Microsoft Sentinel Analytic Rules
cloudbrothers.infoAzure Sentinel RepoToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeBack to homepage

NGINX - Multiple server errors from single IP address

Back
Idb3ae0033-552e-4c3c-b493-3edffb4473bb
RulenameNGINX - Multiple server errors from single IP address
DescriptionDetects multiple server errors from one source in short timeframe
SeverityMedium
TacticsImpact
InitialAccess
TechniquesT1498
T1190
T1133
Required data connectorsCustomLogsAma
NGINXHTTPServer
KindScheduled
Query frequency1h
Query period1h
Trigger threshold0
Trigger operatorgt
Source Urihttps://github.com/Azure/Azure-Sentinel/blob/master/Solutions/NGINX HTTP Server/Analytic Rules/NGINXMultipleServerErrorsFromSingleIP.yaml
Version1.0.1
Arm templateb3ae0033-552e-4c3c-b493-3edffb4473bb.json
Deploy To Azure
let threshold = 100;
NGINXHTTPServer
| where tolong(HttpStatusCode) >= 500 and tolong(HttpStatusCode) <= 599 
| summarize MultipleServerErrors = count() by SrcIpAddr, bin(TimeGenerated, 5m)
| where MultipleServerErrors > threshold
| extend IPCustomEntity = SrcIpAddr
id: b3ae0033-552e-4c3c-b493-3edffb4473bb
triggerOperator: gt
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/NGINX HTTP Server/Analytic Rules/NGINXMultipleServerErrorsFromSingleIP.yaml
requiredDataConnectors:
- dataTypes:
  - NGINXHTTPServer
  connectorId: NGINXHTTPServer
- dataTypes:
  - NGINX_CL
  connectorId: CustomLogsAma
description: |
    'Detects multiple server errors from one source in short timeframe'
severity: Medium
queryPeriod: 1h
kind: Scheduled
tactics:
- Impact
- InitialAccess
queryFrequency: 1h
query: |
  let threshold = 100;
  NGINXHTTPServer
  | where tolong(HttpStatusCode) >= 500 and tolong(HttpStatusCode) <= 599 
  | summarize MultipleServerErrors = count() by SrcIpAddr, bin(TimeGenerated, 5m)
  | where MultipleServerErrors > threshold
  | extend IPCustomEntity = SrcIpAddr  
version: 1.0.1
triggerThreshold: 0
name: NGINX - Multiple server errors from single IP address
entityMappings:
- entityType: IP
  fieldMappings:
  - columnName: IPCustomEntity
    identifier: Address
status: Available
relevantTechniques:
- T1498
- T1190
- T1133
{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "workspace": {
      "type": "String"
    }
  },
  "resources": [
    {
      "apiVersion": "2024-01-01-preview",
      "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/b3ae0033-552e-4c3c-b493-3edffb4473bb')]",
      "kind": "Scheduled",
      "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/b3ae0033-552e-4c3c-b493-3edffb4473bb')]",
      "properties": {
        "alertRuleTemplateName": "b3ae0033-552e-4c3c-b493-3edffb4473bb",
        "customDetails": null,
        "description": "'Detects multiple server errors from one source in short timeframe'\n",
        "displayName": "NGINX - Multiple server errors from single IP address",
        "enabled": true,
        "entityMappings": [
          {
            "entityType": "IP",
            "fieldMappings": [
              {
                "columnName": "IPCustomEntity",
                "identifier": "Address"
              }
            ]
          }
        ],
        "OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/NGINX HTTP Server/Analytic Rules/NGINXMultipleServerErrorsFromSingleIP.yaml",
        "query": "let threshold = 100;\nNGINXHTTPServer\n| where tolong(HttpStatusCode) >= 500 and tolong(HttpStatusCode) <= 599 \n| summarize MultipleServerErrors = count() by SrcIpAddr, bin(TimeGenerated, 5m)\n| where MultipleServerErrors > threshold\n| extend IPCustomEntity = SrcIpAddr\n",
        "queryFrequency": "PT1H",
        "queryPeriod": "PT1H",
        "severity": "Medium",
        "status": "Available",
        "subTechniques": [],
        "suppressionDuration": "PT1H",
        "suppressionEnabled": false,
        "tactics": [
          "Impact",
          "InitialAccess"
        ],
        "techniques": [
          "T1133",
          "T1190",
          "T1498"
        ],
        "templateVersion": "1.0.1",
        "triggerOperator": "GreaterThan",
        "triggerThreshold": 0
      },
      "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules"
    }
  ]
}