Address
entityType: IP
- fieldMappings:
- columnName: Name
identifier: Name
- columnName: UPNSuffix
identifier: UPNSuffix
entityType: Account
- fieldMappings:
- columnName: Url
identifier: Url
entityType: URL
queryFrequency: 5m
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Web Session Essentials/Analytic Rules/ThreatInfoFoundInWebRequests.yaml
tags:
- SchemaVersion: 0.2.6
Schema: WebSession
description: |
'This rule generates an alert if EventSeverity is 'High', or if the 'ThreatRiskLevel' or 'ThreatOriginalConfidence' value is greater than 90.'
kind: Scheduled
version: 1.0.0
eventGroupingSettings:
aggregationKind: AlertPerResult
alertDetailsOverride:
alertDisplayNameFormat: User '{{SrcUsername}}' with IP address '{{SrcIpAddr}}' has been identified as being associated with a threat named '{{ThreatName}}'
status: Available
severity: High
requiredDataConnectors: []
triggerOperator: gt
triggerThreshold: 0
customDetails:
EventCount: EventCount
ThreatConfidence: ThreatOriginalConfidence
EventStartTime: EventStartTime
EvenEndTime: EvenEndTime
ThreatCategory: ThreatCategory
ThreatName: ThreatName
tactics:
- InitialAccess
id: 7d2ed1c7-da26-45fd-b4ea-b6f2bbeccea7
relevantTechniques:
- T1190
- T1133