Microsoft Sentinel Analytic Rules
cloudbrothers.infoAzure Sentinel RepoToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeBack to homepage
  1. Microsoft Sentinel Analytics Rules
  2. /
  3. Analytic Rules
  4. /
  5. CiscoISE - Device changed IP in last 24 hours

CiscoISE - Device changed IP in last 24 hours

Back
Id0c509e9b-121e-4951-9f9b-43722e052b4f
RulenameCiscoISE - Device changed IP in last 24 hours
DescriptionDetects when device changes IP address in last 24 hours.
SeverityMedium
TacticsCommandAndControl
TechniquesT1568
Required data connectorsSyslogAma
KindScheduled
Query frequency1h
Query period1h
Trigger threshold0
Trigger operatorgt
Source Urihttps://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Cisco ISE/Analytic Rules/CiscoISEDeviceChangedIP.yaml
Version1.0.3
Arm template0c509e9b-121e-4951-9f9b-43722e052b4f.json
Deploy To Azure
let lbtime_48h = 48h;
let lbtime_24h = 24h;
CiscoISEEvent
| where TimeGenerated between (ago(lbtime_48h) .. ago(lbtime_24h))
| where notempty(DvcIpAddr) and notempty(DvcHostname)
| summarize knownIPs = make_set(DvcIpAddr) by DvcHostname
| join (CiscoISEEvent
      | where TimeGenerated > ago(lbtime_24h)
      | where notempty(DvcIpAddr) and notempty(DvcHostname)
      | summarize evts = count() by DvcHostname, DvcIpAddr
      | project-away evts) on DvcHostname
| project-away DvcHostname1
| where knownIPs !contains DvcIpAddr
| extend HostCustomEntity = DvcHostname
| extend IPCustomEntity = DvcIpAddr

relevantTechniques:
- T1568
entityMappings:
- entityType: Host
  fieldMappings:
  - columnName: HostCustomEntity
    identifier: FullName
- entityType: IP
  fieldMappings:
  - columnName: IPCustomEntity
    identifier: Address
version: 1.0.3
id: 0c509e9b-121e-4951-9f9b-43722e052b4f
severity: Medium
kind: Scheduled
queryFrequency: 1h
description: |
    'Detects when device changes IP address in last 24 hours.'
requiredDataConnectors:
- connectorId: SyslogAma
  datatypes:
  - Syslog
triggerOperator: gt
name: CiscoISE - Device changed IP in last 24 hours
tactics:
- CommandAndControl
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Cisco ISE/Analytic Rules/CiscoISEDeviceChangedIP.yaml
triggerThreshold: 0
queryPeriod: 1h
query: |
  let lbtime_48h = 48h;
  let lbtime_24h = 24h;
  CiscoISEEvent
  | where TimeGenerated between (ago(lbtime_48h) .. ago(lbtime_24h))
  | where notempty(DvcIpAddr) and notempty(DvcHostname)
  | summarize knownIPs = make_set(DvcIpAddr) by DvcHostname
  | join (CiscoISEEvent
        | where TimeGenerated > ago(lbtime_24h)
        | where notempty(DvcIpAddr) and notempty(DvcHostname)
        | summarize evts = count() by DvcHostname, DvcIpAddr
        | project-away evts) on DvcHostname
  | project-away DvcHostname1
  | where knownIPs !contains DvcIpAddr
  | extend HostCustomEntity = DvcHostname
  | extend IPCustomEntity = DvcIpAddr  
status: Available