API - BOLA

Back


Id	1b047dc3-a879-4f99-949b-d1dc867efc83
Rulename	API - BOLA
Description	42Crunch API protection against BOLA
Severity	Medium
Tactics	Exfiltration
Techniques	T1020
Required data connectors	42CrunchAPIProtection
Kind	Scheduled
Query frequency	5m
Query period	5m
Trigger threshold	0
Trigger operator	gt
Source Uri	https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/42Crunch API Protection/Analytic Rules/APIBOLA.yaml
Version	1.0.1
Arm template	1b047dc3-a879-4f99-949b-d1dc867efc83.json

KQL

let loginRec = apifirewall_log_1_CL
| where TimeGenerated >= ago(5m) 
| project-away Non_blocking_mode_b, Source_Port_d, Destination_Port_d, Query_s, API_ID_g, Request_Header_s, Response_Header_s, Errors_s, Type, UUID_g
| where Instance_Name_s == "Instance_5" and URI_Path_s has "/api/login" and Status_d == 200;
let ipAddress = toscalar(loginRec
| top 1 by Timestamp_t desc
| summarize by Source_IP_s);
let listRec = apifirewall_log_1_CL
| where TimeGenerated >= ago(5m) 
| project-away Non_blocking_mode_b, Source_Port_d, Destination_Port_d, Query_s, API_ID_g, Request_Header_s, Response_Header_s, Errors_s, Type, UUID_g
| where Instance_Name_s == "Instance_5" and URI_Path_s has "/api/accounts/list" and Status_d == 200;
let listCnt = (toscalar(listRec | count));
let accountRec = apifirewall_log_1_CL
| where TimeGenerated >= ago(5m) 
| project-away Non_blocking_mode_b, Source_Port_d, Destination_Port_d, Query_s, API_ID_g, Request_Header_s, Response_Header_s, Errors_s, Type, UUID_g
| where Instance_Name_s == "Instance_5" and Source_IP_s == ipAddress and URI_Path_s matches regex "/api/accounts/\\d{6}$";
let accountCnt = (toscalar(accountRec | count));
let recCount = iff((toscalar(listRec | count) == 0) and (accountCnt > 5), accountCnt, 0);
accountRec | take recCount

YAML

description: |
    '42Crunch API protection against BOLA'
kind: Scheduled
tactics:
- Exfiltration
requiredDataConnectors:
- connectorId: 42CrunchAPIProtection
  dataTypes:
  - apifirewall_log_1_CL
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/42Crunch API Protection/Analytic Rules/APIBOLA.yaml
severity: Medium
name: API - BOLA
customDetails: 
triggerThreshold: 0
queryPeriod: 5m
query: |
  let loginRec = apifirewall_log_1_CL
  | where TimeGenerated >= ago(5m) 
  | project-away Non_blocking_mode_b, Source_Port_d, Destination_Port_d, Query_s, API_ID_g, Request_Header_s, Response_Header_s, Errors_s, Type, UUID_g
  | where Instance_Name_s == "Instance_5" and URI_Path_s has "/api/login" and Status_d == 200;
  let ipAddress = toscalar(loginRec
  | top 1 by Timestamp_t desc
  | summarize by Source_IP_s);
  let listRec = apifirewall_log_1_CL
  | where TimeGenerated >= ago(5m) 
  | project-away Non_blocking_mode_b, Source_Port_d, Destination_Port_d, Query_s, API_ID_g, Request_Header_s, Response_Header_s, Errors_s, Type, UUID_g
  | where Instance_Name_s == "Instance_5" and URI_Path_s has "/api/accounts/list" and Status_d == 200;
  let listCnt = (toscalar(listRec | count));
  let accountRec = apifirewall_log_1_CL
  | where TimeGenerated >= ago(5m) 
  | project-away Non_blocking_mode_b, Source_Port_d, Destination_Port_d, Query_s, API_ID_g, Request_Header_s, Response_Header_s, Errors_s, Type, UUID_g
  | where Instance_Name_s == "Instance_5" and Source_IP_s == ipAddress and URI_Path_s matches regex "/api/accounts/\\d{6}$";
  let accountCnt = (toscalar(accountRec | count));
  let recCount = iff((toscalar(listRec | count) == 0) and (accountCnt > 5), accountCnt, 0);
  accountRec | take recCount  
relevantTechniques:
- T1020
id: 1b047dc3-a879-4f99-949b-d1dc867efc83
queryFrequency: 5m
status: Available
version: 1.0.1
triggerOperator: gt
eventGroupingSettings:
  aggregationKind: SingleAlert
entityMappings:
- entityType: IP
  fieldMappings:
  - columnName: Source_IP_s
    identifier: Address
- entityType: Host
  fieldMappings:
  - columnName: Hostname_s
    identifier: HostName
- entityType: Account
  fieldMappings:
  - columnName: Instance_Name_s
    identifier: FullName

ARM