Quick Start Security for Azure WAF
Coralogix Extension For Azure WAF Includes:
Dashboards - 1
Gain instantaneous visualization of all your Azure WAF data.
Alerts - 12
Stay on top of Azure WAF key performance metrics. Keep everyone in the know with integration with Slack, PagerDuty and more.
More than usual number of blocked requests (50 above baseline)
This alert detects when more WAF requests than usual are blocked. WAF (web application firewall) is a system that allows or blocks access to web applications from certain locations or via insecure methods. A WAF can block thousands of requests per hour; this alert is configured to fire when the number of blocked requests is more than 50 above the usual number of blocked requests in the system. Note that the system takes 7 days to take a baseline snapshot of your regular environment and only then starts to alert on incoming logs. You can fine-tune this alert according to the desired threshold and your network behaviour and volumes.
Impact
A blocked request could indicate an attacker trying to access the system. A higher than usual number of blocked requests might indicate a brute-force or DDoS attack against your web applications or internet-facing endpoints. If a request was successful after a series of unsuccessful attempts, it might indicate a compromise of your environment.
Mitigation
Investigate the time frame of the blocked requests, the originating IP, and the ports and URLs the requests tried to access, and decide whether it was legitimate or malicious activity. If there is a concern that the system was compromised, further investigate the resource that the attacker tried to access and start an IR process to identify any possible breach.
MITRE Tactic: TA0001 MITRE Technique: T1190
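The baseline-plus-margin logic this alert describes, written out as an added example (not Coralogix's alert implementation). The record shape is constructed: a dict with an ISO-8601 `time` and an `action` of `Block`, `Allow` or `Log`. The page does not say how its baseline is computed, so the assumption here is the mean number of blocked requests per hour over the preceding 7 days; the detector stays silent until that much history exists, which is the learning-period behaviour the text describes.

```python
"""Baseline-plus-margin detector for blocked WAF requests.

Added example; not Coralogix's alert implementation. Assumed (constructed)
record shape: a dict with an ISO-8601 'time' and an 'action' that is
'Block', 'Allow' or 'Log'. Assumption: the baseline is the mean number of
blocked requests per hour over the preceding 7 days.
"""
from collections import Counter
from datetime import datetime, timedelta, timezone
from typing import Iterable, List, Optional

BASELINE_HOURS = 7 * 24   # the page: 7 days of history before alerting starts
MARGIN = 50               # the page: alert when 50 above baseline


def hour_bucket(ts: str) -> datetime:
    """Truncate an ISO-8601 timestamp to its UTC hour."""
    t = datetime.fromisoformat(ts.replace("Z", "+00:00")).astimezone(timezone.utc)
    return t.replace(minute=0, second=0, microsecond=0)


def blocked_per_hour(logs: Iterable[dict]) -> Counter:
    """Number of 'Block' actions in each hour bucket."""
    counts: Counter = Counter()
    for rec in logs:
        if rec.get("action") == "Block":
            counts[hour_bucket(rec["time"])] += 1
    return counts


def baseline_for(counts: Counter, current_hour: datetime) -> Optional[float]:
    """Mean blocked requests per hour over the 168 hours before current_hour.
    Returns None until 7 full days of history exist, so the alert stays silent
    during the learning period instead of firing on a thin baseline. Hours with
    no blocks count as zero rather than being skipped."""
    if not counts:
        return None
    start = current_hour - timedelta(hours=BASELINE_HOURS)
    if min(counts) > start:
        return None
    window = [counts.get(start + timedelta(hours=i), 0) for i in range(BASELINE_HOURS)]
    return sum(window) / BASELINE_HOURS


def evaluate(counts: Counter, current_hour: datetime, margin: int = MARGIN) -> dict:
    """Decide whether current_hour exceeds baseline + margin."""
    baseline = baseline_for(counts, current_hour)
    current = counts.get(current_hour, 0)
    if baseline is None:
        return {"alert": False, "reason": "baseline not ready",
                "current": current, "baseline": None}
    return {"alert": current > baseline + margin, "reason": "evaluated",
            "current": current, "baseline": baseline}


# ---- constructed sample data: 8 days at 3 blocks/hour, then one spike hour ----
START = datetime(2024, 1, 1, 0, 0, tzinfo=timezone.utc)


def hours_after(n: int) -> datetime:
    return START + timedelta(hours=n)


SPIKE_HOUR = hours_after(191)


def build_sample_logs() -> List[dict]:
    logs = []
    for h in range(192):
        t = (hours_after(h) + timedelta(minutes=7)).isoformat()
        blocks = 60 if h == 191 else 3
        logs += [{"time": t, "action": "Block"} for _ in range(blocks)]
        logs.append({"time": t, "action": "Allow"})
    return logs


SAMPLE_LOGS = build_sample_logs()

if __name__ == "__main__":
    counts = blocked_per_hour(SAMPLE_LOGS)
    print(evaluate(counts, hours_after(100)))   # still inside the 7-day learning period
    print(evaluate(counts, SPIKE_HOUR))         # 60 blocked vs baseline 3.0 + 50
```

The margin is absolute (50 requests), as on the page; for a site whose baseline is already thousands of blocks per hour a relative margin is usually the better tuning, which is the "fine-tune according to your volumes" remark in practice.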
WAF Policy Was Deleted
This alert detects when an Azure WAF policy was deleted. WAF (web application firewall) is a system that allows or blocks access to web applications from certain locations or via insecure methods.
Impact
A deleted WAF policy should be reviewed and validated, as it could indicate an attacker removing WAF defences and exposing the system to external vulnerabilities and access (such as C2 communication).
Mitigation
Investigate which policy was deleted and decide whether it was legitimate or malicious activity. Revert the change if needed and further investigate the user who performed the action.
MITRE Tactic: TA0005 MITRE Technique: T1562
WAF Policy Was Disabled
This alert detects when an Azure WAF policy was disabled. WAF (web application firewall) is a system that allows or blocks access to web applications from certain locations or via insecure methods.
Impact
A disabled WAF policy should be reviewed and validated, as it could indicate an attacker removing WAF defences and exposing the system to external vulnerabilities and access (such as C2 communication).
Mitigation
Investigate which policy was disabled and decide whether it was legitimate or malicious activity. Revert the change if needed and further investigate the user who performed the action.
MITRE Tactic: TA0005 MITRE Technique: T1562
WAF Policy Was Created or Modified
This alert detects when an Azure WAF policy was created or modified. WAF (web application firewall) is a system that allows or blocks access to web applications from certain locations or via insecure methods.
Impact
Unauthorized WAF control changes could indicate attacker activity and the exposure of customer applications to attacks.
Mitigation
Investigate what the policy change was (what was denied, allowed, created or changed) and decide whether it was legitimate or malicious activity. Revert the change if needed and investigate further.
MITRE Tactic: TA0003 MITRE Technique: T1098
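The three policy alerts above (deleted, disabled, created or modified) all come from control-plane events rather than WAF traffic logs. As an added example (not Coralogix's alert definitions), this classifier sorts Azure Activity Log style records into those three alerts with the MITRE mapping the page lists. Everything about the record shape is an assumption, not taken from this page: fields `operationName`, `status`, `caller` and `resourceId`; an operation name for a WAF policy that starts with the resource type in `POLICY_OP_PREFIX` and ends in `/write` or `/delete`; and, for writes, the submitted policy document available as JSON under `properties['requestbody']` with `properties.policySettings.enabledState` set to `Enabled` or `Disabled`. The resource id and caller in the sample are placeholders.

```python
"""Classify Azure Activity Log records that change a Front Door WAF policy
into the three alerts on this page (deleted, disabled, created/modified).

Added example; not Coralogix's alert definitions. All field names and the
operationName layout are assumptions (see lead-in), not taken from the page.
"""
import json
from typing import List, Optional

# assumed operationName prefix for WAF policies; compared case-insensitively
POLICY_OP_PREFIX = "microsoft.network/frontdoorwebapplicationfirewallpolicies/"

# alert name, MITRE tactic and technique exactly as listed on this page
ALERTS = {
    "deleted": ("WAF Policy Was Deleted", "TA0005", "T1562"),
    "disabled": ("WAF Policy Was Disabled", "TA0005", "T1562"),
    "created_or_modified": ("WAF Policy Was Created or Modified", "TA0003", "T1098"),
}


def enabled_state(record: dict) -> Optional[str]:
    """policySettings.enabledState from the write request body, if present (assumed location)."""
    body = (record.get("properties") or {}).get("requestbody")
    if not body:
        return None
    try:
        doc = json.loads(body) if isinstance(body, str) else body
    except ValueError:
        return None   # unparseable body: treat as an ordinary modification
    settings = (doc.get("properties") or {}).get("policySettings") or {}
    return settings.get("enabledState")


def classify_policy_change(record: dict) -> Optional[dict]:
    """Return an alert dict for a successful WAF policy delete/write, else None.
    Failed operations are skipped: none of the three page alerts covers them."""
    op = (record.get("operationName") or "").lower()
    if not op.startswith(POLICY_OP_PREFIX) or record.get("status") != "Succeeded":
        return None
    verb = op[len(POLICY_OP_PREFIX):]
    if verb == "delete":
        kind = "deleted"
    elif verb == "write":
        kind = "disabled" if enabled_state(record) == "Disabled" else "created_or_modified"
    else:
        return None   # reads, list operations and the like are not alerts
    name, tactic, technique = ALERTS[kind]
    return {"alert": name, "kind": kind, "caller": record.get("caller"),
            "resourceId": record.get("resourceId"), "tactic": tactic, "technique": technique}


def classify_all(records: List[dict]) -> List[Optional[dict]]:
    return [classify_policy_change(r) for r in records]


# ---- constructed sample records; resource id and caller are placeholders ----
RESOURCE = ("/subscriptions/<subscription-id>/resourceGroups/rg-web/providers/"
            "Microsoft.Network/frontdoorWebApplicationFirewallPolicies/wafpolicy1")


def _record(op: str, status: str, body: Optional[dict] = None) -> dict:
    rec = {"operationName": op, "status": status, "caller": "user@example.com",
           "resourceId": RESOURCE, "properties": {}}
    if body is not None:
        rec["properties"]["requestbody"] = json.dumps(body)
    return rec


SAMPLE_RECORDS = [
    _record("Microsoft.Network/frontdoorWebApplicationFirewallPolicies/delete", "Succeeded"),
    _record("Microsoft.Network/frontdoorWebApplicationFirewallPolicies/write", "Succeeded",
            {"properties": {"policySettings": {"enabledState": "Disabled", "mode": "Prevention"}}}),
    _record("Microsoft.Network/frontdoorWebApplicationFirewallPolicies/write", "Succeeded",
            {"properties": {"policySettings": {"enabledState": "Enabled", "mode": "Detection"}}}),
    _record("Microsoft.Network/frontdoorWebApplicationFirewallPolicies/delete", "Failed"),
    _record("Microsoft.Network/frontdoorWebApplicationFirewallPolicies/read", "Succeeded"),
]

if __name__ == "__main__":
    for result in classify_all(SAMPLE_RECORDS):
        print(result)
```

A disable is surfaced separately from an ordinary write because its impact matches a delete (protection is gone) while the resource still exists, which is why the page gives both the same TA0005/T1562 mapping and gives create/modify a different one.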
Brute Force on Login URLs
This alert triggers when a possible brute force attack is performed against a login page. Brute force attacks on login pages involve systematically attempting multiple combinations of usernames and passwords until a successful login is achieved. This technique relies on the assumption that weak or commonly used credentials can be guessed through exhaustive trial and error.
Impact
The impact varies depending on the success of the attack and the sensitivity of the targeted system, and can include account compromise, privilege escalation, data breach, resource exhaustion and a weakened security posture.
Mitigation
If the aggregated logs show actual login URLs that match your web application's login page, check whether the requests were intercepted by the WAF. If not, consider blocking the offending IP.
MITRE Tactic: TA0006 MITRE Technique: T1110
Possible Information Disclosure
This alert detects when a successful HTTP GET request (2XX response) targets a URL that ends with one of a set of specific file extensions (such as txt files) that can contain information that should not be exposed directly to the internet. The following file extensions are detected by this alert:
Configuration Files: .env, .config, .ini, .conf
Backup Files: .bak, .old, .zip
Log Files: .log, .txt, .log.txt
Source Code Files: .java, .py, .rb
Database Dump Files: .sql, .dump
Backup Scripts: .sh, .bat, .ps1
Private Keys and Certificates: .pem, .key, .p12, .crt
Please Note: This alert may require tuning based on the web application's usage (i.e. whether it serves any of the mentioned file extensions). File extensions can be added or removed, and the match condition can be tuned to a lower or higher rate of occurrence to match the operation of the web application.
Impact
Information disclosure attacks can have severe consequences for individuals and organizations and can result in a data and privacy breach.
Mitigation
Investigate the URLs and confirm whether they are legitimate and part of the web application's normal operation and purpose. If not, consider blocking the client IP on the Azure WAF.
MITRE Tactic: TA0009 MITRE Technique: T1048
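The extension check above has two details worth getting right: the match must run on the URL path only (a query string such as `?format=txt` must not count), and `.log.txt` must be reported under its own name rather than swallowed by `.txt`. This added example (not Coralogix's alert logic) implements the rule with the page's extension list; the record fields `httpMethod`, `httpStatusCode`, `requestUri` and `clientIp` are constructed names, and the `allowlist` parameter is an assumed tuning knob for paths the application legitimately serves.

```python
"""Flag successful GET requests for files whose extension should not be
served to the internet (the extension list on this page).

Added example; not Coralogix's alert logic. Record fields are constructed
names; the allowlist is an assumed tuning knob.
"""
from typing import Dict, Iterable, List, Optional, Tuple
from urllib.parse import unquote, urlsplit

# the page's extension list, by category
SENSITIVE_EXTENSIONS: Dict[str, Tuple[str, ...]] = {
    "Configuration Files": (".env", ".config", ".ini", ".conf"),
    "Backup Files": (".bak", ".old", ".zip"),
    "Log Files": (".log", ".txt", ".log.txt"),
    "Source Code Files": (".java", ".py", ".rb"),
    "Database Dump Files": (".sql", ".dump"),
    "Backup Scripts": (".sh", ".bat", ".ps1"),
    "Private Keys and Certificates": (".pem", ".key", ".p12", ".crt"),
}


def request_path(request_uri: str) -> str:
    """Path component only: query string and fragment never decide the file
    type, and percent-encoding (e.g. %2Eenv) is decoded before matching."""
    return unquote(urlsplit(request_uri).path).lower()


def sensitive_match(request_uri: str) -> Optional[Tuple[str, str]]:
    """(category, extension) for the longest matching extension, or None.
    Longest-wins means '/app.log.txt' is reported as '.log.txt', not '.txt'."""
    path = request_path(request_uri)
    best: Optional[Tuple[str, str]] = None
    for category, exts in SENSITIVE_EXTENSIONS.items():
        for ext in exts:
            if path.endswith(ext) and (best is None or len(ext) > len(best[1])):
                best = (category, ext)
    return best


def is_information_disclosure(rec: dict, allowlist: Iterable[str] = ()) -> Optional[dict]:
    """Alert payload for a 2XX GET of a sensitive file not on the allowlist, else None."""
    if rec.get("httpMethod") != "GET":
        return None
    status = int(rec.get("httpStatusCode", 0))
    if not 200 <= status < 300:
        return None   # a blocked or missing file disclosed nothing
    uri = rec.get("requestUri", "")
    path = request_path(uri)
    if path in {p.lower() for p in allowlist}:
        return None   # the application legitimately serves this path
    match = sensitive_match(uri)
    if match is None:
        return None
    return {"clientIp": rec.get("clientIp"), "path": path,
            "category": match[0], "extension": match[1]}


def scan(records: Iterable[dict], allowlist: Iterable[str] = ()) -> List[dict]:
    return [a for a in (is_information_disclosure(r, allowlist) for r in records) if a]


# constructed sample records (TEST-NET addresses)
SAMPLE_RECORDS = [
    {"clientIp": "203.0.113.5", "httpMethod": "GET", "httpStatusCode": 200, "requestUri": "/.env"},
    {"clientIp": "203.0.113.5", "httpMethod": "GET", "httpStatusCode": 200, "requestUri": "/logs/app.log.txt?download=1"},
    {"clientIp": "203.0.113.5", "httpMethod": "GET", "httpStatusCode": 404, "requestUri": "/backup.zip"},
    {"clientIp": "203.0.113.5", "httpMethod": "GET", "httpStatusCode": 200, "requestUri": "/%2Eenv"},
    {"clientIp": "198.51.100.9", "httpMethod": "GET", "httpStatusCode": 200, "requestUri": "/docs/readme.txt"},
    {"clientIp": "198.51.100.9", "httpMethod": "POST", "httpStatusCode": 200, "requestUri": "/upload.py"},
    {"clientIp": "198.51.100.9", "httpMethod": "GET", "httpStatusCode": 200, "requestUri": "/api/users?format=txt"},
]

if __name__ == "__main__":
    for alert in scan(SAMPLE_RECORDS, allowlist=("/docs/readme.txt",)):
        print(alert)
```

Running the sample with `/docs/readme.txt` allowlisted shows the tuning the page asks for: the public readme is dropped while the `.env` fetches (plain and percent-encoded) and the `.log.txt` download still fire, and the 404 for `backup.zip` never does because nothing was disclosed.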
Cross Site Scripting Attack
This alert detects when a Cross Site Scripting (XSS) attack may be taking place, based on triggered Azure WAF rules that contain a certain set of keywords representing XSS attacks, over a determined period of time in the context of a single IP address.
Impact
May be an indication of an XSS attack, which can have serious consequences for organizations, such as data theft, privacy breach and reputation damage.
Mitigation
Validate the requests intercepted by the Azure WAF. If they seem suspicious, investigate further by examining the source IPs, request URLs, and edge and origin response codes.
MITRE Tactic: TA0001 MITRE Technique: T1190
Remote Command Execution Attack
This alert detects when a Remote Code Execution (RCE) attack may be taking place, based on triggered Azure WAF rules that contain a certain set of keywords representing RCE attacks, over a determined period of time in the context of a single IP address.
Impact
May be an indication of an RCE attack, in which assets may be compromised by malicious actors.
Mitigation
Validate the requests intercepted by the Azure WAF. If they seem suspicious, investigate further by examining the source IPs, request URLs and response codes.
MITRE Tactic: TA0001 MITRE Technique: T1203
Common Vulnerability Attack
This alert fires when logs containing triggered Azure WAF rules mention a CVE over a determined period of time in the context of a single IP address.
Impact
Depends on the CVE mentioned; requires investigation.
Mitigation
Validate the requests intercepted by the Azure WAF. If they seem suspicious, investigate further by examining the source IPs, request URLs and response codes.
SQL Injection Attack
This alert detects when a SQL Injection (SQLi) attack may be taking place, based on triggered Azure WAF rules that contain a certain set of keywords representing SQLi attacks, over a determined period of time in the context of a single IP address.
Impact
May be an indication of an SQLi attack, which can have serious consequences for organizations, including data breach, application disruption and unauthorized access to organizational assets.
Mitigation
Validate the requests intercepted by the Azure WAF. If they seem suspicious, investigate further by examining the source IPs, request URLs, and edge and origin response codes.
MITRE Tactic: TA0001 MITRE Technique: T1059
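The XSS, RCE, CVE and SQLi alerts above, and the brute-force-on-login-URLs alert earlier on this page, share one shape: count events of a class per client IP inside a sliding time window and fire at a threshold. This added example (not Coralogix's alert logic) implements that aggregation once and applies it to both predicates. The record fields (`time`, `clientIp`, `httpMethod`, `requestUri`, `ruleName`, `action`) are constructed names; the assumption that managed rule names carry tokens such as `SQLI`, `XSS`, `RCE` is mine (the sample names imitate a `DefaultRuleSet-1.0-SQLI-942100` style); `LOGIN_MARKERS` are placeholder login paths to tune per application; the thresholds (5 login POSTs, 3 rule hits, within 5 minutes) are assumed, since the page does not state its own.

```python
"""Per-client-IP counting inside a sliding time window, the shape shared by the
login brute-force alert and the XSS / RCE / CVE / SQLi keyword alerts.

Added example; not Coralogix's alert logic. Field names, rule-name tokens,
login paths and thresholds are assumptions (see lead-in).
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone
from typing import Callable, Deque, Dict, List, Optional, Tuple

RULE_KEYWORDS = {   # alert name -> tokens looked for in the triggered rule name (assumed)
    "SQL Injection Attack": ("sqli",),
    "Cross Site Scripting Attack": ("xss",),
    "Remote Command Execution Attack": ("rce",),
    "Common Vulnerability Attack": ("cve-",),
}
LOGIN_MARKERS = ("/login", "/signin", "/auth/")   # placeholder login paths; tune per application
FIVE_MINUTES = timedelta(minutes=5)


def parse_time(ts: str) -> datetime:
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))


def attack_class(rec: dict) -> Optional[str]:
    """Alert name whose keyword appears in the triggered rule name, or None."""
    name = (rec.get("ruleName") or "").lower()
    for label, tokens in RULE_KEYWORDS.items():
        if any(tok in name for tok in tokens):
            return label
    return None


def login_attempt(rec: dict) -> Optional[str]:
    """'Brute Force on Login URLs' for a POST to a login path, else None."""
    path = (rec.get("requestUri") or "").split("?", 1)[0].lower()
    if rec.get("httpMethod") == "POST" and any(m in path for m in LOGIN_MARKERS):
        return "Brute Force on Login URLs"
    return None


def windowed_alerts(records: List[dict], classify: Callable[[dict], Optional[str]],
                    window: timedelta, threshold: int) -> List[Tuple[str, str, int, str]]:
    """Emit (alert, clientIp, count, time) the first time `threshold` events of
    one class from one IP fall inside `window`. A (class, ip) pair fires once,
    so a burst yields one alert rather than one per extra request; records are
    sorted first so out-of-order delivery does not break the window."""
    recent: Dict[Tuple[str, str], Deque[datetime]] = defaultdict(deque)
    fired = set()
    alerts: List[Tuple[str, str, int, str]] = []
    for rec in sorted(records, key=lambda r: parse_time(r["time"])):
        label = classify(rec)
        if label is None:
            continue
        pair = (label, rec["clientIp"])
        if pair in fired:
            continue
        t = parse_time(rec["time"])
        q = recent[pair]
        q.append(t)
        while q and t - q[0] > window:
            q.popleft()          # drop events that have aged out of the window
        if len(q) >= threshold:
            alerts.append((label, rec["clientIp"], len(q), rec["time"]))
            fired.add(pair)
    return alerts


# ---- constructed sample traffic (TEST-NET addresses, harmless query strings) ----
BASE = datetime(2024, 1, 1, 12, 0, tzinfo=timezone.utc)


def _rec(offset_s: int, ip: str, method: str = "GET", uri: str = "/",
         rule: str = "", action: str = "Log") -> dict:
    return {"time": (BASE + timedelta(seconds=offset_s)).isoformat(), "clientIp": ip,
            "httpMethod": method, "requestUri": uri, "ruleName": rule, "action": action}


SAMPLE = (
    # six POSTs to /login from one IP within two minutes
    [_rec(20 * i, "203.0.113.10", "POST", "/login") for i in range(6)]
    # three SQLI rule hits inside one minute, plus a single XSS hit
    + [_rec(0, "198.51.100.7", "GET", "/search?q=1", "DefaultRuleSet-1.0-SQLI-942100", "Block"),
       _rec(25, "198.51.100.7", "GET", "/search?q=2", "DefaultRuleSet-1.0-SQLI-942190", "Block"),
       _rec(50, "198.51.100.7", "GET", "/search?q=3", "DefaultRuleSet-1.0-SQLI-942200", "Block"),
       _rec(70, "198.51.100.7", "GET", "/search?q=4", "DefaultRuleSet-1.0-XSS-941100", "Block")]
    # two SQLI hits twenty minutes apart: never three inside a five-minute window
    + [_rec(0, "192.0.2.44", "GET", "/item?id=1", "DefaultRuleSet-1.0-SQLI-942100", "Block"),
       _rec(1200, "192.0.2.44", "GET", "/item?id=2", "DefaultRuleSet-1.0-SQLI-942100", "Block")]
)


def brute_force_alerts(records: List[dict] = SAMPLE, threshold: int = 5):
    return windowed_alerts(records, login_attempt, FIVE_MINUTES, threshold)


def rule_keyword_alerts(records: List[dict] = SAMPLE, threshold: int = 3):
    return windowed_alerts(records, attack_class, FIVE_MINUTES, threshold)


if __name__ == "__main__":
    print(brute_force_alerts())     # one alert for 203.0.113.10 at the fifth POST
    print(rule_keyword_alerts())    # one SQLi alert for 198.51.100.7; XSS and the slow IP stay quiet
```

Firing once per (class, IP) pair is the detail that keeps these alerts usable: a scanner that trips a rule two hundred times in a minute should produce one ticket, and the investigation steps the page lists (source IP, request URLs, response codes) are then run on the whole burst.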
Azure Frontdoor WAF Logged a Request
Triggers when an Azure Web Application Firewall (WAF) logs a request from an IP address.
Impact
Logs WAF requests from an IP address.
Mitigation
Look into the IP and verify all the activities made with the same IP. Then decide whether that IP should be Blocked or only Logged.
MITRE Tactic: TA0001 MITRE Technique: T1190
Azure Frontdoor WAF Blocked a Request
Triggers when an Azure Web Application Firewall (WAF) blocks a request from an IP address.
Impact
Alerts on the WAF blocking requests from an IP address.
Mitigation
Look into the IP and verify all the activities made with the same IP.
MITRE Tactic: TA0001 MITRE Technique: T1190
Integration
Learn more about Coralogix's out-of-the-box integration with Azure WAF in our documentation.