Oracle - Put suspicious file

Back


Id	edc2f2b4-573f-11ec-bf63-0242ac130002
Rulename	Oracle - Put suspicious file
Description	Detects PUT or POST of suspicious file
Severity	Medium
Tactics	InitialAccess Exfiltration
Techniques	T1190 T1133 T1048
Required data connectors	OracleWebLogicServer
Kind	Scheduled
Query frequency	1h
Query period	1h
Trigger threshold	0
Trigger operator	gt
Source Uri	https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/OracleWebLogicServer/Analytic Rules/OracleWebLogicPutSuspiciousFiles.yaml
Version	1.0.1
Arm template	edc2f2b4-573f-11ec-bf63-0242ac130002.json

KQL

OracleWebLogicServerEvent
| where HttpRequestMethod in~ ("POST", "PUT") 
| extend File = extract(@"(.*\/)?(.*)", 2, tostring(UrlOriginal))
| where isnotempty(File)
| where File matches regex @"([a-zA-Z0-9-_]+\.)([a-zA-Z0-9-]+\.[a-zA-Z0-9-]+)"
| extend IPCustomEntity = SrcIpAddr, FileCustomEntity = File, UrlCustomEntity = UrlOriginal

YAML

entityMappings:
- entityType: File
  fieldMappings:
  - columnName: FileCustomEntity
    identifier: Name
- entityType: URL
  fieldMappings:
  - columnName: UrlCustomEntity
    identifier: Url
- entityType: IP
  fieldMappings:
  - columnName: IPCustomEntity
    identifier: Address
requiredDataConnectors:
- dataTypes:
  - OracleWebLogicServerEvent
  connectorId: OracleWebLogicServer
queryPeriod: 1h
query: |
  OracleWebLogicServerEvent
  | where HttpRequestMethod in~ ("POST", "PUT") 
  | extend File = extract(@"(.*\/)?(.*)", 2, tostring(UrlOriginal))
  | where isnotempty(File)
  | where File matches regex @"([a-zA-Z0-9-_]+\.)([a-zA-Z0-9-]+\.[a-zA-Z0-9-]+)"
  | extend IPCustomEntity = SrcIpAddr, FileCustomEntity = File, UrlCustomEntity = UrlOriginal  
description: |
    'Detects PUT or POST of suspicious file'
version: 1.0.1
name: Oracle - Put suspicious file
relevantTechniques:
- T1190
- T1133
- T1048
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/OracleWebLogicServer/Analytic Rules/OracleWebLogicPutSuspiciousFiles.yaml
kind: Scheduled
status: Available
queryFrequency: 1h
severity: Medium
tactics:
- InitialAccess
- Exfiltration
triggerOperator: gt
id: edc2f2b4-573f-11ec-bf63-0242ac130002
triggerThreshold: 0

ARM

{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "workspace": {
      "type": "String"
    }
  },
  "resources": [
    {
      "apiVersion": "2023-02-01-preview",
      "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/edc2f2b4-573f-11ec-bf63-0242ac130002')]",
      "kind": "Scheduled",
      "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/edc2f2b4-573f-11ec-bf63-0242ac130002')]",
      "properties": {
        "alertRuleTemplateName": "edc2f2b4-573f-11ec-bf63-0242ac130002",
        "customDetails": null,
        "description": "'Detects PUT or POST of suspicious file'\n",
        "displayName": "Oracle - Put suspicious file",
        "enabled": true,
        "entityMappings": [
          {
            "entityType": "File",
            "fieldMappings": [
              {
                "columnName": "FileCustomEntity",
                "identifier": "Name"
              }
            ]
          },
          {
            "entityType": "URL",
            "fieldMappings": [
              {
                "columnName": "UrlCustomEntity",
                "identifier": "Url"
              }
            ]
          },
          {
            "entityType": "IP",
            "fieldMappings": [
              {
                "columnName": "IPCustomEntity",
                "identifier": "Address"
              }
            ]
          }
        ],
        "OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/OracleWebLogicServer/Analytic Rules/OracleWebLogicPutSuspiciousFiles.yaml",
        "query": "OracleWebLogicServerEvent\n| where HttpRequestMethod in~ (\"POST\", \"PUT\") \n| extend File = extract(@\"(.*\\/)?(.*)\", 2, tostring(UrlOriginal))\n| where isnotempty(File)\n| where File matches regex @\"([a-zA-Z0-9-_]+\\.)([a-zA-Z0-9-]+\\.[a-zA-Z0-9-]+)\"\n| extend IPCustomEntity = SrcIpAddr, FileCustomEntity = File, UrlCustomEntity = UrlOriginal\n",
        "queryFrequency": "PT1H",
        "queryPeriod": "PT1H",
        "severity": "Medium",
        "status": "Available",
        "suppressionDuration": "PT1H",
        "suppressionEnabled": false,
        "tactics": [
          "Exfiltration",
          "InitialAccess"
        ],
        "techniques": [
          "T1048",
          "T1133",
          "T1190"
        ],
        "templateVersion": "1.0.1",
        "triggerOperator": "GreaterThan",
        "triggerThreshold": 0
      },
      "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules"
    }
  ]
}