Merge pull request #3682 from socprime/oracle_weblogic_content
Analytic content for Oracle WebLogic
Showing
25 changed files
with
1,127 additions
and
0 deletions.
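--- a/.script/tests/KqlvalidationsTests/CustomTables/OracleWebLogicServerEvent.json
+++ b/.script/tests/KqlvalidationsTests/CustomTables/OracleWebLogicServerEvent.json
@@ -0,0 +1,109 @@
+{
+"Name": "OracleWebLogicServerEvent",
+"Properties": [
+{
+"Name": "ClientIdentity",
+"Type": "String"
+},
+{
+"Name": "DiagnosticContextId",
+"Type": "String"
+},
+{
+"Name": "DvcHostname",
+"Type": "String"
+},
+{
+"Name": "DvcTimeZone",
+"Type": "String"
+},
+{
+"Name": "EventMessage",
+"Type": "String"
+},
+{
+"Name": "EventOriginalUid",
+"Type": "String"
+},
+{
+"Name": "EventProduct",
+"Type": "String"
+},
+{
+"Name": "EventSeverity",
+"Type": "String"
+},
+{
+"Name": "EventStartTime",
+"Type": "datetime"
+},
+{
+"Name": "EventType",
+"Type": "String"
+},
+{
+"Name": "EventVendor",
+"Type": "String"
+},
+{
+"Name": "HttpReferrerOriginal",
+"Type": "String"
+},
+{
+"Name": "HttpRequestMethod",
+"Type": "String"
+},
+{
+"Name": "HttpResponseBodyBytes",
+"Type": "String"
+},
+{
+"Name": "HttpStatusCode",
+"Type": "String"
+},
+{
+"Name": "HttpUserAgentOriginal",
+"Type": "String"
+},
+{
+"Name": "HttpVersion",
+"Type": "String"
+},
+{
+"Name": "RawTimeValue",
+"Type": "String"
+},
+{
+"Name": "SrcDvcHostname",
+"Type": "String"
+},
+{
+"Name": "SrcIpAddr",
+"Type": "String"
+},
+{
+"Name": "SrcUserName",
+"Type": "String"
+},
+{
+"Name": "Subsystem",
+"Type": "String"
+},
+{
+"Name": "TimeGenerated",
+"Type": "datetime"
+},
+{
+"Name": "TransactionId",
+"Type": "String"
+},
+{
+"Name": "TreadId",
+"Type": "String"
+},
+{
+"Name": "UrlOriginal",
+"Type": "String"
+}
+]
+}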
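Review bot: `TreadId` on the `"Name": "TreadId"` line looks like a typo for `ThreadId`; if the connector's parser emits `ThreadId`, any rule that references that column will fail KQL validation against this schema, so the spelling should be checked against the parser before this lands. `HttpStatusCode` and `HttpResponseBodyBytes` are declared `String` while the rules in this PR cast them with `tolong()`; if the parser actually produces numeric values, typing them `long` here would let the validation tests catch a string/number mismatch instead of silently passing.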
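--- a/Solutions/OracleWebLogicServer/Analytic Rules/OracleWebLogicCommandInURI.yaml
+++ b/Solutions/OracleWebLogicServer/Analytic Rules/OracleWebLogicCommandInURI.yaml
@@ -0,0 +1,29 @@
+id: 6ae36a5e-573f-11ec-bf63-0242ac130002
+name: Oracle - Command in URI
+description: |
+'Detects command in URI'
+severity: Medium
+requiredDataConnectors:
+- connectorId: OracleWebLogicServer
+dataTypes:
+- OracleWebLogicServerEvent
+queryFrequency: 1h
+queryPeriod: 1h
+triggerOperator: gt
+triggerThreshold: 0
+tactics:
+- InitialAccess
+relevantTechniques:
+- T1190
+- T1133
+query: |
+OracleWebLogicServerEvent
+| where UrlOriginal contains 'cat%20/etc/passwd' or UrlOriginal contains '/etc/passwd' or UrlOriginal contains 'ping -i' or UrlOriginal contains '/usr/bin/id(' or UrlOriginal contains '%2f%75%73%72%2f%62%69%6e%2f%69%64' or UrlOriginal contains 'phpinfo()' or UrlOriginal contains '%70%68%70%69%6e%66%6f%28%29' or UrlOriginal contains ';id' or UrlOriginal contains '%3b%69%64' or UrlOriginal contains '/bin/bash -c' or UrlOriginal contains '%2f%62%69%6e%2f%62%61%73%68%20%2d%63%27' or UrlOriginal contains '/bin/bash' or UrlOriginal contains '%2f%62%69%6e%2f%62%61%73%68' or UrlOriginal contains 'sleep(' or UrlOriginal contains '%73%6c%65%65%70%28' or UrlOriginal contains 'curl' or UrlOriginal contains '%63%75%72%6c' or UrlOriginal contains '&dir' or UrlOriginal contains '%26%64%69%72' or UrlOriginal contains '& dir' or UrlOriginal =~ '%26%20%64%69%72' or UrlOriginal contains '<script>' or UrlOriginal contains '%3c%73%63%72%69%70%74%3e' or UrlOriginal contains 'eval(' or UrlOriginal contains '%65%76%61%6c%28' or UrlOriginal contains 'exec(' or UrlOriginal contains '%65%78%65%63%28' or UrlOriginal contains 'whoami' or UrlOriginal contains '%77%68%6f%61%6d%69' or UrlOriginal contains 'wget' or UrlOriginal contains 'python' or UrlOriginal contains 'gcc' or UrlOriginal contains 'uname' or UrlOriginal contains 'systeminfo' or UrlOriginal contains '%77%67%65%74' or UrlOriginal contains '%70%79%74%68%6f%6e' or UrlOriginal contains '%75%6e%61%6d%65' or UrlOriginal =~ '%73%79%73%74%65%6d%69%6e%66%6f'
+| extend UrlCustomEntity = UrlOriginal
+entityMappings:
+- entityType: URL
+fieldMappings:
+- identifier: Url
+columnName: UrlCustomEntity
+version: 1.0.0
+kind: Scheduled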
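Review bot: Two predicates in the `where` line use `=~` instead of `contains` (`UrlOriginal =~ '%26%20%64%69%72'` and `UrlOriginal =~ '%73%79%73%74%65%6d%69%6e%66%6f'`); `=~` is a case-insensitive equality on the whole URL, so those two encoded patterns will effectively never fire — they should read `UrlOriginal contains '%26%20%64%69%72'` and `UrlOriginal contains '%73%79%73%74%65%6d%69%6e%66%6f'`. Note also that `contains` is case-insensitive substring matching, so short tokens such as `'curl'`, `'gcc'`, `'python'`, `'uname'` and `'sleep('` will match ordinary paths and query values that happen to contain them; decoding once with `url_decode()` and matching the decoded value on word boundaries would remove the duplicated percent-encoded patterns and cut that noise. The rule maps only a URL entity; adding `IPCustomEntity = SrcIpAddr` with an IP entity mapping would let analysts pivot on the source.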
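--- a/Solutions/OracleWebLogicServer/Analytic Rules/OracleWebLogicDifferentUAsFromSingleIP.yaml
+++ b/Solutions/OracleWebLogicServer/Analytic Rules/OracleWebLogicDifferentUAsFromSingleIP.yaml
@@ -0,0 +1,32 @@
+id: 44c7d12a-573f-11ec-bf63-0242ac130002
+name: Oracle - Multiple user agents for single source
+description: |
+'Detects requests with different user agents from one source in short timeframe.'
+severity: Medium
+requiredDataConnectors:
+- connectorId: OracleWebLogicServer
+dataTypes:
+- OracleWebLogicServerEvent
+queryFrequency: 1h
+queryPeriod: 1h
+triggerOperator: gt
+triggerThreshold: 0
+tactics:
+- InitialAccess
+relevantTechniques:
+- T1190
+- T1133
+query: |
+let threshold = 5;
+OracleWebLogicServerEvent
+| summarize makeset(HttpUserAgentOriginal) by SrcIpAddr, bin(TimeGenerated, 5m)
+| extend ua_count = array_length(set_HttpUserAgentOriginal)
+| where ua_count > threshold
+| extend IPCustomEntity = SrcIpAddr
+entityMappings:
+- entityType: IP
+fieldMappings:
+- identifier: Address
+columnName: IPCustomEntity
+version: 1.0.0
+kind: Scheduled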
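Review bot: The `summarize makeset(HttpUserAgentOriginal) by SrcIpAddr, bin(TimeGenerated, 5m)` line has no guard on the source column, so events with an empty `SrcIpAddr` all collapse into one bucket that will readily exceed the threshold and raise an alert carrying an empty IP entity; add `| where isnotempty(SrcIpAddr)` before the summarize. `makeset()` is the deprecated spelling of `make_set()`, which has the same behavior and should be used in new content. Many clients share one logged address behind NAT or a proxy, in which case five distinct user agents in five minutes is routine, so the description should say the threshold needs per-environment tuning.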
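--- a/Solutions/OracleWebLogicServer/Analytic Rules/OracleWebLogicExploitCVE-2021-2109.yaml
+++ b/Solutions/OracleWebLogicServer/Analytic Rules/OracleWebLogicExploitCVE-2021-2109.yaml
@@ -0,0 +1,29 @@
+id: 67950168-5740-11ec-bf63-0242ac130002
+name: Oracle - Oracle WebLogic Exploit CVE-2021-2109
+description: |
+'Detects using Oracle WebLogic Exploit CVE-2021-2109'
+severity: Medium
+requiredDataConnectors:
+- connectorId: OracleWebLogicServer
+dataTypes:
+- OracleWebLogicServerEvent
+queryFrequency: 1h
+queryPeriod: 1h
+triggerOperator: gt
+triggerThreshold: 0
+tactics:
+- InitialAccess
+relevantTechniques:
+- attack.t1190
+query: |
+OracleWebLogicServerEvent
+| where HttpRequestMethod =~ "GET"
+| where UrlOriginal contains "ldap://" and UrlOriginal contains "com.bea.console.handles.JndiBindingHandle" and UrlOriginal contains "AdminServer"
+| extend UrlCustomEntity = UrlOriginal
+entityMappings:
+- entityType: URL
+fieldMappings:
+- identifier: Url
+columnName: UrlCustomEntity
+version: 1.0.0
+kind: Scheduled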
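Review bot: `relevantTechniques` is written as `attack.t1190` (Sigma tag style) while every other rule in this PR uses the `T1190` form, which is the one the rest of the repository's templates use; this entry should be `- T1190` or it will likely fail the rule validation. The first two indicators on the `where` line (`ldap://` together with `com.bea.console.handles.JndiBindingHandle`) are specific to this JNDI-injection exploit, but also requiring `AdminServer` ties the detection to the default admin-server name, so an instance whose admin server was renamed would be missed; dropping the third condition seems safe given how specific the first two are. Since this detects a known remote-code-execution exploit against the console, `severity: High` is more appropriate than Medium.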
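--- a/Solutions/OracleWebLogicServer/Analytic Rules/OracleWebLogicKnownMaliciousUserAgents.yaml
+++ b/Solutions/OracleWebLogicServer/Analytic Rules/OracleWebLogicKnownMaliciousUserAgents.yaml
@@ -0,0 +1,29 @@
+id: 51d050ee-5740-11ec-bf63-0242ac130002
+name: Oracle - Known malicious user agent
+description: |
+'Detects known malicious user agents'
+severity: Medium
+requiredDataConnectors:
+- connectorId: OracleWebLogicServer
+dataTypes:
+- OracleWebLogicServerEvent
+queryFrequency: 1h
+queryPeriod: 1h
+triggerOperator: gt
+triggerThreshold: 0
+tactics:
+- InitialAccess
+relevantTechniques:
+- T1190
+- T1133
+query: |
+OracleWebLogicServerEvent
+| where HttpUserAgentOriginal contains 'Nikto' or HttpUserAgentOriginal contains '(hydra)' or HttpUserAgentOriginal contains '.nasl' or HttpUserAgentOriginal contains 'absinthe' or HttpUserAgentOriginal contains 'advanced email extractor' or HttpUserAgentOriginal contains 'arachni/' or HttpUserAgentOriginal contains 'autogetcontent' or HttpUserAgentOriginal contains 'bilbo' or HttpUserAgentOriginal contains 'BFAC' or HttpUserAgentOriginal contains 'brutus' or HttpUserAgentOriginal contains 'brutus/aet' or HttpUserAgentOriginal contains 'bsqlbf' or HttpUserAgentOriginal contains 'cgichk' or HttpUserAgentOriginal contains 'cisco-torch' or HttpUserAgentOriginal contains 'commix' or HttpUserAgentOriginal contains 'core-project/1.0' or HttpUserAgentOriginal contains 'crimscanner/' or HttpUserAgentOriginal contains 'datacha0s' or HttpUserAgentOriginal contains 'dirbuster' or HttpUserAgentOriginal contains 'domino hunter' or HttpUserAgentOriginal contains 'dotdotpwn' or HttpUserAgentOriginal contains 'email extractor' or HttpUserAgentOriginal contains 'fhscan core 1.' or HttpUserAgentOriginal contains 'floodgate' or HttpUserAgentOriginal contains 'get-minimal' or HttpUserAgentOriginal contains 'gootkit auto-rooter scanner' or HttpUserAgentOriginal contains 'grabber' or HttpUserAgentOriginal contains 'grendel-scan' or HttpUserAgentOriginal contains 'havij' or HttpUserAgentOriginal contains 'inspath' or HttpUserAgentOriginal contains 'internet ninja' or HttpUserAgentOriginal contains 'jaascois' or HttpUserAgentOriginal contains 'zmeu'or HttpUserAgentOriginal contains 'masscan' or HttpUserAgentOriginal contains 'metis' or HttpUserAgentOriginal contains 'morfeus' or HttpUserAgentOriginal contains 'mysqloit' or HttpUserAgentOriginal contains 'n-stealth' or HttpUserAgentOriginal contains 'nessus' or HttpUserAgentOriginal contains 'netsparker' or HttpUserAgentOriginal contains 'nmap nse' or HttpUserAgentOriginal contains 'nmap scripting engine' or HttpUserAgentOriginal contains 'nmap-nse' or HttpUserAgentOriginal contains 'nsauditor' or HttpUserAgentOriginal contains 'openvas' or HttpUserAgentOriginal contains 'pangolin' or HttpUserAgentOriginal contains 'paros' or HttpUserAgentOriginal contains 'pmafind' or HttpUserAgentOriginal contains 'prog.customcrawler' or HttpUserAgentOriginal contains 'qualys was' or HttpUserAgentOriginal contains 's.t.a.l.k.e.r.' or HttpUserAgentOriginal contains 'security scan' or HttpUserAgentOriginal contains 'springenwerk' or HttpUserAgentOriginal contains 'sql power injector' or HttpUserAgentOriginal contains 'sqlmap' or HttpUserAgentOriginal contains 'sqlninja' or HttpUserAgentOriginal contains 'teh forest lobster' or HttpUserAgentOriginal contains 'this is an exploit' or HttpUserAgentOriginal contains 'toata dragostea' or HttpUserAgentOriginal contains 'toata dragostea mea pentru diavola' or HttpUserAgentOriginal contains 'uil2pn' or HttpUserAgentOriginal contains 'user-agent:' or HttpUserAgentOriginal contains 'vega/' or HttpUserAgentOriginal contains 'voideye' or HttpUserAgentOriginal contains 'w3af.sf.net' or HttpUserAgentOriginal contains 'w3af.sourceforge.net' or HttpUserAgentOriginal contains 'w3af.org' or HttpUserAgentOriginal contains 'webbandit' or HttpUserAgentOriginal contains 'webinspect' or HttpUserAgentOriginal contains 'webshag' or HttpUserAgentOriginal contains 'webtrends security analyzer' or HttpUserAgentOriginal contains 'webvulnscan' or HttpUserAgentOriginal contains 'whatweb' or HttpUserAgentOriginal contains 'whcc/' or HttpUserAgentOriginal contains 'wordpress hash grabber' or HttpUserAgentOriginal contains 'xmlrpc exploit' or HttpUserAgentOriginal contains 'WPScan' or HttpUserAgentOriginal contains 'XSpider' or HttpUserAgentOriginal contains 'SF/' or HttpUserAgentOriginal contains 'FooBar/42' or HttpUserAgentOriginal contains 'ScanAlert' or HttpUserAgentOriginal contains 'Webscanner' or HttpUserAgentOriginal contains 'Webster' or HttpUserAgentOriginal contains 'fantomCrew' or HttpUserAgentOriginal contains 'fantomBrowser' or HttpUserAgentOriginal contains 'visvo' or HttpUserAgentOriginal contains 'magereport' or HttpUserAgentOriginal contains 'ltx71' or HttpUserAgentOriginal contains 'websiteprotection' or HttpUserAgentOriginal contains 'BigCliqueBOT' or HttpUserAgentOriginal contains '(BOT for JCE)'
+| extend MalwareCustomEntity = HttpUserAgentOriginal
+entityMappings:
+- entityType: Malware
+fieldMappings:
+- identifier: Name
+columnName: MalwareCustomEntity
+version: 1.0.0
+kind: Scheduled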
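Review bot: The predicate `HttpUserAgentOriginal contains 'zmeu'or HttpUserAgentOriginal contains 'masscan'` in the `where` line is missing the space between the closing quote and `or`; even if the KQL parser tolerates it, it should be `'zmeu' or` so the validation tests and readers do not trip on it. The rule maps the user-agent string as a Malware entity but carries no IP entity, so the resulting incident has no source address to pivot or block on; add `| extend IPCustomEntity = SrcIpAddr` and a matching `entityType: IP` mapping on `Address`. Because `contains` is case-insensitive substring matching, very short or generic tokens such as `'SF/'`, `'Webster'`, `'metis'` and `'grabber'` will match legitimate agents and deserve a second look before release.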
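--- a/Solutions/OracleWebLogicServer/Analytic Rules/OracleWebLogicMultipleClientErrorsFromSingleIP.yaml
+++ b/Solutions/OracleWebLogicServer/Analytic Rules/OracleWebLogicMultipleClientErrorsFromSingleIP.yaml
@@ -0,0 +1,32 @@
+id: 41775080-5740-11ec-bf63-0242ac130002
+name: Oracle - Multiple client errors from single IP
+description: |
+'Detects multiple client errors from one source in short timeframe'
+severity: Medium
+requiredDataConnectors:
+- connectorId: OracleWebLogicServer
+dataTypes:
+- OracleWebLogicServerEvent
+queryFrequency: 1h
+queryPeriod: 1h
+triggerOperator: gt
+triggerThreshold: 0
+tactics:
+- InitialAccess
+relevantTechniques:
+- T1190
+- T1133
+query: |
+let threshold = 100;
+OracleWebLogicServerEvent
+| where tolong(HttpStatusCode) >= 400 and tolong(HttpStatusCode) <= 499
+| summarize MultipleClientErrors = count() by SrcIpAddr, bin(TimeGenerated, 5m)
+| where MultipleClientErrors > threshold
+| extend IPCustomEntity = SrcIpAddr
+entityMappings:
+- entityType: IP
+fieldMappings:
+- identifier: Address
+columnName: IPCustomEntity
+version: 1.0.0
+kind: Scheduled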
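Review bot: The `summarize MultipleClientErrors = count() by SrcIpAddr, bin(TimeGenerated, 5m)` line groups every event with an empty source address into a single bucket, and the incident it raises then has no usable IP entity; add `| where isnotempty(SrcIpAddr)` ahead of it. The two `tolong()` casts can be written once as `| where tolong(HttpStatusCode) between (400 .. 499)`, which also reads closer to the description. The technique tags (T1190, T1133) describe exploitation, whereas a burst of 4xx responses from one address more usually signals path brute-forcing or scanning, so T1595 under Reconnaissance would arguably fit better; this is a tagging judgement rather than a defect.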
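--- a/Solutions/OracleWebLogicServer/Analytic Rules/OracleWebLogicMultipleServerErrorsRequestsFromSingleIP.yaml
+++ b/Solutions/OracleWebLogicServer/Analytic Rules/OracleWebLogicMultipleServerErrorsRequestsFromSingleIP.yaml
@@ -0,0 +1,34 @@
+id: 268f4fde-5740-11ec-bf63-0242ac130002
+name: Oracle - Multiple server errors from single IP
+description: |
+'Detects multiple server errors from one source in short timeframe'
+severity: Medium
+requiredDataConnectors:
+- connectorId: OracleWebLogicServer
+dataTypes:
+- OracleWebLogicServerEvent
+queryFrequency: 1h
+queryPeriod: 1h
+triggerOperator: gt
+triggerThreshold: 0
+tactics:
+- Impact
+- InitialAccess
+relevantTechniques:
+- T1498
+- T1190
+- T1133
+query: |
+let threshold = 100;
+OracleWebLogicServerEvent
+| where tolong(HttpStatusCode) >= 500 and tolong(HttpStatusCode) <= 599
+| summarize MultipleServerErrors = count() by SrcIpAddr, bin(TimeGenerated, 5m)
+| where MultipleServerErrors > threshold
+| extend IPCustomEntity = SrcIpAddr
+entityMappings:
+- entityType: IP
+fieldMappings:
+- identifier: Address
+columnName: IPCustomEntity
+version: 1.0.0
+kind: Scheduled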
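Review bot: As in the client-error rule, the `summarize` line has no `isnotempty(SrcIpAddr)` guard, so empty addresses pool into one bucket, and a load balancer or health-check source that sees a backend outage will generate a steady stream of alerts with no attacker behind them; add `| where isnotempty(SrcIpAddr)` and consider a watchlist or exclusion for known monitoring sources. A 5xx burst from one source is as often an application failure as a DoS, so the description should state that the rule needs tuning per environment rather than reading as a pure T1498 detection. `| where tolong(HttpStatusCode) between (500 .. 599)` is the more compact form of the status filter.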
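--- a/Solutions/OracleWebLogicServer/Analytic Rules/OracleWebLogicPrivateIpInUrl.yaml
+++ b/Solutions/OracleWebLogicServer/Analytic Rules/OracleWebLogicPrivateIpInUrl.yaml
@@ -0,0 +1,29 @@
+id: 153ce6d8-5740-11ec-bf63-0242ac130002
+name: Oracle - Private IP in URL
+description: |
+'Detects requests to unusual URL'
+severity: Medium
+requiredDataConnectors:
+- connectorId: OracleWebLogicServer
+dataTypes:
+- OracleWebLogicServerEvent
+queryFrequency: 1h
+queryPeriod: 1h
+triggerOperator: gt
+triggerThreshold: 0
+tactics:
+- InitialAccess
+relevantTechniques:
+- T1190
+- T1133
+query: |
+OracleWebLogicServerEvent
+| where UrlOriginal matches regex @'(10\.\d{1,3}\.\d{1,3}\.\d{1,3})|(172\.1[6-9]\.\d{1,3}\.\d{1,3})|(172\.2[0-9]\.\d{1,3}\.\d{1,3})|(172\.3[0-1]\.\d{1,3}\.\d{1,3})|(192\.168\.\d{1,3}\.\d{1,3})'
+| extend UrlCustomEntity = UrlOriginal
+entityMappings:
+- entityType: URL
+fieldMappings:
+- identifier: Url
+columnName: UrlCustomEntity
+version: 1.0.0
+kind: Scheduled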
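Review bot: The regex on the `matches regex` line is unanchored, so `10\.\d{1,3}\.\d{1,3}\.\d{1,3}` also matches inside unrelated digit runs such as a version string `2.10.0.1` or a public address like `110.1.2.3`, and it omits the loopback, link-local and cloud-metadata ranges that server-side request forgery attempts most often aim at; a single-line replacement that bounds the address and adds those ranges is `| where UrlOriginal matches regex @'(^|[^\d.])(10\.\d{1,3}\.\d{1,3}\.\d{1,3}|172\.(1[6-9]|2[0-9]|3[01])\.\d{1,3}\.\d{1,3}|192\.168\.\d{1,3}\.\d{1,3}|127\.\d{1,3}\.\d{1,3}\.\d{1,3}|169\.254\.\d{1,3}\.\d{1,3})($|[^\d.])'`. Percent-encoded dots (`%2e`) bypass the pattern as written, so matching against `url_decode(UrlOriginal)` closes that gap. The description `'Detects requests to unusual URL'` does not say what is looked for; `'Detects requests whose URL contains a private or internal IP address, a common indicator of SSRF or internal host probing.'` would tell the analyst what the alert means.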
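--- a/Solutions/OracleWebLogicServer/Analytic Rules/OracleWebLogicPutAndGetFileFromSameIP.yaml
+++ b/Solutions/OracleWebLogicServer/Analytic Rules/OracleWebLogicPutAndGetFileFromSameIP.yaml
@@ -0,0 +1,43 @@
+id: 033e98d2-5740-11ec-bf63-0242ac130002
+name: Oracle - Put file and get file from same IP address
+description: |
+'Detects put or get files from one source in short timeframe'
+severity: Medium
+requiredDataConnectors:
+- connectorId: OracleWebLogicServer
+dataTypes:
+- OracleWebLogicServerEvent
+queryFrequency: 1h
+queryPeriod: 1h
+triggerOperator: gt
+triggerThreshold: 0
+tactics:
+- InitialAccess
+relevantTechniques:
+- T1190
+- T1133
+query: |
+let p = OracleWebLogicServerEvent
+| where HttpRequestMethod in~ ('POST', 'PUT')
+| sort by EventStartTime asc
+| summarize post_time=min(EventStartTime) by SrcIpAddr, tostring(UrlOriginal);
+OracleWebLogicServerEvent
+| where HttpRequestMethod =~ 'GET'
+| sort by EventStartTime asc
+| summarize get_time=min(EventStartTime) by SrcIpAddr, tostring(UrlOriginal)
+| join kind=innerunique (p) on UrlOriginal, SrcIpAddr
+| extend second = datetime_diff('second',get_time,post_time)
+| where second between (1 .. 300)
+| project second, post_time, get_time, SrcIpAddr, UrlOriginal
+| extend IPCustomEntity = SrcIpAddr, UrlCustomEntity = tostring(UrlOriginal)
+entityMappings:
+- entityType: IP
+fieldMappings:
+- identifier: Address
+columnName: IPCustomEntity
+- entityType: URL
+fieldMappings:
+- identifier: Url
+columnName: UrlCustomEntity
+version: 1.0.0
+kind: Scheduled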
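Review bot: Neither leg of the join checks the response status, so a PUT or POST the server rejected with a 4xx/5xx is treated exactly like a successful upload followed by a GET; narrowing the `p` branch to `| where HttpRequestMethod in~ ('POST', 'PUT') and tolong(HttpStatusCode) between (200 .. 299)` would remove most of that noise. The two `| sort by EventStartTime asc` lines do nothing for `summarize min(EventStartTime)` and can be dropped, and since `UrlOriginal` is already a string column the `tostring()` wrappers are redundant. A POST followed within five minutes by a GET of the same URL is also routine for ordinary form pages, so the description should state the intended scenario and that tuning is expected; `'Detects put or get files from one source in short timeframe'` would better read `'Detects a PUT or POST to a URL followed within five minutes by a GET of the same URL from the same source IP, a pattern consistent with uploading and then accessing a file.'`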