Cisco SDWAN - Intrusion Events
Id | 232a1c75-63fc-4c81-8b18-b4a739fccba8 |
Rulename | Cisco SDWAN - Intrusion Events |
Description | This Analytic rule will monitor Intrusion events in Cisco syslog data based on the provided Signature ID. This will create an incident if that Signature ID is found in the specified time range. |
Severity | High |
Tactics | InitialAccess |
Techniques | T1190 T1189 |
Required data connectors | CiscoSDWAN |
Kind | Scheduled |
Query frequency | 3h |
Query period | 3h |
Trigger threshold | 0 |
Trigger operator | gt |
Source Uri | https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Cisco SD-WAN/Analytic Rules/CiscoSDWANSentinelIntrusionEvents.yaml |
Version | 1.0.1 |
Arm template | 232a1c75-63fc-4c81-8b18-b4a739fccba8.json |
CiscoSyslogUTD
| where SignatureId == "Enter SignatureId"
| distinct SignatureId,SourceIP
entityMappings:
- entityType: RegistryKey
fieldMappings:
- columnName: SignatureId
identifier: Key
tactics:
- InitialAccess
triggerOperator: gt
description: |
'This Analytic rule will monitor Intrusion events in Cisco syslog data based on the provided Signature ID. This will create an incident if that Signature ID is found in the specified time range.'
requiredDataConnectors:
- connectorId: CiscoSDWAN
dataTypes:
- CiscoSyslogUTD
relevantTechniques:
- T1190
- T1189
version: 1.0.1
id: 232a1c75-63fc-4c81-8b18-b4a739fccba8
customDetails:
signatureid: SignatureId
kind: Scheduled
query: |
CiscoSyslogUTD
| where SignatureId == "Enter SignatureId"
| distinct SignatureId,SourceIP
status: Available
triggerThreshold: 0
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Cisco SD-WAN/Analytic Rules/CiscoSDWANSentinelIntrusionEvents.yaml
incidentConfiguration:
createIncident: true
eventGroupingSettings:
aggregationKind: AlertPerResult
queryFrequency: 3h
severity: High
name: Cisco SDWAN - Intrusion Events
queryPeriod: 3h
{
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"parameters": {
"workspace": {
"type": "String"
}
},
"resources": [
{
"apiVersion": "2024-01-01-preview",
"id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/232a1c75-63fc-4c81-8b18-b4a739fccba8')]",
"kind": "Scheduled",
"name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/232a1c75-63fc-4c81-8b18-b4a739fccba8')]",
"properties": {
"alertRuleTemplateName": "232a1c75-63fc-4c81-8b18-b4a739fccba8",
"customDetails": {
"signatureid": "SignatureId"
},
"description": "'This Analytic rule will monitor Intrusion events in Cisco syslog data based on the provided Signature ID. This will create an incident if that Signature ID is found in the specified time range.'\n",
"displayName": "Cisco SDWAN - Intrusion Events",
"enabled": true,
"entityMappings": [
{
"entityType": "RegistryKey",
"fieldMappings": [
{
"columnName": "SignatureId",
"identifier": "Key"
}
]
}
],
"eventGroupingSettings": {
"aggregationKind": "AlertPerResult"
},
"incidentConfiguration": {
"createIncident": true
},
"OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Cisco SD-WAN/Analytic Rules/CiscoSDWANSentinelIntrusionEvents.yaml",
"query": "CiscoSyslogUTD\n| where SignatureId == \"Enter SignatureId\"\n| distinct SignatureId,SourceIP\n",
"queryFrequency": "PT3H",
"queryPeriod": "PT3H",
"severity": "High",
"status": "Available",
"subTechniques": [],
"suppressionDuration": "PT1H",
"suppressionEnabled": false,
"tactics": [
"InitialAccess"
],
"techniques": [
"T1189",
"T1190"
],
"templateVersion": "1.0.1",
"triggerOperator": "GreaterThan",
"triggerThreshold": 0
},
"type": "Microsoft.OperationalInsights/workspaces/providers/alertRules"
}
]
}