Cisco SE - Multiple malware on host

Back


Id	b13489d7-feb1-4ad3-9a4c-09f6d64448fd
Rulename	Cisco SE - Multiple malware on host
Description	This rule triggers when multiple malware where detected on host.
Severity	High
Tactics	InitialAccess
Techniques	T1190 T1133
Required data connectors	CiscoSecureEndpoint
Kind	Scheduled
Query frequency	1h
Query period	1h
Trigger threshold	0
Trigger operator	gt
Source Uri	https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Cisco Secure Endpoint/Analytic Rules/CiscoSEMultipleMalwareOnHost.yaml
Version	1.0.0
Arm template	b13489d7-feb1-4ad3-9a4c-09f6d64448fd.json

KQL

let threshold = 2;
CiscoSecureEndpoint
| where isnotempty(ThreatName)
| summarize infected = makeset(ThreatName) by DstHostname, bin(TimeGenerated, 10m)
| where array_length(infected) >= threshold
| extend HostCustomEntity = DstHostname

YAML

status: Available
queryFrequency: 1h
queryPeriod: 1h
triggerOperator: gt
query: |
  let threshold = 2;
  CiscoSecureEndpoint
  | where isnotempty(ThreatName)
  | summarize infected = makeset(ThreatName) by DstHostname, bin(TimeGenerated, 10m)
  | where array_length(infected) >= threshold
  | extend HostCustomEntity = DstHostname  
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Cisco Secure Endpoint/Analytic Rules/CiscoSEMultipleMalwareOnHost.yaml
tactics:
- InitialAccess
triggerThreshold: 0
entityMappings:
- entityType: Host
  fieldMappings:
  - identifier: HostName
    columnName: HostCustomEntity
requiredDataConnectors:
- connectorId: CiscoSecureEndpoint
  dataTypes:
  - CiscoSecureEndpoint
kind: Scheduled
relevantTechniques:
- T1190
- T1133
description: |
    'This rule triggers when multiple malware where detected on host.'
name: Cisco SE - Multiple malware on host
version: 1.0.0
id: b13489d7-feb1-4ad3-9a4c-09f6d64448fd
severity: High

ARM