Microsoft Sentinel Analytic Rules
cloudbrothers.infoAzure Sentinel RepoToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeBack to homepage

CreepyDrive request URL sequence

Back
Ideda260eb-f4a1-4379-ad98-452604da9b3e
RulenameCreepyDrive request URL sequence
DescriptionCreepyDrive uses OneDrive for command and control, however, it makes regular requests to predicatable paths.

This detecton will alert when over 20 sequences are observed in a single day.
SeverityHigh
TacticsExfiltration
CommandAndControl
TechniquesT1567.002
T1102.002
Required data connectorsCheckPoint
Fortinet
PaloAltoNetworks
Zscaler
KindScheduled
Query frequency1d
Query period1d
Trigger threshold0
Trigger operatorgt
Source Urihttps://github.com/Azure/Azure-Sentinel/blob/master/Detections/CommonSecurityLog/CreepyDriveRequestSequence.yaml
Version1.0.1
Arm templateeda260eb-f4a1-4379-ad98-452604da9b3e.json
Deploy To Azure
let eventsThreshold = 20;
CommonSecurityLog
| where isnotempty(RequestURL)
| project TimeGenerated, RequestURL, RequestMethod, SourceIP, SourceHostName
| evaluate sequence_detect(TimeGenerated, 5s, 8s, login=(RequestURL has "login.microsoftonline.com/consumers/oauth2/v2.0/token"), graph=(RequestURL has "graph.microsoft.com/v1.0/me/drive/"), SourceIP, SourceHostName)
| summarize Events=count() by SourceIP, SourceHostName
| where Events >= eventsThreshold
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Detections/CommonSecurityLog/CreepyDriveRequestSequence.yaml
metadata:
  categories:
    domains:
    - Security - Others
  author:
    name: Thomas McElroy
  source:
    kind: Community
  support:
    tier: Community
id: eda260eb-f4a1-4379-ad98-452604da9b3e
query: |
  let eventsThreshold = 20;
  CommonSecurityLog
  | where isnotempty(RequestURL)
  | project TimeGenerated, RequestURL, RequestMethod, SourceIP, SourceHostName
  | evaluate sequence_detect(TimeGenerated, 5s, 8s, login=(RequestURL has "login.microsoftonline.com/consumers/oauth2/v2.0/token"), graph=(RequestURL has "graph.microsoft.com/v1.0/me/drive/"), SourceIP, SourceHostName)
  | summarize Events=count() by SourceIP, SourceHostName
  | where Events >= eventsThreshold  
tags:
- POLONIUM
description: |
  'CreepyDrive uses OneDrive for command and control, however, it makes regular requests to predicatable paths.
  This detecton will alert when over 20 sequences are observed in a single day.'  
name: CreepyDrive request URL sequence
relevantTechniques:
- T1567.002
- T1102.002
entityMappings:
- entityType: IP
  fieldMappings:
  - identifier: Address
    columnName: SourceIP
- entityType: Host
  fieldMappings:
  - identifier: HostName
    columnName: SourceHostName
triggerThreshold: 0
severity: High
requiredDataConnectors:
- dataTypes:
  - CommonSecurityLog
  connectorId: Zscaler
- dataTypes:
  - CommonSecurityLog
  connectorId: Fortinet
- dataTypes:
  - CommonSecurityLog
  connectorId: CheckPoint
- dataTypes:
  - CommonSecurityLog
  connectorId: PaloAltoNetworks
queryFrequency: 1d
queryPeriod: 1d
version: 1.0.1
kind: Scheduled
tactics:
- Exfiltration
- CommandAndControl
triggerOperator: gt
{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "workspace": {
      "type": "String"
    }
  },
  "resources": [
    {
      "apiVersion": "2024-01-01-preview",
      "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/eda260eb-f4a1-4379-ad98-452604da9b3e')]",
      "kind": "Scheduled",
      "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/eda260eb-f4a1-4379-ad98-452604da9b3e')]",
      "properties": {
        "alertRuleTemplateName": "eda260eb-f4a1-4379-ad98-452604da9b3e",
        "customDetails": null,
        "description": "'CreepyDrive uses OneDrive for command and control, however, it makes regular requests to predicatable paths.\nThis detecton will alert when over 20 sequences are observed in a single day.'\n",
        "displayName": "CreepyDrive request URL sequence",
        "enabled": true,
        "entityMappings": [
          {
            "entityType": "IP",
            "fieldMappings": [
              {
                "columnName": "SourceIP",
                "identifier": "Address"
              }
            ]
          },
          {
            "entityType": "Host",
            "fieldMappings": [
              {
                "columnName": "SourceHostName",
                "identifier": "HostName"
              }
            ]
          }
        ],
        "OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Detections/CommonSecurityLog/CreepyDriveRequestSequence.yaml",
        "query": "let eventsThreshold = 20;\nCommonSecurityLog\n| where isnotempty(RequestURL)\n| project TimeGenerated, RequestURL, RequestMethod, SourceIP, SourceHostName\n| evaluate sequence_detect(TimeGenerated, 5s, 8s, login=(RequestURL has \"login.microsoftonline.com/consumers/oauth2/v2.0/token\"), graph=(RequestURL has \"graph.microsoft.com/v1.0/me/drive/\"), SourceIP, SourceHostName)\n| summarize Events=count() by SourceIP, SourceHostName\n| where Events >= eventsThreshold\n",
        "queryFrequency": "P1D",
        "queryPeriod": "P1D",
        "severity": "High",
        "subTechniques": [
          "T1567.002",
          "T1102.002"
        ],
        "suppressionDuration": "PT1H",
        "suppressionEnabled": false,
        "tactics": [
          "CommandAndControl",
          "Exfiltration"
        ],
        "tags": [
          "POLONIUM"
        ],
        "techniques": [
          "T1102",
          "T1567"
        ],
        "templateVersion": "1.0.1",
        "triggerOperator": "GreaterThan",
        "triggerThreshold": 0
      },
      "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules"
    }
  ]
}