CarbonBlackEvents_CL
| extend eventTime = datetime(1970-01-01) + tolong(eventTime_d/1000) * 1sec
| where targetApp_effectiveReputation_s =~ "KNOWN_MALWARE"
| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), count() by eventTime, deviceDetails_deviceName_s, deviceDetails_deviceIpAddress_s, processDetails_fullUserName_s, processDetails_targetName_s
description: |
'This creates an incident when a known Malware is detected on a endpoint managed by a Carbon Black.'
kind: Scheduled
tactics:
- Execution
requiredDataConnectors:
- connectorId: VMwareCarbonBlack
dataTypes:
- CarbonBlackEvents_CL
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/VMware Carbon Black Cloud/Analytic Rules/KnownMalwareDetected.yaml
severity: Medium
name: Known Malware Detected
triggerThreshold: 0
queryPeriod: 1h
query: |
CarbonBlackEvents_CL
| extend eventTime = datetime(1970-01-01) + tolong(eventTime_d/1000) * 1sec
| where targetApp_effectiveReputation_s =~ "KNOWN_MALWARE"
| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), count() by eventTime, deviceDetails_deviceName_s, deviceDetails_deviceIpAddress_s, processDetails_fullUserName_s, processDetails_targetName_s
relevantTechniques:
- T1204
id: 9f86885f-f31f-4e66-a39d-352771ee789e
queryFrequency: 1h
status: Available
triggerOperator: gt
version: 1.0.2
entityMappings:
- entityType: Account
fieldMappings:
- columnName: processDetails_fullUserName_s
identifier: FullName
- entityType: Host
fieldMappings:
- columnName: deviceDetails_deviceName_s
identifier: FullName
- entityType: IP
fieldMappings:
- columnName: deviceDetails_deviceIpAddress_s
identifier: Address
