Imperva - Request to unexpected destination port

Back


Id	0ba78922-033c-468c-82de-2974d7b1797d
Rulename	Imperva - Request to unexpected destination port
Description	Detects request attempts to unexpected destination ports.
Severity	High
Tactics	InitialAccess
Techniques	T1190 T1133
Required data connectors	ImpervaWAFCloudAPI
Kind	Scheduled
Query frequency	10m
Query period	10m
Trigger threshold	0
Trigger operator	gt
Source Uri	https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/ImpervaCloudWAF/Analytic Rules/ImpervaSuspiciousDstPort.yaml
Version	1.0.1
Arm template	0ba78922-033c-468c-82de-2974d7b1797d.json

KQL

let bl_ports = dynamic(['22', '3389']);
ImpervaWAFCloud
| where DvcAction !startswith 'REQ_BLOCKED' or DvcAction !startswith 'REQ_BAD_'
| where DstPortNumber in (bl_ports)
| extend IPCustomEntity = SrcIpAddr

YAML

name: Imperva - Request to unexpected destination port
queryFrequency: 10m
description: |
    'Detects request attempts to unexpected destination ports.'
relevantTechniques:
- T1190
- T1133
id: 0ba78922-033c-468c-82de-2974d7b1797d
triggerOperator: gt
version: 1.0.1
entityMappings:
- entityType: IP
  fieldMappings:
  - columnName: IPCustomEntity
    identifier: Address
kind: Scheduled
status: Available
tactics:
- InitialAccess
triggerThreshold: 0
queryPeriod: 10m
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/ImpervaCloudWAF/Analytic Rules/ImpervaSuspiciousDstPort.yaml
requiredDataConnectors:
- dataTypes:
  - ImpervaWAFCloud
  connectorId: ImpervaWAFCloudAPI
query: |
  let bl_ports = dynamic(['22', '3389']);
  ImpervaWAFCloud
  | where DvcAction !startswith 'REQ_BLOCKED' or DvcAction !startswith 'REQ_BAD_'
  | where DstPortNumber in (bl_ports)
  | extend IPCustomEntity = SrcIpAddr  
severity: High

ARM