Detect threat information in web requests (ASIM Web Session)
| Id | 7d2ed1c7-da26-45fd-b4ea-b6f2bbeccea7 |
| Rulename | Detect threat information in web requests (ASIM Web Session) |
| Description | This rule would generate an alert if EvenSeverity is ‘High’ or ‘ThreatRiskLevel’ or ‘ThreatOriginalConfidence’ value is greater than 90. |
| Severity | High |
| Tactics | InitialAccess |
| Techniques | T1190 T1133 |
| Kind | Scheduled |
| Query frequency | 5m |
| Query period | 5m |
| Trigger threshold | 0 |
| Trigger operator | gt |
| Source Uri | https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Web Session Essentials/Analytic Rules/ThreatInfoFoundInWebRequests.yaml |
| Version | 1.0.0 |
| Arm template | 7d2ed1c7-da26-45fd-b4ea-b6f2bbeccea7.json |
let lookback= 5m;
_Im_WebSession(starttime=ago(lookback))
| project
EventSeverity,
ThreatName,
ThreatCategory,
ThreatRiskLevel,
ThreatOriginalConfidence,
ThreatField,
TimeGenerated,
SrcIpAddr,
SrcUsername,
SrcHostname,
Url,
DstIpAddr
| where ThreatRiskLevel >= 90
or toint(ThreatOriginalConfidence) >= 90
or EventSeverity =~ "High"
| summarize
EventCount = count(),
EventStartTime=min(TimeGenerated),
EvenEndTime=max(TimeGenerated)
by
SrcIpAddr,
SrcUsername,
SrcHostname,
Url,
DstIpAddr,
ThreatName,
ThreatCategory,
ThreatRiskLevel,
ThreatOriginalConfidence,
ThreatField
| extend
Name = iif(SrcUsername contains "@", tostring(split(SrcUsername, '@', 0)[0]), SrcUsername),
UPNSuffix = iif(SrcUsername contains "@", tostring(split(SrcUsername, '@', 1)[0]), "")
tags:
- Schema: WebSession
SchemaVersion: 0.2.6
customDetails:
ThreatCategory: ThreatCategory
EventCount: EventCount
ThreatConfidence: ThreatOriginalConfidence
EvenEndTime: EvenEndTime
EventStartTime: EventStartTime
ThreatName: ThreatName
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Web Session Essentials/Analytic Rules/ThreatInfoFoundInWebRequests.yaml
requiredDataConnectors: []
alertDetailsOverride:
alertDisplayNameFormat: User '{{SrcUsername}}' with IP address '{{SrcIpAddr}}' has been identified as being associated with a threat named '{{ThreatName}}'
id: 7d2ed1c7-da26-45fd-b4ea-b6f2bbeccea7
tactics:
- InitialAccess
queryFrequency: 5m
eventGroupingSettings:
aggregationKind: AlertPerResult
triggerOperator: gt
relevantTechniques:
- T1190
- T1133
description: |
'This rule would generate an alert if EvenSeverity is 'High' or 'ThreatRiskLevel' or 'ThreatOriginalConfidence' value is greater than 90.
triggerThreshold: 0
kind: Scheduled
name: Detect threat information in web requests (ASIM Web Session)
query: |
let lookback= 5m;
_Im_WebSession(starttime=ago(lookback))
| project
EventSeverity,
ThreatName,
ThreatCategory,
ThreatRiskLevel,
ThreatOriginalConfidence,
ThreatField,
TimeGenerated,
SrcIpAddr,
SrcUsername,
SrcHostname,
Url,
DstIpAddr
| where ThreatRiskLevel >= 90
or toint(ThreatOriginalConfidence) >= 90
or EventSeverity =~ "High"
| summarize
EventCount = count(),
EventStartTime=min(TimeGenerated),
EvenEndTime=max(TimeGenerated)
by
SrcIpAddr,
SrcUsername,
SrcHostname,
Url,
DstIpAddr,
ThreatName,
ThreatCategory,
ThreatRiskLevel,
ThreatOriginalConfidence,
ThreatField
| extend
Name = iif(SrcUsername contains "@", tostring(split(SrcUsername, '@', 0)[0]), SrcUsername),
UPNSuffix = iif(SrcUsername contains "@", tostring(split(SrcUsername, '@', 1)[0]), "")
entityMappings:
- entityType: Host
fieldMappings:
- columnName: SrcHostname
identifier: HostName
- entityType: IP
fieldMappings:
- columnName: SrcIpAddr
identifier: Address
- entityType: IP
