Microsoft Sentinel Analytic Rules
cloudbrothers.infoAzure Sentinel RepoToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeBack to homepage

Detect instances of multiple server errors occurring within a brief period of time ASIM Web Session

Back
Ida59ba76c-0205-4966-948e-3d5640140688
RulenameDetect instances of multiple server errors occurring within a brief period of time (ASIM Web Session)
DescriptionThis detection mechanism identifies situations where multiple server errors originate from a single source within a limited time frame.
SeverityMedium
TacticsInitialAccess
Impact
TechniquesT1190
T1133
T1498
KindScheduled
Query frequency1h
Query period1h
Trigger threshold0
Trigger operatorgt
Source Urihttps://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Web Session Essentials/Analytic Rules/MultipleServerErrorsWithinShortTime.yaml
Version1.0.0
Arm templatea59ba76c-0205-4966-948e-3d5640140688.json
Deploy To Azure
// HTTP response status codes indicate whether a specific HTTP request has been successfully completed.
// Please refer this for more details: https://developer.mozilla.org/en-US/docs/Web/HTTP/Status
let threshold = 100; // You can update threshold value as per your environment
_Im_WebSession(starttime=ago(1h))
| where toint(EventResultDetails) between (500 .. 599)
| summarize
    TotalErrorCount = count(),
    URLs=make_set(Url, 100),
    EventStartTime = min(TimeGenerated),
    EventEndTime = max(TimeGenerated),
    EventResultDetailsSet=make_set(EventResultDetails,10)
    by SrcIpAddr, bin(TimeGenerated, 5m), SrcUsername, SrcHostname
| where TotalErrorCount > threshold
| extend
    Name = iif(SrcUsername contains "@", tostring(split(SrcUsername, '@', 0)[0]), SrcUsername),
    UPNSuffix = iif(SrcUsername contains "@", tostring(split(SrcUsername, '@', 1)[0]), ""), Threshold=threshold
status: Available
queryFrequency: 1h
description: |
    'This detection mechanism identifies situations where multiple server errors originate from a single source within a limited time frame.'
customDetails:
  TotalErrorCount: TotalErrorCount
  EventResultSet: EventResultDetailsSet
  ErrorThreshold: Threshold
  EventStartTime: EventStartTime
  EventEndTime: EventEndTime
  RequestURLs: URLs
severity: Medium
version: 1.0.0
relevantTechniques:
- T1190
- T1133
- T1498
kind: Scheduled
name: Detect instances of multiple server errors occurring within a brief period of time (ASIM Web Session)
triggerThreshold: 0
eventGroupingSettings:
  aggregationKind: AlertPerResult
query: |
  // HTTP response status codes indicate whether a specific HTTP request has been successfully completed.
  // Please refer this for more details: https://developer.mozilla.org/en-US/docs/Web/HTTP/Status
  let threshold = 100; // You can update threshold value as per your environment
  _Im_WebSession(starttime=ago(1h))
  | where toint(EventResultDetails) between (500 .. 599)
  | summarize
      TotalErrorCount = count(),
      URLs=make_set(Url, 100),
      EventStartTime = min(TimeGenerated),
      EventEndTime = max(TimeGenerated),
      EventResultDetailsSet=make_set(EventResultDetails,10)
      by SrcIpAddr, bin(TimeGenerated, 5m), SrcUsername, SrcHostname
  | where TotalErrorCount > threshold
  | extend
      Name = iif(SrcUsername contains "@", tostring(split(SrcUsername, '@', 0)[0]), SrcUsername),
      UPNSuffix = iif(SrcUsername contains "@", tostring(split(SrcUsername, '@', 1)[0]), ""), Threshold=threshold  
alertDetailsOverride:
  alertDisplayNameFormat: High number of server errors originated by user '{{SrcUsername}}' from IP address '{{SrcIpAddr}}'
  alertDescriptionFormat: "The client has made a total of '{{TotalErrorCount}}' requests to URLs '{{URLs}}', which have resulted in server errors. It is recommended to thoroughly investigate this alert to determine the underlying cause behind this significant number of errors. For detailed information regarding the specific errors encountered, please refer to the following link: https://developer.mozilla.org/en-US/docs/Web/HTTP/Status."
