Merge pull request #8784 from shabaz-github/master

Added 5 New Analytic Rule Detections for Azure WAF

Solutions/Azure Web Application Firewall (WAF)/Analytic Rules/AFD-WAF-Code-Injection.yaml

@@ -0,0 +1,53 @@
+id: ded8168e-c806-4772-af30-10576e0a7529
+name: AFD WAF - Code Injection 
+description: | 
+  'Identifies a match for a Code Injection based attack in the AFD WAF logs. The threshold value in the query can be changed as per your infrastructure's requirements.
+  References: https://owasp.org/www-community/attacks/Code_Injection'
+severity: High 
+status: Available
+requiredDataConnectors: 
+  - connectorId: WAF
+    dataTypes: 
+      - AzureDiagnostics
+queryFrequency: 6h 
+queryPeriod: 6h 
+triggerOperator: gt 
+triggerThreshold: 0 
+tactics: 
+  - DefenseEvasion
+  - Execution
+  - InitialAccess
+  - PrivilegeEscalation
+relevantTechniques:
+  - T1548
+  - T1203
+  - T1190
+  - T1548
+tags:
+  - Code Injection
+query:  | 
+ let Threshold = 3;
+ AzureDiagnostics
+ | where Category =~ "FrontDoorWebApplicationFirewallLog"
+ | where action_s =~ "AnomalyScoring"
+ | where details_msg_s has "Injection" or details_msg_s has "File Inclusion"
+ | parse details_data_s with MessageText "Matched Data:" MatchedData "AND " * "table_name FROM " TableName " " *
+ | project trackingReference_s, host_s, requestUri_s, TimeGenerated, clientIP_s, details_matches_s, details_msg_s, details_data_s, TableName, MatchedData
+ | join kind = inner(
+ AzureDiagnostics
+ | where Category =~ "FrontDoorWebApplicationFirewallLog"
+ | where action_s =~ "Block") on trackingReference_s
+ | summarize URI_s = make_set(requestUri_s,100), Table = make_set(TableName,100), StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), TrackingReference = make_set(trackingReference_s,100), Matched_Data = make_set(MatchedData,100), Detail_Data = make_set(details_data_s,100), Detail_Message = make_set(details_msg_s,100), Total_TrackingReference = dcount(trackingReference_s) by clientIP_s, host_s, action_s
+ | where Total_TrackingReference >= Threshold
+# The Threshold value above can be changed as per your infrastructure's requirement
+entityMappings:
+  - entityType: URL
+    fieldMappings:
+      - identifier: Url
+        columnName: URI_s
+  - entityType: IP
+    fieldMappings:
+      - identifier: Address
+        columnName: clientIP_s 
+version: 1.0.1
+kind: Scheduled

Solutions/Azure Web Application Firewall (WAF)/Analytic Rules/AFD-WAF-Path-Traversal-Attack.yaml

@@ -0,0 +1,55 @@
+id: a4d99328-e4e6-493d-b0d5-57e6f9ddae77
+name: AFD WAF - Path Traversal Attack 
+description: | 
+  'Identifies a match for a Path Traversal based attack in the AFD WAF logs. The threshold value in the query can be changed as per your infrastructure's requirements.
+  References: https://owasp.org/www-community/attacks/Path_Traversal'
+severity: High 
+status: Available 
+requiredDataConnectors: 
+  - connectorId: WAF
+    dataTypes: 
+      - AzureDiagnostics
+queryFrequency: 6h 
+queryPeriod: 6h 
+triggerOperator: gt 
+triggerThreshold: 0 
+tactics: 
+  - DefenseEvasion
+  - Execution
+  - InitialAccess
+  - PrivilegeEscalation
+  - Discovery
+relevantTechniques:
+  - T1548
+  - T1203
+  - T1190
+  - T1548
+  - T1087
+tags:
+  - Path Traversal
+query:  | 
+ let Threshold = 3;
+ AzureDiagnostics
+ | where Category =~ "FrontDoorWebApplicationFirewallLog"
+ | where action_s =~ "AnomalyScoring"
+ | where details_msg_s has "Path Traversal Attack"
+ | parse details_data_s with MessageText "Matched Data:" MatchedData "AND " * "table_name FROM " TableName " " *
+ | project trackingReference_s, host_s, requestUri_s, TimeGenerated, clientIP_s, details_matches_s, details_msg_s, details_data_s, TableName, MatchedData
+ | join kind = inner(
+ AzureDiagnostics
+ | where Category =~ "FrontDoorWebApplicationFirewallLog"
+ | where action_s =~ "Block") on trackingReference_s
+ | summarize URI_s = make_set(requestUri_s,100), Table = make_set(TableName,100), StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), TrackingReference = make_set(trackingReference_s,100), Matched_Data = make_set(MatchedData,100), Detail_Data = make_set(details_data_s,100), Detail_Message = make_set(details_msg_s,100), Total_TrackingReference = dcount(trackingReference_s) by clientIP_s, host_s, action_s
+ | where Total_TrackingReference >= Threshold
+# The Threshold value above can be changed as per your infrastructure's requirement
+entityMappings:
+  - entityType: URL
+    fieldMappings:
+      - identifier: Url
+        columnName: URI_s
+  - entityType: IP
+    fieldMappings:
+      - identifier: Address
+        columnName: clientIP_s 
+version: 1.0.1
+kind: Scheduled

