Microsoft Sentinel Analytic Rules
cloudbrothers.infoAzure Sentinel RepoToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeBack to homepage

Imperva - Critical severity event not blocked

Back
Id4d365217-f96a-437c-9c57-53594fa261c3
RulenameImperva - Critical severity event not blocked
DescriptionDetects when critical severity event was not blocked.
SeverityHigh
TacticsInitialAccess
TechniquesT1190
T1133
Required data connectorsImpervaWAFCloudAPI
KindScheduled
Query frequency10m
Query period10m
Trigger threshold0
Trigger operatorgt
Source Urihttps://github.com/Azure/Azure-Sentinel/blob/master/Solutions/ImpervaCloudWAF/Analytic Rules/ImpervaAttackNotBlocked.yaml
Version1.0.1
Arm template4d365217-f96a-437c-9c57-53594fa261c3.json
Deploy To Azure
ImpervaWAFCloud
| where EventSeverity =~ 'CRITICAL'
| where DvcAction !startswith 'REQ_BLOCKED' or DvcAction !startswith 'REQ_BAD_'
| extend IPCustomEntity = SrcIpAddr
triggerThreshold: 0
entityMappings:
- entityType: IP
  fieldMappings:
  - columnName: IPCustomEntity
    identifier: Address
queryPeriod: 10m
version: 1.0.1
triggerOperator: gt
tactics:
- InitialAccess
queryFrequency: 10m
requiredDataConnectors:
- connectorId: ImpervaWAFCloudAPI
  dataTypes:
  - ImpervaWAFCloud
query: |
  ImpervaWAFCloud
  | where EventSeverity =~ 'CRITICAL'
  | where DvcAction !startswith 'REQ_BLOCKED' or DvcAction !startswith 'REQ_BAD_'
  | extend IPCustomEntity = SrcIpAddr  
relevantTechniques:
- T1190
- T1133
severity: High
status: Available
kind: Scheduled
id: 4d365217-f96a-437c-9c57-53594fa261c3
name: Imperva - Critical severity event not blocked
description: |
    'Detects when critical severity event was not blocked.'
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/ImpervaCloudWAF/Analytic Rules/ImpervaAttackNotBlocked.yaml
{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "workspace": {
      "type": "String"
    }
  },
  "resources": [
    {
      "apiVersion": "2024-01-01-preview",
      "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/4d365217-f96a-437c-9c57-53594fa261c3')]",
      "kind": "Scheduled",
      "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/4d365217-f96a-437c-9c57-53594fa261c3')]",
      "properties": {
        "alertRuleTemplateName": "4d365217-f96a-437c-9c57-53594fa261c3",
        "customDetails": null,
        "description": "'Detects when critical severity event was not blocked.'\n",
        "displayName": "Imperva - Critical severity event not blocked",
        "enabled": true,
        "entityMappings": [
          {
            "entityType": "IP",
            "fieldMappings": [
              {
                "columnName": "IPCustomEntity",
                "identifier": "Address"
              }
            ]
          }
        ],
        "OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/ImpervaCloudWAF/Analytic Rules/ImpervaAttackNotBlocked.yaml",
        "query": "ImpervaWAFCloud\n| where EventSeverity =~ 'CRITICAL'\n| where DvcAction !startswith 'REQ_BLOCKED' or DvcAction !startswith 'REQ_BAD_'\n| extend IPCustomEntity = SrcIpAddr\n",
        "queryFrequency": "PT10M",
        "queryPeriod": "PT10M",
        "severity": "High",
        "status": "Available",
        "subTechniques": [],
        "suppressionDuration": "PT1H",
        "suppressionEnabled": false,
        "tactics": [
          "InitialAccess"
        ],
        "techniques": [
          "T1133",
          "T1190"
        ],
        "templateVersion": "1.0.1",
        "triggerOperator": "GreaterThan",
        "triggerThreshold": 0
      },
      "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules"
    }
  ]
}