Oracle - Put file and get file from same IP address

Back


Id	033e98d2-5740-11ec-bf63-0242ac130002
Rulename	Oracle - Put file and get file from same IP address
Description	Detects put or get files from one source in short timeframe'
Severity	Medium
Tactics	InitialAccess
Techniques	T1190 T1133
Required data connectors	CustomLogsAma
Kind	Scheduled
Query frequency	1h
Query period	1h
Trigger threshold	0
Trigger operator	gt
Source Uri	https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/OracleWebLogicServer/Analytic Rules/OracleWebLogicPutAndGetFileFromSameIP.yaml
Version	1.0.2
Arm template	033e98d2-5740-11ec-bf63-0242ac130002.json

KQL

let p = OracleWebLogicServerEvent
| where HttpRequestMethod in~ ('POST', 'PUT')
| sort by EventStartTime asc
| summarize post_time=min(EventStartTime) by SrcIpAddr, tostring(UrlOriginal);
OracleWebLogicServerEvent
| where HttpRequestMethod =~ 'GET'
| sort by EventStartTime asc
| summarize get_time=min(EventStartTime) by SrcIpAddr, tostring(UrlOriginal)
| join kind=innerunique (p) on UrlOriginal, SrcIpAddr
| extend second = datetime_diff('second',get_time,post_time)
| where second between (1 .. 300)
| project second, post_time, get_time, SrcIpAddr, UrlOriginal
| extend IPCustomEntity = SrcIpAddr, UrlCustomEntity = tostring(UrlOriginal)

YAML

description: |
    'Detects put or get files from one source in short timeframe' 
queryPeriod: 1h
query: |
  let p = OracleWebLogicServerEvent
  | where HttpRequestMethod in~ ('POST', 'PUT')
  | sort by EventStartTime asc
  | summarize post_time=min(EventStartTime) by SrcIpAddr, tostring(UrlOriginal);
  OracleWebLogicServerEvent
  | where HttpRequestMethod =~ 'GET'
  | sort by EventStartTime asc
  | summarize get_time=min(EventStartTime) by SrcIpAddr, tostring(UrlOriginal)
  | join kind=innerunique (p) on UrlOriginal, SrcIpAddr
  | extend second = datetime_diff('second',get_time,post_time)
  | where second between (1 .. 300)
  | project second, post_time, get_time, SrcIpAddr, UrlOriginal
  | extend IPCustomEntity = SrcIpAddr, UrlCustomEntity = tostring(UrlOriginal)  
tactics:
- InitialAccess
status: Available
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/OracleWebLogicServer/Analytic Rules/OracleWebLogicPutAndGetFileFromSameIP.yaml
severity: Medium
requiredDataConnectors:
- dataTypes:
  - OracleWebLogicServer_CL
  connectorId: CustomLogsAma
name: Oracle - Put file and get file from same IP address
kind: Scheduled
relevantTechniques:
- T1190
- T1133
triggerThreshold: 0
id: 033e98d2-5740-11ec-bf63-0242ac130002
triggerOperator: gt
queryFrequency: 1h
version: 1.0.2
entityMappings:
- entityType: IP
  fieldMappings:
  - identifier: Address
    columnName: IPCustomEntity
- entityType: URL
  fieldMappings:
  - identifier: Url
    columnName: UrlCustomEntity

ARM

{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "workspace": {
      "type": "String"
    }
  },
  "resources": [
    {
      "apiVersion": "2024-01-01-preview",
      "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/033e98d2-5740-11ec-bf63-0242ac130002')]",
      "kind": "Scheduled",
      "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/033e98d2-5740-11ec-bf63-0242ac130002')]",
      "properties": {
        "alertRuleTemplateName": "033e98d2-5740-11ec-bf63-0242ac130002",
        "customDetails": null,
        "description": "'Detects put or get files from one source in short timeframe' \n",
        "displayName": "Oracle - Put file and get file from same IP address",
        "enabled": true,
        "entityMappings": [
          {
            "entityType": "IP",
            "fieldMappings": [
              {
                "columnName": "IPCustomEntity",
                "identifier": "Address"
              }
            ]
          },
          {
            "entityType": "URL",
            "fieldMappings": [
              {
                "columnName": "UrlCustomEntity",
                "identifier": "Url"
              }
            ]
          }
        ],
        "OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/OracleWebLogicServer/Analytic Rules/OracleWebLogicPutAndGetFileFromSameIP.yaml",
        "query": "let p = OracleWebLogicServerEvent\n| where HttpRequestMethod in~ ('POST', 'PUT')\n| sort by EventStartTime asc\n| summarize post_time=min(EventStartTime) by SrcIpAddr, tostring(UrlOriginal);\nOracleWebLogicServerEvent\n| where HttpRequestMethod =~ 'GET'\n| sort by EventStartTime asc\n| summarize get_time=min(EventStartTime) by SrcIpAddr, tostring(UrlOriginal)\n| join kind=innerunique (p) on UrlOriginal, SrcIpAddr\n| extend second = datetime_diff('second',get_time,post_time)\n| where second between (1 .. 300)\n| project second, post_time, get_time, SrcIpAddr, UrlOriginal\n| extend IPCustomEntity = SrcIpAddr, UrlCustomEntity = tostring(UrlOriginal)\n",
        "queryFrequency": "PT1H",
        "queryPeriod": "PT1H",
        "severity": "Medium",
        "status": "Available",
        "subTechniques": [],
        "suppressionDuration": "PT1H",
        "suppressionEnabled": false,
        "tactics": [
          "InitialAccess"
        ],
        "techniques": [
          "T1133",
          "T1190"
        ],
        "templateVersion": "1.0.2",
        "triggerOperator": "GreaterThan",
        "triggerThreshold": 0
      },
      "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules"
    }
  ]
}