McAfee ePO - Unable to clean or delete infected file

Back


Id	9860e89f-72c8-425e-bac9-4a170798d3ea
Rulename	McAfee ePO - Unable to clean or delete infected file
Description	Detects when McAfee failed to clean or delete infected file.
Severity	High
Tactics	DefenseEvasion
Techniques	T1562 T1070
Required data connectors	McAfeeePO
Kind	Scheduled
Query frequency	1h
Query period	1h
Trigger threshold	0
Trigger operator	gt
Source Uri	https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/McAfee ePolicy Orchestrator/Analytic Rules/McAfeeEPOUnableCleanDeleteInfectedFile.yaml
Version	1.0.0
Arm template	9860e89f-72c8-425e-bac9-4a170798d3ea.json

KQL

McAfeeEPOEvent
| where EventId in ('1026', '1028', '1298', '1310', '1055', '2002', '2004', '2009')
| extend EventMessage = case(EventId == '1026', 'Unable to clean infected file',
                              EventId == '1028', 'Unable to delete infected file',
                              EventId == '1298', 'File infected. Delete failed, quarantine failed',
                              EventId == '1310', 'Multiple extension heuristic detection - delete failed, quarantine failed',
                              EventId == '1055', 'Unable to delete infected file',
                              EventId == '2002', 'Unable to clean infected file',
                              EventId == '2004', 'Unable to delete infected file',
                              'Unable to move infected file to quarantine')
| project DvcIpAddr, EventId, EventMessage, DstFileName
| extend IPCustomEntity = DvcIpAddr

YAML

severity: High
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/McAfee ePolicy Orchestrator/Analytic Rules/McAfeeEPOUnableCleanDeleteInfectedFile.yaml
description: |
    'Detects when McAfee failed to clean or delete infected file.'
triggerOperator: gt
queryPeriod: 1h
requiredDataConnectors:
- dataTypes:
  - Syslog
  connectorId: McAfeeePO
queryFrequency: 1h
triggerThreshold: 0
tactics:
- DefenseEvasion
query: |
  McAfeeEPOEvent
  | where EventId in ('1026', '1028', '1298', '1310', '1055', '2002', '2004', '2009')
  | extend EventMessage = case(EventId == '1026', 'Unable to clean infected file',
                                EventId == '1028', 'Unable to delete infected file',
                                EventId == '1298', 'File infected. Delete failed, quarantine failed',
                                EventId == '1310', 'Multiple extension heuristic detection - delete failed, quarantine failed',
                                EventId == '1055', 'Unable to delete infected file',
                                EventId == '2002', 'Unable to clean infected file',
                                EventId == '2004', 'Unable to delete infected file',
                                'Unable to move infected file to quarantine')
  | project DvcIpAddr, EventId, EventMessage, DstFileName
  | extend IPCustomEntity = DvcIpAddr  
status: Available
kind: Scheduled
relevantTechniques:
- T1562
- T1070
version: 1.0.0
id: 9860e89f-72c8-425e-bac9-4a170798d3ea
entityMappings:
- fieldMappings:
  - columnName: IPCustomEntity
    identifier: Address
  entityType: IP
name: McAfee ePO - Unable to clean or delete infected file

ARM

{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "workspace": {
      "type": "String"
    }
  },
  "resources": [
    {
      "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/9860e89f-72c8-425e-bac9-4a170798d3ea')]",
      "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/9860e89f-72c8-425e-bac9-4a170798d3ea')]",
      "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
      "kind": "Scheduled",
      "apiVersion": "2022-11-01-preview",
      "properties": {
        "displayName": "McAfee ePO - Unable to clean or delete infected file",
        "description": "'Detects when McAfee failed to clean or delete infected file.'\n",
        "severity": "High",
        "enabled": true,
        "query": "McAfeeEPOEvent\n| where EventId in ('1026', '1028', '1298', '1310', '1055', '2002', '2004', '2009')\n| extend EventMessage = case(EventId == '1026', 'Unable to clean infected file',\n                              EventId == '1028', 'Unable to delete infected file',\n                              EventId == '1298', 'File infected. Delete failed, quarantine failed',\n                              EventId == '1310', 'Multiple extension heuristic detection - delete failed, quarantine failed',\n                              EventId == '1055', 'Unable to delete infected file',\n                              EventId == '2002', 'Unable to clean infected file',\n                              EventId == '2004', 'Unable to delete infected file',\n                              'Unable to move infected file to quarantine')\n| project DvcIpAddr, EventId, EventMessage, DstFileName\n| extend IPCustomEntity = DvcIpAddr\n",
        "queryFrequency": "PT1H",
        "queryPeriod": "PT1H",
        "triggerOperator": "GreaterThan",
        "triggerThreshold": 0,
        "suppressionDuration": "PT1H",
        "suppressionEnabled": false,
        "tactics": [
          "DefenseEvasion"
        ],
        "techniques": [
          "T1562",
          "T1070"
        ],
        "alertRuleTemplateName": "9860e89f-72c8-425e-bac9-4a170798d3ea",
        "customDetails": null,
        "entityMappings": [
          {
            "entityType": "IP",
            "fieldMappings": [
              {
                "columnName": "IPCustomEntity",
                "identifier": "Address"
              }
            ]
          }
        ],
        "status": "Available",
        "templateVersion": "1.0.0",
        "OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/McAfee ePolicy Orchestrator/Analytic Rules/McAfeeEPOUnableCleanDeleteInfectedFile.yaml"
      }
    }
  ]
}