Cloudflare - Unexpected URI

Back


Id	dcb797cd-a4cd-4306-897b-7991f71d7e27
Rulename	Cloudflare - Unexpected URI
Description	Detects client requests to unusual URI.
Severity	Medium
Tactics	InitialAccess
Techniques	T1190 T1133
Required data connectors	CloudflareDataConnector
Kind	Scheduled
Query frequency	1h
Query period	1h
Trigger threshold	0
Trigger operator	gt
Source Uri	https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Cloudflare/Analytic Rules/CloudflareUnexpectedUrl.yaml
Version	1.0.1
Arm template	dcb797cd-a4cd-4306-897b-7991f71d7e27.json

KQL

Cloudflare
| where HttpRequestMethod =~ 'GET'
| where DstBytes != 0 or SrcBytes != 0
| where ClientRequestURI matches regex @'(127\.\d{1,3}\.\d{1,3}\.\d{1,3})|(10\.\d{1,3}\.\d{1,3}\.\d{1,3})|(172\.1[6-9]\.\d{1,3}\.\d{1,3})|(172\.2[0-9]\.\d{1,3}\.\d{1,3})|(172\.3[0-1]\.\d{1,3}\.\d{1,3})|(192\.168\.\d{1,3}\.\d{1,3})'

YAML

query: |
  Cloudflare
  | where HttpRequestMethod =~ 'GET'
  | where DstBytes != 0 or SrcBytes != 0
  | where ClientRequestURI matches regex @'(127\.\d{1,3}\.\d{1,3}\.\d{1,3})|(10\.\d{1,3}\.\d{1,3}\.\d{1,3})|(172\.1[6-9]\.\d{1,3}\.\d{1,3})|(172\.2[0-9]\.\d{1,3}\.\d{1,3})|(172\.3[0-1]\.\d{1,3}\.\d{1,3})|(192\.168\.\d{1,3}\.\d{1,3})'  
version: 1.0.1
triggerOperator: gt
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Cloudflare/Analytic Rules/CloudflareUnexpectedUrl.yaml
status: Available
description: |
    'Detects client requests to unusual URI.'
queryFrequency: 1h
name: Cloudflare - Unexpected URI
kind: Scheduled
triggerThreshold: 0
id: dcb797cd-a4cd-4306-897b-7991f71d7e27
requiredDataConnectors:
- connectorId: CloudflareDataConnector
  dataTypes:
  - Cloudflare
severity: Medium
queryPeriod: 1h
entityMappings:
- fieldMappings:
  - columnName: SrcIpAddr
    identifier: Address
  entityType: IP
relevantTechniques:
- T1190
- T1133
tactics:
- InitialAccess

ARM