Imperva - Request from unexpected IP address to admin panel

Back


Id	427c025d-c068-4844-8205-66879e89bcfa
Rulename	Imperva - Request from unexpected IP address to admin panel
Description	Detects requests from unexpected IP addresses to admin panel.
Severity	High
Tactics	InitialAccess
Techniques	T1190 T1133
Required data connectors	ImpervaWAFCloudAPI
Kind	Scheduled
Query frequency	10m
Query period	10m
Trigger threshold	0
Trigger operator	gt
Source Uri	https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/ImpervaCloudWAF/Analytic Rules/ImpervaAdminPanelUncommonIp.yaml
Version	1.0.1
Arm template	427c025d-c068-4844-8205-66879e89bcfa.json

KQL

ImpervaWAFCloud
| where QueryString contains @'/admin'
| where ipv4_is_private(SrcIpAddr) == False
| extend IPCustomEntity = SrcIpAddr

YAML

status: Available
id: 427c025d-c068-4844-8205-66879e89bcfa
query: |
  ImpervaWAFCloud
  | where QueryString contains @'/admin'
  | where ipv4_is_private(SrcIpAddr) == False
  | extend IPCustomEntity = SrcIpAddr  
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/ImpervaCloudWAF/Analytic Rules/ImpervaAdminPanelUncommonIp.yaml
description: |
    'Detects requests from unexpected IP addresses to admin panel.'
name: Imperva - Request from unexpected IP address to admin panel
relevantTechniques:
- T1190
- T1133
entityMappings:
- entityType: IP
  fieldMappings:
  - identifier: Address
    columnName: IPCustomEntity
triggerThreshold: 0
severity: High
requiredDataConnectors:
- dataTypes:
  - ImpervaWAFCloud
  connectorId: ImpervaWAFCloudAPI
queryFrequency: 10m
queryPeriod: 10m
version: 1.0.1
kind: Scheduled
tactics:
- InitialAccess
triggerOperator: gt

ARM

{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "workspace": {
      "type": "String"
    }
  },
  "resources": [
    {
      "apiVersion": "2024-01-01-preview",
      "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/427c025d-c068-4844-8205-66879e89bcfa')]",
      "kind": "Scheduled",
      "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/427c025d-c068-4844-8205-66879e89bcfa')]",
      "properties": {
        "alertRuleTemplateName": "427c025d-c068-4844-8205-66879e89bcfa",
        "customDetails": null,
        "description": "'Detects requests from unexpected IP addresses to admin panel.'\n",
        "displayName": "Imperva - Request from unexpected IP address to admin panel",
        "enabled": true,
        "entityMappings": [
          {
            "entityType": "IP",
            "fieldMappings": [
              {
                "columnName": "IPCustomEntity",
                "identifier": "Address"
              }
            ]
          }
        ],
        "OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/ImpervaCloudWAF/Analytic Rules/ImpervaAdminPanelUncommonIp.yaml",
        "query": "ImpervaWAFCloud\n| where QueryString contains @'/admin'\n| where ipv4_is_private(SrcIpAddr) == False\n| extend IPCustomEntity = SrcIpAddr\n",
        "queryFrequency": "PT10M",
        "queryPeriod": "PT10M",
        "severity": "High",
        "status": "Available",
        "subTechniques": [],
        "suppressionDuration": "PT1H",
        "suppressionEnabled": false,
        "tactics": [
          "InitialAccess"
        ],
        "techniques": [
          "T1133",
          "T1190"
        ],
        "templateVersion": "1.0.1",
        "triggerOperator": "GreaterThan",
        "triggerThreshold": 0
      },
      "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules"
    }
  ]
}