Cisco SE High Events Last Hour

Back


Id	4683ebce-07ad-4089-89e3-39d8fe83c011
Rulename	Cisco SE High Events Last Hour
Description	Find events from Cisco Secure Endpoint that are of High severity in the last hour.
Severity	High
Tactics	Execution InitialAccess
Techniques	T1204.002 T1190
Required data connectors	CiscoSecureEndpoint
Kind	Scheduled
Query frequency	1h
Query period	1h
Trigger threshold	0
Trigger operator	gt
Source Uri	https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Cisco Secure Endpoint/Analytic Rules/CiscoEndpointHighAlert.yaml
Version	1.0.1
Arm template	4683ebce-07ad-4089-89e3-39d8fe83c011.json

KQL

let endtime = 1h;
CiscoSecureEndpoint_CL
| where TimeGenerated >= ago(endtime)
| where severity_s == "High"
| project NetworkAddresses = parse_json(computer_network_addresses_s), computer_hostname_s, date_t, event_type_s, computer_links_trajectory_s
| summarize CountInLastHour = count() by computer_hostname_s, date_t, event_type_s, tostring(NetworkAddresses.ip), computer_links_trajectory_s

YAML

queryPeriod: 1h
triggerThreshold: 0
status: Available
id: 4683ebce-07ad-4089-89e3-39d8fe83c011
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Cisco Secure Endpoint/Analytic Rules/CiscoEndpointHighAlert.yaml
severity: High
entityMappings:
- entityType: IP
  fieldMappings:
  - columnName: NetworkAddresses_ip
    identifier: Address
- entityType: Host
  fieldMappings:
  - columnName: computer_hostname_s
    identifier: HostName
- entityType: URL
  fieldMappings:
  - columnName: computer_links_trajectory_s
    identifier: Url
relevantTechniques:
- T1204.002
- T1190
requiredDataConnectors:
- connectorId: CiscoSecureEndpoint
  dataTypes:
  - CiscoSecureEndpoint_CL
name: Cisco SE High Events Last Hour
query: |
  let endtime = 1h;
  CiscoSecureEndpoint_CL
  | where TimeGenerated >= ago(endtime)
  | where severity_s == "High"
  | project NetworkAddresses = parse_json(computer_network_addresses_s), computer_hostname_s, date_t, event_type_s, computer_links_trajectory_s
  | summarize CountInLastHour = count() by computer_hostname_s, date_t, event_type_s, tostring(NetworkAddresses.ip), computer_links_trajectory_s  
tactics:
- Execution
- InitialAccess
queryFrequency: 1h
triggerOperator: gt
kind: Scheduled
version: 1.0.1
description: |
    'Find events from Cisco Secure Endpoint that are of High severity in the last hour.'

ARM

{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "workspace": {
      "type": "String"
    }
  },
  "resources": [
    {
      "apiVersion": "2024-01-01-preview",
      "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/4683ebce-07ad-4089-89e3-39d8fe83c011')]",
      "kind": "Scheduled",
      "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/4683ebce-07ad-4089-89e3-39d8fe83c011')]",
      "properties": {
        "alertRuleTemplateName": "4683ebce-07ad-4089-89e3-39d8fe83c011",
        "customDetails": null,
        "description": "'Find events from Cisco Secure Endpoint that are of High severity in the last hour.'\n",
        "displayName": "Cisco SE High Events Last Hour",
        "enabled": true,
        "entityMappings": [
          {
            "entityType": "IP",
            "fieldMappings": [
              {
                "columnName": "NetworkAddresses_ip",
                "identifier": "Address"
              }
            ]
          },
          {
            "entityType": "Host",
            "fieldMappings": [
              {
                "columnName": "computer_hostname_s",
                "identifier": "HostName"
              }
            ]
          },
          {
            "entityType": "URL",
            "fieldMappings": [
              {
                "columnName": "computer_links_trajectory_s",
                "identifier": "Url"
              }
            ]
          }
        ],
        "OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Cisco Secure Endpoint/Analytic Rules/CiscoEndpointHighAlert.yaml",
        "query": "let endtime = 1h;\nCiscoSecureEndpoint_CL\n| where TimeGenerated >= ago(endtime)\n| where severity_s == \"High\"\n| project NetworkAddresses = parse_json(computer_network_addresses_s), computer_hostname_s, date_t, event_type_s, computer_links_trajectory_s\n| summarize CountInLastHour = count() by computer_hostname_s, date_t, event_type_s, tostring(NetworkAddresses.ip), computer_links_trajectory_s\n",
        "queryFrequency": "PT1H",
        "queryPeriod": "PT1H",
        "severity": "High",
        "status": "Available",
        "subTechniques": [
          "T1204.002"
        ],
        "suppressionDuration": "PT1H",
        "suppressionEnabled": false,
        "tactics": [
          "Execution",
          "InitialAccess"
        ],
        "techniques": [
          "T1190",
          "T1204"
        ],
        "templateVersion": "1.0.1",
        "triggerOperator": "GreaterThan",
        "triggerThreshold": 0
      },
      "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules"
    }
  ]
}