CiscoSyslogUTD
| where SignatureId == "Enter SignatureId"
| distinct SignatureId,SourceIP
queryPeriod: 3h
entityMappings:
- fieldMappings:
- columnName: SignatureId
identifier: Key
entityType: RegistryKey
id: 232a1c75-63fc-4c81-8b18-b4a739fccba8
name: Cisco SDWAN - Intrusion Events
kind: Scheduled
status: Available
description: |
'This Analytic rule will monitor Intrusion events in Cisco syslog data based on the provided Signature ID. This will create an incident if that Signature ID is found in the specified time range.'
tactics:
- DefenseEvasion
customDetails:
signatureid: SignatureId
triggerOperator: gt
query: |
CiscoSyslogUTD
| where SignatureId == "Enter SignatureId"
| distinct SignatureId,SourceIP
queryFrequency: 3h
incidentConfiguration:
createIncident: true
triggerThreshold: 0
eventGroupingSettings:
aggregationKind: AlertPerResult
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Cisco SD-WAN/Analytic Rules/CiscoSDWANSentinelIntrusionEvents.yaml
requiredDataConnectors:
- dataTypes:
- CiscoSyslogUTD
connectorId: CiscoSDWAN
version: 1.0.0
severity: High
{
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"parameters": {
"workspace": {
"type": "String"
}
},
"resources": [
{
"apiVersion": "2023-02-01-preview",
"id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/232a1c75-63fc-4c81-8b18-b4a739fccba8')]",
"kind": "Scheduled",
"name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/232a1c75-63fc-4c81-8b18-b4a739fccba8')]",
"properties": {
"alertRuleTemplateName": "232a1c75-63fc-4c81-8b18-b4a739fccba8",
"customDetails": {
"signatureid": "SignatureId"
},
"description": "'This Analytic rule will monitor Intrusion events in Cisco syslog data based on the provided Signature ID. This will create an incident if that Signature ID is found in the specified time range.'\n",
"displayName": "Cisco SDWAN - Intrusion Events",
"enabled": true,
"entityMappings": [
{
"entityType": "RegistryKey",
"fieldMappings": [
{
"columnName": "SignatureId",
"identifier": "Key"
}
]
}
],
"eventGroupingSettings": {
"aggregationKind": "AlertPerResult"
},
"incidentConfiguration": {
"createIncident": true
},
"OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Cisco SD-WAN/Analytic Rules/CiscoSDWANSentinelIntrusionEvents.yaml",
"query": "CiscoSyslogUTD\n| where SignatureId == \"Enter SignatureId\"\n| distinct SignatureId,SourceIP\n",
"queryFrequency": "PT3H",
"queryPeriod": "PT3H",
"severity": "High",
"status": "Available",
"suppressionDuration": "PT1H",
"suppressionEnabled": false,
"tactics": [
"DefenseEvasion"
],
"templateVersion": "1.0.0",
"triggerOperator": "GreaterThan",
"triggerThreshold": 0
},
"type": "Microsoft.OperationalInsights/workspaces/providers/alertRules"
}
]
}