Azure
/
Azure-Sentinel
зеркало из
1
0
Форкнуть 0
Код Задачи Пакеты Проекты Релизы Вики Активность

Merge pull request #3439 from socprime/imperva_cl_waf_content 

add imperva content
This commit is contained in:
NikTripathi 2021-12-23 12:39:52 +05:30 коммит произвёл GitHub
Родитель efe7caee70 0f96056ee6
Коммит 552eda23a7
Не найден ключ, соответствующий данной подписи
Идентификатор ключа GPG: 4AEE18F83AFDEB23
27 изменённых файлов: 1129 добавлений и 0 удалений
Показать статистику Скачать Patch файл Скачать Diff файл Показать все файлы Свернуть все файлы

157
.script/tests/KqlvalidationsTests/CustomTables/ImpervaWAFCloud.json Normal file
Просмотреть файл

@ -0,0 +1,157 @@
{
"name": "ImpervaWAFCloud",
"Properties": [
{
"Name": "TimeGenerated",
"Type": "DateTime"
},
{
"Name": "EventVendor",
"Type": "String"
},
{
"Name": "EventProduct",
"Type": "String"
},
{
"Name": "EventType",
"Type": "String"
},
{
"Name": "EventSeverity",
"Type": "String"
},
{
"Name": "DvcAction",
"Type": "String"
},
{
"Name": "NetworkApplicationProtocol",
"Type": "String"
},
{
"Name": "Country",
"Type": "String"
},
{
"Name": "City",
"Type": "String"
},
{
"Name": "HttpStatusCode",
"Type": "String"
},
{
"Name": "SrcPortNumber",
"Type": "String"
},
{
"Name": "AccountName",
"Type": "String"
},
{
"Name": "RequestId",
"Type": "String"
},
{
"Name": "PoPName",
"Type": "String"
},
{
"Name": "BrowserType",
"Type": "String"
},
{
"Name": "EventEndTime",
"Type": "String"
},
{
"Name": "NetworkSessionId",
"Type": "String"
},
{
"Name": "PostBody",
"Type": "String"
},
{
"Name": "QueryString",
"Type": "String"
},
{
"Name": "UrlOriginal",
"Type": "String"
},
{
"Name": "HttpUserAgentOriginal",
"Type": "String"
},
{
"Name": "HttpRequestMethod",
"Type": "String"
},
{
"Name": "DstIpAddr",
"Type": "String"
},
{
"Name": "SiteID",
"Type": "String"
},
{
"Name": "DstDomainHostname",
"Type": "String"
},
{
"Name": "DstPortNumber",
"Type": "String"
},
{
"Name": "SrcIpAddr",
"Type": "String"
},
{
"Name": "EventStartTime",
"Type": "String"
},
{
"Name": "AccountID",
"Type": "String"
},
{
"Name": "NetworkApplicationProtocoVersion",
"Type": "String"
},
{
"Name": "HttpRequestXff",
"Type": "String"
},
{
"Name": "CaptchaSupport",
"Type": "String"
},
{
"Name": "ClientApp",
"Type": "String"
},
{
"Name": "ClientAppSig",
"Type": "String"
},
{
"Name": "CookiesSupport",
"Type": "String"
},
{
"Name": "SrcGeoLatitude",
"Type": "String"
},
{
"Name": "SrcGeoLongitude",
"Type": "String"
},
{
"Name": "VisitorID",
"Type": "String"
}
]
}

1
.script/tests/detectionTemplateSchemaValidation/ValidConnectorIds.json
Просмотреть файл

@ -64,6 +64,7 @@
"ForgeRock",
"Fortinet",
"GWorkspaceRAPI",
"ImpervaWAFCloudAPI",
"ImpervaWAFGateway",
"ImportedConnector",
"InfobloxCloudDataConnector",

30
Solutions/ImpervaCloudWAF/Analytic Rules/ImpervaAbnormalProtocolUsage.yaml Executable file
Просмотреть файл

@ -0,0 +1,30 @@
id: 363307f6-09ba-4926-ad52-03aadfd24b5e
name: Imperva - Abnormal protocol usage
description: |
'Detects abnormal protocol usage.'
severity: Medium
requiredDataConnectors:
- connectorId: ImpervaWAFCloudAPI
dataTypes:
- ImpervaWAFCloud
queryFrequency: 1h
queryPeriod: 1h
triggerOperator: gt
triggerThreshold: 0
tactics:
- InitialAccess
relevantTechniques:
- T1190
- T1133
query: |
ImpervaWAFCloud
| where NetworkApplicationProtocol in~ ('HTTP', 'HTTPs')
| where DstPortNumber !in ('80', '443')
| extend IPCustomEntity = SrcIpAddr
entityMappings:
- entityType: IP
fieldMappings:
- identifier: Address
columnName: IPCustomEntity
version: 1.0.0
kind: Scheduled

