Microsoft Sentinel Analytic Rules
cloudbrothers.infoAzure Sentinel RepoToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeBack to homepage

McAfee ePO - Unable to clean or delete infected file

Back
Id9860e89f-72c8-425e-bac9-4a170798d3ea
RulenameMcAfee ePO - Unable to clean or delete infected file
DescriptionDetects when McAfee failed to clean or delete infected file.
SeverityHigh
TacticsDefenseEvasion
TechniquesT1562
T1070
Required data connectorsMcAfeeePO
SyslogAma
KindScheduled
Query frequency1h
Query period1h
Trigger threshold0
Trigger operatorgt
Source Urihttps://github.com/Azure/Azure-Sentinel/blob/master/Solutions/McAfee ePolicy Orchestrator/Analytic Rules/McAfeeEPOUnableCleanDeleteInfectedFile.yaml
Version1.0.1
Arm template9860e89f-72c8-425e-bac9-4a170798d3ea.json
Deploy To Azure
McAfeeEPOEvent
| where EventId in ('1026', '1028', '1298', '1310', '1055', '2002', '2004', '2009')
| extend EventMessage = case(EventId == '1026', 'Unable to clean infected file',
                              EventId == '1028', 'Unable to delete infected file',
                              EventId == '1298', 'File infected. Delete failed, quarantine failed',
                              EventId == '1310', 'Multiple extension heuristic detection - delete failed, quarantine failed',
                              EventId == '1055', 'Unable to delete infected file',
                              EventId == '2002', 'Unable to clean infected file',
                              EventId == '2004', 'Unable to delete infected file',
                              'Unable to move infected file to quarantine')
| project DvcIpAddr, EventId, EventMessage, DstFileName
| extend IPCustomEntity = DvcIpAddr
entityMappings:
- entityType: IP
  fieldMappings:
  - identifier: Address
    columnName: IPCustomEntity
queryFrequency: 1h
name: McAfee ePO - Unable to clean or delete infected file
severity: High
kind: Scheduled
tactics:
- DefenseEvasion
triggerThreshold: 0
query: |
  McAfeeEPOEvent
  | where EventId in ('1026', '1028', '1298', '1310', '1055', '2002', '2004', '2009')
  | extend EventMessage = case(EventId == '1026', 'Unable to clean infected file',
                                EventId == '1028', 'Unable to delete infected file',
                                EventId == '1298', 'File infected. Delete failed, quarantine failed',
                                EventId == '1310', 'Multiple extension heuristic detection - delete failed, quarantine failed',
                                EventId == '1055', 'Unable to delete infected file',
                                EventId == '2002', 'Unable to clean infected file',
                                EventId == '2004', 'Unable to delete infected file',
                                'Unable to move infected file to quarantine')
  | project DvcIpAddr, EventId, EventMessage, DstFileName
  | extend IPCustomEntity = DvcIpAddr  
triggerOperator: gt
queryPeriod: 1h
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/McAfee ePolicy Orchestrator/Analytic Rules/McAfeeEPOUnableCleanDeleteInfectedFile.yaml
relevantTechniques:
- T1562
- T1070
status: Available
id: 9860e89f-72c8-425e-bac9-4a170798d3ea
requiredDataConnectors:
- connectorId: McAfeeePO
  dataTypes:
  - Syslog
- connectorId: SyslogAma
  datatypes:
  - Syslog
version: 1.0.1
description: |
    'Detects when McAfee failed to clean or delete infected file.'
{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "workspace": {
      "type": "String"
    }
  },
  "resources": [
    {
      "apiVersion": "2024-01-01-preview",
      "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/9860e89f-72c8-425e-bac9-4a170798d3ea')]",
      "kind": "Scheduled",
      "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/9860e89f-72c8-425e-bac9-4a170798d3ea')]",
      "properties": {
        "alertRuleTemplateName": "9860e89f-72c8-425e-bac9-4a170798d3ea",
        "customDetails": null,
        "description": "'Detects when McAfee failed to clean or delete infected file.'\n",
        "displayName": "McAfee ePO - Unable to clean or delete infected file",
        "enabled": true,
        "entityMappings": [
          {
            "entityType": "IP",
            "fieldMappings": [
              {
                "columnName": "IPCustomEntity",
                "identifier": "Address"
              }
            ]
          }
        ],
        "OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/McAfee ePolicy Orchestrator/Analytic Rules/McAfeeEPOUnableCleanDeleteInfectedFile.yaml",
        "query": "McAfeeEPOEvent\n| where EventId in ('1026', '1028', '1298', '1310', '1055', '2002', '2004', '2009')\n| extend EventMessage = case(EventId == '1026', 'Unable to clean infected file',\n                              EventId == '1028', 'Unable to delete infected file',\n                              EventId == '1298', 'File infected. Delete failed, quarantine failed',\n                              EventId == '1310', 'Multiple extension heuristic detection - delete failed, quarantine failed',\n                              EventId == '1055', 'Unable to delete infected file',\n                              EventId == '2002', 'Unable to clean infected file',\n                              EventId == '2004', 'Unable to delete infected file',\n                              'Unable to move infected file to quarantine')\n| project DvcIpAddr, EventId, EventMessage, DstFileName\n| extend IPCustomEntity = DvcIpAddr\n",
        "queryFrequency": "PT1H",
        "queryPeriod": "PT1H",
        "severity": "High",
        "status": "Available",
        "subTechniques": [],
        "suppressionDuration": "PT1H",
        "suppressionEnabled": false,
        "tactics": [
          "DefenseEvasion"
        ],
        "techniques": [
          "T1070",
          "T1562"
        ],
        "templateVersion": "1.0.1",
        "triggerOperator": "GreaterThan",
        "triggerThreshold": 0
      },
      "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules"
    }
  ]
}