Detection rules › Kusto
TI map Domain entity to Web Session Events (ASIM Web Session schema)
'This rule identifies Web Sessions for which the target URL hostname is a known IoC. This rule uses the Advanced Security Information Model (ASIM) and supports any web session source that complies with ASIM.'
MITRE ATT&CK coverage
| Tactic | Techniques |
|---|---|
| Command & Control | T1071 Application Layer Protocol |
Rule body kusto
id: b1832f60-6c3d-4722-a0a5-3d564ee61a63
name: TI map Domain entity to Web Session Events (ASIM Web Session schema)
description: |
'This rule identifies Web Sessions for which the target URL hostname is a known IoC. This rule uses the [Advanced Security Information Model (ASIM)](https:/aka.ms/AboutASIM) and supports any web session source that complies with ASIM.'
severity: Medium
requiredDataConnectors:
- connectorId: SquidProxy
dataTypes:
- SquidProxy_CL
- connectorId: Zscaler
dataTypes:
- CommonSecurityLog
- connectorId: ThreatIntelligence
dataTypes:
- ThreatIntelligenceIndicator
- connectorId: ThreatIntelligenceTaxii
dataTypes:
- ThreatIntelligenceIndicator
- connectorId: MicrosoftDefenderThreatIntelligence
dataTypes:
- ThreatIntelligenceIndicator
queryFrequency: 1h
queryPeriod: 14d
triggerOperator: gt
triggerThreshold: 0
tactics:
- CommandAndControl
relevantTechniques:
- T1071
query: |
let HAS_ANY_MAX = 10000;
let dt_lookBack = 1h;
let ioc_lookBack = 14d;
//Create a list of TLDs in our threat feed for later validation
let DOMAIN_TI=ThreatIntelligenceIndicator
// Picking up only IOC's that contain the entities we want
| where isnotempty(DomainName)
| where TimeGenerated >= ago(ioc_lookBack)
| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId
| where Active == true and ExpirationDateTime > now();
let DOMAIN_TI_list= todynamic(toscalar(DOMAIN_TI | summarize NIoCs = dcount(DomainName), Domains = make_set(DomainName)
| project Domains=iff(NIoCs > HAS_ANY_MAX, dynamic([]), Domains) ));
DOMAIN_TI
// using innerunique to keep perf fast and result set low, we only need one match to indicate potential malicious activity that needs to be investigated
| join kind=innerunique (
_Im_WebSession(starttime=ago(dt_lookBack), url_has_any= DOMAIN_TI_list )
//Extract domain patterns from syslog message
| extend domain = tostring(parse_url(Url)["Host"])
| where isnotempty(domain)
| extend tld = tostring(split(domain, '.')[-1])
| extend Event_TimeGenerated = TimeGenerated
) on $left.DomainName==$right.domain
| where Event_TimeGenerated < ExpirationDateTime
| summarize Event_TimeGenerated = arg_max(Event_TimeGenerated , *) by IndicatorId, domain
| project Event_TimeGenerated, Description, ActivityGroupNames, IndicatorId, ThreatType, ExpirationDateTime, ConfidenceScore, domain, SrcIpAddr, Url
entityMappings:
- entityType: IP
fieldMappings:
- identifier: Address
columnName: SrcIpAddr
- entityType: URL
fieldMappings:
- identifier: Url
columnName: Url
customDetails:
EventTime: Event_TimeGenerated
IoCDescription: Description
ActivityGroupNames: ActivityGroupNames
IndicatorId: IndicatorId
ThreatType: ThreatType
IoCExpirationTime: ExpirationDateTime
IoCConfidenceScore: ConfidenceScore
alertDetailsOverride:
alertDisplayNameFormat: A web request from {{SrcIpAddr}} to hostname {{domain}} matched an IoC
alertDescriptionFormat: A client with address {{SrcIpAddr}} requested the URL {{Url}}, whose hostname is a known indicator of compromise of {{ThreatType}}. Consult the threat intelligence blade for more information on the indicator.
version: 1.0.6
kind: Scheduled
Stages and Predicates
Parameters
let HAS_ANY_MAX = 10000;
let dt_lookBack = 1h;
let ioc_lookBack = 14d;
Let binding: DOMAIN_TI_list
let DOMAIN_TI_list = todynamic(toscalar(DOMAIN_TI | summarize NIoCs = dcount(DomainName), Domains = make_set(DomainName)
| project Domains=iff(NIoCs > HAS_ANY_MAX, dynamic([]), Domains) ));
Derived from HAS_ANY_MAX, DOMAIN_TI.
The stages below define let DOMAIN_TI (the rule's main pipeline source).
Stage 1: source
ThreatIntelligenceIndicator
Stage 2: where
| where isnotempty(DomainName)
Stage 3: where
| where TimeGenerated >= ago(ioc_lookBack)
Stage 4: summarize
| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId
Stage 5: where
| where Active == true and ExpirationDateTime > now()
The stages below run on DOMAIN_TI (the outer pipeline).
Stage 6: join
DOMAIN_TI
| join kind=innerunique (
_Im_WebSession(starttime=ago(dt_lookBack), url_has_any= DOMAIN_TI_list )
| extend domain = tostring(parse_url(Url)["Host"])
| where isnotempty(domain)
| extend tld = tostring(split(domain, '.')[-1])
| extend Event_TimeGenerated = TimeGenerated
) on $left.DomainName==$right.domain
Stage 7: where
| where Event_TimeGenerated < ExpirationDateTime
Stage 8: summarize
| summarize Event_TimeGenerated = arg_max(Event_TimeGenerated , *) by IndicatorId, domain
Stage 9: project
| project Event_TimeGenerated, Description, ActivityGroupNames, IndicatorId, ThreatType, ExpirationDateTime, ConfidenceScore, domain, SrcIpAddr, Url
Indicators
Each row is a field, operator, and value that the rule matches. The corpus column counts how many other rules in the catalog look for the same combination: high numbers point to widely-used, community-vetted indicators. Blank or 1 shows that the indicator is specific to this rule.
| Field | Kind | Values |
|---|---|---|
Active | eq |
|
DomainName | is_not_null | |
Event_TimeGenerated | lt |
|
domain | is_not_null |
Output fields
Fields the rule emits when it matches. Chronicle authors list these in the outcome block; they appear on the detection and $risk_score drives alerting. Sentinel / Defender XDR rules build them up through project / summarize / extend stages. Sentinel maps these into alert fields via entityMappings and customDetails; Defender XDR custom detections surface them as alert fields directly.
| Field | Source |
|---|---|
ActivityGroupNames | project |
ConfidenceScore | project |
Description | project |
Event_TimeGenerated | project |
ExpirationDateTime | project |
IndicatorId | project |
SrcIpAddr | project |
ThreatType | project |
Url | project |
domain | project |