Merge pull request #3511 from socprime/tomcat_content

add tomcat content
This commit is contained in:
NikTripathi 2022-04-22 12:57:36 +05:30 коммит произвёл GitHub
Родитель f526357399 bafe2bd24f
Коммит 4b730c8c76
Не найден ключ, соответствующий данной подписи
Идентификатор ключа GPG: 4AEE18F83AFDEB23
26 изменённых файлов: 1112 добавлений и 0 удалений


@ -0,0 +1,77 @@
{
"name": "TomcatEvent",
"Properties": [
{
"Name": "TimeGenerated",
"Type": "DateTime"
},
{
"Name": "EventProduct",
"Type": "String"
},
{
"Name": "EventType",
"Type": "String"
},
{
"Name": "EventSeverity",
"Type": "String"
},
{
"Name": "EventStartTime",
"Type": "DateTime"
},
{
"Name": "SrcIpAddr",
"Type": "String"
},
{
"Name": "ClientIdentity",
"Type": "String"
},
{
"Name": "SrcUserName",
"Type": "String"
},
{
"Name": "HttpRequestMethod",
"Type": "String"
},
{
"Name": "UrlOriginal",
"Type": "String"
},
{
"Name": "HttpVersion",
"Type": "String"
},
{
"Name": "HttpStatusCode",
"Type": "Int32"
},
{
"Name": "HttpResponseBodyBytes",
"Type": "Double"
},
{
"Name": "HttpReferrerOriginal",
"Type": "String"
},
{
"Name": "HttpUserAgentOriginal",
"Type": "String"
},
{
"Name": "ClassName",
"Type": "String"
},
{
"Name": "DvcAction",
"Type": "String"
},
{
"Name": "EventMessage",
"Type": "String"
}
]
}


@ -8,6 +8,7 @@
"AlsidForAD",
"Armorblox",
"ApacheHTTPServer",
"ApacheTomcat",
"ARGOSCloudSecurity",
"AristaAwakeSecurity",
"ASimDnsActivityLogs",


@ -0,0 +1,30 @@
id: 91f59cea-486f-11ec-81d3-0242ac130003
name: Tomcat - Commands in URI
description: |
'Detects commands in URI'
severity: High
requiredDataConnectors:
- connectorId: ApacheTomcat
dataTypes:
- TomcatEvent
queryFrequency: 1h
queryPeriod: 1h
triggerOperator: gt
triggerThreshold: 0
tactics:
- InitialAccess
relevantTechniques:
- T1190
- T1133
query: |
let commands = dynamic(['cat%20/etc/passwd', '/etc/passwd', 'ping -i', '/usr/bin/id(', '%2f%75%73%72%2f%62%69%6e%2f%69%64', 'phpinfo()', '%70%68%70%69%6e%66%6f%28%29', ';id', '%3b%69%64', '/bin/bash -c', '%2f%62%69%6e%2f%62%61%73%68%20%2d%63%27', '/bin/bash', '%2f%62%69%6e%2f%62%61%73%68', 'sleep(', '%73%6c%65%65%70%28', 'curl', '%63%75%72%6c', '&dir', '%26%64%69%72', '& dir', '%26%20%64%69%72', '<script>', '%3c%73%63%72%69%70%74%3e', 'eval(', '%65%76%61%6c%28', 'exec(', '%65%78%65%63%28', 'whoami', '%77%68%6f%61%6d%69', 'wget', 'python', 'gcc', 'uname', 'systeminfo', '%70%79%74%68%6f%6e', '%75%6e%61%6d%65', '%73%79%73%74%65%6d%69%6e%66%6f']);
TomcatEvent
| where UrlOriginal has_any (commands)
| extend UrlCustomEntity = UrlOriginal
entityMappings:
- entityType: URL
fieldMappings:
- identifier: Url
columnName: UrlCustomEntity
version: 1.0.0
kind: Scheduled
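Review bot: The match at `| where UrlOriginal has_any (commands)` tries to cover URL encoding by hand-listing hex-encoded twins of each pattern, which covers only one encoding form per pattern and has already drifted (`/etc/passwd` and `cat%20/etc/passwd` have no encoded twin while `curl` does). Decoding once and matching the plain list is smaller and catches more: `| extend DecodedUrl = url_decode(UrlOriginal)` followed by `| where DecodedUrl has_any (commands) or UrlOriginal has_any (commands)`, after which the `%xx` entries can be dropped. Bare tokens such as `python`, `curl`, `gcc` and `uname` will also match ordinary paths like `/docs/python/` because `has_any` matches whole terms anywhere in the URL, so at High severity with `triggerThreshold: 0` expect noise; projecting `HttpStatusCode` and mapping `SrcIpAddr` as an `IP` entity would at least let an analyst see whether the request succeeded and from where. `T1133` (External Remote Services) does not describe command injection in a URI; `T1059` looks like the closer technique, though the mapping is the author's call.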


@ -0,0 +1,30 @@
id: 5e77a818-5825-4ff6-a901-80891c4774d1
name: Tomcat - Known malicious user agent
description: |
'Detects known malicious user agents'
severity: High
requiredDataConnectors:
- connectorId: ApacheTomcat
dataTypes:
- TomcatEvent
queryFrequency: 1h
queryPeriod: 1h
triggerOperator: gt
triggerThreshold: 0
tactics:
- InitialAccess
relevantTechniques:
- T1190
- T1133
query: |
let malicious_ua = dynamic(['Nikto', 'hydra', '.nasl', 'absinthe', 'advanced email extractor', 'arachni', 'autogetcontent', 'bilbo', 'BFAC', 'brutus', 'brutus/aet', 'bsqlbf', 'cgichk', 'cisco-torch', 'commix', 'core-project', 'crimscanner', 'datacha0s', 'dirbuster', 'domino hunter', 'dotdotpwn', 'email extractor', 'fhscan core', 'floodgate', 'get-minimal', 'gootkit auto-rooter scanner', 'grabber', 'grendel-scan', 'havij', 'inspath', 'internet ninja', 'jaascois', 'zmeu', 'masscan', 'metis', 'morfeus', 'mysqloit', 'n-stealth', 'nessus', 'netsparker', 'nmap nse', 'nmap scripting engine', 'nmap-nse', 'nsauditor', 'openvas', 'pangolin', 'paros', 'pmafind', 'prog.customcrawler', 'qualys was', 's.t.a.l.k.e.r.', 'security scan', 'springenwerk', 'sql power injector', 'sqlmap', 'sqlninja', 'teh forest lobster', 'this is an exploit', 'toata dragostea', 'toata dragostea mea pentru diavola', 'uil2pn', 'vega', 'voideye', 'w3af.sf.net', 'w3af.sourceforge.net', 'w3af.org', 'webbandit', 'webinspect', 'webshag', 'webtrends security analyzer', 'webvulnscan', 'whatweb', 'whcc', 'wordpress hash grabber', 'xmlrpc exploit', 'WPScan', 'XSpider', 'SF/', 'FooBar/42', 'ScanAlert', 'Webscanner', 'Webster', 'fantomCrew', 'fantomBrowser', 'visvo', 'magereport', 'ltx71', 'websiteprotection', 'BigCliqueBOT', 'BOT for JCE']);
TomcatEvent
| where HttpUserAgentOriginal has_any (malicious_ua)
| extend MalwareCustomEntity = HttpUserAgentOriginal
entityMappings:
- entityType: Malware
fieldMappings:
- identifier: Name
columnName: MalwareCustomEntity
version: 1.0.0
kind: Scheduled
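Review bot: The only entity mapped is the user-agent string as a `Malware` entity (`MalwareCustomEntity`), so an incident from this rule carries no source address to pivot on even though `SrcIpAddr` is present in every row. Change the last query line to `| extend MalwareCustomEntity = HttpUserAgentOriginal, IPCustomEntity = SrcIpAddr` and add an `IP`/`Address` mapping on `IPCustomEntity` under `entityMappings`. Several list entries are ordinary words or very short tokens (`vega`, `grabber`, `metis`, `bilbo`, `Webster`, `SF/`), and `has_any` matches whole terms case-insensitively anywhere in the string, so a legitimate UA containing one of those words raises a High-severity alert; keeping those on a separate lower-severity list would reduce the noise. A user agent is not malware, so the `Malware` entity type is a stretch; if the intent is only to surface the string, a plain column plus the IP entity is cleaner.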


@ -0,0 +1,32 @@
id: 4fa66058-4870-11ec-81d3-0242ac130003
name: Tomcat - Multiple client errors from single IP address
description: |
'Detects multiple client errors from one source in short timeframe'
severity: Medium
requiredDataConnectors:
- connectorId: ApacheTomcat
dataTypes:
- TomcatEvent
queryFrequency: 1h
queryPeriod: 1h
triggerOperator: gt
triggerThreshold: 0
tactics:
- InitialAccess
relevantTechniques:
- T1190
- T1133
query: |
let threshold = 100;
TomcatEvent
| where HttpStatusCode >= 400 and HttpStatusCode <= 499
| summarize MultipleClientErrors = count() by SrcIpAddr, bin(TimeGenerated, 5m)
| where MultipleClientErrors > threshold
| extend IPCustomEntity = SrcIpAddr
entityMappings:
- entityType: IP
fieldMappings:
- identifier: Address
columnName: IPCustomEntity
version: 1.0.0
kind: Scheduled
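Review bot: The 5-minute buckets at `bin(TimeGenerated, 5m)` are keyed on ingestion time, while the sibling rules in this PR (put/get correlation, server-errors-after-requests) bucket on `EventStartTime`; if the agent ships the access log in batches, many events share one `TimeGenerated` and the per-5m count no longer reflects the client's actual request rate. Use `bin(EventStartTime, 5m)` here for consistency, or state in `description` why ingestion time is intended. Fixed bins also split a burst that straddles a boundary into two counts that may each stay below `threshold`; that is acceptable for a first version but worth a comment so the next tuner knows it is a known gap.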


@ -0,0 +1,34 @@
id: 7c9a1026-4872-11ec-81d3-0242ac130003
name: Tomcat - Multiple empty requests from same IP
description: |
'Detects multiple empty requests from same IP'
severity: Medium
requiredDataConnectors:
- connectorId: ApacheTomcat
dataTypes:
- TomcatEvent
queryFrequency: 1h
queryPeriod: 1h
triggerOperator: gt
triggerThreshold: 0
tactics:
- InitialAccess
- Impact
relevantTechniques:
- T1190
- T1133
- T1499
query: |
let threshold = 50;
TomcatEvent
| where HttpResponseBodyBytes == 0
| summarize MultipleClientErrors = count() by SrcIpAddr, bin(TimeGenerated, 5m)
| where MultipleClientErrors > threshold
| extend IPCustomEntity = SrcIpAddr
entityMappings:
- entityType: IP
fieldMappings:
- identifier: Address
columnName: IPCustomEntity
version: 1.0.0
kind: Scheduled
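Review bot: `| where HttpResponseBodyBytes == 0` counts responses with an empty body, which is normal for `HEAD` requests, `204 No Content`, `304 Not Modified` and redirects, so a browser revalidating cached assets exceeds the 50-per-5m threshold on its own. Narrow it with `| where HttpRequestMethod !~ 'HEAD' and HttpStatusCode !in (204, 304)` or, if the target is specifically bare probes, require `HttpStatusCode between (200 .. 299)` as well. The aggregate is named `MultipleClientErrors`, copied from the client-errors rule; rename it (for example `EmptyResponses`) so the alert column matches what it counts. The name and description say "empty requests", but the field is the response body size, so "empty responses" is what is actually detected.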


@ -0,0 +1,34 @@
id: de9df79c-4872-11ec-81d3-0242ac130003
name: Tomcat - Multiple server errors from single IP address
description: |
'Detects multiple server errors from one source in short timeframe'
severity: Medium
requiredDataConnectors:
- connectorId: ApacheTomcat
dataTypes:
- TomcatEvent
queryFrequency: 1h
queryPeriod: 1h
triggerOperator: gt
triggerThreshold: 0
tactics:
- Impact
- InitialAccess
relevantTechniques:
- T1498
- T1190
- T1133
query: |
let threshold = 100;
TomcatEvent
| where HttpStatusCode >= 500 and HttpStatusCode <= 599
| summarize MultipleServerErrors = count() by SrcIpAddr, bin(TimeGenerated, 5m)
| where MultipleServerErrors > threshold
| extend IPCustomEntity = SrcIpAddr
entityMappings:
- entityType: IP
fieldMappings:
- identifier: Address
columnName: IPCustomEntity
version: 1.0.0
kind: Scheduled


@ -0,0 +1,43 @@
id: 103d5ada-4874-11ec-81d3-0242ac130003
name: Tomcat - Put file and get file from same IP address
description: |
'Detects put or get files from one source in short timeframe'
severity: Medium
requiredDataConnectors:
- connectorId: ApacheTomcat
dataTypes:
- TomcatEvent
queryFrequency: 1h
queryPeriod: 1h
triggerOperator: gt
triggerThreshold: 0
tactics:
- InitialAccess
relevantTechniques:
- T1190
- T1133
query: |
let p = TomcatEvent
| where HttpRequestMethod in~ ('POST', 'PUT')
| sort by EventStartTime asc
| summarize post_time=min(EventStartTime) by SrcIpAddr, tostring(UrlOriginal);
TomcatEvent
| where HttpRequestMethod =~ 'GET'
| sort by EventStartTime asc
| summarize get_time=min(EventStartTime) by SrcIpAddr, tostring(UrlOriginal)
| join kind=innerunique (p) on UrlOriginal, SrcIpAddr
| extend second = datetime_diff('second',get_time,post_time)
| where second between (1 .. 300)
| project second, post_time, get_time, SrcIpAddr, UrlOriginal
| extend IPCustomEntity = SrcIpAddr, UrlCustomEntity = tostring(UrlOriginal)
entityMappings:
- entityType: IP
fieldMappings:
- identifier: Address
columnName: IPCustomEntity
- entityType: URL
fieldMappings:
- identifier: Url
columnName: UrlCustomEntity
version: 1.0.0
kind: Scheduled
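Review bot: The correlation at `summarize get_time=min(EventStartTime)` takes the IP's earliest GET of the URL over the whole hour, so a client that fetched the path once before uploading and again after it yields a negative `second` and is dropped, which is exactly the upload-then-fetch sequence the rule is meant to catch; pair each GET with the PUT first and only then keep the closest one. The two `| sort by EventStartTime asc` lines do nothing because `summarize` ignores input order. Only accepted uploads matter, so filtering the PUT/POST side with `HttpStatusCode between (200 .. 299)` removes the 404/405 probes that will otherwise dominate the results. The rewrite below leaves the `project` and entity lines unchanged.
```yaml
query: |
  let p = TomcatEvent
  | where HttpRequestMethod in~ ('POST', 'PUT')
  | where HttpStatusCode between (200 .. 299)   // only uploads the server accepted
  | project SrcIpAddr, UrlOriginal, post_time = EventStartTime;
  TomcatEvent
  | where HttpRequestMethod =~ 'GET'
  | project SrcIpAddr, UrlOriginal, get_time = EventStartTime
  | join kind=inner (p) on SrcIpAddr, UrlOriginal
  | where get_time > post_time
  | extend second = datetime_diff('second', get_time, post_time)
  | where second between (1 .. 300)
  | summarize arg_min(second, post_time, get_time) by SrcIpAddr, UrlOriginal
  // … unchanged: project and IPCustomEntity/UrlCustomEntity extend …
```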


@ -0,0 +1,34 @@
id: a45dd6ea-4874-11ec-81d3-0242ac130003
name: Tomcat - Request from localhost IP address
description: |
'Detects request from localhost IP address.'
severity: Medium
requiredDataConnectors:
- connectorId: ApacheTomcat
dataTypes:
- TomcatEvent
queryFrequency: 1h
queryPeriod: 1h
triggerOperator: gt
triggerThreshold: 0
tactics:
- InitialAccess
relevantTechniques:
- T1190
- T1133
query: |
TomcatEvent
| where SrcIpAddr == "127.0.0.1"
| extend File = extract(@'(.*\/)?(.*)', 2, tostring(UrlOriginal))
| extend IPCustomEntity = SrcIpAddr, FileCustomEntity = File
entityMappings:
- entityType: File
fieldMappings:
- identifier: Name
columnName: FileCustomEntity
- entityType: IP
fieldMappings:
- identifier: Address
columnName: IPCustomEntity
version: 1.0.0
kind: Scheduled
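Review bot: `| where SrcIpAddr == "127.0.0.1"` misses the IPv6 loopback, which Tomcat on a dual-stack host commonly logs as `::1` or `0:0:0:0:0:0:0:1`; use `| where SrcIpAddr in ("127.0.0.1", "::1", "0:0:0:0:0:0:0:1") or ipv4_is_in_range(SrcIpAddr, "127.0.0.0/8")`. Where a reverse proxy or health checker runs on the same host, every request arrives from loopback and this rule with `triggerThreshold: 0` fires on every run; a sentence in `description` telling the deployer to exclude known local callers (or to gate on `HttpRequestMethod`/`UrlOriginal`) would save that tuning round. `File = extract(@'(.*\/)?(.*)', 2, ...)` keeps any query string as part of the file name, so the `File` entity for `/x.jsp?a=1` becomes `x.jsp?a=1`.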


@ -0,0 +1,34 @@
id: 0c851bd4-4875-11ec-81d3-0242ac130003
name: Tomcat - Request to sensitive files
description: |
'Detects request to sensitive files.'
severity: High
requiredDataConnectors:
- connectorId: ApacheTomcat
dataTypes:
- TomcatEvent
queryFrequency: 1h
queryPeriod: 1h
triggerOperator: gt
triggerThreshold: 0
tactics:
- InitialAccess
relevantTechniques:
- T1189
query: |
let forbidden_files = dynamic(['shadow', 'passwd', 'id_rsa']);
TomcatEvent
| extend File = extract(@'(.*\/)?(.*)', 2, tostring(UrlOriginal))
| where File in (forbidden_files)
| extend FileCustomEntity = File, UrlCustomEntity = UrlOriginal
entityMappings:
- entityType: File
fieldMappings:
- identifier: Name
columnName: FileCustomEntity
- entityType: URL
fieldMappings:
- identifier: Url
columnName: UrlCustomEntity
version: 1.0.0
kind: Scheduled
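Review bot: `| where File in (forbidden_files)` needs the basename to equal `shadow`, `passwd` or `id_rsa` exactly, but `extract(@'(.*\/)?(.*)', 2, ...)` leaves the query string attached and works on the raw URL, so `/etc/passwd?x=1`, `..%2f..%2fetc%2fpasswd` (no literal slash) and `/etc/PASSWD` all slip past this High-severity rule. Decode and strip the query first: `| extend Path = tostring(split(url_decode(UrlOriginal), '?')[0])`, `| extend File = extract(@'([^/]*)$', 1, Path)`, `| where File in~ (forbidden_files)`. `T1189` (Drive-by Compromise) does not describe a client requesting server secrets; `T1190` or `T1083` seem closer, though that is the author's call. Three names is a thin list for Tomcat; `tomcat-users.xml`, `web.xml` and `.env` are the usual additions, but extend it only with names you have seen probed.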


@ -0,0 +1,29 @@
id: ce84741e-4875-11ec-81d3-0242ac130003
name: Tomcat - Sql injection patterns
description: |
'Detects possible sql injection patterns'
severity: High
requiredDataConnectors:
- connectorId: ApacheTomcat
dataTypes:
- TomcatEvent
queryFrequency: 1h
queryPeriod: 1h
triggerOperator: gt
triggerThreshold: 0
tactics:
- InitialAccess
relevantTechniques:
- T1190
query: |
let commands = dynamic(["1/*'*/", "1'||'asd'||'", "'1'='1", "1' or '1'='1", "1 or 1=1", "1=1", "1/*!1111'*/", "'or''='"]);
TomcatEvent
| where UrlOriginal has_any (commands)
| extend UrlCustomEntity = UrlOriginal
entityMappings:
- entityType: URL
fieldMappings:
- identifier: Url
columnName: UrlCustomEntity
version: 1.0.0
kind: Scheduled
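Review bot: `| where UrlOriginal has_any (commands)` is term-based matching, and the entries are mostly punctuation around one-character terms (`1=1`, `'or''='`, `'1'='1`), so whether they match depends on how `has` tokenises them; I would not ship this without testing against a sample URL. The more robust shape is to decode first and use `matches regex` for punctuation-heavy patterns: `| extend DecodedUrl = url_decode(UrlOriginal)` then `| where DecodedUrl has_any (commands) or DecodedUrl matches regex @"(?i)(union\s+select|or\s+\d+\s*=\s*\d+|'\s*or\s*')"`. The list covers only tautology probes; `UNION SELECT`, comment terminators (`--`, `/*`) and `SLEEP(`/`WAITFOR` are absent and are what automated tooling actually sends. As in the command-injection rule, mapping `SrcIpAddr` as an `IP` entity would make the alert actionable.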


@ -0,0 +1,45 @@
id: 875da588-4875-11ec-81d3-0242ac130003
name: Tomcat - Server errors after multiple requests from same IP
description: |
'Detects server errors after multiple requests from same IP address.'
severity: Medium
requiredDataConnectors:
- connectorId: ApacheTomcat
dataTypes:
- TomcatEvent
queryFrequency: 1h
queryPeriod: 1h
triggerOperator: gt
triggerThreshold: 0
tactics:
- Impact
- InitialAccess
relevantTechniques:
- T1498
- T1190
- T1133
query: |
let multi_errors = TomcatEvent
| where toint(HttpStatusCode) >= 500 and toint(HttpStatusCode) <= 599
| sort by EventStartTime asc
| summarize MultipleServerErrors = count() by SrcIpAddr, bin(EventStartTime, 5m)
| where MultipleServerErrors > 10;
let error_time_table = TomcatEvent
| where toint(HttpStatusCode) >= 500 and toint(HttpStatusCode) <= 599
| summarize error_time=min(EventStartTime) by SrcIpAddr
| join kind=innerunique (multi_errors) on SrcIpAddr;
TomcatEvent
| where toint(HttpStatusCode) >= 100 and toint(HttpStatusCode) <= 399
| summarize success_time=max(EventStartTime) by SrcIpAddr
| join kind=innerunique (error_time_table) on SrcIpAddr
| extend time_between_error_and_success = datetime_diff('second', error_time, success_time)
| where time_between_error_and_success between (1 .. 300)
| project time_between_error_and_success, error_time, success_time, SrcIpAddr
| extend IPCustomEntity = SrcIpAddr
entityMappings:
- entityType: IP
fieldMappings:
- identifier: Address
columnName: IPCustomEntity
version: 1.0.0
kind: Scheduled
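Review bot: `error_time=min(EventStartTime)` in `error_time_table` is the IP's first 5xx over the whole query period, not the start of the 5-minute bin in which `multi_errors` found more than 10, and `join ... on SrcIpAddr` discards the bin entirely; an IP with one 5xx at 09:00 and a burst at 09:50 is timed from 09:00. Fold the timestamp into the bucketed aggregate and drop the second subquery, as below. The `| sort by EventStartTime asc` before `summarize` is a no-op, the `10` threshold is hard-coded where the sibling rules use a `let threshold`, and `toint()` is unnecessary if `HttpStatusCode` is the `Int32` the table definition declares. `1xx`/`3xx` are counted as success; that may be intended, but `between (200 .. 399)` would be the usual choice.
```yaml
query: |
  let threshold = 10;
  let multi_errors = TomcatEvent
  | where HttpStatusCode between (500 .. 599)
  | summarize MultipleServerErrors = count(), error_time = min(EventStartTime) by SrcIpAddr, bin(EventStartTime, 5m)
  | where MultipleServerErrors > threshold;
  TomcatEvent
  | where HttpStatusCode between (100 .. 399)
  | summarize success_time = max(EventStartTime) by SrcIpAddr
  | join kind=inner (multi_errors) on SrcIpAddr
  // … unchanged: time_between_error_and_success, window filter, project, IPCustomEntity …
```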


@ -0,0 +1,25 @@
id: 72ae8a54-4879-11ec-81d3-0242ac130003
name: Tomcat - Request to forbidden file
description: |
'Query shows request to forbidden files.'
severity: Medium
requiredDataConnectors:
- connectorId: ApacheTomcat
dataTypes:
- TomcatEvent
tactics:
- InitialAccess
relevantTechniques:
- T1190
- T1133
query: |
TomcatEvent
| where TimeGenerated > ago(24h)
| where HttpStatusCode == 403
| extend File = extract(@"(.*\/)?(.*)", 2, tostring(UrlOriginal))
| extend FileCustomEntity = File
entityMappings:
- entityType: File
fieldMappings:
- identifier: Name
columnName: FileCustomEntity
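Review bot: Only the file name is mapped as an entity, so a hunting hit on a 403 gives the analyst nothing to pivot on; change the last query line to `| extend FileCustomEntity = File, IPCustomEntity = SrcIpAddr` and add an `IP`/`Address` mapping on `IPCustomEntity`. `File` is cut from the raw URL with `extract(@"(.*\/)?(.*)", 2, ...)`, so a query string stays part of the name (`login.jsp?next=/admin`). 403s from Tomcat include routine bot traffic against `/manager/` and `/host-manager/`; projecting `UrlOriginal` alongside `File` lets the analyst tell those apart.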


@ -0,0 +1,36 @@
id: d5e1eb24-487a-11ec-81d3-0242ac130003
name: Tomcat - Abnormal request size
description: |
'Query shows abnormal request size.'
severity: Low
requiredDataConnectors:
- connectorId: ApacheTomcat
dataTypes:
- TomcatEvent
tactics:
- Exfiltration
- Collection
relevantTechniques:
- T1530
- T1537
query: |
let Average_Body_Bytes = TomcatEvent
| where TimeGenerated > ago(30d)
| summarize Avg_Size = avg(HttpResponseBodyBytes)
| extend K = 1;
TomcatEvent
| where TimeGenerated > ago(24h)
| extend File = extract(@"(.*\/)?(.*)", 2, tostring(UrlOriginal))
| extend K = 1
| join kind=inner Average_Body_Bytes on K
| where tolong(HttpResponseBodyBytes) > Avg_Size
| extend FileCustomEntity = File, UrlCustomEntity = UrlOriginal
entityMappings:
- entityType: URL
fieldMappings:
- identifier: Url
columnName: UrlCustomEntity
- entityType: File
fieldMappings:
- identifier: Name
columnName: FileCustomEntity
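Review bot: `| where tolong(HttpResponseBodyBytes) > Avg_Size` flags every response larger than the 30-day mean, which for a typical size distribution is a large share of normal traffic rather than anything abnormal; the workbook tile in the same PR at least uses `* 1.5`. A standard-deviation cut is the usual starting point: `| summarize Avg_Size = avg(HttpResponseBodyBytes), Std_Size = stdev(HttpResponseBodyBytes)` in the baseline and `| where HttpResponseBodyBytes > Avg_Size + 3 * Std_Size` in the filter. If a single statistic is kept, the `K = 1` cross join can become `let Avg_Size = toscalar(...)` since the baseline is one row. The field is the response body size, not a request size, so the name and description mislead; and `T1530`/`T1537` are cloud-storage techniques that do not obviously apply to a large Tomcat response (`T1048`/`T1041` look closer if exfiltration is the intent).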


@ -0,0 +1,25 @@
id: 7be944be-487f-11ec-81d3-0242ac130003
name: Tomcat - Catalina errors
description: |
'Query shows errors events.'
severity: Medium
requiredDataConnectors:
- connectorId: ApacheTomcat
dataTypes:
- TomcatEvent
tactics:
- DefenseEvasion
relevantTechniques:
- T1070
query: |
TomcatEvent
| where TimeGenerated > ago(24d)
| where EventType =~ 'ErrorLog'
| where EventMessage has "error"
| extend UrlCustomEntity = UrlOriginal
entityMappings:
- entityType: URL
fieldMappings:
- identifier: Url
columnName: UrlCustomEntity
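Review bot: `| where TimeGenerated > ago(24d)` looks like a typo for `ago(24h)`; every other hunting query in this PR uses `24h`, and 24 days of Catalina errors is not what a daily review wants. Mapping `UrlOriginal` as a `URL` entity is doubtful here: Catalina `ErrorLog` events are not access-log lines, so unless the parser populates `UrlOriginal` for them the entity is always empty, and projecting `ClassName` and `EventMessage` instead would be more useful. `EventMessage has "error"` on an `ErrorLog` stream is nearly a tautology; filtering on `EventSeverity`, which the table defines, would be more selective. `T1070` (Indicator Removal) does not describe server error events; there may simply be no fitting ATT&CK technique for this query.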


@ -0,0 +1,27 @@
id: c2e8ad40-4880-11ec-81d3-0242ac130003
name: Tomcat - Rare files requested
description: |
'Query shows rare files requested'
severity: Medium
requiredDataConnectors:
- connectorId: ApacheTomcat
dataTypes:
- TomcatEvent
tactics:
- InitialAccess
relevantTechniques:
- T1190
- T1133
query: |
TomcatEvent
| where TimeGenerated > ago(24h)
| extend File = extract(@"(.*\/)?(.*)", 2, tostring(UrlOriginal))
| where isnotempty(File)
| summarize RareFiles = count() by File
| top 20 by RareFiles asc
| extend FileCustomEntity = File
entityMappings:
- entityType: File
fieldMappings:
- identifier: Name
columnName: FileCustomEntity
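Review bot: `File` is taken from the raw URL with `extract(@"(.*\/)?(.*)", 2, ...)`, so every distinct query string produces a distinct "file" and the `top 20 by RareFiles asc` list is dominated by `page.jsp?id=1`, `page.jsp?id=2`, … rather than by genuinely rare resources. Strip the query string first, for example `| extend File = extract(@"([^/]*)$", 1, tostring(split(UrlOriginal, '?')[0]))`, and optionally `url_decode` before that so encoded and plain spellings collapse together. `top 20 ... asc` always returns 20 rows even on a quiet day, so a `| where RareFiles <= 2` cut before `top` would make an empty result meaningful.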


@ -0,0 +1,25 @@
id: ed6686b4-4880-11ec-81d3-0242ac130003
name: Tomcat - Rare URLs requested
description: |
'Query shows rare URLs requested.'
severity: Medium
requiredDataConnectors:
- connectorId: ApacheTomcat
dataTypes:
- TomcatEvent
tactics:
- InitialAccess
relevantTechniques:
- T1190
- T1133
query: |
TomcatEvent
| where TimeGenerated > ago(24h)
| summarize count() by tostring(UrlOriginal)
| top 20 by count_ asc
| extend UrlCustomEntity = UrlOriginal
entityMappings:
- entityType: URL
fieldMappings:
- identifier: Url
columnName: UrlCustomEntity


@ -0,0 +1,28 @@
id: 191bd49e-4881-11ec-81d3-0242ac130003
name: Tomcat - Top files with error requests
description: |
'Query shows list of files with error requests.'
severity: Medium
requiredDataConnectors:
- connectorId: ApacheTomcat
dataTypes:
- TomcatEvent
tactics:
- InitialAccess
relevantTechniques:
- T1190
- T1133
query: |
TomcatEvent
| where TimeGenerated > ago(24h)
| where HttpStatusCode >= 400 and HttpStatusCode <= 599
| extend File = extract(@"(.*\/)?(.*)", 2, tostring(UrlOriginal))
| where isnotempty(File)
| summarize TotalFile = count() by File
| top 20 by TotalFile desc
| extend FileCustomEntity = File
entityMappings:
- entityType: File
fieldMappings:
- identifier: Name
columnName: FileCustomEntity


@ -0,0 +1,28 @@
id: 60725e58-4881-11ec-81d3-0242ac130003
name: Tomcat - Top URLs client errors
description: |
'Query shows URLs list with client errors.'
severity: Medium
requiredDataConnectors:
- connectorId: ApacheTomcat
dataTypes:
- TomcatEvent
tactics:
- Impact
- InitialAccess
relevantTechniques:
- T1498
- T1190
- T1133
query: |
TomcatEvent
| where TimeGenerated > ago(24h)
| where HttpStatusCode >= 400 and HttpStatusCode <= 499
| summarize TopUrls = count() by (tostring(UrlOriginal))
| top 20 by TopUrls desc
| extend UrlCustomEntity = UrlOriginal
entityMappings:
- entityType: URL
fieldMappings:
- identifier: Url
columnName: UrlCustomEntity


@ -0,0 +1,28 @@
id: 919725a4-4881-11ec-81d3-0242ac130003
name: Tomcat - Top URLs server errors
description: |
'Query shows URLs list with server errors.'
severity: Medium
requiredDataConnectors:
- connectorId: ApacheTomcat
dataTypes:
- TomcatEvent
tactics:
- Impact
- InitialAccess
relevantTechniques:
- T1498
- T1190
- T1133
query: |
TomcatEvent
| where TimeGenerated > ago(24h)
| where HttpStatusCode >= 500 and HttpStatusCode <= 599
| summarize TopUrls = count() by tostring(UrlOriginal)
| top 20 by TopUrls desc
| extend UrlCustomEntity = UrlOriginal
entityMappings:
- entityType: URL
fieldMappings:
- identifier: Url
columnName: UrlCustomEntity


@ -0,0 +1,25 @@
id: d214c244-4881-11ec-81d3-0242ac130003
name: Tomcat - Uncommon user agent strings
description: |
'Query searches uncommon user agent strings.'
severity: Low
requiredDataConnectors:
- connectorId: ApacheTomcat
dataTypes:
- TomcatEvent
tactics:
- InitialAccess
relevantTechniques:
- T1190
- T1133
query: |
let ua_length = 20;
TomcatEvent
| where TimeGenerated > ago(24h)
| where strlen(HttpUserAgentOriginal) < ua_length
| extend UrlCustomEntity = HttpUserAgentOriginal
entityMappings:
- entityType: URL
fieldMappings:
- identifier: Url
columnName: UrlCustomEntity
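Review bot: The user-agent string is mapped as a `URL` entity (`UrlCustomEntity = HttpUserAgentOriginal`), but a UA is not a URL, so Sentinel will create URL entities such as `curl/7.68.0`; the same mapping appears in the two "Rare user agents" queries. Map `SrcIpAddr` as an `IP` entity instead and leave the UA as a column: `| extend IPCustomEntity = SrcIpAddr` with an `IP`/`Address` mapping under `entityMappings`. `strlen(HttpUserAgentOriginal) < ua_length` also admits empty strings (length 0), while the sibling queries filter with `isnotempty`; an absent UA is arguably the more interesting case, so decide which is intended and say so in `description`.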


@ -0,0 +1,27 @@
id: 033d672c-4882-11ec-81d3-0242ac130003
name: Tomcat - Rare user agents with client errors
description: |
'Query shows rare user agent strings with client errors'
severity: Medium
requiredDataConnectors:
- connectorId: ApacheTomcat
dataTypes:
- TomcatEvent
tactics:
- InitialAccess
relevantTechniques:
- T1190
- T1133
query: |
TomcatEvent
| where TimeGenerated > ago(24h)
| where isnotempty(HttpUserAgentOriginal)
| where HttpStatusCode >= 400 and HttpStatusCode <= 499
| summarize UAs = count() by (tostring(HttpUserAgentOriginal))
| top 20 by UAs asc
| extend UrlCustomEntity = HttpUserAgentOriginal
entityMappings:
- entityType: URL
fieldMappings:
- identifier: Url
columnName: UrlCustomEntity


@ -0,0 +1,27 @@
id: 2be563f0-4882-11ec-81d3-0242ac130003
name: Tomcat - Rare user agents with server errors
description: |
'Query shows rare user agent strings with server errors'
severity: Medium
requiredDataConnectors:
- connectorId: ApacheTomcat
dataTypes:
- TomcatEvent
tactics:
- InitialAccess
relevantTechniques:
- T1190
- T1133
query: |
TomcatEvent
| where TimeGenerated > ago(24h)
| where isnotempty(HttpUserAgentOriginal)
| where HttpStatusCode >= 500 and HttpStatusCode <= 599
| summarize UAs = count() by tostring(HttpUserAgentOriginal)
| top 20 by UAs asc
| extend UrlCustomEntity = HttpUserAgentOriginal
entityMappings:
- entityType: URL
fieldMappings:
- identifier: Url
columnName: UrlCustomEntity

Двоичные данные
Solutions/Tomcat/Workbooks/Images/TomcatBlack.png Normal file




Двоичные данные
Solutions/Tomcat/Workbooks/Images/TomcatWhite.png Normal file





@ -0,0 +1,388 @@
{
"version": "Notebook/1.0",
"items": [
{
"type": 1,
"content": {
"json": "**NOTE**: This data connector depends on a parser based on Kusto Function **TomcatEvent** to work as expected. [Follow steps to get this Kusto Function](https://aka.ms/sentinel-ApacheTomcat-parser) "
},
"name": "text - 8"
},
{
"type": 9,
"content": {
"version": "KqlParameterItem/1.0",
"parameters": [
{
"id": "cd8447d9-b096-4673-92d8-2a1e8291a125",
"version": "KqlParameterItem/1.0",
"name": "TimeRange",
"type": 4,
"description": "Sets the time name for analysis",
"value": {
"durationMs": 7776000000
},
"typeSettings": {
"selectableValues": [
{
"durationMs": 900000
},
{
"durationMs": 3600000
},
{
"durationMs": 86400000
},
{
"durationMs": 604800000
},
{
"durationMs": 2592000000
},
{
"durationMs": 7776000000
}
]
},
"timeContext": {
"durationMs": 86400000
}
}
],
"style": "pills",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces"
},
"name": "parameters - 11"
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "TomcatEvent\r\n| make-series TotalEvents = count() default = 0 on TimeGenerated from {TimeRange:start} to {TimeRange:end} step {TimeRange:grain};",
"size": 0,
"title": "Events Over Time",
"timeContext": {
"durationMs": 0
},
"timeContextFromParameter": "TimeRange",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
"visualization": "timechart",
"graphSettings": {
"type": 0
}
},
"customWidth": "60",
"name": "query - 12",
"styleSettings": {
"maxWidth": "55"
}
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "//Total Http status code result\r\nTomcatEvent\r\n| where isnotempty( HttpStatusCode)\r\n| extend HttpStatus = case(\r\n HttpStatusCode startswith \"1\", \"Informational\", \r\n HttpStatusCode startswith \"2\", \"Success\", \r\n HttpStatusCode startswith \"3\", \"Redirect\",\r\n HttpStatusCode startswith \"4\", \"Client Error\",\r\n HttpStatusCode startswith \"5\", \"Server Error\",\r\n \"Unknown\")\r\n| summarize TotalHttpStatus = count() by HttpStatus",
"size": 3,
"title": "HTTP Status Codes",
"timeContext": {
"durationMs": 7776000000
},
"timeContextFromParameter": "TimeRange",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
"visualization": "piechart"
},
"customWidth": "30",
"name": "query - 0",
"styleSettings": {
"maxWidth": "30"
}
},
{
"type": 12,
"content": {
"version": "NotebookGroup/1.0",
"groupType": "editable",
"items": [
{
"type": 12,
"content": {
"version": "NotebookGroup/1.0",
"groupType": "editable",
"items": [
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "TomcatEvent\r\n| where isnotempty( SrcIpAddr)\r\n| summarize dcount(SrcIpAddr) ",
"size": 3,
"title": "Unique IP Addresses",
"timeContext": {
"durationMs": 7776000000
},
"timeContextFromParameter": "TimeRange",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
"visualization": "card",
"textSettings": {
"style": "bignumber"
}
},
"name": "query - 0"
}
]
},
"name": "group - 1"
},
{
"type": 12,
"content": {
"version": "NotebookGroup/1.0",
"groupType": "editable",
"items": [
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "TomcatEvent\r\n| where HttpStatusCode >= 500 and HttpStatusCode <= 599 \r\n| count",
"size": 3,
"title": "Total Server Errors",
"timeContext": {
"durationMs": 7776000000
},
"timeContextFromParameter": "TimeRange",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
"visualization": "card",
"textSettings": {
"style": "bignumber"
}
},
"name": "query - 0"
}
]
},
"name": "group - 2"
},
{
"type": 12,
"content": {
"version": "NotebookGroup/1.0",
"groupType": "editable",
"items": [
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "TomcatEvent\r\n| where HttpStatusCode >= 400 and HttpStatusCode <= 499 \r\n| count",
"size": 3,
"title": "Total Client Errors",
"timeContext": {
"durationMs": 7776000000
},
"timeContextFromParameter": "TimeRange",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
"visualization": "card",
"textSettings": {
"style": "bignumber"
}
},
"name": "query - 0"
}
]
},
"name": "group - 2"
}
]
},
"customWidth": "10",
"name": "group - 9",
"styleSettings": {
"maxWidth": "100",
"showBorder": true
}
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "//Top IP requested\r\nTomcatEvent\r\n| summarize TotalRequests = count() by SrcIpAddr\r\n| project-rename SourceIP=SrcIpAddr\r\n| top 10 by TotalRequests desc ",
"size": 3,
"title": "Top 10 Sources",
"timeContext": {
"durationMs": 7776000000
},
"timeContextFromParameter": "TimeRange",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
"visualization": "piechart"
},
"customWidth": "34",
"name": "query - 1"
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "//Top IP requested with server error\r\nTomcatEvent\r\n| where HttpStatusCode >= 500 and HttpStatusCode <600\r\n| summarize TotalEvents = count() by SrcIpAddr\r\n| project-rename SourceIP = SrcIpAddr\r\n| top 10 by TotalEvents desc ",
"size": 3,
"title": "Top Source IP addresses with server error",
"timeContext": {
"durationMs": 7776000000
},
"timeContextFromParameter": "TimeRange",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
"visualization": "piechart"
},
"customWidth": "33",
"name": "query - 3",
"styleSettings": {
"margin": "10",
"padding": "10"
}
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "//Top IP requested with client error\r\nTomcatEvent\r\n| where HttpStatusCode >= 400 and HttpStatusCode <500\r\n| summarize TotalEvents = count() by SrcIpAddr\r\n| project-rename SourceIP = SrcIpAddr\r\n| top 10 by SourceIP desc ",
"size": 3,
"title": "Top Source IP addresses with client error",
"timeContext": {
"durationMs": 7776000000
},
"timeContextFromParameter": "TimeRange",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
"visualization": "piechart",
"gridSettings": {
"sortBy": [
{
"itemKey": "TotalEvents",
"sortOrder": 2
}
]
},
"sortBy": [
{
"itemKey": "TotalEvents",
"sortOrder": 2
}
]
},
"customWidth": "33",
"name": "query - 2"
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "//Top file requested\r\nTomcatEvent\r\n| extend File = extract(@\".*\\/([a-zA-Z0-9-._]*)\", 1, tostring(UrlOriginal))\r\n| where isnotempty(File)\r\n| summarize TotalEvents = count() by File\r\n| top 10 by TotalEvents desc",
"size": 3,
"title": "Top files requested",
"timeContext": {
"durationMs": 7776000000
},
"timeContextFromParameter": "TimeRange",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
"visualization": "barchart"
},
"name": "query - 8"
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "TomcatEvent\r\n| extend File = extract(@\".*\\/([a-zA-Z0-9-._]*)\", 1, tostring(UrlOriginal))\r\n| where isnotempty(File)\r\n| sort by TimeGenerated desc \r\n| project File, strcat(iff(HttpStatusCode startswith \"4\" or HttpStatusCode startswith \"5\", '❌', '✅')), HttpStatusCode\r\n| project-rename Result = Column1, FileName=File",
"size": 0,
"title": "Latest files accessed",
"timeContext": {
"durationMs": 7776000000
},
"timeContextFromParameter": "TimeRange",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
"gridSettings": {
"rowLimit": 50,
"filter": true
}
},
"customWidth": "35",
"name": "query - 12",
"styleSettings": {
"maxWidth": "33"
}
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "TomcatEvent\r\n| where TimeGenerated > ago(40d)\r\n| where HttpStatusCode >= 400 and HttpStatusCode <= 599 \r\n| where UrlOriginal != '/'\r\n| summarize TotalEvents = count() by tostring(UrlOriginal)\r\n| top 10 by TotalEvents desc ",
"size": 3,
"title": "Top URLs with Error",
"timeContext": {
"durationMs": 7776000000
},
"timeContextFromParameter": "TimeRange",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
"visualization": "table"
},
"customWidth": "35",
"name": "query - 10",
"styleSettings": {
"maxWidth": "100"
}
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "let Average_Body_Bytes = TomcatEvent\r\n| summarize Avg_ByUrl = avg(tolong(HttpResponseBodyBytes))\r\n| extend K = 1;\r\nTomcatEvent\r\n| extend K = 1\r\n| join kind=inner Average_Body_Bytes on K\r\n| where HttpResponseBodyBytes > Avg_ByUrl*1.5\r\n| order by tolong(HttpResponseBodyBytes)\r\n| summarize RequestSize=max(tolong(HttpResponseBodyBytes)) by SrcIpAddr\r\n| project-rename SourceIP=SrcIpAddr\r\n",
"size": 3,
"title": "Top sources with large request size",
"timeContext": {
"durationMs": 7776000000
},
"timeContextFromParameter": "TimeRange",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
"visualization": "table",
"gridSettings": {
"rowLimit": 10
},
"graphSettings": {
"type": 0,
"topContent": {
"columnMatch": "SrcIpAddr",
"formatter": 1
},
"centerContent": {
"columnMatch": "LargeRequest",
"formatter": 1,
"numberFormat": {
"unit": 17,
"options": {
"maximumSignificantDigits": 3,
"maximumFractionDigits": 2
}
}
}
},
"chartSettings": {
"showMetrics": false,
"showLegend": true
}
},
"customWidth": "30",
"name": "query - 7"
}
],
"fromTemplateId": "sentinel-TomcatWorkbook",
"$schema": "https://github.com/Microsoft/Application-Insights-Workbooks/blob/master/schema/workbook.json"
}
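Review bot: The "Top Source IP addresses with client error" tile ends with `| top 10 by SourceIP desc`, which sorts by the IP string rather than the count, so it shows the ten lexically largest addresses instead of the top talkers; change it to `| top 10 by TotalEvents desc` as in the server-error tile beside it (`gridSettings.sortBy` does not affect a pie chart). The HTTP-status pie and "Latest files accessed" tiles use `HttpStatusCode startswith "4"`, which needs a string column, while the table definition in this PR declares `HttpStatusCode` as `Int32` and the analytic rules compare it numerically; if the parser really emits an integer, use `HttpStatusCode between (400 .. 499)` (or `tostring()`) so the tiles do not fail. "Top URLs with Error" hard-codes `| where TimeGenerated > ago(40d)` on top of the `TimeRange` parameter, which silently caps the selectable 90-day range; drop it. In "Top sources with large request size" the `order by` before `summarize` is a no-op and `graphSettings` references columns `SrcIpAddr`/`LargeRequest` that the query actually outputs as `SourceIP`/`RequestSize`.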