Microsoft Sentinel Analytic Rules

SonicWall - Capture ATP Malicious File Detection

Id: 3db9f99e-a459-41e0-8e02-8b332f5fcb2c
Rulename: SonicWall - Capture ATP Malicious File Detection
Description: This rule identifies malicious file verdicts from the SonicWall Capture ATP service. This analytic rule leverages the SonicWall Firewall ASIM Network Session parser (ASimNetworkSessionSonicWallFirewall).

Ref: https://www.sonicwall.com/products/capture-advanced-threat-protection/

Ref: https://www.sonicwall.com/support/knowledge-base/how-to-view-threat-reports-capture-atp/170505384715913/
Severity: Medium
Tactics: Execution
Techniques: T1204
Required data connectors: CefAma
Kind: Scheduled
Query frequency: 5m
Query period: 5m
Trigger threshold: 0
Trigger operator: gt
Source Uri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/SonicWall Firewall/Analytic Rules/CaptureATPMaliciousFileDetection.yaml
Version: 1.0.2
Arm template: 3db9f99e-a459-41e0-8e02-8b332f5fcb2c.json
CommonSecurityLog
| where DeviceEventClassID == 1631
| extend CaptureATPVerdict = extract(@'Gateway Anti-Virus Status: (.*)\. ', 1, Message)
| where CaptureATPVerdict == "BAD"
| parse-kv AdditionalExtensions as (['susr']:string, ['fileid']:string) with (pair_delimiter=";", kv_delimiter="=")
| extend
    NetworkProtocol = toupper(iff(Protocol contains "-" and Protocol !contains "/", toupper(trim_start(@".*-", Protocol)), toupper(trim_end(@"/.*", Protocol)))),
    NetworkApplicationProtocol = tostring(toupper(trim_start(@".*/", Protocol)))
| project
    TimeGenerated,
    DeviceModel = DeviceProduct,
    SerialNumber = Computer,
    SrcIpAddr = SourceIP,
    SrcUsername = coalesce(susr, SourceUserName),
    NetworkProtocol,
    NetworkApplicationProtocol,
    RequestURL,
    File = url_decode(tostring(split(RequestURL, '/')[-1])),
    Hash = fileid,
    Verdict = CaptureATPVerdict
status: Experimental
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/SonicWall Firewall/Analytic Rules/CaptureATPMaliciousFileDetection.yaml
query: |
  CommonSecurityLog
  | where DeviceEventClassID == 1631
  | extend CaptureATPVerdict = extract(@'Gateway Anti-Virus Status: (.*)\. ', 1, Message)
  | where CaptureATPVerdict == "BAD"
  | parse-kv AdditionalExtensions as (['susr']:string, ['fileid']:string) with (pair_delimiter=";", kv_delimiter="=")
  | extend
      NetworkProtocol = toupper(iff(Protocol contains "-" and Protocol !contains "/", toupper(trim_start(@".*-", Protocol)), toupper(trim_end(@"/.*", Protocol)))),
      NetworkApplicationProtocol = tostring(toupper(trim_start(@".*/", Protocol)))
  | project
      TimeGenerated,
      DeviceModel = DeviceProduct,
      SerialNumber = Computer,
      SrcIpAddr = SourceIP,
      SrcUsername = coalesce(susr, SourceUserName),
      NetworkProtocol,
      NetworkApplicationProtocol,
      RequestURL,
      File = url_decode(tostring(split(RequestURL, '/')[-1])),
      Hash = fileid,
      Verdict = CaptureATPVerdict
requiredDataConnectors:
- dataTypes:
  - CommonSecurityLog
  connectorId: CefAma
tactics:
- Execution
name: SonicWall - Capture ATP Malicious File Detection
relevantTechniques:
- T1204
severity: Medium
entityMappings:
- fieldMappings:
  - identifier: Name
    columnName: File
  entityType: File
- fieldMappings:
  - identifier: Url
    columnName: RequestURL
  entityType: Url
- fieldMappings:
  - identifier: FullName
    columnName: SrcUsername
  entityType: Account
- fieldMappings:
  - identifier: Address
    columnName: SrcIpAddr
  entityType: IP
kind: Scheduled
queryFrequency: 5m
description: |
  'This rule identifies malicious file verdicts from the SonicWall Capture ATP service. This analytic rule leverages the SonicWall Firewall ASIM Network Session parser (ASimNetworkSessionSonicWallFirewall).
    Ref: https://www.sonicwall.com/products/capture-advanced-threat-protection/
    Ref: https://www.sonicwall.com/support/knowledge-base/how-to-view-threat-reports-capture-atp/170505384715913/'
triggerThreshold: 0
triggerOperator: gt
version: 1.0.2
queryPeriod: 5m
id: 3db9f99e-a459-41e0-8e02-8b332f5fcb2c