Microsoft Sentinel Analytic Rules
cloudbrothers.infoAzure Sentinel RepoToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeBack to homepage

McAfee ePO - Multiple threats on same host

Back
Idf53e5168-afdb-4fad-b29a-bb9cb71ec460
RulenameMcAfee ePO - Multiple threats on same host
DescriptionRule fires when multiple threat events were detected on the same host.
SeverityMedium
TacticsInitialAccess
Persistence
DefenseEvasion
PrivilegeEscalation
TechniquesT1562
T1070
T1189
T1195
T1543
T1055
Required data connectorsMcAfeeePO
KindScheduled
Query frequency1h
Query period1h
Trigger threshold0
Trigger operatorgt
Source Urihttps://github.com/Azure/Azure-Sentinel/blob/master/Solutions/McAfee ePolicy Orchestrator/Analytic Rules/McAfeeEPOMultipleThreatsSameHost.yaml
Version1.0.0
Arm templatef53e5168-afdb-4fad-b29a-bb9cb71ec460.json
Deploy To Azure
McAfeeEPOEvent
| where isnotempty(ThreatName)
| where ThreatName != '_'
| summarize th_cnt = dcount(ThreatName), th_list = makeset(ThreatName) by DvcIpAddr
| where th_cnt > 1
| extend IPCustomEntity = DvcIpAddr
severity: Medium
triggerThreshold: 0
query: |
  McAfeeEPOEvent
  | where isnotempty(ThreatName)
  | where ThreatName != '_'
  | summarize th_cnt = dcount(ThreatName), th_list = makeset(ThreatName) by DvcIpAddr
  | where th_cnt > 1
  | extend IPCustomEntity = DvcIpAddr  
queryFrequency: 1h
requiredDataConnectors:
- connectorId: McAfeeePO
  dataTypes:
  - Syslog
id: f53e5168-afdb-4fad-b29a-bb9cb71ec460
version: 1.0.0
name: McAfee ePO - Multiple threats on same host
kind: Scheduled
status: Available
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/McAfee ePolicy Orchestrator/Analytic Rules/McAfeeEPOMultipleThreatsSameHost.yaml
queryPeriod: 1h
relevantTechniques:
- T1562
- T1070
- T1189
- T1195
- T1543
- T1055
triggerOperator: gt
tactics:
- InitialAccess
- Persistence
- DefenseEvasion
- PrivilegeEscalation
description: |
    'Rule fires when multiple threat events were detected on the same host.'
entityMappings:
- entityType: IP
  fieldMappings:
  - identifier: Address
    columnName: IPCustomEntity
{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "workspace": {
      "type": "String"
    }
  },
  "resources": [
    {
      "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/f53e5168-afdb-4fad-b29a-bb9cb71ec460')]",
      "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/f53e5168-afdb-4fad-b29a-bb9cb71ec460')]",
      "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
      "kind": "Scheduled",
      "apiVersion": "2022-11-01",
      "properties": {
        "displayName": "McAfee ePO - Multiple threats on same host",
        "description": "'Rule fires when multiple threat events were detected on the same host.'\n",
        "severity": "Medium",
        "enabled": true,
        "query": "McAfeeEPOEvent\n| where isnotempty(ThreatName)\n| where ThreatName != '_'\n| summarize th_cnt = dcount(ThreatName), th_list = makeset(ThreatName) by DvcIpAddr\n| where th_cnt > 1\n| extend IPCustomEntity = DvcIpAddr\n",
        "queryFrequency": "PT1H",
        "queryPeriod": "PT1H",
        "triggerOperator": "GreaterThan",
        "triggerThreshold": 0,
        "suppressionDuration": "PT1H",
        "suppressionEnabled": false,
        "tactics": [
          "InitialAccess",
          "Persistence",
          "DefenseEvasion",
          "PrivilegeEscalation"
        ],
        "techniques": [
          "T1562",
          "T1070",
          "T1189",
          "T1195",
          "T1543",
          "T1055"
        ],
        "alertRuleTemplateName": "f53e5168-afdb-4fad-b29a-bb9cb71ec460",
        "customDetails": null,
        "entityMappings": [
          {
            "fieldMappings": [
              {
                "columnName": "IPCustomEntity",
                "identifier": "Address"
              }
            ],
            "entityType": "IP"
          }
        ],
        "OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/McAfee ePolicy Orchestrator/Analytic Rules/McAfeeEPOMultipleThreatsSameHost.yaml",
        "templateVersion": "1.0.0",
        "status": "Available"
      }
    }
  ]
}