Microsoft Sentinel Analytic Rules
cloudbrothers.infoAzure Sentinel RepoToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeBack to homepage

Identify instances where a single source is observed using multiple user agents ASIM Web Session

Back
Id813ccf3b-0321-4622-b0bc-63518fd14454
RulenameIdentify instances where a single source is observed using multiple user agents (ASIM Web Session)
DescriptionThis detection mechanism identifies requests originating from a single source within a brief time period that exhibit multiple user agents. Such behavior could indicate unusual web browsing activities performed by unconventional processes
SeverityMedium
TacticsInitialAccess
CredentialAccess
TechniquesT1190
T1133
T1528
KindScheduled
Query frequency1h
Query period1h
Trigger threshold0
Trigger operatorgt
Source Urihttps://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Web Session Essentials/Analytic Rules/MultipleUAsFromSingleIP.yaml
Version1.0.1
Arm template813ccf3b-0321-4622-b0bc-63518fd14454.json
Deploy To Azure
let threshold = 5; // Please update threshold limit as per your environment
_Im_WebSession(starttime=ago(1h), eventresult="Success")
| where isnotempty(HttpUserAgent)
| summarize
    EventCount=count(),
    UserAgentList=make_set(HttpUserAgent, 100),
    URL_List = make_set(Url, 100),
    DestinationIPList = make_set(DstIpAddr, 100)
    by SrcIpAddr, SrcUsername, SrcHostname, bin(TimeGenerated, 5min)
| extend UserAgentCount = array_length(UserAgentList)
| where UserAgentCount > threshold
| extend Name = iif(SrcUsername contains "@", tostring(split(SrcUsername,'@',0)[0]),SrcUsername), UPNSuffix = iif(SrcUsername contains "@",tostring(split(SrcUsername,'@',1)[0]),""), Threshold=threshold
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Web Session Essentials/Analytic Rules/MultipleUAsFromSingleIP.yaml
customDetails:
  URLs: URL_List
  UserAgentThreshold: Threshold
  UserAgentCount: UserAgentCount
  UserAgentArray: UserAgentList
  DestinationIPList: DestinationIPList
status: Available
id: 813ccf3b-0321-4622-b0bc-63518fd14454
alertDetailsOverride:
  alertDescriptionFormat: "The system has detected high User Agent count of '{{UserAgentCount}}' originating from '{{SrcUsername}}'. Further investigation is necessary to determine the reason behind the detection of multiple user agents associated with the SrcIpAddr in this incident. User Agent list include: '{{UserAgentList}}'"
  alertDisplayNameFormat: User '{{SrcUsername}}' with IP '{{SrcIpAddr}}' has been observed using high number of User Agents within short timeframe
query: |
  let threshold = 5; // Please update threshold limit as per your environment
  _Im_WebSession(starttime=ago(1h), eventresult="Success")
  | where isnotempty(HttpUserAgent)
  | summarize
      EventCount=count(),
      UserAgentList=make_set(HttpUserAgent, 100),
      URL_List = make_set(Url, 100),
      DestinationIPList = make_set(DstIpAddr, 100)
      by SrcIpAddr, SrcUsername, SrcHostname, bin(TimeGenerated, 5min)
  | extend UserAgentCount = array_length(UserAgentList)
  | where UserAgentCount > threshold
  | extend Name = iif(SrcUsername contains "@", tostring(split(SrcUsername,'@',0)[0]),SrcUsername), UPNSuffix = iif(SrcUsername contains "@",tostring(split(SrcUsername,'@',1)[0]),""), Threshold=threshold  
tags:
- SchemaVersion: 0.2.6
  Schema: WebSession
description: |
    'This detection mechanism identifies requests originating from a single source within a brief time period that exhibit multiple user agents. Such behavior could indicate unusual web browsing activities performed by unconventional processes'
name: Identify instances where a single source is observed using multiple user agents (ASIM Web Session)
relevantTechniques:
- T1190
- T1133
- T1528
entityMappings:
- entityType: IP
  fieldMappings:
  - identifier: Address
    columnName: SrcIpAddr
- entityType: Host
  fieldMappings:
  - identifier: HostName
    columnName: SrcHostname
- entityType: Account
  fieldMappings:
  - identifier: Name
    columnName: Name
  - identifier: UPNSuffix
    columnName: UPNSuffix
triggerThreshold: 0
severity: Medium
requiredDataConnectors: []
eventGroupingSettings:
  aggregationKind: AlertPerResult
queryFrequency: 1h
queryPeriod: 1h
version: 1.0.1
kind: Scheduled
