Microsoft Sentinel Analytic Rules
cloudbrothers.infoAzure Sentinel RepoToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeBack to homepage

Imperva - Forbidden HTTP request method in request

Back
Id7ebc9e24-319c-4786-9151-c898240463bc
RulenameImperva - Forbidden HTTP request method in request
DescriptionDetects connections with unexpected HTTP request method.
SeverityMedium
TacticsInitialAccess
TechniquesT1190
T1133
Required data connectorsImpervaWAFCloudAPI
KindScheduled
Query frequency1h
Query period1h
Trigger threshold0
Trigger operatorgt
Source Urihttps://github.com/Azure/Azure-Sentinel/blob/master/Solutions/ImpervaCloudWAF/Analytic Rules/ImpervaForbiddenMethod.yaml
Version1.0.0
Arm template7ebc9e24-319c-4786-9151-c898240463bc.json
Deploy To Azure
let bl_http_methods = dynamic(['PUT', 'HEAD', 'OPTIONS', 'TRACE', 'POST']);
ImpervaWAFCloud
| where HttpRequestMethod in~ (bl_http_methods)
| extend IPCustomEntity = SrcIpAddr, UrlCustomEntity = UrlOriginal
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/ImpervaCloudWAF/Analytic Rules/ImpervaForbiddenMethod.yaml
query: |
  let bl_http_methods = dynamic(['PUT', 'HEAD', 'OPTIONS', 'TRACE', 'POST']);
  ImpervaWAFCloud
  | where HttpRequestMethod in~ (bl_http_methods)
  | extend IPCustomEntity = SrcIpAddr, UrlCustomEntity = UrlOriginal  
description: |
    'Detects connections with unexpected HTTP request method.'
severity: Medium
requiredDataConnectors:
- dataTypes:
  - ImpervaWAFCloud
  connectorId: ImpervaWAFCloudAPI
name: Imperva - Forbidden HTTP request method in request
triggerThreshold: 0
tactics:
- InitialAccess
version: 1.0.0
relevantTechniques:
- T1190
- T1133
triggerOperator: gt
entityMappings:
- entityType: IP
  fieldMappings:
  - columnName: IPCustomEntity
    identifier: Address
- entityType: URL
  fieldMappings:
  - columnName: UrlCustomEntity
    identifier: Url
id: 7ebc9e24-319c-4786-9151-c898240463bc
status: Available
kind: Scheduled
queryFrequency: 1h
queryPeriod: 1h
{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "workspace": {
      "type": "String"
    }
  },
  "resources": [
    {
      "apiVersion": "2024-01-01-preview",
      "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/7ebc9e24-319c-4786-9151-c898240463bc')]",
      "kind": "Scheduled",
      "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/7ebc9e24-319c-4786-9151-c898240463bc')]",
      "properties": {
        "alertRuleTemplateName": "7ebc9e24-319c-4786-9151-c898240463bc",
        "customDetails": null,
        "description": "'Detects connections with unexpected HTTP request method.'\n",
        "displayName": "Imperva - Forbidden HTTP request method in request",
        "enabled": true,
        "entityMappings": [
          {
            "entityType": "IP",
            "fieldMappings": [
              {
                "columnName": "IPCustomEntity",
                "identifier": "Address"
              }
            ]
          },
          {
            "entityType": "URL",
            "fieldMappings": [
              {
                "columnName": "UrlCustomEntity",
                "identifier": "Url"
              }
            ]
          }
        ],
        "OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/ImpervaCloudWAF/Analytic Rules/ImpervaForbiddenMethod.yaml",
        "query": "let bl_http_methods = dynamic(['PUT', 'HEAD', 'OPTIONS', 'TRACE', 'POST']);\nImpervaWAFCloud\n| where HttpRequestMethod in~ (bl_http_methods)\n| extend IPCustomEntity = SrcIpAddr, UrlCustomEntity = UrlOriginal\n",
        "queryFrequency": "PT1H",
        "queryPeriod": "PT1H",
        "severity": "Medium",
        "status": "Available",
        "subTechniques": [],
        "suppressionDuration": "PT1H",
        "suppressionEnabled": false,
        "tactics": [
          "InitialAccess"
        ],
        "techniques": [
          "T1133",
          "T1190"
        ],
        "templateVersion": "1.0.0",
        "triggerOperator": "GreaterThan",
        "triggerThreshold": 0
      },
      "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules"
    }
  ]
}