fieldMappings:
- columnName: DstIpAddr
identifier: Address
- entityType: Account
fieldMappings:
- columnName: Name
identifier: Name
- columnName: UPNSuffix
identifier: UPNSuffix
- entityType: URL
fieldMappings:
- columnName: Url
identifier: Url
status: Available
severity: High
version: 1.0.0
queryPeriod: 5m
{
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"parameters": {
"workspace": {
"type": "String"
}
},
"resources": [
{
"id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/7d2ed1c7-da26-45fd-b4ea-b6f2bbeccea7')]",
"name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/7d2ed1c7-da26-45fd-b4ea-b6f2bbeccea7')]",
"type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
"kind": "Scheduled",
"apiVersion": "2022-11-01-preview",
"properties": {
"displayName": "Detect threat information in web requests (ASIM Web Session)",
"description": "'This rule would generate an alert if EvenSeverity is 'High' or 'ThreatRiskLevel' or 'ThreatOriginalConfidence' value is greater than 90.\n",
"severity": "High",
"enabled": true,
"query": "let lookback= 5m;\n_Im_WebSession(starttime=ago(lookback))\n| project\n EventSeverity,\n ThreatName,\n ThreatCategory,\n ThreatRiskLevel,\n ThreatOriginalConfidence,\n ThreatField,\n TimeGenerated,\n SrcIpAddr,\n SrcUsername,\n SrcHostname,\n Url,\n DstIpAddr\n| where ThreatRiskLevel >= 90\n or toint(ThreatOriginalConfidence) >= 90\n or EventSeverity =~ \"High\"\n| summarize\n EventCount = count(),\n EventStartTime=min(TimeGenerated),\n EvenEndTime=max(TimeGenerated)\n by\n SrcIpAddr,\n SrcUsername,\n SrcHostname,\n Url,\n DstIpAddr,\n ThreatName,\n ThreatCategory,\n ThreatRiskLevel,\n ThreatOriginalConfidence,\n ThreatField\n| extend\n Name = iif(SrcUsername contains \"@\", tostring(split(SrcUsername, '@', 0)[0]), SrcUsername),\n UPNSuffix = iif(SrcUsername contains \"@\", tostring(split(SrcUsername, '@', 1)[0]), \"\")\n",
"queryFrequency": "PT5M",
"queryPeriod": "PT5M",
"triggerOperator": "GreaterThan",
"triggerThreshold": 0,
"suppressionDuration": "PT1H",
"suppressionEnabled": false,
"tactics": [
"InitialAccess"
],
"techniques": [
"T1190",
"T1133"
],
"alertRuleTemplateName": "7d2ed1c7-da26-45fd-b4ea-b6f2bbeccea7",
"eventGroupingSettings": {
"aggregationKind": "AlertPerResult"
},
"alertDetailsOverride": {
"alertDisplayNameFormat": "User '{{SrcUsername}}' with IP address '{{SrcIpAddr}}' has been identified as being associated with a threat named '{{ThreatName}}'"
},
"customDetails": {
"ThreatCategory": "ThreatCategory",
"EventCount": "EventCount",
"ThreatConfidence": "ThreatOriginalConfidence",
"EvenEndTime": "EvenEndTime",
"EventStartTime": "EventStartTime",
"ThreatName": "ThreatName"
},
"entityMappings": [
{
"fieldMappings": [
{
"identifier": "HostName",
"columnName": "SrcHostname"
}
],
"entityType": "Host"
},
{
"fieldMappings": [
{
"identifier": "Address",
"columnName": "SrcIpAddr"
}
],
"entityType": "IP"
},
{
"fieldMappings": [
{
"identifier": "Address",
"columnName": "DstIpAddr"
}
],
"entityType": "IP"
},
{
"fieldMappings": [
{
"identifier": "Name",
"columnName": "Name"
},
{
"identifier": "UPNSuffix",
"columnName": "UPNSuffix"
}
],
"entityType": "Account"
},
{
"fieldMappings": [
{
"identifier": "Url",
"columnName": "Url"
}
],
"entityType": "URL"
}
],
"status": "Available",
"templateVersion": "1.0.0",
"OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Web Session Essentials/Analytic Rules/ThreatInfoFoundInWebRequests.yaml",
"tags": [
{
"SchemaVersion": "0.2.6",
"Schema": "WebSession"
}
]
}
}
]
}