Cisco SE High Events Last Hour

Back


Id	4683ebce-07ad-4089-89e3-39d8fe83c011
Rulename	Cisco SE High Events Last Hour
Description	Find events from Cisco Secure Endpoint that are of High severity in the last hour.
Severity	High
Tactics	Execution InitialAccess
Techniques	T1204.002 T1190
Required data connectors	CiscoSecureEndpoint
Kind	Scheduled
Query frequency	1h
Query period	1h
Trigger threshold	0
Trigger operator	gt
Source Uri	https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Cisco Secure Endpoint/Analytic Rules/CiscoEndpointHighAlert.yaml
Version	1.0.1
Arm template	4683ebce-07ad-4089-89e3-39d8fe83c011.json

KQL

let endtime = 1h;
CiscoSecureEndpoint_CL
| where TimeGenerated >= ago(endtime)
| where severity_s == "High"
| project NetworkAddresses = parse_json(computer_network_addresses_s), computer_hostname_s, date_t, event_type_s, computer_links_trajectory_s
| summarize CountInLastHour = count() by computer_hostname_s, date_t, event_type_s, tostring(NetworkAddresses.ip), computer_links_trajectory_s

YAML

entityMappings:
- entityType: IP
  fieldMappings:
  - columnName: NetworkAddresses_ip
    identifier: Address
- entityType: Host
  fieldMappings:
  - columnName: computer_hostname_s
    identifier: HostName
- entityType: URL
  fieldMappings:
  - columnName: computer_links_trajectory_s
    identifier: Url
tactics:
- Execution
- InitialAccess
triggerOperator: gt
description: |
    'Find events from Cisco Secure Endpoint that are of High severity in the last hour.'
requiredDataConnectors:
- connectorId: CiscoSecureEndpoint
  dataTypes:
  - CiscoSecureEndpoint_CL
relevantTechniques:
- T1204.002
- T1190
version: 1.0.1
id: 4683ebce-07ad-4089-89e3-39d8fe83c011
kind: Scheduled
query: |
  let endtime = 1h;
  CiscoSecureEndpoint_CL
  | where TimeGenerated >= ago(endtime)
  | where severity_s == "High"
  | project NetworkAddresses = parse_json(computer_network_addresses_s), computer_hostname_s, date_t, event_type_s, computer_links_trajectory_s
  | summarize CountInLastHour = count() by computer_hostname_s, date_t, event_type_s, tostring(NetworkAddresses.ip), computer_links_trajectory_s  
status: Available
triggerThreshold: 0
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Cisco Secure Endpoint/Analytic Rules/CiscoEndpointHighAlert.yaml
queryFrequency: 1h
severity: High
name: Cisco SE High Events Last Hour
queryPeriod: 1h

ARM

{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "workspace": {
      "type": "String"
    }
  },
  "resources": [
    {
      "apiVersion": "2024-01-01-preview",
      "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/4683ebce-07ad-4089-89e3-39d8fe83c011')]",
      "kind": "Scheduled",
      "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/4683ebce-07ad-4089-89e3-39d8fe83c011')]",
      "properties": {
        "alertRuleTemplateName": "4683ebce-07ad-4089-89e3-39d8fe83c011",
        "customDetails": null,
        "description": "'Find events from Cisco Secure Endpoint that are of High severity in the last hour.'\n",
        "displayName": "Cisco SE High Events Last Hour",
        "enabled": true,
        "entityMappings": [
          {
            "entityType": "IP",
            "fieldMappings": [
              {
                "columnName": "NetworkAddresses_ip",
                "identifier": "Address"
              }
            ]
          },
          {
            "entityType": "Host",
            "fieldMappings": [
              {
                "columnName": "computer_hostname_s",
                "identifier": "HostName"
              }
            ]
          },
          {
            "entityType": "URL",
            "fieldMappings": [
              {
                "columnName": "computer_links_trajectory_s",
                "identifier": "Url"
              }
            ]
          }
        ],
        "OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Cisco Secure Endpoint/Analytic Rules/CiscoEndpointHighAlert.yaml",
        "query": "let endtime = 1h;\nCiscoSecureEndpoint_CL\n| where TimeGenerated >= ago(endtime)\n| where severity_s == \"High\"\n| project NetworkAddresses = parse_json(computer_network_addresses_s), computer_hostname_s, date_t, event_type_s, computer_links_trajectory_s\n| summarize CountInLastHour = count() by computer_hostname_s, date_t, event_type_s, tostring(NetworkAddresses.ip), computer_links_trajectory_s\n",
        "queryFrequency": "PT1H",
        "queryPeriod": "PT1H",
        "severity": "High",
        "status": "Available",
        "subTechniques": [
          "T1204.002"
        ],
        "suppressionDuration": "PT1H",
        "suppressionEnabled": false,
        "tactics": [
          "Execution",
          "InitialAccess"
        ],
        "techniques": [
          "T1190",
          "T1204"
        ],
        "templateVersion": "1.0.1",
        "triggerOperator": "GreaterThan",
        "triggerThreshold": 0
      },
      "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules"
    }
  ]
}