Detect instances of multiple server errors occurring within a brief period of time ASIM Web Session
| Id | a59ba76c-0205-4966-948e-3d5640140688 |
| Rulename | Detect instances of multiple server errors occurring within a brief period of time (ASIM Web Session) |
| Description | This detection mechanism identifies situations where multiple server errors originate from a single source within a limited time frame. |
| Severity | Medium |
| Tactics | InitialAccess Impact |
| Techniques | T1190 T1133 T1498 |
| Kind | Scheduled |
| Query frequency | 1h |
| Query period | 1h |
| Trigger threshold | 0 |
| Trigger operator | gt |
| Source Uri | https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Web Session Essentials/Analytic Rules/MultipleServerErrorsWithinShortTime.yaml |
| Version | 1.0.0 |
| Arm template | a59ba76c-0205-4966-948e-3d5640140688.json |
// HTTP response status codes indicate whether a specific HTTP request has been successfully completed.
// Please refer this for more details: https://developer.mozilla.org/en-US/docs/Web/HTTP/Status
let threshold = 100; // You can update threshold value as per your environment
_Im_WebSession(starttime=ago(1h))
| where toint(EventResultDetails) between (500 .. 599)
| summarize
TotalErrorCount = count(),
URLs=make_set(Url, 100),
EventStartTime = min(TimeGenerated),
EventEndTime = max(TimeGenerated),
EventResultDetailsSet=make_set(EventResultDetails,10)
by SrcIpAddr, bin(TimeGenerated, 5m), SrcUsername, SrcHostname
| where TotalErrorCount > threshold
| extend
Name = iif(SrcUsername contains "@", tostring(split(SrcUsername, '@', 0)[0]), SrcUsername),
UPNSuffix = iif(SrcUsername contains "@", tostring(split(SrcUsername, '@', 1)[0]), ""), Threshold=threshold
id: a59ba76c-0205-4966-948e-3d5640140688
tactics:
- InitialAccess
- Impact
queryPeriod: 1h
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Web Session Essentials/Analytic Rules/MultipleServerErrorsWithinShortTime.yaml
eventGroupingSettings:
aggregationKind: AlertPerResult
triggerThreshold: 0
name: Detect instances of multiple server errors occurring within a brief period of time (ASIM Web Session)
query: |
// HTTP response status codes indicate whether a specific HTTP request has been successfully completed.
// Please refer this for more details: https://developer.mozilla.org/en-US/docs/Web/HTTP/Status
let threshold = 100; // You can update threshold value as per your environment
_Im_WebSession(starttime=ago(1h))
| where toint(EventResultDetails) between (500 .. 599)
| summarize
TotalErrorCount = count(),
URLs=make_set(Url, 100),
EventStartTime = min(TimeGenerated),
EventEndTime = max(TimeGenerated),
EventResultDetailsSet=make_set(EventResultDetails,10)
by SrcIpAddr, bin(TimeGenerated, 5m), SrcUsername, SrcHostname
| where TotalErrorCount > threshold
| extend
Name = iif(SrcUsername contains "@", tostring(split(SrcUsername, '@', 0)[0]), SrcUsername),
UPNSuffix = iif(SrcUsername contains "@", tostring(split(SrcUsername, '@', 1)[0]), ""), Threshold=threshold
severity: Medium
customDetails:
TotalErrorCount: TotalErrorCount
RequestURLs: URLs
EventResultSet: EventResultDetailsSet
ErrorThreshold: Threshold
EventEndTime: EventEndTime
EventStartTime: EventStartTime
triggerOperator: gt
kind: Scheduled
relevantTechniques:
- T1190
- T1133
- T1498
tags:
- SchemaVersion: 0.2.6
Schema: WebSession
queryFrequency: 1h
requiredDataConnectors: []
version: 1.0.0
description: |
'This detection mechanism identifies situations where multiple server errors originate from a single source within a limited time frame.'
status: Available
alertDetailsOverride:
alertDisplayNameFormat: High number of server errors originated by user '{{SrcUsername}}' from IP address '{{SrcIpAddr}}'
alertDescriptionFormat: "The client has made a total of '{{TotalErrorCount}}' requests to URLs '{{URLs}}', which have resulted in server errors. It is recommended to thoroughly investigate this alert to determine the underlying cause behind this significant number of errors. For detailed information regarding the specific errors encountered, please refer to the following link: https://developer.mozilla.org/en-US/docs/Web/HTTP/Status."
