OracleWebLogicServerEvent
| where HttpRequestMethod =~ "GET"
| where UrlOriginal has_all ("ldap://", "com.bea.console.handles.JndiBindingHandle", "AdminServer")
| extend UrlCustomEntity = UrlOriginal
entityMappings:
- fieldMappings:
- columnName: UrlCustomEntity
identifier: Url
entityType: URL
triggerOperator: gt
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/OracleWebLogicServer/Analytic Rules/OracleWebLogicExploitCVE-2021-2109.yaml
version: 1.0.3
tactics:
- InitialAccess
queryPeriod: 10m
kind: Scheduled
id: 67950168-5740-11ec-bf63-0242ac130002
severity: High
query: |
OracleWebLogicServerEvent
| where HttpRequestMethod =~ "GET"
| where UrlOriginal has_all ("ldap://", "com.bea.console.handles.JndiBindingHandle", "AdminServer")
| extend UrlCustomEntity = UrlOriginal
triggerThreshold: 0
name: Oracle - Oracle WebLogic Exploit CVE-2021-2109
status: Available
description: |
'Detects exploitation of Oracle WebLogic vulnerability CVE-2021-2109'
relevantTechniques:
- T1190
requiredDataConnectors:
- connectorId: CustomLogsAma
dataTypes:
- OracleWebLogicServer_CL
queryFrequency: 10m
