Microsoft Sentinel Analytic Rules
cloudbrothers.infoAzure Sentinel RepoToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeBack to homepage

Cloudflare - Multiple error requests from single source

Back
Idef877d68-755f-4cf1-ac1d-f336e395667c
RulenameCloudflare - Multiple error requests from single source
DescriptionDetects multiple failure requests from single source in short timeframe.
SeverityLow
TacticsInitialAccess
TechniquesT1190
T1133
Required data connectorsCloudflareDataConnector
KindScheduled
Query frequency1h
Query period1h
Trigger threshold0
Trigger operatorgt
Source Urihttps://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Cloudflare/Analytic Rules/CloudflareMultipleErrorsSource.yaml
Version1.0.0
Arm templateef877d68-755f-4cf1-ac1d-f336e395667c.json
Deploy To Azure
let threshold = 100;
Cloudflare
| where HttpRequestMethod =~ 'GET'
| summarize err_cnt = count() by SrcIpAddr, bin(TimeGenerated, 5m)
| where err_cnt > threshold
| extend IPCustomEntity = SrcIpAddr
severity: Low
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Cloudflare/Analytic Rules/CloudflareMultipleErrorsSource.yaml
description: |
    'Detects multiple failure requests from single source in short timeframe.'
triggerOperator: gt
queryPeriod: 1h
requiredDataConnectors:
- dataTypes:
  - Cloudflare
  connectorId: CloudflareDataConnector
queryFrequency: 1h
triggerThreshold: 0
tactics:
- InitialAccess
query: |
  let threshold = 100;
  Cloudflare
  | where HttpRequestMethod =~ 'GET'
  | summarize err_cnt = count() by SrcIpAddr, bin(TimeGenerated, 5m)
  | where err_cnt > threshold
  | extend IPCustomEntity = SrcIpAddr  
status: Available
kind: Scheduled
relevantTechniques:
- T1190
- T1133
version: 1.0.0
id: ef877d68-755f-4cf1-ac1d-f336e395667c
entityMappings:
- fieldMappings:
  - columnName: IPCustomEntity
    identifier: Address
  entityType: IP
name: Cloudflare - Multiple error requests from single source
{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "workspace": {
      "type": "String"
    }
  },
  "resources": [
    {
      "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/ef877d68-755f-4cf1-ac1d-f336e395667c')]",
      "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/ef877d68-755f-4cf1-ac1d-f336e395667c')]",
      "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
      "kind": "Scheduled",
      "apiVersion": "2022-11-01-preview",
      "properties": {
        "displayName": "Cloudflare - Multiple error requests from single source",
        "description": "'Detects multiple failure requests from single source in short timeframe.'\n",
        "severity": "Low",
        "enabled": true,
        "query": "let threshold = 100;\nCloudflare\n| where HttpRequestMethod =~ 'GET'\n| summarize err_cnt = count() by SrcIpAddr, bin(TimeGenerated, 5m)\n| where err_cnt > threshold\n| extend IPCustomEntity = SrcIpAddr\n",
        "queryFrequency": "PT1H",
        "queryPeriod": "PT1H",
        "triggerOperator": "GreaterThan",
        "triggerThreshold": 0,
        "suppressionDuration": "PT1H",
        "suppressionEnabled": false,
        "tactics": [
          "InitialAccess"
        ],
        "techniques": [
          "T1190",
          "T1133"
        ],
        "alertRuleTemplateName": "ef877d68-755f-4cf1-ac1d-f336e395667c",
        "customDetails": null,
        "entityMappings": [
          {
            "entityType": "IP",
            "fieldMappings": [
              {
                "columnName": "IPCustomEntity",
                "identifier": "Address"
              }
            ]
          }
        ],
        "status": "Available",
        "templateVersion": "1.0.0",
        "OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Cloudflare/Analytic Rules/CloudflareMultipleErrorsSource.yaml"
      }
    }
  ]
}