add imperva content

Solutions/ImpervaCloudWAF/Analytic Rules/ImpervaAbnormalProtocolUsage.yaml

@@ -0,0 +1,28 @@
+id: 363307f6-09ba-4926-ad52-03aadfd24b5e
+name: Imperva - Abnormal protocol usage
+description: |
+  'Detects abnormal protocol usage.'
+severity: Medium
+requiredDataConnectors:
+  - connectorId: ImpervaWAFCloudAPI
+    dataTypes:
+      - ImpervaWAFCloud
+queryFrequency: 1h
+queryPeriod: 1h
+triggerOperator: gt
+triggerThreshold: 0
+tactics:
+  - InitialAccess
+relevantTechniques:
+  - T1190
+  - T1133
+query: |
+  ImpervaWAFCloud
+  | where NetworkApplicationProtocol in~ ('HTTP', 'HTTPs')
+  | where DstPortNumber !in ('80', '443')
+  | extend IPCustomEntity = SrcIpAddr
+entityMappings:
+  - entityType: IP
+    fieldMappings:
+      - identifier: Address
+        columnName: IPCustomEntity

Solutions/ImpervaCloudWAF/Analytic Rules/ImpervaAdminPanelUncommonIp.yaml

@@ -0,0 +1,28 @@
+id: 427c025d-c068-4844-8205-66879e89bcfa
+name: Imperva - Request from unexpected IP address to admin panel
+description: |
+  'Detects requests from unexpected IP addresses to admin panel.'
+severity: high
+requiredDataConnectors:
+  - connectorId: ImpervaWAFCloudAPI
+    dataTypes:
+      - ImpervaWAFCloud
+queryFrequency: 1h
+queryPeriod: 1h
+triggerOperator: gt
+triggerThreshold: 0
+tactics:
+  - InitialAccess
+relevantTechniques:
+  - T1190
+  - T1133
+query: |
+  ImpervaWAFCloud
+  | where QueryString contains @'/admin'
+  | where ipv4_is_private(SrcIpAddr) == False
+  | extend IPCustomEntity = SrcIpAddr
+entityMappings:
+  - entityType: IP
+    fieldMappings:
+      - identifier: Address
+        columnName: IPCustomEntity

Solutions/ImpervaCloudWAF/Analytic Rules/ImpervaAttackNotBlocked.yaml

@@ -0,0 +1,28 @@
+id: 4d365217-f96a-437c-9c57-53594fa261c3
+name: Imperva - Attack detected and not blocked
+description: |
+  'Detects attacks which were not blocked.'
+severity: high
+requiredDataConnectors:
+  - connectorId: ImpervaWAFCloudAPI
+    dataTypes:
+      - ImpervaWAFCloud
+queryFrequency: 1h
+queryPeriod: 1h
+triggerOperator: gt
+triggerThreshold: 0
+tactics:
+  - InitialAccess
+relevantTechniques:
+  - T1190
+  - T1133
+query: |
+  ImpervaWAFCloud
+  | where isnotempty(RuleName)
+  | where DvcAction !startswith 'REQ_BLOCKED' or DvcAction !startswith 'REQ_BAD_'
+  | extend IPCustomEntity = SrcIpAddr
+entityMappings:
+  - entityType: IP
+    fieldMappings:
+      - identifier: Address
+        columnName: IPCustomEntity

Solutions/ImpervaCloudWAF/Analytic Rules/ImpervaCommandInUri.yaml

@@ -0,0 +1,27 @@
+id: 6214f187-5840-4cf7-a174-0cf9a72bfd29
+name: Imperva - Possible command injection
+description: |
+  'Detects requests with commands in URI.'
+severity: Medium
+requiredDataConnectors:
+  - connectorId: ImpervaWAFCloudAPI
+    dataTypes:
+      - ImpervaWAFCloud
+queryFrequency: 1h
+queryPeriod: 1h
+triggerOperator: gt
+triggerThreshold: 0
+tactics:
+  - InitialAccess
+relevantTechniques:
+  - T1190
+  - T1133
+query: |
+  ImpervaWAFCloud
+  | where QueryString contains '%2fetc%2fpasswd' or QueryString contains '%2fetc%2fshadow' or QueryString contains 'ping' or QueryString contains 'whoami' or QueryString contains 'phpinfo' or QueryString contains '%2fbin%2fbash' or QueryString  contains 'curl' or QueryString contains 'exec(' or QueryString contains 'wget' or QueryString contains 'python' or QueryString contains 'gcc'  or QueryString contains 'uname' or QueryString contains 'systeminfo' or QueryString contains 'rout' or QueryString contains 'hostname' or QueryString contains 'ifconfig'
+  | extend IPCustomEntity = SrcIpAddr
+entityMappings:
+  - entityType: IP
+    fieldMappings:
+      - identifier: Address
+        columnName: IPCustomEntity

