KQL To Check Azure API Spray Attacks
Query
// KQL to check Azure API spray attacks
// https://www.linkedin.com/posts/activity-7197794002526457857-Y09J/
ApiManagementGatewayLogs
| where TimeGenerated > ago(1d)
| where IsRequestSuccess == "false"
| summarize Count=count() by CallerIpAddress
| sort by Count desc
// Block the attack IPs on your Azure Application Gateway WAF
// MITRE ATT&CK Mapping
// Based on the query, the following MITRE ATT&CK techniques could be relevant:
// T1071.001 - Application Layer Protocol: Web Protocols:
// This technique involves adversaries using web protocols to communicate with systems under their control. Failed API requests could indicate attempts to exploit web protocols.
// T1078 - Valid Accounts:
// Failed requests might be due to the use of invalid or compromised accounts. This technique involves adversaries using valid accounts to gain access to systems.
// T1190 - Exploit Public-Facing Application:
// The query could help detect attempts to exploit vulnerabilities in public-facing applications, as failed requests might indicate unsuccessful exploitation attempts.
// T1040 - Network Sniffing:
// If the failed requests are part of reconnaissance activities, this technique involves adversaries capturing network traffic to gather information.Explanation
This KQL query is designed to identify potential API spray attacks on Azure by analyzing logs from the Azure API Management Gateway. Here's a simple breakdown of what the query does:
-
Data Source: It looks at logs from
ApiManagementGatewayLogs. -
Time Frame: It focuses on logs generated in the last day (
TimeGenerated > ago(1d)). -
Filter for Failures: It filters the logs to only include requests that were not successful (
IsRequestSuccess == "false"). -
Count Failed Requests: It counts the number of failed requests for each unique IP address (
summarize Count=count() by CallerIpAddress). -
Sort Results: It sorts the results in descending order based on the count of failed requests (
sort by Count desc), highlighting IP addresses with the most failed attempts.
The purpose of this query is to identify IP addresses that are potentially involved in spray attacks, where multiple login attempts are made using different credentials. These IPs can then be blocked on your Azure Application Gateway Web Application Firewall (WAF) to prevent further attacks.
Additionally, the query is mapped to several MITRE ATT&CK techniques, which are frameworks for understanding cyber adversary behavior:
- T1071.001 - Application Layer Protocol: Web Protocols: Indicates the use of web protocols for communication, where failed API requests might suggest exploitation attempts.
- T1078 - Valid Accounts: Suggests that failed requests could be due to attempts to use invalid or compromised accounts.
- T1190 - Exploit Public-Facing Application: Points to potential exploitation attempts on public-facing applications, as indicated by failed requests.
- T1040 - Network Sniffing: Implies that failed requests might be part of reconnaissance activities to gather network information.
