Detections/ASimWebSession/UnusualUACryptoMiners.yaml


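id: 8cbc3215-fa58-4bd6-aaaa-f0029c351730
name: A host is potentially running a crypto miner (ASIM Web Session schema)
description: |
  'This rule identifies a web request with a user agent header known to belong to a crypto miner. This indicates a crypto miner may have infected the client machine.<br>You can add custom crypto mining indicating User-Agent headers using a watchlist, for more information refer to the [UnusualUserAgents Watchlist](https://aka.ms/ASimUnusualUserAgentsWatchlist).<br><br>   This analytic rule uses [ASIM](https://aka.ms/AboutASIM) and supports any built-in or custom source that supports the ASIM WebSession schema (ASIM WebSession Schema)'
severity: Medium
tags:
    # Source-specific rule this ASIM rule generalizes.
    - ParentAlert: https://github.com/Azure/Azure-Sentinel/blob/master/Detections/CiscoUmbrella/CiscoUmbrellaCryptoMinerUserAgentDetected.yaml
      version: 1.0.0
    - Schema: ASimWebSession
      SchemaVersion: 0.2.1
# The connectors listed here are the ones explicitly wired to this rule; the query itself
# goes through the _Im_WebSession parser, so any source normalized to the WebSession schema
# is evaluated.
requiredDataConnectors:
  - connectorId: SquidProxy
    dataTypes:
      - SquidProxy_CL
  - connectorId: Zscaler
    dataTypes:
      - CommonSecurityLog

# Look-back equals run interval, so each event is evaluated once.
queryFrequency: 15m
queryPeriod: 15m
triggerOperator: gt
triggerThreshold: 0
tactics:
    - CommandandControl
query: |
    // Indicator category pulled from both the built-in feed and the customer watchlist.
    let threatCategory="Cryptominer";
    // NOTE(review): the indicator list is fetched at query time from the 'master' branch of a
    // public repository, so whoever can change that file changes what this rule matches, and
    // a failed fetch fails the whole query (no alerts and nothing surfaced to an analyst).
    // Pinning a commit or mirroring the CSV into a watchlist avoids both; confirm which is
    // acceptable for the workspace.
    let knownUserAgentsIndicators = materialize(externaldata(UserAgent:string, Category:string)
        [ @"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Sample%20Data/Feeds/UnusualUserAgents.csv"]
            with(format="csv", ignoreFirstRecord=True));
    let knownUserAgents=toscalar(knownUserAgentsIndicators | where Category==threatCategory | where isnotempty(UserAgent) | summarize make_list(UserAgent));
    // Customer-supplied indicators. column_ifexists tolerates a watchlist without a UserAgent
    // column; NOTE(review): a watchlist that does not exist at all may fail the query — confirm.
    let customUserAgents=toscalar(_GetWatchlist("UnusualUserAgents") | where SearchKey==threatCategory | extend UserAgent=column_ifexists("UserAgent","") | where isnotempty(UserAgent) | summarize make_list(UserAgent));
    let fullUAList = array_concat(knownUserAgents,customUserAgents);
    _Im_WebSession(httpuseragent_has_any=fullUAList)
    // Fail closed: ASIM parsers by convention treat an empty filter list as "no filter", so
    // with an empty feed and an empty watchlist the parser alone would return every web
    // session. has_any against an empty list is always false, so re-checking the match here
    // makes the rule independent of that parser behavior.
    | where array_length(fullUAList) > 0 and HttpUserAgent has_any (fullUAList)
    // Aggregate per 15-minute window (the query period). Grouping by the raw TimeGenerated
    // made N_Events 1 for every event; binning lets it count repeated beacons from one host,
    // while FirstSeen/LastSeen preserve the precise times for the investigator.
    | summarize N_Events=count(), FirstSeen=min(TimeGenerated), LastSeen=max(TimeGenerated) by SrcIpAddr, Url, HttpUserAgent, SrcUsername, bin(TimeGenerated, 15m)

entityMappings:
  - entityType: URL
    fieldMappings:
      - identifier: Url
        columnName: Url
  - entityType: IP
    fieldMappings:
      - identifier: Address
        columnName: SrcIpAddr
  - entityType: Account
    fieldMappings:
      - identifier: Name
        columnName: SrcUsername

alertDetailsOverride:
  alertDisplayNameFormat: The host {{SrcIpAddr}} is potentially running a crypto miner
  alertDescriptionFormat: The host at address {{SrcIpAddr}} sent an HTTP request to the URL {{Url}} with the HTTP user agent header {{HttpUserAgent}}. This user agent is known to be used by crypto miners and indicates crypto mining activity on the client.
customDetails:
  UserAgent: HttpUserAgent
  # Surfaced so the analyst sees how many requests in the window matched.
  EventCount: N_Events

eventGroupingSettings:
  aggregationKind: AlertPerResult

# Bumped: query output changed (fail-closed guard, per-window aggregation).
version: 1.2.0
kind: Scheduled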