Solutions/ImpervaCloudWAF/Analytic Rules/ImpervaForbiddenCountry.yaml

@@ -0,0 +1,29 @@
+id: 58300723-22e0-4096-b33a-aa9b992c3564
+name: Imperva - Request from unexpected countries
+description: |
+  'Detects request attempts from unexpected countries.'
+severity: high
+requiredDataConnectors:
+  - connectorId: ImpervaWAFCloudAPI
+    dataTypes:
+      - ImpervaWAFCloud
+queryFrequency: 1h
+queryPeriod: 1h
+triggerOperator: gt
+triggerThreshold: 0
+tactics:
+  - InitialAccess
+relevantTechniques:
+  - T1190
+  - T1133
+query: |
+  let bl_country = dynamic(['CH', 'KR']);
+  ImpervaWAFCloud
+  | where Country in (bl_ports)
+  | where DvcAction !startswith 'REQ_BLOCKED' or DvcAction !startswith 'REQ_BAD_'
+  | extend IPCustomEntity = SrcIpAddr
+entityMappings:
+  - entityType: IP
+    fieldMappings:
+      - identifier: Address
+        columnName: IPCustomEntity

Solutions/ImpervaCloudWAF/Analytic Rules/ImpervaForbiddenMethod.yaml

@@ -0,0 +1,32 @@
+id: 7ebc9e24-319c-4786-9151-c898240463bc
+name: Imperva - Forbidden HTTP request method in request
+description: |
+  'Detects connections with unexpected HTTP request method.'
+severity: Medium
+requiredDataConnectors:
+  - connectorId: ImpervaWAFCloudAPI
+    dataTypes:
+      - ImpervaWAFCloud
+queryFrequency: 1h
+queryPeriod: 1h
+triggerOperator: gt
+triggerThreshold: 0
+tactics:
+  - InitialAccess
+relevantTechniques:
+  - T1190
+  - T1133
+query: |
+  let bl_http_methods = dynamic(['PUT', 'HEAD', 'OPTIONS', 'TRACE', 'POST']);
+  ImpervaWAFCloud
+  | where HttpRequestMethod in~ (bl_http_methods)
+  | extend IPCustomEntity = SrcIpAddr, UrlCustomEntity = UrlOriginal
+entityMappings:
+  - entityType: IP
+    fieldMappings:
+      - identifier: Address
+        columnName: IPCustomEntity
+  - entityType: URL
+    fieldMappings:
+      - identifier: Url
+        columnName: UrlCustomEntity

Solutions/ImpervaCloudWAF/Analytic Rules/ImpervaMaliciousClient.yaml

@@ -0,0 +1,32 @@
+id: 2ff35ed4-b26a-4cad-93a6-f67adb00e919
+name: Imperva - Malicious Client
+description: |
+  'Detects connections from known malicious clients.'
+severity: Medium
+requiredDataConnectors:
+  - connectorId: ImpervaWAFCloudAPI
+    dataTypes:
+      - ImpervaWAFCloud
+queryFrequency: 1h
+queryPeriod: 1h
+triggerOperator: gt
+triggerThreshold: 0
+tactics:
+  - InitialAccess
+relevantTechniques:
+  - T1190
+  - T1133
+query: |
+  ImpervaWAFCloud
+  | where ClientApp in~ ('VulnerabilityScanner', 'DDoSBot', ClickBot','CommentSpamBot','HackingTool', 'SpamBot', 'Worm')
+  | where DvcAction !startswith 'REQ_BLOCKED' or DvcAction !startswith 'REQ_BAD_'
+  | extend IPCustomEntity = SrcIpAddr, UrlCustomEntity = QueryString
+entityMappings:
+  - entityType: IP
+    fieldMappings:
+      - identifier: Address
+        columnName: IPCustomEntity
+  - entityType: URL
+    fieldMappings:
+      - identifier: Url
+        columnName: UrlCustomEntity

