Microsoft Sentinel Analytic Rules
cloudbrothers.infoAzure Sentinel RepoToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeBack to homepage
  1. Microsoft Sentinel Analytics Rules
  2. /
  3. Analytic Rules
  4. /
  5. Apache - Known malicious user agent

Apache - Known malicious user agent

Back
Ide9edfe1c-3afd-11ec-8d3d-0242ac130003
RulenameApache - Known malicious user agent
DescriptionDetects known malicious user agents
SeverityHigh
TacticsInitialAccess
TechniquesT1190
T1133
Required data connectorsCustomLogsAma
KindScheduled
Query frequency10m
Query period10m
Trigger threshold0
Trigger operatorgt
Source Urihttps://github.com/Azure/Azure-Sentinel/blob/master/Solutions/ApacheHTTPServer/Analytic Rules/ApacheKnownMaliciousUserAgents.yaml
Version1.0.3
Arm templatee9edfe1c-3afd-11ec-8d3d-0242ac130003.json
Deploy To Azure
let mal_uas = dynamic(['Metasploit', '360Spider', '404checker', 'AllSubmitter', 'BackDoorBot', 'CATExplorador', 'Nikto', 'havij']);
ApacheHTTPServer
| where HttpUserAgentOriginal has_any (mal_uas)
| extend IPCustomEntity = SrcIpAddr

queryPeriod: 10m
query: |
  let mal_uas = dynamic(['Metasploit', '360Spider', '404checker', 'AllSubmitter', 'BackDoorBot', 'CATExplorador', 'Nikto', 'havij']);
  ApacheHTTPServer
  | where HttpUserAgentOriginal has_any (mal_uas)
  | extend IPCustomEntity = SrcIpAddr  
name: Apache - Known malicious user agent
entityMappings:
- fieldMappings:
  - columnName: IPCustomEntity
    identifier: Address
  entityType: IP
queryFrequency: 10m
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/ApacheHTTPServer/Analytic Rules/ApacheKnownMaliciousUserAgents.yaml
requiredDataConnectors:
- connectorId: CustomLogsAma
  datatypes:
  - ApacheHTTPServer_CL
description: |
    'Detects known malicious user agents'
kind: Scheduled
version: 1.0.3
status: Available
severity: High
relevantTechniques:
- T1190
- T1133
triggerOperator: gt
triggerThreshold: 0
tactics:
- InitialAccess
id: e9edfe1c-3afd-11ec-8d3d-0242ac130003