Microsoft Sentinel Analytic Rules
cloudbrothers.infoAzure Sentinel RepoToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeBack to homepage

Imperva - Request from unexpected IP address to admin panel

Back
Id427c025d-c068-4844-8205-66879e89bcfa
RulenameImperva - Request from unexpected IP address to admin panel
DescriptionDetects requests from unexpected IP addresses to admin panel.
SeverityHigh
TacticsInitialAccess
TechniquesT1190
T1133
Required data connectorsImpervaWAFCloudAPI
KindScheduled
Query frequency10m
Query period10m
Trigger threshold0
Trigger operatorgt
Source Urihttps://github.com/Azure/Azure-Sentinel/blob/master/Solutions/ImpervaCloudWAF/Analytic Rules/ImpervaAdminPanelUncommonIp.yaml
Version1.0.1
Arm template427c025d-c068-4844-8205-66879e89bcfa.json
Deploy To Azure
ImpervaWAFCloud
| where QueryString contains @'/admin'
| where ipv4_is_private(SrcIpAddr) == False
| extend IPCustomEntity = SrcIpAddr
entityMappings:
- fieldMappings:
  - columnName: IPCustomEntity
    identifier: Address
  entityType: IP
triggerThreshold: 0
severity: High
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/ImpervaCloudWAF/Analytic Rules/ImpervaAdminPanelUncommonIp.yaml
queryFrequency: 10m
status: Available
relevantTechniques:
- T1190
- T1133
triggerOperator: gt
id: 427c025d-c068-4844-8205-66879e89bcfa
requiredDataConnectors:
- connectorId: ImpervaWAFCloudAPI
  dataTypes:
  - ImpervaWAFCloud
version: 1.0.1
name: Imperva - Request from unexpected IP address to admin panel
description: |
    'Detects requests from unexpected IP addresses to admin panel.'
query: |
  ImpervaWAFCloud
  | where QueryString contains @'/admin'
  | where ipv4_is_private(SrcIpAddr) == False
  | extend IPCustomEntity = SrcIpAddr  
tactics:
- InitialAccess
queryPeriod: 10m
kind: Scheduled
{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "workspace": {
      "type": "String"
    }
  },
  "resources": [
    {
      "apiVersion": "2024-01-01-preview",
      "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/427c025d-c068-4844-8205-66879e89bcfa')]",
      "kind": "Scheduled",
      "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/427c025d-c068-4844-8205-66879e89bcfa')]",
      "properties": {
        "alertRuleTemplateName": "427c025d-c068-4844-8205-66879e89bcfa",
        "customDetails": null,
        "description": "'Detects requests from unexpected IP addresses to admin panel.'\n",
        "displayName": "Imperva - Request from unexpected IP address to admin panel",
        "enabled": true,
        "entityMappings": [
          {
            "entityType": "IP",
            "fieldMappings": [
              {
                "columnName": "IPCustomEntity",
                "identifier": "Address"
              }
            ]
          }
        ],
        "OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/ImpervaCloudWAF/Analytic Rules/ImpervaAdminPanelUncommonIp.yaml",
        "query": "ImpervaWAFCloud\n| where QueryString contains @'/admin'\n| where ipv4_is_private(SrcIpAddr) == False\n| extend IPCustomEntity = SrcIpAddr\n",
        "queryFrequency": "PT10M",
        "queryPeriod": "PT10M",
        "severity": "High",
        "status": "Available",
        "subTechniques": [],
        "suppressionDuration": "PT1H",
        "suppressionEnabled": false,
        "tactics": [
          "InitialAccess"
        ],
        "techniques": [
          "T1133",
          "T1190"
        ],
        "templateVersion": "1.0.1",
        "triggerOperator": "GreaterThan",
        "triggerThreshold": 0
      },
      "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules"
    }
  ]
}