Microsoft Sentinel Analytic Rules
cloudbrothers.infoAzure Sentinel RepoToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeBack to homepage

McAfee ePO - Multiple threats on same host

Back
Idf53e5168-afdb-4fad-b29a-bb9cb71ec460
RulenameMcAfee ePO - Multiple threats on same host
DescriptionRule fires when multiple threat events were detected on the same host.
SeverityMedium
TacticsInitialAccess
Persistence
DefenseEvasion
PrivilegeEscalation
TechniquesT1562
T1070
T1189
T1195
T1543
T1055
Required data connectorsMcAfeeePO
KindScheduled
Query frequency1h
Query period1h
Trigger threshold0
Trigger operatorgt
Source Urihttps://github.com/Azure/Azure-Sentinel/blob/master/Solutions/McAfee ePolicy Orchestrator/Analytic Rules/McAfeeEPOMultipleThreatsSameHost.yaml
Version1.0.0
Arm templatef53e5168-afdb-4fad-b29a-bb9cb71ec460.json
Deploy To Azure
McAfeeEPOEvent
| where isnotempty(ThreatName)
| where ThreatName != '_'
| summarize th_cnt = dcount(ThreatName), th_list = makeset(ThreatName) by DvcIpAddr
| where th_cnt > 1
| extend IPCustomEntity = DvcIpAddr
queryPeriod: 1h
version: 1.0.0
kind: Scheduled
triggerThreshold: 0
relevantTechniques:
- T1562
- T1070
- T1189
- T1195
- T1543
- T1055
triggerOperator: gt
entityMappings:
- fieldMappings:
  - identifier: Address
    columnName: IPCustomEntity
  entityType: IP
query: |
  McAfeeEPOEvent
  | where isnotempty(ThreatName)
  | where ThreatName != '_'
  | summarize th_cnt = dcount(ThreatName), th_list = makeset(ThreatName) by DvcIpAddr
  | where th_cnt > 1
  | extend IPCustomEntity = DvcIpAddr  
name: McAfee ePO - Multiple threats on same host
queryFrequency: 1h
requiredDataConnectors:
- connectorId: McAfeeePO
  dataTypes:
  - Syslog
description: |
    'Rule fires when multiple threat events were detected on the same host.'
status: Available
id: f53e5168-afdb-4fad-b29a-bb9cb71ec460
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/McAfee ePolicy Orchestrator/Analytic Rules/McAfeeEPOMultipleThreatsSameHost.yaml
tactics:
- InitialAccess
- Persistence
- DefenseEvasion
- PrivilegeEscalation
severity: Medium
{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "workspace": {
      "type": "String"
    }
  },
  "resources": [
    {
      "apiVersion": "2023-02-01-preview",
      "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/f53e5168-afdb-4fad-b29a-bb9cb71ec460')]",
      "kind": "Scheduled",
      "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/f53e5168-afdb-4fad-b29a-bb9cb71ec460')]",
      "properties": {
        "alertRuleTemplateName": "f53e5168-afdb-4fad-b29a-bb9cb71ec460",
        "customDetails": null,
        "description": "'Rule fires when multiple threat events were detected on the same host.'\n",
        "displayName": "McAfee ePO - Multiple threats on same host",
        "enabled": true,
        "entityMappings": [
          {
            "entityType": "IP",
            "fieldMappings": [
              {
                "columnName": "IPCustomEntity",
                "identifier": "Address"
              }
            ]
          }
        ],
        "OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/McAfee ePolicy Orchestrator/Analytic Rules/McAfeeEPOMultipleThreatsSameHost.yaml",
        "query": "McAfeeEPOEvent\n| where isnotempty(ThreatName)\n| where ThreatName != '_'\n| summarize th_cnt = dcount(ThreatName), th_list = makeset(ThreatName) by DvcIpAddr\n| where th_cnt > 1\n| extend IPCustomEntity = DvcIpAddr\n",
        "queryFrequency": "PT1H",
        "queryPeriod": "PT1H",
        "severity": "Medium",
        "status": "Available",
        "suppressionDuration": "PT1H",
        "suppressionEnabled": false,
        "tactics": [
          "DefenseEvasion",
          "InitialAccess",
          "Persistence",
          "PrivilegeEscalation"
        ],
        "techniques": [
          "T1055",
          "T1070",
          "T1189",
          "T1195",
          "T1543",
          "T1562"
        ],
        "templateVersion": "1.0.0",
        "triggerOperator": "GreaterThan",
        "triggerThreshold": 0
      },
      "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules"
    }
  ]
}