Solutions/ImpervaCloudWAF/Analytic Rules/ImpervaMalicioussUA.yaml

@@ -0,0 +1,28 @@
+id: 905794a9-bc46-42b9-974d-5a2dd58110c5
+name: Imperva - Malicious user agent
+description: |
+  'Detects requests containing known malicious user agent strings.'
+severity: Medium
+requiredDataConnectors:
+  - connectorId: ImpervaWAFCloudAPI
+    dataTypes:
+      - ImpervaWAFCloud
+queryFrequency: 1h
+queryPeriod: 1h
+triggerOperator: gt
+triggerThreshold: 0
+tactics:
+  - InitialAccess
+relevantTechniques:
+  - T1190
+  - T1133
+query: |
+  ImpervaWAFCloud
+  | where HttpUserAgentOriginal contains 'Nikto' or HttpUserAgentOriginal contains '(hydra)' or HttpUserAgentOriginal contains 'advanced email extractor' or HttpUserAgentOriginal contains 'BFAC' or HttpUserAgentOriginal contains 'brutus' or HttpUserAgentOriginal contains 'cgichk' or HttpUserAgentOriginal contains 'cisco-torch' or HttpUserAgentOriginal contains 'scanner' or HttpUserAgentOriginal contains 'datacha0s' or HttpUserAgentOriginal contains 'dirbuster' or  HttpUserAgentOriginal contains 'grabber' or HttpUserAgentOriginal contains 'havij' or HttpUserAgentOriginal contains 'internet ninja' HttpUserAgentOriginal contains 'masscan' or HttpUserAgentOriginal contains 'morfeus' or HttpUserAgentOriginal contains 'mysqloit' or HttpUserAgentOriginal contains 'n-stealth' or HttpUserAgentOriginal contains 'nessus' or HttpUserAgentOriginal contains 'netsparker' or HttpUserAgentOriginal contains 'nmap nse' or HttpUserAgentOriginal contains 'nmap scripting engine' or HttpUserAgentOriginal contains 'nmap-nse' or HttpUserAgentOriginal contains 'nsauditor' or HttpUserAgentOriginal contains 'openvas' or HttpUserAgentOriginal contains 'pangolin' or HttpUserAgentOriginal contains 'qualys was' or HttpUserAgentOriginal contains 'security scan' or HttpUserAgentOriginal contains 'springenwerk' or HttpUserAgentOriginal contains 'sql power injector' or HttpUserAgentOriginal contains 'sqlmap' or HttpUserAgentOriginal contains 'sqlninja' or HttpUserAgentOriginal contains 'w3af.sf.net' or HttpUserAgentOriginal contains 'w3af.sourceforge.net' or HttpUserAgentOriginal contains 'w3af.org' or HttpUserAgentOriginal contains 'webbandit' or HttpUserAgentOriginal contains 'webinspect' or HttpUserAgentOriginal contains 'webvulnscan' or HttpUserAgentOriginal contains 'xmlrpc exploit' or HttpUserAgentOriginal contains 'WPScan' or HttpUserAgentOriginal contains 'XSpider' or HttpUserAgentOriginal contains 'Webster' or HttpUserAgentOriginal contains 'fantomCrew' or HttpUserAgentOriginal contains 'fantomBrowser'
+  | summarize count() by SrcIpAddr, bin(TimeGenerated, 5m)
+  | extend IPCustomEntity = SrcIpAddr
+entityMappings:
+  - entityType: IP
+    fieldMappings:
+      - identifier: Address
+        columnName: IPCustomEntity

Solutions/ImpervaCloudWAF/Analytic Rules/ImpervaMultipleUAsSource.yaml

@@ -0,0 +1,29 @@
+id: 4e8032eb-f04d-4a30-85d3-b74bf2c8f204
+name: Imperva - Multiple user agents from same source
+description: |
+  'Detects connections with unexpected HTTP request method.'
+severity: Medium
+requiredDataConnectors:
+  - connectorId: ImpervaWAFCloudAPI
+    dataTypes:
+      - ImpervaWAFCloud
+queryFrequency: 1h
+queryPeriod: 1h
+triggerOperator: gt
+triggerThreshold: 0
+tactics:
+  - InitialAccess
+relevantTechniques:
+  - T1190
+  - T1133
+query: |
+  let threshold = 10;
+  ImpervaWAFCloud
+  | summarize d_uas = dcount(HttpUserAgentOriginal) by SrcIpAddr, bin(TimeGenerated, 5m)
+  | where d_uas >= threshold
+  | extend IPCustomEntity = SrcIpAddr
+entityMappings:
+  - entityType: IP
+    fieldMappings:
+      - identifier: Address
+        columnName: IPCustomEntity

Solutions/ImpervaCloudWAF/Analytic Rules/ImpervaSuspiciousDstPort.yaml

@@ -0,0 +1,29 @@
+id: 0ba78922-033c-468c-82de-2974d7b1797d
+name: Imperva - Request to unexpected destination port
+description: |
+  'Detects request attempts to unexpected destination ports.'
+severity: high
+requiredDataConnectors:
+  - connectorId: ImpervaWAFCloudAPI
+    dataTypes:
+      - ImpervaWAFCloud
+queryFrequency: 1h
+queryPeriod: 1h
+triggerOperator: gt
+triggerThreshold: 0
+tactics:
+  - InitialAccess
+relevantTechniques:
+  - T1190
+  - T1133
+query: |
+  let bl_ports = dynamic(['22', '3389']);
+  ImpervaWAFCloud
+  | where DstPortNumber in (bl_ports)
+  | where DvcAction !startswith 'REQ_BLOCKED' or DvcAction !startswith 'REQ_BAD_'
+  | extend IPCustomEntity = SrcIpAddr
+entityMappings:
+  - entityType: IP
+    fieldMappings:
+      - identifier: Address
+        columnName: IPCustomEntity

