Cloudflare - Multiple error requests from single source

Back


Id	ef877d68-755f-4cf1-ac1d-f336e395667c
Rulename	Cloudflare - Multiple error requests from single source
Description	Detects multiple failure requests from single source in short timeframe.
Severity	Low
Tactics	InitialAccess
Techniques	T1190 T1133
Required data connectors	CloudflareDataConnector
Kind	Scheduled
Query frequency	1h
Query period	1h
Trigger threshold	0
Trigger operator	gt
Source Uri	https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Cloudflare/Analytic Rules/CloudflareMultipleErrorsSource.yaml
Version	1.0.0
Arm template	ef877d68-755f-4cf1-ac1d-f336e395667c.json

KQL

let threshold = 100;
Cloudflare
| where HttpRequestMethod =~ 'GET'
| summarize err_cnt = count() by SrcIpAddr, bin(TimeGenerated, 5m)
| where err_cnt > threshold
| extend IPCustomEntity = SrcIpAddr

YAML

entityMappings:
- fieldMappings:
  - columnName: IPCustomEntity
    identifier: Address
  entityType: IP
triggerThreshold: 0
severity: Low
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Cloudflare/Analytic Rules/CloudflareMultipleErrorsSource.yaml
queryFrequency: 1h
status: Available
relevantTechniques:
- T1190
- T1133
triggerOperator: gt
id: ef877d68-755f-4cf1-ac1d-f336e395667c
requiredDataConnectors:
- connectorId: CloudflareDataConnector
  dataTypes:
  - Cloudflare
version: 1.0.0
name: Cloudflare - Multiple error requests from single source
description: |
    'Detects multiple failure requests from single source in short timeframe.'
query: |
  let threshold = 100;
  Cloudflare
  | where HttpRequestMethod =~ 'GET'
  | summarize err_cnt = count() by SrcIpAddr, bin(TimeGenerated, 5m)
  | where err_cnt > threshold
  | extend IPCustomEntity = SrcIpAddr  
tactics:
- InitialAccess
queryPeriod: 1h
kind: Scheduled

ARM

{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "workspace": {
      "type": "String"
    }
  },
  "resources": [
    {
      "apiVersion": "2024-01-01-preview",
      "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/ef877d68-755f-4cf1-ac1d-f336e395667c')]",
      "kind": "Scheduled",
      "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/ef877d68-755f-4cf1-ac1d-f336e395667c')]",
      "properties": {
        "alertRuleTemplateName": "ef877d68-755f-4cf1-ac1d-f336e395667c",
        "customDetails": null,
        "description": "'Detects multiple failure requests from single source in short timeframe.'\n",
        "displayName": "Cloudflare - Multiple error requests from single source",
        "enabled": true,
        "entityMappings": [
          {
            "entityType": "IP",
            "fieldMappings": [
              {
                "columnName": "IPCustomEntity",
                "identifier": "Address"
              }
            ]
          }
        ],
        "OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Cloudflare/Analytic Rules/CloudflareMultipleErrorsSource.yaml",
        "query": "let threshold = 100;\nCloudflare\n| where HttpRequestMethod =~ 'GET'\n| summarize err_cnt = count() by SrcIpAddr, bin(TimeGenerated, 5m)\n| where err_cnt > threshold\n| extend IPCustomEntity = SrcIpAddr\n",
        "queryFrequency": "PT1H",
        "queryPeriod": "PT1H",
        "severity": "Low",
        "status": "Available",
        "subTechniques": [],
        "suppressionDuration": "PT1H",
        "suppressionEnabled": false,
        "tactics": [
          "InitialAccess"
        ],
        "techniques": [
          "T1133",
          "T1190"
        ],
        "templateVersion": "1.0.0",
        "triggerOperator": "GreaterThan",
        "triggerThreshold": 0
      },
      "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules"
    }
  ]
}