Cloudflare - Multiple user agents for single source

Back


Id	fc50076a-0275-43d5-b9dd-38346c061f68
Rulename	Cloudflare - Multiple user agents for single source
Description	Detects requests with different user agents from one source in short timeframe.
Severity	Medium
Tactics	InitialAccess
Techniques	T1190 T1133
Required data connectors	CloudflareDataConnector
Kind	Scheduled
Query frequency	1h
Query period	1h
Trigger threshold	0
Trigger operator	gt
Source Uri	https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Cloudflare CCF/Analytic Rules/CloudflareCCFMultipleUAs.yaml
Version	1.0.1
Arm template	fc50076a-0275-43d5-b9dd-38346c061f68.json

KQL

let threshold = 10;
Cloudflare
| where isnotempty(HttpUserAgentOriginal)
| summarize d_ua = dcount(HttpUserAgentOriginal) by SrcIpAddr, bin(TimeGenerated, 3m)
| where d_ua > threshold

YAML

kind: Scheduled
severity: Medium
description: |
    'Detects requests with different user agents from one source in short timeframe.'
triggerThreshold: 0
status: Available
query: |
  let threshold = 10;
  Cloudflare
  | where isnotempty(HttpUserAgentOriginal)
  | summarize d_ua = dcount(HttpUserAgentOriginal) by SrcIpAddr, bin(TimeGenerated, 3m)
  | where d_ua > threshold  
relevantTechniques:
- T1190
- T1133
version: 1.0.1
triggerOperator: gt
entityMappings:
- fieldMappings:
  - identifier: Address
    columnName: SrcIpAddr
  entityType: IP
requiredDataConnectors:
- connectorId: CloudflareDataConnector
  dataTypes:
  - Cloudflare
queryPeriod: 1h
tactics:
- InitialAccess
name: Cloudflare - Multiple user agents for single source
queryFrequency: 1h
id: fc50076a-0275-43d5-b9dd-38346c061f68
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Cloudflare CCF/Analytic Rules/CloudflareCCFMultipleUAs.yaml

ARM