Cisco SDWAN - Intrusion Events
| Id | 232a1c75-63fc-4c81-8b18-b4a739fccba8 |
| Rulename | Cisco SDWAN - Intrusion Events |
| Description | This Analytic rule will monitor Intrusion events in Cisco syslog data based on the provided Signature ID. This will create an incident if that Signature ID is found in the specified time range. |
| Severity | High |
| Tactics | InitialAccess |
| Techniques | T1190 T1189 |
| Required data connectors | CiscoSDWAN |
| Kind | Scheduled |
| Query frequency | 3h |
| Query period | 3h |
| Trigger threshold | 0 |
| Trigger operator | gt |
| Source Uri | https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Cisco SD-WAN/Analytic Rules/CiscoSDWANSentinelIntrusionEvents.yaml |
| Version | 1.0.1 |
| Arm template | 232a1c75-63fc-4c81-8b18-b4a739fccba8.json |
CiscoSyslogUTD
| where SignatureId == "Enter SignatureId"
| distinct SignatureId,SourceIP
triggerOperator: gt
incidentConfiguration:
createIncident: true
queryFrequency: 3h
requiredDataConnectors:
- connectorId: CiscoSDWAN
dataTypes:
- CiscoSyslogUTD
relevantTechniques:
- T1190
- T1189
entityMappings:
- entityType: RegistryKey
fieldMappings:
- identifier: Key
columnName: SignatureId
query: |
CiscoSyslogUTD
| where SignatureId == "Enter SignatureId"
| distinct SignatureId,SourceIP
triggerThreshold: 0
customDetails:
signatureid: SignatureId
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Cisco SD-WAN/Analytic Rules/CiscoSDWANSentinelIntrusionEvents.yaml
queryPeriod: 3h
name: Cisco SDWAN - Intrusion Events
status: Available
kind: Scheduled
description: |
'This Analytic rule will monitor Intrusion events in Cisco syslog data based on the provided Signature ID. This will create an incident if that Signature ID is found in the specified time range.'
id: 232a1c75-63fc-4c81-8b18-b4a739fccba8
version: 1.0.1
eventGroupingSettings:
aggregationKind: AlertPerResult
tactics:
- InitialAccess
severity: High