Imperva - Request to unexpected destination port

Back


Id	0ba78922-033c-468c-82de-2974d7b1797d
Rulename	Imperva - Request to unexpected destination port
Description	Detects request attempts to unexpected destination ports.
Severity	High
Tactics	InitialAccess
Techniques	T1190 T1133
Required data connectors	ImpervaWAFCloudAPI
Kind	Scheduled
Query frequency	10m
Query period	10m
Trigger threshold	0
Trigger operator	gt
Source Uri	https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/ImpervaCloudWAF/Analytic Rules/ImpervaSuspiciousDstPort.yaml
Version	1.0.1
Arm template	0ba78922-033c-468c-82de-2974d7b1797d.json

KQL

let bl_ports = dynamic(['22', '3389']);
ImpervaWAFCloud
| where DvcAction !startswith 'REQ_BLOCKED' or DvcAction !startswith 'REQ_BAD_'
| where DstPortNumber in (bl_ports)
| extend IPCustomEntity = SrcIpAddr

YAML

triggerThreshold: 0
entityMappings:
- entityType: IP
  fieldMappings:
  - identifier: Address
    columnName: IPCustomEntity
requiredDataConnectors:
- dataTypes:
  - ImpervaWAFCloud
  connectorId: ImpervaWAFCloudAPI
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/ImpervaCloudWAF/Analytic Rules/ImpervaSuspiciousDstPort.yaml
name: Imperva - Request to unexpected destination port
relevantTechniques:
- T1190
- T1133
status: Available
version: 1.0.1
queryPeriod: 10m
kind: Scheduled
id: 0ba78922-033c-468c-82de-2974d7b1797d
query: |
  let bl_ports = dynamic(['22', '3389']);
  ImpervaWAFCloud
  | where DvcAction !startswith 'REQ_BLOCKED' or DvcAction !startswith 'REQ_BAD_'
  | where DstPortNumber in (bl_ports)
  | extend IPCustomEntity = SrcIpAddr  
description: |
    'Detects request attempts to unexpected destination ports.'
queryFrequency: 10m
severity: High
triggerOperator: gt
tactics:
- InitialAccess

ARM