Microsoft Sentinel Analytic Rules

Web Application attack detected

Id: 8159a8d2-13a5-49af-847b-e062c45ab92b
Rulename: Web Application attack detected
Description: Identifies web application attacks in Azure Firewall IDPS logs.
Severity: High
Tactics: InitialAccess
Techniques: T1190
Required data connectors: AzureFirewall
Kind: Scheduled
Query frequency: 1h
Query period: 24h
Trigger threshold: 1
Trigger operator: gt
Source Uri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Azure Firewall/Analytic Rules/Azure Firewall - Web Application attack detected.yaml
Version: 1.0.0
Arm template: 8159a8d2-13a5-49af-847b-e062c45ab92b.json
// Tunable parameters. Note that the scheduled rule's Query period (24h) bounds the data
// the query runs over, so the 90d TimeWindow is effectively capped at 24h when Sentinel runs it.
let TimeWindow   = 90d;
let HitThreshold = 10;     // minimum IDPS hits per SourceIp and Category before a row is returned
let MinSeverity  = 2;      // drop low-severity IDPS signatures
// Optional filters; each is applied only when its Enable* switch is true.
let EnableCategoryFilter    = true;
let EnableDescriptionFilter = false;
let EnableActionFilter      = false;
let CategoriesOfInterest = dynamic([
    "access to a potentially vulnerable web application",
    "Web Application Attack"
]);
let DescriptionsOfInterest = dynamic([
    "web-application-activity",
    "web-application-attack"
]);
let MatchActions = dynamic(["Deny", "alert"]);
AZFWIdpsSignature
| where TimeGenerated >= ago(TimeWindow)
| where Severity >= MinSeverity
| where (EnableCategoryFilter == false) or (Category has_any (CategoriesOfInterest))
| where (EnableDescriptionFilter == false) or (Description has_any (DescriptionsOfInterest))
| where (EnableActionFilter == false) or (Action in~ (MatchActions))
| summarize
    StartTime   = min(TimeGenerated),
    EndTime     = max(TimeGenerated),
    TotalHits   = count(),
    MaxSeverity = max(Severity),
    Actions     = make_set(Action, 5),
    Signatures  = make_set(SignatureId, 20),
    Description = make_set(substring(tostring(Description), 0, 120), 3)
    by SourceIp, ThreatCategory = Category
| where TotalHits >= HitThreshold
| project
    StartTime,
    EndTime,
    SourceIp,
    ThreatCategory,
    TotalHits,
    MaxSeverity,
    Actions,
    Signatures,
    Description
| order by MaxSeverity desc, TotalHits desc
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Azure Firewall/Analytic Rules/Azure Firewall - Web Application attack detected.yaml
query: |
  let TimeWindow   = 90d;    
  let HitThreshold = 10;     
  let MinSeverity  = 2;
  let EnableCategoryFilter    = true;
  let EnableDescriptionFilter = false;
  let EnableActionFilter      = false;
  let CategoriesOfInterest = dynamic([
      "access to a potentially vulnerable web application",
      "Web Application Attack"
  ]);
  let DescriptionsOfInterest = dynamic([
      "web-application-activity",
      "web-application-attack"
  ]);
  let MatchActions = dynamic(["Deny", "alert"]);
  AZFWIdpsSignature
  | where TimeGenerated >= ago(TimeWindow)
  | where Severity >= MinSeverity
  | where (EnableCategoryFilter == false) or (Category has_any (CategoriesOfInterest))
  | where (EnableDescriptionFilter == false) or (Description has_any (DescriptionsOfInterest))
  | where (EnableActionFilter == false) or (Action in~ (MatchActions))
  | summarize
      StartTime   = min(TimeGenerated),
      EndTime     = max(TimeGenerated),
      TotalHits   = count(),
      MaxSeverity = max(Severity),
      Actions     = make_set(Action, 5),
      Signatures  = make_set(SignatureId, 20),
      Description = make_set(substring(tostring(Description), 0, 120), 3)
      by SourceIp, ThreatCategory = Category
  | where TotalHits >= HitThreshold
  | project
      StartTime,
      EndTime,
      SourceIp,
      ThreatCategory,
      TotalHits,
      MaxSeverity,
      Actions,
      Signatures,
      Description
  | order by MaxSeverity desc, TotalHits desc  
entityMappings:
- entityType: IP
  fieldMappings:
  - identifier: Address
    columnName: SourceIp
kind: Scheduled
triggerOperator: gt
requiredDataConnectors:
- dataTypes:
  - AZFWIdpsSignature
  connectorId: AzureFirewall
tactics:
- InitialAccess
triggerThreshold: 1
description: |
    Identifies Web application attack in Azure Firewall IDPS logs.
queryPeriod: 24h
version: 1.0.0
queryFrequency: 1h
severity: High
name: Web Application attack detected
id: 8159a8d2-13a5-49af-847b-e062c45ab92b
status: Available
relevantTechniques:
- T1190