Microsoft Sentinel Analytic Rules
cloudbrothers.infoAzure Sentinel RepoToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeBack to homepage
  1. Microsoft Sentinel Analytics Rules
  2. /
  3. Analytic Rules
  4. /
  5. SpyCloud Enterprise Malware Detection

SpyCloud Enterprise Malware Detection

Back
Id7ba50f9e-2f94-462b-a54b-8642b8c041f5
RulenameSpyCloud Enterprise Malware Detection
DescriptionThis alert creates an incident when an malware record is detected in the SpyCloud watchlist data
SeverityHigh
TacticsCredentialAccess
TechniquesT1555
KindScheduled
Query frequency12h
Query period12h
Trigger threshold0
Trigger operatorgt
Source Urihttps://github.com/Azure/Azure-Sentinel/blob/master/Solutions/SpyCloud Enterprise Protection/Analytic Rules/SpyCloudEnterpriseProtectionMalwareRule.yaml
Version1.0.2
Arm template7ba50f9e-2f94-462b-a54b-8642b8c041f5.json
Deploy To Azure
SpyCloudBreachDataWatchlist_CL
| where Severity_s == '25'
| project TimeGenerated, Document_Id_g, Source_Id_s, SpyCloud_Publish_Date_t, Email_s, Domain_s, Password_s, Password_Plaintext_s, Username_s, Infected_Machine_Id_g, Infected_Path_s, Infected_Time_t, Target_Domain_s, Target_SubDomain_s, User_Hostname_s, User_OS_s, Target_URL_s,IP_Address_s

kind: Scheduled
eventGroupingSettings:
  aggregationKind: AlertPerResult
suppressionDuration: 5h
entityMappings:
- entityType: Host
  fieldMappings:
  - columnName: Infected_Machine_Id_g
    identifier: HostName
  - columnName: User_Hostname_s
    identifier: DnsDomain
- entityType: Account
  fieldMappings:
  - columnName: Email_s
    identifier: FullName
  - columnName: Username_s
    identifier: Name
- entityType: DNS
  fieldMappings:
  - columnName: Target_Domain_s
    identifier: DomainName
- entityType: DNS
  fieldMappings:
  - columnName: Target_SubDomain_s
    identifier: DomainName
- entityType: IP
  fieldMappings:
  - columnName: IP_Address_s
    identifier: Address
sentinelEntitiesMappings: 
description: |
    'This alert creates an incident when an malware record is detected in the SpyCloud watchlist data'
severity: High
queryFrequency: 12h
incidentConfiguration:
  groupingConfiguration:
    reopenClosedIncident: false
    matchingMethod: AllEntities
    lookbackDuration: 12h
    enabled: true
  createIncident: true
triggerThreshold: 0
relevantTechniques:
- T1555
status: Available
customDetails:
  Source_Id: Source_Id_s
  Password: Password_s
  Document_Id: Document_Id_g
  Infected_Path: Infected_Path_s
  User_Host_Name: User_Hostname_s
  Infected_Time: Infected_Time_t
  PublishDate: SpyCloud_Publish_Date_t
  Password_Plaintext: Password_Plaintext_s
  Domain: Domain_s
tactics:
- CredentialAccess
name: SpyCloud Enterprise Malware Detection
id: 7ba50f9e-2f94-462b-a54b-8642b8c041f5
query: |
  SpyCloudBreachDataWatchlist_CL
  | where Severity_s == '25'
  | project TimeGenerated, Document_Id_g, Source_Id_s, SpyCloud_Publish_Date_t, Email_s, Domain_s, Password_s, Password_Plaintext_s, Username_s, Infected_Machine_Id_g, Infected_Path_s, Infected_Time_t, Target_Domain_s, Target_SubDomain_s, User_Hostname_s, User_OS_s, Target_URL_s,IP_Address_s  
requiredDataConnectors: []
version: 1.0.2
alertDetailsOverride: 
triggerOperator: gt
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/SpyCloud Enterprise Protection/Analytic Rules/SpyCloudEnterpriseProtectionMalwareRule.yaml
queryPeriod: 12h

