Merge pull request Azure#13138 from Azure/v-sabiraj-updatingrules

v-dvedak · web-flow · commit 605b5b9d1d05 · 2025-12-08T12:27:34.000+05:30
Improve URL entity mapping in Cloudflare analytic rules
diff --git a/Solutions/Cloudflare/Analytic Rules/CloudflareBadClientIp.yaml b/Solutions/Cloudflare/Analytic Rules/CloudflareBadClientIp.yaml
@@ -21,16 +21,15 @@ query: |
   let ip_reputation = dynamic(['unknown', 'badHost', 'greylist', 'securityScanner', 'scan', 'tor']);
   Cloudflare
   | where ClientIPClass in~ (ip_reputation)
-  | extend IPCustomEntity = SrcIpAddr
-  | extend UrlCustomEntity = ClientRequestURI
+  | extend CompleteUrl = strcat(HttpRequestHeaderHost,ClientRequestPath)
 entityMappings:
   - entityType: IP
     fieldMappings:
       - identifier: Address
-        columnName: IPCustomEntity
+        columnName: SrcIpAddr
   - entityType: URL
     fieldMappings:
       - identifier: Url
-        columnName: UrlCustomEntity
-version: 1.0.0
+        columnName: CompleteUrl
+version: 1.0.1
 kind: Scheduled
diff --git a/Solutions/Cloudflare/Analytic Rules/CloudflareEmptyUA.yaml b/Solutions/Cloudflare/Analytic Rules/CloudflareEmptyUA.yaml
@@ -20,11 +20,10 @@ relevantTechniques:
 query: |
   Cloudflare
   | where isempty(HttpUserAgentOriginal)
-  | extend IPCustomEntity = SrcIpAddr
 entityMappings:
   - entityType: IP
     fieldMappings:
       - identifier: Address
-        columnName: IPCustomEntity
-version: 1.0.0
+        columnName: SrcIpAddr
+version: 1.0.1
 kind: Scheduled
diff --git a/Solutions/Cloudflare/Analytic Rules/CloudflareMultipleErrorsSource.yaml b/Solutions/Cloudflare/Analytic Rules/CloudflareMultipleErrorsSource.yaml
@@ -23,11 +23,10 @@ query: |
   | where HttpRequestMethod =~ 'GET'
   | summarize err_cnt = count() by SrcIpAddr, bin(TimeGenerated, 5m)
   | where err_cnt > threshold
-  | extend IPCustomEntity = SrcIpAddr
 entityMappings:
   - entityType: IP
     fieldMappings:
       - identifier: Address
-        columnName: IPCustomEntity
-version: 1.0.0
+        columnName: SrcIpAddr
+version: 1.0.1
 kind: Scheduled
diff --git a/Solutions/Cloudflare/Analytic Rules/CloudflareMultipleUAs.yaml b/Solutions/Cloudflare/Analytic Rules/CloudflareMultipleUAs.yaml
@@ -23,11 +23,10 @@ query: |
   | where isnotempty(HttpUserAgentOriginal)
   | summarize d_ua = dcount(HttpUserAgentOriginal) by SrcIpAddr, bin(TimeGenerated, 3m)
   | where d_ua > threshold
-  | extend IPCustomEntity = SrcIpAddr
 entityMappings:
   - entityType: IP
     fieldMappings:
       - identifier: Address
-        columnName: IPCustomEntity
-version: 1.0.0
+        columnName: SrcIpAddr
+version: 1.0.1
 kind: Scheduled
diff --git a/Solutions/Cloudflare/Analytic Rules/CloudflareUnexpectedCountry.yaml b/Solutions/Cloudflare/Analytic Rules/CloudflareUnexpectedCountry.yaml
@@ -21,16 +21,15 @@ query: |
   let bl_countries = dynamic(['cn', 'hk']);
   Cloudflare
   | where SrcGeoCountry in~ (bl_countries)
-  | extend IPCustomEntity = SrcIpAddr
-  | extend UrlCustomEntity = ClientRequestURI
+  | extend CompleteUrl = strcat(HttpRequestHeaderHost,ClientRequestPath)
 entityMappings:
   - entityType: IP
     fieldMappings:
       - identifier: Address
-        columnName: IPCustomEntity
+        columnName: SrcIpAddr
   - entityType: URL
     fieldMappings:
       - identifier: Url
-        columnName: UrlCustomEntity
-version: 1.0.0
+        columnName: CompleteUrl
+version: 1.0.1
 kind: Scheduled
diff --git a/Solutions/Cloudflare/Analytic Rules/CloudflareUnexpectedPost.yaml b/Solutions/Cloudflare/Analytic Rules/CloudflareUnexpectedPost.yaml
@@ -25,11 +25,10 @@ query: |
   | where DstBytes != 0 or SrcBytes != 0
   | extend fe = extract(@'.*(\.\w+)$', 1, ClientRequestURI)
   | where fe in~ ('.jpg', '.jpeg', '.gif', '.png', '.icon', '.ico', '.xml', '.swf', '.svg', '.ppt', '.pttx', '.doc', '.docx', '.rtf', '.pdf', '.tif', '.zip', '.mov')
