Cloudflare - Unexpected POST requests

Cloudflare
| where HttpRequestMethod in~ ('POST', 'PUT')
| where tostring(HttpStatusCode) startswith '2'
| where DstBytes != 0 or SrcBytes != 0
| extend fe = extract(@'.*(\.\w+)$', 1, ClientRequestURI)
| where fe in~ ('.jpg', '.jpeg', '.gif', '.png', '.icon', '.ico', '.xml', '.swf', '.svg', '.ppt', '.pttx', '.doc', '.docx', '.rtf', '.pdf', '.tif', '.zip', '.mov')
| extend IPCustomEntity = SrcIpAddr

tactics:
- Persistence
- CommandAndControl
query: |
  Cloudflare
  | where HttpRequestMethod in~ ('POST', 'PUT')
  | where tostring(HttpStatusCode) startswith '2'
  | where DstBytes != 0 or SrcBytes != 0
  | extend fe = extract(@'.*(\.\w+)$', 1, ClientRequestURI)
  | where fe in~ ('.jpg', '.jpeg', '.gif', '.png', '.icon', '.ico', '.xml', '.swf', '.svg', '.ppt', '.pttx', '.doc', '.docx', '.rtf', '.pdf', '.tif', '.zip', '.mov')
  | extend IPCustomEntity = SrcIpAddr  
requiredDataConnectors:
- dataTypes:
  - Cloudflare
  connectorId: CloudflareDataConnector
name: Cloudflare - Unexpected POST requests
kind: Scheduled
queryPeriod: 1h
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Cloudflare/Analytic Rules/CloudflareUnexpectedPost.yaml
triggerThreshold: 0
description: |
    'Detects post requests to unusual extensions.'
version: 1.0.0
status: Available
queryFrequency: 1h
severity: Medium
entityMappings:
- entityType: IP
  fieldMappings:
  - identifier: Address
    columnName: IPCustomEntity
triggerOperator: gt
id: 7313352a-09f6-4a84-88bd-6f17f1cbeb8f
relevantTechniques:
- T1505
- T1071