30
Solutions/ImpervaCloudWAF/Analytic Rules/ImpervaAdminPanelUncommonIp.yaml Executable file
Просмотреть файл

@ -0,0 +1,30 @@
id: 427c025d-c068-4844-8205-66879e89bcfa
name: Imperva - Request from unexpected IP address to admin panel
description: |
'Detects requests from unexpected IP addresses to admin panel.'
severity: high
requiredDataConnectors:
- connectorId: ImpervaWAFCloudAPI
dataTypes:
- ImpervaWAFCloud
queryFrequency: 1h
queryPeriod: 1h
triggerOperator: gt
triggerThreshold: 0
tactics:
- InitialAccess
relevantTechniques:
- T1190
- T1133
query: |
ImpervaWAFCloud
| where QueryString contains @'/admin'
| where ipv4_is_private(SrcIpAddr) == False
| extend IPCustomEntity = SrcIpAddr
entityMappings:
- entityType: IP
fieldMappings:
- identifier: Address
columnName: IPCustomEntity
version: 1.0.0
kind: Scheduled

30
Solutions/ImpervaCloudWAF/Analytic Rules/ImpervaAttackNotBlocked.yaml Executable file
Просмотреть файл

@ -0,0 +1,30 @@
id: 4d365217-f96a-437c-9c57-53594fa261c3
name: Imperva - Critical severity event not blocked
description: |
'Detects when critical severity event was not blocked.'
severity: high
requiredDataConnectors:
- connectorId: ImpervaWAFCloudAPI
dataTypes:
- ImpervaWAFCloud
queryFrequency: 1h
queryPeriod: 1h
triggerOperator: gt
triggerThreshold: 0
tactics:
- InitialAccess
relevantTechniques:
- T1190
- T1133
query: |
ImpervaWAFCloud
| where EventSeverity =~ 'CRITICAL'
| where DvcAction !startswith 'REQ_BLOCKED' or DvcAction !startswith 'REQ_BAD_'
| extend IPCustomEntity = SrcIpAddr
entityMappings:
- entityType: IP
fieldMappings:
- identifier: Address
columnName: IPCustomEntity
version: 1.0.0
kind: Scheduled

29
Solutions/ImpervaCloudWAF/Analytic Rules/ImpervaCommandInUri.yaml Executable file
Просмотреть файл

@ -0,0 +1,29 @@
id: 6214f187-5840-4cf7-a174-0cf9a72bfd29
name: Imperva - Possible command injection
description: |
'Detects requests with commands in URI.'
severity: Medium
requiredDataConnectors:
- connectorId: ImpervaWAFCloudAPI
dataTypes:
- ImpervaWAFCloud
queryFrequency: 1h
queryPeriod: 1h
triggerOperator: gt
triggerThreshold: 0
tactics:
- InitialAccess
relevantTechniques:
- T1190
- T1133
query: |
ImpervaWAFCloud
| where QueryString contains '%2fetc%2fpasswd' or QueryString contains '%2fetc%2fshadow' or QueryString contains 'ping' or QueryString contains 'whoami' or QueryString contains 'phpinfo' or QueryString contains '%2fbin%2fbash' or QueryString contains 'curl' or QueryString contains 'exec(' or QueryString contains 'wget' or QueryString contains 'python' or QueryString contains 'gcc' or QueryString contains 'uname' or QueryString contains 'systeminfo' or QueryString contains 'rout' or QueryString contains 'hostname' or QueryString contains 'ifconfig'
| extend IPCustomEntity = SrcIpAddr
entityMappings:
- entityType: IP
fieldMappings:
- identifier: Address
columnName: IPCustomEntity
version: 1.0.0
kind: Scheduled

31
Solutions/ImpervaCloudWAF/Analytic Rules/ImpervaForbiddenCountry.yaml Executable file
Просмотреть файл

@ -0,0 +1,31 @@
id: 58300723-22e0-4096-b33a-aa9b992c3564
name: Imperva - Request from unexpected countries
description: |
'Detects request attempts from unexpected countries.'
severity: High
requiredDataConnectors:
- connectorId: ImpervaWAFCloudAPI
dataTypes:
- ImpervaWAFCloud
queryFrequency: 1h
queryPeriod: 1h
triggerOperator: gt
triggerThreshold: 0
tactics:
- InitialAccess
relevantTechniques:
- T1190
- T1133
query: |
let bl_country = dynamic(['CH', 'KR']);
ImpervaWAFCloud
| where Country in (bl_country)
| where DvcAction !startswith 'REQ_BLOCKED' or DvcAction !startswith 'REQ_BAD_'
| extend IPCustomEntity = SrcIpAddr
entityMappings:
- entityType: IP
fieldMappings:
- identifier: Address
columnName: IPCustomEntity
version: 1.0.0
kind: Scheduled

