Microsoft Sentinel Analytic Rules
cloudbrothers.infoAzure Sentinel RepoToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeBack to homepage

Oracle - Put suspicious file

Back
Idedc2f2b4-573f-11ec-bf63-0242ac130002
RulenameOracle - Put suspicious file
DescriptionDetects PUT or POST of suspicious file
SeverityMedium
TacticsInitialAccess
Exfiltration
TechniquesT1190
T1133
T1048
Required data connectorsCustomLogsAma
OracleWebLogicServer
KindScheduled
Query frequency1h
Query period1h
Trigger threshold0
Trigger operatorgt
Source Urihttps://github.com/Azure/Azure-Sentinel/blob/master/Solutions/OracleWebLogicServer/Analytic Rules/OracleWebLogicPutSuspiciousFiles.yaml
Version1.0.2
Arm templateedc2f2b4-573f-11ec-bf63-0242ac130002.json
Deploy To Azure
OracleWebLogicServerEvent
| where HttpRequestMethod in~ ("POST", "PUT") 
| extend File = extract(@"(.*\/)?(.*)", 2, tostring(UrlOriginal))
| where isnotempty(File)
| where File matches regex @"([a-zA-Z0-9-_]+\.)([a-zA-Z0-9-]+\.[a-zA-Z0-9-]+)"
| extend IPCustomEntity = SrcIpAddr, FileCustomEntity = File, UrlCustomEntity = UrlOriginal
version: 1.0.2
severity: Medium
queryFrequency: 1h
triggerOperator: gt
relevantTechniques:
- T1190
- T1133
- T1048
status: Available
kind: Scheduled
triggerThreshold: 0
query: |
  OracleWebLogicServerEvent
  | where HttpRequestMethod in~ ("POST", "PUT") 
  | extend File = extract(@"(.*\/)?(.*)", 2, tostring(UrlOriginal))
  | where isnotempty(File)
  | where File matches regex @"([a-zA-Z0-9-_]+\.)([a-zA-Z0-9-]+\.[a-zA-Z0-9-]+)"
  | extend IPCustomEntity = SrcIpAddr, FileCustomEntity = File, UrlCustomEntity = UrlOriginal  
entityMappings:
- fieldMappings:
  - columnName: FileCustomEntity
    identifier: Name
  entityType: File
- fieldMappings:
  - columnName: UrlCustomEntity
    identifier: Url
  entityType: URL
- fieldMappings:
  - columnName: IPCustomEntity
    identifier: Address
  entityType: IP
name: Oracle - Put suspicious file
queryPeriod: 1h
description: |
    'Detects PUT or POST of suspicious file'
requiredDataConnectors:
- dataTypes:
  - OracleWebLogicServerEvent
  connectorId: OracleWebLogicServer
- dataTypes:
  - OracleWebLogicServer_CL
  connectorId: CustomLogsAma
id: edc2f2b4-573f-11ec-bf63-0242ac130002
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/OracleWebLogicServer/Analytic Rules/OracleWebLogicPutSuspiciousFiles.yaml
tactics:
- InitialAccess
- Exfiltration
{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "workspace": {
      "type": "String"
    }
  },
  "resources": [
    {
      "apiVersion": "2024-01-01-preview",
      "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/edc2f2b4-573f-11ec-bf63-0242ac130002')]",
      "kind": "Scheduled",
      "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/edc2f2b4-573f-11ec-bf63-0242ac130002')]",
      "properties": {
        "alertRuleTemplateName": "edc2f2b4-573f-11ec-bf63-0242ac130002",
        "customDetails": null,
        "description": "'Detects PUT or POST of suspicious file'\n",
        "displayName": "Oracle - Put suspicious file",
        "enabled": true,
        "entityMappings": [
          {
            "entityType": "File",
            "fieldMappings": [
              {
                "columnName": "FileCustomEntity",
                "identifier": "Name"
              }
            ]
          },
          {
            "entityType": "URL",
            "fieldMappings": [
              {
                "columnName": "UrlCustomEntity",
                "identifier": "Url"
              }
            ]
          },
          {
            "entityType": "IP",
            "fieldMappings": [
              {
                "columnName": "IPCustomEntity",
                "identifier": "Address"
              }
            ]
          }
        ],
        "OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/OracleWebLogicServer/Analytic Rules/OracleWebLogicPutSuspiciousFiles.yaml",
        "query": "OracleWebLogicServerEvent\n| where HttpRequestMethod in~ (\"POST\", \"PUT\") \n| extend File = extract(@\"(.*\\/)?(.*)\", 2, tostring(UrlOriginal))\n| where isnotempty(File)\n| where File matches regex @\"([a-zA-Z0-9-_]+\\.)([a-zA-Z0-9-]+\\.[a-zA-Z0-9-]+)\"\n| extend IPCustomEntity = SrcIpAddr, FileCustomEntity = File, UrlCustomEntity = UrlOriginal\n",
        "queryFrequency": "PT1H",
        "queryPeriod": "PT1H",
        "severity": "Medium",
        "status": "Available",
        "subTechniques": [],
        "suppressionDuration": "PT1H",
        "suppressionEnabled": false,
        "tactics": [
          "Exfiltration",
          "InitialAccess"
        ],
        "techniques": [
          "T1048",
          "T1133",
          "T1190"
        ],
        "templateVersion": "1.0.2",
        "triggerOperator": "GreaterThan",
        "triggerThreshold": 0
      },
      "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules"
    }
  ]
}