SpyCloudBreachDataWatchlist_CL
| where Severity_s == '25'
| project TimeGenerated, Document_Id_g, Source_Id_s, SpyCloud_Publish_Date_t, Email_s, Domain_s, Password_s, Password_Plaintext_s, Username_s, Infected_Machine_Id_g, Infected_Path_s, Infected_Time_t, Target_Domain_s, Target_SubDomain_s, User_Hostname_s, User_OS_s, Target_URL_s,IP_Address_s
entityMappings:
- entityType: Host
fieldMappings:
- columnName: Infected_Machine_Id_g
identifier: HostName
- columnName: User_Hostname_s
identifier: DnsDomain
- entityType: Account
fieldMappings:
- columnName: Email_s
identifier: FullName
- columnName: Username_s
identifier: Name
- entityType: DNS
fieldMappings:
- columnName: Target_Domain_s
identifier: DomainName
- entityType: DNS
fieldMappings:
- columnName: Target_SubDomain_s
identifier: DomainName
- entityType: IP
fieldMappings:
- columnName: IP_Address_s
identifier: Address
description: |
'This alert creates an incident when an malware record is detected in the SpyCloud watchlist data'
alertDetailsOverride:
requiredDataConnectors: []
eventGroupingSettings:
aggregationKind: AlertPerResult
query: |
SpyCloudBreachDataWatchlist_CL
| where Severity_s == '25'
| project TimeGenerated, Document_Id_g, Source_Id_s, SpyCloud_Publish_Date_t, Email_s, Domain_s, Password_s, Password_Plaintext_s, Username_s, Infected_Machine_Id_g, Infected_Path_s, Infected_Time_t, Target_Domain_s, Target_SubDomain_s, User_Hostname_s, User_OS_s, Target_URL_s,IP_Address_s
triggerThreshold: 0
name: SpyCloud Enterprise Malware Detection
relevantTechniques:
- T1555
suppressionDuration: 5h
incidentConfiguration:
groupingConfiguration:
reopenClosedIncident: false
enabled: true
matchingMethod: AllEntities
lookbackDuration: 12h
createIncident: true
tactics:
- CredentialAccess
queryPeriod: 12h
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/SpyCloud Enterprise Protection/Analytic Rules/SpyCloudEnterpriseProtectionMalwareRule.yaml
version: 1.0.2
severity: High
status: Available
sentinelEntitiesMappings:
queryFrequency: 12h
id: 7ba50f9e-2f94-462b-a54b-8642b8c041f5
kind: Scheduled
customDetails:
Password_Plaintext: Password_Plaintext_s
Document_Id: Document_Id_g
PublishDate: SpyCloud_Publish_Date_t
Password: Password_s
User_Host_Name: User_Hostname_s
Infected_Time: Infected_Time_t
Source_Id: Source_Id_s
Infected_Path: Infected_Path_s
Domain: Domain_s
triggerOperator: gt
