Microsoft Sentinel Analytic Rules
cloudbrothers.infoAzure Sentinel RepoToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeBack to homepage

Detect threat information in web requests ASIM Web Session

Back
Id7d2ed1c7-da26-45fd-b4ea-b6f2bbeccea7
RulenameDetect threat information in web requests (ASIM Web Session)
DescriptionThis rule would generate an alert if EvenSeverity is ‘High’ or ‘ThreatRiskLevel’ or ‘ThreatOriginalConfidence’ value is greater than 90.
SeverityHigh
TacticsInitialAccess
TechniquesT1190
T1133
KindScheduled
Query frequency5m
Query period5m
Trigger threshold0
Trigger operatorgt
Source Urihttps://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Web Session Essentials/Analytic Rules/ThreatInfoFoundInWebRequests.yaml
Version1.0.0
Arm template7d2ed1c7-da26-45fd-b4ea-b6f2bbeccea7.json
Deploy To Azure
let lookback= 5m;
_Im_WebSession(starttime=ago(lookback))
| project
    EventSeverity,
    ThreatName,
    ThreatCategory,
    ThreatRiskLevel,
    ThreatOriginalConfidence,
    ThreatField,
    TimeGenerated,
    SrcIpAddr,
    SrcUsername,
    SrcHostname,
    Url,
    DstIpAddr
| where ThreatRiskLevel >= 90
    or toint(ThreatOriginalConfidence) >= 90
    or EventSeverity =~ "High"
| summarize
    EventCount = count(),
    EventStartTime=min(TimeGenerated),
    EvenEndTime=max(TimeGenerated)
    by
    SrcIpAddr,
    SrcUsername,
    SrcHostname,
    Url,
    DstIpAddr,
    ThreatName,
    ThreatCategory,
    ThreatRiskLevel,
    ThreatOriginalConfidence,
    ThreatField
| extend
    Name = iif(SrcUsername contains "@", tostring(split(SrcUsername, '@', 0)[0]), SrcUsername),
    UPNSuffix = iif(SrcUsername contains "@", tostring(split(SrcUsername, '@', 1)[0]), "")
entityMappings:
- entityType: Host
  fieldMappings:
  - identifier: HostName
    columnName: SrcHostname
- entityType: IP
  fieldMappings:
  - identifier: Address
    columnName: SrcIpAddr
- entityType: IP
  fieldMappings:
  - identifier: Address
    columnName: DstIpAddr
- entityType: Account
  fieldMappings:
  - identifier: Name
    columnName: Name
  - identifier: UPNSuffix
    columnName: UPNSuffix
- entityType: URL
  fieldMappings:
  - identifier: Url
    columnName: Url
queryFrequency: 5m
name: Detect threat information in web requests (ASIM Web Session)
tags:
- SchemaVersion: 0.2.6
  Schema: WebSession
kind: Scheduled
alertDetailsOverride:
  alertDisplayNameFormat: User '{{SrcUsername}}' with IP address '{{SrcIpAddr}}' has been identified as being associated with a threat named '{{ThreatName}}'
eventGroupingSettings:
  aggregationKind: AlertPerResult
tactics:
- InitialAccess
triggerThreshold: 0
query: |
  let lookback= 5m;
  _Im_WebSession(starttime=ago(lookback))
  | project
      EventSeverity,
      ThreatName,
      ThreatCategory,
      ThreatRiskLevel,
      ThreatOriginalConfidence,
      ThreatField,
      TimeGenerated,
      SrcIpAddr,
      SrcUsername,
      SrcHostname,
      Url,
      DstIpAddr
  | where ThreatRiskLevel >= 90
      or toint(ThreatOriginalConfidence) >= 90
      or EventSeverity =~ "High"
  | summarize
      EventCount = count(),
      EventStartTime=min(TimeGenerated),
      EvenEndTime=max(TimeGenerated)
      by
      SrcIpAddr,
      SrcUsername,
      SrcHostname,
      Url,
      DstIpAddr,
      ThreatName,
      ThreatCategory,
      ThreatRiskLevel,
      ThreatOriginalConfidence,
      ThreatField
  | extend
      Name = iif(SrcUsername contains "@", tostring(split(SrcUsername, '@', 0)[0]), SrcUsername),
      UPNSuffix = iif(SrcUsername contains "@", tostring(split(SrcUsername, '@', 1)[0]), "")  
relevantTechniques:
- T1190
- T1133
triggerOperator: gt
customDetails:
  ThreatCategory: ThreatCategory
  ThreatName: ThreatName
  ThreatConfidence: ThreatOriginalConfidence
  EvenEndTime: EvenEndTime
  EventStartTime: EventStartTime
  EventCount: EventCount
queryPeriod: 5m
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Web Session Essentials/Analytic Rules/ThreatInfoFoundInWebRequests.yaml
severity: High
status: Available
id: 7d2ed1c7-da26-45fd-b4ea-b6f2bbeccea7
requiredDataConnectors: []
version: 1.0.0
description: |
    'This rule would generate an alert if EvenSeverity is 'High' or 'ThreatRiskLevel' or 'ThreatOriginalConfidence' value is greater than 90.
