Microsoft Sentinel Analytic Rules
cloudbrothers.infoAzure Sentinel RepoToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeBack to homepage

PaloAlto - Put and post method request in high risk file type

Back
Idf12e9d10-51ca-11ec-bf63-0242ac130002
RulenamePaloAlto - Put and post method request in high risk file type
DescriptionDetects put and post method request in high risk file type.
SeverityHigh
TacticsInitialAccess
TechniquesT1190
T1133
Required data connectorsCefAma
PaloAltoCDL
PaloAltoCDLAma
KindScheduled
Query frequency10m
Query period10m
Trigger threshold0
Trigger operatorgt
Source Urihttps://github.com/Azure/Azure-Sentinel/blob/master/Solutions/PaloAltoCDL/Analytic Rules/PaloAltoCDLPutMethodInHighRiskFileType.yaml
Version1.0.3
Arm templatef12e9d10-51ca-11ec-bf63-0242ac130002.json
Deploy To Azure
let HighRiskFileType = dynamic(['.exe', '.msi', '.msp', '.jar', '.bat', '.cmd', '.js', '.jse', 'ws', '.ps1', '.ps2', '.msh']);
PaloAltoCDLEvent
| where EventResourceId =~ 'THREAT'
| where EventResult =~ 'file'
| where HttpRequestMethod has_any ("POST", "PUT")
| where FileType in (HighRiskFileType)
| extend FileCustomEntity = SrcFileName
status: Available
queryFrequency: 10m
description: |
    'Detects put and post method request in high risk file type.'
severity: High
version: 1.0.3
relevantTechniques:
- T1190
- T1133
name: PaloAlto - Put and post method request in high risk file type
triggerThreshold: 0
kind: Scheduled
query: |
  let HighRiskFileType = dynamic(['.exe', '.msi', '.msp', '.jar', '.bat', '.cmd', '.js', '.jse', 'ws', '.ps1', '.ps2', '.msh']);
  PaloAltoCDLEvent
  | where EventResourceId =~ 'THREAT'
  | where EventResult =~ 'file'
  | where HttpRequestMethod has_any ("POST", "PUT")
  | where FileType in (HighRiskFileType)
  | extend FileCustomEntity = SrcFileName  
triggerOperator: gt
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/PaloAltoCDL/Analytic Rules/PaloAltoCDLPutMethodInHighRiskFileType.yaml
requiredDataConnectors:
- connectorId: PaloAltoCDL
  dataTypes:
  - PaloAltoCDLEvent
- connectorId: PaloAltoCDLAma
  dataTypes:
  - PaloAltoCDLEvent
- connectorId: CefAma
  dataTypes:
  - CommonSecurityLog
tactics:
- InitialAccess
id: f12e9d10-51ca-11ec-bf63-0242ac130002
queryPeriod: 10m
entityMappings:
- fieldMappings:
  - columnName: FileCustomEntity
    identifier: Name
  entityType: File
{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "workspace": {
      "type": "String"
    }
  },
  "resources": [
    {
      "apiVersion": "2024-01-01-preview",
      "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/f12e9d10-51ca-11ec-bf63-0242ac130002')]",
      "kind": "Scheduled",
      "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/f12e9d10-51ca-11ec-bf63-0242ac130002')]",
      "properties": {
        "alertRuleTemplateName": "f12e9d10-51ca-11ec-bf63-0242ac130002",
        "customDetails": null,
        "description": "'Detects put and post method request in high risk file type.'\n",
        "displayName": "PaloAlto - Put and post method request in high risk file type",
        "enabled": true,
        "entityMappings": [
          {
            "entityType": "File",
            "fieldMappings": [
              {
                "columnName": "FileCustomEntity",
                "identifier": "Name"
              }
            ]
          }
        ],
        "OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/PaloAltoCDL/Analytic Rules/PaloAltoCDLPutMethodInHighRiskFileType.yaml",
        "query": "let HighRiskFileType = dynamic(['.exe', '.msi', '.msp', '.jar', '.bat', '.cmd', '.js', '.jse', 'ws', '.ps1', '.ps2', '.msh']);\nPaloAltoCDLEvent\n| where EventResourceId =~ 'THREAT'\n| where EventResult =~ 'file'\n| where HttpRequestMethod has_any (\"POST\", \"PUT\")\n| where FileType in (HighRiskFileType)\n| extend FileCustomEntity = SrcFileName\n",
        "queryFrequency": "PT10M",
        "queryPeriod": "PT10M",
        "severity": "High",
        "status": "Available",
        "subTechniques": [],
        "suppressionDuration": "PT1H",
        "suppressionEnabled": false,
        "tactics": [
          "InitialAccess"
        ],
        "techniques": [
          "T1133",
          "T1190"
        ],
        "templateVersion": "1.0.3",
        "triggerOperator": "GreaterThan",
        "triggerThreshold": 0
      },
      "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules"
    }
  ]
}