Microsoft Sentinel Analytic Rules
cloudbrothers.infoAzure Sentinel RepoToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeBack to homepage
  1. Microsoft Sentinel Analytics Rules
  2. /
  3. Analytic Rules
  4. /
  5. Cisco SE - Possible webshell

Cisco SE - Possible webshell

Back
Idd2c97cc9-1ccc-494d-bad4-564700451a2b
RulenameCisco SE - Possible webshell
DescriptionDetects possible webshell on host.
SeverityHigh
TacticsCommandAndControl
TechniquesT1102
Required data connectorsCiscoSecureEndpoint
KindScheduled
Query frequency15m
Query period15m
Trigger threshold0
Trigger operatorgt
Source Urihttps://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Cisco Secure Endpoint/Analytic Rules/CiscoSEWebshell.yaml
Version1.0.0
Arm templated2c97cc9-1ccc-494d-bad4-564700451a2b.json
Deploy To Azure
CiscoSecureEndpoint
| where EventMessage has 'Possible webshell'
| extend HostCustomEntity = DstHostname, MalwareCustomEntity = ThreatName

severity: High
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Cisco Secure Endpoint/Analytic Rules/CiscoSEWebshell.yaml
queryFrequency: 15m
entityMappings:
- entityType: Host
  fieldMappings:
  - columnName: HostCustomEntity
    identifier: HostName
- entityType: Malware
  fieldMappings:
  - columnName: MalwareCustomEntity
    identifier: Name
requiredDataConnectors:
- dataTypes:
  - CiscoSecureEndpoint
  connectorId: CiscoSecureEndpoint
triggerOperator: gt
relevantTechniques:
- T1102
name: Cisco SE - Possible webshell
description: |
    'Detects possible webshell on host.'
triggerThreshold: 0
kind: Scheduled
query: |
  CiscoSecureEndpoint
  | where EventMessage has 'Possible webshell'
  | extend HostCustomEntity = DstHostname, MalwareCustomEntity = ThreatName  
tactics:
- CommandAndControl
version: 1.0.0
queryPeriod: 15m
id: d2c97cc9-1ccc-494d-bad4-564700451a2b
status: Available