32 строки
885 B
YAML
Executable File
32 строки
885 B
YAML
Executable File
id: 2389de0a-f53f-4a11-b01b-1adce5f26287
|
|
name: Cisco SEG - Insecure protocol
|
|
description: |
|
|
'Query searches for connections with insecure protocol.'
|
|
severity: Medium
|
|
requiredDataConnectors:
|
|
- connectorId: CiscoSEG
|
|
dataTypes:
|
|
- CiscoSEGEvent
|
|
- connectorId: CiscoSEGAma
|
|
dataTypes:
|
|
- CiscoSEGEvent
|
|
- connectorId: CefAma
|
|
dataTypes:
|
|
- CommonSecurityLog
|
|
tactics:
|
|
- Impact
|
|
relevantTechniques:
|
|
- T1565
|
|
query: |
|
|
CiscoSEGEvent
|
|
| where TimeGenerated > ago(24h)
|
|
| where tostring(AdditionalFields) has 'ESATLSOutProtocol'
|
|
| extend tls_status = extract(@'ESATLSOutProtocol":"(.*?)"', 1, tostring(AdditionalFields))
|
|
| where tls_status != 'TLSv1.2'
|
|
| extend AccountCustomEntity = SrcUserName
|
|
entityMappings:
|
|
- entityType: Account
|
|
fieldMappings:
|
|
- identifier: Name
|
|
columnName: AccountCustomEntity
|