Quokka - Malicious Results Detected
| Id | 97ad71ed-e4c0-4f7a-b1a2-683108bece4f |
| Rulename | Quokka - Malicious Results Detected |
| Description | Detects if there are any malicious results in the app events coming from organization devices. |
| Severity | Medium |
| Tactics | InitialAccess Execution Persistence PrivilegeEscalation DefenseEvasion CredentialAccess Discovery Collection CommandAndControl Impact |
| Techniques | T1406 T1409 T1414 T1417 T1418 T1422 T1424 T1429 T1430 T1471 T1474 T1481 T1509 T1512 T1513 T1516 T1517 T1532 T1541 T1544 T1582 T1616 T1617 T1623 T1624 T1625 T1627 T1628 T1629 T1630 T1631 T1633 T1634 T1635 T1636 T1638 T1640 T1641 T1642 T1643 |
| Required data connectors | QscoutAppEventsCCFDefinition |
| Kind | Scheduled |
| Query frequency | 1h |
| Query period | 1h |
| Trigger threshold | 0 |
| Trigger operator | gt |
| Source Uri | https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Quokka/Analytic Rules/MaliciousResultsDetection.yaml |
| Version | 1.0.0 |
| Arm template | 97ad71ed-e4c0-4f7a-b1a2-683108bece4f.json |
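// Look-back window. Keep it equal to the rule's queryPeriod/queryFrequency (1h)
// so consecutive scheduled runs neither overlap nor leave gaps.
let timeRange = 1h;
// App events whose result set is a maliciousness verdict with at least one
// entry. AccountCustomEntity is the string form of org_id and is the column the
// rule's Account entity mapping reads — presumably a tenant/organization id
// rather than a user, so incidents group per organization; confirm with the
// connector schema.
let appEventsWithMaliciousResults = QscoutAppEvents_CL
    | extend AccountCustomEntity = tostring(org_id)
    | where TimeGenerated >= ago(timeRange)
    | where result_type == 'maliciousness'
    | where isnotempty(results.entries);
// One output row per entry of results.entries, carrying the device/app context
// plus the per-finding fields pulled out of the expanded entry.
appEventsWithMaliciousResults
| mv-expand entry = results.entries
| project
    TimeGenerated,
    AccountCustomEntity,
    app_id,
    mdm_source,
    mdm_device_id,
    package,
    platform,
    version,
    rule_id = tostring(entry.ruleId),
    // Column name fixed from the misspelled 'desription'.
    description = tostring(entry.description),
    threat_level = toint(entry.threatLevel),
    threat_types = tostring(entry.threatTypes)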
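# KQL body of the scheduled rule. timeRange must stay aligned with
# queryPeriod/queryFrequency below (all 1h).
query: |
  let timeRange = 1h;
  let appEventsWithMaliciousResults = QscoutAppEvents_CL
    | extend AccountCustomEntity = tostring(org_id)
    | where TimeGenerated >= ago(timeRange)
    | where result_type == 'maliciousness'
    | where isnotempty(results.entries);
  appEventsWithMaliciousResults
  | mv-expand entry = results.entries
  | project
      TimeGenerated,
      AccountCustomEntity,
      app_id,
      mdm_source,
      mdm_device_id,
      package,
      platform,
      version,
      rule_id = tostring(entry.ruleId),
      description = tostring(entry.description),
      threat_level = toint(entry.threatLevel),
      threat_types = tostring(entry.threatTypes)
# The only mapped entity: AccountCustomEntity is tostring(org_id) in the query.
entityMappings:
  - entityType: Account
    fieldMappings:
      - columnName: AccountCustomEntity
        identifier: Name
# With triggerOperator gt, any single expanded finding raises an incident.
triggerThreshold: 0
name: Quokka - Malicious Results Detected
severity: Medium
relevantTechniques:
  - T1406
  - T1409
  - T1414
  - T1417
  - T1418
  - T1422
  - T1424
  - T1429
  - T1430
  - T1471
  - T1474
  - T1481
  - T1509
  - T1512
  - T1513
  - T1516
  - T1517
  - T1532
  - T1541
  - T1544
  - T1582
  - T1616
  - T1617
  - T1623
  - T1624
  - T1625
  - T1627
  - T1628
  - T1629
  - T1630
  - T1631
  - T1633
  - T1634
  - T1635
  - T1636
  - T1638
  - T1640
  - T1641
  - T1642
  - T1643
queryPeriod: 1h
tactics:
  - InitialAccess
  - Execution
  - Persistence
  - PrivilegeEscalation
  - DefenseEvasion
  - CredentialAccess
  - Discovery
  - Collection
  - CommandAndControl
  - Impact
requiredDataConnectors:
  - connectorId: QscoutAppEventsCCFDefinition
    dataTypes:
      - QscoutAppEvents_CL
queryFrequency: 1h
version: 1.0.0
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Quokka/Analytic Rules/MaliciousResultsDetection.yaml
id: 97ad71ed-e4c0-4f7a-b1a2-683108bece4f
kind: Scheduled
description: |
  'Detects if there are any malicious results in the app events coming from organization devices.'
status: Available
triggerOperator: gt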