Takes Microsoft Defender for Endpoint (formerly Microsoft Defender ATP) alerts in which web script files appear in the alert evidence and correlates them with requests for those scripts in the W3CIISLog table, surfacing new alerts for potentially malicious web request activity. The lookback for alerts is 1h and the lookback for W3CIISLog is 7d. A sample set of common web script extensions is provided in scriptExtensions; tailor it to your environment, since an over-broad list raises the false-positive rate and a too-narrow one misses shells dropped under less common extensions.
| Attribute | Value |
|---|---|
| Type | Analytic Rule |
| Solution | Web Shells Threat Protection |
| ID | fbfbf530-506b-49a4-81ad-4030885a195c |
| Severity | Medium |
| Kind | Scheduled |
| Tactics | Persistence |
| Techniques | T1505 |
| Required Connectors | MicrosoftDefenderAdvancedThreatProtection, AzureMonitor(IIS) |
| Source | View on GitHub |
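The following is an added example, not the rule's own KQL, that models the correlation described above in Python over constructed SecurityAlert and W3CIISLog rows so the matching semantics can be checked offline: MDE alerts within the 1h window whose file entities carry a script extension are joined to IIS requests within the 7d window whose URI basename names the same script on the same host. The `ProviderName == "MDATP"` filter, the entity JSON shape, the extension list and all host, IP and file names are assumptions for illustration.

```python
import json
from datetime import datetime, timedelta, timezone

# Extensions treated as web scripts; assumed list, tailor to the environment
SCRIPT_EXTENSIONS = [".php", ".jsp", ".js", ".aspx", ".asmx", ".asax", ".cfm", ".ashx", ".asp"]

# Fixed "now" so the constructed data below is reproducible
NOW = datetime(2024, 5, 1, 12, 0, tzinfo=timezone.utc)


def _entities(obj):
    # SecurityAlert.Entities is stored as a JSON string; mirror that here
    return json.dumps(obj)


# Constructed SecurityAlert rows (not real telemetry)
SECURITY_ALERTS = [
    {"TimeGenerated": NOW - timedelta(minutes=20), "ProviderName": "MDATP",
     "AlertName": "Possible web shell installation",
     "Entities": _entities([{"Type": "file", "Name": "cmd.aspx", "Directory": "C:\\inetpub\\wwwroot\\uploads"},
                            {"Type": "host", "HostName": "web01"}])},
    {"TimeGenerated": NOW - timedelta(hours=3), "ProviderName": "MDATP",  # older than the 1h alert lookback
     "AlertName": "Suspicious PHP file",
     "Entities": _entities([{"Type": "file", "Name": "shell.php"}, {"Type": "host", "HostName": "web01"}])},
    {"TimeGenerated": NOW - timedelta(minutes=5), "ProviderName": "MDATP",  # evidence file is not a web script
     "AlertName": "Suspicious file drop",
     "Entities": _entities([{"Type": "file", "Name": "notes.txt"}, {"Type": "host", "HostName": "web01"}])},
    {"TimeGenerated": NOW - timedelta(minutes=10), "ProviderName": "ASI Scheduled Alerts",  # not an MDE alert
     "AlertName": "Custom rule",
     "Entities": _entities([{"Type": "file", "Name": "evil.aspx"}, {"Type": "host", "HostName": "web01"}])},
]

# Constructed W3CIISLog rows (not real telemetry)
W3CIISLOG = [
    {"TimeGenerated": NOW - timedelta(days=2), "Computer": "web01", "cIP": "203.0.113.10",
     "csMethod": "POST", "csUriStem": "/uploads/cmd.aspx", "scStatus": 200},
    {"TimeGenerated": NOW - timedelta(days=9), "Computer": "web01", "cIP": "203.0.113.10",  # older than 7d
     "csMethod": "POST", "csUriStem": "/uploads/cmd.aspx", "scStatus": 200},
    {"TimeGenerated": NOW - timedelta(days=1), "Computer": "web01", "cIP": "192.0.2.5",  # different script
     "csMethod": "GET", "csUriStem": "/index.aspx", "scStatus": 200},
    {"TimeGenerated": NOW - timedelta(hours=1), "Computer": "web02", "cIP": "203.0.113.10",  # different host
     "csMethod": "POST", "csUriStem": "/uploads/cmd.aspx", "scStatus": 200},
    {"TimeGenerated": NOW - timedelta(days=3), "Computer": "web01.contoso.com", "cIP": "198.51.100.7",
     "csMethod": "GET", "csUriStem": "/Uploads/CMD.ASPX", "scStatus": 404},  # case differs, FQDN host
]


def _short_host(name):
    # Compare on the short host name: W3CIISLog.Computer may be an FQDN, alert entities usually are not
    return name.lower().split(".")[0]


def script_files_from_alert(alert, extensions=SCRIPT_EXTENSIONS):
    """Return the lowercase names of file entities in the alert whose extension marks a web script."""
    names = set()
    for ent in json.loads(alert["Entities"]):
        if ent.get("Type", "").lower() != "file":
            continue
        name = ent.get("Name", "").lower()
        if any(name.endswith(ext) for ext in extensions):
            names.add(name)
    return names


def alert_hosts(alert):
    """Short host names of the host entities in the alert (empty set if none)."""
    return {_short_host(e["HostName"]) for e in json.loads(alert["Entities"])
            if e.get("Type", "").lower() == "host" and e.get("HostName")}


def correlate(alerts, iis_logs, now, extensions=SCRIPT_EXTENSIONS,
              alert_lookback=timedelta(hours=1), iis_lookback=timedelta(days=7)):
    """Join recent MDE alerts naming a web script to IIS requests for that script on the alerted host."""
    hits = []
    for alert in alerts:
        if alert["ProviderName"] != "MDATP" or alert["TimeGenerated"] < now - alert_lookback:
            continue
        files = script_files_from_alert(alert, extensions)
        if not files:
            continue
        hosts = alert_hosts(alert)
        for req in iis_logs:
            if req["TimeGenerated"] < now - iis_lookback:
                continue
            requested = req["csUriStem"].rsplit("/", 1)[-1].lower()  # basename of the requested URI
            if requested not in files:
                continue
            # Also require the alerted host, so a same-named script on another server does not fire
            if hosts and _short_host(req["Computer"]) not in hosts:
                continue
            hits.append({"AlertName": alert["AlertName"], "AlertTime": alert["TimeGenerated"],
                         "FileName": requested, "Computer": req["Computer"], "cIP": req["cIP"],
                         "csMethod": req["csMethod"], "csUriStem": req["csUriStem"],
                         "scStatus": req["scStatus"], "RequestTime": req["TimeGenerated"]})
    return sorted(hits, key=lambda h: h["RequestTime"])


if __name__ == "__main__":
    for hit in correlate(SECURITY_ALERTS, W3CIISLOG, NOW):
        print(hit["RequestTime"].isoformat(), hit["Computer"], hit["cIP"],
              hit["csMethod"], hit["csUriStem"], hit["scStatus"])
```

Two of the five constructed requests survive: the POST to /uploads/cmd.aspx from 203.0.113.10 and the earlier mixed-case GET from 198.51.100.7 (a 404 is still worth seeing, since it can be an attacker probing for a shell that was later removed or renamed). The request from a different host, the request outside the 7d window, the alert outside the 1h window, the non-MDE alert and the non-script evidence file are all dropped. Matching on the URI basename alone is deliberately loose; when triaging, note that a shell named like a legitimate page (for example a second index.aspx) will produce requests that look routine, so the host match and the request source IP matter more than the file name.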
This content item queries data from the following tables:
| Table | Transformations | Ingestion API | Lake-Only |
|---|---|---|---|
| SecurityAlert | ✓ | ✗ | ? |
| W3CIISLog | ✓ | ✗ | ? |