Anomalous User Agent connection attempt
| Id | f845881e-2500-44dc-8ed7-b372af3e1e25 |
| Rulename | Anomalous User Agent connection attempt |
| Description | Identifies connection attempts (success or fail) from clients with very short or very long User Agent strings and with less than 100 connection attempts. |
| Severity | Low |
| Tactics | InitialAccess |
| Techniques | T1190 |
| Required data connectors | AzureMonitor(IIS) |
| Kind | Scheduled |
| Query frequency | 1d |
| Query period | 1d |
| Trigger threshold | 0 |
| Trigger operator | gt |
| Source Uri | https://github.com/Azure/Azure-Sentinel/blob/master/Detections/W3CIISLog/AnomomlousUserAgentConnection.yaml |
| Version | 1.0.2 |
| Arm template | f845881e-2500-44dc-8ed7-b372af3e1e25.json |
let short_uaLength = 5;
let long_uaLength = 1000;
let c_threshold = 100;
W3CIISLog
// Exclude local IPs as these create noise
| where cIP !startswith "192.168." and cIP != "::1"
| where isnotempty(csUserAgent) and csUserAgent !in~ ("-", "MSRPC") and (string_size(csUserAgent) <= short_uaLength or string_size(csUserAgent) >= long_uaLength)
| extend csUserAgent_size = string_size(csUserAgent)
| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated), ConnectionCount = count() by Computer, sSiteName, sPort, csUserAgent, csUserAgent_size, csUserName , csMethod, csUriStem, sIP, cIP, scStatus, scSubStatus, scWin32Status
| where ConnectionCount < c_threshold
| extend timestamp = StartTimeUtc, AccountCustomEntity = csUserName, HostCustomEntity = Computer, IPCustomEntity = cIP
kind: Scheduled
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Detections/W3CIISLog/AnomomlousUserAgentConnection.yaml
severity: Low
metadata:
support:
tier: Community
categories:
domains:
- Security - Threat Protection
source:
kind: Community
author:
name: Shain
name: Anomalous User Agent connection attempt
entityMappings:
- entityType: Account
fieldMappings:
- columnName: AccountCustomEntity
identifier: FullName
- entityType: Host
fieldMappings:
- columnName: HostCustomEntity
identifier: FullName
- entityType: IP
fieldMappings:
- columnName: IPCustomEntity
identifier: Address
relevantTechniques:
- T1190
queryFrequency: 1d
triggerThreshold: 0
queryPeriod: 1d
description: |
'Identifies connection attempts (success or fail) from clients with very short or very long User Agent strings and with less than 100 connection attempts.'
id: f845881e-2500-44dc-8ed7-b372af3e1e25
version: 1.0.2
tactics:
- InitialAccess
query: |
let short_uaLength = 5;
let long_uaLength = 1000;
let c_threshold = 100;
W3CIISLog
// Exclude local IPs as these create noise
| where cIP !startswith "192.168." and cIP != "::1"
| where isnotempty(csUserAgent) and csUserAgent !in~ ("-", "MSRPC") and (string_size(csUserAgent) <= short_uaLength or string_size(csUserAgent) >= long_uaLength)
| extend csUserAgent_size = string_size(csUserAgent)
| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated), ConnectionCount = count() by Computer, sSiteName, sPort, csUserAgent, csUserAgent_size, csUserName , csMethod, csUriStem, sIP, cIP, scStatus, scSubStatus, scWin32Status
| where ConnectionCount < c_threshold
| extend timestamp = StartTimeUtc, AccountCustomEntity = csUserName, HostCustomEntity = Computer, IPCustomEntity = cIP
requiredDataConnectors:
- dataTypes:
- W3CIISLog
connectorId: AzureMonitor(IIS)
triggerOperator: gt
{
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"parameters": {
"workspace": {
"type": "String"
}
},
"resources": [
{
"id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/f845881e-2500-44dc-8ed7-b372af3e1e25')]",
"name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/f845881e-2500-44dc-8ed7-b372af3e1e25')]",
"type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
"kind": "Scheduled",
"apiVersion": "2022-11-01-preview",
"properties": {
"displayName": "Anomalous User Agent connection attempt",
"description": "'Identifies connection attempts (success or fail) from clients with very short or very long User Agent strings and with less than 100 connection attempts.'\n",
"severity": "Low",
"enabled": true,
"query": "let short_uaLength = 5;\nlet long_uaLength = 1000;\nlet c_threshold = 100;\nW3CIISLog\n// Exclude local IPs as these create noise\n| where cIP !startswith \"192.168.\" and cIP != \"::1\"\n| where isnotempty(csUserAgent) and csUserAgent !in~ (\"-\", \"MSRPC\") and (string_size(csUserAgent) <= short_uaLength or string_size(csUserAgent) >= long_uaLength)\n| extend csUserAgent_size = string_size(csUserAgent)\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated), ConnectionCount = count() by Computer, sSiteName, sPort, csUserAgent, csUserAgent_size, csUserName , csMethod, csUriStem, sIP, cIP, scStatus, scSubStatus, scWin32Status\n| where ConnectionCount < c_threshold\n| extend timestamp = StartTimeUtc, AccountCustomEntity = csUserName, HostCustomEntity = Computer, IPCustomEntity = cIP\n",
"queryFrequency": "P1D",
"queryPeriod": "P1D",
"triggerOperator": "GreaterThan",
"triggerThreshold": 0,
"suppressionDuration": "PT1H",
"suppressionEnabled": false,
"tactics": [
"InitialAccess"
],
"techniques": [
"T1190"
],
"alertRuleTemplateName": "f845881e-2500-44dc-8ed7-b372af3e1e25",
"customDetails": null,
"entityMappings": [
{
"entityType": "Account",
"fieldMappings": [
{
"identifier": "FullName",
"columnName": "AccountCustomEntity"
}
]
},
{
"entityType": "Host",
"fieldMappings": [
{
"identifier": "FullName",
"columnName": "HostCustomEntity"
}
]
},
{
"entityType": "IP",
"fieldMappings": [
{
"identifier": "Address",
"columnName": "IPCustomEntity"
}
]
}
],
"templateVersion": "1.0.2",
"OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Detections/W3CIISLog/AnomomlousUserAgentConnection.yaml"
}
}
]
}