Imperva - Request from unexpected countries

Back


Id	58300723-22e0-4096-b33a-aa9b992c3564
Rulename	Imperva - Request from unexpected countries
Description	Detects request attempts from unexpected countries.
Severity	High
Tactics	InitialAccess
Techniques	T1190 T1133
Required data connectors	ImpervaWAFCloudAPI
Kind	Scheduled
Query frequency	1h
Query period	1h
Trigger threshold	0
Trigger operator	gt
Source Uri	https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/ImpervaCloudWAF/Analytic Rules/ImpervaForbiddenCountry.yaml
Version	1.0.0
Arm template	58300723-22e0-4096-b33a-aa9b992c3564.json

KQL

let bl_country = dynamic(['CH', 'KR']);
ImpervaWAFCloud
| where Country in (bl_country)
| where DvcAction !startswith 'REQ_BLOCKED' or DvcAction !startswith 'REQ_BAD_'
| extend IPCustomEntity = SrcIpAddr

YAML

name: Imperva - Request from unexpected countries
query: |
  let bl_country = dynamic(['CH', 'KR']);
  ImpervaWAFCloud
  | where Country in (bl_country)
  | where DvcAction !startswith 'REQ_BLOCKED' or DvcAction !startswith 'REQ_BAD_'
  | extend IPCustomEntity = SrcIpAddr  
queryFrequency: 1h
triggerOperator: gt
requiredDataConnectors:
- dataTypes:
  - ImpervaWAFCloud
  connectorId: ImpervaWAFCloudAPI
status: Available
entityMappings:
- entityType: IP
  fieldMappings:
  - identifier: Address
    columnName: IPCustomEntity
triggerThreshold: 0
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/ImpervaCloudWAF/Analytic Rules/ImpervaForbiddenCountry.yaml
description: |
    'Detects request attempts from unexpected countries.'
version: 1.0.0
id: 58300723-22e0-4096-b33a-aa9b992c3564
kind: Scheduled
relevantTechniques:
- T1190
- T1133
severity: High
tactics:
- InitialAccess
queryPeriod: 1h

ARM