Create Malicious-Bots-Detection-Query for Azure WAF.json

Author: shabaz-github

Azure WAF/Playbook - Sentinel additional detections/Malicious-Bots-Detection-Query.json

@@ -0,0 +1,11 @@
+AzureDiagnostics
+| where Category in ("ApplicationGatewayFirewallLog", "FrontDoorWebApplicationFirewallLog")
+| where details_data_s matches regex "(Emotet|Zeus|TrickBot|Satori|Gootkit|Qbot|Ramnit|Necurs|Andromeda|DarkComet|Hajime|Reaper|VPNFilter|Carbanak|Dridex|Kovter|ZLoader|Agent Tesla|FormBook|spider|robot|emotet|zeus|trickBot|satori|gootkit|qbot|ramnit|necurs|andromeda|darkComet|hajime|reaper|vpnfilter|carbanak|dridex|kovter|zloader|agent tesla|formbook|spider|robot)"
+   or Message matches regex "(Emotet|Zeus|TrickBot|Satori|Gootkit|Qbot|Ramnit|Necurs|Andromeda|DarkComet|Hajime|Reaper|VPNFilter|Carbanak|Dridex|Kovter|ZLoader|Agent Tesla|FormBook|spider|robot|emotet|zeus|trickBot|satori|gootkit|qbot|ramnit|necurs|andromeda|darkComet|hajime|reaper|vpnfilter|carbanak|dridex|kovter|zloader|agent tesla|formbook|spider|robot)"
+   or details_message_s matches regex "(Emotet|Zeus|TrickBot|Satori|Gootkit|Qbot|Ramnit|Necurs|Andromeda|DarkComet|Hajime|Reaper|VPNFilter|Carbanak|Dridex|Kovter|ZLoader|Agent Tesla|FormBook|spider|robot|emotet|zeus|trickBot|satori|gootkit|qbot|ramnit|necurs|andromeda|darkComet|hajime|reaper|vpnfilter|carbanak|dridex|kovter|zloader|agent tesla|formbook|spider|robot)"
+   or details_msg_s matches regex "(Emotet|Zeus|TrickBot|Satori|Gootkit|Qbot|Ramnit|Necurs|Andromeda|DarkComet|Hajime|Reaper|VPNFilter|Carbanak|Dridex|Kovter|ZLoader|Agent Tesla|FormBook|spider|robot|emotet|zeus|trickBot|satori|gootkit|qbot|ramnit|necurs|andromeda|darkComet|hajime|reaper|vpnfilter|carbanak|dridex|kovter|zloader|agent tesla|formbook|spider|robot)"
+   or details_data_s matches regex "(Emotet|Zeus|TrickBot|Satori|Gootkit|Qbot|Ramnit|Necurs|Andromeda|DarkComet|Hajime|Reaper|VPNFilter|Carbanak|Dridex|Kovter|ZLoader|Agent Tesla|FormBook|spider|robot|emotet|zeus|trickBot|satori|gootkit|qbot|ramnit|necurs|andromeda|darkComet|hajime|reaper|vpnfilter|carbanak|dridex|kovter|zloader|agent tesla|formbook|spider|robot)"
+| extend CombinedDetails = strcat(details_data_s, " ", Message, " ", details_message_s, " ", details_msg_s)
+| summarize Count = count(), Details = make_list(CombinedDetails) by Threat = extract("(?i)(Emotet|Zeus|TrickBot|Satori|Gootkit|Qbot|Ramnit|Necurs|Andromeda|DarkComet|Hajime|Reaper|VPNFilter|Carbanak|Dridex|Kovter|ZLoader|Agent Tesla|FormBook|spider|robot|emotet|zeus|trickBot|satori|gootkit|qbot|ramnit|necurs|andromeda|darkComet|hajime|reaper|vpnfilter|carbanak|dridex|kovter|zloader|agent tesla|formbook|spider|robot)", 1, CombinedDetails)
+| project Threat, Count, Details
+| order by Count desc