Header Web Server Exposed

Back


Id	d6793fa2-c1db-4323-9bdb-a1e8d1990f5c
Rulename	Header: Web Server Exposed
Description	Header: Web Server Exposed
Severity	Informational
Tactics	Reconnaissance
Techniques	T1592
Required data connectors	HVPollingIDAzureFunctions
Kind	Scheduled
Query frequency	5m
Query period	5m
Trigger threshold	0
Trigger operator	gt
Source Uri	https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/CTM360/Analytic Rules/HeaderWebServerExposed.yaml
Version	1.0.3
Arm template	d6793fa2-c1db-4323-9bdb-a1e8d1990f5c.json

KQL

HackerViewLog_Azure_1_CL | where severity_s == "low" | where progress_status_s == "New" | where status_s != "inactive"  | where issue_name_s == "Header: Web Server Exposed"

YAML

name: 'Header: Web Server Exposed'
entityMappings:
- fieldMappings:
  - columnName: meta_resolved_ip_s
    identifier: Address
  entityType: IP
- fieldMappings:
  - columnName: hackerview_link_s
    identifier: Url
  entityType: URL
- fieldMappings:
  - columnName: meta_host_s
    identifier: HostName
  entityType: Host
id: d6793fa2-c1db-4323-9bdb-a1e8d1990f5c
description: |
    'Header: Web Server Exposed'
triggerThreshold: 0
suppressionEnabled: false
version: 1.0.3
triggerOperator: gt
query: 'HackerViewLog_Azure_1_CL | where severity_s == "low" | where progress_status_s == "New" | where status_s != "inactive"  | where issue_name_s == "Header: Web Server Exposed"'
tactics:
- Reconnaissance
suppressionDuration: 5h
kind: Scheduled
queryFrequency: 5m
severity: Informational
incidentConfiguration:
  createIncident: true
  groupingConfiguration:
    lookbackDuration: PT5H
    reopenClosedIncident: false
    matchingMethod: AllEntities
    enabled: false
queryPeriod: 5m
requiredDataConnectors:
- dataTypes:
  - HackerViewLog_Azure_1_CL
  connectorId: HVPollingIDAzureFunctions
status: Available
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/CTM360/Analytic Rules/HeaderWebServerExposed.yaml
eventGroupingSettings:
  aggregationKind: SingleAlert
relevantTechniques:
- T1592

ARM