Microsoft Sentinel Analytic Rules
cloudbrothers.infoAzure Sentinel RepoToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeBack to homepage
  1. Microsoft Sentinel Analytics Rules
  2. /
  3. Analytic Rules
  4. /
  5. Detect instances of multiple client errors occurring within a brief period of time ASIM Web Session

Detect instances of multiple client errors occurring within a brief period of time ASIM Web Session

Back
Idfaa40333-1e8b-40cc-a003-51ae41fa886f
RulenameDetect instances of multiple client errors occurring within a brief period of time (ASIM Web Session)
DescriptionThis detection mechanism identifies situations where multiple client errors originate from a single source within a limited time frame.
SeverityMedium
TacticsInitialAccess
CommandAndControl
TechniquesT1190
T1133
T1071
KindScheduled
Query frequency1h
Query period1h
Trigger threshold0
Trigger operatorgt
Source Urihttps://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Web Session Essentials/Analytic Rules/MultipleClientErrorsWithinShortTime.yaml
Version1.0.0
Arm templatefaa40333-1e8b-40cc-a003-51ae41fa886f.json
Deploy To Azure
// HTTP response status codes indicate whether a specific HTTP request has been successfully completed.
// Please refer this for more details: https://developer.mozilla.org/en-US/docs/Web/HTTP/Status
let threshold = 100; // You can set threshold value that suits your environment
_Im_WebSession(starttime=ago(1h))
| where toint(EventResultDetails) between (400 .. 499)
| summarize
    TotalErrorCount = count(),
    EventStartTime = min(TimeGenerated),
    EventEndTime = max(TimeGenerated),
    URLs=make_set(Url, 100),
    EventResultDetailsSet=make_set(EventResultDetails,10)
    by SrcIpAddr, bin(TimeGenerated, 5m), SrcUsername, SrcHostname
| where TotalErrorCount > threshold
| extend Name = iif(SrcUsername contains "@", tostring(split(SrcUsername,'@',0)[0]),SrcUsername), UPNSuffix = iif(SrcUsername contains "@",tostring(split(SrcUsername,'@',1)[0]),""), Threshold=threshold

id: faa40333-1e8b-40cc-a003-51ae41fa886f
tactics:
- InitialAccess
- CommandAndControl
queryPeriod: 1h
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Web Session Essentials/Analytic Rules/MultipleClientErrorsWithinShortTime.yaml
eventGroupingSettings:
  aggregationKind: AlertPerResult
triggerThreshold: 0
name: Detect instances of multiple client errors occurring within a brief period of time (ASIM Web Session)
query: |
  // HTTP response status codes indicate whether a specific HTTP request has been successfully completed.
  // Please refer this for more details: https://developer.mozilla.org/en-US/docs/Web/HTTP/Status
  let threshold = 100; // You can set threshold value that suits your environment
  _Im_WebSession(starttime=ago(1h))
  | where toint(EventResultDetails) between (400 .. 499)
  | summarize
      TotalErrorCount = count(),
      EventStartTime = min(TimeGenerated),
      EventEndTime = max(TimeGenerated),
      URLs=make_set(Url, 100),
      EventResultDetailsSet=make_set(EventResultDetails,10)
      by SrcIpAddr, bin(TimeGenerated, 5m), SrcUsername, SrcHostname
  | where TotalErrorCount > threshold
  | extend Name = iif(SrcUsername contains "@", tostring(split(SrcUsername,'@',0)[0]),SrcUsername), UPNSuffix = iif(SrcUsername contains "@",tostring(split(SrcUsername,'@',1)[0]),""), Threshold=threshold  
severity: Medium
customDetails:
  TotalErrorCount: TotalErrorCount
  RequestURLs: URLs
  EventResultSet: EventResultDetailsSet
  ErrorThreshold: Threshold
  EventEndTime: EventEndTime
  EventStartTime: EventStartTime
triggerOperator: gt
kind: Scheduled
relevantTechniques:
- T1190
- T1133
- T1071
tags:
- SchemaVersion: 0.2.6
  Schema: WebSession
queryFrequency: 1h
requiredDataConnectors: []
version: 1.0.0
description: |
    'This detection mechanism identifies situations where multiple client errors originate from a single source within a limited time frame.'
status: Available
alertDetailsOverride:
  alertDisplayNameFormat: High number of client errors originated by user '{{SrcUsername}}' from IP address '{{SrcIpAddr}}'
  alertDescriptionFormat: "The client has made a total of '{{TotalErrorCount}}' requests to URLs '{{URLs}}', which have resulted in client errors. A sudden surge in HTTP code errors, especially in the form of client-side errors like 400 or 401, could indicate malicious activity, such as attackers attempting to exploit vulnerabilities or perform unauthorized actions. For detailed information regarding the specific errors encountered, please refer to the following link: https://developer.mozilla.org/en-US/docs/Web/HTTP/Status."
entityMappings:
- fieldMappings:
  - columnName: SrcIpAddr
    identifier: Address
  entityType: IP
- fieldMappings:
  - columnName: Name
    identifier: Name
  - columnName: UPNSuffix
    identifier: UPNSuffix
  entityType: Account
- fieldMappings:
  - columnName: SrcHostname
    identifier: HostName
  entityType: Host

