Microsoft Sentinel Analytic Rules
cloudbrothers.infoAzure Sentinel RepoToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeBack to homepage
  1. Microsoft Sentinel Analytics Rules
  2. /
  3. Analytic Rules
  4. /
  5. Tomcat - Put file and get file from same IP address

Tomcat - Put file and get file from same IP address

Back
Id103d5ada-4874-11ec-81d3-0242ac130003
RulenameTomcat - Put file and get file from same IP address
DescriptionDetects put or get files from one source in short timeframe'
SeverityMedium
TacticsInitialAccess
TechniquesT1190
T1133
Required data connectorsCustomLogsAma
KindScheduled
Query frequency1h
Query period1h
Trigger threshold0
Trigger operatorgt
Source Urihttps://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Tomcat/Analytic Rules/TomcatPutAndGetFileFromSameIP.yaml
Version1.0.2
Arm template103d5ada-4874-11ec-81d3-0242ac130003.json
Deploy To Azure
let p = TomcatEvent
| where HttpRequestMethod in~ ('POST', 'PUT')
| sort by EventStartTime asc
| summarize post_time=min(EventStartTime) by SrcIpAddr, tostring(UrlOriginal);
TomcatEvent
| where HttpRequestMethod =~ 'GET'
| sort by EventStartTime asc
| summarize get_time=min(EventStartTime) by SrcIpAddr, tostring(UrlOriginal)
| join kind=innerunique (p) on UrlOriginal, SrcIpAddr
| extend second = datetime_diff('second',get_time,post_time)
| where second between (1 .. 300)
| project second, post_time, get_time, SrcIpAddr, UrlOriginal
| extend IPCustomEntity = SrcIpAddr, UrlCustomEntity = tostring(UrlOriginal)

id: 103d5ada-4874-11ec-81d3-0242ac130003
triggerThreshold: 0
description: |
    'Detects put or get files from one source in short timeframe' 
requiredDataConnectors:
- connectorId: CustomLogsAma
  datatypes:
  - Tomcat_CL
queryPeriod: 1h
version: 1.0.2
severity: Medium
tactics:
- InitialAccess
queryFrequency: 1h
kind: Scheduled
entityMappings:
- entityType: IP
  fieldMappings:
  - columnName: IPCustomEntity
    identifier: Address
- entityType: URL
  fieldMappings:
  - columnName: UrlCustomEntity
    identifier: Url
name: Tomcat - Put file and get file from same IP address
relevantTechniques:
- T1190
- T1133
triggerOperator: gt
query: |
  let p = TomcatEvent
  | where HttpRequestMethod in~ ('POST', 'PUT')
  | sort by EventStartTime asc
  | summarize post_time=min(EventStartTime) by SrcIpAddr, tostring(UrlOriginal);
  TomcatEvent
  | where HttpRequestMethod =~ 'GET'
  | sort by EventStartTime asc
  | summarize get_time=min(EventStartTime) by SrcIpAddr, tostring(UrlOriginal)
  | join kind=innerunique (p) on UrlOriginal, SrcIpAddr
  | extend second = datetime_diff('second',get_time,post_time)
  | where second between (1 .. 300)
  | project second, post_time, get_time, SrcIpAddr, UrlOriginal
  | extend IPCustomEntity = SrcIpAddr, UrlCustomEntity = tostring(UrlOriginal)  
status: Available
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Tomcat/Analytic Rules/TomcatPutAndGetFileFromSameIP.yaml