Microsoft Sentinel Analytic Rules
cloudbrothers.infoAzure Sentinel RepoToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeBack to homepage

Oracle suspicious command execution

Back
Ide6c5ff42-0f42-4cec-994a-dabb92fe36e1
RulenameOracle suspicious command execution
DescriptionThe query searches process creation events that are indicative of an attacker spawning OS commands from an Oracle database.
SeverityMedium
TacticsLateralMovement
PrivilegeEscalation
TechniquesT1210
T1611
Required data connectorsMicrosoftThreatProtection
KindScheduled
Query frequency1h
Query period1h
Trigger threshold0
Trigger operatorgt
Source Urihttps://github.com/Azure/Azure-Sentinel/blob/master/Solutions/FalconFriday/Analytic Rules/OracleSuspiciousCommandExecution.yaml
Version1.0.0
Arm templatee6c5ff42-0f42-4cec-994a-dabb92fe36e1.json
Deploy To Azure
let timeframe= 1h;
DeviceProcessEvents
| where Timestamp >= ago(timeframe)
| where InitiatingProcessFileName =~ "oracle.exe"
| where not(FileName in~ ("conhost.exe", "oradim.exe"))
// Begin allow-list.
// End allow-list.
queryPeriod: 1h
entityMappings:
- fieldMappings:
  - identifier: FullName
    columnName: DeviceName
  entityType: Host
- fieldMappings:
  - identifier: Sid
    columnName: AccountSid
  - identifier: Name
    columnName: AccountName
  - identifier: NTDomain
    columnName: AccountDomain
  entityType: Account
- fieldMappings:
  - identifier: CommandLine
    columnName: ProcessCommandLine
  entityType: Process
relevantTechniques:
- T1210
- T1611
severity: Medium
requiredDataConnectors:
- connectorId: MicrosoftThreatProtection
  dataTypes:
  - DeviceProcessEvents
id: e6c5ff42-0f42-4cec-994a-dabb92fe36e1
triggerOperator: gt
kind: Scheduled
query: |
  let timeframe= 1h;
  DeviceProcessEvents
  | where Timestamp >= ago(timeframe)
  | where InitiatingProcessFileName =~ "oracle.exe"
  | where not(FileName in~ ("conhost.exe", "oradim.exe"))
  // Begin allow-list.
  // End allow-list.  
tactics:
- LateralMovement
- PrivilegeEscalation
triggerThreshold: 0
queryFrequency: 1h
status: Available
description: |
    The query searches process creation events that are indicative of an attacker spawning OS commands from an Oracle database.
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/FalconFriday/Analytic Rules/OracleSuspiciousCommandExecution.yaml
name: Oracle suspicious command execution
version: 1.0.0
{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "workspace": {
      "type": "String"
    }
  },
  "resources": [
    {
      "apiVersion": "2024-01-01-preview",
      "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/e6c5ff42-0f42-4cec-994a-dabb92fe36e1')]",
      "kind": "Scheduled",
      "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/e6c5ff42-0f42-4cec-994a-dabb92fe36e1')]",
      "properties": {
        "alertRuleTemplateName": "e6c5ff42-0f42-4cec-994a-dabb92fe36e1",
        "customDetails": null,
        "description": "The query searches process creation events that are indicative of an attacker spawning OS commands from an Oracle database.\n",
        "displayName": "Oracle suspicious command execution",
        "enabled": true,
        "entityMappings": [
          {
            "entityType": "Host",
            "fieldMappings": [
              {
                "columnName": "DeviceName",
                "identifier": "FullName"
              }
            ]
          },
          {
            "entityType": "Account",
            "fieldMappings": [
              {
                "columnName": "AccountSid",
                "identifier": "Sid"
              },
              {
                "columnName": "AccountName",
                "identifier": "Name"
              },
              {
                "columnName": "AccountDomain",
                "identifier": "NTDomain"
              }
            ]
          },
          {
            "entityType": "Process",
            "fieldMappings": [
              {
                "columnName": "ProcessCommandLine",
                "identifier": "CommandLine"
              }
            ]
          }
        ],
        "OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/FalconFriday/Analytic Rules/OracleSuspiciousCommandExecution.yaml",
        "query": "let timeframe= 1h;\nDeviceProcessEvents\n| where Timestamp >= ago(timeframe)\n| where InitiatingProcessFileName =~ \"oracle.exe\"\n| where not(FileName in~ (\"conhost.exe\", \"oradim.exe\"))\n// Begin allow-list.\n// End allow-list.\n",
        "queryFrequency": "PT1H",
        "queryPeriod": "PT1H",
        "severity": "Medium",
        "status": "Available",
        "subTechniques": [],
        "suppressionDuration": "PT1H",
        "suppressionEnabled": false,
        "tactics": [
          "LateralMovement",
          "PrivilegeEscalation"
        ],
        "techniques": [
          "T1210",
          "T1611"
        ],
        "templateVersion": "1.0.0",
        "triggerOperator": "GreaterThan",
        "triggerThreshold": 0
      },
      "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules"
    }
  ]
}