Syslog
| where SyslogMessage contains "found an infected file"
| extend
EdgeFiler = extract("Edge filer (\\w+)", 1, SyslogMessage),
DetectionTime = extract("found an infected file at ([^ ]+)", 1, SyslogMessage),
Portal = extract("from portal: (\\w+)", 1, SyslogMessage),
FilePath = extract("The file path is: ([^\\.]+)", 1, SyslogMessage),
Virus = extract("The virus is: ([^\\.]+)", 1, SyslogMessage)
| project TimeGenerated, EdgeFiler, DetectionTime, Portal, FilePath, Virus
tactics:
- Impact
requiredDataConnectors:
- connectorId: CTERA
dataTypes:
- Syslog
relevantTechniques:
- T1203
suppressionDuration: PT5H
id: 4f767afa-d666-4ed4-b453-a4f5ad35181b
incidentConfiguration:
groupingConfiguration:
matchingMethod: AllEntities
lookbackDuration: PT5H
enabled: false
reopenClosedIncident: false
createIncident: true
name: Antivirus Detected an Infected File
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/CTERA/Analytic Rules/InfectedFileDetected.yaml
description: Monitors CTERA platform to detect files infected with viruses identified by the antivirus engine on Edge Filers.
customDetails:
Portal: Portal
FilePath: FilePath
Virus: Virus
EdgeFiler: EdgeFiler
suppressionEnabled: false
version: 1.0.0
query: |
Syslog
| where SyslogMessage contains "found an infected file"
| extend
EdgeFiler = extract("Edge filer (\\w+)", 1, SyslogMessage),
DetectionTime = extract("found an infected file at ([^ ]+)", 1, SyslogMessage),
Portal = extract("from portal: (\\w+)", 1, SyslogMessage),
FilePath = extract("The file path is: ([^\\.]+)", 1, SyslogMessage),
Virus = extract("The virus is: ([^\\.]+)", 1, SyslogMessage)
| project TimeGenerated, EdgeFiler, DetectionTime, Portal, FilePath, Virus
alertDetailsOverride:
alertDescriptionFormat: Antivirus detected an infected file on {{EdgeFiler}} at {{DetectionTime}}.
alertnameFormat: Antivirus Detected an Infected File
entityMappings:
- fieldMappings:
- identifier: HostName
columnName: EdgeFiler
entityType: Host
severity: High
status: Available
eventGroupingSettings:
aggregationKind: SingleAlert
kind: NRT
