Microsoft Sentinel Analytic Rules
cloudbrothers.infoAzure Sentinel RepoToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeBack to homepage

Cloudflare - Multiple error requests from single source

Back
Idef877d68-755f-4cf1-ac1d-f336e395667c
RulenameCloudflare - Multiple error requests from single source
DescriptionDetects multiple failure requests from single source in short timeframe.
SeverityLow
TacticsInitialAccess
TechniquesT1190
T1133
Required data connectorsCloudflareDataConnector
KindScheduled
Query frequency1h
Query period1h
Trigger threshold0
Trigger operatorgt
Source Urihttps://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Cloudflare/Analytic Rules/CloudflareMultipleErrorsSource.yaml
Version1.0.0
Arm templateef877d68-755f-4cf1-ac1d-f336e395667c.json
Deploy To Azure
let threshold = 100;
Cloudflare
| where HttpRequestMethod =~ 'GET'
| summarize err_cnt = count() by SrcIpAddr, bin(TimeGenerated, 5m)
| where err_cnt > threshold
| extend IPCustomEntity = SrcIpAddr
name: Cloudflare - Multiple error requests from single source
query: |
  let threshold = 100;
  Cloudflare
  | where HttpRequestMethod =~ 'GET'
  | summarize err_cnt = count() by SrcIpAddr, bin(TimeGenerated, 5m)
  | where err_cnt > threshold
  | extend IPCustomEntity = SrcIpAddr  
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Cloudflare/Analytic Rules/CloudflareMultipleErrorsSource.yaml
queryFrequency: 1h
triggerThreshold: 0
requiredDataConnectors:
- dataTypes:
  - Cloudflare
  connectorId: CloudflareDataConnector
version: 1.0.0
status: Available
queryPeriod: 1h
id: ef877d68-755f-4cf1-ac1d-f336e395667c
triggerOperator: gt
entityMappings:
- fieldMappings:
  - identifier: Address
    columnName: IPCustomEntity
  entityType: IP
relevantTechniques:
- T1190
- T1133
severity: Low
description: |
    'Detects multiple failure requests from single source in short timeframe.'
kind: Scheduled
tactics:
- InitialAccess
{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "workspace": {
      "type": "String"
    }
  },
  "resources": [
    {
      "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/ef877d68-755f-4cf1-ac1d-f336e395667c')]",
      "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/ef877d68-755f-4cf1-ac1d-f336e395667c')]",
      "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
      "kind": "Scheduled",
      "apiVersion": "2022-11-01",
      "properties": {
        "displayName": "Cloudflare - Multiple error requests from single source",
        "description": "'Detects multiple failure requests from single source in short timeframe.'\n",
        "severity": "Low",
        "enabled": true,
        "query": "let threshold = 100;\nCloudflare\n| where HttpRequestMethod =~ 'GET'\n| summarize err_cnt = count() by SrcIpAddr, bin(TimeGenerated, 5m)\n| where err_cnt > threshold\n| extend IPCustomEntity = SrcIpAddr\n",
        "queryFrequency": "PT1H",
        "queryPeriod": "PT1H",
        "triggerOperator": "GreaterThan",
        "triggerThreshold": 0,
        "suppressionDuration": "PT1H",
        "suppressionEnabled": false,
        "tactics": [
          "InitialAccess"
        ],
        "techniques": [
          "T1190",
          "T1133"
        ],
        "alertRuleTemplateName": "ef877d68-755f-4cf1-ac1d-f336e395667c",
        "customDetails": null,
        "entityMappings": [
          {
            "fieldMappings": [
              {
                "identifier": "Address",
                "columnName": "IPCustomEntity"
              }
            ],
            "entityType": "IP"
          }
        ],
        "status": "Available",
        "templateVersion": "1.0.0",
        "OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Cloudflare/Analytic Rules/CloudflareMultipleErrorsSource.yaml"
      }
    }
  ]
}