McAfeeEPO - updated rules and queries

2021-03-09 16:38:10 +02:00 · 2021-03-09 16:38:10 +02:00 · 2b0ae495e1
--- a/Detections/McAfeeePO/McAfeeEPOAgentHandlerDown.yaml
+++ b/Detections/McAfeeePO/McAfeeEPOAgentHandlerDown.yaml
@ -7,17 +7,15 @@ requiredDataConnectors:
  - connectorId: McAfeeePO
    dataTypes:
      - Syslog
-queryFrequency: 30m
-queryPeriod: 30m
+queryFrequency: 1h
+queryPeriod: 1h
 triggerOperator: gt
 triggerThreshold: 0
 tactics:
  - DefenseEvasion
  - CommandAndControl
 query: |
-  let lbtime = 30m;
  McAfeeEPOEvent
-  | where TimeGenerated > ago(lbtime)
  | where EventId in ('16025')
  | extend IPCustomEntity = DvcIpAddr, HostCustomEntity = DvcHostname
 entityMappings:
--- a/Detections/McAfeeePO/McAfeeEPOAlertError.yaml
+++ b/Detections/McAfeeePO/McAfeeEPOAlertError.yaml
@ -7,16 +7,14 @@ requiredDataConnectors:
  - connectorId: McAfeeePO
    dataTypes:
      - Syslog
-queryFrequency: 15m
-queryPeriod: 15m
+queryFrequency: 1h
+queryPeriod: 1h
 triggerOperator: gt
 triggerThreshold: 0
 tactics:
  - DefenseEvasion
 query: |
-  let lbtime = 15m;
  McAfeeEPOEvent
-  | where TimeGenerated > ago(lbtime)
  | where EventId in ('1062')
  | extend IPCustomEntity = DvcIpAddr
 entityMappings:
--- a/Detections/McAfeeePO/McAfeeEPOAttemptUninstallAgent.yaml
+++ b/Detections/McAfeeePO/McAfeeEPOAttemptUninstallAgent.yaml
@ -1,22 +1,20 @@
 id: 2eff5809-bf84-48e0-8288-768689672c37
 name: McAfee ePO - Attempt uninstall McAfee agent
 description: |
-  'Detects when attempts uninstall McAfee agent.'
+  'Detects attempts uninstalling McAfee agent on host.'
 severity: Medium
 requiredDataConnectors:
  - connectorId: McAfeeePO
    dataTypes:
      - Syslog
-queryFrequency: 15m
-queryPeriod: 15m
+queryFrequency: 1h
+queryPeriod: 1h
 triggerOperator: gt
 triggerThreshold: 0
 tactics:
  - DefenseEvasion
 query: |
-  let lbtime = 15m;
  McAfeeEPOEvent
-  | where TimeGenerated > ago(lbtime)
  | where EventId in ('2413')
  | extend IPCustomEntity = DvcIpAddr, HostCustomEntity = DvcHostname
 entityMappings:
--- a/Detections/McAfeeePO/McAfeeEPODeploymentFailed.yaml
+++ b/Detections/McAfeeePO/McAfeeEPODeploymentFailed.yaml
@ -1,22 +1,20 @@
 id: 155243f4-d962-4717-8a7b-b15b6d112660
 name: McAfee ePO - Deployment failed
 description: |
-  'Detects when error sending alert occurs.'
+  'Detects when errors occur during deployment new changes/policies.'
 severity: High
 requiredDataConnectors:
  - connectorId: McAfeeePO
    dataTypes:
      - Syslog
-queryFrequency: 1h
-queryPeriod: 1h
+queryFrequency: 6h
+queryPeriod: 6h
 triggerOperator: gt
 triggerThreshold: 0
 tactics:
  - DefenseEvasion
 query: |
-  let lbtime = 1h;
  McAfeeEPOEvent
-  | where TimeGenerated > ago(lbtime)
  | where EventId in ('2412')
  | extend IPCustomEntity = DvcIpAddr, HostCustomEntity = DvcHostname
 entityMappings:
--- a/Detections/McAfeeePO/McAfeeEPOExceptionAdded.yaml
+++ b/Detections/McAfeeePO/McAfeeEPOExceptionAdded.yaml
@ -1,22 +1,20 @@
 id: b9d9fdfe-bc17-45ce-a70d-67a5cfd119f4
 name: McAfee ePO - File added to exceptions
 description: |
-  'Detects when file was added to exceptions.'
