Microsoft Sentinel Analytic Rules
cloudbrothers.infoAzure Sentinel RepoToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeBack to homepage

Imperva - Forbidden HTTP request method in request

Back
Id7ebc9e24-319c-4786-9151-c898240463bc
RulenameImperva - Forbidden HTTP request method in request
DescriptionDetects connections with unexpected HTTP request method.
SeverityMedium
TacticsInitialAccess
TechniquesT1190
T1133
Required data connectorsImpervaWAFCloudAPI
KindScheduled
Query frequency1h
Query period1h
Trigger threshold0
Trigger operatorgt
Source Urihttps://github.com/Azure/Azure-Sentinel/blob/master/Solutions/ImpervaCloudWAF/Analytic Rules/ImpervaForbiddenMethod.yaml
Version1.0.0
Arm template7ebc9e24-319c-4786-9151-c898240463bc.json
Deploy To Azure
let bl_http_methods = dynamic(['PUT', 'HEAD', 'OPTIONS', 'TRACE', 'POST']);
ImpervaWAFCloud
| where HttpRequestMethod in~ (bl_http_methods)
| extend IPCustomEntity = SrcIpAddr, UrlCustomEntity = UrlOriginal
description: |
    'Detects connections with unexpected HTTP request method.'
queryPeriod: 1h
name: Imperva - Forbidden HTTP request method in request
triggerThreshold: 0
tactics:
- InitialAccess
severity: Medium
kind: Scheduled
entityMappings:
- entityType: IP
  fieldMappings:
  - identifier: Address
    columnName: IPCustomEntity
- entityType: URL
  fieldMappings:
  - identifier: Url
    columnName: UrlCustomEntity
queryFrequency: 1h
triggerOperator: gt
id: 7ebc9e24-319c-4786-9151-c898240463bc
status: Available
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/ImpervaCloudWAF/Analytic Rules/ImpervaForbiddenMethod.yaml
version: 1.0.0
query: |
  let bl_http_methods = dynamic(['PUT', 'HEAD', 'OPTIONS', 'TRACE', 'POST']);
  ImpervaWAFCloud
  | where HttpRequestMethod in~ (bl_http_methods)
  | extend IPCustomEntity = SrcIpAddr, UrlCustomEntity = UrlOriginal  
requiredDataConnectors:
- connectorId: ImpervaWAFCloudAPI
  dataTypes:
  - ImpervaWAFCloud
relevantTechniques:
- T1190
- T1133
{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "workspace": {
      "type": "String"
    }
  },
  "resources": [
    {
      "apiVersion": "2024-01-01-preview",
      "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/7ebc9e24-319c-4786-9151-c898240463bc')]",
      "kind": "Scheduled",
      "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/7ebc9e24-319c-4786-9151-c898240463bc')]",
      "properties": {
        "alertRuleTemplateName": "7ebc9e24-319c-4786-9151-c898240463bc",
        "customDetails": null,
        "description": "'Detects connections with unexpected HTTP request method.'\n",
        "displayName": "Imperva - Forbidden HTTP request method in request",
        "enabled": true,
        "entityMappings": [
          {
            "entityType": "IP",
            "fieldMappings": [
              {
                "columnName": "IPCustomEntity",
                "identifier": "Address"
              }
            ]
          },
          {
            "entityType": "URL",
            "fieldMappings": [
              {
                "columnName": "UrlCustomEntity",
                "identifier": "Url"
              }
            ]
          }
        ],
        "OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/ImpervaCloudWAF/Analytic Rules/ImpervaForbiddenMethod.yaml",
        "query": "let bl_http_methods = dynamic(['PUT', 'HEAD', 'OPTIONS', 'TRACE', 'POST']);\nImpervaWAFCloud\n| where HttpRequestMethod in~ (bl_http_methods)\n| extend IPCustomEntity = SrcIpAddr, UrlCustomEntity = UrlOriginal\n",
        "queryFrequency": "PT1H",
        "queryPeriod": "PT1H",
        "severity": "Medium",
        "status": "Available",
        "subTechniques": [],
        "suppressionDuration": "PT1H",
        "suppressionEnabled": false,
        "tactics": [
          "InitialAccess"
        ],
        "techniques": [
          "T1133",
          "T1190"
        ],
        "templateVersion": "1.0.0",
        "triggerOperator": "GreaterThan",
        "triggerThreshold": 0
      },
      "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules"
    }
  ]
}