Cisco SDWAN - Intrusion Events

Back


Id	232a1c75-63fc-4c81-8b18-b4a739fccba8
Rulename	Cisco SDWAN - Intrusion Events
Description	This Analytic rule will monitor Intrusion events in Cisco syslog data based on the provided Signature ID. This will create an incident if that Signature ID is found in the specified time range.
Severity	High
Tactics	InitialAccess
Techniques	T1190 T1189
Required data connectors	CiscoSDWAN
Kind	Scheduled
Query frequency	3h
Query period	3h
Trigger threshold	0
Trigger operator	gt
Source Uri	https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Cisco SD-WAN/Analytic Rules/CiscoSDWANSentinelIntrusionEvents.yaml
Version	1.0.1
Arm template	232a1c75-63fc-4c81-8b18-b4a739fccba8.json

KQL

CiscoSyslogUTD
| where SignatureId == "Enter SignatureId"
| distinct SignatureId,SourceIP

YAML

entityMappings:
- entityType: RegistryKey
  fieldMappings:
  - identifier: Key
    columnName: SignatureId
tactics:
- InitialAccess
requiredDataConnectors:
- dataTypes:
  - CiscoSyslogUTD
  connectorId: CiscoSDWAN
incidentConfiguration:
  createIncident: true
id: 232a1c75-63fc-4c81-8b18-b4a739fccba8
severity: High
eventGroupingSettings:
  aggregationKind: AlertPerResult
status: Available
customDetails:
  signatureid: SignatureId
query: |
  CiscoSyslogUTD
  | where SignatureId == "Enter SignatureId"
  | distinct SignatureId,SourceIP  
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Cisco SD-WAN/Analytic Rules/CiscoSDWANSentinelIntrusionEvents.yaml
kind: Scheduled
queryPeriod: 3h
version: 1.0.1
name: Cisco SDWAN - Intrusion Events
queryFrequency: 3h
triggerThreshold: 0
relevantTechniques:
- T1190
- T1189
description: |
    'This Analytic rule will monitor Intrusion events in Cisco syslog data based on the provided Signature ID. This will create an incident if that Signature ID is found in the specified time range.'
triggerOperator: gt

ARM