Microsoft Sentinel Analytic Rules
cloudbrothers.infoAzure Sentinel RepoToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeBack to homepage

NGINX - Put file and get file from same IP address

Back
Ide04fa38e-9fb7-438d-887a-381d5dd235e6
RulenameNGINX - Put file and get file from same IP address
DescriptionDetects put or get files from one source in short timeframe'
SeverityMedium
TacticsInitialAccess
TechniquesT1190
T1133
Required data connectorsCustomLogsAma
NGINXHTTPServer
KindScheduled
Query frequency1h
Query period1h
Trigger threshold0
Trigger operatorgt
Source Urihttps://github.com/Azure/Azure-Sentinel/blob/master/Solutions/NGINX HTTP Server/Analytic Rules/NGINXPutAndGetFileFromSameIP.yaml
Version1.0.1
Arm templatee04fa38e-9fb7-438d-887a-381d5dd235e6.json
Deploy To Azure
let p = NGINXHTTPServer
| where HttpRequestMethod in~ ('POST', 'PUT')
| sort by EventStartTime asc
| summarize post_time=min(EventStartTime) by SrcIpAddr, tostring(UrlOriginal);
NGINXHTTPServer
| where HttpRequestMethod =~ 'GET'
| sort by EventStartTime asc
| summarize get_time=min(EventStartTime) by SrcIpAddr, tostring(UrlOriginal)
| join kind=innerunique (p) on UrlOriginal, SrcIpAddr
| extend second = datetime_diff('second',get_time,post_time)
| where second between (1 .. 300)
| project second, post_time, get_time, SrcIpAddr, UrlOriginal
| extend IPCustomEntity = SrcIpAddr, UrlCustomEntity = tostring(UrlOriginal)
description: |
    'Detects put or get files from one source in short timeframe' 
queryPeriod: 1h
name: NGINX - Put file and get file from same IP address
triggerThreshold: 0
tactics:
- InitialAccess
severity: Medium
kind: Scheduled
entityMappings:
- entityType: IP
  fieldMappings:
  - identifier: Address
    columnName: IPCustomEntity
- entityType: URL
  fieldMappings:
  - identifier: Url
    columnName: UrlCustomEntity
queryFrequency: 1h
triggerOperator: gt
id: e04fa38e-9fb7-438d-887a-381d5dd235e6
status: Available
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/NGINX HTTP Server/Analytic Rules/NGINXPutAndGetFileFromSameIP.yaml
version: 1.0.1
query: |
  let p = NGINXHTTPServer
  | where HttpRequestMethod in~ ('POST', 'PUT')
  | sort by EventStartTime asc
  | summarize post_time=min(EventStartTime) by SrcIpAddr, tostring(UrlOriginal);
  NGINXHTTPServer
  | where HttpRequestMethod =~ 'GET'
  | sort by EventStartTime asc
  | summarize get_time=min(EventStartTime) by SrcIpAddr, tostring(UrlOriginal)
  | join kind=innerunique (p) on UrlOriginal, SrcIpAddr
  | extend second = datetime_diff('second',get_time,post_time)
  | where second between (1 .. 300)
  | project second, post_time, get_time, SrcIpAddr, UrlOriginal
  | extend IPCustomEntity = SrcIpAddr, UrlCustomEntity = tostring(UrlOriginal)  
requiredDataConnectors:
- connectorId: NGINXHTTPServer
  dataTypes:
  - NGINXHTTPServer
- connectorId: CustomLogsAma
  dataTypes:
  - NGINX_CL
relevantTechniques:
- T1190
- T1133
{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "workspace": {
      "type": "String"
    }
  },
  "resources": [
    {
      "apiVersion": "2024-01-01-preview",
      "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/e04fa38e-9fb7-438d-887a-381d5dd235e6')]",
      "kind": "Scheduled",
      "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/e04fa38e-9fb7-438d-887a-381d5dd235e6')]",
      "properties": {
        "alertRuleTemplateName": "e04fa38e-9fb7-438d-887a-381d5dd235e6",
        "customDetails": null,
        "description": "'Detects put or get files from one source in short timeframe' \n",
        "displayName": "NGINX - Put file and get file from same IP address",
        "enabled": true,
        "entityMappings": [
          {
            "entityType": "IP",
            "fieldMappings": [
              {
                "columnName": "IPCustomEntity",
                "identifier": "Address"
              }
            ]
          },
          {
            "entityType": "URL",
            "fieldMappings": [
              {
                "columnName": "UrlCustomEntity",
                "identifier": "Url"
              }
            ]
          }
        ],
        "OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/NGINX HTTP Server/Analytic Rules/NGINXPutAndGetFileFromSameIP.yaml",
        "query": "let p = NGINXHTTPServer\n| where HttpRequestMethod in~ ('POST', 'PUT')\n| sort by EventStartTime asc\n| summarize post_time=min(EventStartTime) by SrcIpAddr, tostring(UrlOriginal);\nNGINXHTTPServer\n| where HttpRequestMethod =~ 'GET'\n| sort by EventStartTime asc\n| summarize get_time=min(EventStartTime) by SrcIpAddr, tostring(UrlOriginal)\n| join kind=innerunique (p) on UrlOriginal, SrcIpAddr\n| extend second = datetime_diff('second',get_time,post_time)\n| where second between (1 .. 300)\n| project second, post_time, get_time, SrcIpAddr, UrlOriginal\n| extend IPCustomEntity = SrcIpAddr, UrlCustomEntity = tostring(UrlOriginal)\n",
        "queryFrequency": "PT1H",
        "queryPeriod": "PT1H",
        "severity": "Medium",
        "status": "Available",
        "subTechniques": [],
        "suppressionDuration": "PT1H",
        "suppressionEnabled": false,
        "tactics": [
          "InitialAccess"
        ],
        "techniques": [
          "T1133",
          "T1190"
        ],
        "templateVersion": "1.0.1",
        "triggerOperator": "GreaterThan",
        "triggerThreshold": 0
      },
      "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules"
    }
  ]
}