Apache - Put suspicious file
| Id | c5d69e46-3b00-11ec-8d3d-0242ac130003 |
| Rulename | Apache - Put suspicious file |
| Description | Detects PUT or POST of suspicious file |
| Severity | Medium |
| Tactics | InitialAccess Exfiltration |
| Techniques | T1190 T1133 T1048 |
| Required data connectors | CustomLogsAma |
| Kind | Scheduled |
| Query frequency | 1h |
| Query period | 1h |
| Trigger threshold | 0 |
| Trigger operator | gt |
| Source Uri | https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/ApacheHTTPServer/Analytic Rules/ApachePutSuspiciousFiles.yaml |
| Version | 1.0.2 |
| Arm template | c5d69e46-3b00-11ec-8d3d-0242ac130003.json |
ApacheHTTPServer
| where HttpRequestMethod in~ ("POST", "PUT")
| extend File = extract(@"(.*\/)?(.*)", 2, tostring(UrlOriginal))
| where isnotempty(File)
| where File matches regex @"([a-zA-Z0-9-_]+\.)([a-zA-Z0-9-]+\.[a-zA-Z0-9-]+)"
| extend FileCustomEntity = File, UrlCustomEntity = UrlOriginal
name: Apache - Put suspicious file
relevantTechniques:
- T1190
- T1133
- T1048
id: c5d69e46-3b00-11ec-8d3d-0242ac130003
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/ApacheHTTPServer/Analytic Rules/ApachePutSuspiciousFiles.yaml
requiredDataConnectors:
- datatypes:
- ApacheHTTPServer_CL
connectorId: CustomLogsAma
version: 1.0.2
severity: Medium
triggerThreshold: 0
queryPeriod: 1h
entityMappings:
- fieldMappings:
- identifier: Name
columnName: FileCustomEntity
entityType: File
- fieldMappings:
- identifier: Url
columnName: UrlCustomEntity
entityType: URL
queryFrequency: 1h
status: Available
query: |
ApacheHTTPServer
| where HttpRequestMethod in~ ("POST", "PUT")
| extend File = extract(@"(.*\/)?(.*)", 2, tostring(UrlOriginal))
| where isnotempty(File)
| where File matches regex @"([a-zA-Z0-9-_]+\.)([a-zA-Z0-9-]+\.[a-zA-Z0-9-]+)"
| extend FileCustomEntity = File, UrlCustomEntity = UrlOriginal
tactics:
- InitialAccess
- Exfiltration
kind: Scheduled
description: |
'Detects PUT or POST of suspicious file'
triggerOperator: gt