Microsoft Sentinel Analytic Rules
cloudbrothers.infoAzure Sentinel RepoToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeBack to homepage

Cisco SEG - Malicious attachment not blocked

Back
Id236e872c-31d1-4b45-ac2a-fda3af465c97
RulenameCisco SEG - Malicious attachment not blocked
DescriptionDetects mails with malicious attachments which were not blocked.
SeverityHigh
TacticsInitialAccess
TechniquesT1566
Required data connectorsCefAma
CiscoSEG
CiscoSEGAma
KindScheduled
Query frequency10m
Query period10m
Trigger threshold0
Trigger operatorgt
Source Urihttps://github.com/Azure/Azure-Sentinel/blob/master/Solutions/CiscoSEG/Analytic Rules/CiscoSEGMaliciousAttachmentNotBlocked.yaml
Version1.0.2
Arm template236e872c-31d1-4b45-ac2a-fda3af465c97.json
Deploy To Azure
CiscoSEGEvent
| where NetworkDirection =~ 'Incoming'
| where SimplifiedDeviceAction =~ 'DELIVERED'
| where tostring(AdditionalFields) has 'ESAAMPVerdict'
| extend amp_verdict = extract(@'ESAAMPVerdict":"(NOT_EVALUATED|CLEAN|FA_PENDING|UNKNOWN|SKIPPED|UNSCANNABLE|LOW_RISK|MALICIOUS)"', 1, tostring(AdditionalFields))
| where amp_verdict =~ 'MALICIOUS'
| extend AccountCustomEntity = DstUserName
id: 236e872c-31d1-4b45-ac2a-fda3af465c97
name: Cisco SEG - Malicious attachment not blocked
triggerOperator: gt
status: Available
query: |
  CiscoSEGEvent
  | where NetworkDirection =~ 'Incoming'
  | where SimplifiedDeviceAction =~ 'DELIVERED'
  | where tostring(AdditionalFields) has 'ESAAMPVerdict'
  | extend amp_verdict = extract(@'ESAAMPVerdict":"(NOT_EVALUATED|CLEAN|FA_PENDING|UNKNOWN|SKIPPED|UNSCANNABLE|LOW_RISK|MALICIOUS)"', 1, tostring(AdditionalFields))
  | where amp_verdict =~ 'MALICIOUS'
  | extend AccountCustomEntity = DstUserName  
queryPeriod: 10m
requiredDataConnectors:
- connectorId: CiscoSEG
  dataTypes:
  - CiscoSEGEvent
- connectorId: CiscoSEGAma
  dataTypes:
  - CiscoSEGEvent
- connectorId: CefAma
  dataTypes:
  - CommonSecurityLog
severity: High
queryFrequency: 10m
relevantTechniques:
- T1566
version: 1.0.2
kind: Scheduled
tactics:
- InitialAccess
triggerThreshold: 0
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/CiscoSEG/Analytic Rules/CiscoSEGMaliciousAttachmentNotBlocked.yaml
entityMappings:
- fieldMappings:
  - identifier: Name
    columnName: AccountCustomEntity
  entityType: Account
description: |
    'Detects mails with malicious attachments which were not blocked.'
{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "workspace": {
      "type": "String"
    }
  },
  "resources": [
    {
      "apiVersion": "2024-01-01-preview",
      "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/236e872c-31d1-4b45-ac2a-fda3af465c97')]",
      "kind": "Scheduled",
      "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/236e872c-31d1-4b45-ac2a-fda3af465c97')]",
      "properties": {
        "alertRuleTemplateName": "236e872c-31d1-4b45-ac2a-fda3af465c97",
        "customDetails": null,
        "description": "'Detects mails with malicious attachments which were not blocked.'\n",
        "displayName": "Cisco SEG - Malicious attachment not blocked",
        "enabled": true,
        "entityMappings": [
          {
            "entityType": "Account",
            "fieldMappings": [
              {
                "columnName": "AccountCustomEntity",
                "identifier": "Name"
              }
            ]
          }
        ],
        "OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/CiscoSEG/Analytic Rules/CiscoSEGMaliciousAttachmentNotBlocked.yaml",
        "query": "CiscoSEGEvent\n| where NetworkDirection =~ 'Incoming'\n| where SimplifiedDeviceAction =~ 'DELIVERED'\n| where tostring(AdditionalFields) has 'ESAAMPVerdict'\n| extend amp_verdict = extract(@'ESAAMPVerdict\":\"(NOT_EVALUATED|CLEAN|FA_PENDING|UNKNOWN|SKIPPED|UNSCANNABLE|LOW_RISK|MALICIOUS)\"', 1, tostring(AdditionalFields))\n| where amp_verdict =~ 'MALICIOUS'\n| extend AccountCustomEntity = DstUserName\n",
        "queryFrequency": "PT10M",
        "queryPeriod": "PT10M",
        "severity": "High",
        "status": "Available",
        "subTechniques": [],
        "suppressionDuration": "PT1H",
        "suppressionEnabled": false,
        "tactics": [
          "InitialAccess"
        ],
        "techniques": [
          "T1566"
        ],
        "templateVersion": "1.0.2",
        "triggerOperator": "GreaterThan",
        "triggerThreshold": 0
      },
      "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules"
    }
  ]
}