Microsoft Sentinel Analytic Rules
cloudbrothers.infoAzure Sentinel RepoToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeBack to homepage

PaloAlto - Put and post method request in high risk file type

Back
Idf12e9d10-51ca-11ec-bf63-0242ac130002
RulenamePaloAlto - Put and post method request in high risk file type
DescriptionDetects put and post method request in high risk file type.
SeverityHigh
TacticsInitialAccess
TechniquesT1190
T1133
Required data connectorsCefAma
KindScheduled
Query frequency10m
Query period10m
Trigger threshold0
Trigger operatorgt
Source Urihttps://github.com/Azure/Azure-Sentinel/blob/master/Solutions/PaloAltoCDL/Analytic Rules/PaloAltoCDLPutMethodInHighRiskFileType.yaml
Version1.0.4
Arm templatef12e9d10-51ca-11ec-bf63-0242ac130002.json
Deploy To Azure
let HighRiskFileType = dynamic(['.exe', '.msi', '.msp', '.jar', '.bat', '.cmd', '.js', '.jse', 'ws', '.ps1', '.ps2', '.msh']);
PaloAltoCDLEvent
| where EventResourceId =~ 'THREAT'
| where EventResult =~ 'file'
| where HttpRequestMethod has_any ("POST", "PUT")
| where FileType in (HighRiskFileType)
| extend FileCustomEntity = SrcFileName
description: |
    'Detects put and post method request in high risk file type.'
tactics:
- InitialAccess
requiredDataConnectors:
- connectorId: CefAma
  dataTypes:
  - CommonSecurityLog
version: 1.0.4
relevantTechniques:
- T1190
- T1133
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/PaloAltoCDL/Analytic Rules/PaloAltoCDLPutMethodInHighRiskFileType.yaml
id: f12e9d10-51ca-11ec-bf63-0242ac130002
severity: High
entityMappings:
- fieldMappings:
  - columnName: FileCustomEntity
    identifier: Name
  entityType: File
triggerThreshold: 0
queryFrequency: 10m
status: Available
queryPeriod: 10m
triggerOperator: gt
kind: Scheduled
query: |
  let HighRiskFileType = dynamic(['.exe', '.msi', '.msp', '.jar', '.bat', '.cmd', '.js', '.jse', 'ws', '.ps1', '.ps2', '.msh']);
  PaloAltoCDLEvent
  | where EventResourceId =~ 'THREAT'
  | where EventResult =~ 'file'
  | where HttpRequestMethod has_any ("POST", "PUT")
  | where FileType in (HighRiskFileType)
  | extend FileCustomEntity = SrcFileName  
name: PaloAlto - Put and post method request in high risk file type
{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "workspace": {
      "type": "String"
    }
  },
  "resources": [
    {
      "apiVersion": "2024-01-01-preview",
      "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/f12e9d10-51ca-11ec-bf63-0242ac130002')]",
      "kind": "Scheduled",
      "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/f12e9d10-51ca-11ec-bf63-0242ac130002')]",
      "properties": {
        "alertRuleTemplateName": "f12e9d10-51ca-11ec-bf63-0242ac130002",
        "customDetails": null,
        "description": "'Detects put and post method request in high risk file type.'\n",
        "displayName": "PaloAlto - Put and post method request in high risk file type",
        "enabled": true,
        "entityMappings": [
          {
            "entityType": "File",
            "fieldMappings": [
              {
                "columnName": "FileCustomEntity",
                "identifier": "Name"
              }
            ]
          }
        ],
        "OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/PaloAltoCDL/Analytic Rules/PaloAltoCDLPutMethodInHighRiskFileType.yaml",
        "query": "let HighRiskFileType = dynamic(['.exe', '.msi', '.msp', '.jar', '.bat', '.cmd', '.js', '.jse', 'ws', '.ps1', '.ps2', '.msh']);\nPaloAltoCDLEvent\n| where EventResourceId =~ 'THREAT'\n| where EventResult =~ 'file'\n| where HttpRequestMethod has_any (\"POST\", \"PUT\")\n| where FileType in (HighRiskFileType)\n| extend FileCustomEntity = SrcFileName\n",
        "queryFrequency": "PT10M",
        "queryPeriod": "PT10M",
        "severity": "High",
        "status": "Available",
        "subTechniques": [],
        "suppressionDuration": "PT1H",
        "suppressionEnabled": false,
        "tactics": [
          "InitialAccess"
        ],
        "techniques": [
          "T1133",
          "T1190"
        ],
        "templateVersion": "1.0.4",
        "triggerOperator": "GreaterThan",
        "triggerThreshold": 0
      },
      "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules"
    }
  ]
}