Microsoft Sentinel Analytic Rules

Detect threat information in web requests ASIM Web Session

Id: 7d2ed1c7-da26-45fd-b4ea-b6f2bbeccea7
Rulename: Detect threat information in web requests (ASIM Web Session)
Description: This rule generates an alert if EventSeverity is 'High', or if the 'ThreatRiskLevel' or 'ThreatOriginalConfidence' value is greater than 90.
Severity: High
Tactics: InitialAccess
Techniques: T1190
T1133
Kind: Scheduled
Query frequency: 5m
Query period: 5m
Trigger threshold: 0
Trigger operator: gt
Source Uri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Web Session Essentials/Analytic Rules/ThreatInfoFoundInWebRequests.yaml
Version: 1.0.0
Arm template: 7d2ed1c7-da26-45fd-b4ea-b6f2bbeccea7.json
// Threat-context hits in ASIM-normalised web sessions.
// Pulls the last five minutes from the _Im_WebSession parser (the same span as the
// rule's 5m query period / frequency), keeps rows whose threat fields or event
// severity cross the bar, and collapses them per source/destination/threat tuple.
let lookbackWindow = 5m;
let threatThreshold = 90;
_Im_WebSession(starttime=ago(lookbackWindow))
// Filter first, then trim columns. All three comparisons are inclusive (>= 90);
// the EventSeverity branch alone admits any "High"-severity session, even one
// whose Threat* columns are empty.
| where ThreatRiskLevel >= threatThreshold
    or toint(ThreatOriginalConfidence) >= threatThreshold
    or EventSeverity =~ "High"
| project TimeGenerated, EventSeverity,
          ThreatName, ThreatCategory, ThreatRiskLevel, ThreatOriginalConfidence, ThreatField,
          SrcIpAddr, SrcUsername, SrcHostname, Url, DstIpAddr
// One row per distinct (source, destination, threat) tuple. The aggregate column
// names -- including the misspelt EvenEndTime -- are referenced by the rule's
// customDetails and must not be renamed here.
| summarize EventCount = count(),
            EventStartTime = min(TimeGenerated),
            EvenEndTime = max(TimeGenerated)
         by SrcIpAddr, SrcUsername, SrcHostname, Url, DstIpAddr,
            ThreatName, ThreatCategory, ThreatRiskLevel, ThreatOriginalConfidence, ThreatField
// Split a UPN-style SrcUsername (user@domain) into the Name / UPNSuffix columns the
// Account entity mapping reads; a plain username passes through with an empty suffix.
| extend IsUpn = SrcUsername contains "@"
| extend Name = iif(IsUpn, tostring(split(SrcUsername, '@', 0)[0]), SrcUsername),
         UPNSuffix = iif(IsUpn, tostring(split(SrcUsername, '@', 1)[0]), "")
| project-away IsUpn
relevantTechniques:
- T1190
- T1133
name: Detect threat information in web requests (ASIM Web Session)
requiredDataConnectors: []
entityMappings:
- fieldMappings:
  - identifier: HostName
    columnName: SrcHostname
  entityType: Host
- fieldMappings:
  - identifier: Address
    columnName: SrcIpAddr
  entityType: IP
- fieldMappings:
  - identifier: Address
    columnName: DstIpAddr
  entityType: IP
- fieldMappings:
  - identifier: Name
    columnName: Name
  - identifier: UPNSuffix
    columnName: UPNSuffix
  entityType: Account
- fieldMappings:
  - identifier: Url
    columnName: Url
  entityType: URL
triggerThreshold: 0
id: 7d2ed1c7-da26-45fd-b4ea-b6f2bbeccea7
tactics:
- InitialAccess
version: 1.0.0
customDetails:
  ThreatCategory: ThreatCategory
  EventCount: EventCount
  ThreatConfidence: ThreatOriginalConfidence
  ThreatName: ThreatName
  EventStartTime: EventStartTime
  EvenEndTime: EvenEndTime
queryPeriod: 5m
alertDetailsOverride:
  alertDisplayNameFormat: User '{{SrcUsername}}' with IP address '{{SrcIpAddr}}' has been identified as being associated with a threat named '{{ThreatName}}'
triggerOperator: gt
kind: Scheduled
tags:
- Schema: WebSession
  SchemaVersion: 0.2.6
eventGroupingSettings:
  aggregationKind: AlertPerResult
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Web Session Essentials/Analytic Rules/ThreatInfoFoundInWebRequests.yaml
queryFrequency: 5m
severity: High
status: Available
description: |
    This rule generates an alert if EventSeverity is 'High', or if the 'ThreatRiskLevel' or 'ThreatOriginalConfidence' value is greater than 90.
