Cloudflare - Multiple user agents for single source

Back


Id	fc50076a-0275-43d5-b9dd-38346c061f67
Rulename	Cloudflare - Multiple user agents for single source
Description	Detects requests with different user agents from one source in short timeframe.
Severity	Medium
Tactics	InitialAccess
Techniques	T1190 T1133
Required data connectors	CloudflareDataConnector
Kind	Scheduled
Query frequency	1h
Query period	1h
Trigger threshold	0
Trigger operator	gt
Source Uri	https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Cloudflare/Analytic Rules/CloudflareMultipleUAs.yaml
Version	1.0.1
Arm template	fc50076a-0275-43d5-b9dd-38346c061f67.json

KQL

let threshold = 10;
Cloudflare
| where isnotempty(HttpUserAgentOriginal)
| summarize d_ua = dcount(HttpUserAgentOriginal) by SrcIpAddr, bin(TimeGenerated, 3m)
| where d_ua > threshold

YAML

status: Available
queryFrequency: 1h
queryPeriod: 1h
triggerOperator: gt
query: |
  let threshold = 10;
  Cloudflare
  | where isnotempty(HttpUserAgentOriginal)
  | summarize d_ua = dcount(HttpUserAgentOriginal) by SrcIpAddr, bin(TimeGenerated, 3m)
  | where d_ua > threshold  
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Cloudflare/Analytic Rules/CloudflareMultipleUAs.yaml
tactics:
- InitialAccess
triggerThreshold: 0
entityMappings:
- entityType: IP
  fieldMappings:
  - identifier: Address
    columnName: SrcIpAddr
requiredDataConnectors:
- connectorId: CloudflareDataConnector
  dataTypes:
  - Cloudflare
kind: Scheduled
relevantTechniques:
- T1190
- T1133
description: |
    'Detects requests with different user agents from one source in short timeframe.'
name: Cloudflare - Multiple user agents for single source
version: 1.0.1
id: fc50076a-0275-43d5-b9dd-38346c061f67
severity: Medium

ARM