API - BOLA
| Id | 1b047dc3-a879-4f99-949b-d1dc867efc83 |
| Rulename | API - BOLA |
| Description | 42Crunch API protection against BOLA |
| Severity | Medium |
| Tactics | Exfiltration |
| Techniques | T1020 |
| Required data connectors | 42CrunchAPIProtection FortyTwoCrunchAPIProtection |
| Kind | Scheduled |
| Query frequency | 5m |
| Query period | 5m |
| Trigger threshold | 0 |
| Trigger operator | gt |
| Source Uri | https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/42Crunch API Protection/Analytic Rules/APIBOLA.yaml |
| Version | 3.0.1 |
| Arm template | 1b047dc3-a879-4f99-949b-d1dc867efc83.json |
let loginRec = FortyTwoCrunchAPIProtection
| where TimeGenerated >= ago(5m)
| project-away NonBlockingMode, SourcePort, DestinationPort, Query, ApiId, RequestHeader, ResponseHeader, Errors, EventType, Uuid
| where UriPath has "/api/login" and Status == 200;
let ipAddress = toscalar(loginRec
| top 1 by Timestamp desc
| summarize by SourceIp);
let listRec = FortyTwoCrunchAPIProtection
| where TimeGenerated >= ago(5m)
| project-away NonBlockingMode, SourcePort, DestinationPort, Query, ApiId, RequestHeader, ResponseHeader, Errors, EventType, Uuid
| where UriPath has "/api/accounts/list" and Status == 200;
let listCnt = (toscalar(listRec | count));
let accountRec = FortyTwoCrunchAPIProtection
| where TimeGenerated >= ago(5m)
| project-away NonBlockingMode, SourcePort, DestinationPort, Query, ApiId, RequestHeader, ResponseHeader, Errors, EventType, Uuid
| where SourceIp == ipAddress and UriPath matches regex "/api/accounts/\\d{6}$";
let accountCnt = (toscalar(accountRec | count));
let recCount = iff((toscalar(listRec | count) == 0) and (accountCnt > 5), accountCnt, 0);
accountRec | take recCount
entityMappings:
- entityType: IP
fieldMappings:
- identifier: Address
columnName: SourceIp
- entityType: Host
fieldMappings:
- identifier: HostName
columnName: Hostname
- entityType: Account
fieldMappings:
- identifier: FullName
columnName: InstanceName
tactics:
- Exfiltration
requiredDataConnectors:
- dataTypes:
- FortyTwoCrunchAPIProtection
connectorId: 42CrunchAPIProtection
- dataTypes:
- FortyTwoCrunchAPIProtection
connectorId: FortyTwoCrunchAPIProtection
id: 1b047dc3-a879-4f99-949b-d1dc867efc83
severity: Medium
status: Available
customDetails:
query: |
let loginRec = FortyTwoCrunchAPIProtection
| where TimeGenerated >= ago(5m)
| project-away NonBlockingMode, SourcePort, DestinationPort, Query, ApiId, RequestHeader, ResponseHeader, Errors, EventType, Uuid
| where UriPath has "/api/login" and Status == 200;
let ipAddress = toscalar(loginRec
| top 1 by Timestamp desc
| summarize by SourceIp);
let listRec = FortyTwoCrunchAPIProtection
| where TimeGenerated >= ago(5m)
| project-away NonBlockingMode, SourcePort, DestinationPort, Query, ApiId, RequestHeader, ResponseHeader, Errors, EventType, Uuid
| where UriPath has "/api/accounts/list" and Status == 200;
let listCnt = (toscalar(listRec | count));
let accountRec = FortyTwoCrunchAPIProtection
| where TimeGenerated >= ago(5m)
| project-away NonBlockingMode, SourcePort, DestinationPort, Query, ApiId, RequestHeader, ResponseHeader, Errors, EventType, Uuid
| where SourceIp == ipAddress and UriPath matches regex "/api/accounts/\\d{6}$";
let accountCnt = (toscalar(accountRec | count));
let recCount = iff((toscalar(listRec | count) == 0) and (accountCnt > 5), accountCnt, 0);
accountRec | take recCount
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/42Crunch API Protection/Analytic Rules/APIBOLA.yaml
kind: Scheduled
queryPeriod: 5m
version: 3.0.1
name: API - BOLA
queryFrequency: 5m
eventGroupingSettings:
aggregationKind: SingleAlert
relevantTechniques:
- T1020
description: |
'42Crunch API protection against BOLA'
triggerThreshold: 0
triggerOperator: gt