The download of potentially risky files from the Discord Content Delivery Network CDN ASIM Web Session
Id | b7fe8f27-7010-404b-aec5-6e5245cea580 |
Rulename | The download of potentially risky files from the Discord Content Delivery Network (CDN) (ASIM Web Session) |
Description | This detection mechanism identifies instances where requests are made to Discord CDN addresses for file extensions that are considered risky. It triggers when a callout is made to a Discord server that has only been encountered once in your environment. The uniqueness of Discord servers is determined based on the server ID present in the request URL (DiscordServerId in the query). Discord CDN has been utilized in numerous campaigns to download additional payloads, highlighting the importance of monitoring such activities. The query includes a sample set of popular web script extensions (scriptExtensions), which should be customized to align with the specific requirements of your environment |
Severity | Medium |
Tactics | CommandAndControl |
Techniques | T1071.001 |
Kind | Scheduled |
Query frequency | 1d |
Query period | 1d |
Trigger threshold | 0 |
Trigger operator | gt |
Source Uri | https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Web Session Essentials/Analytic Rules/DiscordCDNRiskyFileDownload.yaml |
Version | 1.0.0 |
Arm template | b7fe8f27-7010-404b-aec5-6e5245cea580.json |
let lookback = 1d;
let connectionThreshold = 1;
let RiskyFileExtensions = materialize(externaldata(Extensions: string)
[@"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Sample%20Data/Feeds/RiskyFileExtensionsInUrl.csv"]
with(format="csv", ignoreFirstRecord=True));
let CustomRiskyFileExtensions = (_ASIM_GetWatchlistRaw("Web_RiskyFileExtensions") // Create new Watchlist and add your custom indicators(Optional)
| extend
Extensions = tostring(WatchlistItem["Extensions"])
| project Extensions
| where isnotempty(Extensions));
let CombinedRiskyFileExtensions = union RiskyFileExtensions, CustomRiskyFileExtensions;
let knownRiskyFileExtensions=toscalar(CombinedRiskyFileExtensions
| where isnotempty(Extensions)
| summarize make_set(Extensions, 1000));
let discord=dynamic(["cdn.discordapp.com", "media.discordapp.com"]);
let WebData = _Im_WebSession(starttime=ago(lookback), url_has_any=discord, eventresult='Success')
| where isnotempty(Url)
| project Url, SrcUsername, SrcIpAddr, TimeGenerated, SrcHostname
| where Url has "attachments"
| extend DiscordServerId = extract(@"\/attachments\/([0-9]+)\/", 1, Url);
WebData
| summarize
dcount(Url),
min(TimeGenerated),
max(TimeGenerated)
by DiscordServerId
| join kind=inner (WebData) on DiscordServerId
| where dcount_Url <= connectionThreshold and Url has_any (knownRiskyFileExtensions)
| summarize EventCount = count()
by
EventStartTime=min_TimeGenerated,
EventEndTime=max_TimeGenerated,
SrcUsername,
SrcHostname,
SrcIpAddr,
Url
| extend
Name = iif(SrcUsername contains "@", tostring(split(SrcUsername, '@', 0)[0]), SrcUsername),
UPNSuffix = iif(SrcUsername contains "@", tostring(split(SrcUsername, '@', 1)[0]), "")
requiredDataConnectors: []
status: Available
relevantTechniques:
- T1071.001
queryFrequency: 1d
id: b7fe8f27-7010-404b-aec5-6e5245cea580
eventGroupingSettings:
aggregationKind: AlertPerResult
customDetails:
EventEndTime: EventEndTime
EventStartTime: EventStartTime
name: The download of potentially risky files from the Discord Content Delivery Network (CDN) (ASIM Web Session)
severity: Medium
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Web Session Essentials/Analytic Rules/DiscordCDNRiskyFileDownload.yaml
queryPeriod: 1d
entityMappings:
- fieldMappings:
- columnName: Name
identifier: Name
- columnName: UPNSuffix
identifier: UPNSuffix
entityType: Account
- fieldMappings:
- columnName: SrcIpAddr
identifier: Address
entityType: IP
- fieldMappings:
- columnName: Url
identifier: Url
entityType: URL
- fieldMappings:
- columnName: SrcHostname
identifier: HostName
entityType: Host
description: |
'This detection mechanism identifies instances where requests are made to Discord CDN addresses for file extensions that are considered risky.
