WAF Detection for Protocol Attacks

Files Added:
Application Gateway WAF Detection for Protocol Attacks [HTTP] - Azure Diagnostics. Json
Azure Front Door WAF Detection for Protocol Attacks [HTTP] - Azure Diagnostics. Json
Resource-Specific - Application Gateway WAF Detection for Protocol Attacks [HTTP].Json

Author: andrewmathuj

Azure WAF/Playbook - Sentinel additional detections/Application Gateway WAF Detection for Protocol Attacks [HTTP] - Azure Diagnostics.json

@@ -0,0 +1,23 @@
+let Threshold = 3;
+AzureDiagnostics
+| where Category == "ApplicationGatewayFirewallLog"
+| where action_s == "Matched"
+| where Message has_any ("HTTP Header Injection", "HTTP Response Splitting", "HTTP Splitting", "LDAP Injection")
+| where ruleId_s startswith "921"
+| where ruleGroup_s startswith "PROTOCOL-ATTACK"
+| project transactionId_g, hostname_s, requestUri_s, TimeGenerated, clientIp_s, Message, details_message_s, details_data_s
+| join kind = inner(
+    AzureDiagnostics
+    | where Category =~ "ApplicationGatewayFirewallLog"
+    | where action_s =~ "Blocked"
+) on transactionId_g
+| summarize 
+    StartTime = min(TimeGenerated),
+    EndTime = max(TimeGenerated),
+    TransactionID = make_set(transactionId_g, 100),
+    Message = make_set(Message, 100),
+    Detail_Message = make_set(details_message_s, 100),
+    Detail_Data = make_set(details_data_s, 100),
+    Total_TransactionId = dcount(transactionId_g)
+  by clientIp_s, action_s
+| where Total_TransactionId >= Threshold

Azure WAF/Playbook - Sentinel additional detections/Azure Front Door WAF Detection for Protocol Attacks [HTTP] - Azure Diagnostics.json

@@ -0,0 +1,21 @@
+let Threshold = 3;
+AzureDiagnostics
+| where Category =~ "FrontDoorWebApplicationFirewallLog"
+| where action_s =~ "AnomalyScoring"
+| where details_msg_s has_any ("HTTP Header Injection", "HTTP Response Splitting", "HTTP Splitting", "LDAP Injection")
+| where ruleName_s has "Microsoft_DefaultRuleSet-2.1-PROTOCOL-ATTACK"
+| project trackingReference_s, host_s, requestUri_s, TimeGenerated, clientIP_s, details_matches_s, details_msg_s, details_data_s
+| join kind = inner(
+    AzureDiagnostics
+    | where Category =~ "FrontDoorWebApplicationFirewallLog"
+    | where action_s =~ "Block"
+) on trackingReference_s
+| summarize 
+    StartTime = min(TimeGenerated),
+    EndTime = max(TimeGenerated),
+    TrackingReference = make_set(trackingReference_s, 100),
+    Detail_Data = make_set(details_data_s, 100),
+    Detail_Message = make_set(details_msg_s, 100),
+    Total_TrackingReference = dcount(trackingReference_s)
+  by clientIP_s, action_s
+| where Total_TrackingReference >= Threshold

Azure WAF/Playbook - Sentinel additional detections/Resource-Specific - Application Gateway WAF Detection for Protocol Attacks [HTTP].json

@@ -0,0 +1,22 @@
+let Threshold = 3;
+AGWFirewallLogs
+| where Action == "Matched"
+| where FileDetails contains "PROTOCOL-ATTACK"
+| where Message startswith "HTTP"
+| where RuleId startswith "921"
+| project TransactionId, Hostname, RequestUri, TimeGenerated, ClientIp, Message, DetailedMessage, DetailedData
+| join kind=inner (
+    AGWFirewallLogs
+    | where Action == "Blocked"
+) on TransactionId
+| extend Uri = strcat(Hostname, RequestUri)
+| summarize
+    StartTime = min(TimeGenerated),
+    EndTime = max(TimeGenerated),
+    TransactionID = make_set(TransactionId, 100),
+    Message = make_set(Message, 100),
+    Detail_Message = make_set(DetailedMessage, 100),
+    Detail_Data = make_set(DetailedData, 100),
+    Total_TransactionId = dcount(TransactionId)
+ by ClientIp, Uri, Action
+| where Total_TransactionId >= Threshold