Microsoft Sentinel Analytic Rules

Cisco SEG - Malicious attachment not blocked

Id: 236e872c-31d1-4b45-ac2a-fda3af465c97
Rulename: Cisco SEG - Malicious attachment not blocked
Description: Detects mails with malicious attachments which were not blocked.
Severity: High
Tactics: InitialAccess
Techniques: T1566
Required data connectors: CiscoSEG, CiscoSEGAma
Kind: Scheduled
Query frequency: 10m
Query period: 10m
Trigger threshold: 0
Trigger operator: gt
Source Uri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/CiscoSEG/Analytic Rules/CiscoSEGMaliciousAttachmentNotBlocked.yaml
Version: 1.0.1
Arm template: 236e872c-31d1-4b45-ac2a-fda3af465c97.json
// Inbound mail that the Cisco SEG delivered although the ESAAMPVerdict recorded
// in AdditionalFields is MALICIOUS. Output is the matching CiscoSEGEvent rows
// with two added columns: amp_verdict and AccountCustomEntity (the recipient).
CiscoSEGEvent
| where NetworkDirection =~ 'Incoming' and SimplifiedDeviceAction =~ 'DELIVERED'
// Serialise the dynamic bag once; the verdict is regex-extracted from the JSON
// text, which presumably is emitted in compact "key":"value" form — confirm
// against live data, since any whitespace after the colon would defeat the match.
| extend additional_fields_text = tostring(AdditionalFields)
| where additional_fields_text has 'ESAAMPVerdict'
| extend amp_verdict = extract(@'ESAAMPVerdict":"(NOT_EVALUATED|CLEAN|FA_PENDING|UNKNOWN|SKIPPED|UNSCANNABLE|LOW_RISK|MALICIOUS)"', 1, additional_fields_text)
| where amp_verdict =~ 'MALICIOUS'
// Drop the helper column so the result schema matches the rule's entity mapping.
| project-away additional_fields_text
| extend AccountCustomEntity = DstUserName
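severity: High
name: Cisco SEG - Malicious attachment not blocked
# Both the legacy CiscoSEG connector and the AMA-based connector populate the
# same CiscoSEGEvent table, so either one satisfies the rule's data requirement.
requiredDataConnectors:
- dataTypes:
  - CiscoSEGEvent
  connectorId: CiscoSEG
- dataTypes:
  - CiscoSEGEvent
  connectorId: CiscoSEGAma
id: 236e872c-31d1-4b45-ac2a-fda3af465c97
tactics:
- InitialAccess
# Runs every 10 minutes over the trailing 10 minutes (queryPeriod below).
queryFrequency: 10m
# gt with a threshold of 0: every run that returns at least one row alerts.
triggerOperator: gt
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/CiscoSEG/Analytic Rules/CiscoSEGMaliciousAttachmentNotBlocked.yaml
# NOTE(review): the single quotes sit inside the block scalar and therefore
# become part of the stored description text; kept as-is to match the
# repository's convention for rule files.
description: |
    'Detects mails with malicious attachments which were not blocked.'
triggerThreshold: 0
kind: Scheduled
relevantTechniques:
- T1566
# Inbound mail that the appliance delivered even though the ESAAMPVerdict value
# carried in AdditionalFields is MALICIOUS. The verdict is pulled out of the
# serialised JSON with a regex, which presumably relies on the compact
# "key":"value" formatting of tostring() — confirm against live data.
# Trailing whitespace has been removed from the last query line so the block
# scalar carries only the query text.
query: |
  CiscoSEGEvent
  | where NetworkDirection =~ 'Incoming'
  | where SimplifiedDeviceAction =~ 'DELIVERED'
  | where tostring(AdditionalFields) has 'ESAAMPVerdict'
  | extend amp_verdict = extract(@'ESAAMPVerdict":"(NOT_EVALUATED|CLEAN|FA_PENDING|UNKNOWN|SKIPPED|UNSCANNABLE|LOW_RISK|MALICIOUS)"', 1, tostring(AdditionalFields))
  | where amp_verdict =~ 'MALICIOUS'
  | extend AccountCustomEntity = DstUserName
# The recipient (DstUserName, aliased to AccountCustomEntity in the query) is
# surfaced as the Account entity on the resulting incident.
entityMappings:
- entityType: Account
  fieldMappings:
  - columnName: AccountCustomEntity
    identifier: Name
status: Available
version: 1.0.1
queryPeriod: 10m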
{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "workspace": {
      "type": "String"
    }
  },
  "resources": [
    {
      "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/236e872c-31d1-4b45-ac2a-fda3af465c97')]",
      "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/236e872c-31d1-4b45-ac2a-fda3af465c97')]",
      "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
      "kind": "Scheduled",
      "apiVersion": "2022-11-01-preview",
      "properties": {
        "displayName": "Cisco SEG - Malicious attachment not blocked",
        "description": "'Detects mails with malicious attachments which were not blocked.'\n",
        "severity": "High",
        "enabled": true,
        "query": "CiscoSEGEvent\n| where NetworkDirection =~ 'Incoming'\n| where SimplifiedDeviceAction =~ 'DELIVERED'\n| where tostring(AdditionalFields) has 'ESAAMPVerdict'\n| extend amp_verdict = extract(@'ESAAMPVerdict\":\"(NOT_EVALUATED|CLEAN|FA_PENDING|UNKNOWN|SKIPPED|UNSCANNABLE|LOW_RISK|MALICIOUS)\"', 1, tostring(AdditionalFields))\n| where amp_verdict =~ 'MALICIOUS'\n| extend AccountCustomEntity = DstUserName\n",
        "queryFrequency": "PT10M",
        "queryPeriod": "PT10M",
        "triggerOperator": "GreaterThan",
        "triggerThreshold": 0,
        "suppressionDuration": "PT1H",
        "suppressionEnabled": false,
        "tactics": [
          "InitialAccess"
        ],
        "techniques": [
          "T1566"
        ],
        "alertRuleTemplateName": "236e872c-31d1-4b45-ac2a-fda3af465c97",
        "customDetails": null,
        "entityMappings": [
          {
            "fieldMappings": [
              {
                "identifier": "Name",
                "columnName": "AccountCustomEntity"
              }
            ],
            "entityType": "Account"
          }
        ],
        "status": "Available",
        "templateVersion": "1.0.1",
        "OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/CiscoSEG/Analytic Rules/CiscoSEGMaliciousAttachmentNotBlocked.yaml"
      }
    }
  ]
}