Microsoft Sentinel Analytic Rules
cloudbrothers.infoAzure Sentinel RepoToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeBack to homepage
  1. Microsoft Sentinel Analytics Rules
  2. /
  3. Analytic Rules
  4. /
  5. API - Anomaly Detection

API - Anomaly Detection

Back
Id2c59e609-e0a0-4e8e-adc5-ab4224be8a36
RulenameAPI - Anomaly Detection
Description42Crunch API protection anomaly detection
SeverityLow
TacticsReconnaissance
TechniquesT1593
T1589
Required data connectors42CrunchAPIProtection
KindScheduled
Query frequency5m
Query period5m
Trigger threshold0
Trigger operatorgt
Source Urihttps://github.com/Azure/Azure-Sentinel/blob/master/Solutions/42Crunch API Protection/Analytic Rules/APIAnomalyDetection.yaml
Version1.0.1
Arm template2c59e609-e0a0-4e8e-adc5-ab4224be8a36.json
Deploy To Azure
let infoRec = apifirewall_log_1_CL
| where TimeGenerated >= ago(5m) 
| project-away Non_blocking_mode_b, Source_Port_d, Destination_Port_d, Query_s, API_ID_g, Request_Header_s, Response_Header_s, Errors_s, Type, UUID_g
| where Instance_Name_s == "Instance_4" and URI_Path_s has "/api/users/info" and Status_d == 200;
let timestamp = toscalar(infoRec | top 1 by Timestamp_t desc | summarize by Timestamp_t);
let activityRec = apifirewall_log_1_CL
  | where Timestamp_t < timestamp and TimeGenerated >= ago(5m)
  | project-away Non_blocking_mode_b, Source_Port_d, Destination_Port_d, Query_s, API_ID_g, Request_Header_s, Response_Header_s, Errors_s, Type, UUID_g
  | where Instance_Name_s == "Instance_4" and URI_Path_s has "/api/users/activity" and Status_d == 200;
activityRec

eventGroupingSettings:
  aggregationKind: SingleAlert
triggerThreshold: 0
entityMappings:
- entityType: IP
  fieldMappings:
  - identifier: Address
    columnName: Source_IP_s
- entityType: Host
  fieldMappings:
  - identifier: HostName
    columnName: Hostname_s
- entityType: Account
  fieldMappings:
  - identifier: FullName
    columnName: Instance_Name_s
requiredDataConnectors:
- dataTypes:
  - apifirewall_log_1_CL
  connectorId: 42CrunchAPIProtection
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/42Crunch API Protection/Analytic Rules/APIAnomalyDetection.yaml
customDetails: 
name: API - Anomaly Detection
relevantTechniques:
- T1593
- T1589
status: Available
version: 1.0.1
queryPeriod: 5m
kind: Scheduled
id: 2c59e609-e0a0-4e8e-adc5-ab4224be8a36
query: |
  let infoRec = apifirewall_log_1_CL
  | where TimeGenerated >= ago(5m) 
  | project-away Non_blocking_mode_b, Source_Port_d, Destination_Port_d, Query_s, API_ID_g, Request_Header_s, Response_Header_s, Errors_s, Type, UUID_g
  | where Instance_Name_s == "Instance_4" and URI_Path_s has "/api/users/info" and Status_d == 200;
  let timestamp = toscalar(infoRec | top 1 by Timestamp_t desc | summarize by Timestamp_t);
  let activityRec = apifirewall_log_1_CL
    | where Timestamp_t < timestamp and TimeGenerated >= ago(5m)
    | project-away Non_blocking_mode_b, Source_Port_d, Destination_Port_d, Query_s, API_ID_g, Request_Header_s, Response_Header_s, Errors_s, Type, UUID_g
    | where Instance_Name_s == "Instance_4" and URI_Path_s has "/api/users/activity" and Status_d == 200;
  activityRec  
description: |
    '42Crunch API protection anomaly detection'
queryFrequency: 5m
severity: Low
triggerOperator: gt
tactics:
- Reconnaissance