Application Gateway WAF - XSS Detection

let Threshold = 1;  
 AzureDiagnostics
 | where Category == "ApplicationGatewayFirewallLog"
 | where action_s == "Matched"
 | project transactionId_g, hostname_s, requestUri_s, TimeGenerated, clientIp_s, Message, details_message_s, details_data_s
 | join kind = inner(
 AzureDiagnostics
 | where Category == "ApplicationGatewayFirewallLog"
 | where action_s == "Blocked"
 | parse Message with MessageText 'Total Inbound Score: ' TotalInboundScore ' - SQLI=' SQLI_Score ',XSS=' XSS_Score ',RFI=' RFI_Score ',LFI=' LFI_Score ',RCE=' RCE_Score ',PHPI=' PHPI_Score ',HTTP=' HTTP_Score ',SESS=' SESS_Score '): ' Blocked_Reason '; individual paranoia level scores:' Paranoia_Score
 | where Blocked_Reason contains "XSS" and toint(TotalInboundScore) >=15 and toint(XSS_Score) >= 10 and toint(SQLI_Score) <= 5) on transactionId_g
 | extend Uri = strcat(hostname_s,requestUri_s)
 | summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), TransactionID = make_set(transactionId_g), Message = make_set(Message), Detail_Message = make_set(details_message_s), Detail_Data = make_set(details_data_s), Total_TransactionId = dcount(transactionId_g) by clientIp_s, Uri, action_s, SQLI_Score, XSS_Score, TotalInboundScore
 | where Total_TransactionId >= Threshold

OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Detections/AzureWAF/AppGwWAF-XSSDetection.yaml
tags:
- Cross Site Scripting
queryPeriod: 6h
entityMappings:
- fieldMappings:
  - identifier: Url
    columnName: Uri
  entityType: URL
- fieldMappings:
  - identifier: Address
    columnName: clientIp_s
  entityType: IP
version: 1.0.1
queryFrequency: 6h
triggerOperator: gt
kind: Scheduled
id: d2bc08fa-030a-4eea-931a-762d27c6a042
tactics:
- InitialAccess
- Execution
query: |
  let Threshold = 1;  
   AzureDiagnostics
   | where Category == "ApplicationGatewayFirewallLog"
   | where action_s == "Matched"
   | project transactionId_g, hostname_s, requestUri_s, TimeGenerated, clientIp_s, Message, details_message_s, details_data_s
   | join kind = inner(
   AzureDiagnostics
   | where Category == "ApplicationGatewayFirewallLog"
   | where action_s == "Blocked"
   | parse Message with MessageText 'Total Inbound Score: ' TotalInboundScore ' - SQLI=' SQLI_Score ',XSS=' XSS_Score ',RFI=' RFI_Score ',LFI=' LFI_Score ',RCE=' RCE_Score ',PHPI=' PHPI_Score ',HTTP=' HTTP_Score ',SESS=' SESS_Score '): ' Blocked_Reason '; individual paranoia level scores:' Paranoia_Score
   | where Blocked_Reason contains "XSS" and toint(TotalInboundScore) >=15 and toint(XSS_Score) >= 10 and toint(SQLI_Score) <= 5) on transactionId_g
   | extend Uri = strcat(hostname_s,requestUri_s)
   | summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), TransactionID = make_set(transactionId_g), Message = make_set(Message), Detail_Message = make_set(details_message_s), Detail_Data = make_set(details_data_s), Total_TransactionId = dcount(transactionId_g) by clientIp_s, Uri, action_s, SQLI_Score, XSS_Score, TotalInboundScore
   | where Total_TransactionId >= Threshold  
requiredDataConnectors:
- connectorId: WAF
  dataTypes:
  - AzureDiagnostics
triggerThreshold: 0
description: |
  'Identifies a match for XSS attack in the Application gateway WAF logs. The Threshold value in the query can be changed as per your infrastructure's requirement.
   References: https://owasp.org/www-project-top-ten/2017/A7_2017-Cross-Site_Scripting_(XSS)'  
name: Application Gateway WAF - XSS Detection
severity: High
relevantTechniques:
- T1189
- T1203
- T0853
metadata:
  source:
    kind: Community
  support:
    tier: Community
  author:
    name: shabaz-github
  categories:
    domains:
    - Security - Threat Protection
    - Platform