Microsoft Sentinel Analytic Rules
cloudbrothers.infoAzure Sentinel RepoToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeBack to homepage
  1. Microsoft Sentinel Analytics Rules
  2. /
  3. Analytic Rules
  4. /
  5. Imperva - Multiple user agents from same source

Imperva - Multiple user agents from same source

Back
Id4e8032eb-f04d-4a30-85d3-b74bf2c8f204
RulenameImperva - Multiple user agents from same source
Description‘Detects suspicious number of user agents from the same IP address.
SeverityMedium
TacticsInitialAccess
TechniquesT1190
T1133
Required data connectorsImpervaWAFCloudAPI
KindScheduled
Query frequency1h
Query period1h
Trigger threshold0
Trigger operatorgt
Source Urihttps://github.com/Azure/Azure-Sentinel/blob/master/Solutions/ImpervaCloudWAF/Analytic Rules/ImpervaMultipleUAsSource.yaml
Version1.0.0
Arm template4e8032eb-f04d-4a30-85d3-b74bf2c8f204.json
Deploy To Azure
let threshold = 10;
ImpervaWAFCloud
| summarize d_uas = dcount(HttpUserAgentOriginal) by SrcIpAddr, bin(TimeGenerated, 5m)
| where d_uas >= threshold
| extend IPCustomEntity = SrcIpAddr

OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/ImpervaCloudWAF/Analytic Rules/ImpervaMultipleUAsSource.yaml
queryFrequency: 1h
name: Imperva - Multiple user agents from same source
severity: Medium
triggerThreshold: 0
query: |
  let threshold = 10;
  ImpervaWAFCloud
  | summarize d_uas = dcount(HttpUserAgentOriginal) by SrcIpAddr, bin(TimeGenerated, 5m)
  | where d_uas >= threshold
  | extend IPCustomEntity = SrcIpAddr  
requiredDataConnectors:
- dataTypes:
  - ImpervaWAFCloud
  connectorId: ImpervaWAFCloudAPI
relevantTechniques:
- T1190
- T1133
status: Available
triggerOperator: gt
queryPeriod: 1h
description: |
    ''Detects suspicious number of user agents from the same IP address.'
id: 4e8032eb-f04d-4a30-85d3-b74bf2c8f204
version: 1.0.0
entityMappings:
- fieldMappings:
  - columnName: IPCustomEntity
    identifier: Address
  entityType: IP
kind: Scheduled
tactics:
- InitialAccess