Cisco SE - Generic IOC

Back


Id	bccdbc39-31d3-4e2b-9df2-e4c9eecba825
Rulename	Cisco SE - Generic IOC
Description	This rule is triggered when generic IOC is observed on host.
Severity	High
Tactics	Execution
Techniques	T1204.002
Required data connectors	CiscoSecureEndpoint
Kind	Scheduled
Query frequency	15m
Query period	15m
Trigger threshold	0
Trigger operator	gt
Source Uri	https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Cisco Secure Endpoint/Analytic Rules/CiscoSEGenIoC.yaml
Version	1.0.0
Arm template	bccdbc39-31d3-4e2b-9df2-e4c9eecba825.json

KQL

CiscoSecureEndpoint
| where EventMessage has 'Generic IOC'
| extend HostCustomEntity = DstHostname, MalwareCustomEntity = ThreatName

YAML

triggerOperator: gt
version: 1.0.0
query: |
  CiscoSecureEndpoint
  | where EventMessage has 'Generic IOC'
  | extend HostCustomEntity = DstHostname, MalwareCustomEntity = ThreatName  
status: Available
entityMappings:
- entityType: Host
  fieldMappings:
  - columnName: HostCustomEntity
    identifier: HostName
- entityType: Malware
  fieldMappings:
  - columnName: MalwareCustomEntity
    identifier: Name
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Cisco Secure Endpoint/Analytic Rules/CiscoSEGenIoC.yaml
queryFrequency: 15m
requiredDataConnectors:
- connectorId: CiscoSecureEndpoint
  dataTypes:
  - CiscoSecureEndpoint
name: Cisco SE - Generic IOC
queryPeriod: 15m
severity: High
kind: Scheduled
tactics:
- Execution
id: bccdbc39-31d3-4e2b-9df2-e4c9eecba825
description: |
    'This rule is triggered when generic IOC is observed on host.'
relevantTechniques:
- T1204.002
triggerThreshold: 0

ARM

{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "workspace": {
      "type": "String"
    }
  },
  "resources": [
    {
      "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/bccdbc39-31d3-4e2b-9df2-e4c9eecba825')]",
      "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/bccdbc39-31d3-4e2b-9df2-e4c9eecba825')]",
      "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
      "kind": "Scheduled",
      "apiVersion": "2022-11-01-preview",
      "properties": {
        "displayName": "Cisco SE - Generic IOC",
        "description": "'This rule is triggered when generic IOC is observed on host.'\n",
        "severity": "High",
        "enabled": true,
        "query": "CiscoSecureEndpoint\n| where EventMessage has 'Generic IOC'\n| extend HostCustomEntity = DstHostname, MalwareCustomEntity = ThreatName\n",
        "queryFrequency": "PT15M",
        "queryPeriod": "PT15M",
        "triggerOperator": "GreaterThan",
        "triggerThreshold": 0,
        "suppressionDuration": "PT1H",
        "suppressionEnabled": false,
        "tactics": [
          "Execution"
        ],
        "techniques": [
          "T1204.002"
        ],
        "alertRuleTemplateName": "bccdbc39-31d3-4e2b-9df2-e4c9eecba825",
        "customDetails": null,
        "entityMappings": [
          {
            "fieldMappings": [
              {
                "columnName": "HostCustomEntity",
                "identifier": "HostName"
              }
            ],
            "entityType": "Host"
          },
          {
            "fieldMappings": [
              {
                "columnName": "MalwareCustomEntity",
                "identifier": "Name"
              }
            ],
            "entityType": "Malware"
          }
        ],
        "OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Cisco Secure Endpoint/Analytic Rules/CiscoSEGenIoC.yaml",
        "status": "Available",
        "templateVersion": "1.0.0"
      }
    }
  ]
}