let forbidden_files = dynamic(['shadow', 'passwd', 'id_rsa']);
TomcatEvent
| extend File = extract(@'(.*\/)?(.*)', 2, tostring(UrlOriginal))
| where File in (forbidden_files)
| extend FileCustomEntity = File, UrlCustomEntity = UrlOriginal
triggerThreshold: 0
entityMappings:
- entityType: File
fieldMappings:
- identifier: Name
columnName: FileCustomEntity
- entityType: URL
fieldMappings:
- identifier: Url
columnName: UrlCustomEntity
requiredDataConnectors:
- datatypes:
- Tomcat_CL
connectorId: CustomLogsAma
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Tomcat/Analytic Rules/TomcatRequestSensitiveFiles.yaml
name: Tomcat - Request to sensitive files
relevantTechniques:
- T1189
status: Available
version: 1.0.2
queryPeriod: 1h
kind: Scheduled
id: 0c851bd4-4875-11ec-81d3-0242ac130003
query: |
let forbidden_files = dynamic(['shadow', 'passwd', 'id_rsa']);
TomcatEvent
| extend File = extract(@'(.*\/)?(.*)', 2, tostring(UrlOriginal))
| where File in (forbidden_files)
| extend FileCustomEntity = File, UrlCustomEntity = UrlOriginal
description: |
'Detects request to sensitive files.'
queryFrequency: 1h
severity: High
triggerOperator: gt
tactics:
- InitialAccess
