Microsoft Sentinel Analytic Rules
cloudbrothers.infoAzure Sentinel RepoToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeBack to homepage

Application Gateway WAF - XSS Detection

Back
Idd2bc08fa-030a-4eea-931a-762d27c6a042
RulenameApplication Gateway WAF - XSS Detection
DescriptionIdentifies a match for XSS attack in the Application gateway WAF logs. The Threshold value in the query can be changed as per your infrastructure’s requirement.

References: https://owasp.org/www-project-top-ten/2017/A7_2017-Cross-Site_Scripting_(XSS)
SeverityHigh
TacticsInitialAccess
Execution
TechniquesT1189
T1203
T0853
Required data connectorsWAF
KindScheduled
Query frequency6h
Query period6h
Trigger threshold0
Trigger operatorgt
Source Urihttps://github.com/Azure/Azure-Sentinel/blob/master/Detections/AzureWAF/AppGwWAF-XSSDetection.yaml
Version1.0.1
Arm templated2bc08fa-030a-4eea-931a-762d27c6a042.json
Deploy To Azure
let Threshold = 1;  
 AzureDiagnostics
 | where Category == "ApplicationGatewayFirewallLog"
 | where action_s == "Matched"
 | project transactionId_g, hostname_s, requestUri_s, TimeGenerated, clientIp_s, Message, details_message_s, details_data_s
 | join kind = inner(
 AzureDiagnostics
 | where Category == "ApplicationGatewayFirewallLog"
 | where action_s == "Blocked"
 | parse Message with MessageText 'Total Inbound Score: ' TotalInboundScore ' - SQLI=' SQLI_Score ',XSS=' XSS_Score ',RFI=' RFI_Score ',LFI=' LFI_Score ',RCE=' RCE_Score ',PHPI=' PHPI_Score ',HTTP=' HTTP_Score ',SESS=' SESS_Score '): ' Blocked_Reason '; individual paranoia level scores:' Paranoia_Score
 | where Blocked_Reason contains "XSS" and toint(TotalInboundScore) >=15 and toint(XSS_Score) >= 10 and toint(SQLI_Score) <= 5) on transactionId_g
 | extend Uri = strcat(hostname_s,requestUri_s)
 | summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), TransactionID = make_set(transactionId_g), Message = make_set(Message), Detail_Message = make_set(details_message_s), Detail_Data = make_set(details_data_s), Total_TransactionId = dcount(transactionId_g) by clientIp_s, Uri, action_s, SQLI_Score, XSS_Score, TotalInboundScore
 | where Total_TransactionId >= Threshold
metadata:
  categories:
    domains:
    - Security - Threat Protection
    - Platform
  author:
    name: shabaz-github
  support:
    tier: Community
  source:
    kind: Community
severity: High
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Detections/AzureWAF/AppGwWAF-XSSDetection.yaml
entityMappings:
- fieldMappings:
  - columnName: Uri
    identifier: Url
  entityType: URL
- fieldMappings:
  - columnName: clientIp_s
    identifier: Address
  entityType: IP
id: d2bc08fa-030a-4eea-931a-762d27c6a042
name: Application Gateway WAF - XSS Detection
query: |
  let Threshold = 1;  
   AzureDiagnostics
   | where Category == "ApplicationGatewayFirewallLog"
   | where action_s == "Matched"
   | project transactionId_g, hostname_s, requestUri_s, TimeGenerated, clientIp_s, Message, details_message_s, details_data_s
   | join kind = inner(
   AzureDiagnostics
   | where Category == "ApplicationGatewayFirewallLog"
   | where action_s == "Blocked"
   | parse Message with MessageText 'Total Inbound Score: ' TotalInboundScore ' - SQLI=' SQLI_Score ',XSS=' XSS_Score ',RFI=' RFI_Score ',LFI=' LFI_Score ',RCE=' RCE_Score ',PHPI=' PHPI_Score ',HTTP=' HTTP_Score ',SESS=' SESS_Score '): ' Blocked_Reason '; individual paranoia level scores:' Paranoia_Score
   | where Blocked_Reason contains "XSS" and toint(TotalInboundScore) >=15 and toint(XSS_Score) >= 10 and toint(SQLI_Score) <= 5) on transactionId_g
   | extend Uri = strcat(hostname_s,requestUri_s)
   | summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), TransactionID = make_set(transactionId_g), Message = make_set(Message), Detail_Message = make_set(details_message_s), Detail_Data = make_set(details_data_s), Total_TransactionId = dcount(transactionId_g) by clientIp_s, Uri, action_s, SQLI_Score, XSS_Score, TotalInboundScore
