Web session public preview #8932

Merged
merged 7 commits into from
Sep 5, 2023
Original file line number Diff line number Diff line change
Expand Up @@ -63,7 +63,7 @@ query: |
| where tostring(set_Url) has_any(scriptExtensions)
//Remove matches with referer
| where max_HttpReferrer == ""
//Keep requests where data was trasferred either in a GET with parameters or a POST
//Keep requests where data was transferred either in a GET with parameters or a POST
| where set_HttpRequestMethod in~ ("POST") or max_GetData == 1
//Defeat email click tracking, may increase FN's while decreasing FP's
| where set_Url !has "click" and set_HttpRequestMethod !has "GET"
Expand Down Expand Up @@ -102,5 +102,5 @@ customDetails:
alertDetailsOverride:
alertDisplayNameFormat: "User with IP '{{SourceIP}}' has been observed making request for a rare resource"
alertDescriptionFormat: "User requested (TotalEvents='{{EventCount}}') for URL '{{RequestURL}}' which contains a known script extension. The domain associated with this URL has not been accessed by any other user. This activity could be a potential beaconing activity to maintain control over compromised systems, receive instructions, or exfiltrate data"
version: 1.0.0
version: 1.0.1
kind: Scheduled
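Review bot: The corrected comment in the first hunk still describes a path the query does not keep: the filter on the next line admits rows with `max_GetData == 1` (a GET with parameters), but the click-tracking filter two lines later drops every row whose `set_HttpRequestMethod` has "GET", so in practice only POST-only requests survive and the "GET with parameters" branch is dead. Either the comment should state what the chain actually keeps, or the click-tracking line should be narrowed to the case it targets, e.g. `| where not(set_Url has "click" and set_HttpRequestMethod has "GET")`, so that GET requests carrying data are not discarded wholesale. The aggregation that defines `set_HttpRequestMethod` and `max_GetData` is above the hunk, so this reading is inferred from the column names and worth confirming before touching the logic. The version bump in the second hunk is fine on its own.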
Original file line number Diff line number Diff line change
Expand Up @@ -2545,12 +2545,10 @@
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "let LastIngestionTime = toscalar (\r\n union isfuzzy=true \r\n (\r\n WebSession_Summarized_SrcIP_CL\r\n | where EventTime_t >= {TimeRange:start}\r\n | summarize max_TimeGenerated=max(EventTime_t)\r\n | extend max_TimeGenerated = datetime_add('hour', 1, max_TimeGenerated)\r\n ),\r\n (\r\n print({TimeRange:start})\r\n | extend max_TimeGenerated = print_0\r\n | project max_TimeGenerated\r\n )\r\n | summarize maxTimeGenerated = max(max_TimeGenerated) \r\n );\r\nlet AllSrcIPs = \r\nunion isfuzzy=true \r\n (\r\n _Im_WebSession(starttime=todatetime(LastIngestionTime), endtime=now())\r\n | where isnotempty(SrcIpAddr)\r\n | extend DestHostname = tostring(parse_url(Url)[\"Host\"])\r\n | where ('*' in~ ({SrcIpAddr}) or (SrcIpAddr in~ ({SrcIpAddr})))\r\n and ('*' in~ ({SrcUsername}) or (SrcUsername in~ ({SrcUsername})))\r\n and ('*' in~ ({SrcHostname}) or (SrcHostname in~ ({SrcHostname})))\r\n and ('*' in~ ({DstHostname}) or (DestHostname in~ ({DstHostname})))\r\n\t\t| project SrcIpAddr\r\n\t\t| distinct SrcIpAddr\r\n ),\r\n (\r\n WebSession_Summarized_SrcIP_CL\r\n | where EventTime_t >= {TimeRange:start}\r\n | where isnotempty(SrcIpAddr_s)\r\n | extend SrcIpAddr=SrcIpAddr_s, DestHostname=DestDomain_s, SrcUsername=SrcUsername_s, SrcHostname=SrcHostname_s\r\n | where ('*' in~ ({SrcIpAddr}) or (SrcIpAddr in~ ({SrcIpAddr})))\r\n and ('*' in~ ({SrcUsername}) or (SrcUsername in~ ({SrcUsername})))\r\n and ('*' in~ ({SrcHostname}) or (SrcHostname in~ ({SrcHostname})))\r\n and ('*' in~ ({DstHostname}) or (DestHostname in~ ({DstHostname})))\r\n\t\t| distinct SrcIpAddr=SrcIpAddr_s\r\n )\r\n | distinct SrcIpAddr;\r\nlet AllDstIPs = \r\nunion isfuzzy=true \r\n (\r\n _Im_WebSession(starttime=todatetime(LastIngestionTime), endtime=now())\r\n | where isnotempty(DstIpAddr)\r\n | extend DestHostname = tostring(parse_url(Url)[\"Host\"])\r\n | where ('*' in~ ({SrcIpAddr}) or (SrcIpAddr in~ ({SrcIpAddr})))\r\n and ('*' in~ ({SrcUsername}) or (SrcUsername in~ ({SrcUsername})))\r\n and 
('*' in~ ({SrcHostname}) or (SrcHostname in~ ({SrcHostname})))\r\n and ('*' in~ ({DstHostname}) or (DestHostname in~ ({DstHostname})))\r\n\t\t| distinct DstIpAddr\r\n ),\r\n (\r\n WebSession_Summarized_DstIP_CL\r\n | where EventTime_t >= {TimeRange:start}\r\n | where isnotempty(DstIpAddr_s)\r\n | extend DstIpAddr=DstIpAddr_s, DestHostname=DestDomain_s\r\n | where ('*' in~ ({SrcIpAddr}))\r\n and ('*' in~ ({SrcUsername}))\r\n and ('*' in~ ({SrcHostname}))\r\n and ('*' in~ ({DstHostname}) or (DestHostname in~ ({DstHostname})))\r\n\t\t| distinct DstIpAddr\r\n )\r\n | distinct DstIpAddr;\r\nlet AllIPs =\r\nunion AllSrcIPs, AllDstIPs;\r\n SecurityAlert\r\n | where TimeGenerated > {TimeRange:start}\r\n | extend Parsed_Entities = parse_json(Entities)\r\n | mv-expand Parsed_Entities\r\n | extend Parsed_EntityType=tostring(Parsed_Entities.Type)\r\n | where Parsed_EntityType =~ 'ip'\r\n | extend UrlEntity = tostring(Parsed_Entities.Url)\r\n | project-away Parsed_Entities\r\n | where Entities in~ (AllIPs)",
"query": "let LastIngestionTime = toscalar (\r\n union isfuzzy=true \r\n (\r\n WebSession_Summarized_SrcIP_CL\r\n | where EventTime_t >= {TimeRange:start}\r\n | summarize max_TimeGenerated=max(EventTime_t)\r\n | extend max_TimeGenerated = datetime_add('hour', 1, max_TimeGenerated)\r\n ),\r\n (\r\n print({TimeRange:start})\r\n | extend max_TimeGenerated = print_0\r\n | project max_TimeGenerated\r\n )\r\n | summarize maxTimeGenerated = max(max_TimeGenerated) \r\n );\r\nlet AllSrcIPs = \r\nunion isfuzzy=true \r\n (\r\n _Im_WebSession(starttime=todatetime(LastIngestionTime), endtime=now())\r\n | where isnotempty(SrcIpAddr)\r\n | extend DestHostname = tostring(parse_url(Url)[\"Host\"])\r\n | where ('*' in~ ({SrcIpAddr}) or (SrcIpAddr in~ ({SrcIpAddr})))\r\n and ('*' in~ ({SrcUsername}) or (SrcUsername in~ ({SrcUsername})))\r\n and ('*' in~ ({SrcHostname}) or (SrcHostname in~ ({SrcHostname})))\r\n and ('*' in~ ({DstHostname}) or (DestHostname in~ ({DstHostname})))\r\n\t\t| project SrcIpAddr\r\n\t\t| distinct SrcIpAddr\r\n ),\r\n (\r\n WebSession_Summarized_SrcIP_CL\r\n | where EventTime_t >= {TimeRange:start}\r\n | where isnotempty(SrcIpAddr_s)\r\n | extend SrcIpAddr=SrcIpAddr_s, DestHostname=DestDomain_s, SrcUsername=SrcUsername_s, SrcHostname=SrcHostname_s\r\n | where ('*' in~ ({SrcIpAddr}) or (SrcIpAddr in~ ({SrcIpAddr})))\r\n and ('*' in~ ({SrcUsername}) or (SrcUsername in~ ({SrcUsername})))\r\n and ('*' in~ ({SrcHostname}) or (SrcHostname in~ ({SrcHostname})))\r\n and ('*' in~ ({DstHostname}) or (DestHostname in~ ({DstHostname})))\r\n\t\t| distinct SrcIpAddr=SrcIpAddr_s\r\n )\r\n | distinct SrcIpAddr;\r\nlet AllDstIPs = \r\nunion isfuzzy=true \r\n (\r\n _Im_WebSession(starttime=todatetime(LastIngestionTime), endtime=now())\r\n | where isnotempty(DstIpAddr)\r\n | extend DestHostname = tostring(parse_url(Url)[\"Host\"])\r\n | where ('*' in~ ({SrcIpAddr}) or (SrcIpAddr in~ ({SrcIpAddr})))\r\n and ('*' in~ ({SrcUsername}) or (SrcUsername in~ ({SrcUsername})))\r\n and 
('*' in~ ({SrcHostname}) or (SrcHostname in~ ({SrcHostname})))\r\n and ('*' in~ ({DstHostname}) or (DestHostname in~ ({DstHostname})))\r\n\t\t| distinct DstIpAddr\r\n ),\r\n (\r\n WebSession_Summarized_DstIP_CL\r\n | where EventTime_t >= {TimeRange:start}\r\n | where isnotempty(DstIpAddr_s)\r\n | extend DstIpAddr=DstIpAddr_s, DestHostname=DestDomain_s\r\n | where ('*' in~ ({SrcIpAddr}))\r\n and ('*' in~ ({SrcUsername}))\r\n and ('*' in~ ({SrcHostname}))\r\n and ('*' in~ ({DstHostname}) or (DestHostname in~ ({DstHostname})))\r\n\t\t| distinct DstIpAddr\r\n )\r\n | distinct DstIpAddr;\r\nlet AllIPs =\r\nunion AllSrcIPs, AllDstIPs;\r\n SecurityAlert\r\n | where TimeGenerated > {TimeRange:start}\r\n | extend Parsed_Entities = parse_json(Entities)\r\n | mv-expand Parsed_Entities\r\n | extend Parsed_EntityType=tostring(Parsed_Entities.Type)\r\n | where Parsed_EntityType =~ 'ip'\r\n | extend IPEntity = tostring(Parsed_Entities.Address)\r\n | project-away Parsed_Entities\r\n | where IPEntity in~ (AllIPs)\r\n | project TimeGenerated, AlertSeverity, AlertName, Description, ProviderName, IPEntity, Status, Tactics, Techniques",
"size": 1,
"title": "Source or Destination IPs matching with Entities in Security Alert table",
"timeContext": {
"durationMs": 86400000
},
"timeContextFromParameter": "TimeRange",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
"visualization": "table"
Expand All @@ -2565,12 +2563,10 @@
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "let LastIngestionTime = toscalar (\r\n union isfuzzy=true \r\n (\r\n WebSession_Summarized_SrcIP_CL\r\n | where EventTime_t >= {TimeRange:start}\r\n | summarize max_TimeGenerated=max(EventTime_t)\r\n | extend max_TimeGenerated = datetime_add('hour', 1, max_TimeGenerated)\r\n ),\r\n (\r\n print({TimeRange:start})\r\n | extend max_TimeGenerated = print_0\r\n | project max_TimeGenerated\r\n )\r\n | summarize maxTimeGenerated = max(max_TimeGenerated) \r\n );\r\nlet AllDstWebsites = \r\nunion isfuzzy=true \r\n (\r\n _Im_WebSession(starttime=todatetime(LastIngestionTime), endtime=now())\r\n | where isnotempty(Url)\r\n | extend DestHostname = tostring(parse_url(Url)[\"Host\"])\r\n | where ('*' in~ ({SrcIpAddr}) or (SrcIpAddr in~ ({SrcIpAddr})))\r\n and ('*' in~ ({SrcUsername}) or (SrcUsername in~ ({SrcUsername})))\r\n and ('*' in~ ({SrcHostname}))\r\n and ('*' in~ ({DstHostname}) or (DestHostname in~ ({DstHostname})))\r\n | distinct DestHostname\r\n ),\r\n (\r\n WebSession_Summarized_SrcIP_CL\r\n | where EventTime_t >= {TimeRange:start}\r\n | where isnotempty(DestDomain_s)\r\n | extend SrcIpAddr=SrcIpAddr_s, DestHostname=DestDomain_s, SrcUsername=SrcUsername_s, SrcHostname=SrcHostname_s\r\n | where ('*' in~ ({SrcIpAddr}) or (SrcIpAddr in~ ({SrcIpAddr})))\r\n and ('*' in~ ({SrcUsername}) or (SrcUsername in~ ({SrcUsername})))\r\n and ('*' in~ ({SrcHostname}))\r\n and ('*' in~ ({DstHostname}) or (DestHostname in~ ({DstHostname})))\r\n | distinct DestHostname\r\n ),\r\n (\r\n WebSession_Summarized_DstIP_CL\r\n | where EventTime_t >= {TimeRange:start}\r\n | where isnotempty(DestDomain_s)\r\n | extend DestHostname = DestDomain_s\r\n | where ('*' in~ ({SrcIpAddr}))\r\n and ('*' in~ ({SrcUsername}))\r\n and ('*' in~ ({SrcHostname}))\r\n and ('*' in~ ({DstHostname}) or (DestHostname in~ ({DstHostname})))\r\n | distinct DestHostname\r\n )\r\n | distinct DestHostname;\r\nSecurityAlert\r\n| where TimeGenerated > {TimeRange:start}\r\n | extend Parsed_Entities = 
parse_json(Entities)\r\n | mv-expand Parsed_Entities\r\n | extend Parsed_EntityType=tostring(Parsed_Entities.Type)\r\n | where Parsed_EntityType =~ 'url'\r\n | extend UrlEntity = tostring(Parsed_Entities.Url)\r\n | project-away Parsed_Entities\r\n| where Entities has_any (AllDstWebsites)",
"query": "let LastIngestionTime = toscalar (\r\n union isfuzzy=true \r\n (\r\n WebSession_Summarized_SrcIP_CL\r\n | where EventTime_t >= {TimeRange:start}\r\n | summarize max_TimeGenerated=max(EventTime_t)\r\n | extend max_TimeGenerated = datetime_add('hour', 1, max_TimeGenerated)\r\n ),\r\n (\r\n print({TimeRange:start})\r\n | extend max_TimeGenerated = print_0\r\n | project max_TimeGenerated\r\n )\r\n | summarize maxTimeGenerated = max(max_TimeGenerated) \r\n );\r\nlet AllDstWebsites = \r\nunion isfuzzy=true \r\n (\r\n _Im_WebSession(starttime=todatetime(LastIngestionTime), endtime=now())\r\n | where isnotempty(Url)\r\n | extend DestHostname = tostring(parse_url(Url)[\"Host\"])\r\n | where ('*' in~ ({SrcIpAddr}) or (SrcIpAddr in~ ({SrcIpAddr})))\r\n and ('*' in~ ({SrcUsername}) or (SrcUsername in~ ({SrcUsername})))\r\n and ('*' in~ ({SrcHostname}))\r\n and ('*' in~ ({DstHostname}) or (DestHostname in~ ({DstHostname})))\r\n | distinct DestHostname\r\n ),\r\n (\r\n WebSession_Summarized_SrcIP_CL\r\n | where EventTime_t >= {TimeRange:start}\r\n | where isnotempty(DestDomain_s)\r\n | extend SrcIpAddr=SrcIpAddr_s, DestHostname=DestDomain_s, SrcUsername=SrcUsername_s, SrcHostname=SrcHostname_s\r\n | where ('*' in~ ({SrcIpAddr}) or (SrcIpAddr in~ ({SrcIpAddr})))\r\n and ('*' in~ ({SrcUsername}) or (SrcUsername in~ ({SrcUsername})))\r\n and ('*' in~ ({SrcHostname}))\r\n and ('*' in~ ({DstHostname}) or (DestHostname in~ ({DstHostname})))\r\n | distinct DestHostname\r\n ),\r\n (\r\n WebSession_Summarized_DstIP_CL\r\n | where EventTime_t >= {TimeRange:start}\r\n | where isnotempty(DestDomain_s)\r\n | extend DestHostname = DestDomain_s\r\n | where ('*' in~ ({SrcIpAddr}))\r\n and ('*' in~ ({SrcUsername}))\r\n and ('*' in~ ({SrcHostname}))\r\n and ('*' in~ ({DstHostname}) or (DestHostname in~ ({DstHostname})))\r\n | distinct DestHostname\r\n )\r\n | distinct DestHostname;\r\nSecurityAlert\r\n| where TimeGenerated > {TimeRange:start}\r\n | extend Parsed_Entities = 
parse_json(Entities)\r\n | mv-expand Parsed_Entities\r\n | extend Parsed_EntityType=tostring(Parsed_Entities.Type)\r\n | where Parsed_EntityType =~ 'url'\r\n | extend UrlEntity = tostring(Parsed_Entities.Url)\r\n | project-away Parsed_Entities\r\n| where UrlEntity has_any (AllDstWebsites)\r\n| project TimeGenerated, AlertSeverity, AlertName, Description, ProviderName, UrlEntity, Status, Tactics, Techniques",
"size": 1,
"title": "Request URLs matching with Entities in Security Alert table",
"timeContext": {
"durationMs": 86400000
},
"timeContextFromParameter": "TimeRange",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
"crossComponentResources": [
Expand All @@ -2587,7 +2583,7 @@
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "let LastIngestionTime = toscalar (\r\n union isfuzzy=true \r\n (\r\n WebSession_Summarized_SrcIP_CL\r\n | where EventTime_t >= {TimeRange:start}\r\n | summarize max_TimeGenerated=max(EventTime_t)\r\n | extend max_TimeGenerated = datetime_add('hour', 1, max_TimeGenerated)\r\n ),\r\n (\r\n print({TimeRange:start})\r\n | extend max_TimeGenerated = print_0\r\n | project max_TimeGenerated\r\n )\r\n | summarize maxTimeGenerated = max(max_TimeGenerated) \r\n );\r\nlet AllSrcHostnames = \r\n union isfuzzy=true \r\n (\r\n _Im_WebSession(starttime=todatetime(LastIngestionTime), endtime=now())\r\n | where isnotempty(SrcHostname)\r\n | extend DestHostname = tostring(parse_url(Url)[\"Host\"])\r\n | where ('*' in~ ({SrcIpAddr}) or (SrcIpAddr in~ ({SrcIpAddr})))\r\n and ('*' in~ ({SrcUsername}) or (SrcUsername in~ ({SrcUsername})))\r\n and ('*' in~ ({SrcHostname}) or (SrcHostname in~ ({SrcHostname})))\r\n and ('*' in~ ({DstHostname}) or (DestHostname in~ ({DstHostname})))\r\n | distinct SrcHostname\r\n ),\r\n (\r\n WebSession_Summarized_SrcIP_CL\r\n | where EventTime_t >= {TimeRange:start}\r\n | where isnotempty(SrcHostname_s)\r\n | extend SrcIpAddr=SrcIpAddr_s, DestHostname=DestDomain_s, SrcUsername=SrcUsername_s, SrcHostname=SrcHostname_s\r\n | where ('*' in~ ({SrcIpAddr}) or (SrcIpAddr in~ ({SrcIpAddr})))\r\n and ('*' in~ ({SrcUsername}) or (SrcUsername in~ ({SrcUsername})))\r\n and ('*' in~ ({SrcHostname}) or (SrcHostname in~ ({SrcHostname})))\r\n and ('*' in~ ({DstHostname}) or (DestHostname in~ ({DstHostname})))\r\n | distinct SrcHostname=SrcHostname_s\r\n )\r\n | distinct SrcHostname;\r\nSecurityAlert\r\n| where TimeGenerated > {TimeRange:start}\r\n | extend Parsed_Entities = parse_json(Entities)\r\n | mv-expand Parsed_Entities\r\n | extend Parsed_EntityType=tostring(Parsed_Entities.Type)\r\n | where Parsed_EntityType =~ 'host'\r\n | extend UrlEntity = tostring(Parsed_Entities.Url)\r\n | project-away Parsed_Entities\r\n| where Entities in~ (AllSrcHostnames)",
"query": "let LastIngestionTime = toscalar (\r\n union isfuzzy=true \r\n (\r\n WebSession_Summarized_SrcIP_CL\r\n | where EventTime_t >= {TimeRange:start}\r\n | summarize max_TimeGenerated=max(EventTime_t)\r\n | extend max_TimeGenerated = datetime_add('hour', 1, max_TimeGenerated)\r\n ),\r\n (\r\n print({TimeRange:start})\r\n | extend max_TimeGenerated = print_0\r\n | project max_TimeGenerated\r\n )\r\n | summarize maxTimeGenerated = max(max_TimeGenerated) \r\n );\r\nlet AllSrcHostnames = \r\n union isfuzzy=true \r\n (\r\n _Im_WebSession(starttime=todatetime(LastIngestionTime), endtime=now())\r\n | where isnotempty(SrcHostname)\r\n | extend DestHostname = tostring(parse_url(Url)[\"Host\"])\r\n | where ('*' in~ ({SrcIpAddr}) or (SrcIpAddr in~ ({SrcIpAddr})))\r\n and ('*' in~ ({SrcUsername}) or (SrcUsername in~ ({SrcUsername})))\r\n and ('*' in~ ({SrcHostname}) or (SrcHostname in~ ({SrcHostname})))\r\n and ('*' in~ ({DstHostname}) or (DestHostname in~ ({DstHostname})))\r\n | distinct SrcHostname\r\n ),\r\n (\r\n WebSession_Summarized_SrcIP_CL\r\n | where EventTime_t >= {TimeRange:start}\r\n | where isnotempty(SrcHostname_s)\r\n | extend SrcIpAddr=SrcIpAddr_s, DestHostname=DestDomain_s, SrcUsername=SrcUsername_s, SrcHostname=SrcHostname_s\r\n | where ('*' in~ ({SrcIpAddr}) or (SrcIpAddr in~ ({SrcIpAddr})))\r\n and ('*' in~ ({SrcUsername}) or (SrcUsername in~ ({SrcUsername})))\r\n and ('*' in~ ({SrcHostname}) or (SrcHostname in~ ({SrcHostname})))\r\n and ('*' in~ ({DstHostname}) or (DestHostname in~ ({DstHostname})))\r\n | distinct SrcHostname=SrcHostname_s\r\n )\r\n | distinct SrcHostname;\r\nSecurityAlert\r\n| where TimeGenerated > {TimeRange:start}\r\n | extend Parsed_Entities = parse_json(Entities)\r\n | mv-expand Parsed_Entities\r\n | extend Parsed_EntityType=tostring(Parsed_Entities.Type)\r\n | where Parsed_EntityType =~ 'host'\r\n | extend HostEntity = tostring(Parsed_Entities.HostName)\r\n | project-away Parsed_Entities\r\n| where HostEntity in~ 
(AllSrcHostnames)\r\n| project TimeGenerated, AlertSeverity, AlertName, Description, ProviderName, HostEntity, Status, Tactics, Techniques",
"size": 1,
"title": "Source HostNames matching with Entities in Security Alert table",
"timeContextFromParameter": "TimeRange",
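Review bot: In the first hunk's new query, `IPEntity in~ (AllIPs)` is unlikely to ever match destination IPs: `AllIPs` is `union AllSrcIPs, AllDstIPs`, whose branches end in differently named columns (`SrcIpAddr` and `DstIpAddr`), so the union carries two columns, and as far as I recall the `in`/`in~` operator with a tabular right-hand side only consults the first column. Projecting both branches to one column name before the union, e.g. `let AllIPs = union (AllSrcIPs | project IpAddr = SrcIpAddr), (AllDstIPs | project IpAddr = DstIpAddr);`, would make the match cover both sets. This only becomes material now that the comparison is against the extracted `IPEntity` rather than the whole `Entities` JSON string, which the old form could never have matched. The other two hunks compare against single-column lists (`AllDstWebsites`, `AllSrcHostnames`) and are not affected.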