It triggers when a callout is made to a Discord server that has only been encountered once in your environment. The uniqueness of Discord servers is determined based on the server ID present in the request URL (DiscordServerId in the query).
Discord CDN has been utilized in numerous campaigns to download additional payloads, highlighting the importance of monitoring such activities.
The query includes a sample set of popular web script extensions (scriptExtensions), which should be customized to align with the specific requirements of your environment'
triggerThreshold: 0
tactics:
- CommandAndControl
tags:
- Schema: WebSession
SchemaVersion: 0.2.6
query: |
let lookback = 1d;
let connectionThreshold = 1;
let RiskyFileExtensions = materialize(externaldata(Extensions: string)
[@"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Sample%20Data/Feeds/RiskyFileExtensionsInUrl.csv"]
with(format="csv", ignoreFirstRecord=True));
let CustomRiskyFileExtensions = (_ASIM_GetWatchlistRaw("Web_RiskyFileExtensions") // Create new Watchlist and add your custom indicators(Optional)
| extend
Extensions = tostring(WatchlistItem["Extensions"])
| project Extensions
| where isnotempty(Extensions));
let CombinedRiskyFileExtensions = union RiskyFileExtensions, CustomRiskyFileExtensions;
let knownRiskyFileExtensions=toscalar(CombinedRiskyFileExtensions
| where isnotempty(Extensions)
| summarize make_set(Extensions, 1000));
let discord=dynamic(["cdn.discordapp.com", "media.discordapp.com"]);
let WebData = _Im_WebSession(starttime=ago(lookback), url_has_any=discord, eventresult='Success')
| where isnotempty(Url)
| project Url, SrcUsername, SrcIpAddr, TimeGenerated, SrcHostname
| where Url has "attachments"
| extend DiscordServerId = extract(@"\/attachments\/([0-9]+)\/", 1, Url);
WebData
| summarize
dcount(Url),
min(TimeGenerated),
max(TimeGenerated)
by DiscordServerId
| join kind=inner (WebData) on DiscordServerId
| where dcount_Url <= connectionThreshold and Url has_any (knownRiskyFileExtensions)
| summarize EventCount = count()
by
EventStartTime=min_TimeGenerated,
EventEndTime=max_TimeGenerated,
SrcUsername,
SrcHostname,
SrcIpAddr,
Url
| extend
Name = iif(SrcUsername contains "@", tostring(split(SrcUsername, '@', 0)[0]), SrcUsername),
UPNSuffix = iif(SrcUsername contains "@", tostring(split(SrcUsername, '@', 1)[0]), "")
kind: Scheduled
triggerOperator: gt
alertDetailsOverride:
alertDisplayNameFormat: User '{{SrcUsername}}' with the IP address '{{SrcIpAddr}}' has been detected downloading potentially risky files from the Discord CDN
alertDescriptionFormat: " Client requested for URL '{{Url}}' that contains a files hosted on a recognized Discord Content Delivery Network (CDN) which are considered to be potentially risky. It is essential to investigate further to determine the nature of the files being requested and the intent of the users involved"
version: 1.0.0
{
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"parameters": {
"workspace": {
"type": "String"
}
},
"resources": [
{
"apiVersion": "2024-01-01-preview",
"id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/b7fe8f27-7010-404b-aec5-6e5245cea580')]",
"kind": "Scheduled",
"name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/b7fe8f27-7010-404b-aec5-6e5245cea580')]",
"properties": {
"alertDetailsOverride": {
"alertDescriptionFormat": " Client requested for URL '{{Url}}' that contains a files hosted on a recognized Discord Content Delivery Network (CDN) which are considered to be potentially risky. It is essential to investigate further to determine the nature of the files being requested and the intent of the users involved",
"alertDisplayNameFormat": "User '{{SrcUsername}}' with the IP address '{{SrcIpAddr}}' has been detected downloading potentially risky files from the Discord CDN"
},
"alertRuleTemplateName": "b7fe8f27-7010-404b-aec5-6e5245cea580",
