Apache Http Server
Solution: ApacheHTTPServer
Browse: 🏠 · Solutions · Connectors · Methods · Tables · Content · Parsers · ASIM Parsers · ASIM Products · 📊
| Attribute | Value |
|---|---|
| Publisher | Microsoft Corporation |
| Support Tier | Microsoft |
| Support Link | https://support.microsoft.com |
| Categories | domains |
| Version | 3.0.1 |
| Author | Microsoft - support@microsoft.com |
| First Published | 2021-10-27 |
| Solution Folder | ApacheHTTPServer |
| Marketplace | Azure Marketplace · Popularity: 🔵 Medium (77%) |
| Pre-requisites | CustomLogsAma |
The Apache HTTP Server solution provides the capability to ingest Apache HTTP Server events into Microsoft Sentinel. Refer to Apache Logs documentation for more information.
This solution is dependent on the Custom logs via AMA connector to collect the logs. The Custom logs solution will be installed as part of this solution installation.
NOTE: Microsoft recommends installation of Custom logs via AMA Connector. Legacy connector uses the Log Analytics agent which were deprecated on Aug 31, 2024. Using MMA and AMA on same machine can cause log duplication and extra ingestion cost more details.
Contents
Pre-requisites
This solution depends on 1 other solution(s):
| Solution |
|---|
| CustomLogsAma |
Data Connectors
This solution has 1 discovered data connector(s)⚠️ (not in Solution definition):
Connectors from dependency solutions:
- Custom logs via AMA 🔶 (dependency on CustomLogsAma)
🔍 Discovered: This item was discovered by scanning the solution folder but is not listed in the Solution JSON file.
🔶 CLv1: This connector ingests into a table that uses the legacy Custom Log V1 schema format with type-suffixed column names (e.g.
_s,_d,_b,_t,_g). Note: identification is based on column name suffixes which are also permitted in CLv2, so this classification may not always be accurate.
Tables Used
This solution uses 16 table(s):
| Table | Used By Connectors | Used By Content |
|---|---|---|
ApacheHTTPServer_CL |
Custom logs via AMA (dependency), [Deprecated] Apache HTTP Server | Analytics, Hunting, Workbooks |
JBossEvent_CL |
Custom logs via AMA (dependency) | - |
JuniperIDP_CL |
Custom logs via AMA (dependency) | - |
MarkLogicAudit_CL |
Custom logs via AMA (dependency) | - |
MongoDBAudit_CL |
Custom logs via AMA (dependency) | - |
NGINX_CL |
Custom logs via AMA (dependency) | - |
OracleWebLogicServer_CL |
Custom logs via AMA (dependency) | - |
PostgreSQL_CL |
Custom logs via AMA (dependency) | - |
SecurityBridgeLogs_CL |
Custom logs via AMA (dependency) | - |
SquidProxy_CL 🔶 |
Custom logs via AMA (dependency) | - |
Tomcat_CL |
Custom logs via AMA (dependency) | - |
Ubiquiti_CL |
Custom logs via AMA (dependency) | - |
VectraStream_CL 🔶 |
Custom logs via AMA (dependency) | - |
ZPA_CL |
Custom logs via AMA (dependency) | - |
meraki_CL |
Custom logs via AMA (dependency) | - |
vcenter_CL |
Custom logs via AMA (dependency) | - |
🔶 CLv1: This table uses the legacy Custom Log V1 schema format with type-suffixed column names (e.g.
_s,_d,_b,_t,_g). Note: identification is based on column name suffixes which are also permitted in CLv2, so this classification may not always be accurate.
Content Items
This solution includes 22 content item(s):
| Content Type | Count |
|---|---|
| Analytic Rules | 10 |
| Hunting Queries | 10 |
| Workbooks | 1 |
| Parsers | 1 |
Analytic Rules
| Name | Severity | Tactics | Tables Used |
|---|---|---|---|
| Apache - Apache 2.4.49 flaw CVE-2021-41773 | High | InitialAccess, LateralMovement | ApacheHTTPServer_CL |
| Apache - Command in URI | High | InitialAccess | ApacheHTTPServer_CL |
| Apache - Known malicious user agent | High | InitialAccess | ApacheHTTPServer_CL |
| Apache - Multiple client errors from single IP | Medium | InitialAccess | ApacheHTTPServer_CL |
| Apache - Multiple server errors from single IP | Medium | Impact, InitialAccess | ApacheHTTPServer_CL |
| Apache - Private IP in URL | Medium | InitialAccess | ApacheHTTPServer_CL |
| Apache - Put suspicious file | Medium | InitialAccess, Exfiltration | ApacheHTTPServer_CL |
| Apache - Request from private IP | Medium | Impact, InitialAccess | ApacheHTTPServer_CL |
| Apache - Request to sensitive files | Medium | InitialAccess | ApacheHTTPServer_CL |
| Apache - Requests to rare files | Medium | InitialAccess | ApacheHTTPServer_CL |
Hunting Queries
| Name | Tactics | Tables Used |
|---|---|---|
| Apache - Rare URLs requested | InitialAccess | ApacheHTTPServer_CL |
| Apache - Rare files requested | InitialAccess | ApacheHTTPServer_CL |
| Apache - Rare user agents | InitialAccess | ApacheHTTPServer_CL |
| Apache - Rare user agents with client errors | InitialAccess | ApacheHTTPServer_CL |
| Apache - Requests to unexisting files | InitialAccess | ApacheHTTPServer_CL |
| Apache - Top Top files requested | InitialAccess | ApacheHTTPServer_CL |
| Apache - Top URLs with client errors | Impact, InitialAccess | ApacheHTTPServer_CL |
| Apache - Top URLs with server errors | Impact, InitialAccess | ApacheHTTPServer_CL |
| Apache - Top files requested with errors | InitialAccess | ApacheHTTPServer_CL |
| Apache - Unexpected Post Requests | Persistence, CommandAndControl | ApacheHTTPServer_CL |
Workbooks
| Name | Tables Used |
|---|---|
| ApacheHTTPServer | ApacheHTTPServer_CL |
Parsers
| Name | Description | Tables Used |
|---|---|---|
| ApacheHTTPServer | - | ApacheHTTPServer_CL (read) |
Release Notes
| Version | Date Modified (DD-MM-YYYY) | Change History |
|---|---|---|
| 3.0.1 | 05-12-2024 | Removed Deprecated Data connectors |
| 3.0.0 | 13-08-2024 | Deprecating data connectors |
Browse: 🏠 · Solutions · Connectors · Methods · Tables · Content · Parsers · ASIM Parsers · ASIM Products · 📊