Microsoft Sentinel Analytic Rules
cloudbrothers.infoAzure Sentinel RepoToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeBack to homepage

Cisco SDWAN - Intrusion Events

Back
Id232a1c75-63fc-4c81-8b18-b4a739fccba8
RulenameCisco SDWAN - Intrusion Events
DescriptionThis Analytic rule will monitor Intrusion events in Cisco syslog data based on the provided Signature ID. This will create an incident if that Signature ID is found in the specified time range.
SeverityHigh
TacticsInitialAccess
TechniquesT1190
T1189
Required data connectorsCiscoSDWAN
KindScheduled
Query frequency3h
Query period3h
Trigger threshold0
Trigger operatorgt
Source Urihttps://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Cisco SD-WAN/Analytic Rules/CiscoSDWANSentinelIntrusionEvents.yaml
Version1.0.1
Arm template232a1c75-63fc-4c81-8b18-b4a739fccba8.json
Deploy To Azure
CiscoSyslogUTD
| where SignatureId == "Enter SignatureId"
| distinct SignatureId,SourceIP
kind: Scheduled
description: |
    'This Analytic rule will monitor Intrusion events in Cisco syslog data based on the provided Signature ID. This will create an incident if that Signature ID is found in the specified time range.'
query: |
  CiscoSyslogUTD
  | where SignatureId == "Enter SignatureId"
  | distinct SignatureId,SourceIP  
eventGroupingSettings:
  aggregationKind: AlertPerResult
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Cisco SD-WAN/Analytic Rules/CiscoSDWANSentinelIntrusionEvents.yaml
entityMappings:
- entityType: RegistryKey
  fieldMappings:
  - columnName: SignatureId
    identifier: Key
tactics:
- InitialAccess
triggerThreshold: 0
incidentConfiguration:
  createIncident: true
version: 1.0.1
name: Cisco SDWAN - Intrusion Events
queryPeriod: 3h
requiredDataConnectors:
- dataTypes:
  - CiscoSyslogUTD
  connectorId: CiscoSDWAN
triggerOperator: gt
customDetails:
  signatureid: SignatureId
queryFrequency: 3h
status: Available
relevantTechniques:
- T1190
- T1189
severity: High
id: 232a1c75-63fc-4c81-8b18-b4a739fccba8
{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "workspace": {
      "type": "String"
    }
  },
  "resources": [
    {
      "apiVersion": "2024-01-01-preview",
      "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/232a1c75-63fc-4c81-8b18-b4a739fccba8')]",
      "kind": "Scheduled",
      "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/232a1c75-63fc-4c81-8b18-b4a739fccba8')]",
      "properties": {
        "alertRuleTemplateName": "232a1c75-63fc-4c81-8b18-b4a739fccba8",
        "customDetails": {
          "signatureid": "SignatureId"
        },
        "description": "'This Analytic rule will monitor Intrusion events in Cisco syslog data based on the provided Signature ID. This will create an incident if that Signature ID is found in the specified time range.'\n",
        "displayName": "Cisco SDWAN - Intrusion Events",
        "enabled": true,
        "entityMappings": [
          {
            "entityType": "RegistryKey",
            "fieldMappings": [
              {
                "columnName": "SignatureId",
                "identifier": "Key"
              }
            ]
          }
        ],
        "eventGroupingSettings": {
          "aggregationKind": "AlertPerResult"
        },
        "incidentConfiguration": {
          "createIncident": true
        },
        "OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Cisco SD-WAN/Analytic Rules/CiscoSDWANSentinelIntrusionEvents.yaml",
        "query": "CiscoSyslogUTD\n| where SignatureId == \"Enter SignatureId\"\n| distinct SignatureId,SourceIP\n",
        "queryFrequency": "PT3H",
        "queryPeriod": "PT3H",
        "severity": "High",
        "status": "Available",
        "subTechniques": [],
        "suppressionDuration": "PT1H",
        "suppressionEnabled": false,
        "tactics": [
          "InitialAccess"
        ],
        "techniques": [
          "T1189",
          "T1190"
        ],
        "templateVersion": "1.0.1",
        "triggerOperator": "GreaterThan",
        "triggerThreshold": 0
      },
      "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules"
    }
  ]
}