+  'Detects when file was added to exception list on a host.'
 severity: Medium
 requiredDataConnectors:
  - connectorId: McAfeeePO
    dataTypes:
      - Syslog
-queryFrequency: 5m
-queryPeriod: 5m
+queryFrequency: 1h
+queryPeriod: 1h
 triggerOperator: gt
 triggerThreshold: 0
 tactics:
  - DefenseEvasion
 query: |
-  let lbtime = 5m;
  McAfeeEPOEvent
-  | where TimeGenerated > ago(lbtime)
  | where EventId in ('1029', '2005', '2015')
  | project DvcIpAddr, DstFileName
  | extend IPCustomEntity = DvcIpAddr
--- a/Detections/McAfeeePO/McAfeeEPOFirewallDisabled.yaml
+++ b/Detections/McAfeeePO/McAfeeEPOFirewallDisabled.yaml
@ -7,17 +7,15 @@ requiredDataConnectors:
  - connectorId: McAfeeePO
    dataTypes:
      - Syslog
-queryFrequency: 10m
-queryPeriod: 10m
+queryFrequency: 1h
+queryPeriod: 1h
 triggerOperator: gt
 triggerThreshold: 0
 tactics:
  - DefenseEvasion
  - CommandAndControl
 query: |
-  let lbtime = 10m;
  McAfeeEPOEvent
-  | where TimeGenerated > ago(lbtime)
  | where EventId in ('35009')
  | extend IPCustomEntity = DvcIpAddr, HostCustomEntity = DvcHostname
 entityMappings:
--- a/Detections/McAfeeePO/McAfeeEPOLoggingError.yaml
+++ b/Detections/McAfeeePO/McAfeeEPOLoggingError.yaml
@ -1,22 +1,20 @@
 id: 0c9243d6-d2ec-48e1-8593-e713859c8f3c
 name: McAfee ePO - Logging error occurred
 description: |
-  'Detects when logging error occured on agent.'
+  'Detects when logging errors on agent.'
 severity: Medium
 requiredDataConnectors:
  - connectorId: McAfeeePO
    dataTypes:
      - Syslog
-queryFrequency: 5m
-queryPeriod: 5m
+queryFrequency: 1h
+queryPeriod: 1h
 triggerOperator: gt
 triggerThreshold: 0
 tactics:
  - DefenseEvasion
 query: |
-  let lbtime = 5m;
  McAfeeEPOEvent
-  | where TimeGenerated > ago(lbtime)
  | where EventId in ('1040', '1076', '3032', '3033', '3034', '3036', '3038')
  | extend EventMessage = case(EventId == '1040', 'Activity Log error',
                                EventId == '1076', 'Error logging information',
--- a/Detections/McAfeeePO/McAfeeEPOMultipleThreatsSameHost.yaml
+++ b/Detections/McAfeeePO/McAfeeEPOMultipleThreatsSameHost.yaml
@ -1,14 +1,14 @@
 id: f53e5168-afdb-4fad-b29a-bb9cb71ec460
 name: McAfee ePO - Multiple threats on same host
 description: |
-  'Rule fires when multiple threats were detected on the same host.'
+  'Rule fires when multiple threat events were detected on the same host.'
