Imperva - Critical severity event not blocked

Back


Id	4d365217-f96a-437c-9c57-53594fa261c3
Rulename	Imperva - Critical severity event not blocked
Description	Detects when critical severity event was not blocked.
Severity	High
Tactics	InitialAccess
Techniques	T1190 T1133
Required data connectors	ImpervaWAFCloudAPI
Kind	Scheduled
Query frequency	10m
Query period	10m
Trigger threshold	0
Trigger operator	gt
Source Uri	https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/ImpervaCloudWAF/Analytic Rules/ImpervaAttackNotBlocked.yaml
Version	1.0.1
Arm template	4d365217-f96a-437c-9c57-53594fa261c3.json

KQL

ImpervaWAFCloud
| where EventSeverity =~ 'CRITICAL'
| where DvcAction !startswith 'REQ_BLOCKED' or DvcAction !startswith 'REQ_BAD_'
| extend IPCustomEntity = SrcIpAddr

YAML

query: |
  ImpervaWAFCloud
  | where EventSeverity =~ 'CRITICAL'
  | where DvcAction !startswith 'REQ_BLOCKED' or DvcAction !startswith 'REQ_BAD_'
  | extend IPCustomEntity = SrcIpAddr  
version: 1.0.1
triggerOperator: gt
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/ImpervaCloudWAF/Analytic Rules/ImpervaAttackNotBlocked.yaml
status: Available
description: |
    'Detects when critical severity event was not blocked.'
queryFrequency: 10m
name: Imperva - Critical severity event not blocked
kind: Scheduled
triggerThreshold: 0
id: 4d365217-f96a-437c-9c57-53594fa261c3
requiredDataConnectors:
- connectorId: ImpervaWAFCloudAPI
  dataTypes:
  - ImpervaWAFCloud
severity: High
queryPeriod: 10m
entityMappings:
- fieldMappings:
  - columnName: IPCustomEntity
    identifier: Address
  entityType: IP
relevantTechniques:
- T1190
- T1133
tactics:
- InitialAccess

ARM