Solutions/ImpervaCloudWAF/Hunting Queries/ImpervaDestinationBlocked.yaml

@@ -0,0 +1,27 @@
+id: e360c980-b515-4c27-921c-19d411bd059d
+name: Imperva - Top destinations with blocked requests
+description: |
+  'Query searches destination IP addresses requests to which were blocked by the service.'
+severity: Medium
+requiredDataConnectors:
+  - connectorId: ImpervaWAFCloudAPI
+    dataTypes:
+      - ImpervaWAFCloud
+tactics:
+  - InitialAccess
+  - Impact
+relevantTechniques:
+  - T1190
+  - T1133
+  - T1498
+query: |
+  ImpervaWAFCloud
+  | where TimeGenerated > ago(24h)
+  | where DvcAction startswith 'REQ_BLOCKED'
+  | summarize count() by DstIpAddr
+  | extend IPCustomEntity = DstIpAddr
+entityMappings:
+  - entityType: IP
+    fieldMappings:
+      - identifier: Address
+        columnName: IPCustomEntity

Solutions/ImpervaCloudWAF/Hunting Queries/ImpervaInsecureWebProtocolVersion.yaml

@@ -0,0 +1,24 @@
+id: 4cf72a93-537a-4c1f-83a3-0a5b743fe93e
+name: Imperva - Applications with insecure web protocol version
+description: |
+  'Query searches for with insecure web protocol version.'
+severity: Medium
+requiredDataConnectors:
+  - connectorId: ImpervaWAFCloudAPI
+    dataTypes:
+      - ImpervaWAFCloud
+tactics:
+  - InitialAccess
+relevantTechniques:
+  - T1190
+query: |
+  ImpervaWAFCloud
+  | where TimeGenerated > ago(24h)
+  | where NetworkApplicationProtocoVersion !startswith 'TLSv1.2'
+  | summarize count() by DstDomainHostname
+  | extend DomainNameCustom = DstDomainHostname
+entityMappings:
+  - entityType: DNS
+    fieldMappings:
+      - identifier: DomainName
+        columnName: CustomDomainName

Solutions/ImpervaCloudWAF/Hunting Queries/ImpervaNonWebApplication.yaml

@@ -0,0 +1,24 @@
+id: 1f99e54f-0e75-474e-8232-90963207f02b
+name: Imperva - Non HTTP/HTTPs applications
+description: |
+  'Query searches for non HTTP/HTTPs applications.'
+severity: Medium
+requiredDataConnectors:
+  - connectorId: ImpervaWAFCloudAPI
+    dataTypes:
+      - ImpervaWAFCloud
+tactics:
+  - InitialAccess
+relevantTechniques:
+  - T1190
+query: |
+  ImpervaWAFCloud
+  | where TimeGenerated > ago(24h)
+  | where NetworkApplicationProtocol !in~ ('HTTP', 'HTTPs')
+  | summarize count() by DstIpAddr, NetworkApplicationProtocol
+  | extend IPCustomEntity = DstIpAddr
+entityMappings:
+  - entityType: IP
+    fieldMappings:
+      - identifier: Address
+        columnName: IPCustomEntity

Solutions/ImpervaCloudWAF/Hunting Queries/ImpervaRareApplications.yaml

@@ -0,0 +1,25 @@
+id: 426a8b59-41ad-4022-bb01-cf914fd5687a
+name: Imperva - Rare applications
+description: |
+  'Query searches for rare application protocols.'
+severity: Medium
+requiredDataConnectors:
+  - connectorId: ImpervaWAFCloudAPI
+    dataTypes:
+      - ImpervaWAFCloud
+tactics:
+  - InitialAccess
+relevantTechniques:
+  - T1190
+query: |
+  ImpervaWAFCloud
+  | where TimeGenerated > ago(24h)
+  | where isnotempty(NetworkApplicationProtocol)
+  | summarize count() by NetworkApplicationProtocol
+  | top 5 by count_ asc
+  | extend AppCustomEntity = NetworkApplicationProtocol
+entityMappings:
+  - entityType: CloudApplication
+    fieldMappings:
+      - identifier: Name
+        columnName: AppCustomEntity

Solutions/ImpervaCloudWAF/Hunting Queries/ImpervaRareClientApplications.yaml

@@ -0,0 +1,25 @@
+id: 4a8a88af-4f40-40bd-aca8-e016dd6960de
+name: Imperva - Rare client applications
+description: |
+  'Query searches for rare client applications used.'
+severity: Medium
+requiredDataConnectors:
+  - connectorId: ImpervaWAFCloudAPI
+    dataTypes:
+      - ImpervaWAFCloud
+tactics:
+  - InitialAccess
+relevantTechniques:
+  - T1190
+query: |
+  ImpervaWAFCloud
+  | where TimeGenerated > ago(24h)
+  | where isnotempty(ClientApp)
+  | summarize count() by ClientApp
+  | top 10 by count_ asc
+  | extend AppCustomEntity = ClientApp
+entityMappings:
+  - entityType: CloudApplication
+    fieldMappings:
+      - identifier: Name
+        columnName: AppCustomEntity

