Cisco SE - Malware execusion on host

Back


Id	aea4468e-6322-48b6-bd83-f9d300cce855
Rulename	Cisco SE - Malware execusion on host
Description	Detects malware execution on host.
Severity	High
Tactics	Execution
Techniques	T1204.002
Required data connectors	CiscoSecureEndpoint
Kind	Scheduled
Query frequency	15m
Query period	15m
Trigger threshold	0
Trigger operator	gt
Source Uri	https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Cisco Secure Endpoint/Analytic Rules/CiscoSEMalwareExecution.yaml
Version	1.0.0
Arm template	aea4468e-6322-48b6-bd83-f9d300cce855.json

KQL

CiscoSecureEndpoint
| where EventMessage has 'Executed Malware'
| extend HostCustomEntity = DstHostname, MalwareCustomEntity = ThreatName

YAML

queryPeriod: 15m
id: aea4468e-6322-48b6-bd83-f9d300cce855
severity: High
status: Available
queryFrequency: 15m
query: |
  CiscoSecureEndpoint
  | where EventMessage has 'Executed Malware'
  | extend HostCustomEntity = DstHostname, MalwareCustomEntity = ThreatName  
triggerThreshold: 0
tactics:
- Execution
requiredDataConnectors:
- dataTypes:
  - CiscoSecureEndpoint
  connectorId: CiscoSecureEndpoint
kind: Scheduled
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Cisco Secure Endpoint/Analytic Rules/CiscoSEMalwareExecution.yaml
relevantTechniques:
- T1204.002
entityMappings:
- fieldMappings:
  - identifier: HostName
    columnName: HostCustomEntity
  entityType: Host
- fieldMappings:
  - identifier: Name
    columnName: MalwareCustomEntity
  entityType: Malware
name: Cisco SE - Malware execusion on host
triggerOperator: gt
version: 1.0.0
description: |
    'Detects malware execution on host.'

ARM