Microsoft Sentinel Analytic Rules
cloudbrothers.infoAzure Sentinel RepoToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeBack to homepage

Tomcat - Multiple empty requests from same IP

Back
Id7c9a1026-4872-11ec-81d3-0242ac130003
RulenameTomcat - Multiple empty requests from same IP
DescriptionDetects multiple empty requests from same IP
SeverityMedium
TacticsInitialAccess
Impact
TechniquesT1190
T1133
T1499
Required data connectorsCustomLogsAma
KindScheduled
Query frequency1h
Query period1h
Trigger threshold0
Trigger operatorgt
Source Urihttps://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Tomcat/Analytic Rules/TomcatMultipleEmptyRequestsFromSameIP.yaml
Version1.0.2
Arm template7c9a1026-4872-11ec-81d3-0242ac130003.json
Deploy To Azure
let threshold = 50;
TomcatEvent
| where HttpResponseBodyBytes == 0
| summarize MultipleClientErrors = count() by SrcIpAddr, bin(TimeGenerated, 5m)
| where MultipleClientErrors > threshold
| extend IPCustomEntity = SrcIpAddr
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Tomcat/Analytic Rules/TomcatMultipleEmptyRequestsFromSameIP.yaml
query: |
  let threshold = 50;
  TomcatEvent
  | where HttpResponseBodyBytes == 0
  | summarize MultipleClientErrors = count() by SrcIpAddr, bin(TimeGenerated, 5m)
  | where MultipleClientErrors > threshold
  | extend IPCustomEntity = SrcIpAddr  
description: |
    'Detects multiple empty requests from same IP'
severity: Medium
requiredDataConnectors:
- datatypes:
  - Tomcat_CL
  connectorId: CustomLogsAma
name: Tomcat - Multiple empty requests from same IP
triggerThreshold: 0
tactics:
- InitialAccess
- Impact
version: 1.0.2
relevantTechniques:
- T1190
- T1133
- T1499
triggerOperator: gt
entityMappings:
- entityType: IP
  fieldMappings:
  - columnName: IPCustomEntity
    identifier: Address
id: 7c9a1026-4872-11ec-81d3-0242ac130003
status: Available
kind: Scheduled
queryFrequency: 1h
queryPeriod: 1h
{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "workspace": {
      "type": "String"
    }
  },
  "resources": [
    {
      "apiVersion": "2024-01-01-preview",
      "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/7c9a1026-4872-11ec-81d3-0242ac130003')]",
      "kind": "Scheduled",
      "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/7c9a1026-4872-11ec-81d3-0242ac130003')]",
      "properties": {
        "alertRuleTemplateName": "7c9a1026-4872-11ec-81d3-0242ac130003",
        "customDetails": null,
        "description": "'Detects multiple empty requests from same IP'\n",
        "displayName": "Tomcat - Multiple empty requests from same IP",
        "enabled": true,
        "entityMappings": [
          {
            "entityType": "IP",
            "fieldMappings": [
              {
                "columnName": "IPCustomEntity",
                "identifier": "Address"
              }
            ]
          }
        ],
        "OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Tomcat/Analytic Rules/TomcatMultipleEmptyRequestsFromSameIP.yaml",
        "query": "let threshold = 50;\nTomcatEvent\n| where HttpResponseBodyBytes == 0\n| summarize MultipleClientErrors = count() by SrcIpAddr, bin(TimeGenerated, 5m)\n| where MultipleClientErrors > threshold\n| extend IPCustomEntity = SrcIpAddr\n",
        "queryFrequency": "PT1H",
        "queryPeriod": "PT1H",
        "severity": "Medium",
        "status": "Available",
        "subTechniques": [],
        "suppressionDuration": "PT1H",
        "suppressionEnabled": false,
        "tactics": [
          "Impact",
          "InitialAccess"
        ],
        "techniques": [
          "T1133",
          "T1190",
          "T1499"
        ],
        "templateVersion": "1.0.2",
        "triggerOperator": "GreaterThan",
        "triggerThreshold": 0
      },
      "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules"
    }
  ]
}