Solutions/ImpervaCloudWAF/Hunting Queries/ImpervaRareDstPorts.yaml

@@ -0,0 +1,24 @@
+id: e68c3b84-7895-41d5-a9af-4ef776e82408
+name: Imperva - Rare destination ports
+description: |
+  'Query searches for requests for rare destination ports.'
+severity: Medium
+requiredDataConnectors:
+  - connectorId: ImpervaWAFCloudAPI
+    dataTypes:
+      - ImpervaWAFCloud
+tactics:
+  - InitialAccess
+relevantTechniques:
+  - T1190
+query: |
+  ImpervaWAFCloud
+  | where TimeGenerated > ago(24h)
+  | summarize count() by DstIpAddr, DstPortNumber
+  | top 20 by count asc
+  | extend IPCustomEntity = DstIpAddr
+entityMappings:
+  - entityType: IP
+    fieldMappings:
+      - identifier: Address
+        columnName: IPCustomEntity

Solutions/ImpervaCloudWAF/Hunting Queries/ImpervaRequestsFromBots.yaml

@@ -0,0 +1,24 @@
+id: 4cb3088c-445a-4a99-a90f-d583fe253a7d
+name: Imperva - request from known bots
+description: |
+  'Query searches for requests from known bots.'
+severity: Medium
+requiredDataConnectors:
+  - connectorId: ImpervaWAFCloudAPI
+    dataTypes:
+      - ImpervaWAFCloud
+tactics:
+  - InitialAccess
+relevantTechniques:
+  - T1190
+query: |
+  ImpervaWAFCloud
+  | where TimeGenerated > ago(24h)
+  | where ClientApp =~ 'Bot'
+  | summarize count() by SrcIpAddr, NetworkApplicationProtocol
+  | extend IPCustomEntity = SrcIpAddr
+entityMappings:
+  - entityType: IP
+    fieldMappings:
+      - identifier: Address
+        columnName: IPCustomEntity

Solutions/ImpervaCloudWAF/Hunting Queries/ImpervaSourceBlocked.yaml

@@ -0,0 +1,27 @@
+id: ec5b9eb6-f43a-40fc-ae65-2af9ae1e77ae
+name: Imperva - Top sources with blocked requests
+description: |
+  'Query searches source IP addresses with blocked requests.'
+severity: Medium
+requiredDataConnectors:
+  - connectorId: ImpervaWAFCloudAPI
+    dataTypes:
+      - ImpervaWAFCloud
+tactics:
+  - InitialAccess
+  - Impact
+relevantTechniques:
+  - T1190
+  - T1133
+  - T1498
+query: |
+  ImpervaWAFCloud
+  | where TimeGenerated > ago(24h)
+  | where DvcAction startswith 'REQ_BLOCKED'
+  | summarize count() by SrcIpAddr
+  | extend IPCustomEntity = SrcIpAddr
+entityMappings:
+  - entityType: IP
+    fieldMappings:
+      - identifier: Address
+        columnName: IPCustomEntity

Solutions/ImpervaCloudWAF/Hunting Queries/ImpervaTopApplicationsErrors.yaml

@@ -0,0 +1,29 @@
+id: 934f19a5-f4bc-47eb-a213-db918b097434
+name: Imperva - Top applications with error requests
+description: |
+  'Query searches for top applications with protocol or network errors.'
+severity: Medium
+requiredDataConnectors:
+  - connectorId: ImpervaWAFCloudAPI
+    dataTypes:
+      - ImpervaWAFCloud
+tactics:
+  - InitialAccess
+relevantTechniques:
+  - T1190
+query: |
+  ImpervaWAFCloud
+  | where TimeGenerated > ago(24h)
+  | where DvcAction startswith 'REQ_BAD_'
+  | summarize count() by DstIpAddr, DstDomainHostname
+  | top 10 by count_
+  | extend IPCustomEntity = DstIpAddr, DomainNameCustom = DstDomainHostname
+entityMappings:
+  - entityType: IP
+    fieldMappings:
+      - identifier: Address
+        columnName: IPCustomEntity
+  - entityType: DNS
+    fieldMappings:
+      - identifier: DomainName
+        columnName: CustomDomainName

