Microsoft Sentinel Analytic Rules
cloudbrothers.infoAzure Sentinel RepoToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeBack to homepage

Oracle suspicious command execution

Back
Ide6c5ff42-0f42-4cec-994a-dabb92fe36e1
RulenameOracle suspicious command execution
DescriptionThe query searches process creation events that are indicative of an attacker spawning OS commands from an Oracle database.
SeverityMedium
TacticsLateralMovement
PrivilegeEscalation
TechniquesT1210
T1611
Required data connectorsMicrosoftThreatProtection
KindScheduled
Query frequency1h
Query period1h
Trigger threshold0
Trigger operatorgt
Source Urihttps://github.com/Azure/Azure-Sentinel/blob/master/Solutions/FalconFriday/Analytic Rules/OracleSuspiciousCommandExecution.yaml
Version1.0.0
Arm templatee6c5ff42-0f42-4cec-994a-dabb92fe36e1.json
Deploy To Azure
let timeframe= 1h;
DeviceProcessEvents
| where Timestamp >= ago(timeframe)
| where InitiatingProcessFileName =~ "oracle.exe"
| where not(FileName in~ ("conhost.exe", "oradim.exe"))
// Begin allow-list.
// End allow-list.
kind: Scheduled
status: Available
requiredDataConnectors:
- dataTypes:
  - DeviceProcessEvents
  connectorId: MicrosoftThreatProtection
queryFrequency: 1h
version: 1.0.0
id: e6c5ff42-0f42-4cec-994a-dabb92fe36e1
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/FalconFriday/Analytic Rules/OracleSuspiciousCommandExecution.yaml
relevantTechniques:
- T1210
- T1611
query: |
  let timeframe= 1h;
  DeviceProcessEvents
  | where Timestamp >= ago(timeframe)
  | where InitiatingProcessFileName =~ "oracle.exe"
  | where not(FileName in~ ("conhost.exe", "oradim.exe"))
  // Begin allow-list.
  // End allow-list.  
name: Oracle suspicious command execution
entityMappings:
- fieldMappings:
  - columnName: DeviceName
    identifier: FullName
  entityType: Host
- fieldMappings:
  - columnName: AccountSid
    identifier: Sid
  - columnName: AccountName
    identifier: Name
  - columnName: AccountDomain
    identifier: NTDomain
  entityType: Account
- fieldMappings:
  - columnName: ProcessCommandLine
    identifier: CommandLine
  entityType: Process
severity: Medium
triggerThreshold: 0
tactics:
- LateralMovement
- PrivilegeEscalation
queryPeriod: 1h
description: |
    The query searches process creation events that are indicative of an attacker spawning OS commands from an Oracle database.
triggerOperator: gt
{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "workspace": {
      "type": "String"
    }
  },
  "resources": [
    {
      "apiVersion": "2024-01-01-preview",
      "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/e6c5ff42-0f42-4cec-994a-dabb92fe36e1')]",
      "kind": "Scheduled",
      "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/e6c5ff42-0f42-4cec-994a-dabb92fe36e1')]",
      "properties": {
        "alertRuleTemplateName": "e6c5ff42-0f42-4cec-994a-dabb92fe36e1",
        "customDetails": null,
        "description": "The query searches process creation events that are indicative of an attacker spawning OS commands from an Oracle database.\n",
        "displayName": "Oracle suspicious command execution",
        "enabled": true,
        "entityMappings": [
          {
            "entityType": "Host",
            "fieldMappings": [
              {
                "columnName": "DeviceName",
                "identifier": "FullName"
              }
            ]
          },
          {
            "entityType": "Account",
            "fieldMappings": [
              {
                "columnName": "AccountSid",
                "identifier": "Sid"
              },
              {
                "columnName": "AccountName",
                "identifier": "Name"
              },
              {
                "columnName": "AccountDomain",
                "identifier": "NTDomain"
              }
            ]
          },
          {
            "entityType": "Process",
            "fieldMappings": [
              {
                "columnName": "ProcessCommandLine",
                "identifier": "CommandLine"
              }
            ]
          }
        ],
        "OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/FalconFriday/Analytic Rules/OracleSuspiciousCommandExecution.yaml",
        "query": "let timeframe= 1h;\nDeviceProcessEvents\n| where Timestamp >= ago(timeframe)\n| where InitiatingProcessFileName =~ \"oracle.exe\"\n| where not(FileName in~ (\"conhost.exe\", \"oradim.exe\"))\n// Begin allow-list.\n// End allow-list.\n",
        "queryFrequency": "PT1H",
        "queryPeriod": "PT1H",
        "severity": "Medium",
        "status": "Available",
        "subTechniques": [],
        "suppressionDuration": "PT1H",
        "suppressionEnabled": false,
        "tactics": [
          "LateralMovement",
          "PrivilegeEscalation"
        ],
        "techniques": [
          "T1210",
          "T1611"
        ],
        "templateVersion": "1.0.0",
        "triggerOperator": "GreaterThan",
        "triggerThreshold": 0
      },
      "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules"
    }
  ]
}