A host is potentially running a crypto miner ASIM Web Session schema
| Id | 8cbc3215-fa58-4bd6-aaaa-f0029c351730 |
| Rulename | A host is potentially running a crypto miner (ASIM Web Session schema) |
| Description | This rule identifies a web request with a user agent header known to belong to a crypto miner. This indicates a crypto miner may have infected the client machine.<br>You can add custom crypto mining indicating User-Agent headers using a watchlist, for more information refer to the UnusualUserAgents Watchlist.<br><br> This analytic rule uses ASIM and supports any built-in or custom source that supports the ASIM WebSession schema (ASIM WebSession Schema) |
| Severity | Medium |
| Tactics | Impact |
| Techniques | T1496 |
| Required data connectors | SquidProxy Zscaler |
| Kind | Scheduled |
| Query frequency | 15m |
| Query period | 15m |
| Trigger threshold | 0 |
| Trigger operator | gt |
| Source Uri | https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ASimWebSession/UnusualUACryptoMiners.yaml |
| Version | 1.1.4 |
| Arm template | 8cbc3215-fa58-4bd6-aaaa-f0029c351730.json |
let threatCategory="Cryptominer";
let knownUserAgentsIndicators = materialize(externaldata(UserAgent:string, Category:string)
[ @"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Sample%20Data/Feeds/UnusualUserAgents.csv"]
with(format="csv", ignoreFirstRecord=True));
let knownUserAgents=toscalar(knownUserAgentsIndicators | where Category==threatCategory | where isnotempty(UserAgent) | summarize make_list(UserAgent));
let customUserAgents=toscalar(_GetWatchlist("UnusualUserAgents") | where SearchKey==threatCategory | extend UserAgent=column_ifexists("UserAgent","") | where isnotempty(UserAgent) | summarize make_list(UserAgent));
let fullUAList = array_concat(knownUserAgents,customUserAgents);
_Im_WebSession(httpuseragent_has_any=fullUAList)
| summarize N_Events=count() by SrcIpAddr, Url, TimeGenerated, HttpUserAgent, SrcUsername
| extend AccountName = tostring(split(SrcUsername, "@")[0]), AccountUPNSuffix = tostring(split(SrcUsername, "@")[1])
metadata:
source:
kind: Community
author:
name: Yaron
categories:
domains:
- Security - Threat Protection
support:
tier: Community
relevantTechniques:
- T1496
queryFrequency: 15m
description: |
'This rule identifies a web request with a user agent header known to belong to a crypto miner. This indicates a crypto miner may have infected the client machine.<br>You can add custom crypto mining indicating User-Agent headers using a watchlist, for more information refer to the [UnusualUserAgents Watchlist](https://aka.ms/ASimUnusualUserAgentsWatchlist).<br><br> This analytic rule uses [ASIM](https://aka.ms/AboutASIM) and supports any built-in or custom source that supports the ASIM WebSession schema (ASIM WebSession Schema)'
customDetails:
UserAgent: HttpUserAgent
severity: Medium
entityMappings:
- fieldMappings:
- identifier: Url
columnName: Url
entityType: URL
- fieldMappings:
- identifier: Address
columnName: SrcIpAddr
entityType: IP
- fieldMappings:
- identifier: FullName
columnName: SrcUsername
- identifier: Name
columnName: AccountName
- identifier: UPNSuffix
columnName: AccountUPNSuffix
entityType: Account
triggerThreshold: 0
tactics:
- Impact
requiredDataConnectors:
- dataTypes:
- SquidProxy_CL
connectorId: SquidProxy
- dataTypes:
- CommonSecurityLog
connectorId: Zscaler
eventGroupingSettings:
aggregationKind: AlertPerResult
tags:
- ParentAlert: https://github.com/Azure/Azure-Sentinel/blob/master/Detections/CiscoUmbrella/CiscoUmbrellaCryptoMinerUserAgentDetected.yaml
version: 1.0.0
- SchemaVersion: 0.2.1
Schema: ASimWebSession
queryPeriod: 15m
id: 8cbc3215-fa58-4bd6-aaaa-f0029c351730
triggerOperator: gt
query: |
let threatCategory="Cryptominer";
let knownUserAgentsIndicators = materialize(externaldata(UserAgent:string, Category:string)
[ @"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Sample%20Data/Feeds/UnusualUserAgents.csv"]
with(format="csv", ignoreFirstRecord=True));
let knownUserAgents=toscalar(knownUserAgentsIndicators | where Category==threatCategory | where isnotempty(UserAgent) | summarize make_list(UserAgent));
let customUserAgents=toscalar(_GetWatchlist("UnusualUserAgents") | where SearchKey==threatCategory | extend UserAgent=column_ifexists("UserAgent","") | where isnotempty(UserAgent) | summarize make_list(UserAgent));
let fullUAList = array_concat(knownUserAgents,customUserAgents);
_Im_WebSession(httpuseragent_has_any=fullUAList)
| summarize N_Events=count() by SrcIpAddr, Url, TimeGenerated, HttpUserAgent, SrcUsername
| extend AccountName = tostring(split(SrcUsername, "@")[0]), AccountUPNSuffix = tostring(split(SrcUsername, "@")[1])
alertDetailsOverride:
alertDisplayNameFormat: The host {{SrcIpAddr}} is potentially running a crypto miner
alertDescriptionFormat: The host at address {{SrcIpAddr}} sent an HTTP request to the URL {{Url}} with the HTTP user agent header {{HttpUserAgent}}. This user agent is known to be used by crypto miners and indicates crypto mining activity on the client.
name: A host is potentially running a crypto miner (ASIM Web Session schema)
version: 1.1.4
kind: Scheduled
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ASimWebSession/UnusualUACryptoMiners.yaml