Trend Micro CAS - Threat detected and not blocked

Back


Id	c8e2ad52-bd5f-4f74-a2f7-6c3ab8ba687a
Rulename	Trend Micro CAS - Threat detected and not blocked
Description	Detects when threat was not blocked by CAS solution.
Severity	High
Tactics	DefenseEvasion
Techniques	T1562
Required data connectors	TrendMicroCAS
Kind	Scheduled
Query frequency	10m
Query period	10m
Trigger threshold	0
Trigger operator	gt
Source Uri	https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Trend Micro Cloud App Security/Analytic Rules/TrendMicroCASThreatNotBlocked.yaml
Version	1.0.1
Arm template	c8e2ad52-bd5f-4f74-a2f7-6c3ab8ba687a.json

KQL

TrendMicroCAS
| where isnotempty(SecurityRiskName)
| where EventOriginalResultDetails !has 'Blocked' or EventOriginalResultDetails !has 'Block' or EventOriginalResultDetails !has 'Quarantine' or TriggeredPolicyName has 'Monitor Only'
| extend AccountCustomEntity = DstUserName

YAML

triggerOperator: gt
queryFrequency: 10m
description: |
    'Detects when threat was not blocked by CAS solution.'
status: Available
kind: Scheduled
triggerThreshold: 0
requiredDataConnectors:
- connectorId: TrendMicroCAS
  dataTypes:
  - TrendMicroCAS
version: 1.0.1
queryPeriod: 10m
name: Trend Micro CAS - Threat detected and not blocked
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Trend Micro Cloud App Security/Analytic Rules/TrendMicroCASThreatNotBlocked.yaml
id: c8e2ad52-bd5f-4f74-a2f7-6c3ab8ba687a
tactics:
- DefenseEvasion
relevantTechniques:
- T1562
severity: High
entityMappings:
- fieldMappings:
  - identifier: Name
    columnName: AccountCustomEntity
  entityType: Account
query: |
  TrendMicroCAS
  | where isnotempty(SecurityRiskName)
  | where EventOriginalResultDetails !has 'Blocked' or EventOriginalResultDetails !has 'Block' or EventOriginalResultDetails !has 'Quarantine' or TriggeredPolicyName has 'Monitor Only'
  | extend AccountCustomEntity = DstUserName

ARM

{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "workspace": {
      "type": "String"
    }
  },
  "resources": [
    {
      "apiVersion": "2023-02-01-preview",
      "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/c8e2ad52-bd5f-4f74-a2f7-6c3ab8ba687a')]",
      "kind": "Scheduled",
      "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/c8e2ad52-bd5f-4f74-a2f7-6c3ab8ba687a')]",
      "properties": {
        "alertRuleTemplateName": "c8e2ad52-bd5f-4f74-a2f7-6c3ab8ba687a",
        "customDetails": null,
        "description": "'Detects when threat was not blocked by CAS solution.'\n",
        "displayName": "Trend Micro CAS - Threat detected and not blocked",
        "enabled": true,
        "entityMappings": [
          {
            "entityType": "Account",
            "fieldMappings": [
              {
                "columnName": "AccountCustomEntity",
                "identifier": "Name"
              }
            ]
          }
        ],
        "OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Trend Micro Cloud App Security/Analytic Rules/TrendMicroCASThreatNotBlocked.yaml",
        "query": "TrendMicroCAS\n| where isnotempty(SecurityRiskName)\n| where EventOriginalResultDetails !has 'Blocked' or EventOriginalResultDetails !has 'Block' or EventOriginalResultDetails !has 'Quarantine' or TriggeredPolicyName has 'Monitor Only'\n| extend AccountCustomEntity = DstUserName\n",
        "queryFrequency": "PT10M",
        "queryPeriod": "PT10M",
        "severity": "High",
        "status": "Available",
        "suppressionDuration": "PT1H",
        "suppressionEnabled": false,
        "tactics": [
          "DefenseEvasion"
        ],
        "techniques": [
          "T1562"
        ],
        "templateVersion": "1.0.1",
        "triggerOperator": "GreaterThan",
        "triggerThreshold": 0
      },
      "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules"
    }
  ]
}