Microsoft Sentinel Analytic Rules
cloudbrothers.infoAzure Sentinel RepoToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeBack to homepage
  1. Microsoft Sentinel Analytics Rules
  2. /
  3. Analytic Rules
  4. /
  5. Cisco SE - Dropper activity on host

Cisco SE - Dropper activity on host

Back
Idb6df3e11-de70-4779-ac9a-276c454a9025
RulenameCisco SE - Dropper activity on host
DescriptionDetects possible dropper activity on host.
SeverityHigh
TacticsExecution
TechniquesT1204.002
Required data connectorsCiscoSecureEndpoint
KindScheduled
Query frequency15m
Query period15m
Trigger threshold0
Trigger operatorgt
Source Urihttps://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Cisco Secure Endpoint/Analytic Rules/CiscoSEDropperActivity.yaml
Version1.0.0
Arm templateb6df3e11-de70-4779-ac9a-276c454a9025.json
Deploy To Azure
CiscoSecureEndpoint
| where EventMessage has 'Potential Dropper Infection'
| extend HostCustomEntity = DstHostname, MalwareCustomEntity = ThreatName

id: b6df3e11-de70-4779-ac9a-276c454a9025
query: |
  CiscoSecureEndpoint
  | where EventMessage has 'Potential Dropper Infection'
  | extend HostCustomEntity = DstHostname, MalwareCustomEntity = ThreatName  
description: |
    'Detects possible dropper activity on host.'
requiredDataConnectors:
- connectorId: CiscoSecureEndpoint
  dataTypes:
  - CiscoSecureEndpoint
tactics:
- Execution
status: Available
queryFrequency: 15m
queryPeriod: 15m
triggerOperator: gt
kind: Scheduled
name: Cisco SE - Dropper activity on host
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Cisco Secure Endpoint/Analytic Rules/CiscoSEDropperActivity.yaml
version: 1.0.0
relevantTechniques:
- T1204.002
severity: High
entityMappings:
- fieldMappings:
  - identifier: HostName
    columnName: HostCustomEntity
  entityType: Host
- fieldMappings:
  - identifier: Name
    columnName: MalwareCustomEntity
  entityType: Malware
triggerThreshold: 0