Microsoft Sentinel Analytic Rules
cloudbrothers.infoAzure Sentinel RepoToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeBack to homepage

CiscoISE - Device changed IP in last 24 hours

Back
Id0c509e9b-121e-4951-9f9b-43722e052b4f
RulenameCiscoISE - Device changed IP in last 24 hours
DescriptionDetects when device changes IP address in last 24 hours.
SeverityMedium
TacticsCommandAndControl
TechniquesT1568
Required data connectorsSyslogAma
KindScheduled
Query frequency1h
Query period1h
Trigger threshold0
Trigger operatorgt
Source Urihttps://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Cisco ISE/Analytic Rules/CiscoISEDeviceChangedIP.yaml
Version1.0.3
Arm template0c509e9b-121e-4951-9f9b-43722e052b4f.json
Deploy To Azure
let lbtime_48h = 48h;
let lbtime_24h = 24h;
CiscoISEEvent
| where TimeGenerated between (ago(lbtime_48h) .. ago(lbtime_24h))
| where notempty(DvcIpAddr) and notempty(DvcHostname)
| summarize knownIPs = make_set(DvcIpAddr) by DvcHostname
| join (CiscoISEEvent
      | where TimeGenerated > ago(lbtime_24h)
      | where notempty(DvcIpAddr) and notempty(DvcHostname)
      | summarize evts = count() by DvcHostname, DvcIpAddr
      | project-away evts) on DvcHostname
| project-away DvcHostname1
| where knownIPs !contains DvcIpAddr
| extend HostCustomEntity = DvcHostname
| extend IPCustomEntity = DvcIpAddr
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Cisco ISE/Analytic Rules/CiscoISEDeviceChangedIP.yaml
query: |
  let lbtime_48h = 48h;
  let lbtime_24h = 24h;
  CiscoISEEvent
  | where TimeGenerated between (ago(lbtime_48h) .. ago(lbtime_24h))
  | where notempty(DvcIpAddr) and notempty(DvcHostname)
  | summarize knownIPs = make_set(DvcIpAddr) by DvcHostname
  | join (CiscoISEEvent
        | where TimeGenerated > ago(lbtime_24h)
        | where notempty(DvcIpAddr) and notempty(DvcHostname)
        | summarize evts = count() by DvcHostname, DvcIpAddr
        | project-away evts) on DvcHostname
  | project-away DvcHostname1
  | where knownIPs !contains DvcIpAddr
  | extend HostCustomEntity = DvcHostname
  | extend IPCustomEntity = DvcIpAddr  
description: |
    'Detects when device changes IP address in last 24 hours.'
severity: Medium
requiredDataConnectors:
- datatypes:
  - Syslog
  connectorId: SyslogAma
name: CiscoISE - Device changed IP in last 24 hours
triggerThreshold: 0
tactics:
- CommandAndControl
version: 1.0.3
relevantTechniques:
- T1568
triggerOperator: gt
entityMappings:
- entityType: Host
  fieldMappings:
  - columnName: HostCustomEntity
    identifier: FullName
- entityType: IP
  fieldMappings:
  - columnName: IPCustomEntity
    identifier: Address
id: 0c509e9b-121e-4951-9f9b-43722e052b4f
status: Available
kind: Scheduled
queryFrequency: 1h
queryPeriod: 1h
{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "workspace": {
      "type": "String"
    }
  },
  "resources": [
    {
      "apiVersion": "2024-01-01-preview",
      "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/0c509e9b-121e-4951-9f9b-43722e052b4f')]",
      "kind": "Scheduled",
      "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/0c509e9b-121e-4951-9f9b-43722e052b4f')]",
      "properties": {
        "alertRuleTemplateName": "0c509e9b-121e-4951-9f9b-43722e052b4f",
        "customDetails": null,
        "description": "'Detects when device changes IP address in last 24 hours.'\n",
        "displayName": "CiscoISE - Device changed IP in last 24 hours",
        "enabled": true,
        "entityMappings": [
          {
            "entityType": "Host",
            "fieldMappings": [
              {
                "columnName": "HostCustomEntity",
                "identifier": "FullName"
              }
            ]
          },
          {
            "entityType": "IP",
            "fieldMappings": [
              {
                "columnName": "IPCustomEntity",
                "identifier": "Address"
              }
            ]
          }
        ],
        "OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Cisco ISE/Analytic Rules/CiscoISEDeviceChangedIP.yaml",
        "query": "let lbtime_48h = 48h;\nlet lbtime_24h = 24h;\nCiscoISEEvent\n| where TimeGenerated between (ago(lbtime_48h) .. ago(lbtime_24h))\n| where notempty(DvcIpAddr) and notempty(DvcHostname)\n| summarize knownIPs = make_set(DvcIpAddr) by DvcHostname\n| join (CiscoISEEvent\n      | where TimeGenerated > ago(lbtime_24h)\n      | where notempty(DvcIpAddr) and notempty(DvcHostname)\n      | summarize evts = count() by DvcHostname, DvcIpAddr\n      | project-away evts) on DvcHostname\n| project-away DvcHostname1\n| where knownIPs !contains DvcIpAddr\n| extend HostCustomEntity = DvcHostname\n| extend IPCustomEntity = DvcIpAddr\n",
        "queryFrequency": "PT1H",
        "queryPeriod": "PT1H",
        "severity": "Medium",
        "status": "Available",
        "subTechniques": [],
        "suppressionDuration": "PT1H",
        "suppressionEnabled": false,
        "tactics": [
          "CommandAndControl"
        ],
        "techniques": [
          "T1568"
        ],
        "templateVersion": "1.0.3",
        "triggerOperator": "GreaterThan",
        "triggerThreshold": 0
      },
      "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules"
    }
  ]
}