Solutions/ImpervaCloudWAF/Hunting Queries/ImpervaTopSourcesErrors.yaml (25 lines of code) (raw):
id: c359e40f-3a56-4e75-8dbb-41e5057bba64
name: Imperva - Top sources with error requests
description: |
'Query searches for top source IP addresses with protocol or network errors.'
severity: Medium
requiredDataConnectors:
- connectorId: ImpervaWAFCloudAPI
dataTypes:
- ImpervaWAFCloud
tactics:
- InitialAccess
relevantTechniques:
- T1190
query: |
ImpervaWAFCloud
| where TimeGenerated > ago(24h)
| where DvcAction startswith 'REQ_BAD_'
| summarize count() by SrcIpAddr
| top 100 by count_
| extend IPCustomEntity = SrcIpAddr
entityMappings:
- entityType: IP
fieldMappings:
- identifier: Address
columnName: IPCustomEntity