Threat Detection Queries for Azure WAF

This post has been republished via RSS; it originally appeared at: New blog articles in Microsoft Community Hub.

Introduction:

Web applications face frequent malicious attacks that exploit well-known vulnerabilities, such as Code Injection and Path Traversal Attacks. These attacks are hard to prevent in the application code, as they require constant maintenance, patching, and monitoring at multiple levels of the application architecture. A WAF solution can provide faster and centralized security by patching a known vulnerability for all web applications, rather than securing each one individually. Azure Web Application Firewall (WAF) is a cloud-native service that protects web apps from common web-hacking techniques. It can be deployed quickly to gain full visibility into the web application traffic and block malicious web attacks.


By integrating Azure WAF with Microsoft Sentinel (Microsoft's cloud-native SIEM), you can automate the detection of and response to threats, incidents and alerts, and save time and effort on updating the WAF policy. This blog shows how to build Analytic rules (detections) in Sentinel for attacks such as Code Injection.


Azure WAF Detection Queries for Web Application Attacks:

The Azure-Network-Security GitHub Repository contains various pre-built queries that can be used for creating Analytic rules in Sentinel. These Analytic Rules will help with automated detection and response for attacks like Code Injection, Path Traversal, etc.


The prerequisites for setting up Analytic Rules are:


  • A working WAF and a Log Analytics Workspace that is configured to receive logs from the respective Application Gateway (App GW) or Azure Front Door (AFD). This page provides the necessary steps for this configuration.
  • Additionally, Microsoft Sentinel must be enabled on the Log Analytics Workspace that is used here.


The following steps need to be implemented to successfully configure an Analytic Rule in Sentinel.


  • Navigate to Microsoft Sentinel and select the Analytics tab. Click Create and select “Scheduled query rule”.

  • The tactics and techniques provided here are informational only and are sourced from MITRE ATT&CK (a knowledge base of adversary tactics and techniques based on real-world observations).
  • The severity setting determines the severity level of the incident created by this rule. Since these are major attacks, we choose High severity here.


  • On the Set rule logic page, enter the prebuilt Code Injection query below. This query can be found in the Azure-Network-Security GitHub Repository. Likewise, you can use any other query available in the repository to create Analytic rules that detect the respective attack patterns.

// Minimum number of distinct blocked transactions per client/URI before an alert fires
let Threshold = 3;
AzureDiagnostics
| where Category == "ApplicationGatewayFirewallLog"
| where action_s == "Matched"
| where Message has "Injection" or Message has "File Inclusion"
// OWASP CRS rule groups covering injection, file inclusion and protocol attacks
| where ruleGroup_s in ("REQUEST-921-PROTOCOL-ATTACK", "REQUEST-931-APPLICATION-ATTACK-RFI", "REQUEST-932-APPLICATION-ATTACK-RCE", "REQUEST-933-APPLICATION-ATTACK-PHP", "REQUEST-941-APPLICATION-ATTACK-XSS", "REQUEST-942-APPLICATION-ATTACK-SQLI")
| project transactionId_g, hostname_s, requestUri_s, TimeGenerated, clientIp_s, Message, details_message_s, details_data_s
// Keep only transactions the WAF actually blocked (Prevention mode); Matched-only rows from Detection mode are dropped
| join kind = inner (
    AzureDiagnostics
    | where Category == "ApplicationGatewayFirewallLog"
    | where action_s == "Blocked"
) on transactionId_g
| extend Uri = strcat(hostname_s, requestUri_s)
| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), TransactionID = make_set(transactionId_g, 100), Message = make_set(Message, 100), Detail_Message = make_set(details_message_s, 100), Detail_Data = make_set(details_data_s, 100), Total_TransactionId = dcount(transactionId_g) by clientIp_s, Uri, action_s
| where Total_TransactionId >= Threshold


Note: Make sure that the WAF logs are already in the Log Analytics Workspace before you create this Analytic rule. Otherwise, Sentinel will not recognize some of the columns in the query and you will have to add an extra line such as "| extend action_s = column_ifexists("action_s", ""), transactionId_g = column_ifexists("transactionId_g", "")" for each column that gives an error. This creates the column names manually and assigns them empty values. To skip this step, send the WAF logs to the workspace first.
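To make the query's logic concrete before it runs against live data, here is an offline Python replay of the same detection (added here as an illustration; it is not code from the post or from the Azure-Network-Security repository). It mirrors the KQL step by step over a constructed set of AzureDiagnostics-shaped rows, including the inner join that drops transactions the WAF only Matched but never Blocked; the host name, IPs and transaction ids are invented sample values.

```python
from collections import defaultdict

THRESHOLD = 3  # same default as "let Threshold = 3;" in the query

# Rule groups named in the query (OWASP CRS group names as Application Gateway logs them)
ATTACK_RULE_GROUPS = {
    "REQUEST-921-PROTOCOL-ATTACK", "REQUEST-931-APPLICATION-ATTACK-RFI",
    "REQUEST-932-APPLICATION-ATTACK-RCE", "REQUEST-933-APPLICATION-ATTACK-PHP",
    "REQUEST-941-APPLICATION-ATTACK-XSS", "REQUEST-942-APPLICATION-ATTACK-SQLI",
}

def _row(cat, tx, ip, uri, action, group="", message=""):
    """Build one AzureDiagnostics-shaped row (constructed sample, not a real log export)."""
    return {"Category": cat, "transactionId_g": tx, "clientIp_s": ip,
            "hostname_s": "app.contoso.example", "requestUri_s": uri,
            "action_s": action, "ruleGroup_s": group, "Message": message}

FW, SQLI = "ApplicationGatewayFirewallLog", "REQUEST-942-APPLICATION-ATTACK-SQLI"
MSG = "SQL Injection Attack Detected via libinjection"
# Constructed sample: three blocked SQLi probes from one client, one Matched-only probe
# (Detection mode, never Blocked) from a second client, and an unrelated access-log row.
SAMPLE_RECORDS = [
    _row(FW, "t1", "203.0.113.10", "/login", "Matched", SQLI, MSG),
    _row(FW, "t1", "203.0.113.10", "/login", "Blocked"),
    _row(FW, "t2", "203.0.113.10", "/login", "Matched", SQLI, MSG),
    _row(FW, "t2", "203.0.113.10", "/login", "Blocked"),
    _row(FW, "t3", "203.0.113.10", "/login", "Matched", SQLI, MSG),
    _row(FW, "t3", "203.0.113.10", "/login", "Blocked"),
    _row(FW, "t4", "198.51.100.7", "/search", "Matched", SQLI, MSG),
    _row("ApplicationGatewayAccessLog", "t5", "198.51.100.7", "/search", ""),
]

def detect(records, threshold=THRESHOLD):
    """Replay the query: Matched rows in the attack groups, inner-joined to Blocked rows on
    transactionId_g, counted per (clientIp_s, Uri); return groups at or above threshold."""
    fw = [r for r in records if r["Category"] == FW]
    blocked = {r["transactionId_g"] for r in fw if r["action_s"] == "Blocked"}
    hits = defaultdict(lambda: {"TransactionID": set(), "Message": set()})
    for r in fw:
        if r["action_s"] != "Matched" or r["ruleGroup_s"] not in ATTACK_RULE_GROUPS:
            continue
        if "Injection" not in r["Message"] and "File Inclusion" not in r["Message"]:
            continue
        if r["transactionId_g"] not in blocked:  # inner join drops Matched-only transactions
            continue
        key = (r["clientIp_s"], r["hostname_s"] + r["requestUri_s"])  # Uri = strcat(host, uri)
        hits[key]["TransactionID"].add(r["transactionId_g"])
        hits[key]["Message"].add(r["Message"])
    return {k: v for k, v in hits.items() if len(v["TransactionID"]) >= threshold}
```

Running detect(SAMPLE_RECORDS) returns a single group for 203.0.113.10 against app.contoso.example/login with three transaction ids, while the Matched-only client 198.51.100.7 never appears, which is the behaviour to expect from a WAF policy in Detection mode.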

 

  • On the Incident settings page, enable “Create incidents from alerts triggered by this analytics rule”. Alert grouping can be configured as required.
  • Optionally, you can also add an automated response to the incident if needed. Detailed information on configuring automated responses can be found in this blog.
  • Finally, click Save on the Review and create tab.


This analytic rule enables Sentinel to create an incident based on the WAF logs that record any Code Injection attacks. The Azure WAF blocks these attacks by default, but the incident creation provides additional support for the security analyst to respond to future threats.

 

Conclusion:

In this way, we can configure Analytic Rules in Sentinel for various web application attacks using the pre-built detection queries available in the Azure-Network-Security GitHub Repository. We are also working on adding these queries directly to the Sentinel detection templates; once added, they will be available in the Analytic Rule Templates section of Sentinel.