34
Solutions/ImpervaCloudWAF/Analytic Rules/ImpervaForbiddenMethod.yaml Executable file
Просмотреть файл

@ -0,0 +1,34 @@
id: 7ebc9e24-319c-4786-9151-c898240463bc
name: Imperva - Forbidden HTTP request method in request
description: |
'Detects connections with unexpected HTTP request method.'
severity: Medium
requiredDataConnectors:
- connectorId: ImpervaWAFCloudAPI
dataTypes:
- ImpervaWAFCloud
queryFrequency: 1h
queryPeriod: 1h
triggerOperator: gt
triggerThreshold: 0
tactics:
- InitialAccess
relevantTechniques:
- T1190
- T1133
query: |
let bl_http_methods = dynamic(['PUT', 'HEAD', 'OPTIONS', 'TRACE', 'POST']);
ImpervaWAFCloud
| where HttpRequestMethod in~ (bl_http_methods)
| extend IPCustomEntity = SrcIpAddr, UrlCustomEntity = UrlOriginal
entityMappings:
- entityType: IP
fieldMappings:
- identifier: Address
columnName: IPCustomEntity
- entityType: URL
fieldMappings:
- identifier: Url
columnName: UrlCustomEntity
version: 1.0.0
kind: Scheduled

34
Solutions/ImpervaCloudWAF/Analytic Rules/ImpervaMaliciousClient.yaml Executable file
Просмотреть файл

@ -0,0 +1,34 @@
id: 2ff35ed4-b26a-4cad-93a6-f67adb00e919
name: Imperva - Malicious Client
description: |
'Detects connections from known malicious clients.'
severity: Medium
requiredDataConnectors:
- connectorId: ImpervaWAFCloudAPI
dataTypes:
- ImpervaWAFCloud
queryFrequency: 1h
queryPeriod: 1h
triggerOperator: gt
triggerThreshold: 0
tactics:
- InitialAccess
relevantTechniques:
- T1190
- T1133
query: |
ImpervaWAFCloud
| where ClientApp in~ ('VulnerabilityScanner', 'DDoSBot', 'ClickBot','CommentSpamBot','HackingTool', 'SpamBot', 'Worm')
| where DvcAction !startswith 'REQ_BLOCKED' or DvcAction !startswith 'REQ_BAD_'
| extend IPCustomEntity = SrcIpAddr, UrlCustomEntity = QueryString
entityMappings:
- entityType: IP
fieldMappings:
- identifier: Address
columnName: IPCustomEntity
- entityType: URL
fieldMappings:
- identifier: Url
columnName: UrlCustomEntity
version: 1.0.0
kind: Scheduled

30
Solutions/ImpervaCloudWAF/Analytic Rules/ImpervaMaliciousUA.yaml Executable file
Просмотреть файл

@ -0,0 +1,30 @@
id: 905794a9-bc46-42b9-974d-5a2dd58110c5
name: Imperva - Malicious user agent
description: |
'Detects requests containing known malicious user agent strings.'
severity: Medium
requiredDataConnectors:
- connectorId: ImpervaWAFCloudAPI
dataTypes:
- ImpervaWAFCloud
queryFrequency: 1h
queryPeriod: 1h
triggerOperator: gt
triggerThreshold: 0
tactics:
- InitialAccess
relevantTechniques:
- T1190
- T1133
query: |
ImpervaWAFCloud
| where HttpUserAgentOriginal has_any ('Nikto', 'hydra', 'advanced email extractor', 'BFAC', 'brutus', 'cgichk', 'cisco-torch', 'scanner', 'datacha0s', 'dirbuster', 'grabber', 'havij', 'internet ninja', 'masscan', 'morfeus', 'mysqloit', 'n-stealth', 'nessus', 'netsparker', 'nmap nse', 'nmap scripting engine', 'nmap-nse', 'nsauditor', 'openvas', 'pangolin', 'qualys was', 'security scan', 'springenwerk', 'sql power injector', 'sqlmap', 'sqlninja', 'w3af.sf.net', 'w3af.sourceforge.net', 'w3af.org', 'webbandit', 'webinspect', 'webvulnscan', 'xmlrpc exploit', 'WPScan', 'XSpider', 'Webster', 'fantomCrew', 'fantomBrowser')
| summarize count() by SrcIpAddr, bin(TimeGenerated, 5m)
| extend IPCustomEntity = SrcIpAddr
entityMappings:
- entityType: IP
fieldMappings:
- identifier: Address
columnName: IPCustomEntity
version: 1.0.0
kind: Scheduled

