Microsoft Sentinel Analytic Rules
cloudbrothers.infoAzure Sentinel RepoToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeBack to homepage
  1. Microsoft Sentinel Analytics Rules
  2. /
  3. Analytic Rules
  4. /
  5. Cisco SE - Generic IOC

Cisco SE - Generic IOC

Back
Idbccdbc39-31d3-4e2b-9df2-e4c9eecba825
RulenameCisco SE - Generic IOC
DescriptionThis rule is triggered when generic IOC is observed on host.
SeverityHigh
TacticsExecution
TechniquesT1204.002
Required data connectorsCiscoSecureEndpoint
KindScheduled
Query frequency15m
Query period15m
Trigger threshold0
Trigger operatorgt
Source Urihttps://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Cisco Secure Endpoint/Analytic Rules/CiscoSEGenIoC.yaml
Version1.0.0
Arm templatebccdbc39-31d3-4e2b-9df2-e4c9eecba825.json
Deploy To Azure
CiscoSecureEndpoint
| where EventMessage has 'Generic IOC'
| extend HostCustomEntity = DstHostname, MalwareCustomEntity = ThreatName

relevantTechniques:
- T1204.002
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Cisco Secure Endpoint/Analytic Rules/CiscoSEGenIoC.yaml
query: |
  CiscoSecureEndpoint
  | where EventMessage has 'Generic IOC'
  | extend HostCustomEntity = DstHostname, MalwareCustomEntity = ThreatName  
description: |
    'This rule is triggered when generic IOC is observed on host.'
requiredDataConnectors:
- connectorId: CiscoSecureEndpoint
  dataTypes:
  - CiscoSecureEndpoint
triggerOperator: gt
entityMappings:
- entityType: Host
  fieldMappings:
  - columnName: HostCustomEntity
    identifier: HostName
- entityType: Malware
  fieldMappings:
  - columnName: MalwareCustomEntity
    identifier: Name
name: Cisco SE - Generic IOC
queryPeriod: 15m
triggerThreshold: 0
id: bccdbc39-31d3-4e2b-9df2-e4c9eecba825
status: Available
kind: Scheduled
severity: High
queryFrequency: 15m
tactics:
- Execution
version: 1.0.0