-  | extend IPCustomEntity = SrcIpAddr
 entityMappings:
   - entityType: IP
     fieldMappings:
       - identifier: Address
-        columnName: IPCustomEntity
-version: 1.0.0
+        columnName: SrcIpAddr
+version: 1.0.1
 kind: Scheduled
diff --git a/Solutions/Cloudflare/Analytic Rules/CloudflareUnexpectedRequest.yaml b/Solutions/Cloudflare/Analytic Rules/CloudflareUnexpectedRequest.yaml
@@ -21,12 +21,11 @@ query: |
   Cloudflare
   | where HttpRequestMethod =~ 'GET'
   | where DstBytes != 0 or SrcBytes != 0
-  | where ClientRequestURI has_any ('/admin', '/admin.php', 'wp-admin', '.htaccess', '/etc/shadow', '/etc/passwd', '/etc/hosts', '/etc/ssh/') 
-  | extend IPCustomEntity = SrcIpAddr
+  | where ClientRequestURI has_any ('/admin', '/admin.php', 'wp-admin', '.htaccess', '/etc/shadow', '/etc/passwd', '/etc/hosts', '/etc/ssh/')
 entityMappings:
   - entityType: IP
     fieldMappings:
       - identifier: Address
-        columnName: IPCustomEntity
-version: 1.0.1
+        columnName: SrcIpAddr
+version: 1.0.2
 kind: Scheduled
diff --git a/Solutions/Cloudflare/Analytic Rules/CloudflareUnexpectedUrl.yaml b/Solutions/Cloudflare/Analytic Rules/CloudflareUnexpectedUrl.yaml
@@ -22,11 +22,10 @@ query: |
   | where HttpRequestMethod =~ 'GET'
   | where DstBytes != 0 or SrcBytes != 0
   | where ClientRequestURI matches regex @'(127\.\d{1,3}\.\d{1,3}\.\d{1,3})|(10\.\d{1,3}\.\d{1,3}\.\d{1,3})|(172\.1[6-9]\.\d{1,3}\.\d{1,3})|(172\.2[0-9]\.\d{1,3}\.\d{1,3})|(172\.3[0-1]\.\d{1,3}\.\d{1,3})|(192\.168\.\d{1,3}\.\d{1,3})'
-  | extend IPCustomEntity = SrcIpAddr
 entityMappings:
   - entityType: IP
     fieldMappings:
       - identifier: Address
-        columnName: IPCustomEntity
-version: 1.0.0
+        columnName: SrcIpAddr
+version: 1.0.1
 kind: Scheduled
diff --git a/Solutions/Cloudflare/Analytic Rules/CloudflareWafThreatAllowed.yaml b/Solutions/Cloudflare/Analytic Rules/CloudflareWafThreatAllowed.yaml
@@ -21,16 +21,15 @@ query: |
   Cloudflare
   | where isnotempty(WAFRuleID) or isnotempty(WAFRuleMessage)
   | where WAFAction =~ 'Allow'
-  | extend IPCustomEntity = SrcIpAddr
-  | extend UrlCustomEntity = ClientRequestURI
+  | extend CompleteUrl = strcat(HttpRequestHeaderHost,ClientRequestPath)
 entityMappings:
   - entityType: IP
     fieldMappings:
       - identifier: Address
-        columnName: IPCustomEntity
+        columnName: SrcIpAddr
   - entityType: URL
     fieldMappings:
       - identifier: Url
-        columnName: UrlCustomEntity
-version: 1.0.0
+        columnName: CompleteUrl
+version: 1.0.1
 kind: Scheduled
diff --git a/Solutions/Cloudflare/Analytic Rules/CloudflareXSSProbingPattern.yaml b/Solutions/Cloudflare/Analytic Rules/CloudflareXSSProbingPattern.yaml
@@ -22,17 +22,16 @@ query: |
   Cloudflare
   | where HttpRequestMethod in~ ('POST', 'PUT')
   | extend susp_ch = countof(ClientRequestURI, '%00')
-  | where ClientRequestURI matches regex @'(alert\()|(alert\%28)|(String\.fromCharCode\()|(expression\(alert)' or susp_ch > s_threshold
-  | extend IPCustomEntity = SrcIpAddr
-  | extend UrlCustomEntity = ClientRequestURI
+  | where ClientRequestURI matches regex @'(alert\()|(alert\%28)|(String\.fromCharCode\()|(expression\(alert)' or susp_ch > s_threshold 
+  | extend CompleteUrl = strcat(HttpRequestHeaderHost,ClientRequestPath)
 entityMappings:
   - entityType: IP
     fieldMappings:
       - identifier: Address
-        columnName: IPCustomEntity
+        columnName: SrcIpAddr
   - entityType: URL
     fieldMappings:
       - identifier: Url
-        columnName: UrlCustomEntity
-version: 1.0.0
+        columnName: CompleteUrl
+version: 1.0.1
 kind: Scheduled
diff --git a/Solutions/Cloudflare/Package/3.0.2.zip b/Solutions/Cloudflare/Package/3.0.2.zip
diff --git a/Solutions/Cloudflare/Package/mainTemplate.json b/Solutions/Cloudflare/Package/mainTemplate.json