31
Solutions/ImpervaCloudWAF/Analytic Rules/ImpervaMultipleUAsSource.yaml Executable file
Просмотреть файл

@ -0,0 +1,31 @@
id: 4e8032eb-f04d-4a30-85d3-b74bf2c8f204
name: Imperva - Multiple user agents from same source
description: |
'Detects connections with unexpected HTTP request method.'
severity: Medium
requiredDataConnectors:
- connectorId: ImpervaWAFCloudAPI
dataTypes:
- ImpervaWAFCloud
queryFrequency: 1h
queryPeriod: 1h
triggerOperator: gt
triggerThreshold: 0
tactics:
- InitialAccess
relevantTechniques:
- T1190
- T1133
query: |
let threshold = 10;
ImpervaWAFCloud
| summarize d_uas = dcount(HttpUserAgentOriginal) by SrcIpAddr, bin(TimeGenerated, 5m)
| where d_uas >= threshold
| extend IPCustomEntity = SrcIpAddr
entityMappings:
- entityType: IP
fieldMappings:
- identifier: Address
columnName: IPCustomEntity
version: 1.0.0
kind: Scheduled

31
Solutions/ImpervaCloudWAF/Analytic Rules/ImpervaSuspiciousDstPort.yaml Executable file
Просмотреть файл

@ -0,0 +1,31 @@
id: 0ba78922-033c-468c-82de-2974d7b1797d
name: Imperva - Request to unexpected destination port
description: |
'Detects request attempts to unexpected destination ports.'
severity: high
requiredDataConnectors:
- connectorId: ImpervaWAFCloudAPI
dataTypes:
- ImpervaWAFCloud
queryFrequency: 1h
queryPeriod: 1h
triggerOperator: gt
triggerThreshold: 0
tactics:
- InitialAccess
relevantTechniques:
- T1190
- T1133
query: |
let bl_ports = dynamic(['22', '3389']);
ImpervaWAFCloud
| where DstPortNumber in (bl_ports)
| where DvcAction !startswith 'REQ_BLOCKED' or DvcAction !startswith 'REQ_BAD_'
| extend IPCustomEntity = SrcIpAddr
entityMappings:
- entityType: IP
fieldMappings:
- identifier: Address
columnName: IPCustomEntity
version: 1.0.0
kind: Scheduled

27
Solutions/ImpervaCloudWAF/Hunting Queries/ImpervaDestinationBlocked.yaml Executable file
Просмотреть файл

@ -0,0 +1,27 @@
id: e360c980-b515-4c27-921c-19d411bd059d
name: Imperva - Top destinations with blocked requests
description: |
'Query searches destination IP addresses requests to which were blocked by the service.'
severity: Medium
requiredDataConnectors:
- connectorId: ImpervaWAFCloudAPI
dataTypes:
- ImpervaWAFCloud
tactics:
- InitialAccess
- Impact
relevantTechniques:
- T1190
- T1133
- T1498
query: |
ImpervaWAFCloud
| where TimeGenerated > ago(24h)
| where DvcAction startswith 'REQ_BLOCKED'
| summarize count() by DstIpAddr
| extend IPCustomEntity = DstIpAddr
entityMappings:
- entityType: IP
fieldMappings:
- identifier: Address
columnName: IPCustomEntity

24
Solutions/ImpervaCloudWAF/Hunting Queries/ImpervaInsecureWebProtocolVersion.yaml Executable file
Просмотреть файл

@ -0,0 +1,24 @@
id: 4cf72a93-537a-4c1f-83a3-0a5b743fe93e
name: Imperva - Applications with insecure web protocol version
description: |
'Query searches for with insecure web protocol version.'
severity: Medium
requiredDataConnectors:
- connectorId: ImpervaWAFCloudAPI
dataTypes:
- ImpervaWAFCloud
tactics:
- InitialAccess
relevantTechniques:
- T1190
query: |
ImpervaWAFCloud
| where TimeGenerated > ago(24h)
| where NetworkApplicationProtocoVersion !startswith 'TLSv1.2'
| summarize count() by DstDomainHostname
| extend DomainNameCustom = DstDomainHostname
entityMappings:
- entityType: DNS
fieldMappings:
- identifier: DomainName
columnName: CustomDomainName

