Detect instances of multiple client errors occurring within a brief period of time ASIM Web Session
| Id | faa40333-1e8b-40cc-a003-51ae41fa886f |
| Rulename | Detect instances of multiple client errors occurring within a brief period of time (ASIM Web Session) |
| Description | This detection mechanism identifies situations where multiple client errors originate from a single source within a limited time frame. |
| Severity | Medium |
| Tactics | InitialAccess CommandAndControl |
| Techniques | T1190 T1133 T1071 |
| Kind | Scheduled |
| Query frequency | 1h |
| Query period | 1h |
| Trigger threshold | 0 |
| Trigger operator | gt |
| Source Uri | https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Web Session Essentials/Analytic Rules/MultipleClientErrorsWithinShortTime.yaml |
| Version | 1.0.0 |
| Arm template | faa40333-1e8b-40cc-a003-51ae41fa886f.json |
// HTTP response status codes indicate whether a specific HTTP request has been successfully completed.
// Please refer this for more details: https://developer.mozilla.org/en-US/docs/Web/HTTP/Status
let threshold = 100; // You can set threshold value that suits your environment
_Im_WebSession(starttime=ago(1h))
| where toint(EventResultDetails) between (400 .. 499)
| summarize
TotalErrorCount = count(),
EventStartTime = min(TimeGenerated),
EventEndTime = max(TimeGenerated),
URLs=make_set(Url, 100),
EventResultDetailsSet=make_set(EventResultDetails,10)
by SrcIpAddr, bin(TimeGenerated, 5m), SrcUsername, SrcHostname
| where TotalErrorCount > threshold
| extend Name = iif(SrcUsername contains "@", tostring(split(SrcUsername,'@',0)[0]),SrcUsername), UPNSuffix = iif(SrcUsername contains "@",tostring(split(SrcUsername,'@',1)[0]),""), Threshold=threshold
severity: Medium
relevantTechniques:
- T1190
- T1133
- T1071
requiredDataConnectors: []
status: Available
triggerThreshold: 0
description: |
'This detection mechanism identifies situations where multiple client errors originate from a single source within a limited time frame.'
triggerOperator: gt
alertDetailsOverride:
alertDescriptionFormat: "The client has made a total of '{{TotalErrorCount}}' requests to URLs '{{URLs}}', which have resulted in client errors. A sudden surge in HTTP code errors, especially in the form of client-side errors like 400 or 401, could indicate malicious activity, such as attackers attempting to exploit vulnerabilities or perform unauthorized actions. For detailed information regarding the specific errors encountered, please refer to the following link: https://developer.mozilla.org/en-US/docs/Web/HTTP/Status."
alertDisplayNameFormat: High number of client errors originated by user '{{SrcUsername}}' from IP address '{{SrcIpAddr}}'
name: Detect instances of multiple client errors occurring within a brief period of time (ASIM Web Session)
customDetails:
EventStartTime: EventStartTime
RequestURLs: URLs
ErrorThreshold: Threshold
TotalErrorCount: TotalErrorCount
EventResultSet: EventResultDetailsSet
EventEndTime: EventEndTime
queryFrequency: 1h
version: 1.0.0
kind: Scheduled
query: |
// HTTP response status codes indicate whether a specific HTTP request has been successfully completed.
