Microsoft Sentinel Analytic Rules
cloudbrothers.infoAzure Sentinel RepoToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeBack to homepage

Trend Micro CAS - Threat detected and not blocked

Back
Idc8e2ad52-bd5f-4f74-a2f7-6c3ab8ba687a
RulenameTrend Micro CAS - Threat detected and not blocked
DescriptionDetects when threat was not blocked by CAS solution.
SeverityHigh
TacticsDefenseEvasion
TechniquesT1562
Required data connectorsTrendMicroCAS
KindScheduled
Query frequency10m
Query period10m
Trigger threshold0
Trigger operatorgt
Source Urihttps://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Trend Micro Cloud App Security/Analytic Rules/TrendMicroCASThreatNotBlocked.yaml
Version1.0.1
Arm templatec8e2ad52-bd5f-4f74-a2f7-6c3ab8ba687a.json
Deploy To Azure
TrendMicroCAS
| where isnotempty(SecurityRiskName)
| where EventOriginalResultDetails !has 'Blocked' or EventOriginalResultDetails !has 'Block' or EventOriginalResultDetails !has 'Quarantine' or TriggeredPolicyName has 'Monitor Only'
| extend AccountCustomEntity = DstUserName
queryFrequency: 10m
triggerOperator: gt
tactics:
- DefenseEvasion
description: |
    'Detects when threat was not blocked by CAS solution.'
status: Available
relevantTechniques:
- T1562
name: Trend Micro CAS - Threat detected and not blocked
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Trend Micro Cloud App Security/Analytic Rules/TrendMicroCASThreatNotBlocked.yaml
severity: High
triggerThreshold: 0
version: 1.0.1
entityMappings:
- entityType: Account
  fieldMappings:
  - identifier: Name
    columnName: AccountCustomEntity
query: |
  TrendMicroCAS
  | where isnotempty(SecurityRiskName)
  | where EventOriginalResultDetails !has 'Blocked' or EventOriginalResultDetails !has 'Block' or EventOriginalResultDetails !has 'Quarantine' or TriggeredPolicyName has 'Monitor Only'
  | extend AccountCustomEntity = DstUserName  
id: c8e2ad52-bd5f-4f74-a2f7-6c3ab8ba687a
requiredDataConnectors:
- connectorId: TrendMicroCAS
  dataTypes:
  - TrendMicroCAS
kind: Scheduled
queryPeriod: 10m
{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "workspace": {
      "type": "String"
    }
  },
  "resources": [
    {
      "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/c8e2ad52-bd5f-4f74-a2f7-6c3ab8ba687a')]",
      "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/c8e2ad52-bd5f-4f74-a2f7-6c3ab8ba687a')]",
      "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
      "kind": "Scheduled",
      "apiVersion": "2022-11-01",
      "properties": {
        "displayName": "Trend Micro CAS - Threat detected and not blocked",
        "description": "'Detects when threat was not blocked by CAS solution.'\n",
        "severity": "High",
        "enabled": true,
        "query": "TrendMicroCAS\n| where isnotempty(SecurityRiskName)\n| where EventOriginalResultDetails !has 'Blocked' or EventOriginalResultDetails !has 'Block' or EventOriginalResultDetails !has 'Quarantine' or TriggeredPolicyName has 'Monitor Only'\n| extend AccountCustomEntity = DstUserName\n",
        "queryFrequency": "PT10M",
        "queryPeriod": "PT10M",
        "triggerOperator": "GreaterThan",
        "triggerThreshold": 0,
        "suppressionDuration": "PT1H",
        "suppressionEnabled": false,
        "tactics": [
          "DefenseEvasion"
        ],
        "techniques": [
          "T1562"
        ],
        "alertRuleTemplateName": "c8e2ad52-bd5f-4f74-a2f7-6c3ab8ba687a",
        "customDetails": null,
        "entityMappings": [
          {
            "entityType": "Account",
            "fieldMappings": [
              {
                "identifier": "Name",
                "columnName": "AccountCustomEntity"
              }
            ]
          }
        ],
        "OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Trend Micro Cloud App Security/Analytic Rules/TrendMicroCASThreatNotBlocked.yaml",
        "status": "Available",
        "templateVersion": "1.0.1"
      }
    }
  ]
}