Antivirus Detected an Infected File

Back


Id	4f767afa-d666-4ed4-b453-a4f5ad35181b
Rulename	Antivirus Detected an Infected File
Description	Monitors CTERA platform to detect files infected with viruses identified by the antivirus engine on Edge Filers.
Severity	High
Tactics	Impact
Techniques	T1203
Required data connectors	CTERA
Kind	NRT
Source Uri	https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/CTERA/Analytic Rules/InfectedFileDetected.yaml
Version	1.0.0
Arm template	4f767afa-d666-4ed4-b453-a4f5ad35181b.json

KQL

Syslog
| where SyslogMessage contains "found an infected file"
| extend 
    EdgeFiler = extract("Edge filer (\\w+)", 1, SyslogMessage),
    DetectionTime = extract("found an infected file at ([^ ]+)", 1, SyslogMessage),
    Portal = extract("from portal: (\\w+)", 1, SyslogMessage),
    FilePath = extract("The file path is: ([^\\.]+)", 1, SyslogMessage),
    Virus = extract("The virus is: ([^\\.]+)", 1, SyslogMessage)
| project TimeGenerated, EdgeFiler, DetectionTime, Portal, FilePath, Virus

YAML

id: 4f767afa-d666-4ed4-b453-a4f5ad35181b
requiredDataConnectors:
- connectorId: CTERA
  dataTypes:
  - Syslog
version: 1.0.0
relevantTechniques:
- T1203
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/CTERA/Analytic Rules/InfectedFileDetected.yaml
suppressionEnabled: false
description: Monitors CTERA platform to detect files infected with viruses identified by the antivirus engine on Edge Filers.
incidentConfiguration:
  createIncident: true
  groupingConfiguration:
    matchingMethod: AllEntities
    enabled: false
    lookbackDuration: PT5H
    reopenClosedIncident: false
eventGroupingSettings:
  aggregationKind: SingleAlert
severity: High
customDetails:
  FilePath: FilePath
  Portal: Portal
  EdgeFiler: EdgeFiler
  Virus: Virus
name: Antivirus Detected an Infected File
tactics:
- Impact
entityMappings:
- entityType: Host
  fieldMappings:
  - columnName: EdgeFiler
    identifier: HostName
status: Available
kind: NRT
suppressionDuration: PT5H
alertDetailsOverride:
  alertDescriptionFormat: Antivirus detected an infected file on {{EdgeFiler}} at {{DetectionTime}}.
  alertnameFormat: Antivirus Detected an Infected File
query: |
  Syslog
  | where SyslogMessage contains "found an infected file"
  | extend 
      EdgeFiler = extract("Edge filer (\\w+)", 1, SyslogMessage),
      DetectionTime = extract("found an infected file at ([^ ]+)", 1, SyslogMessage),
      Portal = extract("from portal: (\\w+)", 1, SyslogMessage),
      FilePath = extract("The file path is: ([^\\.]+)", 1, SyslogMessage),
      Virus = extract("The virus is: ([^\\.]+)", 1, SyslogMessage)
  | project TimeGenerated, EdgeFiler, DetectionTime, Portal, FilePath, Virus

ARM