Solution: OracleWebLogicServer
| Attribute | Value |
|---|---|
| Publisher | Microsoft Corporation |
| Support Tier | Microsoft |
| Support Link | https://support.microsoft.com |
| Categories | domains |
| Version | 3.0.2 |
| Author | Microsoft - support@microsoft.com |
| First Published | 2022-01-06 |
| Solution Folder | OracleWebLogicServer |
| Marketplace | Azure Marketplace · Popularity: 🔵 Medium (57%) |
| Pre-requisites | CustomLogsAma |
The Oracle WebLogic Server solution for Microsoft Sentinel provides the capability to ingest Oracle WebLogic Server events into Microsoft Sentinel. Oracle WebLogic Server is a server for building and deploying enterprise Java EE applications, with support for new features for lowering the cost of operations, improving performance, enhancing scalability, and supporting the Oracle Applications portfolio.
This solution depends on the Custom logs via AMA connector to collect the logs. The Custom logs solution will be installed as part of this solution's installation.
NOTE: Microsoft recommends installing the Custom logs via AMA connector. The legacy connector uses the Log Analytics agent, which was deprecated on Aug 31, 2024. Using MMA and AMA on the same machine can cause log duplication and extra ingestion cost.
This solution depends on 1 other solution(s):
| Solution |
|---|
| CustomLogsAma |
This solution has 1 discovered data connector(s)⚠️ (not in Solution definition):
Connectors from dependency solutions:
🔍 Discovered: This item was discovered by scanning the solution folder but is not listed in the Solution JSON file.
🔶 CLv1: This connector ingests into a table that uses the legacy Custom Log V1 schema format with type-suffixed column names (e.g. _s, _d, _b, _t, _g). Note: identification is based on column name suffixes, which are also permitted in CLv2, so this classification may not always be accurate.
This solution uses 16 table(s):
| Table | Used By Connectors | Used By Content |
|---|---|---|
| ApacheHTTPServer_CL | Custom logs via AMA (dependency) | - |
| JBossEvent_CL | Custom logs via AMA (dependency) | - |
| JuniperIDP_CL | Custom logs via AMA (dependency) | - |
| MarkLogicAudit_CL | Custom logs via AMA (dependency) | - |
| MongoDBAudit_CL | Custom logs via AMA (dependency) | - |
| NGINX_CL | Custom logs via AMA (dependency) | - |
| OracleWebLogicServer_CL | Custom logs via AMA (dependency), [Deprecated] Oracle WebLogic Server | Analytics, Hunting, Workbooks |
| PostgreSQL_CL | Custom logs via AMA (dependency) | - |
| SecurityBridgeLogs_CL | Custom logs via AMA (dependency) | - |
| SquidProxy_CL 🔶 | Custom logs via AMA (dependency) | - |
| Tomcat_CL | Custom logs via AMA (dependency) | Workbooks |
| Ubiquiti_CL | Custom logs via AMA (dependency) | - |
| VectraStream_CL 🔶 | Custom logs via AMA (dependency) | - |
| ZPA_CL | Custom logs via AMA (dependency) | - |
| meraki_CL | Custom logs via AMA (dependency) | - |
| vcenter_CL | Custom logs via AMA (dependency) | - |
🔶 CLv1: This table uses the legacy Custom Log V1 schema format with type-suffixed column names (e.g. _s, _d, _b, _t, _g). Note: identification is based on column name suffixes, which are also permitted in CLv2, so this classification may not always be accurate.
This solution includes 22 content item(s):
| Content Type | Count |
|---|---|
| Analytic Rules | 10 |
| Hunting Queries | 10 |
| Workbooks | 1 |
| Parsers | 1 |
Analytic Rules:
| Name | Severity | Tactics | Tables Used |
|---|---|---|---|
| Oracle - Command in URI | High | InitialAccess | OracleWebLogicServer_CL |
| Oracle - Malicious user agent | High | InitialAccess | OracleWebLogicServer_CL |
| Oracle - Multiple client errors from single IP | Medium | InitialAccess | OracleWebLogicServer_CL |
| Oracle - Multiple server errors from single IP | Medium | Impact, InitialAccess | OracleWebLogicServer_CL |
| Oracle - Multiple user agents for single source | Medium | InitialAccess | OracleWebLogicServer_CL |
| Oracle - Oracle WebLogic Exploit CVE-2021-2109 | High | InitialAccess | OracleWebLogicServer_CL |
| Oracle - Private IP in URL | Medium | InitialAccess | OracleWebLogicServer_CL |
| Oracle - Put file and get file from same IP address | Medium | InitialAccess | OracleWebLogicServer_CL |
| Oracle - Put suspicious file | Medium | InitialAccess, Exfiltration | OracleWebLogicServer_CL |
| Oracle - Request to sensitive files | High | InitialAccess | OracleWebLogicServer_CL |
Hunting Queries:
| Name | Tactics | Tables Used |
|---|---|---|
| Oracle - Abnormal request size | Exfiltration, Collection | OracleWebLogicServer_CL |
| Oracle - Critical event severity | InitialAccess | OracleWebLogicServer_CL |
| Oracle - Error messages | DefenseEvasion | OracleWebLogicServer_CL |
| Oracle - Rare URLs requested | InitialAccess | OracleWebLogicServer_CL |
| Oracle - Rare user agents | InitialAccess | OracleWebLogicServer_CL |
| Oracle - Rare user agents with client errors | InitialAccess | OracleWebLogicServer_CL |
| Oracle - Request to forbidden files | InitialAccess | OracleWebLogicServer_CL |
| Oracle - Top URLs client errors | Impact, InitialAccess | OracleWebLogicServer_CL |
| Oracle - Top URLs server errors | Impact, InitialAccess | OracleWebLogicServer_CL |
| Oracle - Top files requested by users with error | InitialAccess | OracleWebLogicServer_CL |
Workbooks:
| Name | Tables Used |
|---|---|
| OracleWorkbook | OracleWebLogicServer_CL, Tomcat_CL |
Parsers:
| Name | Description | Tables Used |
|---|---|---|
| OracleWebLogicServerEvent | - | OracleWebLogicServer_CL (read) |
Change history:
| Version | Date Modified (DD-MM-YYYY) | Change History |
|---|---|---|
| 3.0.2 | 23-12-2024 | Removed Deprecated Data connector |
| 3.0.1 | 09-08-2024 | Deprecating data connectors |
| 3.0.0 | 15-12-2023 | Updated the Parser field TreadId to ThreadId |