Microsoft Sentinel Analytic Rules
cloudbrothers.infoAzure Sentinel RepoToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeBack to homepage

Detect threat information in web requests ASIM Web Session

Back
Id7d2ed1c7-da26-45fd-b4ea-b6f2bbeccea7
RulenameDetect threat information in web requests (ASIM Web Session)
DescriptionThis rule would generate an alert if EvenSeverity is ‘High’ or ‘ThreatRiskLevel’ or ‘ThreatOriginalConfidence’ value is greater than 90.
SeverityHigh
TacticsInitialAccess
TechniquesT1190
T1133
KindScheduled
Query frequency5m
Query period5m
Trigger threshold0
Trigger operatorgt
Source Urihttps://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Web Session Essentials/Analytic Rules/ThreatInfoFoundInWebRequests.yaml
Version1.0.0
Arm template7d2ed1c7-da26-45fd-b4ea-b6f2bbeccea7.json
Deploy To Azure
let lookback= 5m;
_Im_WebSession(starttime=ago(lookback))
| project
    EventSeverity,
    ThreatName,
    ThreatCategory,
    ThreatRiskLevel,
    ThreatOriginalConfidence,
    ThreatField,
    TimeGenerated,
    SrcIpAddr,
    SrcUsername,
    SrcHostname,
    Url,
    DstIpAddr
| where ThreatRiskLevel >= 90
    or toint(ThreatOriginalConfidence) >= 90
    or EventSeverity =~ "High"
| summarize
    EventCount = count(),
    EventStartTime=min(TimeGenerated),
    EvenEndTime=max(TimeGenerated)
    by
    SrcIpAddr,
    SrcUsername,
    SrcHostname,
    Url,
    DstIpAddr,
    ThreatName,
    ThreatCategory,
    ThreatRiskLevel,
    ThreatOriginalConfidence,
    ThreatField
| extend
    Name = iif(SrcUsername contains "@", tostring(split(SrcUsername, '@', 0)[0]), SrcUsername),
    UPNSuffix = iif(SrcUsername contains "@", tostring(split(SrcUsername, '@', 1)[0]), "")
kind: Scheduled
relevantTechniques:
- T1190
- T1133
description: |
    'This rule would generate an alert if EvenSeverity is 'High' or 'ThreatRiskLevel' or 'ThreatOriginalConfidence' value is greater than 90.
queryPeriod: 5m
queryFrequency: 5m
alertDetailsOverride:
  alertDisplayNameFormat: User '{{SrcUsername}}' with IP address '{{SrcIpAddr}}' has been identified as being associated with a threat named '{{ThreatName}}'
tactics:
- InitialAccess
name: Detect threat information in web requests (ASIM Web Session)
requiredDataConnectors: []
customDetails:
  EventStartTime: EventStartTime
  ThreatConfidence: ThreatOriginalConfidence
  ThreatCategory: ThreatCategory
  EventCount: EventCount
  EvenEndTime: EvenEndTime
  ThreatName: ThreatName
entityMappings:
- entityType: Host
  fieldMappings:
  - identifier: HostName
    columnName: SrcHostname
- entityType: IP
  fieldMappings:
  - identifier: Address
    columnName: SrcIpAddr
- entityType: IP
  fieldMappings:
  - identifier: Address
    columnName: DstIpAddr
- entityType: Account
  fieldMappings:
  - identifier: Name
    columnName: Name
  - identifier: UPNSuffix
    columnName: UPNSuffix
- entityType: URL
  fieldMappings:
  - identifier: Url
    columnName: Url
triggerThreshold: 0
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Web Session Essentials/Analytic Rules/ThreatInfoFoundInWebRequests.yaml
version: 1.0.0
id: 7d2ed1c7-da26-45fd-b4ea-b6f2bbeccea7
query: |
  let lookback= 5m;
  _Im_WebSession(starttime=ago(lookback))
  | project
      EventSeverity,
      ThreatName,
      ThreatCategory,
      ThreatRiskLevel,
      ThreatOriginalConfidence,
      ThreatField,
      TimeGenerated,
      SrcIpAddr,
      SrcUsername,
      SrcHostname,
      Url,
      DstIpAddr
  | where ThreatRiskLevel >= 90
      or toint(ThreatOriginalConfidence) >= 90
      or EventSeverity =~ "High"
  | summarize
      EventCount = count(),
      EventStartTime=min(TimeGenerated),
      EvenEndTime=max(TimeGenerated)
      by
      SrcIpAddr,
      SrcUsername,
      SrcHostname,
      Url,
      DstIpAddr,
      ThreatName,
      ThreatCategory,
      ThreatRiskLevel,
      ThreatOriginalConfidence,
      ThreatField
  | extend
      Name = iif(SrcUsername contains "@", tostring(split(SrcUsername, '@', 0)[0]), SrcUsername),
      UPNSuffix = iif(SrcUsername contains "@", tostring(split(SrcUsername, '@', 1)[0]), "")  
status: Available
eventGroupingSettings:
  aggregationKind: AlertPerResult
triggerOperator: gt
tags:
- SchemaVersion: 0.2.6
  Schema: WebSession
severity: High
{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "workspace": {