{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "workspace": {
      "type": "String"
    }
  },
  "resources": [
    {
      "apiVersion": "2024-01-01-preview",
      "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/7ba50f9e-2f94-462b-a54b-8642b8c041f5')]",
      "kind": "Scheduled",
      "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/7ba50f9e-2f94-462b-a54b-8642b8c041f5')]",
      "properties": {
        "alertDetailsOverride": null,
        "alertRuleTemplateName": "7ba50f9e-2f94-462b-a54b-8642b8c041f5",
        "customDetails": {
          "Document_Id": "Document_Id_g",
          "Domain": "Domain_s",
          "Infected_Path": "Infected_Path_s",
          "Infected_Time": "Infected_Time_t",
          "Password": "Password_s",
          "Password_Plaintext": "Password_Plaintext_s",
          "PublishDate": "SpyCloud_Publish_Date_t",
          "Source_Id": "Source_Id_s",
          "User_Host_Name": "User_Hostname_s"
        },
        "description": "'This alert creates an incident when an malware record is detected in the SpyCloud watchlist data'\n",
        "displayName": "SpyCloud Enterprise Malware Detection",
        "enabled": true,
        "entityMappings": [
          {
            "entityType": "Host",
            "fieldMappings": [
              {
                "columnName": "Infected_Machine_Id_g",
                "identifier": "HostName"
              },
              {
                "columnName": "User_Hostname_s",
                "identifier": "DnsDomain"
              }
            ]
          },
          {
            "entityType": "Account",
            "fieldMappings": [
              {
                "columnName": "Email_s",
                "identifier": "FullName"
              },
              {
                "columnName": "Username_s",
                "identifier": "Name"
              }
            ]
          },
          {
            "entityType": "DNS",
            "fieldMappings": [
              {
                "columnName": "Target_Domain_s",
                "identifier": "DomainName"
              }
            ]
          },
          {
            "entityType": "DNS",
            "fieldMappings": [
              {
                "columnName": "Target_SubDomain_s",
                "identifier": "DomainName"
              }
            ]
          },
          {
            "entityType": "IP",
            "fieldMappings": [
              {
                "columnName": "IP_Address_s",
                "identifier": "Address"
              }
            ]
          }
        ],
        "eventGroupingSettings": {
          "aggregationKind": "AlertPerResult"
        },
        "incidentConfiguration": {
          "createIncident": true,
          "groupingConfiguration": {
            "enabled": true,
            "lookbackDuration": "PT12H",
            "matchingMethod": "AllEntities",
            "reopenClosedIncident": false
          }
        },
        "OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/SpyCloud Enterprise Protection/Analytic Rules/SpyCloudEnterpriseProtectionMalwareRule.yaml",
        "query": "SpyCloudBreachDataWatchlist_CL\n| where Severity_s == '25'\n| project TimeGenerated, Document_Id_g, Source_Id_s, SpyCloud_Publish_Date_t, Email_s, Domain_s, Password_s, Password_Plaintext_s, Username_s, Infected_Machine_Id_g, Infected_Path_s, Infected_Time_t, Target_Domain_s, Target_SubDomain_s, User_Hostname_s, User_OS_s, Target_URL_s,IP_Address_s\n",
        "queryFrequency": "PT12H",
        "queryPeriod": "PT12H",
        "sentinelEntitiesMappings": null,
        "severity": "High",
        "status": "Available",
        "subTechniques": [],
        "suppressionDuration": "PT5H",
        "suppressionEnabled": false,
        "tactics": [
          "CredentialAccess"
        ],
        "techniques": [
          "T1555"
        ],
        "templateVersion": "1.0.2",
        "triggerOperator": "GreaterThan",
        "triggerThreshold": 0
      },
      "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules"
    }
  ]
}