SpyCloud Enterprise Malware Detection

Back


Id	7ba50f9e-2f94-462b-a54b-8642b8c041f5
Rulename	SpyCloud Enterprise Malware Detection
Description	This alert creates an incident when an malware record is detected in the SpyCloud watchlist data
Severity	High
Tactics	CredentialAccess
Techniques	T1555
Kind	Scheduled
Query frequency	12h
Query period	12h
Trigger threshold	0
Trigger operator	gt
Source Uri	https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/SpyCloud Enterprise Protection/Analytic Rules/SpyCloudEnterpriseProtectionMalwareRule.yaml
Version	1.0.2
Arm template	7ba50f9e-2f94-462b-a54b-8642b8c041f5.json

KQL

SpyCloudBreachDataWatchlist_CL
| where Severity_s == '25'
| project TimeGenerated, Document_Id_g, Source_Id_s, SpyCloud_Publish_Date_t, Email_s, Domain_s, Password_s, Password_Plaintext_s, Username_s, Infected_Machine_Id_g, Infected_Path_s, Infected_Time_t, Target_Domain_s, Target_SubDomain_s, User_Hostname_s, User_OS_s, Target_URL_s,IP_Address_s

YAML

entityMappings:
- entityType: Host
  fieldMappings:
  - identifier: HostName
    columnName: Infected_Machine_Id_g
  - identifier: DnsDomain
    columnName: User_Hostname_s
- entityType: Account
  fieldMappings:
  - identifier: FullName
    columnName: Email_s
  - identifier: Name
    columnName: Username_s
- entityType: DNS
  fieldMappings:
  - identifier: DomainName
    columnName: Target_Domain_s
- entityType: DNS
  fieldMappings:
  - identifier: DomainName
    columnName: Target_SubDomain_s
- entityType: IP
  fieldMappings:
  - identifier: Address
    columnName: IP_Address_s
tactics:
- CredentialAccess
suppressionDuration: 5h
requiredDataConnectors: []
alertDetailsOverride: 
incidentConfiguration:
  groupingConfiguration:
    enabled: true
    lookbackDuration: 12h
    reopenClosedIncident: false
    matchingMethod: AllEntities
  createIncident: true
id: 7ba50f9e-2f94-462b-a54b-8642b8c041f5
severity: High
eventGroupingSettings:
  aggregationKind: AlertPerResult
status: Available
customDetails:
  Source_Id: Source_Id_s
  Document_Id: Document_Id_g
  Password: Password_s
  User_Host_Name: User_Hostname_s
  PublishDate: SpyCloud_Publish_Date_t
  Password_Plaintext: Password_Plaintext_s
  Infected_Time: Infected_Time_t
  Infected_Path: Infected_Path_s
  Domain: Domain_s
kind: Scheduled
query: |
  SpyCloudBreachDataWatchlist_CL
  | where Severity_s == '25'
  | project TimeGenerated, Document_Id_g, Source_Id_s, SpyCloud_Publish_Date_t, Email_s, Domain_s, Password_s, Password_Plaintext_s, Username_s, Infected_Machine_Id_g, Infected_Path_s, Infected_Time_t, Target_Domain_s, Target_SubDomain_s, User_Hostname_s, User_OS_s, Target_URL_s,IP_Address_s  
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/SpyCloud Enterprise Protection/Analytic Rules/SpyCloudEnterpriseProtectionMalwareRule.yaml
sentinelEntitiesMappings: 
queryPeriod: 12h
version: 1.0.2
name: SpyCloud Enterprise Malware Detection
queryFrequency: 12h
triggerThreshold: 0
relevantTechniques:
- T1555
description: |
    'This alert creates an incident when an malware record is detected in the SpyCloud watchlist data'
triggerOperator: gt

ARM