Microsoft Sentinel Analytic Rules
cloudbrothers.infoAzure Sentinel RepoToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeBack to homepage

Cisco SE - Connection to known C2 server

Back
Id0f788a93-dc88-4f80-89ef-bef7cd0fef05
RulenameCisco SE - Connection to known C2 server
DescriptionThis rule is triggered when connection to known C2 is detected from host.
SeverityHigh
TacticsCommandAndControl
TechniquesT1071
Required data connectorsCiscoSecureEndpoint
KindScheduled
Query frequency15m
Query period15m
Trigger threshold0
Trigger operatorgt
Source Urihttps://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Cisco Secure Endpoint/Analytic Rules/CiscoSEC2Connection.yaml
Version1.0.0
Arm template0f788a93-dc88-4f80-89ef-bef7cd0fef05.json
Deploy To Azure
CiscoSecureEndpoint
| where EventMessage has 'Suspected botnet connection'
| extend HostCustomEntity = DstHostname, MalwareCustomEntity = ThreatName
status: Available
id: 0f788a93-dc88-4f80-89ef-bef7cd0fef05
query: |
  CiscoSecureEndpoint
  | where EventMessage has 'Suspected botnet connection'
  | extend HostCustomEntity = DstHostname, MalwareCustomEntity = ThreatName  
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Cisco Secure Endpoint/Analytic Rules/CiscoSEC2Connection.yaml
description: |
    'This rule is triggered when connection to known C2 is detected from host.'
name: Cisco SE - Connection to known C2 server
relevantTechniques:
- T1071
entityMappings:
- entityType: Host
  fieldMappings:
  - identifier: HostName
    columnName: HostCustomEntity
- entityType: Malware
  fieldMappings:
  - identifier: Name
    columnName: MalwareCustomEntity
triggerThreshold: 0
severity: High
requiredDataConnectors:
- dataTypes:
  - CiscoSecureEndpoint
  connectorId: CiscoSecureEndpoint
queryFrequency: 15m
queryPeriod: 15m
version: 1.0.0
kind: Scheduled
tactics:
- CommandAndControl
triggerOperator: gt
{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "workspace": {
      "type": "String"
    }
  },
  "resources": [
    {
      "apiVersion": "2024-01-01-preview",
      "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/0f788a93-dc88-4f80-89ef-bef7cd0fef05')]",
      "kind": "Scheduled",
      "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/0f788a93-dc88-4f80-89ef-bef7cd0fef05')]",
      "properties": {
        "alertRuleTemplateName": "0f788a93-dc88-4f80-89ef-bef7cd0fef05",
        "customDetails": null,
        "description": "'This rule is triggered when connection to known C2 is detected from host.'\n",
        "displayName": "Cisco SE - Connection to known C2 server",
        "enabled": true,
        "entityMappings": [
          {
            "entityType": "Host",
            "fieldMappings": [
              {
                "columnName": "HostCustomEntity",
                "identifier": "HostName"
              }
            ]
          },
          {
            "entityType": "Malware",
            "fieldMappings": [
              {
                "columnName": "MalwareCustomEntity",
                "identifier": "Name"
              }
            ]
          }
        ],
        "OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Cisco Secure Endpoint/Analytic Rules/CiscoSEC2Connection.yaml",
        "query": "CiscoSecureEndpoint\n| where EventMessage has 'Suspected botnet connection'\n| extend HostCustomEntity = DstHostname, MalwareCustomEntity = ThreatName\n",
        "queryFrequency": "PT15M",
        "queryPeriod": "PT15M",
        "severity": "High",
        "status": "Available",
        "subTechniques": [],
        "suppressionDuration": "PT1H",
        "suppressionEnabled": false,
        "tactics": [
          "CommandAndControl"
        ],
        "techniques": [
          "T1071"
        ],
        "templateVersion": "1.0.0",
        "triggerOperator": "GreaterThan",
        "triggerThreshold": 0
      },
      "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules"
    }
  ]
}