Antivirus Detected an Infected File

Back


Id	4f767afa-d666-4ed4-b453-a4f5ad35181b
Rulename	Antivirus Detected an Infected File
Description	Monitors CTERA platform to detect files infected with viruses identified by the antivirus engine on Edge Filers.
Severity	High
Tactics	Impact
Techniques	T1203
Required data connectors	CTERA
Kind	NRT
Source Uri	https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/CTERA/Analytic Rules/InfectedFileDetected.yaml
Version	1.0.0
Arm template	4f767afa-d666-4ed4-b453-a4f5ad35181b.json

KQL

Syslog
| where SyslogMessage contains "found an infected file"
| extend 
    EdgeFiler = extract("Edge filer (\\w+)", 1, SyslogMessage),
    DetectionTime = extract("found an infected file at ([^ ]+)", 1, SyslogMessage),
    Portal = extract("from portal: (\\w+)", 1, SyslogMessage),
    FilePath = extract("The file path is: ([^\\.]+)", 1, SyslogMessage),
    Virus = extract("The virus is: ([^\\.]+)", 1, SyslogMessage)
| project TimeGenerated, EdgeFiler, DetectionTime, Portal, FilePath, Virus

YAML

suppressionEnabled: false
description: Monitors CTERA platform to detect files infected with viruses identified by the antivirus engine on Edge Filers.
kind: NRT
tactics:
- Impact
requiredDataConnectors:
- connectorId: CTERA
  dataTypes:
  - Syslog
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/CTERA/Analytic Rules/InfectedFileDetected.yaml
severity: High
name: Antivirus Detected an Infected File
suppressionDuration: PT5H
customDetails:
  Portal: Portal
  EdgeFiler: EdgeFiler
  Virus: Virus
  FilePath: FilePath
alertDetailsOverride:
  alertnameFormat: Antivirus Detected an Infected File
  alertDescriptionFormat: Antivirus detected an infected file on {{EdgeFiler}} at {{DetectionTime}}.
query: |
  Syslog
  | where SyslogMessage contains "found an infected file"
  | extend 
      EdgeFiler = extract("Edge filer (\\w+)", 1, SyslogMessage),
      DetectionTime = extract("found an infected file at ([^ ]+)", 1, SyslogMessage),
      Portal = extract("from portal: (\\w+)", 1, SyslogMessage),
      FilePath = extract("The file path is: ([^\\.]+)", 1, SyslogMessage),
      Virus = extract("The virus is: ([^\\.]+)", 1, SyslogMessage)
  | project TimeGenerated, EdgeFiler, DetectionTime, Portal, FilePath, Virus  
relevantTechniques:
- T1203
id: 4f767afa-d666-4ed4-b453-a4f5ad35181b
status: Available
version: 1.0.0
incidentConfiguration:
  groupingConfiguration:
    reopenClosedIncident: false
    lookbackDuration: PT5H
    enabled: false
    matchingMethod: AllEntities
  createIncident: true
eventGroupingSettings:
  aggregationKind: SingleAlert
entityMappings:
- entityType: Host
  fieldMappings:
  - columnName: EdgeFiler
    identifier: HostName

ARM