Cisco SE - Generic IOC

Back


Id	bccdbc39-31d3-4e2b-9df2-e4c9eecba825
Rulename	Cisco SE - Generic IOC
Description	This rule is triggered when generic IOC is observed on host.
Severity	High
Tactics	Execution
Techniques	T1204.002
Required data connectors	CiscoSecureEndpoint
Kind	Scheduled
Query frequency	15m
Query period	15m
Trigger threshold	0
Trigger operator	gt
Source Uri	https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Cisco Secure Endpoint/Analytic Rules/CiscoSEGenIoC.yaml
Version	1.0.0
Arm template	bccdbc39-31d3-4e2b-9df2-e4c9eecba825.json

KQL

CiscoSecureEndpoint
| where EventMessage has 'Generic IOC'
| extend HostCustomEntity = DstHostname, MalwareCustomEntity = ThreatName

YAML

queryPeriod: 15m
version: 1.0.0
kind: Scheduled
triggerThreshold: 0
relevantTechniques:
- T1204.002
triggerOperator: gt
entityMappings:
- fieldMappings:
  - identifier: HostName
    columnName: HostCustomEntity
  entityType: Host
- fieldMappings:
  - identifier: Name
    columnName: MalwareCustomEntity
  entityType: Malware
query: |
  CiscoSecureEndpoint
  | where EventMessage has 'Generic IOC'
  | extend HostCustomEntity = DstHostname, MalwareCustomEntity = ThreatName  
name: Cisco SE - Generic IOC
queryFrequency: 15m
requiredDataConnectors:
- connectorId: CiscoSecureEndpoint
  dataTypes:
  - CiscoSecureEndpoint
description: |
    'This rule is triggered when generic IOC is observed on host.'
status: Available
id: bccdbc39-31d3-4e2b-9df2-e4c9eecba825
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Cisco Secure Endpoint/Analytic Rules/CiscoSEGenIoC.yaml
tactics:
- Execution
severity: High

ARM

{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "workspace": {
      "type": "String"
    }
  },
  "resources": [
    {
      "apiVersion": "2023-02-01-preview",
      "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/bccdbc39-31d3-4e2b-9df2-e4c9eecba825')]",
      "kind": "Scheduled",
      "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/bccdbc39-31d3-4e2b-9df2-e4c9eecba825')]",
      "properties": {
        "alertRuleTemplateName": "bccdbc39-31d3-4e2b-9df2-e4c9eecba825",
        "customDetails": null,
        "description": "'This rule is triggered when generic IOC is observed on host.'\n",
        "displayName": "Cisco SE - Generic IOC",
        "enabled": true,
        "entityMappings": [
          {
            "entityType": "Host",
            "fieldMappings": [
              {
                "columnName": "HostCustomEntity",
                "identifier": "HostName"
              }
            ]
          },
          {
            "entityType": "Malware",
            "fieldMappings": [
              {
                "columnName": "MalwareCustomEntity",
                "identifier": "Name"
              }
            ]
          }
        ],
        "OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Cisco Secure Endpoint/Analytic Rules/CiscoSEGenIoC.yaml",
        "query": "CiscoSecureEndpoint\n| where EventMessage has 'Generic IOC'\n| extend HostCustomEntity = DstHostname, MalwareCustomEntity = ThreatName\n",
        "queryFrequency": "PT15M",
        "queryPeriod": "PT15M",
        "severity": "High",
        "status": "Available",
        "suppressionDuration": "PT1H",
        "suppressionEnabled": false,
        "tactics": [
          "Execution"
        ],
        "techniques": [
          "T1204"
        ],
        "templateVersion": "1.0.0",
        "triggerOperator": "GreaterThan",
        "triggerThreshold": 0
      },
      "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules"
    }
  ]
}