Microsoft Sentinel Analytic Rules
cloudbrothers.infoAzure Sentinel RepoToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeBack to homepage

Imperva - Multiple user agents from same source

Back
Id4e8032eb-f04d-4a30-85d3-b74bf2c8f204
RulenameImperva - Multiple user agents from same source
Description‘Detects suspicious number of user agents from the same IP address.
SeverityMedium
TacticsInitialAccess
TechniquesT1190
T1133
Required data connectorsImpervaWAFCloudAPI
KindScheduled
Query frequency1h
Query period1h
Trigger threshold0
Trigger operatorgt
Source Urihttps://github.com/Azure/Azure-Sentinel/blob/master/Solutions/ImpervaCloudWAF/Analytic Rules/ImpervaMultipleUAsSource.yaml
Version1.0.0
Arm template4e8032eb-f04d-4a30-85d3-b74bf2c8f204.json
Deploy To Azure
let threshold = 10;
ImpervaWAFCloud
| summarize d_uas = dcount(HttpUserAgentOriginal) by SrcIpAddr, bin(TimeGenerated, 5m)
| where d_uas >= threshold
| extend IPCustomEntity = SrcIpAddr
triggerOperator: gt
id: 4e8032eb-f04d-4a30-85d3-b74bf2c8f204
queryFrequency: 1h
entityMappings:
- entityType: IP
  fieldMappings:
  - columnName: IPCustomEntity
    identifier: Address
requiredDataConnectors:
- dataTypes:
  - ImpervaWAFCloud
  connectorId: ImpervaWAFCloudAPI
severity: Medium
triggerThreshold: 0
kind: Scheduled
status: Available
queryPeriod: 1h
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/ImpervaCloudWAF/Analytic Rules/ImpervaMultipleUAsSource.yaml
query: |
  let threshold = 10;
  ImpervaWAFCloud
  | summarize d_uas = dcount(HttpUserAgentOriginal) by SrcIpAddr, bin(TimeGenerated, 5m)
  | where d_uas >= threshold
  | extend IPCustomEntity = SrcIpAddr  
description: |
    ''Detects suspicious number of user agents from the same IP address.'
name: Imperva - Multiple user agents from same source
relevantTechniques:
- T1190
- T1133
tactics:
- InitialAccess
version: 1.0.0
{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "workspace": {
      "type": "String"
    }
  },
  "resources": [
    {
      "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/4e8032eb-f04d-4a30-85d3-b74bf2c8f204')]",
      "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/4e8032eb-f04d-4a30-85d3-b74bf2c8f204')]",
      "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
      "kind": "Scheduled",
      "apiVersion": "2022-11-01",
      "properties": {
        "displayName": "Imperva - Multiple user agents from same source",
        "description": "''Detects suspicious number of user agents from the same IP address.'\n",
        "severity": "Medium",
        "enabled": true,
        "query": "let threshold = 10;\nImpervaWAFCloud\n| summarize d_uas = dcount(HttpUserAgentOriginal) by SrcIpAddr, bin(TimeGenerated, 5m)\n| where d_uas >= threshold\n| extend IPCustomEntity = SrcIpAddr\n",
        "queryFrequency": "PT1H",
        "queryPeriod": "PT1H",
        "triggerOperator": "GreaterThan",
        "triggerThreshold": 0,
        "suppressionDuration": "PT1H",
        "suppressionEnabled": false,
        "tactics": [
          "InitialAccess"
        ],
        "techniques": [
          "T1190",
          "T1133"
        ],
        "alertRuleTemplateName": "4e8032eb-f04d-4a30-85d3-b74bf2c8f204",
        "customDetails": null,
        "entityMappings": [
          {
            "fieldMappings": [
              {
                "identifier": "Address",
                "columnName": "IPCustomEntity"
              }
            ],
            "entityType": "IP"
          }
        ],
        "OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/ImpervaCloudWAF/Analytic Rules/ImpervaMultipleUAsSource.yaml",
        "templateVersion": "1.0.0",
        "status": "Available"
      }
    }
  ]
}