Microsoft Sentinel Analytic Rules
cloudbrothers.infoAzure Sentinel RepoToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeBack to homepage

OracleDBAudit - Unusual user activity on multiple tables

Back
Id75024e1c-26e7-4e73-821d-95e5decdd8db
RulenameOracleDBAudit - Unusual user activity on multiple tables
DescriptionDetects when user queries many tables in short period of time.
SeverityMedium
TacticsCollection
TechniquesT1119
Required data connectorsOracleDatabaseAudit
KindScheduled
Query frequency1h
Query period1h
Trigger threshold0
Trigger operatorgt
Source Urihttps://github.com/Azure/Azure-Sentinel/blob/master/Solutions/OracleDatabaseAudit/Analytic Rules/OracleDBAuditSelectOnManyTables.yaml
Version1.0.0
Arm template75024e1c-26e7-4e73-821d-95e5decdd8db.json
Deploy To Azure
let tbl_threshold = 10;
OracleDatabaseAuditEvent
| where isnotempty(DstUserName)
| where DbAction =~ 'SELECT'
| extend TableName = replace(@'[,\(\)]', '', extract(@'(?i)SELECT(.*?)FROM\s(.*?)\s', 2, Action))
| where isnotempty(TableName)
| where TableName !~ 'SELECT'
| summarize tbl_count = dcount(TableName) by DstUserName, bucket = bin(TimeGenerated, 5m)
| where tbl_count > tbl_threshold
| extend AccountCustomEntity = DstUserName
requiredDataConnectors:
- connectorId: OracleDatabaseAudit
  dataTypes:
  - Syslog
triggerOperator: gt
queryFrequency: 1h
name: OracleDBAudit - Unusual user activity on multiple tables
status: Available
queryPeriod: 1h
id: 75024e1c-26e7-4e73-821d-95e5decdd8db
description: |
    'Detects when user queries many tables in short period of time.'
severity: Medium
query: |
  let tbl_threshold = 10;
  OracleDatabaseAuditEvent
  | where isnotempty(DstUserName)
  | where DbAction =~ 'SELECT'
  | extend TableName = replace(@'[,\(\)]', '', extract(@'(?i)SELECT(.*?)FROM\s(.*?)\s', 2, Action))
  | where isnotempty(TableName)
  | where TableName !~ 'SELECT'
  | summarize tbl_count = dcount(TableName) by DstUserName, bucket = bin(TimeGenerated, 5m)
  | where tbl_count > tbl_threshold
  | extend AccountCustomEntity = DstUserName  
version: 1.0.0
kind: Scheduled
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/OracleDatabaseAudit/Analytic Rules/OracleDBAuditSelectOnManyTables.yaml
entityMappings:
- entityType: Account
  fieldMappings:
  - identifier: FullName
    columnName: AccountCustomEntity
relevantTechniques:
- T1119
tactics:
- Collection
triggerThreshold: 0
{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "workspace": {
      "type": "String"
    }
  },
  "resources": [
    {
      "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/75024e1c-26e7-4e73-821d-95e5decdd8db')]",
      "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/75024e1c-26e7-4e73-821d-95e5decdd8db')]",
      "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
      "kind": "Scheduled",
      "apiVersion": "2022-11-01-preview",
      "properties": {
        "displayName": "OracleDBAudit - Unusual user activity on multiple tables",
        "description": "'Detects when user queries many tables in short period of time.'\n",
        "severity": "Medium",
        "enabled": true,
        "query": "let tbl_threshold = 10;\nOracleDatabaseAuditEvent\n| where isnotempty(DstUserName)\n| where DbAction =~ 'SELECT'\n| extend TableName = replace(@'[,\\(\\)]', '', extract(@'(?i)SELECT(.*?)FROM\\s(.*?)\\s', 2, Action))\n| where isnotempty(TableName)\n| where TableName !~ 'SELECT'\n| summarize tbl_count = dcount(TableName) by DstUserName, bucket = bin(TimeGenerated, 5m)\n| where tbl_count > tbl_threshold\n| extend AccountCustomEntity = DstUserName\n",
        "queryFrequency": "PT1H",
        "queryPeriod": "PT1H",
        "triggerOperator": "GreaterThan",
        "triggerThreshold": 0,
        "suppressionDuration": "PT1H",
        "suppressionEnabled": false,
        "tactics": [
          "Collection"
        ],
        "techniques": [
          "T1119"
        ],
        "alertRuleTemplateName": "75024e1c-26e7-4e73-821d-95e5decdd8db",
        "customDetails": null,
        "entityMappings": [
          {
            "fieldMappings": [
              {
                "identifier": "FullName",
                "columnName": "AccountCustomEntity"
              }
            ],
            "entityType": "Account"
          }
        ],
        "templateVersion": "1.0.0",
        "OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/OracleDatabaseAudit/Analytic Rules/OracleDBAuditSelectOnManyTables.yaml",
        "status": "Available"
      }
    }
  ]
}