Microsoft Sentinel Analytic Rules
cloudbrothers.infoAzure Sentinel RepoToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeBack to homepage

Apache - Put suspicious file

Back
Idc5d69e46-3b00-11ec-8d3d-0242ac130003
RulenameApache - Put suspicious file
DescriptionDetects PUT or POST of suspicious file
SeverityMedium
TacticsInitialAccess
Exfiltration
TechniquesT1190
T1133
T1048
Required data connectorsApacheHTTPServer
CustomLogsAma
KindScheduled
Query frequency1h
Query period1h
Trigger threshold0
Trigger operatorgt
Source Urihttps://github.com/Azure/Azure-Sentinel/blob/master/Solutions/ApacheHTTPServer/Analytic Rules/ApachePutSuspiciousFiles.yaml
Version1.0.1
Arm templatec5d69e46-3b00-11ec-8d3d-0242ac130003.json
Deploy To Azure
ApacheHTTPServer
| where HttpRequestMethod in~ ("POST", "PUT") 
| extend File = extract(@"(.*\/)?(.*)", 2, tostring(UrlOriginal))
| where isnotempty(File)
| where File matches regex @"([a-zA-Z0-9-_]+\.)([a-zA-Z0-9-]+\.[a-zA-Z0-9-]+)"
| extend FileCustomEntity = File, UrlCustomEntity = UrlOriginal
queryPeriod: 1h
version: 1.0.1
tactics:
- InitialAccess
- Exfiltration
queryFrequency: 1h
id: c5d69e46-3b00-11ec-8d3d-0242ac130003
triggerOperator: gt
requiredDataConnectors:
- dataTypes:
  - ApacheHTTPServer
  connectorId: ApacheHTTPServer
- datatypes:
  - ApacheHTTPServer_CL
  connectorId: CustomLogsAma
severity: Medium
entityMappings:
- entityType: File
  fieldMappings:
  - columnName: FileCustomEntity
    identifier: Name
- entityType: URL
  fieldMappings:
  - columnName: UrlCustomEntity
    identifier: Url
triggerThreshold: 0
relevantTechniques:
- T1190
- T1133
- T1048
query: |
  ApacheHTTPServer
  | where HttpRequestMethod in~ ("POST", "PUT") 
  | extend File = extract(@"(.*\/)?(.*)", 2, tostring(UrlOriginal))
  | where isnotempty(File)
  | where File matches regex @"([a-zA-Z0-9-_]+\.)([a-zA-Z0-9-]+\.[a-zA-Z0-9-]+)"
  | extend FileCustomEntity = File, UrlCustomEntity = UrlOriginal  
kind: Scheduled
name: Apache - Put suspicious file
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/ApacheHTTPServer/Analytic Rules/ApachePutSuspiciousFiles.yaml
description: |
    'Detects PUT or POST of suspicious file'
status: Available
{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "workspace": {
      "type": "String"
    }
  },
  "resources": [
    {
      "apiVersion": "2024-01-01-preview",
      "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/c5d69e46-3b00-11ec-8d3d-0242ac130003')]",
      "kind": "Scheduled",
      "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/c5d69e46-3b00-11ec-8d3d-0242ac130003')]",
      "properties": {
        "alertRuleTemplateName": "c5d69e46-3b00-11ec-8d3d-0242ac130003",
        "customDetails": null,
        "description": "'Detects PUT or POST of suspicious file'\n",
        "displayName": "Apache - Put suspicious file",
        "enabled": true,
        "entityMappings": [
          {
            "entityType": "File",
            "fieldMappings": [
              {
                "columnName": "FileCustomEntity",
                "identifier": "Name"
              }
            ]
          },
          {
            "entityType": "URL",
            "fieldMappings": [
              {
                "columnName": "UrlCustomEntity",
                "identifier": "Url"
              }
            ]
          }
        ],
        "OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/ApacheHTTPServer/Analytic Rules/ApachePutSuspiciousFiles.yaml",
        "query": "ApacheHTTPServer\n| where HttpRequestMethod in~ (\"POST\", \"PUT\") \n| extend File = extract(@\"(.*\\/)?(.*)\", 2, tostring(UrlOriginal))\n| where isnotempty(File)\n| where File matches regex @\"([a-zA-Z0-9-_]+\\.)([a-zA-Z0-9-]+\\.[a-zA-Z0-9-]+)\"\n| extend FileCustomEntity = File, UrlCustomEntity = UrlOriginal\n",
        "queryFrequency": "PT1H",
        "queryPeriod": "PT1H",
        "severity": "Medium",
        "status": "Available",
        "subTechniques": [],
        "suppressionDuration": "PT1H",
        "suppressionEnabled": false,
        "tactics": [
          "Exfiltration",
          "InitialAccess"
        ],
        "techniques": [
          "T1048",
          "T1133",
          "T1190"
        ],
        "templateVersion": "1.0.1",
        "triggerOperator": "GreaterThan",
        "triggerThreshold": 0
      },
      "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules"
    }
  ]
}