Apache - Put suspicious file
| Id | c5d69e46-3b00-11ec-8d3d-0242ac130003 |
| Rulename | Apache - Put suspicious file |
| Description | Detects PUT or POST of suspicious file |
| Severity | Medium |
| Tactics | InitialAccess Exfiltration |
| Techniques | T1190 T1133 T1048 |
| Required data connectors | CustomLogsAma |
| Kind | Scheduled |
| Query frequency | 1h |
| Query period | 1h |
| Trigger threshold | 0 |
| Trigger operator | gt |
| Source Uri | https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/ApacheHTTPServer/Analytic Rules/ApachePutSuspiciousFiles.yaml |
| Version | 1.0.2 |
| Arm template | c5d69e46-3b00-11ec-8d3d-0242ac130003.json |
ApacheHTTPServer
| where HttpRequestMethod in~ ("POST", "PUT")
| extend File = extract(@"(.*\/)?(.*)", 2, tostring(UrlOriginal))
| where isnotempty(File)
| where File matches regex @"([a-zA-Z0-9-_]+\.)([a-zA-Z0-9-]+\.[a-zA-Z0-9-]+)"
| extend FileCustomEntity = File, UrlCustomEntity = UrlOriginal
queryPeriod: 1h
query: |
ApacheHTTPServer
| where HttpRequestMethod in~ ("POST", "PUT")
| extend File = extract(@"(.*\/)?(.*)", 2, tostring(UrlOriginal))
| where isnotempty(File)
| where File matches regex @"([a-zA-Z0-9-_]+\.)([a-zA-Z0-9-]+\.[a-zA-Z0-9-]+)"
| extend FileCustomEntity = File, UrlCustomEntity = UrlOriginal
name: Apache - Put suspicious file
entityMappings:
- fieldMappings:
- columnName: FileCustomEntity
identifier: Name
entityType: File
- fieldMappings:
- columnName: UrlCustomEntity
identifier: Url
entityType: URL
queryFrequency: 1h
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/ApacheHTTPServer/Analytic Rules/ApachePutSuspiciousFiles.yaml
requiredDataConnectors:
- connectorId: CustomLogsAma
datatypes:
- ApacheHTTPServer_CL
description: |
'Detects PUT or POST of suspicious file'
kind: Scheduled
version: 1.0.2
status: Available
severity: Medium
relevantTechniques:
- T1190
- T1133
- T1048
triggerOperator: gt
triggerThreshold: 0
tactics:
- InitialAccess
- Exfiltration
id: c5d69e46-3b00-11ec-8d3d-0242ac130003