Cloudflare - XSS probing pattern in request

Back


Id	4d9d00b9-31a6-49e4-88c1-9e68277053ac
Rulename	Cloudflare - XSS probing pattern in request
Description	Detects XSS probing patterns.
Severity	Medium
Tactics	InitialAccess
Techniques	T1190 T1133
Required data connectors	CloudflareDataConnector
Kind	Scheduled
Query frequency	1h
Query period	1h
Trigger threshold	0
Trigger operator	gt
Source Uri	https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Cloudflare/Analytic Rules/CloudflareXSSProbingPattern.yaml
Version	1.0.1
Arm template	4d9d00b9-31a6-49e4-88c1-9e68277053ac.json

KQL

let s_threshold = 3;
Cloudflare
| where HttpRequestMethod in~ ('POST', 'PUT')
| extend susp_ch = countof(ClientRequestURI, '%00')
| where ClientRequestURI matches regex @'(alert\()|(alert\%28)|(String\.fromCharCode\()|(expression\(alert)' or susp_ch > s_threshold 
| extend CompleteUrl = strcat(HttpRequestHeaderHost,ClientRequestPath)

YAML

entityMappings:
- fieldMappings:
  - columnName: SrcIpAddr
    identifier: Address
  entityType: IP
- fieldMappings:
  - columnName: CompleteUrl
    identifier: Url
  entityType: URL
triggerOperator: gt
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Cloudflare/Analytic Rules/CloudflareXSSProbingPattern.yaml
version: 1.0.1
tactics:
- InitialAccess
queryPeriod: 1h
kind: Scheduled
id: 4d9d00b9-31a6-49e4-88c1-9e68277053ac
severity: Medium
query: |
  let s_threshold = 3;
  Cloudflare
  | where HttpRequestMethod in~ ('POST', 'PUT')
  | extend susp_ch = countof(ClientRequestURI, '%00')
  | where ClientRequestURI matches regex @'(alert\()|(alert\%28)|(String\.fromCharCode\()|(expression\(alert)' or susp_ch > s_threshold 
  | extend CompleteUrl = strcat(HttpRequestHeaderHost,ClientRequestPath)  
triggerThreshold: 0
name: Cloudflare - XSS probing pattern in request
status: Available
description: |
    'Detects XSS probing patterns.'
relevantTechniques:
- T1190
- T1133
requiredDataConnectors:
- connectorId: CloudflareDataConnector
  dataTypes:
  - Cloudflare
queryFrequency: 1h

ARM