Microsoft Sentinel Analytic Rules
cloudbrothers.infoAzure Sentinel RepoToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeBack to homepage

Oracle suspicious command execution

Back
Ide6c5ff42-0f42-4cec-994a-dabb92fe36e1
RulenameOracle suspicious command execution
DescriptionThe query searches process creation events that are indicative of an attacker spawning OS commands from an Oracle database.
SeverityMedium
TacticsLateralMovement
PrivilegeEscalation
TechniquesT1210
T1611
Required data connectorsMicrosoftThreatProtection
KindScheduled
Query frequency1h
Query period1h
Trigger threshold0
Trigger operatorgt
Source Urihttps://github.com/Azure/Azure-Sentinel/blob/master/Solutions/FalconFriday/Analytic Rules/OracleSuspiciousCommandExecution.yaml
Version1.0.0
Arm templatee6c5ff42-0f42-4cec-994a-dabb92fe36e1.json
Deploy To Azure
let timeframe= 1h;
DeviceProcessEvents
| where Timestamp >= ago(timeframe)
| where InitiatingProcessFileName =~ "oracle.exe"
| where not(FileName in~ ("conhost.exe", "oradim.exe"))
// Begin allow-list.
// End allow-list.
status: Available
id: e6c5ff42-0f42-4cec-994a-dabb92fe36e1
query: |
  let timeframe= 1h;
  DeviceProcessEvents
  | where Timestamp >= ago(timeframe)
  | where InitiatingProcessFileName =~ "oracle.exe"
  | where not(FileName in~ ("conhost.exe", "oradim.exe"))
  // Begin allow-list.
  // End allow-list.  
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/FalconFriday/Analytic Rules/OracleSuspiciousCommandExecution.yaml
description: |
    The query searches process creation events that are indicative of an attacker spawning OS commands from an Oracle database.
name: Oracle suspicious command execution
relevantTechniques:
- T1210
- T1611
entityMappings:
- entityType: Host
  fieldMappings:
  - identifier: FullName
    columnName: DeviceName
- entityType: Account
  fieldMappings:
  - identifier: Sid
    columnName: AccountSid
  - identifier: Name
    columnName: AccountName
  - identifier: NTDomain
    columnName: AccountDomain
- entityType: Process
  fieldMappings:
  - identifier: CommandLine
    columnName: ProcessCommandLine
triggerThreshold: 0
severity: Medium
requiredDataConnectors:
- dataTypes:
  - DeviceProcessEvents
  connectorId: MicrosoftThreatProtection
queryFrequency: 1h
queryPeriod: 1h
version: 1.0.0
kind: Scheduled
tactics:
- LateralMovement
- PrivilegeEscalation
triggerOperator: gt
{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "workspace": {
      "type": "String"
    }
  },
  "resources": [
    {
      "apiVersion": "2024-01-01-preview",
      "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/e6c5ff42-0f42-4cec-994a-dabb92fe36e1')]",
      "kind": "Scheduled",
      "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/e6c5ff42-0f42-4cec-994a-dabb92fe36e1')]",
      "properties": {
        "alertRuleTemplateName": "e6c5ff42-0f42-4cec-994a-dabb92fe36e1",
        "customDetails": null,
        "description": "The query searches process creation events that are indicative of an attacker spawning OS commands from an Oracle database.\n",
        "displayName": "Oracle suspicious command execution",
        "enabled": true,
        "entityMappings": [
          {
            "entityType": "Host",
            "fieldMappings": [
              {
                "columnName": "DeviceName",
                "identifier": "FullName"
              }
            ]
          },
          {
            "entityType": "Account",
            "fieldMappings": [
              {
                "columnName": "AccountSid",
                "identifier": "Sid"
              },
              {
                "columnName": "AccountName",
                "identifier": "Name"
              },
              {
                "columnName": "AccountDomain",
                "identifier": "NTDomain"
              }
            ]
          },
          {
            "entityType": "Process",
            "fieldMappings": [
              {
                "columnName": "ProcessCommandLine",
                "identifier": "CommandLine"
              }
            ]
          }
        ],
        "OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/FalconFriday/Analytic Rules/OracleSuspiciousCommandExecution.yaml",
        "query": "let timeframe= 1h;\nDeviceProcessEvents\n| where Timestamp >= ago(timeframe)\n| where InitiatingProcessFileName =~ \"oracle.exe\"\n| where not(FileName in~ (\"conhost.exe\", \"oradim.exe\"))\n// Begin allow-list.\n// End allow-list.\n",
        "queryFrequency": "PT1H",
        "queryPeriod": "PT1H",
        "severity": "Medium",
        "status": "Available",
        "subTechniques": [],
        "suppressionDuration": "PT1H",
        "suppressionEnabled": false,
        "tactics": [
          "LateralMovement",
          "PrivilegeEscalation"
        ],
        "techniques": [
          "T1210",
          "T1611"
        ],
        "templateVersion": "1.0.0",
        "triggerOperator": "GreaterThan",
        "triggerThreshold": 0
      },
      "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules"
    }
  ]
}