 severity: Medium
 requiredDataConnectors:
  - connectorId: McAfeeePO
    dataTypes:
      - Syslog
-queryFrequency: 30m
-queryPeriod: 30m
+queryFrequency: 1h
+queryPeriod: 1h
 triggerOperator: gt
 triggerThreshold: 0
 tactics:
@ -18,9 +18,7 @@ tactics:
  - PrivilegeEscalation
  - CommandAndControl
 query: |
-  let lbtime = 30m;
  McAfeeEPOEvent
-  | where TimeGenerated > ago(lbtime)
  | where isnotempty(ThreatName)
  | where ThreatName != '_'
  | summarize th_cnt = dcount(ThreatName), th_list = makeset(ThreatName) by DvcIpAddr
@ -30,4 +28,4 @@ entityMappings:
  - entityType: IP
    fieldMappings:
      - identifier: Address
-        columnName: IPCustomEntity
+        columnName: IPCustomEntity
--- a/Detections/McAfeeePO/McAfeeEPOScanningEngineDisabled.yaml
+++ b/Detections/McAfeeePO/McAfeeEPOScanningEngineDisabled.yaml
@ -7,17 +7,15 @@ requiredDataConnectors:
  - connectorId: McAfeeePO
    dataTypes:
      - Syslog
-queryFrequency: 5m
-queryPeriod: 5m
+queryFrequency: 1h
+queryPeriod: 1h
 triggerOperator: gt
 triggerThreshold: 0
 tactics:
  - DefenseEvasion
  - CommandAndControl
 query: |
-  let lbtime = 5m;
  McAfeeEPOEvent
-  | where TimeGenerated > ago(lbtime)
  | where EventId in ('1127')
  | extend IPCustomEntity = DvcIpAddr, HostCustomEntity = DvcHostname
 entityMappings:
--- a/Detections/McAfeeePO/McAfeeEPOSpamEmail.yaml
+++ b/Detections/McAfeeePO/McAfeeEPOSpamEmail.yaml
@ -1,22 +1,20 @@
 id: ffc9052b-3658-4ad4-9003-0151515fde15
 name: McAfee ePO - Spam Email detected
 description: |
-  'Detects when spam email events.'
+  'Detects when email was marked as spam.'
 severity: Medium
 requiredDataConnectors:
  - connectorId: McAfeeePO
    dataTypes:
      - Syslog
-queryFrequency: 5m
-queryPeriod: 5m
+queryFrequency: 1h
+queryPeriod: 1h
 triggerOperator: gt
 triggerThreshold: 0
 tactics:
  - InitialAccess
 query: |
-  let lbtime = 5m;
  McAfeeEPOEvent
-  | where TimeGenerated > ago(lbtime)
  | where EventId in ('4650')
  | extend IPCustomEntity = DvcIpAddr, HostCustomEntity = DvcHostname
 entityMappings:
--- a/Detections/McAfeeePO/McAfeeEPOTaskError.yaml
+++ b/Detections/McAfeeePO/McAfeeEPOTaskError.yaml
@ -1,22 +1,20 @@
 id: 3e397e31-7964-417e-a3e0-0acfaa2056f4
 name: McAfee ePO - Task error
 description: |
-  'Detects when task error occured.'
+  'Detects when task error occurs.'
 severity: Medium
 requiredDataConnectors:
  - connectorId: McAfeeePO
    dataTypes:
      - Syslog
-queryFrequency: 30m
-queryPeriod: 30m
+queryFrequency: 1h
+queryPeriod: 1h
 triggerOperator: gt
 triggerThreshold: 0
 tactics:
  - DefenseEvasion
 query: |
-  let lbtime = 30m;
  McAfeeEPOEvent
-  | where TimeGenerated > ago(lbtime)
  | where EventId in ('1003', '1067')
  | extend EventMessage = case(EventId == '1003', 'Error starting Task',
                                'Unable to start scheduled task')
--- a/Detections/McAfeeePO/McAfeeEPOThreatNotBlocked.yaml
+++ b/Detections/McAfeeePO/McAfeeEPOThreatNotBlocked.yaml
@ -1,14 +1,14 @@
 id: 6d70a26a-c119-45b7-b4c6-44ac4fd1bcb7
 name: McAfee ePO - Threat was not blocked
 description: |
-  'Detects when a threat was not blocked.'
-severity: Medium
+  'Detects when a threat was not blocked on a host.'
