Cloudflare - Bad client IP

Back


Id	a7ce6135-9d55-4f14-b058-adc2e920a4fb
Rulename	Cloudflare - Bad client IP
Description	Detects requests from IP with bad reputation index.
Severity	Medium
Tactics	InitialAccess
Techniques	T1190 T1133
Required data connectors	CloudflareDataConnector
Kind	Scheduled
Query frequency	1h
Query period	1h
Trigger threshold	0
Trigger operator	gt
Source Uri	https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Cloudflare CCF/Analytic Rules/CloudflareCCFBadClientIp.yaml
Version	1.0.1
Arm template	a7ce6135-9d55-4f14-b058-adc2e920a4fb.json

KQL

let ip_reputation = dynamic(['unknown', 'badHost', 'greylist', 'securityScanner', 'scan', 'tor']);
Cloudflare
| where ClientIPClass in~ (ip_reputation)
| extend CompleteUrl = strcat(HttpRequestHeaderHost,ClientRequestPath)

YAML

name: Cloudflare - Bad client IP
query: |
  let ip_reputation = dynamic(['unknown', 'badHost', 'greylist', 'securityScanner', 'scan', 'tor']);
  Cloudflare
  | where ClientIPClass in~ (ip_reputation)
  | extend CompleteUrl = strcat(HttpRequestHeaderHost,ClientRequestPath)  
queryFrequency: 1h
triggerOperator: gt
requiredDataConnectors:
- dataTypes:
  - Cloudflare
  connectorId: CloudflareDataConnector
status: Available
entityMappings:
- entityType: IP
  fieldMappings:
  - identifier: Address
    columnName: SrcIpAddr
- entityType: URL
  fieldMappings:
  - identifier: Url
    columnName: CompleteUrl
triggerThreshold: 0
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Cloudflare CCF/Analytic Rules/CloudflareCCFBadClientIp.yaml
description: |
    'Detects requests from IP with bad reputation index.'
version: 1.0.1
id: a7ce6135-9d55-4f14-b058-adc2e920a4fb
kind: Scheduled
relevantTechniques:
- T1190
- T1133
severity: Medium
tactics:
- InitialAccess
queryPeriod: 1h

ARM