// Staged-signature leak: requests that matched a *staged* (not yet enforced)
// ASM signature, were let through ("passed") and got a 2xx from the backend.
// The WAF saw the attack pattern but did not block it. Sources accepted by
// YB_ONE_KNOWN_IP (allow-list helper defined elsewhere; presumably returns
// true for known/trusted IPs) are dropped.
F5Telemetry_ASM_CL
| where isnotempty(StagedSigName)
    and RequestStatus =~ "passed"
    and ResponseCode startswith "2"
    and not(YB_ONE_KNOWN_IP(SourceIP))
// First token of the request line; assumes Request begins with the HTTP method.
| extend HttpVerb = extract(@"^(\w+)", 1, Request)
| summarize
    EventCount = count(),
    SampleSignatures = make_set(StagedSigName, 20),
    SampleURLs = make_set(RequestURL, 20),
    SampleMethods = make_set(HttpVerb, 10),
    SampleUserAgents = make_set(UserAgent, 10),
    AttackTypes = make_set(AttackType, 10)
    by SourceIP, DestinationIP, bin(TimeGenerated, 15m)
// Three or more such hits from one source to one target within 15 minutes.
| where EventCount >= 3


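// Java / JSP-EL / OGNL / Tomcat RCE signatures (staged or enforced) that ASM
// passed and the application answered with 2xx. A single successful hit is
// worth raising, so no EventCount threshold is applied.
// The signature list is declared once so the staged and enforced checks
// cannot drift apart.
let JavaRceSignatures = dynamic([
    "Java code injection","JSP Expression Language Injection","OGNL Injection",
    "PrimeFaces Expression Language Injection","Apache Tomcat Remote Code Execution"
]);
F5Telemetry_ASM_CL
| where StagedSigName has_any (JavaRceSignatures)
    or SigName has_any (JavaRceSignatures)
| where RequestStatus =~ "passed"
| where ResponseCode startswith "2"
// YB_ONE_KNOWN_IP: allow-list helper defined elsewhere (presumably true for trusted IPs).
| where not(YB_ONE_KNOWN_IP(SourceIP))
// First token of the request line; assumes Request begins with the HTTP method.
| extend Method = extract(@"^(\w+)", 1, Request)
| summarize
    EventCount = count(),
    // Prefer the staged name; fall back to the enforced one when it is empty.
    SampleSignatures = make_set(coalesce(StagedSigName, SigName), 20),
    SampleURLs = make_set(RequestURL, 20),
    SampleMethods = make_set(Method, 10),
    SampleUserAgents = make_set(UserAgent, 10),
    AttackTypes = make_set(AttackType, 10)
    // Group per source/target pair like the sibling queries; RequestURL is
    // collected in SampleURLs rather than used as a key, otherwise the set
    // would always hold exactly one element.
    by SourceIP, DestinationIP, bin(TimeGenerated, 15m)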


// SQL-injection traffic that ASM classified but passed, with a 2xx from the
// backend. Matches either the AttackType bucket or a SQL-INJ signature name
// (staged or enforced). No count threshold: one passed SQLi probe that the
// application accepted is worth a look.
F5Telemetry_ASM_CL
| where not(YB_ONE_KNOWN_IP(SourceIP))   // allow-list helper defined elsewhere
| where RequestStatus =~ "passed" and ResponseCode startswith "2"
| where AttackType has "SQL-Injection"
    or StagedSigName has "SQL-INJ"
    or SigName has "SQL-INJ"
// First token of the request line; assumes Request begins with the HTTP method.
| extend HttpVerb = extract(@"^(\w+)", 1, Request)
| summarize
    EventCount = count(),
    // Prefer the staged name; fall back to the enforced one when it is empty.
    SampleSignatures = make_set(coalesce(StagedSigName, SigName), 20),
    SampleURLs = make_set(RequestURL, 20),
    SampleMethods = make_set(HttpVerb, 10),
    SampleUserAgents = make_set(UserAgent, 10),
    AttackTypes = make_set(AttackType, 10)
    by SourceIP, DestinationIP, bin(TimeGenerated, 15m)


// Path-traversal / sensitive-file signatures (staged or enforced) that ASM
// passed and the backend answered with 2xx. Two or more hits per
// source/target pair in 15 minutes are raised.
// NOTE: has_any is term-based and case-insensitive, so e.g. "passwd" matches
// any signature name containing that whole word.
let SensitiveFileSignatures = dynamic([
    "Directory Traversal","temp dir access","web.config",
    "WinSCP","passwd","Trace.axd"
]);
F5Telemetry_ASM_CL
| where not(YB_ONE_KNOWN_IP(SourceIP))   // allow-list helper defined elsewhere
| where StagedSigName has_any (SensitiveFileSignatures)
    or SigName has_any (SensitiveFileSignatures)
| where RequestStatus =~ "passed" and ResponseCode startswith "2"
// First token of the request line; assumes Request begins with the HTTP method.
| extend HttpVerb = extract(@"^(\w+)", 1, Request),
         SigLabel = coalesce(StagedSigName, SigName)   // staged name first, else enforced
| summarize
    EventCount = count(),
    SampleSignatures = make_set(SigLabel, 20),
    SampleURLs = make_set(RequestURL, 20),
    SampleMethods = make_set(HttpVerb, 10),
    SampleUserAgents = make_set(UserAgent, 10),
    AttackTypes = make_set(AttackType, 10)
    by SourceIP, DestinationIP, bin(TimeGenerated, 15m)
| where EventCount >= 2



// Broad-probe / scanner detector: one source producing three or more distinct
// attack classes, five or more distinct signatures and at least ten events
// within 30 minutes. There is deliberately no RequestStatus/ResponseCode
// filter, so blocked requests count as well — the signal is breadth, not success.
F5Telemetry_ASM_CL
| where not(YB_ONE_KNOWN_IP(SourceIP))   // allow-list helper defined elsewhere
| where AttackType has_any (
    "SQL-Injection","Server Side Code Injection","Command Execution",
    "Path Traversal","Cross Site Scripting","Trojan/Backdoor/Spyware"
)
// First token of the request line; assumes Request begins with the HTTP method.
| extend HttpVerb = extract(@"^(\w+)", 1, Request),
         SigLabel = coalesce(StagedSigName, SigName)   // staged name first, else enforced
| summarize
    EventCount = count(),
    DistinctAttackTypes = dcount(AttackType),
    DistinctSignatures = dcount(SigLabel),
    SampleSignatures = make_set(SigLabel, 20),
    SampleURLs = make_set(RequestURL, 20),
    SampleMethods = make_set(HttpVerb, 10),
    SampleUserAgents = make_set(UserAgent, 10),
    AttackTypes = make_set(AttackType, 10)
    by SourceIP, bin(TimeGenerated, 30m)
| where DistinctAttackTypes >= 3
    and DistinctSignatures >= 5
    and EventCount >= 10



// High-volume signature burst: a single source hitting one target with at
// least 50 signature-matching requests spanning ten or more distinct
// signatures inside a 10-minute window. Blocked and passed requests both count.
F5Telemetry_ASM_CL
| where not(YB_ONE_KNOWN_IP(SourceIP))   // allow-list helper defined elsewhere
| where isnotempty(StagedSigName) or isnotempty(SigName)
// First token of the request line; assumes Request begins with the HTTP method.
| extend HttpVerb = extract(@"^(\w+)", 1, Request),
         SigLabel = coalesce(StagedSigName, SigName)   // staged name first, else enforced
| summarize
    EventCount = count(),
    DistinctSignatures = dcount(SigLabel),
    SampleSignatures = make_set(SigLabel, 20),
    SampleURLs = make_set(RequestURL, 20),
    SampleMethods = make_set(HttpVerb, 10),
    SampleUserAgents = make_set(UserAgent, 10),
    AttackTypes = make_set(AttackType, 10)
    by SourceIP, DestinationIP, bin(TimeGenerated, 10m)
| where EventCount >= 50 and DistinctSignatures >= 10


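// Fail-then-succeed pattern: a source that produced at least ten 4xx responses
// and at least three 2xx responses in the same 15-minute window (e.g. forced
// browsing or credential guessing that eventually lands). Samples are
// collected inside each summarize, because make_set is an aggregation and
// the per-request columns (RequestURL, Method, UserAgent) no longer exist
// after the summarize/join.
let failures =
    F5Telemetry_ASM_CL
    | where ResponseCode startswith "4"
    | where not(YB_ONE_KNOWN_IP(SourceIP))   // allow-list helper defined elsewhere
    // First token of the request line; assumes Request begins with the HTTP method.
    | extend Method = extract(@"^(\w+)", 1, Request)
    | summarize
        FailCount = count(),
        FailedURLs = make_set(RequestURL, 20),
        FailedMethods = make_set(Method, 10),
        FailedUserAgents = make_set(UserAgent, 10)
        by SourceIP, bin(TimeGenerated, 15m)
    // Filter before the join so only candidate windows are matched.
    | where FailCount >= 10;
let successes =
    F5Telemetry_ASM_CL
    | where ResponseCode startswith "2"
    | where not(YB_ONE_KNOWN_IP(SourceIP))
    | extend Method = extract(@"^(\w+)", 1, Request)
    | summarize
        SuccessCount = count(),
        SuccessURLs = make_set(RequestURL, 20),
        SuccessMethods = make_set(Method, 10),
        SuccessUserAgents = make_set(UserAgent, 10)
        by SourceIP, bin(TimeGenerated, 15m)
    | where SuccessCount >= 3;
failures
// Both sides are already binned to 15m, so TimeGenerated lines up as a key.
| join kind=inner successes on SourceIP, TimeGenerated
// Drop the duplicated right-hand key columns produced by the join.
| project-away SourceIP1, TimeGenerated1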


// Known tooling user-agents (term match, case-insensitive: "python" also hits
// "python-requests/…"). Five or more requests from one source/target/UA in
// 15 minutes are raised. Because UserAgent is also a group key, the
// SampleUserAgents set holds a single value per row.
F5Telemetry_ASM_CL
| where not(YB_ONE_KNOWN_IP(SourceIP))   // allow-list helper defined elsewhere
| where UserAgent has_any ("curl","python","sqlmap","nikto","burp")
// First token of the request line; assumes Request begins with the HTTP method.
| extend HttpVerb = extract(@"^(\w+)", 1, Request),
         SigLabel = coalesce(StagedSigName, SigName)   // staged name first, else enforced
| summarize
    EventCount = count(),
    SampleURLs = make_set(RequestURL, 20),
    SampleSignatures = make_set(SigLabel, 20),
    SampleMethods = make_set(HttpVerb, 10),
    SampleUserAgents = make_set(UserAgent, 10),
    AttackTypes = make_set(AttackType, 10)
    by SourceIP, DestinationIP, UserAgent, bin(TimeGenerated, 15m)
| where EventCount >= 5


// Probing of administrative / sensitive paths: ten or more requests per
// source/target pair in 30 minutes. has_any is term-based, so "/login" matches
// the whole word "login" anywhere in the URL (e.g. "/api/login" too).
// NOTE(review): "/login" is hit by ordinary users; expect noise on busy
// login pages and consider a higher threshold or excluding it.
F5Telemetry_ASM_CL
| where not(YB_ONE_KNOWN_IP(SourceIP))   // allow-list helper defined elsewhere
| where RequestURL has_any ("/admin","/config","/debug","/backup","/login")
// First token of the request line; assumes Request begins with the HTTP method.
| extend HttpVerb = extract(@"^(\w+)", 1, Request)
| summarize
    EventCount = count(),
    SampleURLs = make_set(RequestURL, 20),
    SampleMethods = make_set(HttpVerb, 10),
    SampleUserAgents = make_set(UserAgent, 10)
    by SourceIP, DestinationIP, bin(TimeGenerated, 30m)
| where EventCount >= 10

// Uncommon HTTP methods: five or more PUT/DELETE/TRACE/OPTIONS requests per
// source/target pair in 30 minutes. TRACE and unexpected PUT/DELETE are the
// interesting ones. NOTE(review): browsers send OPTIONS as CORS preflight, so
// this will be noisy on APIs that serve cross-origin clients.
F5Telemetry_ASM_CL
| where not(YB_ONE_KNOWN_IP(SourceIP))   // allow-list helper defined elsewhere
// First token of the request line; assumes Request begins with the HTTP method.
| extend HttpVerb = extract(@"^(\w+)", 1, Request),
         SigLabel = coalesce(StagedSigName, SigName)   // staged name first, else enforced
| where HttpVerb in ("PUT","DELETE","TRACE","OPTIONS")
| summarize
    EventCount = count(),
    SampleMethods = make_set(HttpVerb, 10),
    SampleURLs = make_set(RequestURL, 20),
    SampleSignatures = make_set(SigLabel, 20),
    SampleUserAgents = make_set(UserAgent, 10),
    AttackTypes = make_set(AttackType, 10)
    by SourceIP, DestinationIP, bin(TimeGenerated, 30m)
| where EventCount >= 5