// Please refer this for more details: https://developer.mozilla.org/en-US/docs/Web/HTTP/Status
let threshold = 100; // You can set threshold value that suits your environment
_Im_WebSession(starttime=ago(1h))
| where toint(EventResultDetails) between (400 .. 499)
| summarize
TotalErrorCount = count(),
EventStartTime = min(TimeGenerated),
EventEndTime = max(TimeGenerated),
URLs=make_set(Url, 100),
EventResultDetailsSet=make_set(EventResultDetails,10)
by SrcIpAddr, bin(TimeGenerated, 5m), SrcUsername, SrcHostname
| where TotalErrorCount > threshold
| extend Name = iif(SrcUsername contains "@", tostring(split(SrcUsername,'@',0)[0]),SrcUsername), UPNSuffix = iif(SrcUsername contains "@",tostring(split(SrcUsername,'@',1)[0]),""), Threshold=threshold
entityMappings:
- entityType: IP
fieldMappings:
- columnName: SrcIpAddr
identifier: Address
- entityType: Account
fieldMappings:
- columnName: Name
identifier: Name
- columnName: UPNSuffix
identifier: UPNSuffix
- entityType: Host
fieldMappings:
- columnName: SrcHostname
identifier: HostName
tactics:
- InitialAccess
- CommandAndControl
queryPeriod: 1h
tags:
- Schema: WebSession
SchemaVersion: 0.2.6
eventGroupingSettings:
aggregationKind: AlertPerResult
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Web Session Essentials/Analytic Rules/MultipleClientErrorsWithinShortTime.yaml
id: faa40333-1e8b-40cc-a003-51ae41fa886f
{
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"parameters": {
"workspace": {
"type": "String"
}
},
"resources": [
{
"apiVersion": "2024-01-01-preview",
"id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/faa40333-1e8b-40cc-a003-51ae41fa886f')]",
"kind": "Scheduled",
"name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/faa40333-1e8b-40cc-a003-51ae41fa886f')]",
"properties": {
"alertDetailsOverride": {
"alertDescriptionFormat": "The client has made a total of '{{TotalErrorCount}}' requests to URLs '{{URLs}}', which have resulted in client errors. A sudden surge in HTTP code errors, especially in the form of client-side errors like 400 or 401, could indicate malicious activity, such as attackers attempting to exploit vulnerabilities or perform unauthorized actions. For detailed information regarding the specific errors encountered, please refer to the following link: https://developer.mozilla.org/en-US/docs/Web/HTTP/Status.",
"alertDisplayNameFormat": "High number of client errors originated by user '{{SrcUsername}}' from IP address '{{SrcIpAddr}}'"
},
"alertRuleTemplateName": "faa40333-1e8b-40cc-a003-51ae41fa886f",
"customDetails": {
"ErrorThreshold": "Threshold",
"EventEndTime": "EventEndTime",
"EventResultSet": "EventResultDetailsSet",
"EventStartTime": "EventStartTime",
"RequestURLs": "URLs",
"TotalErrorCount": "TotalErrorCount"
},
"description": "'This detection mechanism identifies situations where multiple client errors originate from a single source within a limited time frame.'\n",
"displayName": "Detect instances of multiple client errors occurring within a brief period of time (ASIM Web Session)",
"enabled": true,
"entityMappings": [
{
"entityType": "IP",
"fieldMappings": [
{
"columnName": "SrcIpAddr",
"identifier": "Address"
}
]
},
{
"entityType": "Account",
"fieldMappings": [
{
"columnName": "Name",
"identifier": "Name"
},
{
"columnName": "UPNSuffix",
"identifier": "UPNSuffix"
}
]
},
{
"entityType": "Host",
"fieldMappings": [
{
"columnName": "SrcHostname",
"identifier": "HostName"
}
]
}
],
"eventGroupingSettings": {
"aggregationKind": "AlertPerResult"
},
"OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Web Session Essentials/Analytic Rules/MultipleClientErrorsWithinShortTime.yaml",
"query": "// HTTP response status codes indicate whether a specific HTTP request has been successfully completed.\n// Please refer this for more details: https://developer.mozilla.org/en-US/docs/Web/HTTP/Status\nlet threshold = 100; // You can set threshold value that suits your environment\n_Im_WebSession(starttime=ago(1h))\n| where toint(EventResultDetails) between (400 .. 499)\n| summarize\n TotalErrorCount = count(),\n EventStartTime = min(TimeGenerated),\n EventEndTime = max(TimeGenerated),\n URLs=make_set(Url, 100),\n EventResultDetailsSet=make_set(EventResultDetails,10)\n by SrcIpAddr, bin(TimeGenerated, 5m), SrcUsername, SrcHostname\n| where TotalErrorCount > threshold\n| extend Name = iif(SrcUsername contains \"@\", tostring(split(SrcUsername,'@',0)[0]),SrcUsername), UPNSuffix = iif(SrcUsername contains \"@\",tostring(split(SrcUsername,'@',1)[0]),\"\"), Threshold=threshold\n",
"queryFrequency": "PT1H",
"queryPeriod": "PT1H",
"severity": "Medium",
"status": "Available",
"subTechniques": [],
"suppressionDuration": "PT1H",
"suppressionEnabled": false,
"tactics": [
"CommandAndControl",
"InitialAccess"
],
"tags": [
{
"Schema": "WebSession",
"SchemaVersion": "0.2.6"
}
],
"techniques": [
"T1071",
"T1133",
"T1190"
],
"templateVersion": "1.0.0",
"triggerOperator": "GreaterThan",
"triggerThreshold": 0
},
"type": "Microsoft.OperationalInsights/workspaces/providers/alertRules"
}
]
}