let forbidden_files = dynamic(['shadow', 'passwd', 'hosts', 'id_rsa']);
OracleWebLogicServerEvent
| extend File = extract(@'(.*\/)?(.*)', 2, tostring(UrlOriginal))
| where isnotempty(File)
| where File in~ (forbidden_files)
| extend FileCustomEntity = File, UrlCustomEntity = UrlOriginal
entityMappings:
- fieldMappings:
- identifier: Name
columnName: FileCustomEntity
entityType: File
- fieldMappings:
- identifier: Url
columnName: UrlCustomEntity
entityType: URL
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/OracleWebLogicServer/Analytic Rules/OracleWebLogicRequestToSensitiveFiles.yaml
queryFrequency: 15m
triggerOperator: gt
queryPeriod: 15m
query: |
let forbidden_files = dynamic(['shadow', 'passwd', 'hosts', 'id_rsa']);
OracleWebLogicServerEvent
| extend File = extract(@'(.*\/)?(.*)', 2, tostring(UrlOriginal))
| where isnotempty(File)
| where File in~ (forbidden_files)
| extend FileCustomEntity = File, UrlCustomEntity = UrlOriginal
relevantTechniques:
- T1189
version: 1.0.3
tactics:
- InitialAccess
severity: High
name: Oracle - Request to sensitive files
requiredDataConnectors:
- dataTypes:
- OracleWebLogicServer_CL
connectorId: CustomLogsAma
triggerThreshold: 0
kind: Scheduled
status: Available
description: |
'Detects request to sensitive files.'
id: 9cc9ed36-573f-11ec-bf63-0242ac130002
