Microsoft Sentinel Analytic Rules
cloudbrothers.infoAzure Sentinel RepoToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeBack to homepage

McAfee ePO - Multiple threats on same host

Back
Idf53e5168-afdb-4fad-b29a-bb9cb71ec460
RulenameMcAfee ePO - Multiple threats on same host
DescriptionRule fires when multiple threat events were detected on the same host.
SeverityMedium
TacticsInitialAccess
Persistence
DefenseEvasion
PrivilegeEscalation
TechniquesT1562
T1070
T1189
T1195
T1543
T1055
Required data connectorsMcAfeeePO
KindScheduled
Query frequency1h
Query period1h
Trigger threshold0
Trigger operatorgt
Source Urihttps://github.com/Azure/Azure-Sentinel/blob/master/Solutions/McAfee ePolicy Orchestrator/Analytic Rules/McAfeeEPOMultipleThreatsSameHost.yaml
Version1.0.0
Arm templatef53e5168-afdb-4fad-b29a-bb9cb71ec460.json
Deploy To Azure
McAfeeEPOEvent
| where isnotempty(ThreatName)
| where ThreatName != '_'
| summarize th_cnt = dcount(ThreatName), th_list = makeset(ThreatName) by DvcIpAddr
| where th_cnt > 1
| extend IPCustomEntity = DvcIpAddr
kind: Scheduled
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/McAfee ePolicy Orchestrator/Analytic Rules/McAfeeEPOMultipleThreatsSameHost.yaml
severity: Medium
name: McAfee ePO - Multiple threats on same host
entityMappings:
- entityType: IP
  fieldMappings:
  - columnName: IPCustomEntity
    identifier: Address
relevantTechniques:
- T1562
- T1070
- T1189
- T1195
- T1543
- T1055
queryFrequency: 1h
triggerThreshold: 0
queryPeriod: 1h
description: |
    'Rule fires when multiple threat events were detected on the same host.'
id: f53e5168-afdb-4fad-b29a-bb9cb71ec460
version: 1.0.0
tactics:
- InitialAccess
- Persistence
- DefenseEvasion
- PrivilegeEscalation
query: |
  McAfeeEPOEvent
  | where isnotempty(ThreatName)
  | where ThreatName != '_'
  | summarize th_cnt = dcount(ThreatName), th_list = makeset(ThreatName) by DvcIpAddr
  | where th_cnt > 1
  | extend IPCustomEntity = DvcIpAddr  
status: Available
requiredDataConnectors:
- dataTypes:
  - Syslog
  connectorId: McAfeeePO
triggerOperator: gt
{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "workspace": {
      "type": "String"
    }
  },
  "resources": [
    {
      "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/f53e5168-afdb-4fad-b29a-bb9cb71ec460')]",
      "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/f53e5168-afdb-4fad-b29a-bb9cb71ec460')]",
      "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
      "kind": "Scheduled",
      "apiVersion": "2022-11-01-preview",
      "properties": {
        "displayName": "McAfee ePO - Multiple threats on same host",
        "description": "'Rule fires when multiple threat events were detected on the same host.'\n",
        "severity": "Medium",
        "enabled": true,
        "query": "McAfeeEPOEvent\n| where isnotempty(ThreatName)\n| where ThreatName != '_'\n| summarize th_cnt = dcount(ThreatName), th_list = makeset(ThreatName) by DvcIpAddr\n| where th_cnt > 1\n| extend IPCustomEntity = DvcIpAddr\n",
        "queryFrequency": "PT1H",
        "queryPeriod": "PT1H",
        "triggerOperator": "GreaterThan",
        "triggerThreshold": 0,
        "suppressionDuration": "PT1H",
        "suppressionEnabled": false,
        "tactics": [
          "InitialAccess",
          "Persistence",
          "DefenseEvasion",
          "PrivilegeEscalation"
        ],
        "techniques": [
          "T1562",
          "T1070",
          "T1189",
          "T1195",
          "T1543",
          "T1055"
        ],
        "alertRuleTemplateName": "f53e5168-afdb-4fad-b29a-bb9cb71ec460",
        "customDetails": null,
        "entityMappings": [
          {
            "entityType": "IP",
            "fieldMappings": [
              {
                "identifier": "Address",
                "columnName": "IPCustomEntity"
              }
            ]
          }
        ],
        "OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/McAfee ePolicy Orchestrator/Analytic Rules/McAfeeEPOMultipleThreatsSameHost.yaml",
        "status": "Available",
        "templateVersion": "1.0.0"
      }
    }
  ]
}