Microsoft Sentinel Analytic Rules
cloudbrothers.infoAzure Sentinel RepoToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeBack to homepage

McAfee ePO - Unable to clean or delete infected file

Back
Id9860e89f-72c8-425e-bac9-4a170798d3ea
RulenameMcAfee ePO - Unable to clean or delete infected file
DescriptionDetects when McAfee failed to clean or delete infected file.
SeverityHigh
TacticsDefenseEvasion
TechniquesT1562
T1070
Required data connectorsMcAfeeePO
SyslogAma
KindScheduled
Query frequency1h
Query period1h
Trigger threshold0
Trigger operatorgt
Source Urihttps://github.com/Azure/Azure-Sentinel/blob/master/Solutions/McAfee ePolicy Orchestrator/Analytic Rules/McAfeeEPOUnableCleanDeleteInfectedFile.yaml
Version1.0.1
Arm template9860e89f-72c8-425e-bac9-4a170798d3ea.json
Deploy To Azure
McAfeeEPOEvent
| where EventId in ('1026', '1028', '1298', '1310', '1055', '2002', '2004', '2009')
| extend EventMessage = case(EventId == '1026', 'Unable to clean infected file',
                              EventId == '1028', 'Unable to delete infected file',
                              EventId == '1298', 'File infected. Delete failed, quarantine failed',
                              EventId == '1310', 'Multiple extension heuristic detection - delete failed, quarantine failed',
                              EventId == '1055', 'Unable to delete infected file',
                              EventId == '2002', 'Unable to clean infected file',
                              EventId == '2004', 'Unable to delete infected file',
                              'Unable to move infected file to quarantine')
| project DvcIpAddr, EventId, EventMessage, DstFileName
| extend IPCustomEntity = DvcIpAddr
kind: Scheduled
relevantTechniques:
- T1562
- T1070
description: |
    'Detects when McAfee failed to clean or delete infected file.'
queryPeriod: 1h
queryFrequency: 1h
tactics:
- DefenseEvasion
name: McAfee ePO - Unable to clean or delete infected file
requiredDataConnectors:
- connectorId: McAfeeePO
  dataTypes:
  - Syslog
- connectorId: SyslogAma
  datatypes:
  - Syslog
entityMappings:
- entityType: IP
  fieldMappings:
  - identifier: Address
    columnName: IPCustomEntity
triggerThreshold: 0
version: 1.0.1
id: 9860e89f-72c8-425e-bac9-4a170798d3ea
query: |
  McAfeeEPOEvent
  | where EventId in ('1026', '1028', '1298', '1310', '1055', '2002', '2004', '2009')
  | extend EventMessage = case(EventId == '1026', 'Unable to clean infected file',
                                EventId == '1028', 'Unable to delete infected file',
                                EventId == '1298', 'File infected. Delete failed, quarantine failed',
                                EventId == '1310', 'Multiple extension heuristic detection - delete failed, quarantine failed',
                                EventId == '1055', 'Unable to delete infected file',
                                EventId == '2002', 'Unable to clean infected file',
                                EventId == '2004', 'Unable to delete infected file',
                                'Unable to move infected file to quarantine')
  | project DvcIpAddr, EventId, EventMessage, DstFileName
  | extend IPCustomEntity = DvcIpAddr  
status: Available
triggerOperator: gt
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/McAfee ePolicy Orchestrator/Analytic Rules/McAfeeEPOUnableCleanDeleteInfectedFile.yaml
severity: High
{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "workspace": {
      "type": "String"
    }
  },
  "resources": [
    {
      "apiVersion": "2024-01-01-preview",
      "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/9860e89f-72c8-425e-bac9-4a170798d3ea')]",
      "kind": "Scheduled",
      "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/9860e89f-72c8-425e-bac9-4a170798d3ea')]",
      "properties": {
        "alertRuleTemplateName": "9860e89f-72c8-425e-bac9-4a170798d3ea",
        "customDetails": null,
        "description": "'Detects when McAfee failed to clean or delete infected file.'\n",
        "displayName": "McAfee ePO - Unable to clean or delete infected file",
        "enabled": true,
        "entityMappings": [
          {
            "entityType": "IP",
            "fieldMappings": [
              {
                "columnName": "IPCustomEntity",
                "identifier": "Address"
              }
            ]
          }
        ],
        "OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/McAfee ePolicy Orchestrator/Analytic Rules/McAfeeEPOUnableCleanDeleteInfectedFile.yaml",
        "query": "McAfeeEPOEvent\n| where EventId in ('1026', '1028', '1298', '1310', '1055', '2002', '2004', '2009')\n| extend EventMessage = case(EventId == '1026', 'Unable to clean infected file',\n                              EventId == '1028', 'Unable to delete infected file',\n                              EventId == '1298', 'File infected. Delete failed, quarantine failed',\n                              EventId == '1310', 'Multiple extension heuristic detection - delete failed, quarantine failed',\n                              EventId == '1055', 'Unable to delete infected file',\n                              EventId == '2002', 'Unable to clean infected file',\n                              EventId == '2004', 'Unable to delete infected file',\n                              'Unable to move infected file to quarantine')\n| project DvcIpAddr, EventId, EventMessage, DstFileName\n| extend IPCustomEntity = DvcIpAddr\n",
        "queryFrequency": "PT1H",
        "queryPeriod": "PT1H",
        "severity": "High",
        "status": "Available",
        "subTechniques": [],
        "suppressionDuration": "PT1H",
        "suppressionEnabled": false,
        "tactics": [
          "DefenseEvasion"
        ],
        "techniques": [
          "T1070",
          "T1562"
        ],
        "templateVersion": "1.0.1",
        "triggerOperator": "GreaterThan",
        "triggerThreshold": 0
      },
      "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules"
    }
  ]
}