Microsoft Sentinel Analytic Rules
cloudbrothers.infoAzure Sentinel RepoToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeBack to homepage

Detect threat information in web requests ASIM Web Session

Back
Id7d2ed1c7-da26-45fd-b4ea-b6f2bbeccea7
RulenameDetect threat information in web requests (ASIM Web Session)
DescriptionThis rule would generate an alert if EvenSeverity is ‘High’ or ‘ThreatRiskLevel’ or ‘ThreatOriginalConfidence’ value is greater than 90.
SeverityHigh
TacticsInitialAccess
TechniquesT1190
T1133
KindScheduled
Query frequency5m
Query period5m
Trigger threshold0
Trigger operatorgt
Source Urihttps://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Web Session Essentials/Analytic Rules/ThreatInfoFoundInWebRequests.yaml
Version1.0.0
Arm template7d2ed1c7-da26-45fd-b4ea-b6f2bbeccea7.json
Deploy To Azure
let lookback= 5m;
_Im_WebSession(starttime=ago(lookback))
| project
    EventSeverity,
    ThreatName,
    ThreatCategory,
    ThreatRiskLevel,
    ThreatOriginalConfidence,
    ThreatField,
    TimeGenerated,
    SrcIpAddr,
    SrcUsername,
    SrcHostname,
    Url,
    DstIpAddr
| where ThreatRiskLevel >= 90
    or toint(ThreatOriginalConfidence) >= 90
    or EventSeverity =~ "High"
| summarize
    EventCount = count(),
    EventStartTime=min(TimeGenerated),
    EvenEndTime=max(TimeGenerated)
    by
    SrcIpAddr,
    SrcUsername,
    SrcHostname,
    Url,
    DstIpAddr,
    ThreatName,
    ThreatCategory,
    ThreatRiskLevel,
    ThreatOriginalConfidence,
    ThreatField
| extend
    Name = iif(SrcUsername contains "@", tostring(split(SrcUsername, '@', 0)[0]), SrcUsername),
    UPNSuffix = iif(SrcUsername contains "@", tostring(split(SrcUsername, '@', 1)[0]), "")
status: Available
relevantTechniques:
- T1190
- T1133
entityMappings:
- entityType: Host
  fieldMappings:
  - columnName: SrcHostname
    identifier: HostName
- entityType: IP
  fieldMappings:
  - columnName: SrcIpAddr
    identifier: Address
- entityType: IP
  fieldMappings:
  - columnName: DstIpAddr
    identifier: Address
- entityType: Account
  fieldMappings:
  - columnName: Name
    identifier: Name
  - columnName: UPNSuffix
    identifier: UPNSuffix
- entityType: URL
  fieldMappings:
  - columnName: Url
    identifier: Url
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Web Session Essentials/Analytic Rules/ThreatInfoFoundInWebRequests.yaml
triggerOperator: gt
id: 7d2ed1c7-da26-45fd-b4ea-b6f2bbeccea7
description: |
    'This rule would generate an alert if EvenSeverity is 'High' or 'ThreatRiskLevel' or 'ThreatOriginalConfidence' value is greater than 90.
eventGroupingSettings:
  aggregationKind: AlertPerResult
queryPeriod: 5m
alertDetailsOverride:
  alertDisplayNameFormat: User '{{SrcUsername}}' with IP address '{{SrcIpAddr}}' has been identified as being associated with a threat named '{{ThreatName}}'
kind: Scheduled
requiredDataConnectors: []
tags:
- Schema: WebSession
  SchemaVersion: 0.2.6
name: Detect threat information in web requests (ASIM Web Session)
tactics:
- InitialAccess
triggerThreshold: 0
version: 1.0.0
severity: High
query: |
  let lookback= 5m;
  _Im_WebSession(starttime=ago(lookback))
  | project
      EventSeverity,
      ThreatName,
      ThreatCategory,
      ThreatRiskLevel,
      ThreatOriginalConfidence,
      ThreatField,
      TimeGenerated,
      SrcIpAddr,
      SrcUsername,
      SrcHostname,
      Url,
      DstIpAddr
  | where ThreatRiskLevel >= 90
      or toint(ThreatOriginalConfidence) >= 90
      or EventSeverity =~ "High"
  | summarize
      EventCount = count(),
      EventStartTime=min(TimeGenerated),
      EvenEndTime=max(TimeGenerated)
      by
      SrcIpAddr,
      SrcUsername,
      SrcHostname,
      Url,
      DstIpAddr,
      ThreatName,
      ThreatCategory,
      ThreatRiskLevel,
      ThreatOriginalConfidence,
      ThreatField
  | extend
      Name = iif(SrcUsername contains "@", tostring(split(SrcUsername, '@', 0)[0]), SrcUsername),
      UPNSuffix = iif(SrcUsername contains "@", tostring(split(SrcUsername, '@', 1)[0]), "")  
queryFrequency: 5m
customDetails:
  EvenEndTime: EvenEndTime
  EventCount: EventCount
  ThreatName: ThreatName
  ThreatCategory: ThreatCategory
  EventStartTime: EventStartTime
  ThreatConfidence: ThreatOriginalConfidence
{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "workspace": {
