Microsoft Sentinel Analytic Rules
cloudbrothers.infoAzure Sentinel RepoToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeBack to homepage
  1. Microsoft Sentinel Analytics Rules
  2. /
  3. Analytic Rules
  4. /
  5. API - Anomaly Detection

API - Anomaly Detection

Back
Id2c59e609-e0a0-4e8e-adc5-ab4224be8a36
RulenameAPI - Anomaly Detection
Description42Crunch API protection anomaly detection
SeverityLow
TacticsReconnaissance
TechniquesT1593
T1589
Required data connectors42CrunchAPIProtection
KindScheduled
Query frequency5m
Query period5m
Trigger threshold0
Trigger operatorgt
Source Urihttps://github.com/Azure/Azure-Sentinel/blob/master/Solutions/42Crunch API Protection/Analytic Rules/APIAnomalyDetection.yaml
Version1.0.1
Arm template2c59e609-e0a0-4e8e-adc5-ab4224be8a36.json
Deploy To Azure
let infoRec = apifirewall_log_1_CL
| where TimeGenerated >= ago(5m) 
| project-away Non_blocking_mode_b, Source_Port_d, Destination_Port_d, Query_s, API_ID_g, Request_Header_s, Response_Header_s, Errors_s, Type, UUID_g
| where Instance_Name_s == "Instance_4" and URI_Path_s has "/api/users/info" and Status_d == 200;
let timestamp = toscalar(infoRec | top 1 by Timestamp_t desc | summarize by Timestamp_t);
let activityRec = apifirewall_log_1_CL
  | where Timestamp_t < timestamp and TimeGenerated >= ago(5m)
  | project-away Non_blocking_mode_b, Source_Port_d, Destination_Port_d, Query_s, API_ID_g, Request_Header_s, Response_Header_s, Errors_s, Type, UUID_g
  | where Instance_Name_s == "Instance_4" and URI_Path_s has "/api/users/activity" and Status_d == 200;
activityRec

name: API - Anomaly Detection
id: 2c59e609-e0a0-4e8e-adc5-ab4224be8a36
description: |
    '42Crunch API protection anomaly detection'
triggerThreshold: 0
entityMappings:
- fieldMappings:
  - columnName: Source_IP_s
    identifier: Address
  entityType: IP
- fieldMappings:
  - columnName: Hostname_s
    identifier: HostName
  entityType: Host
- fieldMappings:
  - columnName: Instance_Name_s
    identifier: FullName
  entityType: Account
version: 1.0.1
triggerOperator: gt
query: |
  let infoRec = apifirewall_log_1_CL
  | where TimeGenerated >= ago(5m) 
  | project-away Non_blocking_mode_b, Source_Port_d, Destination_Port_d, Query_s, API_ID_g, Request_Header_s, Response_Header_s, Errors_s, Type, UUID_g
  | where Instance_Name_s == "Instance_4" and URI_Path_s has "/api/users/info" and Status_d == 200;
  let timestamp = toscalar(infoRec | top 1 by Timestamp_t desc | summarize by Timestamp_t);
  let activityRec = apifirewall_log_1_CL
    | where Timestamp_t < timestamp and TimeGenerated >= ago(5m)
    | project-away Non_blocking_mode_b, Source_Port_d, Destination_Port_d, Query_s, API_ID_g, Request_Header_s, Response_Header_s, Errors_s, Type, UUID_g
    | where Instance_Name_s == "Instance_4" and URI_Path_s has "/api/users/activity" and Status_d == 200;
  activityRec  
tactics:
- Reconnaissance
kind: Scheduled
queryFrequency: 5m
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/42Crunch API Protection/Analytic Rules/APIAnomalyDetection.yaml
severity: Low
queryPeriod: 5m
requiredDataConnectors:
- dataTypes:
  - apifirewall_log_1_CL
  connectorId: 42CrunchAPIProtection
status: Available
customDetails: 
eventGroupingSettings:
  aggregationKind: SingleAlert
relevantTechniques:
- T1593
- T1589