Anomalous User Agent connection attempt

Back


Id	f845881e-2500-44dc-8ed7-b372af3e1e25
Rulename	Anomalous User Agent connection attempt
Description	Identifies connection attempts (success or fail) from clients with very short or very long User Agent strings and with less than 100 connection attempts.
Severity	Low
Tactics	InitialAccess
Techniques	T1190
Required data connectors	AzureMonitor(IIS)
Kind	Scheduled
Query frequency	1d
Query period	1d
Trigger threshold	0
Trigger operator	gt
Source Uri	https://github.com/Azure/Azure-Sentinel/blob/master/Detections/W3CIISLog/AnomomlousUserAgentConnection.yaml
Version	1.0.3
Arm template	f845881e-2500-44dc-8ed7-b372af3e1e25.json

KQL

let short_uaLength = 5;
let long_uaLength = 1000;
let c_threshold = 100;
W3CIISLog
// Exclude local IPs as these create noise
| where cIP !startswith "192.168." and cIP != "::1"
| where isnotempty(csUserAgent) and csUserAgent !in~ ("-", "MSRPC") and (string_size(csUserAgent) <= short_uaLength or string_size(csUserAgent) >= long_uaLength)
| extend csUserAgent_size = string_size(csUserAgent)
| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated), ConnectionCount = count() by Computer, sSiteName, sPort, csUserAgent, csUserAgent_size, csUserName , csMethod, csUriStem, sIP, cIP, scStatus, scSubStatus, scWin32Status
| where ConnectionCount < c_threshold
| extend HostName = tostring(split(Computer, ".")[0]), DomainIndex = toint(indexof(Computer, '.'))
| extend HostNameDomain = iff(DomainIndex != -1, substring(Computer, DomainIndex + 1), Computer)
| extend AccountName = tostring(split(csUserName, "@")[0]), AccountUPNSuffix = tostring(split(csUserName, "@")[1])

YAML

description: |
    'Identifies connection attempts (success or fail) from clients with very short or very long User Agent strings and with less than 100 connection attempts.'
version: 1.0.3
queryFrequency: 1d
triggerThreshold: 0
tactics:
- InitialAccess
queryPeriod: 1d
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Detections/W3CIISLog/AnomomlousUserAgentConnection.yaml
query: |
  let short_uaLength = 5;
  let long_uaLength = 1000;
  let c_threshold = 100;
  W3CIISLog
  // Exclude local IPs as these create noise
  | where cIP !startswith "192.168." and cIP != "::1"
  | where isnotempty(csUserAgent) and csUserAgent !in~ ("-", "MSRPC") and (string_size(csUserAgent) <= short_uaLength or string_size(csUserAgent) >= long_uaLength)
  | extend csUserAgent_size = string_size(csUserAgent)
  | summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated), ConnectionCount = count() by Computer, sSiteName, sPort, csUserAgent, csUserAgent_size, csUserName , csMethod, csUriStem, sIP, cIP, scStatus, scSubStatus, scWin32Status
  | where ConnectionCount < c_threshold
  | extend HostName = tostring(split(Computer, ".")[0]), DomainIndex = toint(indexof(Computer, '.'))
  | extend HostNameDomain = iff(DomainIndex != -1, substring(Computer, DomainIndex + 1), Computer)
  | extend AccountName = tostring(split(csUserName, "@")[0]), AccountUPNSuffix = tostring(split(csUserName, "@")[1])  
id: f845881e-2500-44dc-8ed7-b372af3e1e25
name: Anomalous User Agent connection attempt
triggerOperator: gt
severity: Low
metadata:
  author:
    name: Microsoft Security Research
  categories:
    domains:
    - Security - Threat Protection
  support:
    tier: Community
  source:
    kind: Community
kind: Scheduled
entityMappings:
- fieldMappings:
  - columnName: csUserName
    identifier: FullName
  - columnName: AccountName
    identifier: Name
  - columnName: AccountUPNSuffix
    identifier: UPNSuffix
  entityType: Account
- fieldMappings:
  - columnName: Computer
    identifier: FullName
  - columnName: HostName
    identifier: HostName
  - columnName: HostNameDomain
    identifier: NTDomain
  entityType: Host
- fieldMappings:
  - columnName: cIP
    identifier: Address
  entityType: IP
relevantTechniques:
- T1190
requiredDataConnectors:
- dataTypes:
  - W3CIISLog
  connectorId: AzureMonitor(IIS)

ARM