Introduction:
Web applications face frequent malicious attacks that exploit well-known vulnerabilities, such as Code Injection and Path Traversal Attacks. These attacks are hard to prevent in the application code, as they require constant maintenance, patching, and monitoring at multiple levels of the application architecture. A WAF solution can provide faster and centralized security by patching a known vulnerability for all web applications, rather than securing each one individually. Azure Web Application Firewall (WAF) is a cloud-native service that protects web apps from common web-hacking techniques. It can be deployed quickly to gain full visibility into the web application traffic and block malicious web attacks.
By integrating Azure WAF with Microsoft Sentinel (Microsoft's cloud-native SIEM), you can automate the detection of, and response to, the threats the WAF logs, and save the time and effort of updating the WAF policy by hand. This blog will show you how to build analytic rules (detections) in Sentinel for attacks such as Code Injection.
Azure WAF Detection Queries for Web Application Attacks:
The Azure-Network-Security GitHub Repository now contains the following pre-built queries that can be used for creating Analytic rules in Sentinel. These Analytic Rules will help with automated detection and response for attacks like Code Injection, Path Traversal and scanner-based attacks.
Setting up Analytic Rules in Sentinel for Web Application Attacks:
The prerequisites for setting up Analytic Rules are:
The following steps need to be implemented to successfully configure an Analytic Rule in Sentinel
// Minimum number of distinct blocked transactions from one client IP against
// one URI before an incident is raised.
let Threshold = 3;
AzureDiagnostics
| where Category == "ApplicationGatewayFirewallLog"
| where action_s == "Matched"
| where Message has "Injection" or Message has "File Inclusion"
// Only the CRS rule groups that cover code injection and file inclusion.
| where ruleGroup_s in (
    "REQUEST-921-PROTOCOL-ATTACK",
    "REQUEST-931-APPLICATION-ATTACK-RFI",
    "REQUEST-932-APPLICATION-ATTACK-RCE",
    "REQUEST-933-APPLICATION-ATTACK-PHP",
    "REQUEST-941-APPLICATION-ATTACK-XSS",
    "REQUEST-942-APPLICATION-ATTACK-SQLI")
| project transactionId_g, hostname_s, requestUri_s, TimeGenerated, clientIp_s, Message, details_message_s, details_data_s
// Keep only transactions the WAF actually blocked (Prevention mode); a Matched
// row from a Detection-mode policy has no Blocked row and is dropped here.
| join kind = inner (
    AzureDiagnostics
    | where Category == "ApplicationGatewayFirewallLog"
    | where action_s == "Blocked"
    | project transactionId_g, action_s
) on transactionId_g
| extend Uri = strcat(hostname_s, requestUri_s)
| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), TransactionID = make_set(transactionId_g, 100), Message = make_set(Message, 100), Detail_Message = make_set(details_message_s, 100), Detail_Data = make_set(details_data_s, 100), Total_TransactionId = dcount(transactionId_g) by clientIp_s, Uri, action_s
| where Total_TransactionId >= Threshold
Note: Make sure the WAF logs are already flowing into the Log Analytics workspace before you create this analytic rule. Otherwise Sentinel will not recognize some of the columns in the query and you will have to add a line such as | extend action_s = column_ifexists("action_s", ""), transactionId_g = column_ifexists("transactionId_g", "") for each column that produces an error. That line declares the missing columns and fills them with the empty default, so the rule validates but returns nothing until real data arrives. To skip this step, send the WAF logs to the workspace first.
This analytic rule has Sentinel create an incident when one client IP repeatedly sends requests to the same URI that the WAF matched against its injection and file-inclusion rule groups and then blocked. Because of the inner join on Blocked rows, the rule only fires for WAF policies running in Prevention mode; in Detection mode the same requests are logged as Matched but never Blocked, so the join returns no rows. The WAF already stops these requests, but the incident gives the security analyst the client IP, target URI, matched rule messages and time window needed to investigate the source and respond to follow-on activity.
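To make the join-and-threshold logic of the query concrete, here is a Python rendering of the same analytic rule run over a handful of constructed AzureDiagnostics rows. It is an added example written for this page, not code from the Azure-Network-Security repository or from Sentinel; the sample rows, client IPs, URIs and transaction IDs are made up, and the substring test on Message only approximates the term-based, case-insensitive KQL has operator.

```python
from collections import defaultdict

# Rule groups the analytic rule treats as code-injection or file-inclusion
# attacks (the same set the KQL query filters ruleGroup_s on).
INJECTION_RULE_GROUPS = {
    "REQUEST-921-PROTOCOL-ATTACK",
    "REQUEST-931-APPLICATION-ATTACK-RFI",
    "REQUEST-932-APPLICATION-ATTACK-RCE",
    "REQUEST-933-APPLICATION-ATTACK-PHP",
    "REQUEST-941-APPLICATION-ATTACK-XSS",
    "REQUEST-942-APPLICATION-ATTACK-SQLI",
}


def _row(ts, tid, ip, uri, action, rule_group, message, detail="", data=""):
    """One constructed AzureDiagnostics row carrying only the columns the query uses."""
    return {
        "TimeGenerated": ts, "Category": "ApplicationGatewayFirewallLog",
        "transactionId_g": tid, "clientIp_s": ip, "hostname_s": "www.contoso.example",
        "requestUri_s": uri, "action_s": action, "ruleGroup_s": rule_group,
        "Message": message, "details_message_s": detail, "details_data_s": data,
    }


SQLI = "REQUEST-942-APPLICATION-ATTACK-SQLI"
RCE = "REQUEST-932-APPLICATION-ATTACK-RCE"
BLOCK = "REQUEST-949-BLOCKING-EVALUATION"
SQLI_URI = "/login?user=admin'%20OR%201=1--"
RCE_URI = "/cgi-bin/ping?host=;cat%20/etc/passwd"
SQLI_MSG = "SQL Injection Attack Detected via libinjection"
RCE_MSG = "Remote Command Execution: Unix Command Injection"
BLOCK_MSG = "Inbound Anomaly Score Exceeded (Total Score: 5)"

# Constructed sample log, not real WAF data. 203.0.113.10 sends three blocked SQLi
# requests to one URI (reaches Threshold = 3); 198.51.100.7 sends two blocked RCE
# requests (below threshold); 192.0.2.44 hits a Detection-mode policy, so its
# request is Matched but never Blocked and the inner join drops it.
SAMPLE_LOGS = [
    _row("2023-05-01T10:00:01Z", "t-001", "203.0.113.10", SQLI_URI, "Matched", SQLI, SQLI_MSG,
         "Matched Data: admin' OR 1=1-- found within ARGS:user", "admin' OR 1=1--"),
    _row("2023-05-01T10:00:01Z", "t-001", "203.0.113.10", SQLI_URI, "Blocked", BLOCK, BLOCK_MSG),
    _row("2023-05-01T10:00:05Z", "t-002", "203.0.113.10", SQLI_URI, "Matched", SQLI, SQLI_MSG,
         "Matched Data: admin' OR 1=1-- found within ARGS:user", "admin' OR 1=1--"),
    _row("2023-05-01T10:00:05Z", "t-002", "203.0.113.10", SQLI_URI, "Blocked", BLOCK, BLOCK_MSG),
    _row("2023-05-01T10:00:09Z", "t-003", "203.0.113.10", SQLI_URI, "Matched", SQLI, SQLI_MSG,
         "Matched Data: admin' OR 1=1-- found within ARGS:user", "admin' OR 1=1--"),
    _row("2023-05-01T10:00:09Z", "t-003", "203.0.113.10", SQLI_URI, "Blocked", BLOCK, BLOCK_MSG),
    _row("2023-05-01T10:02:00Z", "t-010", "198.51.100.7", RCE_URI, "Matched", RCE, RCE_MSG,
         "Matched Data: ;cat found within ARGS:host", ";cat /etc/passwd"),
    _row("2023-05-01T10:02:00Z", "t-010", "198.51.100.7", RCE_URI, "Blocked", BLOCK, BLOCK_MSG),
    _row("2023-05-01T10:02:30Z", "t-011", "198.51.100.7", RCE_URI, "Matched", RCE, RCE_MSG,
         "Matched Data: ;cat found within ARGS:host", ";cat /etc/passwd"),
    _row("2023-05-01T10:02:30Z", "t-011", "198.51.100.7", RCE_URI, "Blocked", BLOCK, BLOCK_MSG),
    _row("2023-05-01T10:05:00Z", "t-020", "192.0.2.44", SQLI_URI, "Matched", SQLI, SQLI_MSG,
         "Matched Data: admin' OR 1=1-- found within ARGS:user", "admin' OR 1=1--"),
]


def detect_blocked_injection(rows, threshold=3):
    """Python rendering of the KQL rule: keep Matched rows from the injection rule
    groups, inner-join them with Blocked rows on transactionId_g, summarize per
    (clientIp, hostname + requestUri), and alert when the distinct transaction
    count reaches the threshold."""
    firewall = [r for r in rows if r.get("Category") == "ApplicationGatewayFirewallLog"]
    # Right side of the join: transactions the WAF actually blocked.
    blocked_ids = {r["transactionId_g"] for r in firewall if r["action_s"] == "Blocked"}
    groups = defaultdict(lambda: {"tx": set(), "msg": set(), "detail": set(),
                                  "data": set(), "times": []})
    for r in firewall:
        if r["action_s"] != "Matched":
            continue
        if not ("Injection" in r["Message"] or "File Inclusion" in r["Message"]):
            continue
        if r["ruleGroup_s"] not in INJECTION_RULE_GROUPS:
            continue
        if r["transactionId_g"] not in blocked_ids:
            continue  # kind=inner: a Matched row with no Blocked row is dropped
        g = groups[(r["clientIp_s"], r["hostname_s"] + r["requestUri_s"])]
        g["tx"].add(r["transactionId_g"])
        g["msg"].add(r["Message"])
        g["detail"].add(r["details_message_s"])
        g["data"].add(r["details_data_s"])
        g["times"].append(r["TimeGenerated"])
    alerts = []
    for (ip, uri), g in groups.items():
        if len(g["tx"]) >= threshold:  # dcount(transactionId_g) >= Threshold
            alerts.append({
                "clientIp": ip, "Uri": uri, "action": "Blocked",
                "StartTime": min(g["times"]), "EndTime": max(g["times"]),
                "TransactionID": sorted(g["tx"]), "Message": sorted(g["msg"]),
                "Detail_Message": sorted(g["detail"]), "Detail_Data": sorted(g["data"]),
                "Total_TransactionId": len(g["tx"]),
            })
    return sorted(alerts, key=lambda a: a["clientIp"])


if __name__ == "__main__":
    for alert in detect_blocked_injection(SAMPLE_LOGS):
        print(alert["clientIp"], alert["Uri"], alert["Total_TransactionId"],
              alert["StartTime"], alert["EndTime"])
```

Running it with the default threshold yields one alert for 203.0.113.10; lowering the threshold to 2 also surfaces 198.51.100.7, while the Detection-mode client 192.0.2.44 never appears at any threshold, which is exactly the Prevention-mode dependency the inner join introduces.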
Conclusion:
In this way, we can configure analytic rules in Sentinel for various web application attacks using the pre-built detection queries available in the Net Sec GitHub Repository. We are also working on adding these queries directly to the Sentinel detection templates; once added, they will be available in the Analytic Rule Templates section of Sentinel.