Imperva - Request from unexpected IP address to admin panel

Back


Id	427c025d-c068-4844-8205-66879e89bcfa
Rulename	Imperva - Request from unexpected IP address to admin panel
Description	Detects requests from unexpected IP addresses to admin panel.
Severity	High
Tactics	InitialAccess
Techniques	T1190 T1133
Required data connectors	ImpervaWAFCloudAPI
Kind	Scheduled
Query frequency	10m
Query period	10m
Trigger threshold	0
Trigger operator	gt
Source Uri	https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/ImpervaCloudWAF/Analytic Rules/ImpervaAdminPanelUncommonIp.yaml
Version	1.0.1
Arm template	427c025d-c068-4844-8205-66879e89bcfa.json

KQL

ImpervaWAFCloud
| where QueryString contains @'/admin'
| where ipv4_is_private(SrcIpAddr) == False
| extend IPCustomEntity = SrcIpAddr

YAML

relevantTechniques:
- T1190
- T1133
name: Imperva - Request from unexpected IP address to admin panel
requiredDataConnectors:
- dataTypes:
  - ImpervaWAFCloud
  connectorId: ImpervaWAFCloudAPI
entityMappings:
- fieldMappings:
  - identifier: Address
    columnName: IPCustomEntity
  entityType: IP
triggerThreshold: 0
id: 427c025d-c068-4844-8205-66879e89bcfa
tactics:
- InitialAccess
version: 1.0.1
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/ImpervaCloudWAF/Analytic Rules/ImpervaAdminPanelUncommonIp.yaml
queryPeriod: 10m
kind: Scheduled
queryFrequency: 10m
severity: High
status: Available
description: |
    'Detects requests from unexpected IP addresses to admin panel.'
query: |
  ImpervaWAFCloud
  | where QueryString contains @'/admin'
  | where ipv4_is_private(SrcIpAddr) == False
  | extend IPCustomEntity = SrcIpAddr  
triggerOperator: gt

ARM

{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "workspace": {
      "type": "String"
    }
  },
  "resources": [
    {
      "apiVersion": "2024-01-01-preview",
      "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/427c025d-c068-4844-8205-66879e89bcfa')]",
      "kind": "Scheduled",
      "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/427c025d-c068-4844-8205-66879e89bcfa')]",
      "properties": {
        "alertRuleTemplateName": "427c025d-c068-4844-8205-66879e89bcfa",
        "customDetails": null,
        "description": "'Detects requests from unexpected IP addresses to admin panel.'\n",
        "displayName": "Imperva - Request from unexpected IP address to admin panel",
        "enabled": true,
        "entityMappings": [
          {
            "entityType": "IP",
            "fieldMappings": [
              {
                "columnName": "IPCustomEntity",
                "identifier": "Address"
              }
            ]
          }
        ],
        "OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/ImpervaCloudWAF/Analytic Rules/ImpervaAdminPanelUncommonIp.yaml",
        "query": "ImpervaWAFCloud\n| where QueryString contains @'/admin'\n| where ipv4_is_private(SrcIpAddr) == False\n| extend IPCustomEntity = SrcIpAddr\n",
        "queryFrequency": "PT10M",
        "queryPeriod": "PT10M",
        "severity": "High",
        "status": "Available",
        "subTechniques": [],
        "suppressionDuration": "PT1H",
        "suppressionEnabled": false,
        "tactics": [
          "InitialAccess"
        ],
        "techniques": [
          "T1133",
          "T1190"
        ],
        "templateVersion": "1.0.1",
        "triggerOperator": "GreaterThan",
        "triggerThreshold": 0
      },
      "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules"
    }
  ]
}