let forbidden_files = dynamic(['shadow', 'passwd', 'hosts', 'id_rsa']);
OracleWebLogicServerEvent
| extend File = extract(@'(.*\/)?(.*)', 2, tostring(UrlOriginal))
| where isnotempty(File)
| where File in~ (forbidden_files)
| extend FileCustomEntity = File, UrlCustomEntity = UrlOriginal
description: |
'Detects request to sensitive files.'
version: 1.0.3
triggerThreshold: 0
tactics:
- InitialAccess
queryPeriod: 15m
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/OracleWebLogicServer/Analytic Rules/OracleWebLogicRequestToSensitiveFiles.yaml
triggerOperator: gt
status: Available
id: 9cc9ed36-573f-11ec-bf63-0242ac130002
name: Oracle - Request to sensitive files
queryFrequency: 15m
severity: High
kind: Scheduled
entityMappings:
- fieldMappings:
- columnName: FileCustomEntity
identifier: Name
entityType: File
- fieldMappings:
- columnName: UrlCustomEntity
identifier: Url
entityType: URL
relevantTechniques:
- T1189
query: |
let forbidden_files = dynamic(['shadow', 'passwd', 'hosts', 'id_rsa']);
OracleWebLogicServerEvent
| extend File = extract(@'(.*\/)?(.*)', 2, tostring(UrlOriginal))
| where isnotempty(File)
| where File in~ (forbidden_files)
| extend FileCustomEntity = File, UrlCustomEntity = UrlOriginal
requiredDataConnectors:
- dataTypes:
- OracleWebLogicServer_CL
connectorId: CustomLogsAma
