Imperva - Request to unexpected destination port

Back


Id	0ba78922-033c-468c-82de-2974d7b1797d
Rulename	Imperva - Request to unexpected destination port
Description	Detects request attempts to unexpected destination ports.
Severity	High
Tactics	InitialAccess
Techniques	T1190 T1133
Required data connectors	ImpervaWAFCloudAPI
Kind	Scheduled
Query frequency	10m
Query period	10m
Trigger threshold	0
Trigger operator	gt
Source Uri	https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/ImpervaCloudWAF/Analytic Rules/ImpervaSuspiciousDstPort.yaml
Version	1.0.1
Arm template	0ba78922-033c-468c-82de-2974d7b1797d.json

KQL

let bl_ports = dynamic(['22', '3389']);
ImpervaWAFCloud
| where DvcAction !startswith 'REQ_BLOCKED' or DvcAction !startswith 'REQ_BAD_'
| where DstPortNumber in (bl_ports)
| extend IPCustomEntity = SrcIpAddr

YAML

description: |
    'Detects request attempts to unexpected destination ports.'
kind: Scheduled
tactics:
- InitialAccess
requiredDataConnectors:
- connectorId: ImpervaWAFCloudAPI
  dataTypes:
  - ImpervaWAFCloud
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/ImpervaCloudWAF/Analytic Rules/ImpervaSuspiciousDstPort.yaml
severity: High
name: Imperva - Request to unexpected destination port
triggerThreshold: 0
queryPeriod: 10m
query: |
  let bl_ports = dynamic(['22', '3389']);
  ImpervaWAFCloud
  | where DvcAction !startswith 'REQ_BLOCKED' or DvcAction !startswith 'REQ_BAD_'
  | where DstPortNumber in (bl_ports)
  | extend IPCustomEntity = SrcIpAddr  
relevantTechniques:
- T1190
- T1133
id: 0ba78922-033c-468c-82de-2974d7b1797d
queryFrequency: 10m
status: Available
triggerOperator: gt
version: 1.0.1
entityMappings:
- entityType: IP
  fieldMappings:
  - columnName: IPCustomEntity
    identifier: Address

ARM