Cisco SDWAN - Intrusion Events

CiscoSyslogUTD
| where SignatureId == "Enter SignatureId"
| distinct SignatureId,SourceIP

severity: High
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Cisco SD-WAN/Analytic Rules/CiscoSDWANSentinelIntrusionEvents.yaml
incidentConfiguration:
  createIncident: true
requiredDataConnectors:
- dataTypes:
  - CiscoSyslogUTD
  connectorId: CiscoSDWAN
id: 232a1c75-63fc-4c81-8b18-b4a739fccba8
tactics:
- DefenseEvasion
queryFrequency: 3h
eventGroupingSettings:
  aggregationKind: AlertPerResult
triggerOperator: gt
customDetails:
  signatureid: SignatureId
description: |
    'This Analytic rule will monitor Intrusion events in Cisco syslog data based on the provided Signature ID. This will create an incident if that Signature ID is found in the specified time range.'
triggerThreshold: 0
kind: Scheduled
name: Cisco SDWAN - Intrusion Events
query: |
  CiscoSyslogUTD
  | where SignatureId == "Enter SignatureId"
  | distinct SignatureId,SourceIP  
entityMappings:
- entityType: RegistryKey
  fieldMappings:
  - columnName: SignatureId
    identifier: Key
status: Available
version: 1.0.0
queryPeriod: 3h

{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "workspace": {
      "type": "String"
    }
  },
  "resources": [
    {
      "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/232a1c75-63fc-4c81-8b18-b4a739fccba8')]",
      "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/232a1c75-63fc-4c81-8b18-b4a739fccba8')]",
      "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
      "kind": "Scheduled",
      "apiVersion": "2022-11-01-preview",
      "properties": {
        "displayName": "Cisco SDWAN - Intrusion Events",
        "description": "'This Analytic rule will monitor Intrusion events in Cisco syslog data based on the provided Signature ID. This will create an incident if that Signature ID is found in the specified time range.'\n",
        "severity": "High",
        "enabled": true,
        "query": "CiscoSyslogUTD\n| where SignatureId == \"Enter SignatureId\"\n| distinct SignatureId,SourceIP\n",
        "queryFrequency": "PT3H",
        "queryPeriod": "PT3H",
        "triggerOperator": "GreaterThan",
        "triggerThreshold": 0,
        "suppressionDuration": "PT1H",
        "suppressionEnabled": false,
        "tactics": [
          "DefenseEvasion"
        ],
        "alertRuleTemplateName": "232a1c75-63fc-4c81-8b18-b4a739fccba8",
        "incidentConfiguration": {
          "createIncident": true
        },
        "eventGroupingSettings": {
          "aggregationKind": "AlertPerResult"
        },
        "customDetails": {
          "signatureid": "SignatureId"
        },
        "entityMappings": [
          {
            "fieldMappings": [
              {
                "identifier": "Key",
                "columnName": "SignatureId"
              }
            ],
            "entityType": "RegistryKey"
          }
        ],
        "status": "Available",
        "templateVersion": "1.0.0",
        "OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Cisco SD-WAN/Analytic Rules/CiscoSDWANSentinelIntrusionEvents.yaml"
      }
    }
  ]
}