Trend Micro CAS - Infected user

Back


Id	3649dfb8-a5ca-47dd-8965-cd2f633ca533
Rulename	Trend Micro CAS - Infected user
Description	Detects when malware was detected for user account.
Severity	High
Tactics	InitialAccess
Techniques	T1566
Required data connectors	TrendMicroCAS
Kind	Scheduled
Query frequency	10m
Query period	10m
Trigger threshold	0
Trigger operator	gt
Source Uri	https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Trend Micro Cloud App Security/Analytic Rules/TrendMicroCASVAInfectedUser.yaml
Version	1.0.1
Arm template	3649dfb8-a5ca-47dd-8965-cd2f633ca533.json

KQL

TrendMicroCAS
| where EventType has_all ('virtual', 'analyzer')
| where isnotempty(VirusName)
| extend AccountCustomEntity = DstUserName, MalwareCustomEntity = VirusName

YAML

relevantTechniques:
- T1566
name: Trend Micro CAS - Infected user
requiredDataConnectors:
- dataTypes:
  - TrendMicroCAS
  connectorId: TrendMicroCAS
entityMappings:
- fieldMappings:
  - identifier: Name
    columnName: AccountCustomEntity
  entityType: Account
- fieldMappings:
  - identifier: Name
    columnName: MalwareCustomEntity
  entityType: Malware
triggerThreshold: 0
id: 3649dfb8-a5ca-47dd-8965-cd2f633ca533
tactics:
- InitialAccess
version: 1.0.1
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Trend Micro Cloud App Security/Analytic Rules/TrendMicroCASVAInfectedUser.yaml
queryPeriod: 10m
kind: Scheduled
queryFrequency: 10m
severity: High
status: Available
description: |
    'Detects when malware was detected for user account.'
query: |
  TrendMicroCAS
  | where EventType has_all ('virtual', 'analyzer')
  | where isnotempty(VirusName)
  | extend AccountCustomEntity = DstUserName, MalwareCustomEntity = VirusName  
triggerOperator: gt

ARM

{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "workspace": {
      "type": "String"
    }
  },
  "resources": [
    {
      "apiVersion": "2024-01-01-preview",
      "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/3649dfb8-a5ca-47dd-8965-cd2f633ca533')]",
      "kind": "Scheduled",
      "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/3649dfb8-a5ca-47dd-8965-cd2f633ca533')]",
      "properties": {
        "alertRuleTemplateName": "3649dfb8-a5ca-47dd-8965-cd2f633ca533",
        "customDetails": null,
        "description": "'Detects when malware was detected for user account.'\n",
        "displayName": "Trend Micro CAS - Infected user",
        "enabled": true,
        "entityMappings": [
          {
            "entityType": "Account",
            "fieldMappings": [
              {
                "columnName": "AccountCustomEntity",
                "identifier": "Name"
              }
            ]
          },
          {
            "entityType": "Malware",
            "fieldMappings": [
              {
                "columnName": "MalwareCustomEntity",
                "identifier": "Name"
              }
            ]
          }
        ],
        "OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Trend Micro Cloud App Security/Analytic Rules/TrendMicroCASVAInfectedUser.yaml",
        "query": "TrendMicroCAS\n| where EventType has_all ('virtual', 'analyzer')\n| where isnotempty(VirusName)\n| extend AccountCustomEntity = DstUserName, MalwareCustomEntity = VirusName\n",
        "queryFrequency": "PT10M",
        "queryPeriod": "PT10M",
        "severity": "High",
        "status": "Available",
        "subTechniques": [],
        "suppressionDuration": "PT1H",
        "suppressionEnabled": false,
        "tactics": [
          "InitialAccess"
        ],
        "techniques": [
          "T1566"
        ],
        "templateVersion": "1.0.1",
        "triggerOperator": "GreaterThan",
        "triggerThreshold": 0
      },
      "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules"
    }
  ]
}