Microsoft Sentinel Analytic Rules
cloudbrothers.infoAzure Sentinel RepoToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeBack to homepage

Imperva - Multiple user agents from same source

Back
Id4e8032eb-f04d-4a30-85d3-b74bf2c8f204
RulenameImperva - Multiple user agents from same source
Description‘Detects suspicious number of user agents from the same IP address.
SeverityMedium
TacticsInitialAccess
TechniquesT1190
T1133
Required data connectorsImpervaWAFCloudAPI
KindScheduled
Query frequency1h
Query period1h
Trigger threshold0
Trigger operatorgt
Source Urihttps://github.com/Azure/Azure-Sentinel/blob/master/Solutions/ImpervaCloudWAF/Analytic Rules/ImpervaMultipleUAsSource.yaml
Version1.0.0
Arm template4e8032eb-f04d-4a30-85d3-b74bf2c8f204.json
Deploy To Azure
let threshold = 10;
ImpervaWAFCloud
| summarize d_uas = dcount(HttpUserAgentOriginal) by SrcIpAddr, bin(TimeGenerated, 5m)
| where d_uas >= threshold
| extend IPCustomEntity = SrcIpAddr
queryFrequency: 1h
tactics:
- InitialAccess
queryPeriod: 1h
kind: Scheduled
relevantTechniques:
- T1190
- T1133
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/ImpervaCloudWAF/Analytic Rules/ImpervaMultipleUAsSource.yaml
description: |
    ''Detects suspicious number of user agents from the same IP address.'
requiredDataConnectors:
- dataTypes:
  - ImpervaWAFCloud
  connectorId: ImpervaWAFCloudAPI
version: 1.0.0
triggerThreshold: 0
severity: Medium
triggerOperator: gt
id: 4e8032eb-f04d-4a30-85d3-b74bf2c8f204
entityMappings:
- entityType: IP
  fieldMappings:
  - columnName: IPCustomEntity
    identifier: Address
status: Available
name: Imperva - Multiple user agents from same source
query: |
  let threshold = 10;
  ImpervaWAFCloud
  | summarize d_uas = dcount(HttpUserAgentOriginal) by SrcIpAddr, bin(TimeGenerated, 5m)
  | where d_uas >= threshold
  | extend IPCustomEntity = SrcIpAddr  
{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "workspace": {
      "type": "String"
    }
  },
  "resources": [
    {
      "apiVersion": "2023-02-01-preview",
      "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/4e8032eb-f04d-4a30-85d3-b74bf2c8f204')]",
      "kind": "Scheduled",
      "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/4e8032eb-f04d-4a30-85d3-b74bf2c8f204')]",
      "properties": {
        "alertRuleTemplateName": "4e8032eb-f04d-4a30-85d3-b74bf2c8f204",
        "customDetails": null,
        "description": "''Detects suspicious number of user agents from the same IP address.'\n",
        "displayName": "Imperva - Multiple user agents from same source",
        "enabled": true,
        "entityMappings": [
          {
            "entityType": "IP",
            "fieldMappings": [
              {
                "columnName": "IPCustomEntity",
                "identifier": "Address"
              }
            ]
          }
        ],
        "OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/ImpervaCloudWAF/Analytic Rules/ImpervaMultipleUAsSource.yaml",
        "query": "let threshold = 10;\nImpervaWAFCloud\n| summarize d_uas = dcount(HttpUserAgentOriginal) by SrcIpAddr, bin(TimeGenerated, 5m)\n| where d_uas >= threshold\n| extend IPCustomEntity = SrcIpAddr\n",
        "queryFrequency": "PT1H",
        "queryPeriod": "PT1H",
        "severity": "Medium",
        "status": "Available",
        "suppressionDuration": "PT1H",
        "suppressionEnabled": false,
        "tactics": [
          "InitialAccess"
        ],
        "techniques": [
          "T1133",
          "T1190"
        ],
        "templateVersion": "1.0.0",
        "triggerOperator": "GreaterThan",
        "triggerThreshold": 0
      },
      "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules"
    }
  ]
}