Link Search Menu Expand Document

AMPThreatAlert

ID: 100012

Description:

AMP Threat Detected

Repository: Group: AMP Type: event

Default Status:

Enabled

Tags:  
AMP Cisco
   

Selector:

Query:

@source:AMP

Filters:

Field MUST hit
@amp.event_type Threat Detected
Field MUST NOT hit
@amp.file.file_name PSAUTO.exe

Behavior Rule:

Key Type Behavior Category
@amp.computer.hostname asset security alert

Risks:

Risks Base Score Dimension
ALERT_END_POINT 800 alert

Attributes:

Alias Key
AgentID @amp.connector_guid
Severity @amp.severity
Hostname @amp.computer.hostname
Detection @amp.detection
FileName @amp.file.file_name
FilePath @amp.file.file_path
Username @amp.computer.user
SHA256 @amp.file.identity.sha256

Correlation Rules:

First Occurrence:

Name Window Fields
NewAsset 10 days @amp.connector_guid
  Risks: ML_NEW_ASSET
NewFile 10 days @amp.file.identity.sha256
  Risks: ML_NEW_FILE

History:

| User | Date | | :— | :— | | — | — |

This page was automatically created/formatted on Wed, 2022 May 4 21:43:53 EDT, from rule_dump.json (4d88bffdfb1cea26b3985f2193033606)