triggerOperator: gt
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Web Session Essentials/Analytic Rules/MultipleServerErrorsWithinShortTime.yaml
requiredDataConnectors: []
tactics:
- InitialAccess
- Impact
tags:
- SchemaVersion: 0.2.6
  Schema: WebSession
id: a59ba76c-0205-4966-948e-3d5640140688
queryPeriod: 1h
entityMappings:
- fieldMappings:
  - columnName: SrcIpAddr
    identifier: Address
  entityType: IP
- fieldMappings:
  - columnName: Name
    identifier: Name
  - columnName: UPNSuffix
    identifier: UPNSuffix
  entityType: Account
- fieldMappings:
  - columnName: SrcHostname
    identifier: HostName
  entityType: Host
{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "workspace": {
      "type": "String"
    }
  },
  "resources": [
    {
      "apiVersion": "2024-01-01-preview",
      "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/a59ba76c-0205-4966-948e-3d5640140688')]",
      "kind": "Scheduled",
      "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/a59ba76c-0205-4966-948e-3d5640140688')]",
      "properties": {
        "alertDetailsOverride": {
          "alertDescriptionFormat": "The client has made a total of '{{TotalErrorCount}}' requests to URLs '{{URLs}}', which have resulted in server errors. It is recommended to thoroughly investigate this alert to determine the underlying cause behind this significant number of errors. For detailed information regarding the specific errors encountered, please refer to the following link: https://developer.mozilla.org/en-US/docs/Web/HTTP/Status.",
          "alertDisplayNameFormat": "High number of server errors originated by user '{{SrcUsername}}' from IP address '{{SrcIpAddr}}'"
        },
        "alertRuleTemplateName": "a59ba76c-0205-4966-948e-3d5640140688",
        "customDetails": {
          "ErrorThreshold": "Threshold",
          "EventEndTime": "EventEndTime",
          "EventResultSet": "EventResultDetailsSet",
          "EventStartTime": "EventStartTime",
          "RequestURLs": "URLs",
          "TotalErrorCount": "TotalErrorCount"
        },
        "description": "'This detection mechanism identifies situations where multiple server errors originate from a single source within a limited time frame.'\n",
        "displayName": "Detect instances of multiple server errors occurring within a brief period of time (ASIM Web Session)",
        "enabled": true,
        "entityMappings": [
          {
            "entityType": "IP",
            "fieldMappings": [
              {
                "columnName": "SrcIpAddr",
                "identifier": "Address"
              }
            ]
          },
          {
            "entityType": "Account",
            "fieldMappings": [
              {
                "columnName": "Name",
                "identifier": "Name"
              },
              {
                "columnName": "UPNSuffix",
                "identifier": "UPNSuffix"
              }
            ]
          },
          {
            "entityType": "Host",
            "fieldMappings": [
              {
                "columnName": "SrcHostname",
                "identifier": "HostName"
              }
            ]
          }
        ],
        "eventGroupingSettings": {
          "aggregationKind": "AlertPerResult"
        },
        "OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Web Session Essentials/Analytic Rules/MultipleServerErrorsWithinShortTime.yaml",
        "query": "// HTTP response status codes indicate whether a specific HTTP request has been successfully completed.\n// Please refer this for more details: https://developer.mozilla.org/en-US/docs/Web/HTTP/Status\nlet threshold = 100; // You can update threshold value as per your environment\n_Im_WebSession(starttime=ago(1h))\n| where toint(EventResultDetails) between (500 .. 599)\n| summarize\n    TotalErrorCount = count(),\n    URLs=make_set(Url, 100),\n    EventStartTime = min(TimeGenerated),\n    EventEndTime = max(TimeGenerated),\n    EventResultDetailsSet=make_set(EventResultDetails,10)\n    by SrcIpAddr, bin(TimeGenerated, 5m), SrcUsername, SrcHostname\n| where TotalErrorCount > threshold\n| extend\n    Name = iif(SrcUsername contains \"@\", tostring(split(SrcUsername, '@', 0)[0]), SrcUsername),\n    UPNSuffix = iif(SrcUsername contains \"@\", tostring(split(SrcUsername, '@', 1)[0]), \"\"), Threshold=threshold\n",
        "queryFrequency": "PT1H",
        "queryPeriod": "PT1H",
        "severity": "Medium",
        "status": "Available",
        "subTechniques": [],
        "suppressionDuration": "PT1H",
        "suppressionEnabled": false,
        "tactics": [
          "Impact",
          "InitialAccess"
        ],
        "tags": [
          {
            "Schema": "WebSession",
            "SchemaVersion": "0.2.6"
          }
        ],
        "techniques": [
          "T1133",
          "T1190",
          "T1498"
        ],
        "templateVersion": "1.0.0",
        "triggerOperator": "GreaterThan",
        "triggerThreshold": 0
      },
      "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules"
    }
  ]
}