Detections/ASimWebSession/PotentiallyHarmfulFileTypes.yaml
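id: 09c49590-4e9d-4da9-a34d-17222d0c9e7e
name: A client made a web request to a potentially harmful file (ASIM Web Session schema)
description: |
  'This rule identifies a successful web request to a URL whose path ends in a file extension that can be harmful if downloaded - by default .ps1, .vbs, .bat and .scr. Additional extensions (written with their leading dot, e.g. ".hta") can be added through the "RiskyFileTypes" watchlist, column "Extension"; the watchlist should exist (it may be empty) before the rule is enabled, since the query reads it unconditionally. The extension comparison is case-insensitive, so "payload.PS1" is treated the same as "payload.ps1".
  This analytic rule uses [ASIM](https://aka.ms/AboutASIM) and supports any built-in or custom source that supports the ASIM WebSession schema. To use this Analytics Rule, deploy the Advanced Security Information Model (ASIM).'
severity: Medium
tags:
  - ParentAlert: https://github.com/Azure/Azure-Sentinel/blob/master/Detections/CiscoUmbrella/CiscoUmbrellaRequestBlocklistedFileType.yaml
    version: 1.0.0
  - Schema: ASimWebSession
    SchemaVersion: 0.2.1
requiredDataConnectors:
  - connectorId: SquidProxy
    dataTypes:
      - SquidProxy_CL
  - connectorId: Zscaler
    dataTypes:
      - CommonSecurityLog
queryFrequency: 10m
queryPeriod: 10m
triggerOperator: gt
triggerThreshold: 0
tactics:
  - InitialAccess
query: |
  // Built-in extensions that are always flagged. Extend the list through the
  // 'RiskyFileTypes' watchlist (column 'Extension', values include the leading dot).
  let default_file_ext_blocklist = dynamic(['.ps1', '.vbs', '.bat', '.scr']);
  // NOTE(review): _GetWatchlist is evaluated unconditionally; if the watchlist does not
  // exist the whole rule fails rather than falling back to the default list - confirm the
  // watchlist is provisioned (it may be empty) before enabling this rule.
  let custom_file_ext_blocklist = toscalar(
      _GetWatchlist('RiskyFileTypes')
      | extend Extension = tolower(trim(@"\s", tostring(column_ifexists("Extension", ""))))
      | where isnotempty(Extension)
      | summarize make_set(Extension));
  let file_ext_blocklist = array_concat(default_file_ext_blocklist, custom_file_ext_blocklist);
  // url_has_any is only a cheap pre-filter over the whole URL (including query string);
  // the exact extension check on the path below is the authoritative match.
  _Im_WebSession(url_has_any=file_ext_blocklist, eventresult='Success')
  // Last path segment of the URL; query string and fragment are excluded by parse_url.
  | extend requestedFileName = tostring(split(tostring(parse_url(Url)["Path"]), '/')[-1])
  // Trailing '.<word>' of that segment, e.g. 'payload.ps1' -> '.ps1'.
  | extend requestedFileExt = extract(@"(\.\w+)$", 1, requestedFileName, typeof(string))
  // 'in~' is case-insensitive; a plain 'in' would let 'payload.PS1' through.
  | where isnotempty(requestedFileExt) and requestedFileExt in~ (file_ext_blocklist)
  // Only successful requests are selected above, so the count is of successful
  // downloads, not failed attempts. requestedFileExt and SrcUsername are kept in the
  // grouping so the alert templates and custom details below can reference them.
  | summarize LastAttemptTime = max(TimeGenerated), NumRequests = count()
      by SrcIpAddr, SrcUsername, requestedFileName, requestedFileExt, Url
  | extend IPCustomEntity = SrcIpAddr, UrlCustomEntity = Url
alertDetailsOverride:
  alertDisplayNameFormat: Client {{SrcIpAddr}} accessed a URL with potentially harmful extension {{requestedFileExt}}
  alertDescriptionFormat: The client at address {{SrcIpAddr}} accessed the URL {{Url}} that has the extension {{requestedFileExt}}. Downloading a file with this extension may be harmful and may indicate malicious activity.
customDetails:
  requestedFileName: requestedFileName
  requestedFileExt: requestedFileExt
  Username: SrcUsername
  NumRequests: NumRequests
eventGroupingSettings:
  aggregationKind: AlertPerResult
entityMappings:
  - entityType: IP
    fieldMappings:
      - identifier: Address
        columnName: IPCustomEntity
  - entityType: URL
    fieldMappings:
      - identifier: Url
        columnName: UrlCustomEntity
version: 1.1.1
kind: Scheduled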