Cloudflare - Multiple user agents for single source

Back


Id	fc50076a-0275-43d5-b9dd-38346c061f67
Rulename	Cloudflare - Multiple user agents for single source
Description	Detects requests with different user agents from one source in short timeframe.
Severity	Medium
Tactics	InitialAccess
Techniques	T1190 T1133
Required data connectors	CloudflareDataConnector
Kind	Scheduled
Query frequency	1h
Query period	1h
Trigger threshold	0
Trigger operator	gt
Source Uri	https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Cloudflare/Analytic Rules/CloudflareMultipleUAs.yaml
Version	1.0.1
Arm template	fc50076a-0275-43d5-b9dd-38346c061f67.json

KQL

let threshold = 10;
Cloudflare
| where isnotempty(HttpUserAgentOriginal)
| summarize d_ua = dcount(HttpUserAgentOriginal) by SrcIpAddr, bin(TimeGenerated, 3m)
| where d_ua > threshold

YAML

id: fc50076a-0275-43d5-b9dd-38346c061f67
query: |
  let threshold = 10;
  Cloudflare
  | where isnotempty(HttpUserAgentOriginal)
  | summarize d_ua = dcount(HttpUserAgentOriginal) by SrcIpAddr, bin(TimeGenerated, 3m)
  | where d_ua > threshold  
description: |
    'Detects requests with different user agents from one source in short timeframe.'
requiredDataConnectors:
- connectorId: CloudflareDataConnector
  dataTypes:
  - Cloudflare
tactics:
- InitialAccess
status: Available
queryFrequency: 1h
queryPeriod: 1h
triggerOperator: gt
kind: Scheduled
name: Cloudflare - Multiple user agents for single source
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Cloudflare/Analytic Rules/CloudflareMultipleUAs.yaml
version: 1.0.1
relevantTechniques:
- T1190
- T1133
severity: Medium
entityMappings:
- fieldMappings:
  - identifier: Address
    columnName: SrcIpAddr
  entityType: IP
triggerThreshold: 0

ARM