Microsoft Sentinel Analytic Rules
cloudbrothers.infoAzure Sentinel RepoToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeBack to homepage

PaloAlto - Put and post method request in high risk file type

Back
Idf12e9d10-51ca-11ec-bf63-0242ac130002
RulenamePaloAlto - Put and post method request in high risk file type
DescriptionDetects put and post method request in high risk file type.
SeverityHigh
TacticsInitialAccess
TechniquesT1190
T1133
Required data connectorsPaloAltoCDL
PaloAltoCDLAma
KindScheduled
Query frequency10m
Query period10m
Trigger threshold0
Trigger operatorgt
Source Urihttps://github.com/Azure/Azure-Sentinel/blob/master/Solutions/PaloAltoCDL/Analytic Rules/PaloAltoCDLPutMethodInHighRiskFileType.yaml
Version1.0.2
Arm templatef12e9d10-51ca-11ec-bf63-0242ac130002.json
Deploy To Azure
let HighRiskFileType = dynamic(['.exe', '.msi', '.msp', '.jar', '.bat', '.cmd', '.js', '.jse', 'ws', '.ps1', '.ps2', '.msh']);
PaloAltoCDLEvent
| where EventResourceId =~ 'THREAT'
| where EventResult =~ 'file'
| where HttpRequestMethod has_any ("POST", "PUT")
| where FileType in (HighRiskFileType)
| extend FileCustomEntity = SrcFileName
queryFrequency: 10m
severity: High
id: f12e9d10-51ca-11ec-bf63-0242ac130002
status: Available
requiredDataConnectors:
- dataTypes:
  - PaloAltoCDLEvent
  connectorId: PaloAltoCDL
- dataTypes:
  - PaloAltoCDLEvent
  connectorId: PaloAltoCDLAma
kind: Scheduled
description: |
    'Detects put and post method request in high risk file type.'
query: |
  let HighRiskFileType = dynamic(['.exe', '.msi', '.msp', '.jar', '.bat', '.cmd', '.js', '.jse', 'ws', '.ps1', '.ps2', '.msh']);
  PaloAltoCDLEvent
  | where EventResourceId =~ 'THREAT'
  | where EventResult =~ 'file'
  | where HttpRequestMethod has_any ("POST", "PUT")
  | where FileType in (HighRiskFileType)
  | extend FileCustomEntity = SrcFileName  
tactics:
- InitialAccess
triggerThreshold: 0
triggerOperator: gt
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/PaloAltoCDL/Analytic Rules/PaloAltoCDLPutMethodInHighRiskFileType.yaml
relevantTechniques:
- T1190
- T1133
entityMappings:
- entityType: File
  fieldMappings:
  - identifier: Name
    columnName: FileCustomEntity
version: 1.0.2
name: PaloAlto - Put and post method request in high risk file type
queryPeriod: 10m
{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "workspace": {
      "type": "String"
    }
  },
  "resources": [
    {
      "apiVersion": "2023-02-01-preview",
      "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/f12e9d10-51ca-11ec-bf63-0242ac130002')]",
      "kind": "Scheduled",
      "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/f12e9d10-51ca-11ec-bf63-0242ac130002')]",
      "properties": {
        "alertRuleTemplateName": "f12e9d10-51ca-11ec-bf63-0242ac130002",
        "customDetails": null,
        "description": "'Detects put and post method request in high risk file type.'\n",
        "displayName": "PaloAlto - Put and post method request in high risk file type",
        "enabled": true,
        "entityMappings": [
          {
            "entityType": "File",
            "fieldMappings": [
              {
                "columnName": "FileCustomEntity",
                "identifier": "Name"
              }
            ]
          }
        ],
        "OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/PaloAltoCDL/Analytic Rules/PaloAltoCDLPutMethodInHighRiskFileType.yaml",
        "query": "let HighRiskFileType = dynamic(['.exe', '.msi', '.msp', '.jar', '.bat', '.cmd', '.js', '.jse', 'ws', '.ps1', '.ps2', '.msh']);\nPaloAltoCDLEvent\n| where EventResourceId =~ 'THREAT'\n| where EventResult =~ 'file'\n| where HttpRequestMethod has_any (\"POST\", \"PUT\")\n| where FileType in (HighRiskFileType)\n| extend FileCustomEntity = SrcFileName\n",
        "queryFrequency": "PT10M",
        "queryPeriod": "PT10M",
        "severity": "High",
        "status": "Available",
        "suppressionDuration": "PT1H",
        "suppressionEnabled": false,
        "tactics": [
          "InitialAccess"
        ],
        "techniques": [
          "T1133",
          "T1190"
        ],
        "templateVersion": "1.0.2",
        "triggerOperator": "GreaterThan",
        "triggerThreshold": 0
      },
      "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules"
    }
  ]
}