Microsoft Sentinel Analytic Rules
cloudbrothers.infoAzure Sentinel RepoToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeBack to homepage

Detect potential file enumeration activity (ASIM Web Session)

Back
Idb3731ce1-1f04-47c4-95c2-9827408c4375
RulenameDetect potential file enumeration activity (ASIM Web Session)
DescriptionThis detection method identifies potential cases of file enumeration activity. The query is designed to identify client sources that generate multiple requests resulting in 404 error codes
SeverityMedium
TacticsDiscovery
CommandAndControl
CredentialAccess
TechniquesT1083
T1071
T1110
KindScheduled
Query frequency1h
Query period1h
Trigger threshold0
Trigger operatorgt
Source Urihttps://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Web Session Essentials/Analytic Rules/PotentionalFileEnumeration.yaml
Version1.0.0
Arm templateb3731ce1-1f04-47c4-95c2-9827408c4375.json
Deploy To Azure
// HTTP response status codes indicate whether a specific HTTP request has been successfully completed.
// Please refer this for more details: https://developer.mozilla.org/en-US/docs/Web/HTTP/Status
let HTTPErrorCode=dynamic(["404"]);
let threshold = 10; // You can update this threshold to the value that suites your environment
// let FileNotFoundRequests = 
_Im_WebSession (starttime=ago(1h))
| where EventResultDetails in~ (HTTPErrorCode)
// Filter the logs to include only HTTP GET requests with an HTTP status code of 404 and '/' in the URL
| where HttpRequestMethod =~ "GET" and Url contains "/"
| summarize
    RequestCount = count(),
    FileCount=dcount(Url),
    EventStartTime=min(TimeGenerated),
    EventEndTime=max(TimeGenerated),
    RequestURLs = make_set(Url, 100),
    DestinationIPList=make_set(DstIpAddr, 100)
    by SrcIpAddr, SrcUsername, SrcHostname, DstHostname
| where RequestCount > threshold  // Adjust the threshold as per your requirements
| extend Name = iif(SrcUsername contains "@", tostring(split(SrcUsername,'@',0)[0]),SrcUsername), UPNSuffix = iif(SrcUsername contains "@",tostring(split(SrcUsername,'@',1)[0]),"")
tags:
- Schema: WebSession
  SchemaVersion: 0.2.6
customDetails:
  RequestURLs: RequestURLs
  FileCount: FileCount
  DestinationIPList: DestinationIPList
  EventStartTime: EventStartTime
  EventEndTime: EventEndTime
  RequestCount: RequestCount
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Web Session Essentials/Analytic Rules/PotentionalFileEnumeration.yaml
requiredDataConnectors: []
alertDetailsOverride:
  alertDescriptionFormat: User generated multiple requests '{{RequestCount}}' that has resulted in error code '404', suggesting the possibility of file enumeration activity. It's important to investigate the source and patterns of these extensive 404 errors to identify potential security threats. Details about this error code could be found [here](https://developer.mozilla.org/en-US/docs/Web/HTTP/Status)
  alertDisplayNameFormat: User '{{SrcUsername}}' with IP '{{SrcIpAddr}}' has been observed with performing file enumeration activity
id: b3731ce1-1f04-47c4-95c2-9827408c4375
tactics:
- Discovery
- CommandAndControl
- CredentialAccess
queryFrequency: 1h
eventGroupingSettings:
  aggregationKind: AlertPerResult
triggerOperator: gt
relevantTechniques:
- T1083
- T1071
- T1110
description: |
    'This detection method identifies potential cases of file enumeration activity. The query is designed to identify client sources that generate multiple requests resulting in 404 error codes'
triggerThreshold: 0
kind: Scheduled
name: Detect potential file enumeration activity (ASIM Web Session)
query: |
  // HTTP response status codes indicate whether a specific HTTP request has been successfully completed.
