Merge pull request #8932 from Azure/WebSessionPublicPreview
Web session public preview
v-atulyadav authored Sep 5, 2023
2 parents 437dfd0 + d1354d7 commit 7ae3cb4
Showing 2 changed files with 7 additions and 11 deletions.
Expand Up @@ -63,7 +63,7 @@ query: |
| where tostring(set_Url) has_any(scriptExtensions)
//Remove matches with referer
| where max_HttpReferrer == ""
//Keep requests where data was trasferred either in a GET with parameters or a POST
//Keep requests where data was transferred either in a GET with parameters or a POST
| where set_HttpRequestMethod in~ ("POST") or max_GetData == 1
//Defeat email click tracking, may increase FN's while decreasing FP's
| where set_Url !has "click" and set_HttpRequestMethod !has "GET"
Expand Down Expand Up @@ -102,5 +102,5 @@ customDetails:
alertDetailsOverride:
alertDisplayNameFormat: "User with IP '{{SourceIP}}' has been observed making request for a rare resource"
alertDescriptionFormat: "User requested (TotalEvents='{{EventCount}}') for URL '{{RequestURL}}' which contains a known script extension. The domain associated with this URL has not been accessed by any other user. This activity could be a potential beaconing activity to maintain control over compromised systems, receive instructions, or exfiltrate data"
version: 1.0.0
version: 1.0.1
kind: Scheduled
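Review bot: The reworded comment `//Keep requests where data was transferred either in a GET with parameters or a POST` now reads cleanly but still misdescribes the filter that follows it: two lines later `| where set_Url !has "click" and set_HttpRequestMethod !has "GET"` drops every row whose method set contains GET, so a row kept only through `max_GetData == 1` survives only if it carries parameters without a GET method, and the "GET with parameters" case is in practice almost entirely removed. If the intent is to suppress click-tracking GETs while keeping other parameterised GETs, the second clause should be narrowed (for example testing `set_Url !has "click"` alone); if GETs are meant to be excluded wholesale, the comment should say so, e.g. `//Keep POST requests (GETs are dropped below to defeat click tracking)`. The `query:` block starts before this hunk, so how `max_GetData` and `set_HttpRequestMethod` are derived is not visible here. The bump to `version: 1.0.1` is consistent with a comment-only change.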
Expand Up @@ -2545,12 +2545,10 @@
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "let LastIngestionTime = toscalar (\r\n union isfuzzy=true \r\n (\r\n WebSession_Summarized_SrcIP_CL\r\n | where EventTime_t >= {TimeRange:start}\r\n | summarize max_TimeGenerated=max(EventTime_t)\r\n | extend max_TimeGenerated = datetime_add('hour', 1, max_TimeGenerated)\r\n ),\r\n (\r\n print({TimeRange:start})\r\n | extend max_TimeGenerated = print_0\r\n | project max_TimeGenerated\r\n )\r\n | summarize maxTimeGenerated = max(max_TimeGenerated) \r\n );\r\nlet AllSrcIPs = \r\nunion isfuzzy=true \r\n (\r\n _Im_WebSession(starttime=todatetime(LastIngestionTime), endtime=now())\r\n | where isnotempty(SrcIpAddr)\r\n | extend DestHostname = tostring(parse_url(Url)[\"Host\"])\r\n | where ('*' in~ ({SrcIpAddr}) or (SrcIpAddr in~ ({SrcIpAddr})))\r\n and ('*' in~ ({SrcUsername}) or (SrcUsername in~ ({SrcUsername})))\r\n and ('*' in~ ({SrcHostname}) or (SrcHostname in~ ({SrcHostname})))\r\n and ('*' in~ ({DstHostname}) or (DestHostname in~ ({DstHostname})))\r\n\t\t| project SrcIpAddr\r\n\t\t| distinct SrcIpAddr\r\n ),\r\n (\r\n WebSession_Summarized_SrcIP_CL\r\n | where EventTime_t >= {TimeRange:start}\r\n | where isnotempty(SrcIpAddr_s)\r\n | extend SrcIpAddr=SrcIpAddr_s, DestHostname=DestDomain_s, SrcUsername=SrcUsername_s, SrcHostname=SrcHostname_s\r\n | where ('*' in~ ({SrcIpAddr}) or (SrcIpAddr in~ ({SrcIpAddr})))\r\n and ('*' in~ ({SrcUsername}) or (SrcUsername in~ ({SrcUsername})))\r\n and ('*' in~ ({SrcHostname}) or (SrcHostname in~ ({SrcHostname})))\r\n and ('*' in~ ({DstHostname}) or (DestHostname in~ ({DstHostname})))\r\n\t\t| distinct SrcIpAddr=SrcIpAddr_s\r\n )\r\n | distinct SrcIpAddr;\r\nlet AllDstIPs = \r\nunion isfuzzy=true \r\n (\r\n _Im_WebSession(starttime=todatetime(LastIngestionTime), endtime=now())\r\n | where isnotempty(DstIpAddr)\r\n | extend DestHostname = tostring(parse_url(Url)[\"Host\"])\r\n | where ('*' in~ ({SrcIpAddr}) or (SrcIpAddr in~ ({SrcIpAddr})))\r\n and ('*' in~ ({SrcUsername}) or (SrcUsername in~ ({SrcUsername})))\r\n and 
('*' in~ ({SrcHostname}) or (SrcHostname in~ ({SrcHostname})))\r\n and ('*' in~ ({DstHostname}) or (DestHostname in~ ({DstHostname})))\r\n\t\t| distinct DstIpAddr\r\n ),\r\n (\r\n WebSession_Summarized_DstIP_CL\r\n | where EventTime_t >= {TimeRange:start}\r\n | where isnotempty(DstIpAddr_s)\r\n | extend DstIpAddr=DstIpAddr_s, DestHostname=DestDomain_s\r\n | where ('*' in~ ({SrcIpAddr}))\r\n and ('*' in~ ({SrcUsername}))\r\n and ('*' in~ ({SrcHostname}))\r\n and ('*' in~ ({DstHostname}) or (DestHostname in~ ({DstHostname})))\r\n\t\t| distinct DstIpAddr\r\n )\r\n | distinct DstIpAddr;\r\nlet AllIPs =\r\nunion AllSrcIPs, AllDstIPs;\r\n SecurityAlert\r\n | where TimeGenerated > {TimeRange:start}\r\n | extend Parsed_Entities = parse_json(Entities)\r\n | mv-expand Parsed_Entities\r\n | extend Parsed_EntityType=tostring(Parsed_Entities.Type)\r\n | where Parsed_EntityType =~ 'ip'\r\n | extend UrlEntity = tostring(Parsed_Entities.Url)\r\n | project-away Parsed_Entities\r\n | where Entities in~ (AllIPs)",
"query": "let LastIngestionTime = toscalar (\r\n union isfuzzy=true \r\n (\r\n WebSession_Summarized_SrcIP_CL\r\n | where EventTime_t >= {TimeRange:start}\r\n | summarize max_TimeGenerated=max(EventTime_t)\r\n | extend max_TimeGenerated = datetime_add('hour', 1, max_TimeGenerated)\r\n ),\r\n (\r\n print({TimeRange:start})\r\n | extend max_TimeGenerated = print_0\r\n | project max_TimeGenerated\r\n )\r\n | summarize maxTimeGenerated = max(max_TimeGenerated) \r\n );\r\nlet AllSrcIPs = \r\nunion isfuzzy=true \r\n (\r\n _Im_WebSession(starttime=todatetime(LastIngestionTime), endtime=now())\r\n | where isnotempty(SrcIpAddr)\r\n | extend DestHostname = tostring(parse_url(Url)[\"Host\"])\r\n | where ('*' in~ ({SrcIpAddr}) or (SrcIpAddr in~ ({SrcIpAddr})))\r\n and ('*' in~ ({SrcUsername}) or (SrcUsername in~ ({SrcUsername})))\r\n and ('*' in~ ({SrcHostname}) or (SrcHostname in~ ({SrcHostname})))\r\n and ('*' in~ ({DstHostname}) or (DestHostname in~ ({DstHostname})))\r\n\t\t| project SrcIpAddr\r\n\t\t| distinct SrcIpAddr\r\n ),\r\n (\r\n WebSession_Summarized_SrcIP_CL\r\n | where EventTime_t >= {TimeRange:start}\r\n | where isnotempty(SrcIpAddr_s)\r\n | extend SrcIpAddr=SrcIpAddr_s, DestHostname=DestDomain_s, SrcUsername=SrcUsername_s, SrcHostname=SrcHostname_s\r\n | where ('*' in~ ({SrcIpAddr}) or (SrcIpAddr in~ ({SrcIpAddr})))\r\n and ('*' in~ ({SrcUsername}) or (SrcUsername in~ ({SrcUsername})))\r\n and ('*' in~ ({SrcHostname}) or (SrcHostname in~ ({SrcHostname})))\r\n and ('*' in~ ({DstHostname}) or (DestHostname in~ ({DstHostname})))\r\n\t\t| distinct SrcIpAddr=SrcIpAddr_s\r\n )\r\n | distinct SrcIpAddr;\r\nlet AllDstIPs = \r\nunion isfuzzy=true \r\n (\r\n _Im_WebSession(starttime=todatetime(LastIngestionTime), endtime=now())\r\n | where isnotempty(DstIpAddr)\r\n | extend DestHostname = tostring(parse_url(Url)[\"Host\"])\r\n | where ('*' in~ ({SrcIpAddr}) or (SrcIpAddr in~ ({SrcIpAddr})))\r\n and ('*' in~ ({SrcUsername}) or (SrcUsername in~ ({SrcUsername})))\r\n and 
('*' in~ ({SrcHostname}) or (SrcHostname in~ ({SrcHostname})))\r\n and ('*' in~ ({DstHostname}) or (DestHostname in~ ({DstHostname})))\r\n\t\t| distinct DstIpAddr\r\n ),\r\n (\r\n WebSession_Summarized_DstIP_CL\r\n | where EventTime_t >= {TimeRange:start}\r\n | where isnotempty(DstIpAddr_s)\r\n | extend DstIpAddr=DstIpAddr_s, DestHostname=DestDomain_s\r\n | where ('*' in~ ({SrcIpAddr}))\r\n and ('*' in~ ({SrcUsername}))\r\n and ('*' in~ ({SrcHostname}))\r\n and ('*' in~ ({DstHostname}) or (DestHostname in~ ({DstHostname})))\r\n\t\t| distinct DstIpAddr\r\n )\r\n | distinct DstIpAddr;\r\nlet AllIPs =\r\nunion AllSrcIPs, AllDstIPs;\r\n SecurityAlert\r\n | where TimeGenerated > {TimeRange:start}\r\n | extend Parsed_Entities = parse_json(Entities)\r\n | mv-expand Parsed_Entities\r\n | extend Parsed_EntityType=tostring(Parsed_Entities.Type)\r\n | where Parsed_EntityType =~ 'ip'\r\n | extend IPEntity = tostring(Parsed_Entities.Address)\r\n | project-away Parsed_Entities\r\n | where IPEntity in~ (AllIPs)\r\n | project TimeGenerated, AlertSeverity, AlertName, Description, ProviderName, IPEntity, Status, Tactics, Techniques",
"size": 1,
"title": "Source or Destination IPs matching with Entities in Security Alert table",
"timeContext": {
"durationMs": 86400000
},
"timeContextFromParameter": "TimeRange",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
"visualization": "table"
Expand All @@ -2565,12 +2563,10 @@
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "let LastIngestionTime = toscalar (\r\n union isfuzzy=true \r\n (\r\n WebSession_Summarized_SrcIP_CL\r\n | where EventTime_t >= {TimeRange:start}\r\n | summarize max_TimeGenerated=max(EventTime_t)\r\n | extend max_TimeGenerated = datetime_add('hour', 1, max_TimeGenerated)\r\n ),\r\n (\r\n print({TimeRange:start})\r\n | extend max_TimeGenerated = print_0\r\n | project max_TimeGenerated\r\n )\r\n | summarize maxTimeGenerated = max(max_TimeGenerated) \r\n );\r\nlet AllDstWebsites = \r\nunion isfuzzy=true \r\n (\r\n _Im_WebSession(starttime=todatetime(LastIngestionTime), endtime=now())\r\n | where isnotempty(Url)\r\n | extend DestHostname = tostring(parse_url(Url)[\"Host\"])\r\n | where ('*' in~ ({SrcIpAddr}) or (SrcIpAddr in~ ({SrcIpAddr})))\r\n and ('*' in~ ({SrcUsername}) or (SrcUsername in~ ({SrcUsername})))\r\n and ('*' in~ ({SrcHostname}))\r\n and ('*' in~ ({DstHostname}) or (DestHostname in~ ({DstHostname})))\r\n | distinct DestHostname\r\n ),\r\n (\r\n WebSession_Summarized_SrcIP_CL\r\n | where EventTime_t >= {TimeRange:start}\r\n | where isnotempty(DestDomain_s)\r\n | extend SrcIpAddr=SrcIpAddr_s, DestHostname=DestDomain_s, SrcUsername=SrcUsername_s, SrcHostname=SrcHostname_s\r\n | where ('*' in~ ({SrcIpAddr}) or (SrcIpAddr in~ ({SrcIpAddr})))\r\n and ('*' in~ ({SrcUsername}) or (SrcUsername in~ ({SrcUsername})))\r\n and ('*' in~ ({SrcHostname}))\r\n and ('*' in~ ({DstHostname}) or (DestHostname in~ ({DstHostname})))\r\n | distinct DestHostname\r\n ),\r\n (\r\n WebSession_Summarized_DstIP_CL\r\n | where EventTime_t >= {TimeRange:start}\r\n | where isnotempty(DestDomain_s)\r\n | extend DestHostname = DestDomain_s\r\n | where ('*' in~ ({SrcIpAddr}))\r\n and ('*' in~ ({SrcUsername}))\r\n and ('*' in~ ({SrcHostname}))\r\n and ('*' in~ ({DstHostname}) or (DestHostname in~ ({DstHostname})))\r\n | distinct DestHostname\r\n )\r\n | distinct DestHostname;\r\nSecurityAlert\r\n| where TimeGenerated > {TimeRange:start}\r\n | extend Parsed_Entities = 
parse_json(Entities)\r\n | mv-expand Parsed_Entities\r\n | extend Parsed_EntityType=tostring(Parsed_Entities.Type)\r\n | where Parsed_EntityType =~ 'url'\r\n | extend UrlEntity = tostring(Parsed_Entities.Url)\r\n | project-away Parsed_Entities\r\n| where Entities has_any (AllDstWebsites)",
"query": "let LastIngestionTime = toscalar (\r\n union isfuzzy=true \r\n (\r\n WebSession_Summarized_SrcIP_CL\r\n | where EventTime_t >= {TimeRange:start}\r\n | summarize max_TimeGenerated=max(EventTime_t)\r\n | extend max_TimeGenerated = datetime_add('hour', 1, max_TimeGenerated)\r\n ),\r\n (\r\n print({TimeRange:start})\r\n | extend max_TimeGenerated = print_0\r\n | project max_TimeGenerated\r\n )\r\n | summarize maxTimeGenerated = max(max_TimeGenerated) \r\n );\r\nlet AllDstWebsites = \r\nunion isfuzzy=true \r\n (\r\n _Im_WebSession(starttime=todatetime(LastIngestionTime), endtime=now())\r\n | where isnotempty(Url)\r\n | extend DestHostname = tostring(parse_url(Url)[\"Host\"])\r\n | where ('*' in~ ({SrcIpAddr}) or (SrcIpAddr in~ ({SrcIpAddr})))\r\n and ('*' in~ ({SrcUsername}) or (SrcUsername in~ ({SrcUsername})))\r\n and ('*' in~ ({SrcHostname}))\r\n and ('*' in~ ({DstHostname}) or (DestHostname in~ ({DstHostname})))\r\n | distinct DestHostname\r\n ),\r\n (\r\n WebSession_Summarized_SrcIP_CL\r\n | where EventTime_t >= {TimeRange:start}\r\n | where isnotempty(DestDomain_s)\r\n | extend SrcIpAddr=SrcIpAddr_s, DestHostname=DestDomain_s, SrcUsername=SrcUsername_s, SrcHostname=SrcHostname_s\r\n | where ('*' in~ ({SrcIpAddr}) or (SrcIpAddr in~ ({SrcIpAddr})))\r\n and ('*' in~ ({SrcUsername}) or (SrcUsername in~ ({SrcUsername})))\r\n and ('*' in~ ({SrcHostname}))\r\n and ('*' in~ ({DstHostname}) or (DestHostname in~ ({DstHostname})))\r\n | distinct DestHostname\r\n ),\r\n (\r\n WebSession_Summarized_DstIP_CL\r\n | where EventTime_t >= {TimeRange:start}\r\n | where isnotempty(DestDomain_s)\r\n | extend DestHostname = DestDomain_s\r\n | where ('*' in~ ({SrcIpAddr}))\r\n and ('*' in~ ({SrcUsername}))\r\n and ('*' in~ ({SrcHostname}))\r\n and ('*' in~ ({DstHostname}) or (DestHostname in~ ({DstHostname})))\r\n | distinct DestHostname\r\n )\r\n | distinct DestHostname;\r\nSecurityAlert\r\n| where TimeGenerated > {TimeRange:start}\r\n | extend Parsed_Entities = 
parse_json(Entities)\r\n | mv-expand Parsed_Entities\r\n | extend Parsed_EntityType=tostring(Parsed_Entities.Type)\r\n | where Parsed_EntityType =~ 'url'\r\n | extend UrlEntity = tostring(Parsed_Entities.Url)\r\n | project-away Parsed_Entities\r\n| where UrlEntity has_any (AllDstWebsites)\r\n| project TimeGenerated, AlertSeverity, AlertName, Description, ProviderName, UrlEntity, Status, Tactics, Techniques",
"size": 1,
"title": "Request URLs matching with Entities in Security Alert table",
"timeContext": {
"durationMs": 86400000
},
"timeContextFromParameter": "TimeRange",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
"crossComponentResources": [
Expand All @@ -2587,7 +2583,7 @@
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "let LastIngestionTime = toscalar (\r\n union isfuzzy=true \r\n (\r\n WebSession_Summarized_SrcIP_CL\r\n | where EventTime_t >= {TimeRange:start}\r\n | summarize max_TimeGenerated=max(EventTime_t)\r\n | extend max_TimeGenerated = datetime_add('hour', 1, max_TimeGenerated)\r\n ),\r\n (\r\n print({TimeRange:start})\r\n | extend max_TimeGenerated = print_0\r\n | project max_TimeGenerated\r\n )\r\n | summarize maxTimeGenerated = max(max_TimeGenerated) \r\n );\r\nlet AllSrcHostnames = \r\n union isfuzzy=true \r\n (\r\n _Im_WebSession(starttime=todatetime(LastIngestionTime), endtime=now())\r\n | where isnotempty(SrcHostname)\r\n | extend DestHostname = tostring(parse_url(Url)[\"Host\"])\r\n | where ('*' in~ ({SrcIpAddr}) or (SrcIpAddr in~ ({SrcIpAddr})))\r\n and ('*' in~ ({SrcUsername}) or (SrcUsername in~ ({SrcUsername})))\r\n and ('*' in~ ({SrcHostname}) or (SrcHostname in~ ({SrcHostname})))\r\n and ('*' in~ ({DstHostname}) or (DestHostname in~ ({DstHostname})))\r\n | distinct SrcHostname\r\n ),\r\n (\r\n WebSession_Summarized_SrcIP_CL\r\n | where EventTime_t >= {TimeRange:start}\r\n | where isnotempty(SrcHostname_s)\r\n | extend SrcIpAddr=SrcIpAddr_s, DestHostname=DestDomain_s, SrcUsername=SrcUsername_s, SrcHostname=SrcHostname_s\r\n | where ('*' in~ ({SrcIpAddr}) or (SrcIpAddr in~ ({SrcIpAddr})))\r\n and ('*' in~ ({SrcUsername}) or (SrcUsername in~ ({SrcUsername})))\r\n and ('*' in~ ({SrcHostname}) or (SrcHostname in~ ({SrcHostname})))\r\n and ('*' in~ ({DstHostname}) or (DestHostname in~ ({DstHostname})))\r\n | distinct SrcHostname=SrcHostname_s\r\n )\r\n | distinct SrcHostname;\r\nSecurityAlert\r\n| where TimeGenerated > {TimeRange:start}\r\n | extend Parsed_Entities = parse_json(Entities)\r\n | mv-expand Parsed_Entities\r\n | extend Parsed_EntityType=tostring(Parsed_Entities.Type)\r\n | where Parsed_EntityType =~ 'host'\r\n | extend UrlEntity = tostring(Parsed_Entities.Url)\r\n | project-away Parsed_Entities\r\n| where Entities in~ (AllSrcHostnames)",
"query": "let LastIngestionTime = toscalar (\r\n union isfuzzy=true \r\n (\r\n WebSession_Summarized_SrcIP_CL\r\n | where EventTime_t >= {TimeRange:start}\r\n | summarize max_TimeGenerated=max(EventTime_t)\r\n | extend max_TimeGenerated = datetime_add('hour', 1, max_TimeGenerated)\r\n ),\r\n (\r\n print({TimeRange:start})\r\n | extend max_TimeGenerated = print_0\r\n | project max_TimeGenerated\r\n )\r\n | summarize maxTimeGenerated = max(max_TimeGenerated) \r\n );\r\nlet AllSrcHostnames = \r\n union isfuzzy=true \r\n (\r\n _Im_WebSession(starttime=todatetime(LastIngestionTime), endtime=now())\r\n | where isnotempty(SrcHostname)\r\n | extend DestHostname = tostring(parse_url(Url)[\"Host\"])\r\n | where ('*' in~ ({SrcIpAddr}) or (SrcIpAddr in~ ({SrcIpAddr})))\r\n and ('*' in~ ({SrcUsername}) or (SrcUsername in~ ({SrcUsername})))\r\n and ('*' in~ ({SrcHostname}) or (SrcHostname in~ ({SrcHostname})))\r\n and ('*' in~ ({DstHostname}) or (DestHostname in~ ({DstHostname})))\r\n | distinct SrcHostname\r\n ),\r\n (\r\n WebSession_Summarized_SrcIP_CL\r\n | where EventTime_t >= {TimeRange:start}\r\n | where isnotempty(SrcHostname_s)\r\n | extend SrcIpAddr=SrcIpAddr_s, DestHostname=DestDomain_s, SrcUsername=SrcUsername_s, SrcHostname=SrcHostname_s\r\n | where ('*' in~ ({SrcIpAddr}) or (SrcIpAddr in~ ({SrcIpAddr})))\r\n and ('*' in~ ({SrcUsername}) or (SrcUsername in~ ({SrcUsername})))\r\n and ('*' in~ ({SrcHostname}) or (SrcHostname in~ ({SrcHostname})))\r\n and ('*' in~ ({DstHostname}) or (DestHostname in~ ({DstHostname})))\r\n | distinct SrcHostname=SrcHostname_s\r\n )\r\n | distinct SrcHostname;\r\nSecurityAlert\r\n| where TimeGenerated > {TimeRange:start}\r\n | extend Parsed_Entities = parse_json(Entities)\r\n | mv-expand Parsed_Entities\r\n | extend Parsed_EntityType=tostring(Parsed_Entities.Type)\r\n | where Parsed_EntityType =~ 'host'\r\n | extend HostEntity = tostring(Parsed_Entities.HostName)\r\n | project-away Parsed_Entities\r\n| where HostEntity in~ 
(AllSrcHostnames)\r\n| project TimeGenerated, AlertSeverity, AlertName, Description, ProviderName, HostEntity, Status, Tactics, Techniques",
"size": 1,
"title": "Source HostNames matching with Entities in Security Alert table",
"timeContextFromParameter": "TimeRange",
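Review bot: In the first KQL item ("Source or Destination IPs matching with Entities in Security Alert table") the new `| where IPEntity in~ (AllIPs)` still cannot match destination addresses, because `let AllIPs =\r\nunion AllSrcIPs, AllDstIPs;` unions two tables whose single columns have different names (`SrcIpAddr` and `DstIpAddr`), and `in~` against a tabular expression reads only its first column, so the `DstIpAddr` rows contribute nulls and the item silently covers source IPs only. Align the column names before the union, e.g. `let AllIPs = union (AllSrcIPs | project IpAddr = SrcIpAddr), (AllDstIPs | project IpAddr = DstIpAddr) | distinct IpAddr;`. Matching on `Parsed_Entities.Address` instead of the raw `Entities` blob is the right fix for this item, and the parallel `Parsed_Entities.HostName` and `UrlEntity` changes in the two later items follow the same pattern. Also note that the `WebSession_Summarized_DstIP_CL` branch of `AllDstIPs` only contributes rows when the SrcIpAddr, SrcUsername and SrcHostname parameters are `*`, which looks deliberate (that summary table appears to lack those columns) but deserves a short note in the item title so analysts filtering by source do not read the empty result as "no destination matches".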