diff --git a/Azure WAF/Playbook - Sentinel additional detections/Application Gateway WAF Detection for Protocol Attacks [HTTP] - Azure Diagnostics.json b/Azure WAF/Playbook - Sentinel additional detections/Application Gateway WAF Detection for Protocol Attacks [HTTP] - Azure Diagnostics.json
new file mode 100644
index 00000000..b48f0758
--- /dev/null
+++ b/Azure WAF/Playbook - Sentinel additional detections/Application Gateway WAF Detection for Protocol Attacks [HTTP] - Azure Diagnostics.json
@@ -0,0 +1,23 @@
+let Threshold = 3;
+AzureDiagnostics
+| where Category == "ApplicationGatewayFirewallLog"
+| where action_s == "Matched"
+| where Message has_any ("HTTP Header Injection", "HTTP Response Splitting", "HTTP Splitting", "LDAP Injection")
+| where ruleId_s startswith "921"
+| where ruleGroup_s startswith "PROTOCOL-ATTACK"
+| project transactionId_g, hostname_s, requestUri_s, TimeGenerated, clientIp_s, Message, details_message_s, details_data_s
+| join kind = inner(
+    AzureDiagnostics
+    | where Category =~ "ApplicationGatewayFirewallLog"
+    | where action_s =~ "Blocked"
+) on transactionId_g
+| summarize
+    StartTime = min(TimeGenerated),
+    EndTime = max(TimeGenerated),
+    TransactionID = make_set(transactionId_g, 100),
+    Message = make_set(Message, 100),
+    Detail_Message = make_set(details_message_s, 100),
+    Detail_Data = make_set(details_data_s, 100),
+    Total_TransactionId = dcount(transactionId_g)
+    by clientIp_s, action_s
+| where Total_TransactionId >= Threshold
\ No newline at end of file
diff --git a/Azure WAF/Playbook - Sentinel additional detections/Azure Front Door WAF Detection for Protocol Attacks [HTTP] - Azure Diagnostics.json b/Azure WAF/Playbook - Sentinel additional detections/Azure Front Door WAF Detection for Protocol Attacks [HTTP] - Azure Diagnostics.json
new file mode 100644
index 00000000..c32e714f
--- /dev/null
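Review bot: The left side of the join filters with case-sensitive `==` (`Category == "ApplicationGatewayFirewallLog"`, `action_s == "Matched"`) while the Blocked side uses `=~`; the two should agree, and `=~` is the safer choice for string columns coming from diagnostics, so change those two lines to `| where Category =~ "ApplicationGatewayFirewallLog"` and `| where action_s =~ "Matched"`. The `Message has_any (...)` list also narrows the detection to four messages even though `ruleId_s startswith "921"` and `ruleGroup_s startswith "PROTOCOL-ATTACK"` already scope the rule group, so any other rule in that group is dropped without a trace; if that is intended, add a comment such as `// Only these four PROTOCOL-ATTACK messages are in scope; other 921 rules are deliberately excluded`, otherwise drop the message filter. Separately, this file and the two that follow are stored as `.json` but hold a bare KQL query rather than a JSON document, which will mislead anything that loads detections by extension; `.kql`, or wrapping the query in the analytics-rule JSON, fits the content better.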
+++ b/Azure WAF/Playbook - Sentinel additional detections/Azure Front Door WAF Detection for Protocol Attacks [HTTP] - Azure Diagnostics.json
@@ -0,0 +1,21 @@
+let Threshold = 3;
+AzureDiagnostics
+| where Category =~ "FrontDoorWebApplicationFirewallLog"
+| where action_s =~ "AnomalyScoring"
+| where details_msg_s has_any ("HTTP Header Injection", "HTTP Response Splitting", "HTTP Splitting", "LDAP Injection")
+| where ruleName_s has "Microsoft_DefaultRuleSet-2.1-PROTOCOL-ATTACK"
+| project trackingReference_s, host_s, requestUri_s, TimeGenerated, clientIP_s, details_matches_s, details_msg_s, details_data_s
+| join kind = inner(
+    AzureDiagnostics
+    | where Category =~ "FrontDoorWebApplicationFirewallLog"
+    | where action_s =~ "Block"
+) on trackingReference_s
+| summarize
+    StartTime = min(TimeGenerated),
+    EndTime = max(TimeGenerated),
+    TrackingReference = make_set(trackingReference_s, 100),
+    Detail_Data = make_set(details_data_s, 100),
+    Detail_Message = make_set(details_msg_s, 100),
+    Total_TrackingReference = dcount(trackingReference_s)
+    by clientIP_s, action_s
+| where Total_TrackingReference >= Threshold
\ No newline at end of file
diff --git a/Azure WAF/Playbook - Sentinel additional detections/Resource-Specific - Application Gateway WAF Detection for Protocol Attacks [HTTP].json b/Azure WAF/Playbook - Sentinel additional detections/Resource-Specific - Application Gateway WAF Detection for Protocol Attacks [HTTP].json
new file mode 100644
index 00000000..8dff07fa
--- /dev/null
+++ b/Azure WAF/Playbook - Sentinel additional detections/Resource-Specific - Application Gateway WAF Detection for Protocol Attacks [HTTP].json
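Review bot: `ruleName_s has "Microsoft_DefaultRuleSet-2.1-PROTOCOL-ATTACK"` pins the detection to one Default Rule Set version, so a Front Door policy running any other version produces no alert from this query; unless 2.1 is the only version in scope, `| where ruleName_s has "PROTOCOL-ATTACK"` keeps the group filter without the version. `details_matches_s` is carried through `project` but never used in the `summarize`, so either drop it from the projection or surface it with `Detail_Matches = make_set(details_matches_s, 100)`. As with the Application Gateway variant, the `details_msg_s has_any` list limits the group to four messages, and a one-line comment stating that this is deliberate would save the next maintainer from guessing.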
@@ -0,0 +1,22 @@
+let Threshold = 3;
+AGWFirewallLogs
+| where Action == "Matched"
+| where FileDetails contains "PROTOCOL-ATTACK"
+| where Message startswith "HTTP"
+| where RuleId startswith "921"
+| project TransactionId, Hostname, RequestUri, TimeGenerated, ClientIp, Message, DetailedMessage, DetailedData
+| join kind=inner (
+    AGWFirewallLogs
+    | where Action == "Blocked"
+) on TransactionId
+| extend Uri = strcat(Hostname, RequestUri)
+| summarize
+    StartTime = min(TimeGenerated),
+    EndTime = max(TimeGenerated),
+    TransactionID = make_set(TransactionId, 100),
+    Message = make_set(Message, 100),
+    Detail_Message = make_set(DetailedMessage, 100),
+    Detail_Data = make_set(DetailedData, 100),
+    Total_TransactionId = dcount(TransactionId)
+    by ClientIp, Uri, Action
+| where Total_TransactionId >= Threshold
\ No newline at end of file
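Review bot: `Message startswith "HTTP"` silently drops the LDAP Injection rule that both Azure Diagnostics variants explicitly include in their `has_any` lists, so the three detections do not cover the same set of rules; aligning on `| where Message has_any ("HTTP Header Injection", "HTTP Response Splitting", "HTTP Splitting", "LDAP Injection")` keeps them consistent. This variant also aggregates `by ClientIp, Uri, Action` whereas the other two aggregate by client IP only, so a client blocked once on each of three different URIs crosses `Threshold` there but never here; if per-URI grouping is intended, say so in a comment, otherwise remove `Uri` from the `by` clause and keep it as `Uris = make_set(Uri, 100)`. If `FileDetails` holds the rules file name, `has "PROTOCOL-ATTACK"` is the cheaper operator than `contains` and matches the same rows.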