Cloudflare - Multiple error requests from single source

Back


Id	ef877d68-755f-4cf1-ac1d-f336e395667c
Rulename	Cloudflare - Multiple error requests from single source
Description	Detects multiple failure requests from single source in short timeframe.
Severity	Low
Tactics	InitialAccess
Techniques	T1190 T1133
Required data connectors	CloudflareDataConnector
Kind	Scheduled
Query frequency	1h
Query period	1h
Trigger threshold	0
Trigger operator	gt
Source Uri	https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Cloudflare/Analytic Rules/CloudflareMultipleErrorsSource.yaml
Version	1.0.0
Arm template	ef877d68-755f-4cf1-ac1d-f336e395667c.json

KQL

let threshold = 100;
Cloudflare
| where HttpRequestMethod =~ 'GET'
| summarize err_cnt = count() by SrcIpAddr, bin(TimeGenerated, 5m)
| where err_cnt > threshold
| extend IPCustomEntity = SrcIpAddr

YAML

id: ef877d68-755f-4cf1-ac1d-f336e395667c
tactics:
- InitialAccess
queryPeriod: 1h
triggerThreshold: 0
name: Cloudflare - Multiple error requests from single source
query: |
  let threshold = 100;
  Cloudflare
  | where HttpRequestMethod =~ 'GET'
  | summarize err_cnt = count() by SrcIpAddr, bin(TimeGenerated, 5m)
  | where err_cnt > threshold
  | extend IPCustomEntity = SrcIpAddr  
severity: Low
triggerOperator: gt
kind: Scheduled
relevantTechniques:
- T1190
- T1133
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Cloudflare/Analytic Rules/CloudflareMultipleErrorsSource.yaml
queryFrequency: 1h
requiredDataConnectors:
- connectorId: CloudflareDataConnector
  dataTypes:
  - Cloudflare
description: |
    'Detects multiple failure requests from single source in short timeframe.'
status: Available
version: 1.0.0
entityMappings:
- fieldMappings:
  - columnName: IPCustomEntity
    identifier: Address
  entityType: IP

ARM

{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "workspace": {
      "type": "String"
    }
  },
  "resources": [
    {
      "apiVersion": "2024-01-01-preview",
      "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/ef877d68-755f-4cf1-ac1d-f336e395667c')]",
      "kind": "Scheduled",
      "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/ef877d68-755f-4cf1-ac1d-f336e395667c')]",
      "properties": {
        "alertRuleTemplateName": "ef877d68-755f-4cf1-ac1d-f336e395667c",
        "customDetails": null,
        "description": "'Detects multiple failure requests from single source in short timeframe.'\n",
        "displayName": "Cloudflare - Multiple error requests from single source",
        "enabled": true,
        "entityMappings": [
          {
            "entityType": "IP",
            "fieldMappings": [
              {
                "columnName": "IPCustomEntity",
                "identifier": "Address"
              }
            ]
          }
        ],
        "OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Cloudflare/Analytic Rules/CloudflareMultipleErrorsSource.yaml",
        "query": "let threshold = 100;\nCloudflare\n| where HttpRequestMethod =~ 'GET'\n| summarize err_cnt = count() by SrcIpAddr, bin(TimeGenerated, 5m)\n| where err_cnt > threshold\n| extend IPCustomEntity = SrcIpAddr\n",
        "queryFrequency": "PT1H",
        "queryPeriod": "PT1H",
        "severity": "Low",
        "status": "Available",
        "subTechniques": [],
        "suppressionDuration": "PT1H",
        "suppressionEnabled": false,
        "tactics": [
          "InitialAccess"
        ],
        "techniques": [
          "T1133",
          "T1190"
        ],
        "templateVersion": "1.0.0",
        "triggerOperator": "GreaterThan",
        "triggerThreshold": 0
      },
      "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules"
    }
  ]
}