let forbidden_files = dynamic(['shadow', 'passwd', 'id_rsa']);
TomcatEvent
| extend File = extract(@'(.*\/)?(.*)', 2, tostring(UrlOriginal))
| where File in (forbidden_files)
| extend FileCustomEntity = File, UrlCustomEntity = UrlOriginal
queryPeriod: 1h
description: |
'Detects request to sensitive files.'
kind: Scheduled
query: |
let forbidden_files = dynamic(['shadow', 'passwd', 'id_rsa']);
TomcatEvent
| extend File = extract(@'(.*\/)?(.*)', 2, tostring(UrlOriginal))
| where File in (forbidden_files)
| extend FileCustomEntity = File, UrlCustomEntity = UrlOriginal
tactics:
- InitialAccess
triggerOperator: gt
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Tomcat/Analytic Rules/TomcatRequestSensitiveFiles.yaml
id: 0c851bd4-4875-11ec-81d3-0242ac130003
version: 1.0.2
entityMappings:
- entityType: File
fieldMappings:
- identifier: Name
columnName: FileCustomEntity
- entityType: URL
fieldMappings:
- identifier: Url
columnName: UrlCustomEntity
triggerThreshold: 0
status: Available
relevantTechniques:
- T1189
name: Tomcat - Request to sensitive files
severity: High
requiredDataConnectors:
- datatypes:
- Tomcat_CL
connectorId: CustomLogsAma
queryFrequency: 1h
