Update MaliciousWAFSessions.yaml

Shain's feedback
vaniMSTIC 2020-11-17 12:30:43 +00:00 коммит произвёл GitHub
Родитель 52a8be5ab5
Коммит 64123da594
1 изменённых файлов: 8 добавлений и 7 удалений


@ -1,11 +1,11 @@
id: 46ac55ae-47b8-414a-8f94-89ccd1962178
name: A potentially malicious web request was executed against a web server
description: |
Detects unobstructed Web Applicatio Firewall (WAF) activity in sessions where the WAF blocked incoming requests by computing the
'Detects unobstructed Web Applicatio Firewall (WAF) activity in sessions where the WAF blocked incoming requests by computing the
ratio between blocked requests and unobstructed WAF requests in these sessions (BlockvsSuccessRatio metric). A high ratio value for
a given client IP and hostname calls for further investigation of the WAF data in that session, due to the significantly high number
of blocked requests and a few unobstructed logs which may be malicious but have passed undetected through the WAF. The successCode
variable defines what the detection thinks is a successful status code, and should be altered to fit the environment.
variable defines what the detection thinks is a successful status code, and should be altered to fit the environment.'
severity: Medium
requiredDataConnectors:
- connectorId: WAF
@ -16,7 +16,7 @@ queryPeriod: 1d
triggerOperator: gt
triggerThreshold: 0
tactics:
- Exploitation
- InitialAccess
relevantTechniques:
- T1190
query: |
@ -42,9 +42,10 @@ query: |
| extend TimeKey = range(bin(TimeGenerated-maxSessionWindow, sessionBin), bin(TimeGenerated, sessionBin), sessionBin)
| mv-expand TimeKey to typeof(datetime)
) on $left.hostname_s == $right.host_s, $left.clientIp_s == $right.clientIP_s, TimeKey
| where (TimeGenerated - SessionStarted) between (0min .. duration)
| summarize SuccessfulAccessLogCount = count(), make_set(userAgent_s), make_set(originalRequestUriWithArgs_s), make_set(serverStatus_s),
make_set(httpStatus_d) by SessionStarted, hostname_s, clientIP_s, SessionBlockedCount
| where (TimeGenerated - SessionStarted) between (0m .. duration)
| extend timestamp = SessionStarted, HostCustomEntity = hostname_s, IPCustomEntity = clientIP_s
| summarize SuccessfulAccessLogCount = count(), UserAgents = make_set(userAgent_s), RequestURIs = make_set(originalRequestUriWithArgs_s),
SuccessCodes = make_set(httpStatus_d), SuccessCodes_BackendServer = make_set(serverStatus_s) by timestamp, HostCustomEntity, IPCustomEntity, SessionBlockedCount
| extend BlockvsSuccessRatio = SessionBlockedCount/SuccessfulAccessLogCount
| sort by BlockvsSuccessRatio desc, SessionStarted asc
| sort by BlockvsSuccessRatio desc, timestamp asc
| where SessionBlockedCount > SuccessfulAccessLogCount
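Review bot: In the third hunk the new tail of the query applies `| where SessionBlockedCount > SuccessfulAccessLogCount` only after `| sort by BlockvsSuccessRatio desc, timestamp asc`, so every session is ranked before the ones that can never alert are discarded; swapping the two lines (`| where SessionBlockedCount > SuccessfulAccessLogCount` followed by `| sort by BlockvsSuccessRatio desc, timestamp asc`) yields the same rows in the same order with less work. That filter is also a hard-coded threshold of ratio > 1 that the updated description never mentions, while the description does advertise a tunable `successCode` variable; a `let` binding such as `let minBlockvsSuccessRatio = 1;` near the query's other let-bindings (which presumably sit above this hunk) plus one sentence in the description would make the knob visible to whoever tunes the rule. The query block starts before this hunk, so the type of `SessionBlockedCount` and the left side of the join cannot be checked here. Separately, the new description line still carries the typo `Web Applicatio Firewall`.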