tactics:
- InitialAccess
- CredentialAccess
triggerOperator: gt
{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "workspace": {
      "type": "String"
    }
  },
  "resources": [
    {
      "apiVersion": "2024-01-01-preview",
      "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/813ccf3b-0321-4622-b0bc-63518fd14454')]",
      "kind": "Scheduled",
      "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/813ccf3b-0321-4622-b0bc-63518fd14454')]",
      "properties": {
        "alertDetailsOverride": {
          "alertDescriptionFormat": "The system has detected high User Agent count of '{{UserAgentCount}}' originating from '{{SrcUsername}}'. Further investigation is necessary to determine the reason behind the detection of multiple user agents associated with the SrcIpAddr in this incident. User Agent list include: '{{UserAgentList}}'",
          "alertDisplayNameFormat": "User '{{SrcUsername}}' with IP '{{SrcIpAddr}}' has been observed using high number of User Agents within short timeframe"
        },
        "alertRuleTemplateName": "813ccf3b-0321-4622-b0bc-63518fd14454",
        "customDetails": {
          "DestinationIPList": "DestinationIPList",
          "URLs": "URL_List",
          "UserAgentArray": "UserAgentList",
          "UserAgentCount": "UserAgentCount",
          "UserAgentThreshold": "Threshold"
        },
        "description": "'This detection mechanism identifies requests originating from a single source within a brief time period that exhibit multiple user agents. Such behavior could indicate unusual web browsing activities performed by unconventional processes'\n",
        "displayName": "Identify instances where a single source is observed using multiple user agents (ASIM Web Session)",
        "enabled": true,
        "entityMappings": [
          {
            "entityType": "IP",
            "fieldMappings": [
              {
                "columnName": "SrcIpAddr",
                "identifier": "Address"
              }
            ]
          },
          {
            "entityType": "Host",
            "fieldMappings": [
              {
                "columnName": "SrcHostname",
                "identifier": "HostName"
              }
            ]
          },
          {
            "entityType": "Account",
            "fieldMappings": [
              {
                "columnName": "Name",
                "identifier": "Name"
              },
              {
                "columnName": "UPNSuffix",
                "identifier": "UPNSuffix"
              }
            ]
          }
        ],
        "eventGroupingSettings": {
          "aggregationKind": "AlertPerResult"
        },
        "OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Web Session Essentials/Analytic Rules/MultipleUAsFromSingleIP.yaml",
        "query": "let threshold = 5; // Please update threshold limit as per your environment\n_Im_WebSession(starttime=ago(1h), eventresult=\"Success\")\n| where isnotempty(HttpUserAgent)\n| summarize\n    EventCount=count(),\n    UserAgentList=make_set(HttpUserAgent, 100),\n    URL_List = make_set(Url, 100),\n    DestinationIPList = make_set(DstIpAddr, 100)\n    by SrcIpAddr, SrcUsername, SrcHostname, bin(TimeGenerated, 5min)\n| extend UserAgentCount = array_length(UserAgentList)\n| where UserAgentCount > threshold\n| extend Name = iif(SrcUsername contains \"@\", tostring(split(SrcUsername,'@',0)[0]),SrcUsername), UPNSuffix = iif(SrcUsername contains \"@\",tostring(split(SrcUsername,'@',1)[0]),\"\"), Threshold=threshold\n",
        "queryFrequency": "PT1H",
        "queryPeriod": "PT1H",
        "severity": "Medium",
        "status": "Available",
        "subTechniques": [],
        "suppressionDuration": "PT1H",
        "suppressionEnabled": false,
        "tactics": [
          "CredentialAccess",
          "InitialAccess"
        ],
        "tags": [
          {
            "Schema": "WebSession",
            "SchemaVersion": "0.2.6"
          }
        ],
        "techniques": [
          "T1133",
          "T1190",
          "T1528"
        ],
        "templateVersion": "1.0.1",
        "triggerOperator": "GreaterThan",
        "triggerThreshold": 0
      },
      "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules"
    }
  ]
}