+severity: High
 requiredDataConnectors:
  - connectorId: McAfeeePO
    dataTypes:
      - Syslog
-queryFrequency: 5m
-queryPeriod: 5m
+queryFrequency: 15m
+queryPeriod: 15m
 triggerOperator: gt
 triggerThreshold: 0
 tactics:
@ -16,9 +16,7 @@ tactics:
  - PrivilegeEscalation
  - DefenseEvasion
 query: |
-  let lbtime = 5m;
  McAfeeEPOEvent
-  | where TimeGenerated > ago(lbtime)
  | where ThreatActionTaken in~ ('none', 'IDS_ACTION_WOULD_BLOCK')
  | extend IPCustomEntity = DvcIpAddr
 entityMappings:
--- a/Detections/McAfeeePO/McAfeeEPOUnableCleanDeleteInfectedFile.yaml
+++ b/Detections/McAfeeePO/McAfeeEPOUnableCleanDeleteInfectedFile.yaml
@ -7,16 +7,14 @@ requiredDataConnectors:
  - connectorId: McAfeeePO
    dataTypes:
      - Syslog
-queryFrequency: 10m
-queryPeriod: 10m
+queryFrequency: 1h
+queryPeriod: 1h
 triggerOperator: gt
 triggerThreshold: 0
 tactics:
  - DefenseEvasion
 query: |
-  let lbtime = 10m;
  McAfeeEPOEvent
-  | where TimeGenerated > ago(lbtime)
  | where EventId in ('1026', '1028', '1298', '1310', '1055', '2002', '2004', '2009')
  | extend EventMessage = case(EventId == '1026', 'Unable to clean infected file',
                                EventId == '1028', 'Unable to delete infected file',
--- a/Detections/McAfeeePO/McAfeeEPOUpdateFailed.yaml
+++ b/Detections/McAfeeePO/McAfeeEPOUpdateFailed.yaml
@ -1,7 +1,7 @@
 id: 4f0c91c3-1690-48f0-b538-4282dd5417a4
 name: McAfee ePO - Update failed
 description: |
-  'Detects when update failed event occurs.'
+  'Detects when update failed event occurs on agent.'
 severity: Medium
 requiredDataConnectors:
  - connectorId: McAfeeePO
@ -14,9 +14,7 @@ triggerThreshold: 0
 tactics:
  - DefenseEvasion
 query: |
-  let lbtime = 1h;
  McAfeeEPOEvent
-  | where TimeGenerated > ago(lbtime)
  | where EventId in ('2402', '1119', '1123')
  | extend IPCustomEntity = DvcIpAddr, HostCustomEntity = DvcHostname
 entityMappings:
@ -26,5 +24,5 @@ entityMappings:
        columnName: IPCustomEntity
  - entityType: Host
    fieldMappings:
-      - identifier: FullName
+      - identifier: Fullname
        columnName: HostCustomEntity
--- a/Queries/McAfeeePO/McAfeeEPOAgentErrors.yaml
+++ b/Queries/McAfeeePO/McAfeeEPOAgentErrors.yaml
@ -25,4 +25,9 @@ query: |
                                EventId == '3020', "Invalid virus signature files",
                                "Scan engine error")
  | project DvcIpAddr, EventId, EventMessage
-  
+  | extend IPCustomEntity = DvcIpAddr
+entityMappings:
+  - entityType: IP
+    fieldMappings:
+      - identifier: Address
+        columnName: IPCustomEntity
--- a/Queries/McAfeeePO/McAfeeEPOApplicationsBlocked.yaml
+++ b/Queries/McAfeeePO/McAfeeEPOApplicationsBlocked.yaml
@ -17,4 +17,9 @@ query: |
  | extend Reason = case(EventId == '18002', "Application blocked",
                        "Application contained")
  | project DvcIpAddr, DstFileName
-  
+  | extend IPCustomEntity = DvcIpAddr
+entityMappings:
+  - entityType: IP
+    fieldMappings:
+      - identifier: Address
+        columnName: IPCustomEntity
--- a/Queries/McAfeeePO/McAfeeEPOEmailThreats.yaml
+++ b/Queries/McAfeeePO/McAfeeEPOEmailThreats.yaml
@ -29,4 +29,9 @@ query: |
                                EventId == '1513', "Mail virus quarantined and cleaned",
                                "Mail virus quarantined (not cleaned)")
  | project DvcIpAddr, EventId, EventMessage
-  
+  | extend IPCustomEntity = DvcIpAddr
+entityMappings:
+  - entityType: IP
+    fieldMappings:
+      - identifier: Address
+        columnName: IPCustomEntity
