Cloudflare - Bad client IP

Back


Id	a7ce6135-9d55-4f14-b058-adc2e920a4fa
Rulename	Cloudflare - Bad client IP
Description	Detects requests from IP with bad reputation index.
Severity	Medium
Tactics	InitialAccess
Techniques	T1190 T1133
Required data connectors	CloudflareDataConnector
Kind	Scheduled
Query frequency	1h
Query period	1h
Trigger threshold	0
Trigger operator	gt
Source Uri	https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Cloudflare/Analytic Rules/CloudflareBadClientIp.yaml
Version	1.0.1
Arm template	a7ce6135-9d55-4f14-b058-adc2e920a4fa.json

KQL

let ip_reputation = dynamic(['unknown', 'badHost', 'greylist', 'securityScanner', 'scan', 'tor']);
Cloudflare
| where ClientIPClass in~ (ip_reputation)
| extend CompleteUrl = strcat(HttpRequestHeaderHost,ClientRequestPath)

YAML

name: Cloudflare - Bad client IP
kind: Scheduled
tactics:
- InitialAccess
triggerThreshold: 0
triggerOperator: gt
version: 1.0.1
status: Available
queryFrequency: 1h
id: a7ce6135-9d55-4f14-b058-adc2e920a4fa
requiredDataConnectors:
- connectorId: CloudflareDataConnector
  dataTypes:
  - Cloudflare
relevantTechniques:
- T1190
- T1133
description: |
    'Detects requests from IP with bad reputation index.'
entityMappings:
- entityType: IP
  fieldMappings:
  - columnName: SrcIpAddr
    identifier: Address
- entityType: URL
  fieldMappings:
  - columnName: CompleteUrl
    identifier: Url
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Cloudflare/Analytic Rules/CloudflareBadClientIp.yaml
queryPeriod: 1h
severity: Medium
query: |
  let ip_reputation = dynamic(['unknown', 'badHost', 'greylist', 'securityScanner', 'scan', 'tor']);
  Cloudflare
  | where ClientIPClass in~ (ip_reputation)
  | extend CompleteUrl = strcat(HttpRequestHeaderHost,ClientRequestPath)

ARM