NGINX - Private IP address in URL

Back


Id	1aa6bfed-f11b-402f-9007-0dccc1152ede
Rulename	NGINX - Private IP address in URL
Description	Detects requests to unusual URL
Severity	Medium
Tactics	InitialAccess
Techniques	T1190 T1133
Required data connectors	CustomLogsAma NGINXHTTPServer
Kind	Scheduled
Query frequency	1h
Query period	1h
Trigger threshold	0
Trigger operator	gt
Source Uri	https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/NGINX HTTP Server/Analytic Rules/NGINXPrivateIPinUrl.yaml
Version	1.0.1
Arm template	1aa6bfed-f11b-402f-9007-0dccc1152ede.json

KQL

NGINXHTTPServer
| where UrlOriginal matches regex @'(10\.\d{1,3}\.\d{1,3}\.\d{1,3})|(172\.1[6-9]\.\d{1,3}\.\d{1,3})|(172\.2[0-9]\.\d{1,3}\.\d{1,3})|(172\.3[0-1]\.\d{1,3}\.\d{1,3})|(192\.168\.\d{1,3}\.\d{1,3})'
| extend UrlCustomEntity = UrlOriginal

YAML

relevantTechniques:
- T1190
- T1133
name: NGINX - Private IP address in URL
requiredDataConnectors:
- dataTypes:
  - NGINXHTTPServer
  connectorId: NGINXHTTPServer
- dataTypes:
  - NGINX_CL
  connectorId: CustomLogsAma
entityMappings:
- fieldMappings:
  - identifier: Url
    columnName: UrlCustomEntity
  entityType: URL
triggerThreshold: 0
id: 1aa6bfed-f11b-402f-9007-0dccc1152ede
tactics:
- InitialAccess
version: 1.0.1
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/NGINX HTTP Server/Analytic Rules/NGINXPrivateIPinUrl.yaml
queryPeriod: 1h
kind: Scheduled
queryFrequency: 1h
severity: Medium
status: Available
description: |
    'Detects requests to unusual URL'
query: |
  NGINXHTTPServer
  | where UrlOriginal matches regex @'(10\.\d{1,3}\.\d{1,3}\.\d{1,3})|(172\.1[6-9]\.\d{1,3}\.\d{1,3})|(172\.2[0-9]\.\d{1,3}\.\d{1,3})|(172\.3[0-1]\.\d{1,3}\.\d{1,3})|(192\.168\.\d{1,3}\.\d{1,3})'
  | extend UrlCustomEntity = UrlOriginal  
triggerOperator: gt

ARM

{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "workspace": {
      "type": "String"
    }
  },
  "resources": [
    {
      "apiVersion": "2024-01-01-preview",
      "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/1aa6bfed-f11b-402f-9007-0dccc1152ede')]",
      "kind": "Scheduled",
      "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/1aa6bfed-f11b-402f-9007-0dccc1152ede')]",
      "properties": {
        "alertRuleTemplateName": "1aa6bfed-f11b-402f-9007-0dccc1152ede",
        "customDetails": null,
        "description": "'Detects requests to unusual URL'\n",
        "displayName": "NGINX - Private IP address in URL",
        "enabled": true,
        "entityMappings": [
          {
            "entityType": "URL",
            "fieldMappings": [
              {
                "columnName": "UrlCustomEntity",
                "identifier": "Url"
              }
            ]
          }
        ],
        "OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/NGINX HTTP Server/Analytic Rules/NGINXPrivateIPinUrl.yaml",
        "query": "NGINXHTTPServer\n| where UrlOriginal matches regex @'(10\\.\\d{1,3}\\.\\d{1,3}\\.\\d{1,3})|(172\\.1[6-9]\\.\\d{1,3}\\.\\d{1,3})|(172\\.2[0-9]\\.\\d{1,3}\\.\\d{1,3})|(172\\.3[0-1]\\.\\d{1,3}\\.\\d{1,3})|(192\\.168\\.\\d{1,3}\\.\\d{1,3})'\n| extend UrlCustomEntity = UrlOriginal\n",
        "queryFrequency": "PT1H",
        "queryPeriod": "PT1H",
        "severity": "Medium",
        "status": "Available",
        "subTechniques": [],
        "suppressionDuration": "PT1H",
        "suppressionEnabled": false,
        "tactics": [
          "InitialAccess"
        ],
        "techniques": [
          "T1133",
          "T1190"
        ],
        "templateVersion": "1.0.1",
        "triggerOperator": "GreaterThan",
        "triggerThreshold": 0
      },
      "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules"
    }
  ]
}