Microsoft Sentinel Analytic Rules
cloudbrothers.infoAzure Sentinel RepoToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeBack to homepage

OracleDBAudit - Unusual user activity on multiple tables

Back
Id75024e1c-26e7-4e73-821d-95e5decdd8db
RulenameOracleDBAudit - Unusual user activity on multiple tables
DescriptionDetects when user queries many tables in short period of time.
SeverityMedium
TacticsCollection
TechniquesT1119
Required data connectorsOracleDatabaseAudit
KindScheduled
Query frequency1h
Query period1h
Trigger threshold0
Trigger operatorgt
Source Urihttps://github.com/Azure/Azure-Sentinel/blob/master/Solutions/OracleDatabaseAudit/Analytic Rules/OracleDBAuditSelectOnManyTables.yaml
Version1.0.0
Arm template75024e1c-26e7-4e73-821d-95e5decdd8db.json
Deploy To Azure
let tbl_threshold = 10;
OracleDatabaseAuditEvent
| where isnotempty(DstUserName)
| where DbAction =~ 'SELECT'
| extend TableName = replace(@'[,\(\)]', '', extract(@'(?i)SELECT(.*?)FROM\s(.*?)\s', 2, Action))
| where isnotempty(TableName)
| where TableName !~ 'SELECT'
| summarize tbl_count = dcount(TableName) by DstUserName, bucket = bin(TimeGenerated, 5m)
| where tbl_count > tbl_threshold
| extend AccountCustomEntity = DstUserName
version: 1.0.0
status: Available
queryFrequency: 1h
requiredDataConnectors:
- connectorId: OracleDatabaseAudit
  dataTypes:
  - Syslog
entityMappings:
- fieldMappings:
  - columnName: AccountCustomEntity
    identifier: FullName
  entityType: Account
kind: Scheduled
queryPeriod: 1h
severity: Medium
query: |
  let tbl_threshold = 10;
  OracleDatabaseAuditEvent
  | where isnotempty(DstUserName)
  | where DbAction =~ 'SELECT'
  | extend TableName = replace(@'[,\(\)]', '', extract(@'(?i)SELECT(.*?)FROM\s(.*?)\s', 2, Action))
  | where isnotempty(TableName)
  | where TableName !~ 'SELECT'
  | summarize tbl_count = dcount(TableName) by DstUserName, bucket = bin(TimeGenerated, 5m)
  | where tbl_count > tbl_threshold
  | extend AccountCustomEntity = DstUserName  
triggerOperator: gt
id: 75024e1c-26e7-4e73-821d-95e5decdd8db
description: |
    'Detects when user queries many tables in short period of time.'
triggerThreshold: 0
name: OracleDBAudit - Unusual user activity on multiple tables
relevantTechniques:
- T1119
tactics:
- Collection
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/OracleDatabaseAudit/Analytic Rules/OracleDBAuditSelectOnManyTables.yaml
{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "workspace": {
      "type": "String"
    }
  },
  "resources": [
    {
      "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/75024e1c-26e7-4e73-821d-95e5decdd8db')]",
      "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/75024e1c-26e7-4e73-821d-95e5decdd8db')]",
      "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
      "kind": "Scheduled",
      "apiVersion": "2022-11-01",
      "properties": {
        "displayName": "OracleDBAudit - Unusual user activity on multiple tables",
        "description": "'Detects when user queries many tables in short period of time.'\n",
        "severity": "Medium",
        "enabled": true,
        "query": "let tbl_threshold = 10;\nOracleDatabaseAuditEvent\n| where isnotempty(DstUserName)\n| where DbAction =~ 'SELECT'\n| extend TableName = replace(@'[,\\(\\)]', '', extract(@'(?i)SELECT(.*?)FROM\\s(.*?)\\s', 2, Action))\n| where isnotempty(TableName)\n| where TableName !~ 'SELECT'\n| summarize tbl_count = dcount(TableName) by DstUserName, bucket = bin(TimeGenerated, 5m)\n| where tbl_count > tbl_threshold\n| extend AccountCustomEntity = DstUserName\n",
        "queryFrequency": "PT1H",
        "queryPeriod": "PT1H",
        "triggerOperator": "GreaterThan",
        "triggerThreshold": 0,
        "suppressionDuration": "PT1H",
        "suppressionEnabled": false,
        "tactics": [
          "Collection"
        ],
        "techniques": [
          "T1119"
        ],
        "alertRuleTemplateName": "75024e1c-26e7-4e73-821d-95e5decdd8db",
        "customDetails": null,
        "entityMappings": [
          {
            "entityType": "Account",
            "fieldMappings": [
              {
                "identifier": "FullName",
                "columnName": "AccountCustomEntity"
              }
            ]
          }
        ],
        "status": "Available",
        "OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/OracleDatabaseAudit/Analytic Rules/OracleDBAuditSelectOnManyTables.yaml",
        "templateVersion": "1.0.0"
      }
    }
  ]
}