MITRE ATT&CK coverage
| Tactic | Techniques |
|---|---|
| Exfiltration | T1020 Automated Exfiltration |
Rule body kusto
id: 1b047dc3-a879-4f99-949b-d1dc867efc83
name: API - BOLA
description: |
'42Crunch API protection against BOLA'
severity: Medium
requiredDataConnectors:
- connectorId: 42CrunchAPIProtection
dataTypes:
- FortyTwoCrunchAPIProtection
- connectorId: FortyTwoCrunchAPIProtection
dataTypes:
- FortyTwoCrunchAPIProtection
queryFrequency: 5m
queryPeriod: 5m
triggerOperator: gt
triggerThreshold: 0
eventGroupingSettings:
aggregationKind: SingleAlert
status: Available
tactics:
- Exfiltration
relevantTechniques:
- T1020
query: |
let loginRec = FortyTwoCrunchAPIProtection
| where TimeGenerated >= ago(5m)
| project-away NonBlockingMode, SourcePort, DestinationPort, Query, ApiId, RequestHeader, ResponseHeader, Errors, EventType, Uuid
| where UriPath has "/api/login" and Status == 200;
let ipAddress = toscalar(loginRec
| top 1 by Timestamp desc
| summarize by SourceIp);
let listRec = FortyTwoCrunchAPIProtection
| where TimeGenerated >= ago(5m)
| project-away NonBlockingMode, SourcePort, DestinationPort, Query, ApiId, RequestHeader, ResponseHeader, Errors, EventType, Uuid
| where UriPath has "/api/accounts/list" and Status == 200;
let listCnt = (toscalar(listRec | count));
let accountRec = FortyTwoCrunchAPIProtection
| where TimeGenerated >= ago(5m)
| project-away NonBlockingMode, SourcePort, DestinationPort, Query, ApiId, RequestHeader, ResponseHeader, Errors, EventType, Uuid
| where SourceIp == ipAddress and UriPath matches regex "/api/accounts/\\d{6}$";
let accountCnt = (toscalar(accountRec | count));
let recCount = iff((toscalar(listRec | count) == 0) and (accountCnt > 5), accountCnt, 0);
accountRec | take recCount
customDetails:
entityMappings:
- entityType: IP
fieldMappings:
- identifier: Address
columnName: SourceIp
- entityType: Host
fieldMappings:
- identifier: HostName
columnName: Hostname
- entityType: Account
fieldMappings:
- identifier: FullName
columnName: InstanceName
version: 3.0.1
kind: Scheduled
Stages and Predicates
Let binding: loginRec
let loginRec = FortyTwoCrunchAPIProtection
| where TimeGenerated >= ago(5m)
| project-away NonBlockingMode, SourcePort, DestinationPort, Query, ApiId, RequestHeader, ResponseHeader, Errors, EventType, Uuid
| where UriPath has "/api/login" and Status == 200;
Let binding: ipAddress
let ipAddress = toscalar(loginRec
| top 1 by Timestamp desc
| summarize by SourceIp);
Derived from loginRec.
Let binding: listRec
let listRec = FortyTwoCrunchAPIProtection
| where TimeGenerated >= ago(5m)
| project-away NonBlockingMode, SourcePort, DestinationPort, Query, ApiId, RequestHeader, ResponseHeader, Errors, EventType, Uuid
| where UriPath has "/api/accounts/list" and Status == 200;
Let binding: listCnt
let listCnt = (toscalar(listRec | count));
Derived from listRec.
Let binding: accountCnt
let accountCnt = (toscalar(accountRec | count));
Derived from accountRec.
Let binding: recCount
let recCount = iff((toscalar(listRec | count) == 0) and (accountCnt > 5), accountCnt, 0);
Derived from listRec, accountCnt.
The stages below define let accountRec (the rule's main pipeline source).
Stage 1: source
FortyTwoCrunchAPIProtection
Stage 2: where
| where TimeGenerated >= ago(5m)
Stage 3: project-away
| project-away NonBlockingMode, SourcePort, DestinationPort, Query, ApiId, RequestHeader, ResponseHeader, Errors, EventType, Uuid
Stage 4: where
| where SourceIp == ipAddress and UriPath matches regex "/api/accounts/\\d{6}$"
References ipAddress (defined above).
The stages below run on accountRec (the outer pipeline).
Stage 5: take
accountRec
| take recCount
Indicators
Each row is a field, operator, and value that the rule matches. The corpus column counts how many other rules in the catalog look for the same combination: high numbers point to widely-used, community-vetted indicators. Blank or 1 shows that the indicator is specific to this rule.