24
Solutions/ImpervaCloudWAF/Hunting Queries/ImpervaNonWebApplication.yaml Executable file
Просмотреть файл

@ -0,0 +1,24 @@
id: 1f99e54f-0e75-474e-8232-90963207f02b
name: Imperva - Non HTTP/HTTPs applications
description: |
'Query searches for non HTTP/HTTPs applications.'
severity: Medium
requiredDataConnectors:
- connectorId: ImpervaWAFCloudAPI
dataTypes:
- ImpervaWAFCloud
tactics:
- InitialAccess
relevantTechniques:
- T1190
query: |
ImpervaWAFCloud
| where TimeGenerated > ago(24h)
| where NetworkApplicationProtocol !in~ ('HTTP', 'HTTPs')
| summarize count() by DstIpAddr, NetworkApplicationProtocol
| extend IPCustomEntity = DstIpAddr
entityMappings:
- entityType: IP
fieldMappings:
- identifier: Address
columnName: IPCustomEntity

25
Solutions/ImpervaCloudWAF/Hunting Queries/ImpervaRareApplications.yaml Executable file
Просмотреть файл

@ -0,0 +1,25 @@
id: 426a8b59-41ad-4022-bb01-cf914fd5687a
name: Imperva - Rare applications
description: |
'Query searches for rare application protocols.'
severity: Medium
requiredDataConnectors:
- connectorId: ImpervaWAFCloudAPI
dataTypes:
- ImpervaWAFCloud
tactics:
- InitialAccess
relevantTechniques:
- T1190
query: |
ImpervaWAFCloud
| where TimeGenerated > ago(24h)
| where isnotempty(NetworkApplicationProtocol)
| summarize count() by NetworkApplicationProtocol
| top 5 by count_ asc
| extend AppCustomEntity = NetworkApplicationProtocol
entityMappings:
- entityType: CloudApplication
fieldMappings:
- identifier: Name
columnName: AppCustomEntity

25
Solutions/ImpervaCloudWAF/Hunting Queries/ImpervaRareClientApplications.yaml Executable file
Просмотреть файл

@ -0,0 +1,25 @@
id: 4a8a88af-4f40-40bd-aca8-e016dd6960de
name: Imperva - Rare client applications
description: |
'Query searches for rare client applications used.'
severity: Medium
requiredDataConnectors:
- connectorId: ImpervaWAFCloudAPI
dataTypes:
- ImpervaWAFCloud
tactics:
- InitialAccess
relevantTechniques:
- T1190
query: |
ImpervaWAFCloud
| where TimeGenerated > ago(24h)
| where isnotempty(ClientApp)
| summarize count() by ClientApp
| top 10 by count_ asc
| extend AppCustomEntity = ClientApp
entityMappings:
- entityType: CloudApplication
fieldMappings:
- identifier: Name
columnName: AppCustomEntity

24
Solutions/ImpervaCloudWAF/Hunting Queries/ImpervaRareDstPorts.yaml Executable file
Просмотреть файл

@ -0,0 +1,24 @@
id: e68c3b84-7895-41d5-a9af-4ef776e82408
name: Imperva - Rare destination ports
description: |
'Query searches for requests for rare destination ports.'
severity: Medium
requiredDataConnectors:
- connectorId: ImpervaWAFCloudAPI
dataTypes:
- ImpervaWAFCloud
tactics:
- InitialAccess
relevantTechniques:
- T1190
query: |
ImpervaWAFCloud
| where TimeGenerated > ago(24h)
| summarize count() by DstIpAddr, DstPortNumber
| top 20 by count asc
| extend IPCustomEntity = DstIpAddr
entityMappings:
- entityType: IP
fieldMappings:
- identifier: Address
columnName: IPCustomEntity

24
Solutions/ImpervaCloudWAF/Hunting Queries/ImpervaRequestsFromBots.yaml Executable file
Просмотреть файл

@ -0,0 +1,24 @@
id: 4cb3088c-445a-4a99-a90f-d583fe253a7d
name: Imperva - request from known bots
description: |
'Query searches for requests from known bots.'
severity: Medium
requiredDataConnectors:
- connectorId: ImpervaWAFCloudAPI
dataTypes:
- ImpervaWAFCloud
tactics:
- InitialAccess
relevantTechniques:
- T1190
query: |
ImpervaWAFCloud
| where TimeGenerated > ago(24h)
| where ClientApp =~ 'Bot'
| summarize count() by SrcIpAddr, NetworkApplicationProtocol
| extend IPCustomEntity = SrcIpAddr
entityMappings:
- entityType: IP
fieldMappings:
- identifier: Address
columnName: IPCustomEntity