      "type": "String"
    }
  },
  "resources": [
    {
      "apiVersion": "2024-01-01-preview",
      "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/7d2ed1c7-da26-45fd-b4ea-b6f2bbeccea7')]",
      "kind": "Scheduled",
      "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/7d2ed1c7-da26-45fd-b4ea-b6f2bbeccea7')]",
      "properties": {
        "alertDetailsOverride": {
          "alertDisplayNameFormat": "User '{{SrcUsername}}' with IP address '{{SrcIpAddr}}' has been identified as being associated with a threat named '{{ThreatName}}'"
        },
        "alertRuleTemplateName": "7d2ed1c7-da26-45fd-b4ea-b6f2bbeccea7",
        "customDetails": {
          "EvenEndTime": "EvenEndTime",
          "EventCount": "EventCount",
          "EventStartTime": "EventStartTime",
          "ThreatCategory": "ThreatCategory",
          "ThreatConfidence": "ThreatOriginalConfidence",
          "ThreatName": "ThreatName"
        },
        "description": "'This rule would generate an alert if EvenSeverity is 'High' or 'ThreatRiskLevel' or 'ThreatOriginalConfidence' value is greater than 90.\n",
        "displayName": "Detect threat information in web requests (ASIM Web Session)",
        "enabled": true,
        "entityMappings": [
          {
            "entityType": "Host",
            "fieldMappings": [
              {
                "columnName": "SrcHostname",
                "identifier": "HostName"
              }
            ]
          },
          {
            "entityType": "IP",
            "fieldMappings": [
              {
                "columnName": "SrcIpAddr",
                "identifier": "Address"
              }
            ]
          },
          {
            "entityType": "IP",
            "fieldMappings": [
              {
                "columnName": "DstIpAddr",
                "identifier": "Address"
              }
            ]
          },
          {
            "entityType": "Account",
            "fieldMappings": [
              {
                "columnName": "Name",
                "identifier": "Name"
              },
              {
                "columnName": "UPNSuffix",
                "identifier": "UPNSuffix"
              }
            ]
          },
          {
            "entityType": "URL",
            "fieldMappings": [
              {
                "columnName": "Url",
                "identifier": "Url"
              }
            ]
          }
        ],
        "eventGroupingSettings": {
          "aggregationKind": "AlertPerResult"
        },
        "OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Web Session Essentials/Analytic Rules/ThreatInfoFoundInWebRequests.yaml",
        "query": "let lookback= 5m;\n_Im_WebSession(starttime=ago(lookback))\n| project\n    EventSeverity,\n    ThreatName,\n    ThreatCategory,\n    ThreatRiskLevel,\n    ThreatOriginalConfidence,\n    ThreatField,\n    TimeGenerated,\n    SrcIpAddr,\n    SrcUsername,\n    SrcHostname,\n    Url,\n    DstIpAddr\n| where ThreatRiskLevel >= 90\n    or toint(ThreatOriginalConfidence) >= 90\n    or EventSeverity =~ \"High\"\n| summarize\n    EventCount = count(),\n    EventStartTime=min(TimeGenerated),\n    EvenEndTime=max(TimeGenerated)\n    by\n    SrcIpAddr,\n    SrcUsername,\n    SrcHostname,\n    Url,\n    DstIpAddr,\n    ThreatName,\n    ThreatCategory,\n    ThreatRiskLevel,\n    ThreatOriginalConfidence,\n    ThreatField\n| extend\n    Name = iif(SrcUsername contains \"@\", tostring(split(SrcUsername, '@', 0)[0]), SrcUsername),\n    UPNSuffix = iif(SrcUsername contains \"@\", tostring(split(SrcUsername, '@', 1)[0]), \"\")\n",
        "queryFrequency": "PT5M",
        "queryPeriod": "PT5M",
        "severity": "High",
        "status": "Available",
        "subTechniques": [],
        "suppressionDuration": "PT1H",
        "suppressionEnabled": false,
        "tactics": [
          "InitialAccess"
        ],
        "tags": [
          {
            "Schema": "WebSession",
            "SchemaVersion": "0.2.6"
          }
        ],
        "techniques": [
          "T1133",
          "T1190"
        ],
        "templateVersion": "1.0.0",
        "triggerOperator": "GreaterThan",
        "triggerThreshold": 0
      },
      "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules"
    }
  ]
}