Solutions/Trend Micro Cloud App Security/Hunting Queries/TrendMicroCASVAThreats.yaml (25 lines of code) (raw):
id: 5ce1415f-cdea-4740-a481-73c1394248c2
name: Trend Micro CAS - Virtual Analyzer threats
description: |
'Query searches for Virtual Analyzer threats.'
severity: Medium
requiredDataConnectors:
- connectorId: TrendMicroCAS
dataTypes:
- TrendMicroCAS
tactics:
- InitialAccess
relevantTechniques:
- T1566
query: |
TrendMicroCAS
| where TimeGenerated > ago(24h)
| where EventType has 'virtual_analyzer'
| where isnotempty(VirusName)
| project DetectionTime, DstUserName, SrcFileName, RansomwareName
| extend AccountCustomEntity = DstUserName
entityMappings:
- entityType: Account
fieldMappings:
- identifier: Name
columnName: AccountCustomEntity