Detect threat information in web requests ASIM Web Session
| Id | 7d2ed1c7-da26-45fd-b4ea-b6f2bbeccea7 |
| Rulename | Detect threat information in web requests (ASIM Web Session) |
| Description | This rule generates an alert if EventSeverity is 'High', or if the ThreatRiskLevel or ThreatOriginalConfidence value is greater than 90. |
| Severity | High |
| Tactics | InitialAccess |
| Techniques | T1190 T1133 |
| Kind | Scheduled |
| Query frequency | 5m |
| Query period | 5m |
| Trigger threshold | 0 |
| Trigger operator | gt |
| Source Uri | https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Web Session Essentials/Analytic Rules/ThreatInfoFoundInWebRequests.yaml |
| Version | 1.0.0 |
| Arm template | 7d2ed1c7-da26-45fd-b4ea-b6f2bbeccea7.json |
// Detect threat information in web requests (ASIM Web Session).
// Reads the normalized ASIM WebSession view for the last `lookback` and keeps
// events the data source has already tagged as a threat: ThreatRiskLevel or
// ThreatOriginalConfidence at or above `threatThreshold`, or EventSeverity "High".
// Note: the filter is inclusive (>= 90) while the rule description says
// "greater than 90"; the query, not the description, is what alerts.
let lookback = 5m;
let threatThreshold = 90;
_Im_WebSession(starttime=ago(lookback))
// ThreatRiskLevel is compared as-is; ThreatOriginalConfidence is cast with toint(),
// so a non-numeric confidence value becomes null and does not satisfy the filter.
| where ThreatRiskLevel >= threatThreshold
    or toint(ThreatOriginalConfidence) >= threatThreshold
    or EventSeverity =~ "High"
// One row per source / destination / threat tuple with the time span it covers.
// The column name EvenEndTime (sic) is deliberately kept: the rule's customDetails
// section maps that exact name.
| summarize
    EventCount = count(),
    EventStartTime = min(TimeGenerated),
    EvenEndTime = max(TimeGenerated)
    by SrcIpAddr, SrcUsername, SrcHostname, Url, DstIpAddr,
       ThreatName, ThreatCategory, ThreatRiskLevel, ThreatOriginalConfidence, ThreatField
// Split a UPN-style username into the Account entity's Name / UPNSuffix parts;
// a username without "@" is used whole as Name and gets an empty suffix.
| extend IsUpn = SrcUsername contains "@"
| extend
    Name = iif(IsUpn, tostring(split(SrcUsername, "@")[0]), SrcUsername),
    UPNSuffix = iif(IsUpn, tostring(split(SrcUsername, "@")[1]), "")
| project-away IsUpn
tags:
- Schema: WebSession
SchemaVersion: 0.2.6
alertDetailsOverride:
alertDisplayNameFormat: User '{{SrcUsername}}' with IP address '{{SrcIpAddr}}' has been identified as being associated with a threat named '{{ThreatName}}'
id: 7d2ed1c7-da26-45fd-b4ea-b6f2bbeccea7
description: |
This rule generates an alert if EventSeverity is 'High', or if the ThreatRiskLevel or ThreatOriginalConfidence value is greater than 90.
triggerThreshold: 0
entityMappings:
- fieldMappings:
- columnName: SrcHostname
identifier: HostName
entityType: Host
- fieldMappings:
- columnName: SrcIpAddr
identifier: Address
entityType: IP
- fieldMappings:
- columnName: DstIpAddr
identifier: Address
entityType: IP
- fieldMappings:
- columnName: Name
identifier: Name
- columnName: UPNSuffix
identifier: UPNSuffix
entityType: Account
- fieldMappings:
- columnName: Url
identifier: Url
entityType: URL
version: 1.0.0
triggerOperator: gt
query: |
// Detect threat information in web requests (ASIM Web Session).
// Reads the normalized ASIM WebSession view for the last `lookback` and keeps
// events the data source has already tagged as a threat: ThreatRiskLevel or
// ThreatOriginalConfidence at or above `threatThreshold`, or EventSeverity "High".
// Note: the filter is inclusive (>= 90) while the rule description says
// "greater than 90"; the query, not the description, is what alerts.
let lookback = 5m;
let threatThreshold = 90;
_Im_WebSession(starttime=ago(lookback))
// ThreatRiskLevel is compared as-is; ThreatOriginalConfidence is cast with toint(),
// so a non-numeric confidence value becomes null and does not satisfy the filter.
| where ThreatRiskLevel >= threatThreshold
    or toint(ThreatOriginalConfidence) >= threatThreshold
    or EventSeverity =~ "High"
// One row per source / destination / threat tuple with the time span it covers.
// The column name EvenEndTime (sic) is deliberately kept: the rule's customDetails
// section maps that exact name.
| summarize
    EventCount = count(),
    EventStartTime = min(TimeGenerated),
    EvenEndTime = max(TimeGenerated)
    by SrcIpAddr, SrcUsername, SrcHostname, Url, DstIpAddr,
       ThreatName, ThreatCategory, ThreatRiskLevel, ThreatOriginalConfidence, ThreatField
// Split a UPN-style username into the Account entity's Name / UPNSuffix parts;
// a username without "@" is used whole as Name and gets an empty suffix.
| extend IsUpn = SrcUsername contains "@"
| extend
    Name = iif(IsUpn, tostring(split(SrcUsername, "@")[0]), SrcUsername),
    UPNSuffix = iif(IsUpn, tostring(split(SrcUsername, "@")[1]), "")
| project-away IsUpn
tactics:
- InitialAccess
kind: Scheduled
queryFrequency: 5m
name: Detect threat information in web requests (ASIM Web Session)
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Web Session Essentials/Analytic Rules/ThreatInfoFoundInWebRequests.yaml
severity: High
queryPeriod: 5m
requiredDataConnectors: []
status: Available
customDetails:
EventCount: EventCount
EvenEndTime: EvenEndTime
ThreatCategory: ThreatCategory
ThreatConfidence: ThreatOriginalConfidence
ThreatName: ThreatName
EventStartTime: EventStartTime
eventGroupingSettings:
aggregationKind: AlertPerResult
relevantTechniques:
- T1190
- T1133