query: |
  let lookback= 5m;
  _Im_WebSession(starttime=ago(lookback))
  | project
      EventSeverity,
      ThreatName,
      ThreatCategory,
      ThreatRiskLevel,
      ThreatOriginalConfidence,
      ThreatField,
      TimeGenerated,
      SrcIpAddr,
      SrcUsername,
      SrcHostname,
      Url,
      DstIpAddr
  | where ThreatRiskLevel >= 90
      or toint(ThreatOriginalConfidence) >= 90
      or EventSeverity =~ "High"
  | summarize
      EventCount = count(),
      EventStartTime=min(TimeGenerated),
      EvenEndTime=max(TimeGenerated)
      by
      SrcIpAddr,
      SrcUsername,
      SrcHostname,
      Url,
      DstIpAddr,
      ThreatName,
      ThreatCategory,
      ThreatRiskLevel,
      ThreatOriginalConfidence,
      ThreatField
  | extend
      Name = iif(SrcUsername contains "@", tostring(split(SrcUsername, '@', 0)[0]), SrcUsername),
      UPNSuffix = iif(SrcUsername contains "@", tostring(split(SrcUsername, '@', 1)[0]), "")  
{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "workspace": {
      "type": "String"
    }
  },
  "resources": [
    {
      "apiVersion": "2024-01-01-preview",
      "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/7d2ed1c7-da26-45fd-b4ea-b6f2bbeccea7')]",
      "kind": "Scheduled",
      "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/7d2ed1c7-da26-45fd-b4ea-b6f2bbeccea7')]",
      "properties": {
        "alertDetailsOverride": {
          "alertDisplayNameFormat": "User '{{SrcUsername}}' with IP address '{{SrcIpAddr}}' has been identified as being associated with a threat named '{{ThreatName}}'"
        },
        "alertRuleTemplateName": "7d2ed1c7-da26-45fd-b4ea-b6f2bbeccea7",
        "customDetails": {
          "EvenEndTime": "EvenEndTime",
          "EventCount": "EventCount",
          "EventStartTime": "EventStartTime",
          "ThreatCategory": "ThreatCategory",
          "ThreatConfidence": "ThreatOriginalConfidence",
          "ThreatName": "ThreatName"
        },
        "description": "This rule generates an alert if EventSeverity is 'High', or if the 'ThreatRiskLevel' or 'ThreatOriginalConfidence' value is greater than 90.\n",
        "displayName": "Detect threat information in web requests (ASIM Web Session)",
        "enabled": true,
        "entityMappings": [
          {
            "entityType": "Host",
            "fieldMappings": [
              {
                "columnName": "SrcHostname",
                "identifier": "HostName"
              }
            ]
          },
          {
            "entityType": "IP",
            "fieldMappings": [
              {
                "columnName": "SrcIpAddr",
                "identifier": "Address"
              }
            ]
          },
          {
            "entityType": "IP",
            "fieldMappings": [
              {
                "columnName": "DstIpAddr",
                "identifier": "Address"
              }
            ]
          },
          {
            "entityType": "Account",
            "fieldMappings": [
              {
                "columnName": "Name",
                "identifier": "Name"
              },
              {
                "columnName": "UPNSuffix",
                "identifier": "UPNSuffix"
              }
            ]
          },
          {
            "entityType": "URL",
            "fieldMappings": [
              {
                "columnName": "Url",
                "identifier": "Url"
              }
            ]
          }
        ],
        "eventGroupingSettings": {
          "aggregationKind": "AlertPerResult"
        },
        "OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Web Session Essentials/Analytic Rules/ThreatInfoFoundInWebRequests.yaml",
        "query": "let lookback= 5m;\n_Im_WebSession(starttime=ago(lookback))\n| project\n    EventSeverity,\n    ThreatName,\n    ThreatCategory,\n    ThreatRiskLevel,\n    ThreatOriginalConfidence,\n    ThreatField,\n    TimeGenerated,\n    SrcIpAddr,\n    SrcUsername,\n    SrcHostname,\n    Url,\n    DstIpAddr\n| where ThreatRiskLevel >= 90\n    or toint(ThreatOriginalConfidence) >= 90\n    or EventSeverity =~ \"High\"\n| summarize\n    EventCount = count(),\n    EventStartTime=min(TimeGenerated),\n    EvenEndTime=max(TimeGenerated)\n    by\n    SrcIpAddr,\n    SrcUsername,\n    SrcHostname,\n    Url,\n    DstIpAddr,\n    ThreatName,\n    ThreatCategory,\n    ThreatRiskLevel,\n    ThreatOriginalConfidence,\n    ThreatField\n| extend\n    Name = iif(SrcUsername contains \"@\", tostring(split(SrcUsername, '@', 0)[0]), SrcUsername),\n    UPNSuffix = iif(SrcUsername contains \"@\", tostring(split(SrcUsername, '@', 1)[0]), \"\")\n",
        "queryFrequency": "PT5M",
        "queryPeriod": "PT5M",
        "severity": "High",
        "status": "Available",
        "subTechniques": [],
        "suppressionDuration": "PT1H",
        "suppressionEnabled": false,
        "tactics": [
          "InitialAccess"
        ],
        "tags": [
          {
            "Schema": "WebSession",
            "SchemaVersion": "0.2.6"
          }
        ],
        "techniques": [
          "T1133",
          "T1190"
        ],
        "templateVersion": "1.0.0",
        "triggerOperator": "GreaterThan",
        "triggerThreshold": 0
      },
      "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules"
    }
  ]
}