Cloudflare - Client request from country in blocklist

Back


Id	40554544-6e4a-4413-8d14-bf2de939c5d9
Rulename	Cloudflare - Client request from country in blocklist
Description	Detects requests from countries which are in blocklist.
Severity	Medium
Tactics	InitialAccess
Techniques	T1190 T1133
Required data connectors	CloudflareDataConnector
Kind	Scheduled
Query frequency	1h
Query period	1h
Trigger threshold	0
Trigger operator	gt
Source Uri	https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Cloudflare/Analytic Rules/CloudflareUnexpectedCountry.yaml
Version	1.0.1
Arm template	40554544-6e4a-4413-8d14-bf2de939c5d9.json

KQL

let bl_countries = dynamic(['cn', 'hk']);
Cloudflare
| where SrcGeoCountry in~ (bl_countries)
| extend CompleteUrl = strcat(HttpRequestHeaderHost,ClientRequestPath)

YAML

description: |
    'Detects requests from countries which are in blocklist.'
triggerThreshold: 0
queryPeriod: 1h
query: |
  let bl_countries = dynamic(['cn', 'hk']);
  Cloudflare
  | where SrcGeoCountry in~ (bl_countries)
  | extend CompleteUrl = strcat(HttpRequestHeaderHost,ClientRequestPath)  
queryFrequency: 1h
requiredDataConnectors:
- connectorId: CloudflareDataConnector
  dataTypes:
  - Cloudflare
relevantTechniques:
- T1190
- T1133
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Cloudflare/Analytic Rules/CloudflareUnexpectedCountry.yaml
entityMappings:
- entityType: IP
  fieldMappings:
  - identifier: Address
    columnName: SrcIpAddr
- entityType: URL
  fieldMappings:
  - identifier: Url
    columnName: CompleteUrl
version: 1.0.1
severity: Medium
tactics:
- InitialAccess
id: 40554544-6e4a-4413-8d14-bf2de939c5d9
kind: Scheduled
name: Cloudflare - Client request from country in blocklist
status: Available
triggerOperator: gt

ARM