Web Session Essentials





| Attribute | Value |
|---|---|
| Publisher | Microsoft Corporation |
| Support Tier | Microsoft |
| Support Link | https://support.microsoft.com |
| Categories | domains |
| Version | 3.0.3 |
| Author | Microsoft - support@microsoft.com |
| First Published | 2023-06-29 |
| Solution Folder | Web Session Essentials |
| Marketplace | Azure Marketplace · Popularity: ⚪ Very Low (0%) |
| Pre-requisites | PaloAlto-PAN-OS, SquidProxy, Vectra AI Stream, zscaler1579058425289.zscaler_internet_access_mss |

Web Session Essentials is a domain solution and does not include any data connectors. The content in this solution requires one of the product solutions below, as well as any other connector or data source normalized to ASIM.

For details on the required solutions, see the Pre-requisites section below.

Recommendation

It is highly recommended to use the SummarizeWebSessionData logic app playbook provided with this solution, as it will significantly improve the performance of the Workbook, Analytic rules and Hunting queries.


Pre-requisites

This solution depends on 3 other solution(s):

| Solution |
|---|
| PaloAlto-PAN-OS |
| SquidProxy |
| Vectra AI Stream |

Data Connectors

This solution does not include its own data connectors but uses the connectors provided by its dependency solutions.

Tables Used

This solution queries 1 table(s) from its content items:

| Table | Used By Content |
|---|---|
| ThreatIntelligenceIndicator | Workbooks |

Internal Tables

The following 7 table(s) are used internally by this solution's content items:

| Table | Used By Content |
|---|---|
| Anomalies | Analytics |
| SecurityAlert | Workbooks |
| Watchlist | Analytics |
| WebSession_Summarized_DstIP_CL | Playbooks (writes), Workbooks |
| WebSession_Summarized_SrcIP_CL | Analytics, Playbooks (writes), Workbooks |
| WebSession_Summarized_SrcInfo_CL | Analytics, Playbooks (writes), Workbooks |
| WebSession_Summarized_ThreatInfo_CL | Playbooks (writes), Workbooks |

Content Items

This solution includes 26 content item(s):

| Content Type | Count |
|---|---|
| Analytic Rules | 15 |
| Hunting Queries | 9 |
| Workbooks | 1 |
| Playbooks | 1 |

Analytic Rules

| Name | Severity | Tactics | Tables Used |
|---|---|---|---|
| Detect Local File Inclusion(LFI) in web requests (ASIM Web Session) | High | InitialAccess, Execution | Internal use: Watchlist |
| Detect URLs containing known malicious keywords or commands (ASIM Web Session) | High | InitialAccess, CommandAndControl | Internal use: Watchlist |
| Detect instances of multiple client errors occurring within a brief period of time (ASIM Web Session) | Medium | InitialAccess, CommandAndControl | - |
| Detect instances of multiple server errors occurring within a brief period of time (ASIM Web Session) | Medium | InitialAccess, Impact | - |
| Detect known risky user agents (ASIM Web Session) | Medium | InitialAccess, CommandAndControl | Internal use: Watchlist |
| Detect potential file enumeration activity (ASIM Web Session) | Medium | Discovery, CommandAndControl, CredentialAccess | - |
| Detect potential presence of a malicious file with a double extension (ASIM Web Session) | Medium | DefenseEvasion, Persistence, CommandAndControl | - |
| Detect presence of private IP addresses in URLs (ASIM Web Session) | Medium | Exfiltration, CommandAndControl | - |
| Detect presence of uncommon user agents in web requests (ASIM Web Session) | Medium | InitialAccess | Internal use: WebSession_Summarized_SrcInfo_CL |
| Detect requests for an uncommon resources on the web (ASIM Web Session) | Low | CommandAndControl | - |
| Detect threat information in web requests (ASIM Web Session) | High | InitialAccess | - |
| Detect unauthorized data transfers using timeseries anomaly (ASIM Web Session) | Medium | Exfiltration | Internal use: Anomalies, WebSession_Summarized_SrcIP_CL |
| Detect web requests to potentially harmful files (ASIM Web Session) | Medium | InitialAccess, Persistence, Execution | Internal use: Watchlist |
| Identify instances where a single source is observed using multiple user agents (ASIM Web Session) | Medium | InitialAccess, CredentialAccess | - |
| The download of potentially risky files from the Discord Content Delivery Network (CDN) (ASIM Web Session) | Medium | CommandAndControl | Internal use: Watchlist |

Hunting Queries

| Name | Tactics | Tables Used |
|---|---|---|
| Beaconing traffic based on common user agents visiting limited number of domains (ASIM Web Session) | CommandAndControl | - |
| Detect IPAddress in the requested URL (ASIM Web Session) | Exfiltration, CommandAndControl | - |
| Detect Kali Linux UserAgent (ASIM Web Session) | Execution | - |
| Detect threat information in web requests (ASIM Web Session) | InitialAccess | - |
| Empty User Agent Detected (ASIM Web Session) | InitialAccess | - |
| Excessive number of forbidden requests detected (ASIM Web Session) | Persistence, CredentialAccess | - |
| Potential beaconing detected (ASIM Web Session) | CommandAndControl | - |
| Potential beaconing detected - Similar sent bytes (ASIM Web Session) | CommandAndControl | - |
| Request from bots and crawlers (ASIM Web Session) | InitialAccess | - |

Workbooks

| Name | Tables Used |
|---|---|
| WebSessionEssentials | ThreatIntelligenceIndicator; Internal use: SecurityAlert, WebSession_Summarized_DstIP_CL, WebSession_Summarized_SrcIP_CL, WebSession_Summarized_SrcInfo_CL, WebSession_Summarized_ThreatInfo_CL |

Playbooks

| Name | Description | Tables Used |
|---|---|---|
| Summarize Web Session Data | The 'SummarizeWebSessionData' Playbook helps with summarizing the Web Session logs and ingesting the... | Internal use: WebSession_Summarized_DstIP_CL (read/write), WebSession_Summarized_SrcIP_CL (read/write), WebSession_Summarized_SrcInfo_CL (read/write), WebSession_Summarized_ThreatInfo_CL (read/write) |

Release Notes

| Version | Date Modified (DD-MM-YYYY) | Change History |
|---|---|---|
| 3.0.3 | 06-06-2024 | Updated Entity Mapping Analytic Rule CommandInURL.yaml |
| 3.0.2 | 31-01-2024 | Updated the solution to fix Analytic Rules deployment issue |
| 3.0.1 | 02-01-2024 | Tagged for dependent Solutions for deployment |
| 3.0.0 | 11-09-2023 | Initial Solution Release |
