Microsoft Sentinel Analytic Rules

McAfee ePO - Unable to clean or delete infected file

Id: 9860e89f-72c8-425e-bac9-4a170798d3ea
Rule name: McAfee ePO - Unable to clean or delete infected file
Description: Detects when McAfee failed to clean or delete an infected file.
Severity: High
Tactics: DefenseEvasion
Techniques: T1562, T1070
Required data connectors: SyslogAma
Kind: Scheduled
Query frequency: 1h
Query period: 1h
Trigger threshold: 0
Trigger operator: gt
Source Uri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/McAfee ePolicy Orchestrator/Analytic Rules/McAfeeEPOUnableCleanDeleteInfectedFile.yaml
Version: 1.0.2
Arm template: 9860e89f-72c8-425e-bac9-4a170798d3ea.json
McAfeeEPOEvent
| where EventId in ('1026', '1028', '1298', '1310', '1055', '2002', '2004', '2009')
| extend EventMessage = case(EventId == '1026', 'Unable to clean infected file',
                              EventId == '1028', 'Unable to delete infected file',
                              EventId == '1298', 'File infected. Delete failed, quarantine failed',
                              EventId == '1310', 'Multiple extension heuristic detection - delete failed, quarantine failed',
                              EventId == '1055', 'Unable to delete infected file',
                              EventId == '2002', 'Unable to clean infected file',
                              EventId == '2004', 'Unable to delete infected file',
                              'Unable to move infected file to quarantine')
| project DvcIpAddr, EventId, EventMessage, DstFileName
| extend IPCustomEntity = DvcIpAddr
status: Available
query: |
  McAfeeEPOEvent
  | where EventId in ('1026', '1028', '1298', '1310', '1055', '2002', '2004', '2009')
  | extend EventMessage = case(EventId == '1026', 'Unable to clean infected file',
                                EventId == '1028', 'Unable to delete infected file',
                                EventId == '1298', 'File infected. Delete failed, quarantine failed',
                                EventId == '1310', 'Multiple extension heuristic detection - delete failed, quarantine failed',
                                EventId == '1055', 'Unable to delete infected file',
                                EventId == '2002', 'Unable to clean infected file',
                                EventId == '2004', 'Unable to delete infected file',
                                'Unable to move infected file to quarantine')
  | project DvcIpAddr, EventId, EventMessage, DstFileName
  | extend IPCustomEntity = DvcIpAddr
version: 1.0.2
name: McAfee ePO - Unable to clean or delete infected file
queryPeriod: 1h
kind: Scheduled
id: 9860e89f-72c8-425e-bac9-4a170798d3ea
triggerOperator: gt
relevantTechniques:
- T1562
- T1070
tactics:
- DefenseEvasion
severity: High
triggerThreshold: 0
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/McAfee ePolicy Orchestrator/Analytic Rules/McAfeeEPOUnableCleanDeleteInfectedFile.yaml
queryFrequency: 1h
entityMappings:
- fieldMappings:
  - columnName: IPCustomEntity
    identifier: Address
  entityType: IP
requiredDataConnectors:
- datatypes:
  - Syslog
  connectorId: SyslogAma
description: |
    'Detects when McAfee failed to clean or delete infected file.'