Solutions/ImpervaCloudWAF/Hunting Queries/ImpervaTopSourcesErrors.yaml

@@ -0,0 +1,25 @@
+id: c359e40f-3a56-4e75-8dbb-41e5057bba64
+name: Imperva - Top sources with error requests
+description: |
+  'Query searches for top source IP addresses with protocol or network errors.'
+severity: Medium
+requiredDataConnectors:
+  - connectorId: ImpervaWAFCloudAPI
+    dataTypes:
+      - ImpervaWAFCloud
+tactics:
+  - InitialAccess
+relevantTechniques:
+  - T1190
+query: |
+  ImpervaWAFCloud
+  | where TimeGenerated > ago(24h)
+  | where DvcAction startswith 'REQ_BAD_'
+  | summarize count() by SrcIpAddr
+  | top 100 by count_
+  | extend IPCustomEntity = SrcIpAddr
+entityMappings:
+  - entityType: IP
+    fieldMappings:
+      - identifier: Address
+        columnName: IPCustomEntity

Solutions/ImpervaCloudWAF/Workbooks/Imperva WAF Cloud Overview.json

@@ -0,0 +1,407 @@
+{
+  "version": "Notebook/1.0",
+  "items": [
+    {
+      "type": 1,
+      "content": {
+        "json": "**NOTE**: This data connector depends on a parser based on Kusto Function **ImpervaWAFCloud** to work as expected. [Follow steps to get this Kusto Function](https://aka.ms/sentinel-ImpervaWAFCloud-parser)"
+      },
+      "name": "text - 8"
+    },
+    {
+      "type": 9,
+      "content": {
+        "version": "KqlParameterItem/1.0",
+        "parameters": [
+          {
+            "id": "cd8447d9-b096-4673-92d8-2a1e8291a125",
+            "version": "KqlParameterItem/1.0",
+            "name": "TimeRange",
+            "type": 4,
+            "description": "Sets the time name for analysis",
+            "value": {
+              "durationMs": 7776000000
+            },
+            "typeSettings": {
+              "selectableValues": [
+                {
+                  "durationMs": 900000
+                },
+                {
+                  "durationMs": 3600000
+                },
+                {
+                  "durationMs": 86400000
+                },
+                {
+                  "durationMs": 604800000
+                },
+                {
+                  "durationMs": 2592000000
+                },
+                {
+                  "durationMs": 7776000000
+                }
+              ]
+            },
+            "timeContext": {
+              "durationMs": 86400000
+            }
+          }
+        ],
+        "style": "pills",
+        "queryType": 0,
+        "resourceType": "microsoft.operationalinsights/workspaces"
+      },
+      "name": "parameters - 11"
+    },
+    {
+      "type": 3,
+      "content": {
+        "version": "KqlItem/1.0",
+        "query": "ImpervaWAFCloud\r\n| make-series TotalEvents = count() default = 0 on TimeGenerated from {TimeRange:start} to {TimeRange:end} step {TimeRange:grain};",
+        "size": 0,
+        "title": "Events Over Time",
+        "timeContext": {
+          "durationMs": 7776000000
+        },
+        "timeContextFromParameter": "TimeRange",
+        "queryType": 0,
+        "resourceType": "microsoft.operationalinsights/workspaces",
+        "visualization": "timechart",
+        "graphSettings": {
+          "type": 0
+        }
+      },
+      "customWidth": "60",
+      "name": "query - 12",
+      "styleSettings": {
+        "maxWidth": "55"
+      }
+    },
+    {
+      "type": 3,
+      "content": {
+        "version": "KqlItem/1.0",
+        "query": "//Total Http status code  result\r\nImpervaWAFCloud\r\n| where isnotempty(HttpStatusCode)\r\n| extend HttpStatus = case( \r\n    HttpStatusCode startswith \"2\", \"Success\", \r\n    HttpStatusCode startswith \"4\", \"Client Error\",\r\n    HttpStatusCode startswith \"5\", \"Server Error\",\r\n    \"Unknown\")\r\n| summarize TotalHttpStatus = count() by HttpStatus",
+        "size": 3,
+        "title": "HTTP Status Codes",
+        "timeContext": {
+          "durationMs": 7776000000
+        },
+        "timeContextFromParameter": "TimeRange",
+        "queryType": 0,
+        "resourceType": "microsoft.operationalinsights/workspaces",
+        "visualization": "piechart"
+      },
+      "customWidth": "30",
+      "name": "query - 0",
+      "styleSettings": {
+        "maxWidth": "30"
+      }
+    },
+    {
+      "type": 12,
+      "content": {
+        "version": "NotebookGroup/1.0",
+        "groupType": "editable",
+        "items": [
+          {
+            "type": 12,
+            "content": {
+              "version": "NotebookGroup/1.0",
+              "groupType": "editable",
+              "items": [
+                {
+                  "type": 3,
+                  "content": {
+                    "version": "KqlItem/1.0",
+                    "query": "ImpervaWAFCloud\r\n| where isnotempty(SrcIpAddr)\r\n| summarize dcount(SrcIpAddr) ",
+                    "size": 3,
