Microsoft Sentinel Analytic Rules

Imperva - Multiple user agents from same source

Id: 4e8032eb-f04d-4a30-85d3-b74bf2c8f204
Rulename: Imperva - Multiple user agents from same source
Description: Detects suspicious number of user agents from the same IP address.
Severity: Medium
Tactics: InitialAccess
Techniques: T1190, T1133
Required data connectors: ImpervaWAFCloudAPI
Kind: Scheduled
Query frequency: 1h
Query period: 1h
Trigger threshold: 0
Trigger operator: gt
Source Uri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/ImpervaCloudWAF/Analytic Rules/ImpervaMultipleUAsSource.yaml
Version: 1.0.0
Arm template: 4e8032eb-f04d-4a30-85d3-b74bf2c8f204.json
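// Imperva - Multiple user agents from same source
// Flags a source IP that presents `threshold` or more distinct user-agent
// strings within one 5-minute bin of the rule's lookback. Output columns:
// SrcIpAddr, TimeGenerated (bin start), d_uas, UserAgents and
// IPCustomEntity (the column the rule's IP entity mapping reads).
let threshold = 10;
ImpervaWAFCloud
// Rows without a source address would otherwise collapse into a single
// empty-key group, count every user agent seen in the window and raise an
// alert whose IP entity is blank; drop them before aggregating.
| where isnotempty(SrcIpAddr)
// dcount() is an estimate; if exact behaviour at the threshold boundary
// matters, consider count_distinct(). UserAgents keeps a bounded sample
// (at most 20 values) so an analyst can triage without re-running the query.
| summarize d_uas = dcount(HttpUserAgentOriginal),
            UserAgents = make_set(HttpUserAgentOriginal, 20)
    by SrcIpAddr, bin(TimeGenerated, 5m)
| where d_uas >= threshold
| extend IPCustomEntity = SrcIpAddr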
status: Available
queryFrequency: 1h
description: |
    Detects suspicious number of user agents from the same IP address.
severity: Medium
version: 1.0.0
relevantTechniques:
- T1190
- T1133
name: Imperva - Multiple user agents from same source
triggerThreshold: 0
kind: Scheduled
query: |
  let threshold = 10;
  ImpervaWAFCloud
  | summarize d_uas = dcount(HttpUserAgentOriginal) by SrcIpAddr, bin(TimeGenerated, 5m)
  | where d_uas >= threshold
  | extend IPCustomEntity = SrcIpAddr  
triggerOperator: gt
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/ImpervaCloudWAF/Analytic Rules/ImpervaMultipleUAsSource.yaml
requiredDataConnectors:
- connectorId: ImpervaWAFCloudAPI
  dataTypes:
  - ImpervaWAFCloud
tactics:
- InitialAccess
id: 4e8032eb-f04d-4a30-85d3-b74bf2c8f204
queryPeriod: 1h
entityMappings:
- fieldMappings:
  - columnName: IPCustomEntity
    identifier: Address
  entityType: IP
{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "workspace": {
      "type": "String"
    }
  },
  "resources": [
    {
      "apiVersion": "2024-01-01-preview",
      "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/4e8032eb-f04d-4a30-85d3-b74bf2c8f204')]",
      "kind": "Scheduled",
      "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/4e8032eb-f04d-4a30-85d3-b74bf2c8f204')]",
      "properties": {
        "alertRuleTemplateName": "4e8032eb-f04d-4a30-85d3-b74bf2c8f204",
        "customDetails": null,
        "description": "Detects suspicious number of user agents from the same IP address.\n",
        "displayName": "Imperva - Multiple user agents from same source",
        "enabled": true,
        "entityMappings": [
          {
            "entityType": "IP",
            "fieldMappings": [
              {
                "columnName": "IPCustomEntity",
                "identifier": "Address"
              }
            ]
          }
        ],
        "OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/ImpervaCloudWAF/Analytic Rules/ImpervaMultipleUAsSource.yaml",
        "query": "let threshold = 10;\nImpervaWAFCloud\n| summarize d_uas = dcount(HttpUserAgentOriginal) by SrcIpAddr, bin(TimeGenerated, 5m)\n| where d_uas >= threshold\n| extend IPCustomEntity = SrcIpAddr\n",
        "queryFrequency": "PT1H",
        "queryPeriod": "PT1H",
        "severity": "Medium",
        "status": "Available",
        "subTechniques": [],
        "suppressionDuration": "PT1H",
        "suppressionEnabled": false,
        "tactics": [
          "InitialAccess"
        ],
        "techniques": [
          "T1133",
          "T1190"
        ],
        "templateVersion": "1.0.0",
        "triggerOperator": "GreaterThan",
        "triggerThreshold": 0
      },
      "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules"
    }
  ]
}