Oracle suspicious command execution

let timeframe= 1h;
DeviceProcessEvents
| where Timestamp >= ago(timeframe)
| where InitiatingProcessFileName =~ "oracle.exe"
| where not(FileName in~ ("conhost.exe", "oradim.exe"))
// Begin allow-list.
// End allow-list.

triggerThreshold: 0
entityMappings:
- entityType: Host
  fieldMappings:
  - identifier: FullName
    columnName: DeviceName
- entityType: Account
  fieldMappings:
  - identifier: Sid
    columnName: AccountSid
  - identifier: Name
    columnName: AccountName
  - identifier: NTDomain
    columnName: AccountDomain
- entityType: Process
  fieldMappings:
  - identifier: CommandLine
    columnName: ProcessCommandLine
requiredDataConnectors:
- dataTypes:
  - DeviceProcessEvents
  connectorId: MicrosoftThreatProtection
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/FalconFriday/Analytic Rules/OracleSuspiciousCommandExecution.yaml
name: Oracle suspicious command execution
relevantTechniques:
- T1210
- T1611
status: Available
version: 1.0.0
queryPeriod: 1h
kind: Scheduled
id: e6c5ff42-0f42-4cec-994a-dabb92fe36e1
query: |
  let timeframe= 1h;
  DeviceProcessEvents
  | where Timestamp >= ago(timeframe)
  | where InitiatingProcessFileName =~ "oracle.exe"
  | where not(FileName in~ ("conhost.exe", "oradim.exe"))
  // Begin allow-list.
  // End allow-list.  
description: |
    The query searches process creation events that are indicative of an attacker spawning OS commands from an Oracle database.
queryFrequency: 1h
severity: Medium
triggerOperator: gt
tactics:
- LateralMovement
- PrivilegeEscalation