+                    "title": "Unique IP Addresses",
+                    "timeContext": {
+                      "durationMs": 7776000000
+                    },
+                    "timeContextFromParameter": "TimeRange",
+                    "queryType": 0,
+                    "resourceType": "microsoft.operationalinsights/workspaces",
+                    "visualization": "card",
+                    "textSettings": {
+                      "style": "bignumber"
+                    }
+                  },
+                  "name": "query - 0"
+                }
+              ]
+            },
+            "name": "group - 1"
+          },
+          {
+            "type": 12,
+            "content": {
+              "version": "NotebookGroup/1.0",
+              "groupType": "editable",
+              "items": [
+                {
+                  "type": 3,
+                  "content": {
+                    "version": "KqlItem/1.0",
+                    "query": "ImpervaWAFCloud\r\n| where isnotempty(DstDomainHostname) \r\n| summarize dcount(DstDomainHostname)",
+                    "size": 3,
+                    "title": "Unique Domains",
+                    "timeContext": {
+                      "durationMs": 7776000000
+                    },
+                    "timeContextFromParameter": "TimeRange",
+                    "queryType": 0,
+                    "resourceType": "microsoft.operationalinsights/workspaces",
+                    "visualization": "card",
+                    "textSettings": {
+                      "style": "bignumber"
+                    }
+                  },
+                  "name": "query - 0"
+                }
+              ]
+            },
+            "name": "group - 2"
+          },
+          {
+            "type": 12,
+            "content": {
+              "version": "NotebookGroup/1.0",
+              "groupType": "editable",
+              "items": [
+                {
+                  "type": 3,
+                  "content": {
+                    "version": "KqlItem/1.0",
+                    "query": "ImpervaWAFCloud\r\n| where DvcAction startswith 'REQ_BLOCKED'\r\n| count",
+                    "size": 3,
+                    "title": "Total blocked requests",
+                    "noDataMessage": "0",
+                    "timeContext": {
+                      "durationMs": 7776000000
+                    },
+                    "timeContextFromParameter": "TimeRange",
+                    "queryType": 0,
+                    "resourceType": "microsoft.operationalinsights/workspaces",
+                    "visualization": "card",
+                    "textSettings": {
+                      "style": "bignumber"
+                    }
+                  },
+                  "name": "query - 0"
+                }
+              ]
+            },
+            "name": "group - 2"
+          }
+        ]
+      },
+      "customWidth": "10",
+      "name": "group - 9",
+      "styleSettings": {
+        "maxWidth": "100",
+        "showBorder": true
+      }
+    },
+    {
+      "type": 3,
+      "content": {
+        "version": "KqlItem/1.0",
+        "query": "ImpervaWAFCloud\r\n| where isnotempty(SrcIpAddr)\r\n| summarize count() by SrcIpAddr\r\n| project-rename SourceIP=SrcIpAddr\r\n| top 10 by count_ ",
+        "size": 3,
+        "title": "Top 10 Sources",
+        "timeContext": {
+          "durationMs": 7776000000
+        },
+        "timeContextFromParameter": "TimeRange",
+        "queryType": 0,
+        "resourceType": "microsoft.operationalinsights/workspaces",
+        "visualization": "piechart"
+      },
+      "customWidth": "34",
+      "name": "query - 1"
+    },
+    {
+      "type": 3,
+      "content": {
+        "version": "KqlItem/1.0",
+        "query": "ImpervaWAFCloud\r\n| where DvcAction startswith 'REQ_BLOCKED'\r\n| summarize count() by SrcIpAddr\r\n| project-rename SourceIP = SrcIpAddr\r\n| top 10 by count_ desc ",
+        "size": 3,
+        "title": "Top Source IP addresses with blocked requests",
+        "timeContext": {
+          "durationMs": 7776000000
+        },
+        "timeContextFromParameter": "TimeRange",
+        "queryType": 0,
+        "resourceType": "microsoft.operationalinsights/workspaces",
+        "visualization": "table"
+      },
+      "customWidth": "33",
+      "name": "query - 3",
+      "styleSettings": {
+        "margin": "10",
+        "padding": "10"
+      }
+    },
+    {
+      "type": 3,
+      "content": {
+        "version": "KqlItem/1.0",
+        "query": "ImpervaWAFCloud\r\n| where isnotempty(Country)\r\n| summarize count() by Country\r\n| top 10 by count_ desc ",
+        "size": 3,
+        "title": "Top Source IP addresses with client error",
+        "timeContext": {
+          "durationMs": 7776000000
