Microsoft Sentinel Analytic Rules
cloudbrothers.infoAzure Sentinel RepoToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeBack to homepage

Tomcat - Multiple empty requests from same IP

Back
Id7c9a1026-4872-11ec-81d3-0242ac130003
RulenameTomcat - Multiple empty requests from same IP
DescriptionDetects multiple empty requests from same IP
SeverityMedium
TacticsInitialAccess
Impact
TechniquesT1190
T1133
T1499
Required data connectorsCustomLogsAma
KindScheduled
Query frequency1h
Query period1h
Trigger threshold0
Trigger operatorgt
Source Urihttps://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Tomcat/Analytic Rules/TomcatMultipleEmptyRequestsFromSameIP.yaml
Version1.0.2
Arm template7c9a1026-4872-11ec-81d3-0242ac130003.json
Deploy To Azure
let threshold = 50;
TomcatEvent
| where HttpResponseBodyBytes == 0
| summarize MultipleClientErrors = count() by SrcIpAddr, bin(TimeGenerated, 5m)
| where MultipleClientErrors > threshold
| extend IPCustomEntity = SrcIpAddr
severity: Medium
relevantTechniques:
- T1190
- T1133
- T1499
requiredDataConnectors:
- datatypes:
  - Tomcat_CL
  connectorId: CustomLogsAma
status: Available
triggerThreshold: 0
description: |
    'Detects multiple empty requests from same IP'
triggerOperator: gt
name: Tomcat - Multiple empty requests from same IP
queryFrequency: 1h
version: 1.0.2
query: |
  let threshold = 50;
  TomcatEvent
  | where HttpResponseBodyBytes == 0
  | summarize MultipleClientErrors = count() by SrcIpAddr, bin(TimeGenerated, 5m)
  | where MultipleClientErrors > threshold
  | extend IPCustomEntity = SrcIpAddr  
entityMappings:
- entityType: IP
  fieldMappings:
  - columnName: IPCustomEntity
    identifier: Address
tactics:
- InitialAccess
- Impact
queryPeriod: 1h
kind: Scheduled
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Tomcat/Analytic Rules/TomcatMultipleEmptyRequestsFromSameIP.yaml
id: 7c9a1026-4872-11ec-81d3-0242ac130003
{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "workspace": {
      "type": "String"
    }
  },
  "resources": [
    {
      "apiVersion": "2024-01-01-preview",
      "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/7c9a1026-4872-11ec-81d3-0242ac130003')]",
      "kind": "Scheduled",
      "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/7c9a1026-4872-11ec-81d3-0242ac130003')]",
      "properties": {
        "alertRuleTemplateName": "7c9a1026-4872-11ec-81d3-0242ac130003",
        "customDetails": null,
        "description": "'Detects multiple empty requests from same IP'\n",
        "displayName": "Tomcat - Multiple empty requests from same IP",
        "enabled": true,
        "entityMappings": [
          {
            "entityType": "IP",
            "fieldMappings": [
              {
                "columnName": "IPCustomEntity",
                "identifier": "Address"
              }
            ]
          }
        ],
        "OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Tomcat/Analytic Rules/TomcatMultipleEmptyRequestsFromSameIP.yaml",
        "query": "let threshold = 50;\nTomcatEvent\n| where HttpResponseBodyBytes == 0\n| summarize MultipleClientErrors = count() by SrcIpAddr, bin(TimeGenerated, 5m)\n| where MultipleClientErrors > threshold\n| extend IPCustomEntity = SrcIpAddr\n",
        "queryFrequency": "PT1H",
        "queryPeriod": "PT1H",
        "severity": "Medium",
        "status": "Available",
        "subTechniques": [],
        "suppressionDuration": "PT1H",
        "suppressionEnabled": false,
        "tactics": [
          "Impact",
          "InitialAccess"
        ],
        "techniques": [
          "T1133",
          "T1190",
          "T1499"
        ],
        "templateVersion": "1.0.2",
        "triggerOperator": "GreaterThan",
        "triggerThreshold": 0
      },
      "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules"
    }
  ]
}