27
Solutions/ImpervaCloudWAF/Hunting Queries/ImpervaSourceBlocked.yaml Executable file
Просмотреть файл

@ -0,0 +1,27 @@
id: ec5b9eb6-f43a-40fc-ae65-2af9ae1e77ae
name: Imperva - Top sources with blocked requests
description: |
'Query searches source IP addresses with blocked requests.'
severity: Medium
requiredDataConnectors:
- connectorId: ImpervaWAFCloudAPI
dataTypes:
- ImpervaWAFCloud
tactics:
- InitialAccess
- Impact
relevantTechniques:
- T1190
- T1133
- T1498
query: |
ImpervaWAFCloud
| where TimeGenerated > ago(24h)
| where DvcAction startswith 'REQ_BLOCKED'
| summarize count() by SrcIpAddr
| extend IPCustomEntity = SrcIpAddr
entityMappings:
- entityType: IP
fieldMappings:
- identifier: Address
columnName: IPCustomEntity

29
Solutions/ImpervaCloudWAF/Hunting Queries/ImpervaTopApplicationsErrors.yaml Executable file
Просмотреть файл

@ -0,0 +1,29 @@
id: 934f19a5-f4bc-47eb-a213-db918b097434
name: Imperva - Top applications with error requests
description: |
'Query searches for top applications with protocol or network errors.'
severity: Medium
requiredDataConnectors:
- connectorId: ImpervaWAFCloudAPI
dataTypes:
- ImpervaWAFCloud
tactics:
- InitialAccess
relevantTechniques:
- T1190
query: |
ImpervaWAFCloud
| where TimeGenerated > ago(24h)
| where DvcAction startswith 'REQ_BAD_'
| summarize count() by DstIpAddr, DstDomainHostname
| top 10 by count_
| extend IPCustomEntity = DstIpAddr, DomainNameCustom = DstDomainHostname
entityMappings:
- entityType: IP
fieldMappings:
- identifier: Address
columnName: IPCustomEntity
- entityType: DNS
fieldMappings:
- identifier: DomainName
columnName: CustomDomainName

25
Solutions/ImpervaCloudWAF/Hunting Queries/ImpervaTopSourcesErrors.yaml Executable file
Просмотреть файл

@ -0,0 +1,25 @@
id: c359e40f-3a56-4e75-8dbb-41e5057bba64
name: Imperva - Top sources with error requests
description: |
'Query searches for top source IP addresses with protocol or network errors.'
severity: Medium
requiredDataConnectors:
- connectorId: ImpervaWAFCloudAPI
dataTypes:
- ImpervaWAFCloud
tactics:
- InitialAccess
relevantTechniques:
- T1190
query: |
ImpervaWAFCloud
| where TimeGenerated > ago(24h)
| where DvcAction startswith 'REQ_BAD_'
| summarize count() by SrcIpAddr
| top 100 by count_
| extend IPCustomEntity = SrcIpAddr
entityMappings:
- entityType: IP
fieldMappings:
- identifier: Address
columnName: IPCustomEntity

Двоичные данные
Solutions/ImpervaCloudWAF/Workbooks/Images/ImpervaWAFCloudBlack01.png Normal file
Просмотреть файл

Двоичный файл не отображается.
Режим "рядом"

После

Ширина:  |  Высота:  |  Размер: 230 KiB

Двоичные данные
Solutions/ImpervaCloudWAF/Workbooks/Images/ImpervaWAFCloudBlack02.png Normal file
Просмотреть файл

Двоичный файл не отображается.
Режим "рядом"

После

Ширина:  |  Высота:  |  Размер: 248 KiB

Двоичные данные
Solutions/ImpervaCloudWAF/Workbooks/Images/ImpervaWAFCloudWhite01.png Normal file
Просмотреть файл

Двоичный файл не отображается.
Режим "рядом"

После

Ширина:  |  Высота:  |  Размер: 240 KiB

Двоичные данные
Solutions/ImpervaCloudWAF/Workbooks/Images/ImpervaWAFCloudWhite02.png Normal file
Просмотреть файл

Двоичный файл не отображается.
Режим "рядом"

