Cloudflare - Unexpected URI

Back


Id	dcb797cd-a4cd-4306-897b-7991f71d7e27
Rulename	Cloudflare - Unexpected URI
Description	Detects client requests to unusual URI.
Severity	Medium
Tactics	InitialAccess
Techniques	T1190 T1133
Required data connectors	CloudflareDataConnector
Kind	Scheduled
Query frequency	1h
Query period	1h
Trigger threshold	0
Trigger operator	gt
Source Uri	https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Cloudflare/Analytic Rules/CloudflareUnexpectedUrl.yaml
Version	1.0.0
Arm template	dcb797cd-a4cd-4306-897b-7991f71d7e27.json

KQL

Cloudflare
| where HttpRequestMethod =~ 'GET'
| where DstBytes != 0 or SrcBytes != 0
| where ClientRequestURI matches regex @'(127\.\d{1,3}\.\d{1,3}\.\d{1,3})|(10\.\d{1,3}\.\d{1,3}\.\d{1,3})|(172\.1[6-9]\.\d{1,3}\.\d{1,3})|(172\.2[0-9]\.\d{1,3}\.\d{1,3})|(172\.3[0-1]\.\d{1,3}\.\d{1,3})|(192\.168\.\d{1,3}\.\d{1,3})'
| extend IPCustomEntity = SrcIpAddr

YAML

description: |
    'Detects client requests to unusual URI.'
version: 1.0.0
triggerThreshold: 0
tactics:
- InitialAccess
queryPeriod: 1h
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Cloudflare/Analytic Rules/CloudflareUnexpectedUrl.yaml
triggerOperator: gt
status: Available
id: dcb797cd-a4cd-4306-897b-7991f71d7e27
name: Cloudflare - Unexpected URI
queryFrequency: 1h
severity: Medium
kind: Scheduled
entityMappings:
- fieldMappings:
  - columnName: IPCustomEntity
    identifier: Address
  entityType: IP
relevantTechniques:
- T1190
- T1133
query: |
  Cloudflare
  | where HttpRequestMethod =~ 'GET'
  | where DstBytes != 0 or SrcBytes != 0
  | where ClientRequestURI matches regex @'(127\.\d{1,3}\.\d{1,3}\.\d{1,3})|(10\.\d{1,3}\.\d{1,3}\.\d{1,3})|(172\.1[6-9]\.\d{1,3}\.\d{1,3})|(172\.2[0-9]\.\d{1,3}\.\d{1,3})|(172\.3[0-1]\.\d{1,3}\.\d{1,3})|(192\.168\.\d{1,3}\.\d{1,3})'
  | extend IPCustomEntity = SrcIpAddr  
requiredDataConnectors:
- dataTypes:
  - Cloudflare
  connectorId: CloudflareDataConnector

ARM