Back Id 61f995d7-8038-4ff0-ad2b-eccfd18fcc8c Rulename OCI - Discovery activity Description Detects possible discovery activity. Severity Medium Tactics Discovery Techniques T1580 Required data connectors OracleCloudInfrastructureLogsConnector Kind Scheduled Query frequency 1h Query period 1h Trigger threshold 0 Trigger operator gt Source Uri https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Oracle Cloud Infrastructure/Analytic Rules/OCIDiscoveryActivity.yaml Version 1.0.0 Arm template 61f995d7-8038-4ff0-ad2b-eccfd18fcc8c.json
KQL let threshold = 20; OCILogs | where data_eventName_s startswith 'List' or data_eventName_s startswith 'Get' | summarize count() by data_definedTags_Oracle_Tags_CreatedBy_s, bin(TimeGenerated, 10m) | where count_ > threshold | extend AccountCustomEntity = data_definedTags_Oracle_Tags_CreatedBy_s YAML relevantTechniques: - T1580 name: OCI - Discovery activity query: | let threshold = 20; OCILogs | where data_eventName_s startswith 'List' or data_eventName_s startswith 'Get' | summarize count() by data_definedTags_Oracle_Tags_CreatedBy_s, bin(TimeGenerated, 10m) | where count_ > threshold | extend AccountCustomEntity = data_definedTags_Oracle_Tags_CreatedBy_s queryPeriod: 1h tactics: - Discovery triggerOperator: gt requiredDataConnectors: - dataTypes: - OCILogs connectorId: OracleCloudInfrastructureLogsConnector entityMappings: - entityType: Account fieldMappings: - columnName: AccountCustomEntity identifier: Name id: 61f995d7-8038-4ff0-ad2b-eccfd18fcc8c description: | 'Detects possible discovery activity. Back Id 31b15699-0b55-4246-851e-93f9cefb6f5c Rulename OCI - Event rule deleted Description Detects when an event rule was deleted. Severity High Tactics DefenseEvasion Techniques T1070 Required data connectors OracleCloudInfrastructureLogsConnector Kind Scheduled Query frequency 1h Query period 1h Trigger threshold 0 Trigger operator gt Source Uri https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Oracle Cloud Infrastructure/Analytic Rules/OCIEventRuleDeleted.yaml Version 1.0.1 Arm template 31b15699-0b55-4246-851e-93f9cefb6f5c.json
KQL OCILogs | where data_eventName_s =~ 'DeleteRule' | extend IPCustomEntity = SrcIpAddr YAML relevantTechniques: - T1070 name: OCI - Event rule deleted query: | OCILogs | where data_eventName_s =~ 'DeleteRule' | extend IPCustomEntity = SrcIpAddr queryPeriod: 1h tactics: - DefenseEvasion triggerOperator: gt requiredDataConnectors: - dataTypes: - OCILogs connectorId: OracleCloudInfrastructureLogsConnector entityMappings: - entityType: IP fieldMappings: - columnName: IPCustomEntity identifier: Address id: 31b15699-0b55-4246-851e-93f9cefb6f5c description: | 'Detects when an event rule was deleted. Back Id eb6e07a1-2895-4c55-9c27-ac84294f0e46 Rulename OCI - Inbound SSH connection Description Detects inbound SSH connection. Severity Medium Tactics InitialAccess Techniques T1190 Required data connectors OracleCloudInfrastructureLogsConnector Kind Scheduled Query frequency 1h Query period 1h Trigger threshold 0 Trigger operator gt Source Uri https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Oracle Cloud Infrastructure/Analytic Rules/OCIInboundSSHConnection.yaml Version 1.0.0 Arm template eb6e07a1-2895-4c55-9c27-ac84294f0e46.json
KQL OCILogs | where EventType contains 'vcn.flowlogs' | where data_action_s =~ 'ACCEPT' | where ipv4_is_private(DstIpAddr) | where ipv4_is_private(SrcIpAddr) == False | where DstPortNumber == 22 | extend IPCustomEntity = DstIpAddr YAML relevantTechniques: - T1190 name: OCI - Inbound SSH connection query: | OCILogs | where EventType contains 'vcn. Back Id 9c4b1b9c-6462-41ce-8f2e-ce8c104331fc Rulename OCI - Insecure metadata endpoint Description Detects successful requests to the v1 instance metadata endpoint (/opc/v1 or /openstack paths). Severity High Tactics Discovery Techniques T1069 Required data connectors OracleCloudInfrastructureLogsConnector Kind Scheduled Query frequency 1h Query period 1h Trigger threshold 0 Trigger operator gt Source Uri https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Oracle Cloud Infrastructure/Analytic Rules/OCIInsecureMetadataEndpoint.yaml Version 1.0.1 Arm template 9c4b1b9c-6462-41ce-8f2e-ce8c104331fc.json
