Cloudflare - Bad client IP

Back


Id	a7ce6135-9d55-4f14-b058-adc2e920a4fb
Rulename	Cloudflare - Bad client IP
Description	Detects requests from IP with bad reputation index.
Severity	Medium
Tactics	InitialAccess
Techniques	T1190 T1133
Required data connectors	CloudflareDataConnector
Kind	Scheduled
Query frequency	1h
Query period	1h
Trigger threshold	0
Trigger operator	gt
Source Uri	https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Cloudflare CCF/Analytic Rules/CloudflareCCFBadClientIp.yaml
Version	1.0.1
Arm template	a7ce6135-9d55-4f14-b058-adc2e920a4fb.json

KQL

let ip_reputation = dynamic(['unknown', 'badHost', 'greylist', 'securityScanner', 'scan', 'tor']);
Cloudflare
| where ClientIPClass in~ (ip_reputation)
| extend CompleteUrl = strcat(HttpRequestHeaderHost,ClientRequestPath)

YAML

relevantTechniques:
- T1190
- T1133
queryFrequency: 1h
description: |
    'Detects requests from IP with bad reputation index.'
triggerThreshold: 0
id: a7ce6135-9d55-4f14-b058-adc2e920a4fb
name: Cloudflare - Bad client IP
queryPeriod: 1h
query: |
  let ip_reputation = dynamic(['unknown', 'badHost', 'greylist', 'securityScanner', 'scan', 'tor']);
  Cloudflare
  | where ClientIPClass in~ (ip_reputation)
  | extend CompleteUrl = strcat(HttpRequestHeaderHost,ClientRequestPath)  
severity: Medium
triggerOperator: gt
entityMappings:
- fieldMappings:
  - columnName: SrcIpAddr
    identifier: Address
  entityType: IP
- fieldMappings:
  - columnName: CompleteUrl
    identifier: Url
  entityType: URL
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Cloudflare CCF/Analytic Rules/CloudflareCCFBadClientIp.yaml
requiredDataConnectors:
- connectorId: CloudflareDataConnector
  dataTypes:
  - Cloudflare
status: Available
version: 1.0.1
tactics:
- InitialAccess
kind: Scheduled

ARM