После

Ширина:  |  Высота:  |  Размер: 224 KiB

407
Solutions/ImpervaCloudWAF/Workbooks/Imperva WAF Cloud Overview.json Normal file
Просмотреть файл

@ -0,0 +1,407 @@
{
"version": "Notebook/1.0",
"items": [
{
"type": 1,
"content": {
"json": "**NOTE**: This data connector depends on a parser based on Kusto Function **ImpervaWAFCloud** to work as expected. [Follow steps to get this Kusto Function](https://aka.ms/sentinel-ImpervaWAFCloud-parser)"
},
"name": "text - 8"
},
{
"type": 9,
"content": {
"version": "KqlParameterItem/1.0",
"parameters": [
{
"id": "cd8447d9-b096-4673-92d8-2a1e8291a125",
"version": "KqlParameterItem/1.0",
"name": "TimeRange",
"type": 4,
"description": "Sets the time name for analysis",
"value": {
"durationMs": 7776000000
},
"typeSettings": {
"selectableValues": [
{
"durationMs": 900000
},
{
"durationMs": 3600000
},
{
"durationMs": 86400000
},
{
"durationMs": 604800000
},
{
"durationMs": 2592000000
},
{
"durationMs": 7776000000
}
]
},
"timeContext": {
"durationMs": 86400000
}
}
],
"style": "pills",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces"
},
"name": "parameters - 11"
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "ImpervaWAFCloud\r\n| make-series TotalEvents = count() default = 0 on TimeGenerated from {TimeRange:start} to {TimeRange:end} step {TimeRange:grain};",
"size": 0,
"title": "Events Over Time",
"timeContext": {
"durationMs": 7776000000
},
"timeContextFromParameter": "TimeRange",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
"visualization": "timechart",
"graphSettings": {
"type": 0
}
},
"customWidth": "60",
"name": "query - 12",
"styleSettings": {
"maxWidth": "55"
}
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "//Total Http status code result\r\nImpervaWAFCloud\r\n| where isnotempty(HttpStatusCode)\r\n| extend HttpStatus = case( \r\n HttpStatusCode startswith \"2\", \"Success\", \r\n HttpStatusCode startswith \"4\", \"Client Error\",\r\n HttpStatusCode startswith \"5\", \"Server Error\",\r\n \"Unknown\")\r\n| summarize TotalHttpStatus = count() by HttpStatus",
"size": 3,
"title": "HTTP Status Codes",
"timeContext": {
"durationMs": 7776000000
},
"timeContextFromParameter": "TimeRange",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
"visualization": "piechart"
},
"customWidth": "30",
"name": "query - 0",
"styleSettings": {
"maxWidth": "30"
}
},
{
"type": 12,
"content": {
"version": "NotebookGroup/1.0",
"groupType": "editable",
"items": [
{
"type": 12,
"content": {
"version": "NotebookGroup/1.0",
"groupType": "editable",
"items": [
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "ImpervaWAFCloud\r\n| where isnotempty(SrcIpAddr)\r\n| summarize dcount(SrcIpAddr) ",
"size": 3,
"title": "Unique IP Addresses",
"timeContext": {
"durationMs": 7776000000
},
"timeContextFromParameter": "TimeRange",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
"visualization": "card",
"textSettings": {
"style": "bignumber"
}
},
"name": "query - 0"
}
]
},
"name": "group - 1"
},
{
"type": 12,
"content": {
"version": "NotebookGroup/1.0",
"groupType": "editable",
"items": [
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "ImpervaWAFCloud\r\n| where isnotempty(DstDomainHostname) \r\n| summarize dcount(DstDomainHostname)",
"size": 3,
"title": "Unique Domains",
"timeContext": {
"durationMs": 7776000000
},
"timeContextFromParameter": "TimeRange",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
"visualization": "card",
"textSettings": {
"style": "bignumber"
}
},
"name": "query - 0"
}
]
},
"name": "group - 2"
},
{
"type": 12,
"content": {
"version": "NotebookGroup/1.0",
"groupType": "editable",
"items": [
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "ImpervaWAFCloud\r\n| where DvcAction startswith 'REQ_BLOCKED'\r\n| count",
"size": 3,
"title": "Total blocked requests",
"noDataMessage": "0",
"timeContext": {
"durationMs": 7776000000
},
"timeContextFromParameter": "TimeRange",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
"visualization": "card",
"textSettings": {
"style": "bignumber"
}
},
"name": "query - 0"
}
]
},
"name": "group - 2"
}
]
},
"customWidth": "10",
"name": "group - 9",
"styleSettings": {
"maxWidth": "100",
"showBorder": true
}
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "ImpervaWAFCloud\r\n| where isnotempty(SrcIpAddr)\r\n| summarize count() by SrcIpAddr\r\n| project-rename SourceIP=SrcIpAddr\r\n| top 10 by count_ ",
