Trend Micro CAS - Multiple infected users

Back


Id	65c2a6fe-ff7b-46b0-9278-61265f77f3bc
Rulename	Trend Micro CAS - Multiple infected users
Description	Detects when same malware was detected for multiple user account.
Severity	High
Tactics	InitialAccess
Techniques	T1566
Required data connectors	TrendMicroCAS
Kind	Scheduled
Query frequency	1h
Query period	1h
Trigger threshold	0
Trigger operator	gt
Source Uri	https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Trend Micro Cloud App Security/Analytic Rules/TrendMicroCASVAOutbreak.yaml
Version	1.0.1
Arm template	65c2a6fe-ff7b-46b0-9278-61265f77f3bc.json

KQL

TrendMicroCAS
| where EventType has_all ('virtual', 'analyzer')
| where isnotempty(VirusName)
| summarize count() by DstUserName, VirusName, bin(TimeGenerated, 15m)
| where count_ >= 2
| extend AccountCustomEntity = DstUserName, MalwareCustomEntity = VirusName

YAML

name: Trend Micro CAS - Multiple infected users
query: |
  TrendMicroCAS
  | where EventType has_all ('virtual', 'analyzer')
  | where isnotempty(VirusName)
  | summarize count() by DstUserName, VirusName, bin(TimeGenerated, 15m)
  | where count_ >= 2
  | extend AccountCustomEntity = DstUserName, MalwareCustomEntity = VirusName  
queryFrequency: 1h
triggerOperator: gt
requiredDataConnectors:
- dataTypes:
  - TrendMicroCAS
  connectorId: TrendMicroCAS
status: Available
entityMappings:
- entityType: Account
  fieldMappings:
  - identifier: Name
    columnName: AccountCustomEntity
- entityType: Malware
  fieldMappings:
  - identifier: Name
    columnName: MalwareCustomEntity
triggerThreshold: 0
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Trend Micro Cloud App Security/Analytic Rules/TrendMicroCASVAOutbreak.yaml
description: |
    'Detects when same malware was detected for multiple user account.'
version: 1.0.1
id: 65c2a6fe-ff7b-46b0-9278-61265f77f3bc
kind: Scheduled
relevantTechniques:
- T1566
severity: High
tactics:
- InitialAccess
queryPeriod: 1h

ARM