entityMappings:
- fieldMappings:
- columnName: SrcIpAddr
identifier: Address
entityType: IP
- fieldMappings:
- columnName: Name
identifier: Name
- columnName: UPNSuffix
identifier: UPNSuffix
entityType: Account
- fieldMappings:
- columnName: SrcHostname
identifier: HostName
entityType: Host
{
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"parameters": {
"workspace": {
"type": "String"
}
},
"resources": [
{
"apiVersion": "2024-01-01-preview",
"id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/a59ba76c-0205-4966-948e-3d5640140688')]",
"kind": "Scheduled",
"name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/a59ba76c-0205-4966-948e-3d5640140688')]",
"properties": {
"alertDetailsOverride": {
"alertDescriptionFormat": "The client has made a total of '{{TotalErrorCount}}' requests to URLs '{{URLs}}', which have resulted in server errors. It is recommended to thoroughly investigate this alert to determine the underlying cause behind this significant number of errors. For detailed information regarding the specific errors encountered, please refer to the following link: https://developer.mozilla.org/en-US/docs/Web/HTTP/Status.",
"alertDisplayNameFormat": "High number of server errors originated by user '{{SrcUsername}}' from IP address '{{SrcIpAddr}}'"
},
"alertRuleTemplateName": "a59ba76c-0205-4966-948e-3d5640140688",
"customDetails": {
"ErrorThreshold": "Threshold",
"EventEndTime": "EventEndTime",
"EventResultSet": "EventResultDetailsSet",
"EventStartTime": "EventStartTime",
"RequestURLs": "URLs",
"TotalErrorCount": "TotalErrorCount"
},
"description": "'This detection mechanism identifies situations where multiple server errors originate from a single source within a limited time frame.'\n",
"displayName": "Detect instances of multiple server errors occurring within a brief period of time (ASIM Web Session)",
"enabled": true,
"entityMappings": [
{
"entityType": "IP",
"fieldMappings": [
{
"columnName": "SrcIpAddr",
"identifier": "Address"
}
]
},
{
"entityType": "Account",
"fieldMappings": [
{
"columnName": "Name",
"identifier": "Name"
},
{
"columnName": "UPNSuffix",
"identifier": "UPNSuffix"
}
]
},
{
"entityType": "Host",
"fieldMappings": [
{
"columnName": "SrcHostname",
"identifier": "HostName"
}
]
}
],
"eventGroupingSettings": {
"aggregationKind": "AlertPerResult"
},
"OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Web Session Essentials/Analytic Rules/MultipleServerErrorsWithinShortTime.yaml",
"query": "// HTTP response status codes indicate whether a specific HTTP request has been successfully completed.\n// Please refer this for more details: https://developer.mozilla.org/en-US/docs/Web/HTTP/Status\nlet threshold = 100; // You can update threshold value as per your environment\n_Im_WebSession(starttime=ago(1h))\n| where toint(EventResultDetails) between (500 .. 599)\n| summarize\n TotalErrorCount = count(),\n URLs=make_set(Url, 100),\n EventStartTime = min(TimeGenerated),\n EventEndTime = max(TimeGenerated),\n EventResultDetailsSet=make_set(EventResultDetails,10)\n by SrcIpAddr, bin(TimeGenerated, 5m), SrcUsername, SrcHostname\n| where TotalErrorCount > threshold\n| extend\n Name = iif(SrcUsername contains \"@\", tostring(split(SrcUsername, '@', 0)[0]), SrcUsername),\n UPNSuffix = iif(SrcUsername contains \"@\", tostring(split(SrcUsername, '@', 1)[0]), \"\"), Threshold=threshold\n",
"queryFrequency": "PT1H",
"queryPeriod": "PT1H",
"severity": "Medium",
"status": "Available",
"subTechniques": [],
"suppressionDuration": "PT1H",
"suppressionEnabled": false,
"tactics": [
"Impact",
"InitialAccess"
],
"tags": [
{
"Schema": "WebSession",
"SchemaVersion": "0.2.6"
}
],
"techniques": [
"T1133",
"T1190",
"T1498"
],
"templateVersion": "1.0.0",
"triggerOperator": "GreaterThan",
"triggerThreshold": 0
},
"type": "Microsoft.OperationalInsights/workspaces/providers/alertRules"
}
]
}