KQL OCILogs | where data_request_headers_oci_original_url_s contains '/opc/v1' or data_request_headers_oci_original_url_s contains '/openstack' | where HttpStatusCode == 200 | extend IPCustomEntity = DstIpAddr YAML relevantTechniques: - T1069 name: OCI - Insecure metadata endpoint query: | OCILogs | where data_request_headers_oci_original_url_s contains '/opc/v1' or data_request_headers_oci_original_url_s contains '/openstack' | where HttpStatusCode == 200 | extend IPCustomEntity = DstIpAddr queryPeriod: 1h tactics: - Discovery triggerOperator: gt requiredDataConnectors: - dataTypes: - OCILogs connectorId: OracleCloudInfrastructureLogsConnector entityMappings: - entityType: IP fieldMappings: - columnName: IPCustomEntity identifier: Address id: 9c4b1b9c-6462-41ce-8f2e-ce8c104331fc description: | 'Detects successful requests to the v1 instance metadata endpoint (/opc/v1 or /openstack paths). Back Id a55b4bbe-a014-4ae9-a50d-441ba5e98b65 Rulename OCI - Instance metadata access Description Detects instance metadata access. Severity Medium Tactics Discovery Techniques T1069 Required data connectors OracleCloudInfrastructureLogsConnector Kind Scheduled Query frequency 1h Query period 1h Trigger threshold 0 Trigger operator gt Source Uri https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Oracle Cloud Infrastructure/Analytic Rules/OCIMetadataEndpointIpAccess.yaml Version 1.0.0 Arm template a55b4bbe-a014-4ae9-a50d-441ba5e98b65.json
KQL OCILogs | where EventType contains 'vcn.flowlogs' | where data_action_s =~ 'ACCEPT' | where DstIpAddr == '169.254.169.254' | extend IPCustomEntity = SrcIpAddr YAML relevantTechniques: - T1069 name: OCI - Instance metadata access query: | OCILogs | where EventType contains 'vcn. Back Id a79cf2b9-a511-4282-ba5d-812e14b07831 Rulename OCI - Multiple instances launched Description Detects when multiple instances were launched. Severity Medium Tactics Impact Techniques T1496 Required data connectors OracleCloudInfrastructureLogsConnector Kind Scheduled Query frequency 1h Query period 1h Trigger threshold 0 Trigger operator gt Source Uri https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Oracle Cloud Infrastructure/Analytic Rules/OCIMultipleInstancesLaunched.yaml Version 1.0.0 Arm template a79cf2b9-a511-4282-ba5d-812e14b07831.json
KQL let threshold = 5; OCILogs | where data_eventName_s =~ 'LaunchInstance' | summarize count() by SrcIpAddr, bin(TimeGenerated, 10m) | where count_ >= threshold | extend IPCustomEntity = SrcIpAddr YAML relevantTechniques: - T1496 name: OCI - Multiple instances launched query: | let threshold = 5; OCILogs | where data_eventName_s =~ 'LaunchInstance' | summarize count() by SrcIpAddr, bin(TimeGenerated, 10m) | where count_ >= threshold | extend IPCustomEntity = SrcIpAddr queryPeriod: 1h tactics: - Impact triggerOperator: gt requiredDataConnectors: - dataTypes: - OCILogs connectorId: OracleCloudInfrastructureLogsConnector entityMappings: - entityType: IP fieldMappings: - columnName: IPCustomEntity identifier: Address id: a79cf2b9-a511-4282-ba5d-812e14b07831 description: | 'Detects when multiple instances were launched. Back Id 252e651d-d825-480c-bdeb-8b239354577d Rulename OCI - Multiple instances terminated Description Detects when multiple instances were terminated. Severity High Tactics Impact Techniques T1529 Required data connectors OracleCloudInfrastructureLogsConnector Kind Scheduled Query frequency 1h Query period 1h Trigger threshold 0 Trigger operator gt Source Uri https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Oracle Cloud Infrastructure/Analytic Rules/OCIMultipleInstancesTerminated.yaml Version 1.0.1 Arm template 252e651d-d825-480c-bdeb-8b239354577d.json