"customDetails": {
"EventEndTime": "EventEndTime",
"EventStartTime": "EventStartTime"
},
"description": "'This detection mechanism identifies instances where requests are made to Discord CDN addresses for file extensions that are considered risky.\n It triggers when a callout is made to a Discord server that has only been encountered once in your environment. The uniqueness of Discord servers is determined based on the server ID present in the request URL (DiscordServerId in the query).\n Discord CDN has been utilized in numerous campaigns to download additional payloads, highlighting the importance of monitoring such activities.\n The query includes a sample set of popular web script extensions (scriptExtensions), which should be customized to align with the specific requirements of your environment'\n",
"displayName": "The download of potentially risky files from the Discord Content Delivery Network (CDN) (ASIM Web Session)",
"enabled": true,
"entityMappings": [
{
"entityType": "Account",
"fieldMappings": [
{
"columnName": "Name",
"identifier": "Name"
},
{
"columnName": "UPNSuffix",
"identifier": "UPNSuffix"
}
]
},
{
"entityType": "IP",
"fieldMappings": [
{
"columnName": "SrcIpAddr",
"identifier": "Address"
}
]
},
{
"entityType": "URL",
"fieldMappings": [
{
"columnName": "Url",
"identifier": "Url"
}
]
},
{
"entityType": "Host",
"fieldMappings": [
{
"columnName": "SrcHostname",
"identifier": "HostName"
}
]
}
],
"eventGroupingSettings": {
"aggregationKind": "AlertPerResult"
},
"OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Web Session Essentials/Analytic Rules/DiscordCDNRiskyFileDownload.yaml",
"query": "let lookback = 1d;\nlet connectionThreshold = 1;\nlet RiskyFileExtensions = materialize(externaldata(Extensions: string)\n [@\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Sample%20Data/Feeds/RiskyFileExtensionsInUrl.csv\"]\n with(format=\"csv\", ignoreFirstRecord=True));\nlet CustomRiskyFileExtensions = (_ASIM_GetWatchlistRaw(\"Web_RiskyFileExtensions\") // Create new Watchlist and add your custom indicators(Optional)\n | extend\n Extensions = tostring(WatchlistItem[\"Extensions\"])\n | project Extensions\n | where isnotempty(Extensions));\nlet CombinedRiskyFileExtensions = union RiskyFileExtensions, CustomRiskyFileExtensions;\nlet knownRiskyFileExtensions=toscalar(CombinedRiskyFileExtensions\n | where isnotempty(Extensions)\n | summarize make_set(Extensions, 1000));\nlet discord=dynamic([\"cdn.discordapp.com\", \"media.discordapp.com\"]);\nlet WebData = _Im_WebSession(starttime=ago(lookback), url_has_any=discord, eventresult='Success')\n | where isnotempty(Url)\n | project Url, SrcUsername, SrcIpAddr, TimeGenerated, SrcHostname\n | where Url has \"attachments\"\n | extend DiscordServerId = extract(@\"\\/attachments\\/([0-9]+)\\/\", 1, Url);\nWebData\n| summarize\n dcount(Url),\n min(TimeGenerated),\n max(TimeGenerated)\n by DiscordServerId\n| join kind=inner (WebData) on DiscordServerId\n| where dcount_Url <= connectionThreshold and Url has_any (knownRiskyFileExtensions)\n| summarize EventCount = count()\n by\n EventStartTime=min_TimeGenerated,\n EventEndTime=max_TimeGenerated,\n SrcUsername,\n SrcHostname,\n SrcIpAddr,\n Url\n| extend\n Name = iif(SrcUsername contains \"@\", tostring(split(SrcUsername, '@', 0)[0]), SrcUsername),\n UPNSuffix = iif(SrcUsername contains \"@\", tostring(split(SrcUsername, '@', 1)[0]), \"\")\n",
"queryFrequency": "P1D",
"queryPeriod": "P1D",
"severity": "Medium",
"status": "Available",
"subTechniques": [
"T1071.001"
],
"suppressionDuration": "PT1H",
"suppressionEnabled": false,
"tactics": [
"CommandAndControl"
],
"tags": [
{
"Schema": "WebSession",
"SchemaVersion": "0.2.6"
}
],
"techniques": [
"T1071"
],
"templateVersion": "1.0.0",
"triggerOperator": "GreaterThan",
"triggerThreshold": 0
},
"type": "Microsoft.OperationalInsights/workspaces/providers/alertRules"
}
]
}