Microsoft Sentinel Analytic Rules
cloudbrothers.infoAzure Sentinel RepoToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeBack to homepage

McAfee ePO - Multiple threats on same host

Back
Idf53e5168-afdb-4fad-b29a-bb9cb71ec460
RulenameMcAfee ePO - Multiple threats on same host
DescriptionRule fires when multiple threat events were detected on the same host.
SeverityMedium
TacticsInitialAccess
Persistence
DefenseEvasion
PrivilegeEscalation
TechniquesT1562
T1070
T1189
T1195
T1543
T1055
Required data connectorsSyslogAma
KindScheduled
Query frequency1h
Query period1h
Trigger threshold0
Trigger operatorgt
Source Urihttps://github.com/Azure/Azure-Sentinel/blob/master/Solutions/McAfee ePolicy Orchestrator/Analytic Rules/McAfeeEPOMultipleThreatsSameHost.yaml
Version1.0.2
Arm templatef53e5168-afdb-4fad-b29a-bb9cb71ec460.json
Deploy To Azure
McAfeeEPOEvent
| where isnotempty(ThreatName)
| where ThreatName != '_'
| summarize th_cnt = dcount(ThreatName), th_list = makeset(ThreatName) by DvcIpAddr
| where th_cnt > 1
| extend IPCustomEntity = DvcIpAddr
description: |
    'Rule fires when multiple threat events were detected on the same host.'
id: f53e5168-afdb-4fad-b29a-bb9cb71ec460
requiredDataConnectors:
- connectorId: SyslogAma
  datatypes:
  - Syslog
version: 1.0.2
relevantTechniques:
- T1562
- T1070
- T1189
- T1195
- T1543
- T1055
tactics:
- InitialAccess
- Persistence
- DefenseEvasion
- PrivilegeEscalation
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/McAfee ePolicy Orchestrator/Analytic Rules/McAfeeEPOMultipleThreatsSameHost.yaml
kind: Scheduled
severity: Medium
entityMappings:
- fieldMappings:
  - columnName: IPCustomEntity
    identifier: Address
  entityType: IP
triggerThreshold: 0
queryFrequency: 1h
status: Available
queryPeriod: 1h
triggerOperator: gt
query: |
  McAfeeEPOEvent
  | where isnotempty(ThreatName)
  | where ThreatName != '_'
  | summarize th_cnt = dcount(ThreatName), th_list = makeset(ThreatName) by DvcIpAddr
  | where th_cnt > 1
  | extend IPCustomEntity = DvcIpAddr  
name: McAfee ePO - Multiple threats on same host
{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "workspace": {
      "type": "String"
    }
  },
  "resources": [
    {
      "apiVersion": "2024-01-01-preview",
      "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/f53e5168-afdb-4fad-b29a-bb9cb71ec460')]",
      "kind": "Scheduled",
      "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/f53e5168-afdb-4fad-b29a-bb9cb71ec460')]",
      "properties": {
        "alertRuleTemplateName": "f53e5168-afdb-4fad-b29a-bb9cb71ec460",
        "customDetails": null,
        "description": "'Rule fires when multiple threat events were detected on the same host.'\n",
        "displayName": "McAfee ePO - Multiple threats on same host",
        "enabled": true,
        "entityMappings": [
          {
            "entityType": "IP",
            "fieldMappings": [
              {
                "columnName": "IPCustomEntity",
                "identifier": "Address"
              }
            ]
          }
        ],
        "OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/McAfee ePolicy Orchestrator/Analytic Rules/McAfeeEPOMultipleThreatsSameHost.yaml",
        "query": "McAfeeEPOEvent\n| where isnotempty(ThreatName)\n| where ThreatName != '_'\n| summarize th_cnt = dcount(ThreatName), th_list = makeset(ThreatName) by DvcIpAddr\n| where th_cnt > 1\n| extend IPCustomEntity = DvcIpAddr\n",
        "queryFrequency": "PT1H",
        "queryPeriod": "PT1H",
        "severity": "Medium",
        "status": "Available",
        "subTechniques": [],
        "suppressionDuration": "PT1H",
        "suppressionEnabled": false,
        "tactics": [
          "DefenseEvasion",
          "InitialAccess",
          "Persistence",
          "PrivilegeEscalation"
        ],
        "techniques": [
          "T1055",
          "T1070",
          "T1189",
          "T1195",
          "T1543",
          "T1562"
        ],
        "templateVersion": "1.0.2",
        "triggerOperator": "GreaterThan",
        "triggerThreshold": 0
      },
      "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules"
    }
  ]
}