corelight_http
| where method in~ ('POST', 'PUT')
| where toint(status_code) between (200 .. 299)
| where request_body_len != 0 or response_body_len != 0
| extend fe = extract(@'.*(\.\w+)$', 1, uri)
| where fe in~ ('.jpg', '.jpeg', '.gif', '.png', '.icon', '.ico', '.xml', '.swf', '.svg', '.ppt', '.pttx', '.doc', '.docx', '.rtf', '.pdf', '.tif', '.zip', '.mov')
id: f3245aa1-1ca1-471c-a0b7-97ea6b791d5d
requiredDataConnectors:
- dataTypes:
- Corelight_v2_http
- corelight_http
connectorId: Corelight
name: Corelight - Possible Webshell
version: 2.1.0
query: |
corelight_http
| where method in~ ('POST', 'PUT')
| where toint(status_code) between (200 .. 299)
| where request_body_len != 0 or response_body_len != 0
| extend fe = extract(@'.*(\.\w+)$', 1, uri)
| where fe in~ ('.jpg', '.jpeg', '.gif', '.png', '.icon', '.ico', '.xml', '.swf', '.svg', '.ppt', '.pttx', '.doc', '.docx', '.rtf', '.pdf', '.tif', '.zip', '.mov')
entityMappings:
- fieldMappings:
- identifier: Address
columnName: id_orig_h
entityType: IP
relevantTechniques:
- T1505
tactics:
- Persistence
triggerThreshold: 0
queryPeriod: 1h
queryFrequency: 1h
severity: Medium
kind: Scheduled
triggerOperator: gt
status: Available
description: |
'Detects post requests to unusual extensions.'
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Corelight/Analytic Rules/CorelightPossibleWebshell.yaml