  // Please refer this for more details: https://developer.mozilla.org/en-US/docs/Web/HTTP/Status
  let HTTPErrorCode=dynamic(["404"]);
  let threshold = 10; // You can update this threshold to the value that suites your environment
  // let FileNotFoundRequests = 
  _Im_WebSession (starttime=ago(1h))
  | where EventResultDetails in~ (HTTPErrorCode)
  // Filter the logs to include only HTTP GET requests with an HTTP status code of 404 and '/' in the URL
  | where HttpRequestMethod =~ "GET" and Url contains "/"
  | summarize
      RequestCount = count(),
      FileCount=dcount(Url),
      EventStartTime=min(TimeGenerated),
      EventEndTime=max(TimeGenerated),
      RequestURLs = make_set(Url, 100),
      DestinationIPList=make_set(DstIpAddr, 100)
      by SrcIpAddr, SrcUsername, SrcHostname, DstHostname
  | where RequestCount > threshold  // Adjust the threshold as per your requirements
  | extend Name = iif(SrcUsername contains "@", tostring(split(SrcUsername,'@',0)[0]),SrcUsername), UPNSuffix = iif(SrcUsername contains "@",tostring(split(SrcUsername,'@',1)[0]),"")  
entityMappings:
- entityType: IP
  fieldMappings:
  - columnName: SrcIpAddr
    identifier: Address
- entityType: Account
  fieldMappings:
  - columnName: Name
    identifier: Name
  - columnName: UPNSuffix
    identifier: UPNSuffix
- entityType: Host
  fieldMappings:
  - columnName: DstHostname
    identifier: HostName
- entityType: Host
  fieldMappings:
  - columnName: SrcHostname
    identifier: HostName
status: Available
severity: Medium
version: 1.0.0
queryPeriod: 1h
{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "workspace": {
      "type": "String"
    }
  },
  "resources": [
    {
      "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/b3731ce1-1f04-47c4-95c2-9827408c4375')]",
      "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/b3731ce1-1f04-47c4-95c2-9827408c4375')]",
      "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
      "kind": "Scheduled",
      "apiVersion": "2022-11-01-preview",
      "properties": {
        "displayName": "Detect potential file enumeration activity (ASIM Web Session)",
        "description": "'This detection method identifies potential cases of file enumeration activity. The query is designed to identify client sources that generate multiple requests resulting in 404 error codes'\n",
        "severity": "Medium",
        "enabled": true,
        "query": "// HTTP response status codes indicate whether a specific HTTP request has been successfully completed.\n// Please refer this for more details: https://developer.mozilla.org/en-US/docs/Web/HTTP/Status\nlet HTTPErrorCode=dynamic([\"404\"]);\nlet threshold = 10; // You can update this threshold to the value that suites your environment\n// let FileNotFoundRequests = \n_Im_WebSession (starttime=ago(1h))\n| where EventResultDetails in~ (HTTPErrorCode)\n// Filter the logs to include only HTTP GET requests with an HTTP status code of 404 and '/' in the URL\n| where HttpRequestMethod =~ \"GET\" and Url contains \"/\"\n| summarize\n    RequestCount = count(),\n    FileCount=dcount(Url),\n    EventStartTime=min(TimeGenerated),\n    EventEndTime=max(TimeGenerated),\n    RequestURLs = make_set(Url, 100),\n    DestinationIPList=make_set(DstIpAddr, 100)\n    by SrcIpAddr, SrcUsername, SrcHostname, DstHostname\n| where RequestCount > threshold  // Adjust the threshold as per your requirements\n| extend Name = iif(SrcUsername contains \"@\", tostring(split(SrcUsername,'@',0)[0]),SrcUsername), UPNSuffix = iif(SrcUsername contains \"@\",tostring(split(SrcUsername,'@',1)[0]),\"\")\n",
        "queryFrequency": "PT1H",
        "queryPeriod": "PT1H",
        "triggerOperator": "GreaterThan",
        "triggerThreshold": 0,
        "suppressionDuration": "PT1H",
        "suppressionEnabled": false,
        "tactics": [
          "Discovery",
          "CommandAndControl",
          "CredentialAccess"
        ],
        "techniques": [
          "T1083",
          "T1071",
          "T1110"
        ],
        "alertRuleTemplateName": "b3731ce1-1f04-47c4-95c2-9827408c4375",
        "eventGroupingSettings": {
          "aggregationKind": "AlertPerResult"
        },
        "alertDetailsOverride": {
          "alertDisplayNameFormat": "User '{{SrcUsername}}' with IP '{{SrcIpAddr}}' has been observed with performing file enumeration activity",
          "alertDescriptionFormat": "User generated multiple requests '{{RequestCount}}' that has resulted in error code '404', suggesting the possibility of file enumeration activity. It's important to investigate the source and patterns of these extensive 404 errors to identify potential security threats. Details about this error code could be found [here](https://developer.mozilla.org/en-US/docs/Web/HTTP/Status)"
        },
        "customDetails": {
          "FileCount": "FileCount",
          "DestinationIPList": "DestinationIPList",
          "RequestURLs": "RequestURLs",
          "EventStartTime": "EventStartTime",
          "EventEndTime": "EventEndTime",
          "RequestCount": "RequestCount"
        },
        "entityMappings": [
          {
            "fieldMappings": [
              {
                "identifier": "Address",
                "columnName": "SrcIpAddr"
              }
            ],
            "entityType": "IP"
          },
          {
            "fieldMappings": [
              {
                "identifier": "Name",
                "columnName": "Name"
              },
              {
                "identifier": "UPNSuffix",
                "columnName": "UPNSuffix"
              }
            ],
            "entityType": "Account"
          },
          {
            "fieldMappings": [
              {
                "identifier": "HostName",
                "columnName": "DstHostname"
              }
            ],
            "entityType": "Host"
          },
          {
            "fieldMappings": [
              {
                "identifier": "HostName",
                "columnName": "SrcHostname"
              }
            ],
            "entityType": "Host"
          }
        ],
        "status": "Available",
        "templateVersion": "1.0.0",
        "OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Web Session Essentials/Analytic Rules/PotentionalFileEnumeration.yaml",
        "tags": [
          {
            "SchemaVersion": "0.2.6",
            "Schema": "WebSession"
          }
        ]
      }
    }
  ]
}