      "type": "String"
    }
  },
  "resources": [
    {
      "apiVersion": "2024-01-01-preview",
      "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/7d2ed1c7-da26-45fd-b4ea-b6f2bbeccea7')]",
      "kind": "Scheduled",
      "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/7d2ed1c7-da26-45fd-b4ea-b6f2bbeccea7')]",
      "properties": {
        "alertDetailsOverride": {
          "alertDisplayNameFormat": "User '{{SrcUsername}}' with IP address '{{SrcIpAddr}}' has been identified as being associated with a threat named '{{ThreatName}}'"
        },
        "alertRuleTemplateName": "7d2ed1c7-da26-45fd-b4ea-b6f2bbeccea7",
        "customDetails": {
          "EvenEndTime": "EvenEndTime",
          "EventCount": "EventCount",
          "EventStartTime": "EventStartTime",
          "ThreatCategory": "ThreatCategory",
          "ThreatConfidence": "ThreatOriginalConfidence",
          "ThreatName": "ThreatName"
        },
        "description": "'This rule would generate an alert if EvenSeverity is 'High' or 'ThreatRiskLevel' or 'ThreatOriginalConfidence' value is greater than 90.\n",
        "displayName": "Detect threat information in web requests (ASIM Web Session)",
        "enabled": true,
        "entityMappings": [
          {
            "entityType": "Host",
            "fieldMappings": [
              {
                "columnName": "SrcHostname",
                "identifier": "HostName"
              }
            ]
          },
          {
            "entityType": "IP",
            "fieldMappings": [
              {
                "columnName": "SrcIpAddr",
                "identifier": "Address"
              }
            ]
          },
          {
            "entityType": "IP",
            "fieldMappings": [
              {
                "columnName": "DstIpAddr",
                "identifier": "Address"
              }
            ]
          },
          {
            "entityType": "Account",
            "fieldMappings": [
              {
                "columnName": "Name",
                "identifier": "Name"
              },
              {
                "columnName": "UPNSuffix",
                "identifier": "UPNSuffix"
              }
            ]
          },
          {
            "entityType": "URL",
            "fieldMappings": [
              {
                "columnName": "Url",
                "identifier": "Url"
              }
            ]
          }
        ],
        "eventGroupingSettings": {
          "aggregationKind": "AlertPerResult"
        },
        "OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Web Session Essentials/Analytic Rules/ThreatInfoFoundInWebRequests.yaml",
        "query": "let lookback= 5m;\n_Im_WebSession(starttime=ago(lookback))\n| project\n    EventSeverity,\n    ThreatName,\n    ThreatCategory,\n    ThreatRiskLevel,\n    ThreatOriginalConfidence,\n    ThreatField,\n    TimeGenerated,\n    SrcIpAddr,\n    SrcUsername,\n    SrcHostname,\n    Url,\n    DstIpAddr\n| where ThreatRiskLevel >= 90\n    or toint(ThreatOriginalConfidence) >= 90\n    or EventSeverity =~ \"High\"\n| summarize\n    EventCount = count(),\n    EventStartTime=min(TimeGenerated),\n    EvenEndTime=max(TimeGenerated)\n    by\n    SrcIpAddr,\n    SrcUsername,\n    SrcHostname,\n    Url,\n    DstIpAddr,\n    ThreatName,\n    ThreatCategory,\n    ThreatRiskLevel,\n    ThreatOriginalConfidence,\n    ThreatField\n| extend\n    Name = iif(SrcUsername contains \"@\", tostring(split(SrcUsername, '@', 0)[0]), SrcUsername),\n    UPNSuffix = iif(SrcUsername contains \"@\", tostring(split(SrcUsername, '@', 1)[0]), \"\")\n",
        "queryFrequency": "PT5M",
        "queryPeriod": "PT5M",
        "severity": "High",
        "status": "Available",
        "subTechniques": [],
        "suppressionDuration": "PT1H",
        "suppressionEnabled": false,
        "tactics": [
          "InitialAccess"
        ],
        "tags": [
          {
            "Schema": "WebSession",
            "SchemaVersion": "0.2.6"
          }
        ],
        "techniques": [
          "T1133",
          "T1190"
        ],
        "templateVersion": "1.0.0",
        "triggerOperator": "GreaterThan",
        "triggerThreshold": 0
      },
      "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules"
    }
  ]
}