Microsoft Sentinel Analytic Rules
cloudbrothers.infoAzure Sentinel RepoToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeBack to homepage

Cisco SE - Multiple malware on host

Back
Idb13489d7-feb1-4ad3-9a4c-09f6d64448fd
RulenameCisco SE - Multiple malware on host
DescriptionThis rule triggers when multiple malware where detected on host.
SeverityHigh
TacticsInitialAccess
TechniquesT1190
T1133
Required data connectorsCiscoSecureEndpoint
KindScheduled
Query frequency1h
Query period1h
Trigger threshold0
Trigger operatorgt
Source Urihttps://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Cisco Secure Endpoint/Analytic Rules/CiscoSEMultipleMalwareOnHost.yaml
Version1.0.0
Arm templateb13489d7-feb1-4ad3-9a4c-09f6d64448fd.json
Deploy To Azure
let threshold = 2;
CiscoSecureEndpoint
| where isnotempty(ThreatName)
| summarize infected = makeset(ThreatName) by DstHostname, bin(TimeGenerated, 10m)
| where array_length(infected) >= threshold
| extend HostCustomEntity = DstHostname
requiredDataConnectors:
- dataTypes:
  - CiscoSecureEndpoint
  connectorId: CiscoSecureEndpoint
name: Cisco SE - Multiple malware on host
queryFrequency: 1h
tactics:
- InitialAccess
relevantTechniques:
- T1190
- T1133
status: Available
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Cisco Secure Endpoint/Analytic Rules/CiscoSEMultipleMalwareOnHost.yaml
id: b13489d7-feb1-4ad3-9a4c-09f6d64448fd
queryPeriod: 1h
entityMappings:
- fieldMappings:
  - identifier: HostName
    columnName: HostCustomEntity
  entityType: Host
kind: Scheduled
query: |
  let threshold = 2;
  CiscoSecureEndpoint
  | where isnotempty(ThreatName)
  | summarize infected = makeset(ThreatName) by DstHostname, bin(TimeGenerated, 10m)
  | where array_length(infected) >= threshold
  | extend HostCustomEntity = DstHostname  
triggerOperator: gt
severity: High
description: |
    'This rule triggers when multiple malware where detected on host.'
triggerThreshold: 0
version: 1.0.0
{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "workspace": {
      "type": "String"
    }
  },
  "resources": [
    {
      "apiVersion": "2024-01-01-preview",
      "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/b13489d7-feb1-4ad3-9a4c-09f6d64448fd')]",
      "kind": "Scheduled",
      "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/b13489d7-feb1-4ad3-9a4c-09f6d64448fd')]",
      "properties": {
        "alertRuleTemplateName": "b13489d7-feb1-4ad3-9a4c-09f6d64448fd",
        "customDetails": null,
        "description": "'This rule triggers when multiple malware where detected on host.'\n",
        "displayName": "Cisco SE - Multiple malware on host",
        "enabled": true,
        "entityMappings": [
          {
            "entityType": "Host",
            "fieldMappings": [
              {
                "columnName": "HostCustomEntity",
                "identifier": "HostName"
              }
            ]
          }
        ],
        "OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Cisco Secure Endpoint/Analytic Rules/CiscoSEMultipleMalwareOnHost.yaml",
        "query": "let threshold = 2;\nCiscoSecureEndpoint\n| where isnotempty(ThreatName)\n| summarize infected = makeset(ThreatName) by DstHostname, bin(TimeGenerated, 10m)\n| where array_length(infected) >= threshold\n| extend HostCustomEntity = DstHostname\n",
        "queryFrequency": "PT1H",
        "queryPeriod": "PT1H",
        "severity": "High",
        "status": "Available",
        "subTechniques": [],
        "suppressionDuration": "PT1H",
        "suppressionEnabled": false,
        "tactics": [
          "InitialAccess"
        ],
        "techniques": [
          "T1133",
          "T1190"
        ],
        "templateVersion": "1.0.0",
        "triggerOperator": "GreaterThan",
        "triggerThreshold": 0
      },
      "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules"
    }
  ]
}