Microsoft Sentinel Analytic Rules
cloudbrothers.infoAzure Sentinel RepoToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeBack to homepage
  1. Microsoft Sentinel Analytics Rules
  2. /
  3. Analytic Rules
  4. /
  5. Apache - Command in URI

Apache - Command in URI

Back
Id54da6a42-3b00-11ec-8d3d-0242ac130003
RulenameApache - Command in URI
DescriptionDetects command in URI
SeverityHigh
TacticsInitialAccess
TechniquesT1190
T1133
Required data connectorsCustomLogsAma
KindScheduled
Query frequency15m
Query period15m
Trigger threshold0
Trigger operatorgt
Source Urihttps://github.com/Azure/Azure-Sentinel/blob/master/Solutions/ApacheHTTPServer/Analytic Rules/ApacheCommandInURI.yaml
Version1.0.3
Arm template54da6a42-3b00-11ec-8d3d-0242ac130003.json
Deploy To Azure
let cmd_list = dynamic(['whoami', 'dpkg', 'useradd', 'sudo', 'cat']);
ApacheHTTPServer
| where UrlOriginal has_any (cmd_list)
| extend UrlCustomEntity = UrlOriginal

description: |
    'Detects command in URI'
version: 1.0.3
triggerThreshold: 0
tactics:
- InitialAccess
queryPeriod: 15m
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/ApacheHTTPServer/Analytic Rules/ApacheCommandInURI.yaml
triggerOperator: gt
status: Available
id: 54da6a42-3b00-11ec-8d3d-0242ac130003
name: Apache - Command in URI
queryFrequency: 15m
severity: High
kind: Scheduled
entityMappings:
- fieldMappings:
  - columnName: UrlCustomEntity
    identifier: Url
  entityType: URL
relevantTechniques:
- T1190
- T1133
query: |
  let cmd_list = dynamic(['whoami', 'dpkg', 'useradd', 'sudo', 'cat']);
  ApacheHTTPServer
  | where UrlOriginal has_any (cmd_list)
  | extend UrlCustomEntity = UrlOriginal  
requiredDataConnectors:
- datatypes:
  - ApacheHTTPServer_CL
  connectorId: CustomLogsAma