Cisco SE High Events Last Hour

Back


Id	4683ebce-07ad-4089-89e3-39d8fe83c011
Rulename	Cisco SE High Events Last Hour
Description	Find events from Cisco Secure Endpoint that are of High severity in the last hour.
Severity	High
Tactics	Execution InitialAccess
Techniques	T1204.002 T1190
Required data connectors	CiscoSecureEndpoint
Kind	Scheduled
Query frequency	1h
Query period	1h
Trigger threshold	0
Trigger operator	gt
Source Uri	https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Cisco Secure Endpoint/Analytic Rules/CiscoEndpointHighAlert.yaml
Version	1.0.1
Arm template	4683ebce-07ad-4089-89e3-39d8fe83c011.json

KQL

let endtime = 1h;
CiscoSecureEndpoint_CL
| where TimeGenerated >= ago(endtime)
| where severity_s == "High"
| project NetworkAddresses = parse_json(computer_network_addresses_s), computer_hostname_s, date_t, event_type_s, computer_links_trajectory_s
| summarize CountInLastHour = count() by computer_hostname_s, date_t, event_type_s, tostring(NetworkAddresses.ip), computer_links_trajectory_s

YAML

status: Available
queryPeriod: 1h
version: 1.0.1
queryFrequency: 1h
tactics:
- Execution
- InitialAccess
name: Cisco SE High Events Last Hour
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Cisco Secure Endpoint/Analytic Rules/CiscoEndpointHighAlert.yaml
id: 4683ebce-07ad-4089-89e3-39d8fe83c011
query: |
  let endtime = 1h;
  CiscoSecureEndpoint_CL
  | where TimeGenerated >= ago(endtime)
  | where severity_s == "High"
  | project NetworkAddresses = parse_json(computer_network_addresses_s), computer_hostname_s, date_t, event_type_s, computer_links_trajectory_s
  | summarize CountInLastHour = count() by computer_hostname_s, date_t, event_type_s, tostring(NetworkAddresses.ip), computer_links_trajectory_s  
kind: Scheduled
severity: High
triggerOperator: gt
triggerThreshold: 0
requiredDataConnectors:
- dataTypes:
  - CiscoSecureEndpoint_CL
  connectorId: CiscoSecureEndpoint
entityMappings:
- fieldMappings:
  - identifier: Address
    columnName: NetworkAddresses_ip
  entityType: IP
- fieldMappings:
  - identifier: HostName
    columnName: computer_hostname_s
  entityType: Host
- fieldMappings:
  - identifier: Url
    columnName: computer_links_trajectory_s
  entityType: URL
relevantTechniques:
- T1204.002
- T1190
description: |
    'Find events from Cisco Secure Endpoint that are of High severity in the last hour.'

ARM

{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "workspace": {
      "type": "String"
    }
  },
  "resources": [
    {
      "apiVersion": "2024-01-01-preview",
      "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/4683ebce-07ad-4089-89e3-39d8fe83c011')]",
      "kind": "Scheduled",
      "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/4683ebce-07ad-4089-89e3-39d8fe83c011')]",
      "properties": {
        "alertRuleTemplateName": "4683ebce-07ad-4089-89e3-39d8fe83c011",
        "customDetails": null,
        "description": "'Find events from Cisco Secure Endpoint that are of High severity in the last hour.'\n",
        "displayName": "Cisco SE High Events Last Hour",
        "enabled": true,
        "entityMappings": [
          {
            "entityType": "IP",
            "fieldMappings": [
              {
                "columnName": "NetworkAddresses_ip",
                "identifier": "Address"
              }
            ]
          },
          {
            "entityType": "Host",
            "fieldMappings": [
              {
                "columnName": "computer_hostname_s",
                "identifier": "HostName"
              }
            ]
          },
          {
            "entityType": "URL",
            "fieldMappings": [
              {
                "columnName": "computer_links_trajectory_s",
                "identifier": "Url"
              }
            ]
          }
        ],
        "OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Cisco Secure Endpoint/Analytic Rules/CiscoEndpointHighAlert.yaml",
        "query": "let endtime = 1h;\nCiscoSecureEndpoint_CL\n| where TimeGenerated >= ago(endtime)\n| where severity_s == \"High\"\n| project NetworkAddresses = parse_json(computer_network_addresses_s), computer_hostname_s, date_t, event_type_s, computer_links_trajectory_s\n| summarize CountInLastHour = count() by computer_hostname_s, date_t, event_type_s, tostring(NetworkAddresses.ip), computer_links_trajectory_s\n",
        "queryFrequency": "PT1H",
        "queryPeriod": "PT1H",
        "severity": "High",
        "status": "Available",
        "subTechniques": [
          "T1204.002"
        ],
        "suppressionDuration": "PT1H",
        "suppressionEnabled": false,
        "tactics": [
          "Execution",
          "InitialAccess"
        ],
        "techniques": [
          "T1190",
          "T1204"
        ],
        "templateVersion": "1.0.1",
        "triggerOperator": "GreaterThan",
        "triggerThreshold": 0
      },
      "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules"
    }
  ]
}