--- a/Queries/McAfeeePO/McAfeeEPOInfectedFiles.yaml
+++ b/Queries/McAfeeePO/McAfeeEPOInfectedFiles.yaml
@ -15,4 +15,9 @@ query: |
  | where EventId in ('1024', '1053', '2000', '3004')
  | summarize ['Infected Files List'] = makeset(DstFileName) by DvcIpAddr
  | project DvcIpAddr, ['Infected Files List']
-  
+  | extend IPCustomEntity = DvcIpAddr
+entityMappings:
+  - entityType: IP
+    fieldMappings:
+      - identifier: Address
+        columnName: IPCustomEntity
--- a/Queries/McAfeeePO/McAfeeEPOInfectedSystems.yaml
+++ b/Queries/McAfeeePO/McAfeeEPOInfectedSystems.yaml
@ -14,4 +14,9 @@ query: |
  | where TimeGenerated > ago(lbtime)
  | where EventId in ('1038', '3043')
  | project DvcIpAddr, DvcHostname
-  
+  | extend IPCustomEntity = DvcIpAddr
+entityMappings:
+  - entityType: IP
+    fieldMappings:
+      - identifier: Address
+        columnName: IPCustomEntity
--- a/Queries/McAfeeePO/McAfeeEPOLongTermInfectedSystems.yaml
+++ b/Queries/McAfeeePO/McAfeeEPOLongTermInfectedSystems.yaml
@ -30,4 +30,10 @@ query: |
  | join (clean_systems
            | extend tmp_key = 1) on tmp_key
  | where  LastScanTimeInfected > LastScanTimeClean or DvcIpAddr !in (clean_systems2)
-  | project LastScanTimeInfected, DvcIpAddr
+  | project LastScanTimeInfected, DvcIpAddr
+  | extend IPCustomEntity = DvcIpAddr
+entityMappings:
+  - entityType: IP
+    fieldMappings:
+      - identifier: Address
+        columnName: IPCustomEntity
--- a/Queries/McAfeeePO/McAfeeEPOMultipleThreats.yaml
+++ b/Queries/McAfeeePO/McAfeeEPOMultipleThreats.yaml
@ -18,4 +18,9 @@ query: |
  | summarize th_cnt = makeset(ThreatName) by DvcIpAddr
  | where array_len(ThreatList) > threshold
  | project DvcIpAddr, ThreatList
-  
+  | extend IPCustomEntity = DvcIpAddr
+entityMappings:
+  - entityType: IP
+    fieldMappings:
+      - identifier: Address
+        columnName: IPCustomEntity
--- a/Queries/McAfeeePO/McAfeeEPOObjectsNotScanned.yaml
+++ b/Queries/McAfeeePO/McAfeeEPOObjectsNotScanned.yaml
@ -18,4 +18,9 @@ query: |
                                EventId == '34925', "The object was not scanned because the scanner does not have enough rights to read it",
                                "The object was not scanned because the file size exceeds the configured maximum file size to scan")
  | project DvcIpAddr, EventId, Reason, DstFileName
-  
+  | extend IPCustomEntity = DvcIpAddr
+entityMappings:
+  - entityType: IP
+    fieldMappings:
+      - identifier: Address
+        columnName: IPCustomEntity
--- a/Queries/McAfeeePO/McAfeeEPOScanErrors.yaml
+++ b/Queries/McAfeeePO/McAfeeEPOScanErrors.yaml
@ -26,4 +26,9 @@ query: |
                                EventId == '3054', "Centralized Alerting - Scan reported an internal application error",
                                "Centralized Alerting - Scan reports memory allocation error")
  | project DvcIpAddr, EventId, Reason
-  
+  | extend IPCustomEntity = DvcIpAddr
+entityMappings:
+  - entityType: IP
+    fieldMappings:
+      - identifier: Address
+        columnName: IPCustomEntity
--- a/Queries/McAfeeePO/McAfeeEPOThreatNotBlocked.yaml
+++ b/Queries/McAfeeePO/McAfeeEPOThreatNotBlocked.yaml
@ -26,4 +26,9 @@ query: |
                                EventId == '35111', "Adaptive Threat Protection Would Contain",
                                "Adaptive Threat Protection Would Block Source")
  | project DvcIpAddr, EventId, EventMessage
-  
+  | extend IPCustomEntity = DvcIpAddr
+entityMappings:
+  - entityType: IP
+    fieldMappings:
+      - identifier: Address
+        columnName: IPCustomEntity