Cisco SE - Dropper activity on host

Back


Id	b6df3e11-de70-4779-ac9a-276c454a9025
Rulename	Cisco SE - Dropper activity on host
Description	Detects possible dropper activity on host.
Severity	High
Tactics	Execution
Techniques	T1204.002
Required data connectors	CiscoSecureEndpoint
Kind	Scheduled
Query frequency	15m
Query period	15m
Trigger threshold	0
Trigger operator	gt
Source Uri	https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Cisco Secure Endpoint/Analytic Rules/CiscoSEDropperActivity.yaml
Version	1.0.0
Arm template	b6df3e11-de70-4779-ac9a-276c454a9025.json

KQL

CiscoSecureEndpoint
| where EventMessage has 'Potential Dropper Infection'
| extend HostCustomEntity = DstHostname, MalwareCustomEntity = ThreatName

YAML

kind: Scheduled
entityMappings:
- entityType: Host
  fieldMappings:
  - columnName: HostCustomEntity
    identifier: HostName
- entityType: Malware
  fieldMappings:
  - columnName: MalwareCustomEntity
    identifier: Name
description: |
    'Detects possible dropper activity on host.'
severity: High
queryFrequency: 15m
triggerThreshold: 0
relevantTechniques:
- T1204.002
status: Available
tactics:
- Execution
name: Cisco SE - Dropper activity on host
id: b6df3e11-de70-4779-ac9a-276c454a9025
query: |
  CiscoSecureEndpoint
  | where EventMessage has 'Potential Dropper Infection'
  | extend HostCustomEntity = DstHostname, MalwareCustomEntity = ThreatName  
requiredDataConnectors:
- dataTypes:
  - CiscoSecureEndpoint
  connectorId: CiscoSecureEndpoint
version: 1.0.0
triggerOperator: gt
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Cisco Secure Endpoint/Analytic Rules/CiscoSEDropperActivity.yaml
queryPeriod: 15m

ARM

{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "workspace": {
      "type": "String"
    }
  },
  "resources": [
    {
      "apiVersion": "2024-01-01-preview",
      "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/b6df3e11-de70-4779-ac9a-276c454a9025')]",
      "kind": "Scheduled",
      "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/b6df3e11-de70-4779-ac9a-276c454a9025')]",
      "properties": {
        "alertRuleTemplateName": "b6df3e11-de70-4779-ac9a-276c454a9025",
        "customDetails": null,
        "description": "'Detects possible dropper activity on host.'\n",
        "displayName": "Cisco SE - Dropper activity on host",
        "enabled": true,
        "entityMappings": [
          {
            "entityType": "Host",
            "fieldMappings": [
              {
                "columnName": "HostCustomEntity",
                "identifier": "HostName"
              }
            ]
          },
          {
            "entityType": "Malware",
            "fieldMappings": [
              {
                "columnName": "MalwareCustomEntity",
                "identifier": "Name"
              }
            ]
          }
        ],
        "OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Cisco Secure Endpoint/Analytic Rules/CiscoSEDropperActivity.yaml",
        "query": "CiscoSecureEndpoint\n| where EventMessage has 'Potential Dropper Infection'\n| extend HostCustomEntity = DstHostname, MalwareCustomEntity = ThreatName\n",
        "queryFrequency": "PT15M",
        "queryPeriod": "PT15M",
        "severity": "High",
        "status": "Available",
        "subTechniques": [
          "T1204.002"
        ],
        "suppressionDuration": "PT1H",
        "suppressionEnabled": false,
        "tactics": [
          "Execution"
        ],
        "techniques": [
          "T1204"
        ],
        "templateVersion": "1.0.0",
        "triggerOperator": "GreaterThan",
        "triggerThreshold": 0
      },
      "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules"
    }
  ]
}