Microsoft Sentinel Analytic Rules
cloudbrothers.infoAzure Sentinel RepoToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeBack to homepage

Imperva - Forbidden HTTP request method in request

Back
Id7ebc9e24-319c-4786-9151-c898240463bc
RulenameImperva - Forbidden HTTP request method in request
DescriptionDetects connections with unexpected HTTP request method.
SeverityMedium
TacticsInitialAccess
TechniquesT1190
T1133
Required data connectorsImpervaWAFCloudAPI
KindScheduled
Query frequency1h
Query period1h
Trigger threshold0
Trigger operatorgt
Source Urihttps://github.com/Azure/Azure-Sentinel/blob/master/Solutions/ImpervaCloudWAF/Analytic Rules/ImpervaForbiddenMethod.yaml
Version1.0.0
Arm template7ebc9e24-319c-4786-9151-c898240463bc.json
Deploy To Azure
let bl_http_methods = dynamic(['PUT', 'HEAD', 'OPTIONS', 'TRACE', 'POST']);
ImpervaWAFCloud
| where HttpRequestMethod in~ (bl_http_methods)
| extend IPCustomEntity = SrcIpAddr, UrlCustomEntity = UrlOriginal
name: Imperva - Forbidden HTTP request method in request
query: |
  let bl_http_methods = dynamic(['PUT', 'HEAD', 'OPTIONS', 'TRACE', 'POST']);
  ImpervaWAFCloud
  | where HttpRequestMethod in~ (bl_http_methods)
  | extend IPCustomEntity = SrcIpAddr, UrlCustomEntity = UrlOriginal  
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/ImpervaCloudWAF/Analytic Rules/ImpervaForbiddenMethod.yaml
queryFrequency: 1h
triggerThreshold: 0
requiredDataConnectors:
- dataTypes:
  - ImpervaWAFCloud
  connectorId: ImpervaWAFCloudAPI
version: 1.0.0
status: Available
queryPeriod: 1h
id: 7ebc9e24-319c-4786-9151-c898240463bc
triggerOperator: gt
entityMappings:
- fieldMappings:
  - identifier: Address
    columnName: IPCustomEntity
  entityType: IP
- fieldMappings:
  - identifier: Url
    columnName: UrlCustomEntity
  entityType: URL
relevantTechniques:
- T1190
- T1133
severity: Medium
description: |
    'Detects connections with unexpected HTTP request method.'
kind: Scheduled
tactics:
- InitialAccess
{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "workspace": {
      "type": "String"
    }
  },
  "resources": [
    {
      "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/7ebc9e24-319c-4786-9151-c898240463bc')]",
      "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/7ebc9e24-319c-4786-9151-c898240463bc')]",
      "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
      "kind": "Scheduled",
      "apiVersion": "2022-11-01",
      "properties": {
        "displayName": "Imperva - Forbidden HTTP request method in request",
        "description": "'Detects connections with unexpected HTTP request method.'\n",
        "severity": "Medium",
        "enabled": true,
        "query": "let bl_http_methods = dynamic(['PUT', 'HEAD', 'OPTIONS', 'TRACE', 'POST']);\nImpervaWAFCloud\n| where HttpRequestMethod in~ (bl_http_methods)\n| extend IPCustomEntity = SrcIpAddr, UrlCustomEntity = UrlOriginal\n",
        "queryFrequency": "PT1H",
        "queryPeriod": "PT1H",
        "triggerOperator": "GreaterThan",
        "triggerThreshold": 0,
        "suppressionDuration": "PT1H",
        "suppressionEnabled": false,
        "tactics": [
          "InitialAccess"
        ],
        "techniques": [
          "T1190",
          "T1133"
        ],
        "alertRuleTemplateName": "7ebc9e24-319c-4786-9151-c898240463bc",
        "customDetails": null,
        "entityMappings": [
          {
            "fieldMappings": [
              {
                "identifier": "Address",
                "columnName": "IPCustomEntity"
              }
            ],
            "entityType": "IP"
          },
          {
            "fieldMappings": [
              {
                "identifier": "Url",
                "columnName": "UrlCustomEntity"
              }
            ],
            "entityType": "URL"
          }
        ],
        "status": "Available",
        "templateVersion": "1.0.0",
        "OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/ImpervaCloudWAF/Analytic Rules/ImpervaForbiddenMethod.yaml"
      }
    }
  ]
}