CiscoISE - Device changed IP in last 24 hours

Back


Id	0c509e9b-121e-4951-9f9b-43722e052b4f
Rulename	CiscoISE - Device changed IP in last 24 hours
Description	Detects when device changes IP address in last 24 hours.
Severity	Medium
Tactics	CommandAndControl
Techniques	T1568
Required data connectors	CiscoISE SyslogAma
Kind	Scheduled
Query frequency	1h
Query period	1h
Trigger threshold	0
Trigger operator	gt
Source Uri	https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Cisco ISE/Analytic Rules/CiscoISEDeviceChangedIP.yaml
Version	1.0.2
Arm template	0c509e9b-121e-4951-9f9b-43722e052b4f.json

KQL

let lbtime_48h = 48h;
let lbtime_24h = 24h;
CiscoISEEvent
| where TimeGenerated between (ago(lbtime_48h) .. ago(lbtime_24h))
| where notempty(DvcIpAddr) and notempty(DvcHostname)
| summarize knownIPs = make_set(DvcIpAddr) by DvcHostname
| join (CiscoISEEvent
      | where TimeGenerated > ago(lbtime_24h)
      | where notempty(DvcIpAddr) and notempty(DvcHostname)
      | summarize evts = count() by DvcHostname, DvcIpAddr
      | project-away evts) on DvcHostname
| project-away DvcHostname1
| where knownIPs !contains DvcIpAddr
| extend HostCustomEntity = DvcHostname
| extend IPCustomEntity = DvcIpAddr

YAML

relevantTechniques:
- T1568
name: CiscoISE - Device changed IP in last 24 hours
requiredDataConnectors:
- dataTypes:
  - Syslog
  connectorId: CiscoISE
- datatypes:
  - Syslog
  connectorId: SyslogAma
entityMappings:
- fieldMappings:
  - identifier: FullName
    columnName: HostCustomEntity
  entityType: Host
- fieldMappings:
  - identifier: Address
    columnName: IPCustomEntity
  entityType: IP
triggerThreshold: 0
id: 0c509e9b-121e-4951-9f9b-43722e052b4f
tactics:
- CommandAndControl
version: 1.0.2
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Cisco ISE/Analytic Rules/CiscoISEDeviceChangedIP.yaml
queryPeriod: 1h
kind: Scheduled
queryFrequency: 1h
severity: Medium
status: Available
description: |
    'Detects when device changes IP address in last 24 hours.'
query: |
  let lbtime_48h = 48h;
  let lbtime_24h = 24h;
  CiscoISEEvent
  | where TimeGenerated between (ago(lbtime_48h) .. ago(lbtime_24h))
  | where notempty(DvcIpAddr) and notempty(DvcHostname)
  | summarize knownIPs = make_set(DvcIpAddr) by DvcHostname
  | join (CiscoISEEvent
        | where TimeGenerated > ago(lbtime_24h)
        | where notempty(DvcIpAddr) and notempty(DvcHostname)
        | summarize evts = count() by DvcHostname, DvcIpAddr
        | project-away evts) on DvcHostname
  | project-away DvcHostname1
  | where knownIPs !contains DvcIpAddr
  | extend HostCustomEntity = DvcHostname
  | extend IPCustomEntity = DvcIpAddr  
triggerOperator: gt

ARM

{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "workspace": {
      "type": "String"
    }
  },
  "resources": [
    {
      "apiVersion": "2024-01-01-preview",
      "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/0c509e9b-121e-4951-9f9b-43722e052b4f')]",
      "kind": "Scheduled",
      "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/0c509e9b-121e-4951-9f9b-43722e052b4f')]",
      "properties": {
        "alertRuleTemplateName": "0c509e9b-121e-4951-9f9b-43722e052b4f",
        "customDetails": null,
        "description": "'Detects when device changes IP address in last 24 hours.'\n",
        "displayName": "CiscoISE - Device changed IP in last 24 hours",
        "enabled": true,
        "entityMappings": [
          {
            "entityType": "Host",
            "fieldMappings": [
              {
                "columnName": "HostCustomEntity",
                "identifier": "FullName"
              }
            ]
          },
          {
            "entityType": "IP",
            "fieldMappings": [
              {
                "columnName": "IPCustomEntity",
                "identifier": "Address"
              }
            ]
          }
        ],
        "OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Cisco ISE/Analytic Rules/CiscoISEDeviceChangedIP.yaml",
        "query": "let lbtime_48h = 48h;\nlet lbtime_24h = 24h;\nCiscoISEEvent\n| where TimeGenerated between (ago(lbtime_48h) .. ago(lbtime_24h))\n| where notempty(DvcIpAddr) and notempty(DvcHostname)\n| summarize knownIPs = make_set(DvcIpAddr) by DvcHostname\n| join (CiscoISEEvent\n      | where TimeGenerated > ago(lbtime_24h)\n      | where notempty(DvcIpAddr) and notempty(DvcHostname)\n      | summarize evts = count() by DvcHostname, DvcIpAddr\n      | project-away evts) on DvcHostname\n| project-away DvcHostname1\n| where knownIPs !contains DvcIpAddr\n| extend HostCustomEntity = DvcHostname\n| extend IPCustomEntity = DvcIpAddr\n",
        "queryFrequency": "PT1H",
        "queryPeriod": "PT1H",
        "severity": "Medium",
        "status": "Available",
        "subTechniques": [],
        "suppressionDuration": "PT1H",
        "suppressionEnabled": false,
        "tactics": [
          "CommandAndControl"
        ],
        "techniques": [
          "T1568"
        ],
        "templateVersion": "1.0.2",
        "triggerOperator": "GreaterThan",
        "triggerThreshold": 0
      },
      "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules"
    }
  ]
}