Azure-Sentinel

// Name: Squid malformed requests
//
// Id: edbeec9f-86b9-475d-8a42-cc7b95ad2baa
//
//
// Description: Malformed web requests are sometimes used for Reconnaissance to detect the presence of network security devices.
// Hunting for a large number of requests from a single source may assist in locating compromised hosts. Note: internal sites may
// be detected by this query and may need excluding on a individual basis. This query presumes the default squid log format is
// being used.
//
// DataConnector: #Syslog; DataTypes: #Squid
//
// Tactics: #Discovery
//
Syslog
| where ProcessName contains "squid"
| extend URL = extract("(([A-Z]+ [a-z]{4,5}:\\/\\/)|[A-Z]+ )([^ :]*)",3,SyslogMessage), 
         SourceIP = extract("([0-9]+ )(([0-9]{1,3})\\.([0-9]{1,3})\\.([0-9]{1,3})\\.([0-9]{1,3}))",2,SyslogMessage), 
         Status = extract("(TCP_(([A-Z]+)(_[A-Z]+)*)|UDP_(([A-Z]+)(_[A-Z]+)*))",1,SyslogMessage), 
         HTTP_Status_Code = extract("(TCP_(([A-Z]+)(_[A-Z]+)*)|UDP_(([A-Z]+)(_[A-Z]+)*))/([0-9]{3})",8,SyslogMessage),
         User = extract("(CONNECT |GET )([^ ]* )([^ ]+)",3,SyslogMessage),
         RemotePort = extract("(CONNECT |GET )([^ ]*)(:)([0-9]*)",4,SyslogMessage),
         Domain = extract("(([A-Z]+ [a-z]{4,5}:\\/\\/)|[A-Z]+ )([^ :\\/]*)",3,SyslogMessage),
         Bytes = toint(extract("([A-Z]+\\/[0-9]{3} )([0-9]+)",2,SyslogMessage)),
         contentType = extract("([a-z/]+$)",1,SyslogMessage)
| extend TLD = extract("\\.[a-z]*$",0,Domain)
| where Domain !contains '.' and isnotempty(Domain)
| summarize badRequestCount = count() by Domain, SourceIP, User
| order by badRequestCount desc
| extend AccountCustomEntity = User, IPCustomEntity = SourceIP
cloudflare/Azure-Sentinel

Branches

Tags

Clone

Hunting Queries/Syslog/squid_malformed_requests.txt
