What Changed
New analytic rule URLEntity_imWebSession.yaml added. It complements the existing domain-based IOC detection by matching the full requested URL against URL-type indicators, rather than only the host name.
Detection Logic
- Primary data source: ASIM Web Session events via _Im_WebSession() function
- Core logic: joins URL-type indicators from the ThreatIntelIndicators table against web session URLs; only indicators that are active, were seen within the 14-day lookback window and pass the confidence check are used
- Entity types mapped: IP (source address), URL (requested URL)
- Query optimization: pre-filters sessions with has_any against a list capped at 10,000 IOCs for performance; indicators beyond the cap are never matched, so the cap bounds coverage as well as query cost
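The detection logic above, reconstructed as an illustrative KQL query. This is an added example, not the query shipped in URLEntity_imWebSession.yaml. The ThreatIntelIndicators column names (Id, ObservableKey, ObservableValue, IsActive, Confidence, ValidUntil), the "url:value" observable key, the confidence threshold of 50 and the exact-match join after the has_any pre-filter are assumptions; the page states only that active, confidence-checked indicators within 14 days are used and that has_any is applied with a 10,000 IOC cap.

```kql
// Added example: URL IOC matching against ASIM web sessions.
// Column names on ThreatIntelIndicators and the threshold are assumed, not taken from the rule.
let dt_lookBack  = 1h;      // window of web session events scanned per run
let ioc_lookBack = 14d;     // indicators must have been seen within the last 14 days
let min_confidence = 50;    // assumed threshold; the rule's own value is not given on this page
let max_iocs = 10000;       // cap on indicators fed into has_any
let UrlIOCs = ThreatIntelIndicators
    | where TimeGenerated >= ago(ioc_lookBack)
    | where ObservableKey == "url:value"              // assumed STIX key for URL observables
    | where IsActive == true and Confidence >= min_confidence
    | where isnull(ValidUntil) or ValidUntil > now()  // drop expired indicators
    | summarize arg_max(TimeGenerated, *) by Id       // keep the newest version of each indicator
    | extend IndicatorUrl = tolower(ObservableValue)
    | take max_iocs;                                  // indicators beyond the cap are silently not matched
// Materialise the indicator URLs once so has_any can use them as a term list.
let UrlList = toscalar(UrlIOCs | summarize make_list(IndicatorUrl));
_Im_WebSession(starttime=ago(dt_lookBack), endtime=now())
    | where isnotempty(Url)
    | extend Url = tolower(Url)
    // Cheap term-level pre-filter: has_any can over-match on URL prefixes, so it is not the final test.
    | where Url has_any (UrlList)
    // Exact match on the full URL decides the hit and carries indicator metadata into the alert.
    | join kind=innerunique (
        UrlIOCs | project IndicatorUrl, IndicatorId = Id, IndicatorConfidence = Confidence
      ) on $left.Url == $right.IndicatorUrl
    | project TimeGenerated, SrcIpAddr, DstIpAddr, Url, IndicatorId, IndicatorConfidence
```

Two points to keep in mind when adapting this: has_any treats the indicator as a sequence of terms, so "http://evil.example/a" also pre-selects "http://evil.example/a/b", which is why the equality join follows it; and lowercasing both sides prevents misses on host-name case but ignores that URL paths are case-sensitive, so a case-only difference in the path will still match.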
MITRE Mapping
- T1071: Application Layer Protocol (Command and Control)
Detection Surface Unlocked
Enables detection of web requests to known malicious URLs from threat intelligence feeds, providing coverage for:
- C2 infrastructure communication via HTTP/HTTPS
- Initial access through malicious landing pages
- Exfiltration to attacker-controlled domains
Rule supports multiple web session data sources including Squid Proxy, Zscaler, and other ASIM-compliant web security solutions. For HTTPS traffic the full URL is only available where the source logs it (for example a proxy performing TLS inspection); where only the host name is logged, this rule cannot match on the path and the existing domain-based rule remains the relevant detection.
Affected Files
Solutions/Threat Intelligence (NEW)/Analytic Rules/URLEntity_imWebSession.yaml
(packaging artefacts: 3.0.14.zip, ReleaseNotes.md, Solution_ThreatIntelligenceUpdated.json, createUiDefinition.json, mainTemplate.json)