Microsoft Sentinel Analytic Rules
cloudbrothers.infoAzure Sentinel RepoToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeBack to homepage

Oracle - Put file and get file from same IP address

Back
Id033e98d2-5740-11ec-bf63-0242ac130002
RulenameOracle - Put file and get file from same IP address
DescriptionDetects put or get files from one source in short timeframe'
SeverityMedium
TacticsInitialAccess
TechniquesT1190
T1133
Required data connectorsCustomLogsAma
OracleWebLogicServer
KindScheduled
Query frequency1h
Query period1h
Trigger threshold0
Trigger operatorgt
Source Urihttps://github.com/Azure/Azure-Sentinel/blob/master/Solutions/OracleWebLogicServer/Analytic Rules/OracleWebLogicPutAndGetFileFromSameIP.yaml
Version1.0.1
Arm template033e98d2-5740-11ec-bf63-0242ac130002.json
Deploy To Azure
let p = OracleWebLogicServerEvent
| where HttpRequestMethod in~ ('POST', 'PUT')
| sort by EventStartTime asc
| summarize post_time=min(EventStartTime) by SrcIpAddr, tostring(UrlOriginal);
OracleWebLogicServerEvent
| where HttpRequestMethod =~ 'GET'
| sort by EventStartTime asc
| summarize get_time=min(EventStartTime) by SrcIpAddr, tostring(UrlOriginal)
| join kind=innerunique (p) on UrlOriginal, SrcIpAddr
| extend second = datetime_diff('second',get_time,post_time)
| where second between (1 .. 300)
| project second, post_time, get_time, SrcIpAddr, UrlOriginal
| extend IPCustomEntity = SrcIpAddr, UrlCustomEntity = tostring(UrlOriginal)
status: Available
queryFrequency: 1h
description: |
    'Detects put or get files from one source in short timeframe' 
severity: Medium
version: 1.0.1
relevantTechniques:
- T1190
- T1133
name: Oracle - Put file and get file from same IP address
triggerThreshold: 0
kind: Scheduled
query: |
  let p = OracleWebLogicServerEvent
  | where HttpRequestMethod in~ ('POST', 'PUT')
  | sort by EventStartTime asc
  | summarize post_time=min(EventStartTime) by SrcIpAddr, tostring(UrlOriginal);
  OracleWebLogicServerEvent
  | where HttpRequestMethod =~ 'GET'
  | sort by EventStartTime asc
  | summarize get_time=min(EventStartTime) by SrcIpAddr, tostring(UrlOriginal)
  | join kind=innerunique (p) on UrlOriginal, SrcIpAddr
  | extend second = datetime_diff('second',get_time,post_time)
  | where second between (1 .. 300)
  | project second, post_time, get_time, SrcIpAddr, UrlOriginal
  | extend IPCustomEntity = SrcIpAddr, UrlCustomEntity = tostring(UrlOriginal)  
triggerOperator: gt
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/OracleWebLogicServer/Analytic Rules/OracleWebLogicPutAndGetFileFromSameIP.yaml
requiredDataConnectors:
- connectorId: OracleWebLogicServer
  dataTypes:
  - OracleWebLogicServerEvent
- connectorId: CustomLogsAma
  dataTypes:
  - OracleWebLogicServer_CL
tactics:
- InitialAccess
id: 033e98d2-5740-11ec-bf63-0242ac130002
queryPeriod: 1h
entityMappings:
- fieldMappings:
  - columnName: IPCustomEntity
    identifier: Address
  entityType: IP
- fieldMappings:
  - columnName: UrlCustomEntity
    identifier: Url
  entityType: URL
{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "workspace": {
      "type": "String"
    }
  },
  "resources": [
    {
      "apiVersion": "2024-01-01-preview",
      "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/033e98d2-5740-11ec-bf63-0242ac130002')]",
      "kind": "Scheduled",
      "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/033e98d2-5740-11ec-bf63-0242ac130002')]",
      "properties": {
        "alertRuleTemplateName": "033e98d2-5740-11ec-bf63-0242ac130002",
        "customDetails": null,
        "description": "'Detects put or get files from one source in short timeframe' \n",
        "displayName": "Oracle - Put file and get file from same IP address",
        "enabled": true,
        "entityMappings": [
          {
            "entityType": "IP",
            "fieldMappings": [
              {
                "columnName": "IPCustomEntity",
                "identifier": "Address"
              }
            ]
          },
          {
            "entityType": "URL",
            "fieldMappings": [
              {
                "columnName": "UrlCustomEntity",
                "identifier": "Url"
              }
            ]
          }
        ],
        "OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/OracleWebLogicServer/Analytic Rules/OracleWebLogicPutAndGetFileFromSameIP.yaml",
        "query": "let p = OracleWebLogicServerEvent\n| where HttpRequestMethod in~ ('POST', 'PUT')\n| sort by EventStartTime asc\n| summarize post_time=min(EventStartTime) by SrcIpAddr, tostring(UrlOriginal);\nOracleWebLogicServerEvent\n| where HttpRequestMethod =~ 'GET'\n| sort by EventStartTime asc\n| summarize get_time=min(EventStartTime) by SrcIpAddr, tostring(UrlOriginal)\n| join kind=innerunique (p) on UrlOriginal, SrcIpAddr\n| extend second = datetime_diff('second',get_time,post_time)\n| where second between (1 .. 300)\n| project second, post_time, get_time, SrcIpAddr, UrlOriginal\n| extend IPCustomEntity = SrcIpAddr, UrlCustomEntity = tostring(UrlOriginal)\n",
        "queryFrequency": "PT1H",
        "queryPeriod": "PT1H",
        "severity": "Medium",
        "status": "Available",
        "subTechniques": [],
        "suppressionDuration": "PT1H",
        "suppressionEnabled": false,
        "tactics": [
          "InitialAccess"
        ],
        "techniques": [
          "T1133",
          "T1190"
        ],
        "templateVersion": "1.0.1",
        "triggerOperator": "GreaterThan",
        "triggerThreshold": 0
      },
      "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules"
    }
  ]
}