Header Web Server Exposed

Back


Id	d6793fa2-c1db-4323-9bdb-a1e8d1990f5c
Rulename	Header: Web Server Exposed
Description	Header: Web Server Exposed
Severity	Informational
Tactics	Reconnaissance
Techniques	T1592
Required data connectors	HVPollingIDAzureFunctions
Kind	Scheduled
Query frequency	5m
Query period	5m
Trigger threshold	0
Trigger operator	gt
Source Uri	https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/CTM360/Analytic Rules/HeaderWebServerExposed.yaml
Version	1.0.3
Arm template	d6793fa2-c1db-4323-9bdb-a1e8d1990f5c.json

KQL

HackerViewLog_Azure_1_CL | where severity_s == "low" | where progress_status_s == "New" | where status_s != "inactive"  | where issue_name_s == "Header: Web Server Exposed"

YAML

eventGroupingSettings:
  aggregationKind: SingleAlert
requiredDataConnectors:
- connectorId: HVPollingIDAzureFunctions
  dataTypes:
  - HackerViewLog_Azure_1_CL
kind: Scheduled
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/CTM360/Analytic Rules/HeaderWebServerExposed.yaml
triggerThreshold: 0
status: Available
relevantTechniques:
- T1592
queryPeriod: 5m
name: 'Header: Web Server Exposed'
suppressionEnabled: false
version: 1.0.3
entityMappings:
- entityType: IP
  fieldMappings:
  - columnName: meta_resolved_ip_s
    identifier: Address
- entityType: URL
  fieldMappings:
  - columnName: hackerview_link_s
    identifier: Url
- entityType: Host
  fieldMappings:
  - columnName: meta_host_s
    identifier: HostName
queryFrequency: 5m
triggerOperator: gt
incidentConfiguration:
  createIncident: true
  groupingConfiguration:
    matchingMethod: AllEntities
    lookbackDuration: PT5H
    enabled: false
    reopenClosedIncident: false
description: |
    'Header: Web Server Exposed'
tactics:
- Reconnaissance
severity: Informational
suppressionDuration: 5h
query: 'HackerViewLog_Azure_1_CL | where severity_s == "low" | where progress_status_s == "New" | where status_s != "inactive"  | where issue_name_s == "Header: Web Server Exposed"'
id: d6793fa2-c1db-4323-9bdb-a1e8d1990f5c

ARM