Cisco SE - Connection to known C2 server

Back


Id	0f788a93-dc88-4f80-89ef-bef7cd0fef05
Rulename	Cisco SE - Connection to known C2 server
Description	This rule is triggered when connection to known C2 is detected from host.
Severity	High
Tactics	CommandAndControl
Techniques	T1071
Required data connectors	CiscoSecureEndpoint
Kind	Scheduled
Query frequency	15m
Query period	15m
Trigger threshold	0
Trigger operator	gt
Source Uri	https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Cisco Secure Endpoint/Analytic Rules/CiscoSEC2Connection.yaml
Version	1.0.0
Arm template	0f788a93-dc88-4f80-89ef-bef7cd0fef05.json

KQL

CiscoSecureEndpoint
| where EventMessage has 'Suspected botnet connection'
| extend HostCustomEntity = DstHostname, MalwareCustomEntity = ThreatName

YAML

entityMappings:
- entityType: Host
  fieldMappings:
  - columnName: HostCustomEntity
    identifier: HostName
- entityType: Malware
  fieldMappings:
  - columnName: MalwareCustomEntity
    identifier: Name
tactics:
- CommandAndControl
triggerOperator: gt
description: |
    'This rule is triggered when connection to known C2 is detected from host.'
requiredDataConnectors:
- connectorId: CiscoSecureEndpoint
  dataTypes:
  - CiscoSecureEndpoint
relevantTechniques:
- T1071
version: 1.0.0
id: 0f788a93-dc88-4f80-89ef-bef7cd0fef05
kind: Scheduled
query: |
  CiscoSecureEndpoint
  | where EventMessage has 'Suspected botnet connection'
  | extend HostCustomEntity = DstHostname, MalwareCustomEntity = ThreatName  
status: Available
triggerThreshold: 0
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Cisco Secure Endpoint/Analytic Rules/CiscoSEC2Connection.yaml
queryFrequency: 15m
severity: High
name: Cisco SE - Connection to known C2 server
queryPeriod: 15m

ARM

{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "workspace": {
      "type": "String"
    }
  },
  "resources": [
    {
      "apiVersion": "2024-01-01-preview",
      "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/0f788a93-dc88-4f80-89ef-bef7cd0fef05')]",
      "kind": "Scheduled",
      "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/0f788a93-dc88-4f80-89ef-bef7cd0fef05')]",
      "properties": {
        "alertRuleTemplateName": "0f788a93-dc88-4f80-89ef-bef7cd0fef05",
        "customDetails": null,
        "description": "'This rule is triggered when connection to known C2 is detected from host.'\n",
        "displayName": "Cisco SE - Connection to known C2 server",
        "enabled": true,
        "entityMappings": [
          {
            "entityType": "Host",
            "fieldMappings": [
              {
                "columnName": "HostCustomEntity",
                "identifier": "HostName"
              }
            ]
          },
          {
            "entityType": "Malware",
            "fieldMappings": [
              {
                "columnName": "MalwareCustomEntity",
                "identifier": "Name"
              }
            ]
          }
        ],
        "OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Cisco Secure Endpoint/Analytic Rules/CiscoSEC2Connection.yaml",
        "query": "CiscoSecureEndpoint\n| where EventMessage has 'Suspected botnet connection'\n| extend HostCustomEntity = DstHostname, MalwareCustomEntity = ThreatName\n",
        "queryFrequency": "PT15M",
        "queryPeriod": "PT15M",
        "severity": "High",
        "status": "Available",
        "subTechniques": [],
        "suppressionDuration": "PT1H",
        "suppressionEnabled": false,
        "tactics": [
          "CommandAndControl"
        ],
        "techniques": [
          "T1071"
        ],
        "templateVersion": "1.0.0",
        "triggerOperator": "GreaterThan",
        "triggerThreshold": 0
      },
      "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules"
    }
  ]
}