{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "workspace": {
      "type": "String"
    }
  },
  "resources": [
    {
      "apiVersion": "2024-01-01-preview",
      "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/7d2ed1c7-da26-45fd-b4ea-b6f2bbeccea7')]",
      "kind": "Scheduled",
      "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/7d2ed1c7-da26-45fd-b4ea-b6f2bbeccea7')]",
      "properties": {
        "alertDetailsOverride": {
          "alertDisplayNameFormat": "User '{{SrcUsername}}' with IP address '{{SrcIpAddr}}' has been identified as being associated with a threat named '{{ThreatName}}'"
        },
        "alertRuleTemplateName": "7d2ed1c7-da26-45fd-b4ea-b6f2bbeccea7",
        "customDetails": {
          "EvenEndTime": "EvenEndTime",
          "EventCount": "EventCount",
          "EventStartTime": "EventStartTime",
          "ThreatCategory": "ThreatCategory",
          "ThreatConfidence": "ThreatOriginalConfidence",
          "ThreatName": "ThreatName"
        },
        "description": "'This rule would generate an alert if EvenSeverity is 'High' or 'ThreatRiskLevel' or 'ThreatOriginalConfidence' value is greater than 90.\n",
        "displayName": "Detect threat information in web requests (ASIM Web Session)",
        "enabled": true,
        "entityMappings": [
          {
            "entityType": "Host",
            "fieldMappings": [
              {
                "columnName": "SrcHostname",
                "identifier": "HostName"
              }
            ]
          },
          {
            "entityType": "IP",
            "fieldMappings": [
              {
                "columnName": "SrcIpAddr",
                "identifier": "Address"
              }
            ]
          },
          {
            "entityType": "IP",
            "fieldMappings": [
              {
                "columnName": "DstIpAddr",
                "identifier": "Address"
              }
            ]
          },
          {
            "entityType": "Account",
            "fieldMappings": [
              {
                "columnName": "Name",
                "identifier": "Name"
              },
              {
                "columnName": "UPNSuffix",
                "identifier": "UPNSuffix"
              }
            ]
          },
          {
            "entityType": "URL",
            "fieldMappings": [
              {
                "columnName": "Url",
                "identifier": "Url"
              }
            ]
          }
        ],
        "eventGroupingSettings": {
          "aggregationKind": "AlertPerResult"
        },
        "OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Web Session Essentials/Analytic Rules/ThreatInfoFoundInWebRequests.yaml",
        "query": "let lookback= 5m;\n_Im_WebSession(starttime=ago(lookback))\n| project\n    EventSeverity,\n    ThreatName,\n    ThreatCategory,\n    ThreatRiskLevel,\n    ThreatOriginalConfidence,\n    ThreatField,\n    TimeGenerated,\n    SrcIpAddr,\n    SrcUsername,\n    SrcHostname,\n    Url,\n    DstIpAddr\n| where ThreatRiskLevel >= 90\n    or toint(ThreatOriginalConfidence) >= 90\n    or EventSeverity =~ \"High\"\n| summarize\n    EventCount = count(),\n    EventStartTime=min(TimeGenerated),\n    EvenEndTime=max(TimeGenerated)\n    by\n    SrcIpAddr,\n    SrcUsername,\n    SrcHostname,\n    Url,\n    DstIpAddr,\n    ThreatName,\n    ThreatCategory,\n    ThreatRiskLevel,\n    ThreatOriginalConfidence,\n    ThreatField\n| extend\n    Name = iif(SrcUsername contains \"@\", tostring(split(SrcUsername, '@', 0)[0]), SrcUsername),\n    UPNSuffix = iif(SrcUsername contains \"@\", tostring(split(SrcUsername, '@', 1)[0]), \"\")\n",
        "queryFrequency": "PT5M",
        "queryPeriod": "PT5M",
        "severity": "High",
        "status": "Available",
        "subTechniques": [],
        "suppressionDuration": "PT1H",
        "suppressionEnabled": false,
        "tactics": [
          "InitialAccess"
        ],
        "tags": [
          {
            "Schema": "WebSession",
            "SchemaVersion": "0.2.6"
          }
        ],
        "techniques": [
          "T1133",
          "T1190"
        ],
        "templateVersion": "1.0.0",
        "triggerOperator": "GreaterThan",
        "triggerThreshold": 0
      },
      "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules"
    }
  ]
}