let forbidden_files = dynamic(['shadow', 'passwd', 'id_rsa']);
TomcatEvent
| extend File = extract(@'(.*\/)?(.*)', 2, tostring(UrlOriginal))
| where File in (forbidden_files)
| extend FileCustomEntity = File, UrlCustomEntity = UrlOriginal
name: Tomcat - Request to sensitive files
id: 0c851bd4-4875-11ec-81d3-0242ac130003
description: |
'Detects request to sensitive files.'
triggerThreshold: 0
entityMappings:
- fieldMappings:
- columnName: FileCustomEntity
identifier: Name
entityType: File
- fieldMappings:
- columnName: UrlCustomEntity
identifier: Url
entityType: URL
version: 1.0.2
triggerOperator: gt
query: |
let forbidden_files = dynamic(['shadow', 'passwd', 'id_rsa']);
TomcatEvent
| extend File = extract(@'(.*\/)?(.*)', 2, tostring(UrlOriginal))
| where File in (forbidden_files)
| extend FileCustomEntity = File, UrlCustomEntity = UrlOriginal
tactics:
- InitialAccess
kind: Scheduled
queryFrequency: 1h
severity: High
queryPeriod: 1h
requiredDataConnectors:
- datatypes:
- Tomcat_CL
connectorId: CustomLogsAma
status: Available
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Tomcat/Analytic Rules/TomcatRequestSensitiveFiles.yaml
relevantTechniques:
- T1189
