CiscoSecureEndpoint
| where EventMessage has 'Executed Malware'
| extend HostCustomEntity = DstHostname, MalwareCustomEntity = ThreatName
relevantTechniques:
- T1204.002
queryFrequency: 15m
description: |
'Detects malware execution on host.'
triggerThreshold: 0
id: aea4468e-6322-48b6-bd83-f9d300cce855
name: Cisco SE - Malware execusion on host
queryPeriod: 15m
query: |
CiscoSecureEndpoint
| where EventMessage has 'Executed Malware'
| extend HostCustomEntity = DstHostname, MalwareCustomEntity = ThreatName
severity: High
triggerOperator: gt
entityMappings:
- fieldMappings:
- columnName: HostCustomEntity
identifier: HostName
entityType: Host
- fieldMappings:
- columnName: MalwareCustomEntity
identifier: Name
entityType: Malware
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Cisco Secure Endpoint/Analytic Rules/CiscoSEMalwareExecution.yaml
requiredDataConnectors:
- connectorId: CiscoSecureEndpoint
dataTypes:
- CiscoSecureEndpoint
status: Available
version: 1.0.0
tactics:
- Execution
kind: Scheduled