   | where Total_TransactionId >= Threshold  
tags:
- Cross Site Scripting
queryPeriod: 6h
triggerThreshold: 0
tactics:
- InitialAccess
- Execution
version: 1.0.1
kind: Scheduled
relevantTechniques:
- T1189
- T1203
- T0853
queryFrequency: 6h
requiredDataConnectors:
- dataTypes:
  - AzureDiagnostics
  connectorId: WAF
description: |
  'Identifies a match for XSS attack in the Application gateway WAF logs. The Threshold value in the query can be changed as per your infrastructure's requirement.
   References: https://owasp.org/www-project-top-ten/2017/A7_2017-Cross-Site_Scripting_(XSS)'  
triggerOperator: gt
{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "workspace": {
      "type": "String"
    }
  },
  "resources": [
    {
      "apiVersion": "2023-02-01-preview",
      "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/d2bc08fa-030a-4eea-931a-762d27c6a042')]",
      "kind": "Scheduled",
      "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/d2bc08fa-030a-4eea-931a-762d27c6a042')]",
      "properties": {
        "alertRuleTemplateName": "d2bc08fa-030a-4eea-931a-762d27c6a042",
        "customDetails": null,
        "description": "'Identifies a match for XSS attack in the Application gateway WAF logs. The Threshold value in the query can be changed as per your infrastructure's requirement.\n References: https://owasp.org/www-project-top-ten/2017/A7_2017-Cross-Site_Scripting_(XSS)'\n",
        "displayName": "Application Gateway WAF - XSS Detection",
        "enabled": true,
        "entityMappings": [
          {
            "entityType": "URL",
            "fieldMappings": [
              {
                "columnName": "Uri",
                "identifier": "Url"
              }
            ]
          },
          {
            "entityType": "IP",
            "fieldMappings": [
              {
                "columnName": "clientIp_s",
                "identifier": "Address"
              }
            ]
          }
        ],
        "OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Detections/AzureWAF/AppGwWAF-XSSDetection.yaml",
        "query": "let Threshold = 1;  \n AzureDiagnostics\n | where Category == \"ApplicationGatewayFirewallLog\"\n | where action_s == \"Matched\"\n | project transactionId_g, hostname_s, requestUri_s, TimeGenerated, clientIp_s, Message, details_message_s, details_data_s\n | join kind = inner(\n AzureDiagnostics\n | where Category == \"ApplicationGatewayFirewallLog\"\n | where action_s == \"Blocked\"\n | parse Message with MessageText 'Total Inbound Score: ' TotalInboundScore ' - SQLI=' SQLI_Score ',XSS=' XSS_Score ',RFI=' RFI_Score ',LFI=' LFI_Score ',RCE=' RCE_Score ',PHPI=' PHPI_Score ',HTTP=' HTTP_Score ',SESS=' SESS_Score '): ' Blocked_Reason '; individual paranoia level scores:' Paranoia_Score\n | where Blocked_Reason contains \"XSS\" and toint(TotalInboundScore) >=15 and toint(XSS_Score) >= 10 and toint(SQLI_Score) <= 5) on transactionId_g\n | extend Uri = strcat(hostname_s,requestUri_s)\n | summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), TransactionID = make_set(transactionId_g), Message = make_set(Message), Detail_Message = make_set(details_message_s), Detail_Data = make_set(details_data_s), Total_TransactionId = dcount(transactionId_g) by clientIp_s, Uri, action_s, SQLI_Score, XSS_Score, TotalInboundScore\n | where Total_TransactionId >= Threshold\n",
        "queryFrequency": "PT6H",
        "queryPeriod": "PT6H",
        "severity": "High",
        "suppressionDuration": "PT1H",
        "suppressionEnabled": false,
        "tactics": [
          "Execution",
          "InitialAccess"
        ],
        "tags": [
          "Cross Site Scripting"
        ],
        "techniques": [
          "T1189",
          "T1203"
        ],
        "templateVersion": "1.0.1",
        "triggerOperator": "GreaterThan",
        "triggerThreshold": 0
      },
      "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules"
    }
  ]
}