Microsoft Sentinel Analytic Rules
cloudbrothers.infoAzure Sentinel RepoToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeBack to homepage
  1. Microsoft Sentinel Analytics Rules
  2. /
  3. Analytic Rules
  4. /
  5. Antivirus Detected an Infected File

Antivirus Detected an Infected File

Back
Id4f767afa-d666-4ed4-b453-a4f5ad35181b
RulenameAntivirus Detected an Infected File
DescriptionMonitors CTERA platform to detect files infected with viruses identified by the antivirus engine on Edge Filers.
SeverityHigh
TacticsImpact
TechniquesT1203
Required data connectorsCTERA
KindNRT
Source Urihttps://github.com/Azure/Azure-Sentinel/blob/master/Solutions/CTERA/Analytic Rules/InfectedFileDetected.yaml
Version1.0.0
Arm template4f767afa-d666-4ed4-b453-a4f5ad35181b.json
Deploy To Azure
Syslog
| where SyslogMessage contains "found an infected file"
| extend 
    EdgeFiler = extract("Edge filer (\\w+)", 1, SyslogMessage),
    DetectionTime = extract("found an infected file at ([^ ]+)", 1, SyslogMessage),
    Portal = extract("from portal: (\\w+)", 1, SyslogMessage),
    FilePath = extract("The file path is: ([^\\.]+)", 1, SyslogMessage),
    Virus = extract("The virus is: ([^\\.]+)", 1, SyslogMessage)
| project TimeGenerated, EdgeFiler, DetectionTime, Portal, FilePath, Virus

kind: NRT
id: 4f767afa-d666-4ed4-b453-a4f5ad35181b
entityMappings:
- fieldMappings:
  - identifier: HostName
    columnName: EdgeFiler
  entityType: Host
name: Antivirus Detected an Infected File
severity: High
tactics:
- Impact
query: |
  Syslog
  | where SyslogMessage contains "found an infected file"
  | extend 
      EdgeFiler = extract("Edge filer (\\w+)", 1, SyslogMessage),
      DetectionTime = extract("found an infected file at ([^ ]+)", 1, SyslogMessage),
      Portal = extract("from portal: (\\w+)", 1, SyslogMessage),
      FilePath = extract("The file path is: ([^\\.]+)", 1, SyslogMessage),
      Virus = extract("The virus is: ([^\\.]+)", 1, SyslogMessage)
  | project TimeGenerated, EdgeFiler, DetectionTime, Portal, FilePath, Virus  
version: 1.0.0
status: Available
description: Monitors CTERA platform to detect files infected with viruses identified by the antivirus engine on Edge Filers.
customDetails:
  FilePath: FilePath
  Portal: Portal
  EdgeFiler: EdgeFiler
  Virus: Virus
eventGroupingSettings:
  aggregationKind: SingleAlert
suppressionEnabled: false
relevantTechniques:
- T1203
incidentConfiguration:
  createIncident: true
  groupingConfiguration:
    matchingMethod: AllEntities
    enabled: false
    lookbackDuration: PT5H
    reopenClosedIncident: false
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/CTERA/Analytic Rules/InfectedFileDetected.yaml
suppressionDuration: PT5H
requiredDataConnectors:
- connectorId: CTERA
  dataTypes:
  - Syslog
alertDetailsOverride:
  alertnameFormat: Antivirus Detected an Infected File
  alertDescriptionFormat: Antivirus detected an infected file on {{EdgeFiler}} at {{DetectionTime}}.

{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "workspace": {
      "type": "String"
    }
  },
  "resources": [
    {
      "apiVersion": "2024-01-01-preview",
      "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/4f767afa-d666-4ed4-b453-a4f5ad35181b')]",
      "kind": "NRT",
      "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/4f767afa-d666-4ed4-b453-a4f5ad35181b')]",
      "properties": {
        "alertDetailsOverride": {
          "alertDescriptionFormat": "Antivirus detected an infected file on {{EdgeFiler}} at {{DetectionTime}}.",
          "alertnameFormat": "Antivirus Detected an Infected File"
        },
        "alertRuleTemplateName": "4f767afa-d666-4ed4-b453-a4f5ad35181b",
        "customDetails": {
          "EdgeFiler": "EdgeFiler",
          "FilePath": "FilePath",
          "Portal": "Portal",
          "Virus": "Virus"
        },
        "description": "Monitors CTERA platform to detect files infected with viruses identified by the antivirus engine on Edge Filers.",
        "displayName": "Antivirus Detected an Infected File",
        "enabled": true,
        "entityMappings": [
          {
            "entityType": "Host",
            "fieldMappings": [
              {
                "columnName": "EdgeFiler",
                "identifier": "HostName"
              }
            ]
          }
        ],
        "eventGroupingSettings": {
          "aggregationKind": "SingleAlert"
        },
        "incidentConfiguration": {
          "createIncident": true,
          "groupingConfiguration": {
            "enabled": false,
            "lookbackDuration": "PT5H",
            "matchingMethod": "AllEntities",
            "reopenClosedIncident": false
          }
        },
        "OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/CTERA/Analytic Rules/InfectedFileDetected.yaml",
        "query": "Syslog\n| where SyslogMessage contains \"found an infected file\"\n| extend \n    EdgeFiler = extract(\"Edge filer (\\\\w+)\", 1, SyslogMessage),\n    DetectionTime = extract(\"found an infected file at ([^ ]+)\", 1, SyslogMessage),\n    Portal = extract(\"from portal: (\\\\w+)\", 1, SyslogMessage),\n    FilePath = extract(\"The file path is: ([^\\\\.]+)\", 1, SyslogMessage),\n    Virus = extract(\"The virus is: ([^\\\\.]+)\", 1, SyslogMessage)\n| project TimeGenerated, EdgeFiler, DetectionTime, Portal, FilePath, Virus\n",
        "severity": "High",
        "status": "Available",
        "subTechniques": [],
        "suppressionDuration": "PT5H",
        "suppressionEnabled": false,
        "tactics": [
          "Impact"
        ],
        "techniques": [
          "T1203"
        ],
        "templateVersion": "1.0.0"
      },
      "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules"
    }
  ]
}