{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "workspace": {
      "type": "String"
    }
  },
  "resources": [
    {
      "apiVersion": "2024-01-01-preview",
      "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/faa40333-1e8b-40cc-a003-51ae41fa886f')]",
      "kind": "Scheduled",
      "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/faa40333-1e8b-40cc-a003-51ae41fa886f')]",
      "properties": {
        "alertDetailsOverride": {
          "alertDescriptionFormat": "The client has made a total of '{{TotalErrorCount}}' requests to URLs '{{URLs}}', which have resulted in client errors. A sudden surge in HTTP code errors, especially in the form of client-side errors like 400 or 401, could indicate malicious activity, such as attackers attempting to exploit vulnerabilities or perform unauthorized actions. For detailed information regarding the specific errors encountered, please refer to the following link: https://developer.mozilla.org/en-US/docs/Web/HTTP/Status.",
          "alertDisplayNameFormat": "High number of client errors originated by user '{{SrcUsername}}' from IP address '{{SrcIpAddr}}'"
        },
        "alertRuleTemplateName": "faa40333-1e8b-40cc-a003-51ae41fa886f",
        "customDetails": {
          "ErrorThreshold": "Threshold",
          "EventEndTime": "EventEndTime",
          "EventResultSet": "EventResultDetailsSet",
          "EventStartTime": "EventStartTime",
          "RequestURLs": "URLs",
          "TotalErrorCount": "TotalErrorCount"
        },
        "description": "'This detection mechanism identifies situations where multiple client errors originate from a single source within a limited time frame.'\n",
        "displayName": "Detect instances of multiple client errors occurring within a brief period of time (ASIM Web Session)",
        "enabled": true,
        "entityMappings": [
          {
            "entityType": "IP",
            "fieldMappings": [
              {
                "columnName": "SrcIpAddr",
                "identifier": "Address"
              }
            ]
          },
          {
            "entityType": "Account",
            "fieldMappings": [
              {
                "columnName": "Name",
                "identifier": "Name"
              },
              {
                "columnName": "UPNSuffix",
                "identifier": "UPNSuffix"
              }
            ]
          },
          {
            "entityType": "Host",
            "fieldMappings": [
              {
                "columnName": "SrcHostname",
                "identifier": "HostName"
              }
            ]
          }
        ],
        "eventGroupingSettings": {
          "aggregationKind": "AlertPerResult"
        },
        "OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Web Session Essentials/Analytic Rules/MultipleClientErrorsWithinShortTime.yaml",
        "query": "// HTTP response status codes indicate whether a specific HTTP request has been successfully completed.\n// Please refer this for more details: https://developer.mozilla.org/en-US/docs/Web/HTTP/Status\nlet threshold = 100; // You can set threshold value that suits your environment\n_Im_WebSession(starttime=ago(1h))\n| where toint(EventResultDetails) between (400 .. 499)\n| summarize\n    TotalErrorCount = count(),\n    EventStartTime = min(TimeGenerated),\n    EventEndTime = max(TimeGenerated),\n    URLs=make_set(Url, 100),\n    EventResultDetailsSet=make_set(EventResultDetails,10)\n    by SrcIpAddr, bin(TimeGenerated, 5m), SrcUsername, SrcHostname\n| where TotalErrorCount > threshold\n| extend Name = iif(SrcUsername contains \"@\", tostring(split(SrcUsername,'@',0)[0]),SrcUsername), UPNSuffix = iif(SrcUsername contains \"@\",tostring(split(SrcUsername,'@',1)[0]),\"\"), Threshold=threshold\n",
        "queryFrequency": "PT1H",
        "queryPeriod": "PT1H",
        "severity": "Medium",
        "status": "Available",
        "subTechniques": [],
        "suppressionDuration": "PT1H",
        "suppressionEnabled": false,
        "tactics": [
          "CommandAndControl",
          "InitialAccess"
        ],
        "tags": [
          {
            "Schema": "WebSession",
            "SchemaVersion": "0.2.6"
          }
        ],
        "techniques": [
          "T1071",
          "T1133",
          "T1190"
        ],
        "templateVersion": "1.0.0",
        "triggerOperator": "GreaterThan",
        "triggerThreshold": 0
      },
      "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules"
    }
  ]
}