Cisco SDWAN - Intrusion Events

CiscoSyslogUTD
| where SignatureId == "Enter SignatureId"
| distinct SignatureId,SourceIP

customDetails:
  signatureid: SignatureId
triggerOperator: gt
queryFrequency: 3h
description: |
    'This Analytic rule will monitor Intrusion events in Cisco syslog data based on the provided Signature ID. This will create an incident if that Signature ID is found in the specified time range.'
status: Available
kind: Scheduled
triggerThreshold: 0
requiredDataConnectors:
- connectorId: CiscoSDWAN
  dataTypes:
  - CiscoSyslogUTD
incidentConfiguration:
  createIncident: true
version: 1.0.0
eventGroupingSettings:
  aggregationKind: AlertPerResult
queryPeriod: 3h
name: Cisco SDWAN - Intrusion Events
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Cisco SD-WAN/Analytic Rules/CiscoSDWANSentinelIntrusionEvents.yaml
id: 232a1c75-63fc-4c81-8b18-b4a739fccba8
tactics:
- DefenseEvasion
severity: High
entityMappings:
- fieldMappings:
  - identifier: Key
    columnName: SignatureId
  entityType: RegistryKey
query: |
  CiscoSyslogUTD
  | where SignatureId == "Enter SignatureId"
  | distinct SignatureId,SourceIP  

{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "workspace": {
      "type": "String"
    }
  },
  "resources": [
    {
      "apiVersion": "2023-02-01-preview",
      "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/232a1c75-63fc-4c81-8b18-b4a739fccba8')]",
      "kind": "Scheduled",
      "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/232a1c75-63fc-4c81-8b18-b4a739fccba8')]",
      "properties": {
        "alertRuleTemplateName": "232a1c75-63fc-4c81-8b18-b4a739fccba8",
        "customDetails": {
          "signatureid": "SignatureId"
        },
        "description": "'This Analytic rule will monitor Intrusion events in Cisco syslog data based on the provided Signature ID. This will create an incident if that Signature ID is found in the specified time range.'\n",
        "displayName": "Cisco SDWAN - Intrusion Events",
        "enabled": true,
        "entityMappings": [
          {
            "entityType": "RegistryKey",
            "fieldMappings": [
              {
                "columnName": "SignatureId",
                "identifier": "Key"
              }
            ]
          }
        ],
        "eventGroupingSettings": {
          "aggregationKind": "AlertPerResult"
        },
        "incidentConfiguration": {
          "createIncident": true
        },
        "OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Cisco SD-WAN/Analytic Rules/CiscoSDWANSentinelIntrusionEvents.yaml",
        "query": "CiscoSyslogUTD\n| where SignatureId == \"Enter SignatureId\"\n| distinct SignatureId,SourceIP\n",
        "queryFrequency": "PT3H",
        "queryPeriod": "PT3H",
        "severity": "High",
        "status": "Available",
        "suppressionDuration": "PT1H",
        "suppressionEnabled": false,
        "tactics": [
          "DefenseEvasion"
        ],
        "templateVersion": "1.0.0",
        "triggerOperator": "GreaterThan",
        "triggerThreshold": 0
      },
      "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules"
    }
  ]
}