+        },
+        "timeContextFromParameter": "TimeRange",
+        "queryType": 0,
+        "resourceType": "microsoft.operationalinsights/workspaces",
+        "visualization": "piechart",
+        "gridSettings": {
+          "sortBy": [
+            {
+              "itemKey": "TotalEvents",
+              "sortOrder": 2
+            }
+          ]
+        },
+        "sortBy": [
+          {
+            "itemKey": "TotalEvents",
+            "sortOrder": 2
+          }
+        ]
+      },
+      "customWidth": "33",
+      "name": "query - 2"
+    },
+    {
+      "type": 3,
+      "content": {
+        "version": "KqlItem/1.0",
+        "query": "ImpervaWAFCloud\r\n| where isnotempty(DstDomainHostname)\r\n| summarize TotalEvents = count() by DstDomainHostname\r\n| top 10 by TotalEvents desc",
+        "size": 3,
+        "title": "Top destination hosts",
+        "timeContext": {
+          "durationMs": 7776000000
+        },
+        "timeContextFromParameter": "TimeRange",
+        "queryType": 0,
+        "resourceType": "microsoft.operationalinsights/workspaces",
+        "visualization": "table"
+      },
+      "customWidth": "30",
+      "name": "query - 8"
+    },
+    {
+      "type": 3,
+      "content": {
+        "version": "KqlItem/1.0",
+        "query": "ImpervaWAFCloud\r\n| extend File = extract(@\".*\\/([a-zA-Z0-9-._]*)\", 1, tostring(QueryString))\r\n| where isnotempty(File)\r\n| sort by TimeGenerated desc \r\n| project File, strcat(iff(HttpStatusCode startswith \"4\" or HttpStatusCode startswith \"5\", '❌', '✅')), HttpStatusCode\r\n| project-rename Result = Column1, FileName=File",
+        "size": 0,
+        "title": "Latest files accessed",
+        "timeContext": {
+          "durationMs": 7776000000
+        },
+        "timeContextFromParameter": "TimeRange",
+        "queryType": 0,
+        "resourceType": "microsoft.operationalinsights/workspaces",
+        "gridSettings": {
+          "rowLimit": 50,
+          "filter": true
+        }
+      },
+      "customWidth": "35",
+      "name": "query - 12",
+      "styleSettings": {
+        "maxWidth": "33"
+      }
+    },
+    {
+      "type": 3,
+      "content": {
+        "version": "KqlItem/1.0",
+        "query": "ImpervaWAFCloud\r\n| where isnotempty(ClientApp)\r\n| summarize count() by ClientApp",
+        "size": 3,
+        "title": "Client application types",
+        "timeContext": {
+          "durationMs": 7776000000
+        },
+        "timeContextFromParameter": "TimeRange",
+        "queryType": 0,
+        "resourceType": "microsoft.operationalinsights/workspaces",
+        "visualization": "piechart",
+        "gridSettings": {
+          "rowLimit": 10
+        },
+        "graphSettings": {
+          "type": 0,
+          "topContent": {
+            "columnMatch": "SrcIpAddr",
+            "formatter": 1
+          },
+          "centerContent": {
+            "columnMatch": "LargeRequest",
+            "formatter": 1,
+            "numberFormat": {
+              "unit": 17,
+              "options": {
+                "maximumSignificantDigits": 3,
+                "maximumFractionDigits": 2
+              }
+            }
+          }
+        },
+        "chartSettings": {
+          "showMetrics": false,
+          "showLegend": true
+        }
+      },
+      "customWidth": "30",
+      "name": "query - 7"
+    },
+    {
+      "type": 3,
+      "content": {
+        "version": "KqlItem/1.0",
+        "query": "ImpervaWAFCloud\n| where isnotempty(SrcIpAddr)\n| summarize by SrcIpAddr, SrcGeoLatitude, SrcGeoLongitude",
+        "size": 3,
+        "title": "Attack Map",
+        "color": "redBright",
+        "timeContext": {
+          "durationMs": 0
+        },
+        "timeContextFromParameter": "TimeRange",
+        "queryType": 0,
+        "resourceType": "microsoft.operationalinsights/workspaces",
+        "visualization": "map",
+        "gridSettings": {
+          "filter": true
+        },
+        "mapSettings": {
+          "locInfo": "LatLong",
+          "latitude": "SrcGeoLatitude",
+          "longitude": "SrcGeoLongitude",
+          "sizeSettings": "SrcIpAddr",
+          "sizeAggregation": "Count",
+          "defaultSize": 20,
+          "labelSettings": "SrcIpAddr",
+          "legendMetric": "SrcIpAddr",
+          "legendAggregation": "Count",
+          "itemColorSettings": {
+            "nodeColorField": "SrcIpAddr",
+            "colorAggregation": "Count",
+            "type": "heatmap",
+            "heatmapPalette": "greenRed"
+          }
+        }
+      },
+      "name": "query - 11"
+    }
+  ],
+  "fromTemplateId": "sentinel-ImpervaWAFCloudWorkbook",
+  "$schema": "https://github.com/Microsoft/Application-Insights-Workbooks/blob/master/schema/workbook.json"
+}