Microsoft Sentinel Analytic Rules
cloudbrothers.infoAzure Sentinel RepoToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeBack to homepage

NGINX - Multiple user agents for single source

Back
Id83a0b48f-1cb7-4b4f-a018-23c3203a239b
RulenameNGINX - Multiple user agents for single source
DescriptionDetects requests with different user agents from one source in short timeframe.
SeverityMedium
TacticsInitialAccess
TechniquesT1190
T1133
Required data connectorsNGINXHTTPServer
KindScheduled
Query frequency1h
Query period1h
Trigger threshold0
Trigger operatorgt
Source Urihttps://github.com/Azure/Azure-Sentinel/blob/master/Solutions/NGINX HTTP Server/Analytic Rules/NGINXDifferentUAsFromSingleIP.yaml
Version1.0.0
Arm template83a0b48f-1cb7-4b4f-a018-23c3203a239b.json
Deploy To Azure
let threshold = 5;
NGINXHTTPServer
| summarize makeset(HttpUserAgentOriginal) by SrcIpAddr, bin(TimeGenerated, 5m)
| extend ua_count = array_length(set_HttpUserAgentOriginal)
| where ua_count > threshold
| extend IPCustomEntity = SrcIpAddr
name: NGINX - Multiple user agents for single source
query: |
  let threshold = 5;
  NGINXHTTPServer
  | summarize makeset(HttpUserAgentOriginal) by SrcIpAddr, bin(TimeGenerated, 5m)
  | extend ua_count = array_length(set_HttpUserAgentOriginal)
  | where ua_count > threshold
  | extend IPCustomEntity = SrcIpAddr  
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/NGINX HTTP Server/Analytic Rules/NGINXDifferentUAsFromSingleIP.yaml
queryFrequency: 1h
triggerThreshold: 0
requiredDataConnectors:
- dataTypes:
  - NGINXHTTPServer
  connectorId: NGINXHTTPServer
version: 1.0.0
status: Available
queryPeriod: 1h
id: 83a0b48f-1cb7-4b4f-a018-23c3203a239b
triggerOperator: gt
entityMappings:
- fieldMappings:
  - identifier: Address
    columnName: IPCustomEntity
  entityType: IP
relevantTechniques:
- T1190
- T1133
severity: Medium
description: |
    'Detects requests with different user agents from one source in short timeframe.'
kind: Scheduled
tactics:
- InitialAccess
{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "workspace": {
      "type": "String"
    }
  },
  "resources": [
    {
      "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/83a0b48f-1cb7-4b4f-a018-23c3203a239b')]",
      "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/83a0b48f-1cb7-4b4f-a018-23c3203a239b')]",
      "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
      "kind": "Scheduled",
      "apiVersion": "2022-11-01",
      "properties": {
        "displayName": "NGINX - Multiple user agents for single source",
        "description": "'Detects requests with different user agents from one source in short timeframe.'\n",
        "severity": "Medium",
        "enabled": true,
        "query": "let threshold = 5;\nNGINXHTTPServer\n| summarize makeset(HttpUserAgentOriginal) by SrcIpAddr, bin(TimeGenerated, 5m)\n| extend ua_count = array_length(set_HttpUserAgentOriginal)\n| where ua_count > threshold\n| extend IPCustomEntity = SrcIpAddr\n",
        "queryFrequency": "PT1H",
        "queryPeriod": "PT1H",
        "triggerOperator": "GreaterThan",
        "triggerThreshold": 0,
        "suppressionDuration": "PT1H",
        "suppressionEnabled": false,
        "tactics": [
          "InitialAccess"
        ],
        "techniques": [
          "T1190",
          "T1133"
        ],
        "alertRuleTemplateName": "83a0b48f-1cb7-4b4f-a018-23c3203a239b",
        "customDetails": null,
        "entityMappings": [
          {
            "fieldMappings": [
              {
                "identifier": "Address",
                "columnName": "IPCustomEntity"
              }
            ],
            "entityType": "IP"
          }
        ],
        "status": "Available",
        "templateVersion": "1.0.0",
        "OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/NGINX HTTP Server/Analytic Rules/NGINXDifferentUAsFromSingleIP.yaml"
      }
    }
  ]
}