Cloudflare - Multiple error requests from single source

Back


Id	ef877d68-755f-4cf1-ac1d-f336e395667c
Rulename	Cloudflare - Multiple error requests from single source
Description	Detects multiple failure requests from single source in short timeframe.
Severity	Low
Tactics	InitialAccess
Techniques	T1190 T1133
Required data connectors	CloudflareDataConnector
Kind	Scheduled
Query frequency	1h
Query period	1h
Trigger threshold	0
Trigger operator	gt
Source Uri	https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Cloudflare/Analytic Rules/CloudflareMultipleErrorsSource.yaml
Version	1.0.0
Arm template	ef877d68-755f-4cf1-ac1d-f336e395667c.json

KQL

let threshold = 100;
Cloudflare
| where HttpRequestMethod =~ 'GET'
| summarize err_cnt = count() by SrcIpAddr, bin(TimeGenerated, 5m)
| where err_cnt > threshold
| extend IPCustomEntity = SrcIpAddr

YAML

kind: Scheduled
entityMappings:
- entityType: IP
  fieldMappings:
  - columnName: IPCustomEntity
    identifier: Address
description: |
    'Detects multiple failure requests from single source in short timeframe.'
severity: Low
queryFrequency: 1h
triggerThreshold: 0
relevantTechniques:
- T1190
- T1133
status: Available
tactics:
- InitialAccess
name: Cloudflare - Multiple error requests from single source
id: ef877d68-755f-4cf1-ac1d-f336e395667c
query: |
  let threshold = 100;
  Cloudflare
  | where HttpRequestMethod =~ 'GET'
  | summarize err_cnt = count() by SrcIpAddr, bin(TimeGenerated, 5m)
  | where err_cnt > threshold
  | extend IPCustomEntity = SrcIpAddr  
requiredDataConnectors:
- dataTypes:
  - Cloudflare
  connectorId: CloudflareDataConnector
version: 1.0.0
triggerOperator: gt
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Cloudflare/Analytic Rules/CloudflareMultipleErrorsSource.yaml
queryPeriod: 1h

ARM

{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "workspace": {
      "type": "String"
    }
  },
  "resources": [
    {
      "apiVersion": "2024-01-01-preview",
      "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/ef877d68-755f-4cf1-ac1d-f336e395667c')]",
      "kind": "Scheduled",
      "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/ef877d68-755f-4cf1-ac1d-f336e395667c')]",
      "properties": {
        "alertRuleTemplateName": "ef877d68-755f-4cf1-ac1d-f336e395667c",
        "customDetails": null,
        "description": "'Detects multiple failure requests from single source in short timeframe.'\n",
        "displayName": "Cloudflare - Multiple error requests from single source",
        "enabled": true,
        "entityMappings": [
          {
            "entityType": "IP",
            "fieldMappings": [
              {
                "columnName": "IPCustomEntity",
                "identifier": "Address"
              }
            ]
          }
        ],
        "OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Cloudflare/Analytic Rules/CloudflareMultipleErrorsSource.yaml",
        "query": "let threshold = 100;\nCloudflare\n| where HttpRequestMethod =~ 'GET'\n| summarize err_cnt = count() by SrcIpAddr, bin(TimeGenerated, 5m)\n| where err_cnt > threshold\n| extend IPCustomEntity = SrcIpAddr\n",
        "queryFrequency": "PT1H",
        "queryPeriod": "PT1H",
        "severity": "Low",
        "status": "Available",
        "subTechniques": [],
        "suppressionDuration": "PT1H",
        "suppressionEnabled": false,
        "tactics": [
          "InitialAccess"
        ],
        "techniques": [
          "T1133",
          "T1190"
        ],
        "templateVersion": "1.0.0",
        "triggerOperator": "GreaterThan",
        "triggerThreshold": 0
      },
      "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules"
    }
  ]
}