Solutions/Azure Web Application Firewall (WAF)/Analytic Rules/App-GW-WAF-Code-Injection.yaml

@@ -0,0 +1,54 @@
+id: 912a18fc-6165-446b-8740-81ae6c3f75ee
+name: App GW WAF - Code Injection 
+description: | 
+  'Identifies a match for a Code Injection based attack in the App Gateway WAF logs. The threshold value in the query can be changed as per your infrastructure's requirements.
+  References: https://owasp.org/www-community/attacks/Code_Injection'
+severity: High 
+status: Available 
+requiredDataConnectors: 
+  - connectorId: WAF
+    dataTypes: 
+      - AzureDiagnostics
+queryFrequency: 6h 
+queryPeriod: 6h 
+triggerOperator: gt 
+triggerThreshold: 0 
+tactics: 
+  - DefenseEvasion
+  - Execution
+  - InitialAccess
+  - PrivilegeEscalation
+relevantTechniques:
+  - T1548
+  - T1203
+  - T1190
+  - T1548
+tags:
+  - Code Injection
+query:  | 
+ let Threshold = 3;  
+ AzureDiagnostics
+ | where Category == "ApplicationGatewayFirewallLog"
+ | where action_s == "Matched"
+ | where Message has "Injection" or Message has "File Inclusion"
+ | where ruleGroup_s == "REQUEST-932-APPLICATION-ATTACK-RCE" or ruleGroup_s == "REQUEST-931-APPLICATION-ATTACK-RFI" or ruleGroup_s == "REQUEST-932-APPLICATION-ATTACK-RCE" or ruleGroup_s == "REQUEST-933-APPLICATION-ATTACK-PHP" or ruleGroup_s == "REQUEST-942-APPLICATION-ATTACK-SQLI" or ruleGroup_s == "REQUEST-921-PROTOCOL-ATTACK" or ruleGroup_s == "REQUEST-941-APPLICATION-ATTACK-XSS"
+ | project transactionId_g, hostname_s, requestUri_s, TimeGenerated, clientIp_s, Message, details_message_s, details_data_s
+ | join kind = inner(
+ AzureDiagnostics
+ | where Category == "ApplicationGatewayFirewallLog"
+ | where action_s == "Blocked") on transactionId_g
+ | extend Uri = strcat(hostname_s,requestUri_s)
+ | summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), TransactionID = make_set(transactionId_g,100), Message = make_set(Message,100), Detail_Message = make_set(details_message_s,100), Detail_Data = make_set(details_data_s,100), Total_TransactionId = dcount(transactionId_g) by clientIp_s, Uri, action_s
+ | where Total_TransactionId >= Threshold
+# The Threshold value above can be changed as per your infrastructure's requirement
+entityMappings:
+  - entityType: URL
+    fieldMappings:
+      - identifier: Url
+        columnName: Uri
+  - entityType: IP
+    fieldMappings:
+      - identifier: Address
+        columnName: clientIp_s 
+version: 1.0.1
+kind: Scheduled

Solutions/Azure Web Application Firewall (WAF)/Analytic Rules/App-GW-WAF-Path-Traversal-Attack.yaml

