API - BOLA
| Id | 1b047dc3-a879-4f99-949b-d1dc867efc83 |
| Rulename | API - BOLA |
| Description | 42Crunch API protection against BOLA |
| Severity | Medium |
| Tactics | Exfiltration |
| Techniques | T1020 |
| Required data connectors | 42CrunchAPIProtection FortyTwoCrunchAPIProtection |
| Kind | Scheduled |
| Query frequency | 5m |
| Query period | 5m |
| Trigger threshold | 0 |
| Trigger operator | gt |
| Source Uri | https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/42Crunch API Protection/Analytic Rules/APIBOLA.yaml |
| Version | 3.0.1 |
| Arm template | 1b047dc3-a879-4f99-949b-d1dc867efc83.json |
let loginRec = FortyTwoCrunchAPIProtection
| where TimeGenerated >= ago(5m)
| project-away NonBlockingMode, SourcePort, DestinationPort, Query, ApiId, RequestHeader, ResponseHeader, Errors, EventType, Uuid
| where UriPath has "/api/login" and Status == 200;
let ipAddress = toscalar(loginRec
| top 1 by Timestamp desc
| summarize by SourceIp);
let listRec = FortyTwoCrunchAPIProtection
| where TimeGenerated >= ago(5m)
| project-away NonBlockingMode, SourcePort, DestinationPort, Query, ApiId, RequestHeader, ResponseHeader, Errors, EventType, Uuid
| where UriPath has "/api/accounts/list" and Status == 200;
let listCnt = (toscalar(listRec | count));
let accountRec = FortyTwoCrunchAPIProtection
| where TimeGenerated >= ago(5m)
| project-away NonBlockingMode, SourcePort, DestinationPort, Query, ApiId, RequestHeader, ResponseHeader, Errors, EventType, Uuid
| where SourceIp == ipAddress and UriPath matches regex "/api/accounts/\\d{6}$";
let accountCnt = (toscalar(accountRec | count));
let recCount = iff((toscalar(listRec | count) == 0) and (accountCnt > 5), accountCnt, 0);
accountRec | take recCount
name: API - BOLA
requiredDataConnectors:
- dataTypes:
- FortyTwoCrunchAPIProtection
connectorId: 42CrunchAPIProtection
- dataTypes:
- FortyTwoCrunchAPIProtection
connectorId: FortyTwoCrunchAPIProtection
queryPeriod: 5m
relevantTechniques:
- T1020
tactics:
- Exfiltration
id: 1b047dc3-a879-4f99-949b-d1dc867efc83
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/42Crunch API Protection/Analytic Rules/APIBOLA.yaml
kind: Scheduled
query: |
let loginRec = FortyTwoCrunchAPIProtection
| where TimeGenerated >= ago(5m)
| project-away NonBlockingMode, SourcePort, DestinationPort, Query, ApiId, RequestHeader, ResponseHeader, Errors, EventType, Uuid
| where UriPath has "/api/login" and Status == 200;
let ipAddress = toscalar(loginRec
| top 1 by Timestamp desc
| summarize by SourceIp);
let listRec = FortyTwoCrunchAPIProtection
| where TimeGenerated >= ago(5m)
| project-away NonBlockingMode, SourcePort, DestinationPort, Query, ApiId, RequestHeader, ResponseHeader, Errors, EventType, Uuid
| where UriPath has "/api/accounts/list" and Status == 200;
let listCnt = (toscalar(listRec | count));
let accountRec = FortyTwoCrunchAPIProtection
| where TimeGenerated >= ago(5m)
| project-away NonBlockingMode, SourcePort, DestinationPort, Query, ApiId, RequestHeader, ResponseHeader, Errors, EventType, Uuid
| where SourceIp == ipAddress and UriPath matches regex "/api/accounts/\\d{6}$";
let accountCnt = (toscalar(accountRec | count));
let recCount = iff((toscalar(listRec | count) == 0) and (accountCnt > 5), accountCnt, 0);
accountRec | take recCount
eventGroupingSettings:
aggregationKind: SingleAlert
entityMappings:
- fieldMappings:
- identifier: Address
columnName: SourceIp
entityType: IP
- fieldMappings:
- identifier: HostName
columnName: Hostname
entityType: Host
- fieldMappings:
- identifier: FullName
columnName: InstanceName
entityType: Account
version: 3.0.1
triggerOperator: gt
description: |
'42Crunch API protection against BOLA'
triggerThreshold: 0
queryFrequency: 5m
status: Available
severity: Medium
customDetails: