| Attribute | Value |
|---|---|
| Publisher | Microsoft Corporation |
| Support Tier | Microsoft |
| Support Link | https://support.microsoft.com |
| Categories | domains |
| Version | 3.0.1 |
| Author | Microsoft - support@microsoft.com |
| First Published | 2023-09-25 |
| Last Updated | 2023-09-25 |
| Solution Folder | Malware Protection Essentials |
| Marketplace | Azure Marketplace · Popularity: 🟡 Low (33%) |
| Pre-requisites | Amazon Web Services, Azure Firewall, Azure Network Security Groups, Check Point, CiscoASA, CiscoMeraki, Corelight, Fortinet FortiGate Next-Generation Firewall connector for Microsoft Sentinel, IoTOTThreatMonitoringwithDefenderforIoT, Microsoft Defender for Cloud, Microsoft Sysmon For Linux, Windows Firewall, PaloAlto-PAN-OS, Vectra AI Stream, Watchguard Firebox, zscaler1579058425289.zscaler_internet_access_mss |
Malware Protection Essentials is a domain solution and does not include any data connectors. The content in this solution requires one of the product solutions listed under Pre-requisites above, as well as any other connector or data source normalized to ASIM.
For details on the required solutions, see the Pre-requisites section above.
Recommendation:
It is highly recommended to use the Summarize data logic app playbook provided with this solution, as it will significantly improve the performance of the Workbook, Analytic rules and Hunting queries.
This solution depends on 14 other solutions (see Pre-requisites above).
This solution does not include its own data connectors but uses the connectors provided by those dependency solutions.
This solution includes 14 content items:
| Content Type | Count |
|---|---|
| Analytic Rules | 6 |
| Hunting Queries | 6 |
| Workbooks | 1 |
| Watchlists | 1 |
Analytic Rules:
| Name | Severity | Tactics | Tables Used |
|---|---|---|---|
| Detect Malicious Usage of Recovery Tools to Delete Backup Files | High | Impact | - |
| Detect Print Processors Registry Driver Key Creation/Modification | Medium | Persistence, PrivilegeEscalation | - |
| Detect Registry Run Key Creation/Modification | Medium | Persistence, PrivilegeEscalation, DefenseEvasion | - |
| Detect Windows Allow Firewall Rule Addition/Modification | Medium | DefenseEvasion | - |
| Detect Windows Update Disabled from Registry | Medium | DefenseEvasion | - |
| Process Creation with Suspicious CommandLine Arguments | Medium | Execution, DefenseEvasion | - |
Hunting Queries:
| Name | Tactics | Tables Used |
|---|---|---|
| Detect File Creation in Startup Folder | Persistence, PrivilegeEscalation, DefenseEvasion | - |
| Detect Files with Ransomware Extensions | Execution, Impact | - |
| Detect Modification to System Files or Directories by User Accounts | DefenseEvasion, Persistence, PrivilegeEscalation | - |
| Detect New Scheduled Task Creation that Run Executables From Non-Standard Location | Execution, PrivilegeEscalation, Persistence | - |
| Detect New Scheduled Task Entry Creations | Execution, PrivilegeEscalation, Persistence | - |
| Executable Files Created in Uncommon Locations | Persistence, PrivilegeEscalation, DefenseEvasion | - |
Workbooks:
| Name | Tables Used |
|---|---|
| MalwareProtectionEssentialsWorkbook | - |
Watchlists:
| Name | Description | Tables Used |
|---|---|---|
| RansomwareFileExtensions | - | - |
Change History:
| Version | Date Modified (DD-MM-YYYY) | Change History |
|---|---|---|
| 3.0.1 | 18-10-2024 | Analytical Rule [Process Creation with Suspicious CommandLine Arguments] |
| 3.0.0 | 21-12-2023 | Initial Solution Release |