@@ -0,0 +1,56 @@
+id: b6c3a8a6-d22c-4882-9c57-abc01690938b
+name: App GW WAF - Path Traversal Attack 
+description: | 
+  'Identifies a match for a Path Traversal based attack in the App Gateway WAF logs. The threshold value in the query can be changed as per your infrastructure's requirements.
+  References: https://owasp.org/www-community/attacks/Path_Traversal'
+severity: High
+status: Available 
+requiredDataConnectors: 
+  - connectorId: WAF
+    dataTypes: 
+      - AzureDiagnostics
+queryFrequency: 6h 
+queryPeriod: 6h 
+triggerOperator: gt 
+triggerThreshold: 0 
+tactics: 
+  - DefenseEvasion
+  - Execution
+  - InitialAccess
+  - PrivilegeEscalation
+  - Discovery
+relevantTechniques:
+  - T1548
+  - T1203
+  - T1190
+  - T1548
+  - T1087
+tags:
+  - Path Traversal
+query:  | 
+ let Threshold = 3;  
+ AzureDiagnostics
+ | where Category == "ApplicationGatewayFirewallLog"
+ | where action_s == "Matched"
+ | where Message has "Path Traversal Attack"
+ | where ruleGroup_s == "REQUEST-930-APPLICATION-ATTACK-LFI"
+ | project transactionId_g, hostname_s, requestUri_s, TimeGenerated, clientIp_s, Message, details_message_s, details_data_s
+ | join kind = inner(
+ AzureDiagnostics
+ | where Category == "ApplicationGatewayFirewallLog"
+ | where action_s == "Blocked") on transactionId_g
+ | extend Uri = strcat(hostname_s,requestUri_s)
+ | summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), TransactionID = make_set(transactionId_g,100), Message = make_set(Message,100), Detail_Message = make_set(details_message_s,100), Detail_Data = make_set(details_data_s,100), Total_TransactionId = dcount(transactionId_g) by clientIp_s, Uri, action_s
+ | where Total_TransactionId >= Threshold
+# The Threshold value above can be changed as per your infrastructure's requirement
+entityMappings:
+  - entityType: URL
+    fieldMappings:
+      - identifier: Url
+        columnName: Uri
+  - entityType: IP
+    fieldMappings:
+      - identifier: Address
+        columnName: clientIp_s 
+version: 1.0.1
+kind: Scheduled

Solutions/Azure Web Application Firewall (WAF)/Analytic Rules/App-GW-WAF-Scanner-detection.yaml

@@ -0,0 +1,57 @@
+id: 9b8dd8fd-f192-42eb-84f6-541920400a7a
+name: App Gateway WAF - Scanner Detection 
+description: | 
+  'Identifies a match for a Scanner detection user agent based attack in the App Gateway WAF logs. The threshold value in the query can be changed as per your infrastructure's requirements.
+  References: https://owasp.org/www-community/Vulnerability_Scanning_Tools'
+severity: High 
+status: Available 
+requiredDataConnectors: 
+  - connectorId: WAF
+    dataTypes: 
+      - AzureDiagnostics
+queryFrequency: 6h 
+queryPeriod: 6h 
+triggerOperator: gt 
+triggerThreshold: 0 
+tactics: 
+  - DefenseEvasion
+  - Execution
+  - InitialAccess
+  - Reconnaissance
+  - Discovery
+relevantTechniques:
+  - T1548
+  - T1203
+  - T1190
+  - T1595
+  - T1046
+tags:
+  - Scanner Detection
+query:  | 
+  let Threshold = 3;
+  AzureDiagnostics
+  | where Category == "ApplicationGatewayFirewallLog"
+  | where action_s == "Matched"
+  | where Message contains "Found User-Agent associated with security scanner"
+  | where ruleGroup_s == "REQUEST-913-SCANNER-DETECTION"
+  | project transactionId_g, hostname_s, requestUri_s, TimeGenerated, clientIp_s, Message, details_message_s, details_data_s
+  | join kind = inner(
+  AzureDiagnostics
+  | where Category == "ApplicationGatewayFirewallLog"
+  | where action_s == "Blocked"
+  ) on transactionId_g
+  | extend Uri = strcat(hostname_s,requestUri_s)
+  | summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), TransactionID = make_set(transactionId_g), Message = make_set(Message), Detail_Message = make_set(details_message_s), Detail_Data = make_set(details_data_s), Total_TransactionId = dcount(transactionId_g) by clientIp_s, Uri, action_s
+  | where Total_TransactionId >= Threshold
+# The Threshold value above can be changed as per your infrastructure's requirement
+entityMappings:
+  - entityType: URL
+    fieldMappings:
+      - identifier: Url
+        columnName: Uri
+  - entityType: IP
+    fieldMappings:
+      - identifier: Address
+        columnName: clientIp_s 
+version: 1.0.1
+kind: Scheduled