Microsoft Sentinel Analytic Rules
cloudbrothers.infoAzure Sentinel RepoToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeBack to homepage
  1. Microsoft Sentinel Analytics Rules
  2. /
  3. Analytic Rules
  4. /
  5. Oracle - Put suspicious file

Oracle - Put suspicious file

Back
Idedc2f2b4-573f-11ec-bf63-0242ac130002
RulenameOracle - Put suspicious file
DescriptionDetects PUT or POST of suspicious file
SeverityMedium
TacticsInitialAccess
Exfiltration
TechniquesT1190
T1133
T1048
Required data connectorsCustomLogsAma
OracleWebLogicServer
KindScheduled
Query frequency1h
Query period1h
Trigger threshold0
Trigger operatorgt
Source Urihttps://github.com/Azure/Azure-Sentinel/blob/master/Solutions/OracleWebLogicServer/Analytic Rules/OracleWebLogicPutSuspiciousFiles.yaml
Version1.0.2
Arm templateedc2f2b4-573f-11ec-bf63-0242ac130002.json
Deploy To Azure
OracleWebLogicServerEvent
| where HttpRequestMethod in~ ("POST", "PUT") 
| extend File = extract(@"(.*\/)?(.*)", 2, tostring(UrlOriginal))
| where isnotempty(File)
| where File matches regex @"([a-zA-Z0-9-_]+\.)([a-zA-Z0-9-]+\.[a-zA-Z0-9-]+)"
| extend IPCustomEntity = SrcIpAddr, FileCustomEntity = File, UrlCustomEntity = UrlOriginal

relevantTechniques:
- T1190
- T1133
- T1048
name: Oracle - Put suspicious file
requiredDataConnectors:
- dataTypes:
  - OracleWebLogicServerEvent
  connectorId: OracleWebLogicServer
- dataTypes:
  - OracleWebLogicServer_CL
  connectorId: CustomLogsAma
entityMappings:
- fieldMappings:
  - identifier: Name
    columnName: FileCustomEntity
  entityType: File
- fieldMappings:
  - identifier: Url
    columnName: UrlCustomEntity
  entityType: URL
- fieldMappings:
  - identifier: Address
    columnName: IPCustomEntity
  entityType: IP
triggerThreshold: 0
id: edc2f2b4-573f-11ec-bf63-0242ac130002
tactics:
- InitialAccess
- Exfiltration
version: 1.0.2
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/OracleWebLogicServer/Analytic Rules/OracleWebLogicPutSuspiciousFiles.yaml
queryPeriod: 1h
kind: Scheduled
queryFrequency: 1h
severity: Medium
status: Available
description: |
    'Detects PUT or POST of suspicious file'
query: |
  OracleWebLogicServerEvent
  | where HttpRequestMethod in~ ("POST", "PUT") 
  | extend File = extract(@"(.*\/)?(.*)", 2, tostring(UrlOriginal))
  | where isnotempty(File)
  | where File matches regex @"([a-zA-Z0-9-_]+\.)([a-zA-Z0-9-]+\.[a-zA-Z0-9-]+)"
  | extend IPCustomEntity = SrcIpAddr, FileCustomEntity = File, UrlCustomEntity = UrlOriginal  
triggerOperator: gt

{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "workspace": {
      "type": "String"
    }
  },
  "resources": [
    {
      "apiVersion": "2024-01-01-preview",
      "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/edc2f2b4-573f-11ec-bf63-0242ac130002')]",
      "kind": "Scheduled",
      "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/edc2f2b4-573f-11ec-bf63-0242ac130002')]",
      "properties": {
        "alertRuleTemplateName": "edc2f2b4-573f-11ec-bf63-0242ac130002",
        "customDetails": null,
        "description": "'Detects PUT or POST of suspicious file'\n",
        "displayName": "Oracle - Put suspicious file",
        "enabled": true,
        "entityMappings": [
          {
            "entityType": "File",
            "fieldMappings": [
              {
                "columnName": "FileCustomEntity",
                "identifier": "Name"
              }
            ]
          },
          {
            "entityType": "URL",
            "fieldMappings": [
              {
                "columnName": "UrlCustomEntity",
                "identifier": "Url"
              }
            ]
          },
          {
            "entityType": "IP",
            "fieldMappings": [
              {
                "columnName": "IPCustomEntity",
                "identifier": "Address"
              }
            ]
          }
        ],
        "OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/OracleWebLogicServer/Analytic Rules/OracleWebLogicPutSuspiciousFiles.yaml",
        "query": "OracleWebLogicServerEvent\n| where HttpRequestMethod in~ (\"POST\", \"PUT\") \n| extend File = extract(@\"(.*\\/)?(.*)\", 2, tostring(UrlOriginal))\n| where isnotempty(File)\n| where File matches regex @\"([a-zA-Z0-9-_]+\\.)([a-zA-Z0-9-]+\\.[a-zA-Z0-9-]+)\"\n| extend IPCustomEntity = SrcIpAddr, FileCustomEntity = File, UrlCustomEntity = UrlOriginal\n",
        "queryFrequency": "PT1H",
        "queryPeriod": "PT1H",
        "severity": "Medium",
        "status": "Available",
        "subTechniques": [],
        "suppressionDuration": "PT1H",
        "suppressionEnabled": false,
        "tactics": [
          "Exfiltration",
          "InitialAccess"
        ],
        "techniques": [
          "T1048",
          "T1133",
          "T1190"
        ],
        "templateVersion": "1.0.2",
        "triggerOperator": "GreaterThan",
        "triggerThreshold": 0
      },
      "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules"
    }
  ]
}