"size": 3,
"title": "Top 10 Sources",
"timeContext": {
"durationMs": 7776000000
},
"timeContextFromParameter": "TimeRange",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
"visualization": "piechart"
},
"customWidth": "34",
"name": "query - 1"
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "ImpervaWAFCloud\r\n| where DvcAction startswith 'REQ_BLOCKED'\r\n| summarize count() by SrcIpAddr\r\n| project-rename SourceIP = SrcIpAddr\r\n| top 10 by count_ desc ",
"size": 3,
"title": "Top Source IP addresses with blocked requests",
"timeContext": {
"durationMs": 7776000000
},
"timeContextFromParameter": "TimeRange",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
"visualization": "table"
},
"customWidth": "33",
"name": "query - 3",
"styleSettings": {
"margin": "10",
"padding": "10"
}
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "ImpervaWAFCloud\r\n| where isnotempty(Country)\r\n| summarize count() by Country\r\n| top 10 by count_ desc ",
"size": 3,
"title": "Top Source IP addresses with client error",
"timeContext": {
"durationMs": 7776000000
},
"timeContextFromParameter": "TimeRange",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
"visualization": "piechart",
"gridSettings": {
"sortBy": [
{
"itemKey": "TotalEvents",
"sortOrder": 2
}
]
},
"sortBy": [
{
"itemKey": "TotalEvents",
"sortOrder": 2
}
]
},
"customWidth": "33",
"name": "query - 2"
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "ImpervaWAFCloud\r\n| where isnotempty(DstDomainHostname)\r\n| summarize TotalEvents = count() by DstDomainHostname\r\n| top 10 by TotalEvents desc",
"size": 3,
"title": "Top destination hosts",
"timeContext": {
"durationMs": 7776000000
},
"timeContextFromParameter": "TimeRange",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
"visualization": "table"
},
"customWidth": "30",
"name": "query - 8"
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "ImpervaWAFCloud\r\n| extend File = extract(@\".*\\/([a-zA-Z0-9-._]*)\", 1, tostring(QueryString))\r\n| where isnotempty(File)\r\n| sort by TimeGenerated desc \r\n| project File, strcat(iff(HttpStatusCode startswith \"4\" or HttpStatusCode startswith \"5\", '❌', '✅')), HttpStatusCode\r\n| project-rename Result = Column1, FileName=File",
"size": 0,
"title": "Latest files accessed",
"timeContext": {
"durationMs": 7776000000
},
"timeContextFromParameter": "TimeRange",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
"gridSettings": {
"rowLimit": 50,
"filter": true
}
},
"customWidth": "35",
"name": "query - 12",
"styleSettings": {
"maxWidth": "33"
}
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "ImpervaWAFCloud\r\n| where isnotempty(ClientApp)\r\n| summarize count() by ClientApp",
"size": 3,
"title": "Client application types",
"timeContext": {
"durationMs": 7776000000
},
"timeContextFromParameter": "TimeRange",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
"visualization": "piechart",
"gridSettings": {
"rowLimit": 10
},
"graphSettings": {
"type": 0,
"topContent": {
"columnMatch": "SrcIpAddr",
"formatter": 1
},
"centerContent": {
"columnMatch": "LargeRequest",
"formatter": 1,
"numberFormat": {
"unit": 17,
"options": {
"maximumSignificantDigits": 3,
"maximumFractionDigits": 2
}
}
}
},
"chartSettings": {
"showMetrics": false,
"showLegend": true
}
},
"customWidth": "30",
"name": "query - 7"
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "ImpervaWAFCloud\n| where isnotempty(SrcIpAddr)\n| summarize by SrcIpAddr, SrcGeoLatitude, SrcGeoLongitude",
"size": 3,
"title": "Attack Map",
"color": "redBright",
"timeContext": {
"durationMs": 0
},
"timeContextFromParameter": "TimeRange",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
"visualization": "map",
"gridSettings": {
"filter": true
},
"mapSettings": {
"locInfo": "LatLong",
"latitude": "SrcGeoLatitude",
"longitude": "SrcGeoLongitude",
"sizeSettings": "SrcIpAddr",
"sizeAggregation": "Count",
"defaultSize": 20,
"labelSettings": "SrcIpAddr",
"legendMetric": "SrcIpAddr",
"legendAggregation": "Count",
"itemColorSettings": {
"nodeColorField": "SrcIpAddr",
"colorAggregation": "Count",
"type": "heatmap",
"heatmapPalette": "greenRed"
}
}
},
"name": "query - 11"
}
],
"fromTemplateId": "sentinel-ImpervaWAFCloudWorkbook",
"$schema": "https://github.com/Microsoft/Application-Insights-Workbooks/blob/master/schema/workbook.json"
}