Microsoft Sentinel Analytic Rules
cloudbrothers.infoAzure Sentinel RepoToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeBack to homepage
  1. Microsoft Sentinel Analytics Rules
  2. /
  3. Analytic Rules
  4. /
  5. Oracle suspicious command execution

Oracle suspicious command execution

Back
Ide6c5ff42-0f42-4cec-994a-dabb92fe36e1
RulenameOracle suspicious command execution
DescriptionThe query searches process creation events that are indicative of an attacker spawning OS commands from an Oracle database.
SeverityMedium
TacticsLateralMovement
PrivilegeEscalation
TechniquesT1210
T1611
Required data connectorsMicrosoftThreatProtection
KindScheduled
Query frequency1h
Query period1h
Trigger threshold0
Trigger operatorgt
Source Urihttps://github.com/Azure/Azure-Sentinel/blob/master/Solutions/FalconFriday/Analytic Rules/OracleSuspiciousCommandExecution.yaml
Version1.0.0
Arm templatee6c5ff42-0f42-4cec-994a-dabb92fe36e1.json
Deploy To Azure
let timeframe= 1h;
DeviceProcessEvents
| where Timestamp >= ago(timeframe)
| where InitiatingProcessFileName =~ "oracle.exe"
| where not(FileName in~ ("conhost.exe", "oradim.exe"))
// Begin allow-list.
// End allow-list.

relevantTechniques:
- T1210
- T1611
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/FalconFriday/Analytic Rules/OracleSuspiciousCommandExecution.yaml
triggerOperator: gt
kind: Scheduled
entityMappings:
- fieldMappings:
  - columnName: DeviceName
    identifier: FullName
  entityType: Host
- fieldMappings:
  - columnName: AccountSid
    identifier: Sid
  - columnName: AccountName
    identifier: Name
  - columnName: AccountDomain
    identifier: NTDomain
  entityType: Account
- fieldMappings:
  - columnName: ProcessCommandLine
    identifier: CommandLine
  entityType: Process
requiredDataConnectors:
- dataTypes:
  - DeviceProcessEvents
  connectorId: MicrosoftThreatProtection
queryPeriod: 1h
query: |
  let timeframe= 1h;
  DeviceProcessEvents
  | where Timestamp >= ago(timeframe)
  | where InitiatingProcessFileName =~ "oracle.exe"
  | where not(FileName in~ ("conhost.exe", "oradim.exe"))
  // Begin allow-list.
  // End allow-list.  
version: 1.0.0
description: |
    The query searches process creation events that are indicative of an attacker spawning OS commands from an Oracle database.
tactics:
- LateralMovement
- PrivilegeEscalation
severity: Medium
name: Oracle suspicious command execution
queryFrequency: 1h
triggerThreshold: 0
status: Available
id: e6c5ff42-0f42-4cec-994a-dabb92fe36e1

{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "workspace": {
      "type": "String"
    }
  },
  "resources": [
    {
      "apiVersion": "2023-02-01-preview",
      "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/e6c5ff42-0f42-4cec-994a-dabb92fe36e1')]",
      "kind": "Scheduled",
      "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/e6c5ff42-0f42-4cec-994a-dabb92fe36e1')]",
      "properties": {
        "alertRuleTemplateName": "e6c5ff42-0f42-4cec-994a-dabb92fe36e1",
        "customDetails": null,
        "description": "The query searches process creation events that are indicative of an attacker spawning OS commands from an Oracle database.\n",
        "displayName": "Oracle suspicious command execution",
        "enabled": true,
        "entityMappings": [
          {
            "entityType": "Host",
            "fieldMappings": [
              {
                "columnName": "DeviceName",
                "identifier": "FullName"
              }
            ]
          },
          {
            "entityType": "Account",
            "fieldMappings": [
              {
                "columnName": "AccountSid",
                "identifier": "Sid"
              },
              {
                "columnName": "AccountName",
                "identifier": "Name"
              },
              {
                "columnName": "AccountDomain",
                "identifier": "NTDomain"
              }
            ]
          },
          {
            "entityType": "Process",
            "fieldMappings": [
              {
                "columnName": "ProcessCommandLine",
                "identifier": "CommandLine"
              }
            ]
          }
        ],
        "OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/FalconFriday/Analytic Rules/OracleSuspiciousCommandExecution.yaml",
        "query": "let timeframe= 1h;\nDeviceProcessEvents\n| where Timestamp >= ago(timeframe)\n| where InitiatingProcessFileName =~ \"oracle.exe\"\n| where not(FileName in~ (\"conhost.exe\", \"oradim.exe\"))\n// Begin allow-list.\n// End allow-list.\n",
        "queryFrequency": "PT1H",
        "queryPeriod": "PT1H",
        "severity": "Medium",
        "status": "Available",
        "suppressionDuration": "PT1H",
        "suppressionEnabled": false,
        "tactics": [
          "LateralMovement",
          "PrivilegeEscalation"
        ],
        "techniques": [
          "T1210",
          "T1611"
        ],
        "templateVersion": "1.0.0",
        "triggerOperator": "GreaterThan",
        "triggerThreshold": 0
      },
      "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules"
    }
  ]
}