Cisco SE - Unexpected binary file

Back


Id	eabb9c20-7b0b-4a77-81e8-b06944f351c6
Rulename	Cisco SE - Unexpected binary file
Description	Detects binary files in uncommon locations.
Severity	Medium
Tactics	InitialAccess
Techniques	T1190 T1133
Required data connectors	CiscoSecureEndpoint
Kind	Scheduled
Query frequency	1h
Query period	1h
Trigger threshold	0
Trigger operator	gt
Source Uri	https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Cisco Secure Endpoint/Analytic Rules/CiscoSEUnexpectedBinary.yaml
Version	1.0.0
Arm template	eabb9c20-7b0b-4a77-81e8-b06944f351c6.json

KQL

CiscoSecureEndpoint
| where isnotempty(SrcFileName)
| where SrcFilePath contains @'AppData\Local\Temp' or SrcFilePath contains @'OUTLOOK_TEMP'
| extend ext = extract(@"(.*\/)?(.*)", 2, tostring(SrcFilePath))
| where ext contains 'dll' or ext contains @'ps1' or ext contains @'exe'
| extend HostCustomEntity = DstHostname

YAML

description: |
    'Detects binary files in uncommon locations.'
kind: Scheduled
tactics:
- InitialAccess
requiredDataConnectors:
- connectorId: CiscoSecureEndpoint
  dataTypes:
  - CiscoSecureEndpoint
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Cisco Secure Endpoint/Analytic Rules/CiscoSEUnexpectedBinary.yaml
severity: Medium
name: Cisco SE - Unexpected binary file
triggerThreshold: 0
queryPeriod: 1h
query: |
  CiscoSecureEndpoint
  | where isnotempty(SrcFileName)
  | where SrcFilePath contains @'AppData\Local\Temp' or SrcFilePath contains @'OUTLOOK_TEMP'
  | extend ext = extract(@"(.*\/)?(.*)", 2, tostring(SrcFilePath))
  | where ext contains 'dll' or ext contains @'ps1' or ext contains @'exe'
  | extend HostCustomEntity = DstHostname  
relevantTechniques:
- T1190
- T1133
id: eabb9c20-7b0b-4a77-81e8-b06944f351c6
queryFrequency: 1h
status: Available
triggerOperator: gt
version: 1.0.0
entityMappings:
- entityType: Host
  fieldMappings:
  - columnName: HostCustomEntity
    identifier: HostName

ARM