Microsoft Sentinel Analytic Rules
cloudbrothers.infoAzure Sentinel RepoToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeBack to homepage

Tomcat - Multiple empty requests from same IP

Back
Id7c9a1026-4872-11ec-81d3-0242ac130003
RulenameTomcat - Multiple empty requests from same IP
DescriptionDetects multiple empty requests from same IP
SeverityMedium
TacticsInitialAccess
Impact
TechniquesT1190
T1133
T1499
Required data connectorsApacheTomcat
CustomLogsAma
KindScheduled
Query frequency1h
Query period1h
Trigger threshold0
Trigger operatorgt
Source Urihttps://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Tomcat/Analytic Rules/TomcatMultipleEmptyRequestsFromSameIP.yaml
Version1.0.1
Arm template7c9a1026-4872-11ec-81d3-0242ac130003.json
Deploy To Azure
let threshold = 50;
TomcatEvent
| where HttpResponseBodyBytes == 0
| summarize MultipleClientErrors = count() by SrcIpAddr, bin(TimeGenerated, 5m)
| where MultipleClientErrors > threshold
| extend IPCustomEntity = SrcIpAddr
kind: Scheduled
relevantTechniques:
- T1190
- T1133
- T1499
description: |
    'Detects multiple empty requests from same IP'
queryPeriod: 1h
queryFrequency: 1h
tactics:
- InitialAccess
- Impact
name: Tomcat - Multiple empty requests from same IP
requiredDataConnectors:
- connectorId: ApacheTomcat
  dataTypes:
  - TomcatEvent
- connectorId: CustomLogsAma
  datatypes:
  - Tomcat_CL
entityMappings:
- entityType: IP
  fieldMappings:
  - identifier: Address
    columnName: IPCustomEntity
triggerThreshold: 0
version: 1.0.1
id: 7c9a1026-4872-11ec-81d3-0242ac130003
query: |
  let threshold = 50;
  TomcatEvent
  | where HttpResponseBodyBytes == 0
  | summarize MultipleClientErrors = count() by SrcIpAddr, bin(TimeGenerated, 5m)
  | where MultipleClientErrors > threshold
  | extend IPCustomEntity = SrcIpAddr  
status: Available
triggerOperator: gt
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Tomcat/Analytic Rules/TomcatMultipleEmptyRequestsFromSameIP.yaml
severity: Medium
{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "workspace": {
      "type": "String"
    }
  },
  "resources": [
    {
      "apiVersion": "2024-01-01-preview",
      "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/7c9a1026-4872-11ec-81d3-0242ac130003')]",
      "kind": "Scheduled",
      "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/7c9a1026-4872-11ec-81d3-0242ac130003')]",
      "properties": {
        "alertRuleTemplateName": "7c9a1026-4872-11ec-81d3-0242ac130003",
        "customDetails": null,
        "description": "'Detects multiple empty requests from same IP'\n",
        "displayName": "Tomcat - Multiple empty requests from same IP",
        "enabled": true,
        "entityMappings": [
          {
            "entityType": "IP",
            "fieldMappings": [
              {
                "columnName": "IPCustomEntity",
                "identifier": "Address"
              }
            ]
          }
        ],
        "OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Tomcat/Analytic Rules/TomcatMultipleEmptyRequestsFromSameIP.yaml",
        "query": "let threshold = 50;\nTomcatEvent\n| where HttpResponseBodyBytes == 0\n| summarize MultipleClientErrors = count() by SrcIpAddr, bin(TimeGenerated, 5m)\n| where MultipleClientErrors > threshold\n| extend IPCustomEntity = SrcIpAddr\n",
        "queryFrequency": "PT1H",
        "queryPeriod": "PT1H",
        "severity": "Medium",
        "status": "Available",
        "subTechniques": [],
        "suppressionDuration": "PT1H",
        "suppressionEnabled": false,
        "tactics": [
          "Impact",
          "InitialAccess"
        ],
        "techniques": [
          "T1133",
          "T1190",
          "T1499"
        ],
        "templateVersion": "1.0.1",
        "triggerOperator": "GreaterThan",
        "triggerThreshold": 0
      },
      "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules"
    }
  ]
}