Cloudflare - Unexpected client request

Back


Id	f32142b1-4bcb-45c0-92e4-2ddc18768522
Rulename	Cloudflare - Unexpected client request
Description	Detects client requests to unusual client request.
Severity	Medium
Tactics	InitialAccess
Techniques	T1190 T1133
Required data connectors	CloudflareDataConnector
Kind	Scheduled
Query frequency	1h
Query period	1h
Trigger threshold	0
Trigger operator	gt
Source Uri	https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Cloudflare/Analytic Rules/CloudflareUnexpectedRequest.yaml
Version	1.0.2
Arm template	f32142b1-4bcb-45c0-92e4-2ddc18768522.json

KQL

Cloudflare
| where HttpRequestMethod =~ 'GET'
| where DstBytes != 0 or SrcBytes != 0
| where ClientRequestURI has_any ('/admin', '/admin.php', 'wp-admin', '.htaccess', '/etc/shadow', '/etc/passwd', '/etc/hosts', '/etc/ssh/')

YAML

requiredDataConnectors:
- dataTypes:
  - Cloudflare
  connectorId: CloudflareDataConnector
queryPeriod: 1h
triggerThreshold: 0
queryFrequency: 1h
version: 1.0.2
status: Available
severity: Medium
description: |
    'Detects client requests to unusual client request.'
name: Cloudflare - Unexpected client request
entityMappings:
- fieldMappings:
  - identifier: Address
    columnName: SrcIpAddr
  entityType: IP
triggerOperator: gt
id: f32142b1-4bcb-45c0-92e4-2ddc18768522
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Cloudflare/Analytic Rules/CloudflareUnexpectedRequest.yaml
tactics:
- InitialAccess
relevantTechniques:
- T1190
- T1133
kind: Scheduled
query: |
  Cloudflare
  | where HttpRequestMethod =~ 'GET'
  | where DstBytes != 0 or SrcBytes != 0
  | where ClientRequestURI has_any ('/admin', '/admin.php', 'wp-admin', '.htaccess', '/etc/shadow', '/etc/passwd', '/etc/hosts', '/etc/ssh/')

ARM