Microsoft Sentinel Analytic Rules

CiscoISE - Device changed IP in last 24 hours

Id: 0c509e9b-121e-4951-9f9b-43722e052b4f
Rule name: CiscoISE - Device changed IP in last 24 hours
Description: Detects when a device changes its IP address within the last 24 hours.
Severity: Medium
Tactics: CommandAndControl
Techniques: T1568
Required data connectors: CiscoISE, SyslogAma
Kind: Scheduled
Query frequency: 1h
Query period: 1h
Trigger threshold: 0
Trigger operator: gt
Source Uri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Cisco ISE/Analytic Rules/CiscoISEDeviceChangedIP.yaml
Version: 1.0.2
Arm template: 0c509e9b-121e-4951-9f9b-43722e052b4f.json
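// Flags hosts whose IP address seen in the last 24h is not in the set of IPs
// seen for that same host in the 24h..48h baseline window.
// Hosts with no baseline rows (first seen less than 24h ago) are dropped by the
// inner join below, so a brand-new host never alerts on its own.
let lbtime_48h = 48h;
let lbtime_24h = 24h;
// NOTE(review): the rule metadata declares queryPeriod 1h while this query reads
// 48h of data via ago(); confirm the scheduler does not clip the lookback, or
// the baseline set will be empty.
CiscoISEEvent
| where TimeGenerated between (ago(lbtime_48h) .. ago(lbtime_24h))
| where notempty(DvcIpAddr) and notempty(DvcHostname)
| summarize knownIPs = make_set(DvcIpAddr) by DvcHostname
// Left side is already one row per DvcHostname, so kind=inner is equivalent to
// the default innerunique; stating it makes the intent explicit.
| join kind=inner (CiscoISEEvent
      | where TimeGenerated > ago(lbtime_24h)
      | where notempty(DvcIpAddr) and notempty(DvcHostname)
      // distinct host/IP pairs; the original count() was discarded anyway
      | distinct DvcHostname, DvcIpAddr) on DvcHostname
// join duplicates the right-side key as DvcHostname1
| project-away DvcHostname1
// knownIPs is a dynamic array. `!contains` would run a substring test over its
// JSON text, so 10.0.0.1 was treated as "known" whenever 10.0.0.10 (or
// 110.0.0.1) had been seen, silently dropping true positives. Test set
// membership instead.
| where not(set_has_element(knownIPs, DvcIpAddr))
| extend HostCustomEntity = DvcHostname
| extend IPCustomEntity = DvcIpAddr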
kind: Scheduled
relevantTechniques:
- T1568
description: |
    'Detects when device changes IP address in last 24 hours.'
queryPeriod: 1h
queryFrequency: 1h
tactics:
- CommandAndControl
name: CiscoISE - Device changed IP in last 24 hours
requiredDataConnectors:
- connectorId: CiscoISE
  dataTypes:
  - Syslog
- connectorId: SyslogAma
  dataTypes:
  - Syslog
entityMappings:
- entityType: Host
  fieldMappings:
  - identifier: FullName
    columnName: HostCustomEntity
- entityType: IP
  fieldMappings:
  - identifier: Address
    columnName: IPCustomEntity
triggerThreshold: 0
version: 1.0.2
id: 0c509e9b-121e-4951-9f9b-43722e052b4f
query: |
  let lbtime_48h = 48h;
  let lbtime_24h = 24h;
  CiscoISEEvent
  | where TimeGenerated between (ago(lbtime_48h) .. ago(lbtime_24h))
  | where notempty(DvcIpAddr) and notempty(DvcHostname)
  | summarize knownIPs = make_set(DvcIpAddr) by DvcHostname
  | join (CiscoISEEvent
        | where TimeGenerated > ago(lbtime_24h)
        | where notempty(DvcIpAddr) and notempty(DvcHostname)
        | summarize evts = count() by DvcHostname, DvcIpAddr
        | project-away evts) on DvcHostname
  | project-away DvcHostname1
  | where knownIPs !contains DvcIpAddr
  | extend HostCustomEntity = DvcHostname
  | extend IPCustomEntity = DvcIpAddr  
status: Available
triggerOperator: gt
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Cisco ISE/Analytic Rules/CiscoISEDeviceChangedIP.yaml
severity: Medium
{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "workspace": {
      "type": "String"
    }
  },
  "resources": [
    {
      "apiVersion": "2024-01-01-preview",
      "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/0c509e9b-121e-4951-9f9b-43722e052b4f')]",
      "kind": "Scheduled",
      "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/0c509e9b-121e-4951-9f9b-43722e052b4f')]",
      "properties": {
        "alertRuleTemplateName": "0c509e9b-121e-4951-9f9b-43722e052b4f",
        "customDetails": null,
        "description": "'Detects when device changes IP address in last 24 hours.'\n",
        "displayName": "CiscoISE - Device changed IP in last 24 hours",
        "enabled": true,
        "entityMappings": [
          {
            "entityType": "Host",
            "fieldMappings": [
              {
                "columnName": "HostCustomEntity",
                "identifier": "FullName"
              }
            ]
          },
          {
            "entityType": "IP",
            "fieldMappings": [
              {
                "columnName": "IPCustomEntity",
                "identifier": "Address"
              }
            ]
          }
        ],
        "OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Cisco ISE/Analytic Rules/CiscoISEDeviceChangedIP.yaml",
        "query": "let lbtime_48h = 48h;\nlet lbtime_24h = 24h;\nCiscoISEEvent\n| where TimeGenerated between (ago(lbtime_48h) .. ago(lbtime_24h))\n| where notempty(DvcIpAddr) and notempty(DvcHostname)\n| summarize knownIPs = make_set(DvcIpAddr) by DvcHostname\n| join (CiscoISEEvent\n      | where TimeGenerated > ago(lbtime_24h)\n      | where notempty(DvcIpAddr) and notempty(DvcHostname)\n      | summarize evts = count() by DvcHostname, DvcIpAddr\n      | project-away evts) on DvcHostname\n| project-away DvcHostname1\n| where knownIPs !contains DvcIpAddr\n| extend HostCustomEntity = DvcHostname\n| extend IPCustomEntity = DvcIpAddr\n",
        "queryFrequency": "PT1H",
        "queryPeriod": "PT1H",
        "severity": "Medium",
        "status": "Available",
        "subTechniques": [],
        "suppressionDuration": "PT1H",
        "suppressionEnabled": false,
        "tactics": [
          "CommandAndControl"
        ],
        "techniques": [
          "T1568"
        ],
        "templateVersion": "1.0.2",
        "triggerOperator": "GreaterThan",
        "triggerThreshold": 0
      },
      "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules"
    }
  ]
}