KQL let threshold = 5; OCILogs | where data_eventName_s =~ 'TerminateInstance' | summarize count() by SrcIpAddr, bin(TimeGenerated, 10m) | where count_ >= threshold | extend IPCustomEntity = SrcIpAddr YAML relevantTechniques: - T1529 name: OCI - Multiple instances terminated query: | let threshold = 5; OCILogs | where data_eventName_s =~ 'TerminateInstance' | summarize count() by SrcIpAddr, bin(TimeGenerated, 10m) | where count_ >= threshold | extend IPCustomEntity = SrcIpAddr queryPeriod: 1h tactics: - Impact triggerOperator: gt requiredDataConnectors: - dataTypes: - OCILogs connectorId: OracleCloudInfrastructureLogsConnector entityMappings: - entityType: IP fieldMappings: - columnName: IPCustomEntity identifier: Address id: 252e651d-d825-480c-bdeb-8b239354577d description: | 'Detects when multiple instances were terminated. Back Id 482c24b9-a700-4b2a-85d3-1c42110ba78c Rulename OCI - Multiple rejects on rare ports Description Detects multiple rejects on rare ports. Severity Medium Tactics Reconnaissance Techniques T1595 Required data connectors OracleCloudInfrastructureLogsConnector Kind Scheduled Query frequency 1h Query period 14d Trigger threshold 0 Trigger operator gt Source Uri https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Oracle Cloud Infrastructure/Analytic Rules/OCIMultipleRejects.yaml Version 1.0.0 Arm template 482c24b9-a700-4b2a-85d3-1c42110ba78c.json
KQL let threshold = 50; let r_dports = OCILogs | where EventType contains 'vcn.flowlogs' | where ipv4_is_private(DstIpAddr) | where ipv4_is_private(SrcIpAddr) == False | summarize count() by DstPortNumber | top 10 by count_ asc | summarize dports = makeset(DstPortNumber) | extend k = 1; OCILogs | where EventType contains 'vcn. Back Id e087d4fb-af0b-4e08-a067-b9ba9e5f8840 Rulename OCI - SSH scanner Description Detects possible SSH scanning activity. Severity High Tactics Reconnaissance Techniques T1595 Required data connectors OracleCloudInfrastructureLogsConnector Kind Scheduled Query frequency 1h Query period 1h Trigger threshold 0 Trigger operator gt Source Uri https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Oracle Cloud Infrastructure/Analytic Rules/OCISSHScan.yaml Version 1.0.1 Arm template e087d4fb-af0b-4e08-a067-b9ba9e5f8840.json
KQL let threshold = 5; OCILogs | where EventType contains 'vcn.flowlogs' | where data_action_s =~ 'REJECT' | where ipv4_is_private(DstIpAddr) | where ipv4_is_private(SrcIpAddr) == False | where DstPortNumber == 22 | summarize p_count = dcount(DstIpAddr) by SrcIpAddr, bin(TimeGenerated, 5m) | where p_count > threshold | extend IPCustomEntity = SrcIpAddr YAML relevantTechniques: - T1595 name: OCI - SSH scanner query: | let threshold = 5; OCILogs | where EventType contains 'vcn. Back Id a0b9a7ca-3e6d-4996-ae35-759df1d67a54 Rulename OCI - Unexpected user agent Description Detects unexpectedly short user agent strings (10 characters or fewer). Severity Medium Tactics InitialAccess Techniques T1190 Required data connectors OracleCloudInfrastructureLogsConnector Kind Scheduled Query frequency 1h Query period 1h Trigger threshold 0 Trigger operator gt Source Uri https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Oracle Cloud Infrastructure/Analytic Rules/OCIUnexpectedUserAgent.yaml Version 1.0.0 Arm template a0b9a7ca-3e6d-4996-ae35-759df1d67a54.json
KQL OCILogs | where isnotempty(HttpUserAgentOriginal) | where strlen(HttpUserAgentOriginal) <= 10 | extend IPCustomEntity = SrcIpAddr YAML relevantTechniques: - T1190 name: OCI - Unexpected user agent query: | OCILogs | where isnotempty(HttpUserAgentOriginal) | where strlen(HttpUserAgentOriginal) <= 10 | extend IPCustomEntity = SrcIpAddr queryPeriod: 1h tactics: - InitialAccess triggerOperator: gt requiredDataConnectors: - dataTypes: - OCILogs connectorId: OracleCloudInfrastructureLogsConnector entityMappings: - entityType: IP fieldMappings: - columnName: IPCustomEntity identifier: Address id: a0b9a7ca-3e6d-4996-ae35-759df1d67a54 description: | 'Detects unexpectedly short user agent strings (10 characters or fewer).