Cisco SE - Generic IOC

Back


Id	bccdbc39-31d3-4e2b-9df2-e4c9eecba825
Rulename	Cisco SE - Generic IOC
Description	This rule is triggered when generic IOC is observed on host.
Severity	High
Tactics	Execution
Techniques	T1204.002
Required data connectors	CiscoSecureEndpoint
Kind	Scheduled
Query frequency	15m
Query period	15m
Trigger threshold	0
Trigger operator	gt
Source Uri	https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Cisco Secure Endpoint/Analytic Rules/CiscoSEGenIoC.yaml
Version	1.0.0
Arm template	bccdbc39-31d3-4e2b-9df2-e4c9eecba825.json

KQL

CiscoSecureEndpoint
| where EventMessage has 'Generic IOC'
| extend HostCustomEntity = DstHostname, MalwareCustomEntity = ThreatName

YAML

queryFrequency: 15m
entityMappings:
- entityType: Host
  fieldMappings:
  - columnName: HostCustomEntity
    identifier: HostName
- entityType: Malware
  fieldMappings:
  - columnName: MalwareCustomEntity
    identifier: Name
severity: High
triggerThreshold: 0
relevantTechniques:
- T1204.002
query: |
  CiscoSecureEndpoint
  | where EventMessage has 'Generic IOC'
  | extend HostCustomEntity = DstHostname, MalwareCustomEntity = ThreatName  
id: bccdbc39-31d3-4e2b-9df2-e4c9eecba825
triggerOperator: gt
version: 1.0.0
requiredDataConnectors:
- connectorId: CiscoSecureEndpoint
  dataTypes:
  - CiscoSecureEndpoint
description: |
    'This rule is triggered when generic IOC is observed on host.'
queryPeriod: 15m
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Cisco Secure Endpoint/Analytic Rules/CiscoSEGenIoC.yaml
status: Available
name: Cisco SE - Generic IOC
tactics:
- Execution
kind: Scheduled

ARM

{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "workspace": {
      "type": "String"
    }
  },
  "resources": [
    {
      "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/bccdbc39-31d3-4e2b-9df2-e4c9eecba825')]",
      "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/bccdbc39-31d3-4e2b-9df2-e4c9eecba825')]",
      "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
      "kind": "Scheduled",
      "apiVersion": "2022-11-01",
      "properties": {
        "displayName": "Cisco SE - Generic IOC",
        "description": "'This rule is triggered when generic IOC is observed on host.'\n",
        "severity": "High",
        "enabled": true,
        "query": "CiscoSecureEndpoint\n| where EventMessage has 'Generic IOC'\n| extend HostCustomEntity = DstHostname, MalwareCustomEntity = ThreatName\n",
        "queryFrequency": "PT15M",
        "queryPeriod": "PT15M",
        "triggerOperator": "GreaterThan",
        "triggerThreshold": 0,
        "suppressionDuration": "PT1H",
        "suppressionEnabled": false,
        "tactics": [
          "Execution"
        ],
        "techniques": [
          "T1204.002"
        ],
        "alertRuleTemplateName": "bccdbc39-31d3-4e2b-9df2-e4c9eecba825",
        "customDetails": null,
        "entityMappings": [
          {
            "entityType": "Host",
            "fieldMappings": [
              {
                "identifier": "HostName",
                "columnName": "HostCustomEntity"
              }
            ]
          },
          {
            "entityType": "Malware",
            "fieldMappings": [
              {
                "identifier": "Name",
                "columnName": "MalwareCustomEntity"
              }
            ]
          }
        ],
        "status": "Available",
        "OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Cisco Secure Endpoint/Analytic Rules/CiscoSEGenIoC.yaml",
        "templateVersion": "1.0.0"
      }
    }
  ]
}