Microsoft Sentinel Analytic Rules
cloudbrothers.infoAzure Sentinel RepoToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeBack to homepage

Trend Micro CAS - Threat detected and not blocked

Back
Idc8e2ad52-bd5f-4f74-a2f7-6c3ab8ba687a
RulenameTrend Micro CAS - Threat detected and not blocked
DescriptionDetects when threat was not blocked by CAS solution.
SeverityHigh
TacticsDefenseEvasion
TechniquesT1562
Required data connectorsTrendMicroCAS
KindScheduled
Query frequency10m
Query period10m
Trigger threshold0
Trigger operatorgt
Source Urihttps://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Trend Micro Cloud App Security/Analytic Rules/TrendMicroCASThreatNotBlocked.yaml
Version1.0.1
Arm templatec8e2ad52-bd5f-4f74-a2f7-6c3ab8ba687a.json
Deploy To Azure
TrendMicroCAS
| where isnotempty(SecurityRiskName)
| where EventOriginalResultDetails !has 'Blocked' or EventOriginalResultDetails !has 'Block' or EventOriginalResultDetails !has 'Quarantine' or TriggeredPolicyName has 'Monitor Only'
| extend AccountCustomEntity = DstUserName
name: Trend Micro CAS - Threat detected and not blocked
version: 1.0.1
severity: High
queryFrequency: 10m
triggerOperator: gt
relevantTechniques:
- T1562
status: Available
description: |
    'Detects when threat was not blocked by CAS solution.'
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Trend Micro Cloud App Security/Analytic Rules/TrendMicroCASThreatNotBlocked.yaml
requiredDataConnectors:
- connectorId: TrendMicroCAS
  dataTypes:
  - TrendMicroCAS
entityMappings:
- fieldMappings:
  - identifier: Name
    columnName: AccountCustomEntity
  entityType: Account
tactics:
- DefenseEvasion
queryPeriod: 10m
query: |
  TrendMicroCAS
  | where isnotempty(SecurityRiskName)
  | where EventOriginalResultDetails !has 'Blocked' or EventOriginalResultDetails !has 'Block' or EventOriginalResultDetails !has 'Quarantine' or TriggeredPolicyName has 'Monitor Only'
  | extend AccountCustomEntity = DstUserName  
kind: Scheduled
triggerThreshold: 0
id: c8e2ad52-bd5f-4f74-a2f7-6c3ab8ba687a
{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "workspace": {
      "type": "String"
    }
  },
  "resources": [
    {
      "apiVersion": "2024-01-01-preview",
      "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/c8e2ad52-bd5f-4f74-a2f7-6c3ab8ba687a')]",
      "kind": "Scheduled",
      "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/c8e2ad52-bd5f-4f74-a2f7-6c3ab8ba687a')]",
      "properties": {
        "alertRuleTemplateName": "c8e2ad52-bd5f-4f74-a2f7-6c3ab8ba687a",
        "customDetails": null,
        "description": "'Detects when threat was not blocked by CAS solution.'\n",
        "displayName": "Trend Micro CAS - Threat detected and not blocked",
        "enabled": true,
        "entityMappings": [
          {
            "entityType": "Account",
            "fieldMappings": [
              {
                "columnName": "AccountCustomEntity",
                "identifier": "Name"
              }
            ]
          }
        ],
        "OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Trend Micro Cloud App Security/Analytic Rules/TrendMicroCASThreatNotBlocked.yaml",
        "query": "TrendMicroCAS\n| where isnotempty(SecurityRiskName)\n| where EventOriginalResultDetails !has 'Blocked' or EventOriginalResultDetails !has 'Block' or EventOriginalResultDetails !has 'Quarantine' or TriggeredPolicyName has 'Monitor Only'\n| extend AccountCustomEntity = DstUserName\n",
        "queryFrequency": "PT10M",
        "queryPeriod": "PT10M",
        "severity": "High",
        "status": "Available",
        "subTechniques": [],
        "suppressionDuration": "PT1H",
        "suppressionEnabled": false,
        "tactics": [
          "DefenseEvasion"
        ],
        "techniques": [
          "T1562"
        ],
        "templateVersion": "1.0.1",
        "triggerOperator": "GreaterThan",
        "triggerThreshold": 0
      },
      "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules"
    }
  ]
}