Microsoft Sentinel Analytic Rules
cloudbrothers.infoAzure Sentinel RepoToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeBack to homepage

Cisco SE High Events Last Hour

Back
Id4683ebce-07ad-4089-89e3-39d8fe83c011
RulenameCisco SE High Events Last Hour
DescriptionFind events from Cisco Secure Endpoint that are of High severity in the last hour.
SeverityHigh
TacticsExecution
InitialAccess
Required data connectorsCiscoSecureEndpoint
KindScheduled
Query frequency1h
Query period1h
Trigger threshold0
Trigger operatorgt
Source Urihttps://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Cisco Secure Endpoint/Analytic Rules/CiscoEndpointHighAlert.yaml
Version1.0.0
Arm template4683ebce-07ad-4089-89e3-39d8fe83c011.json
Deploy To Azure
let endtime = 1h;
CiscoSecureEndpoint_CL
| where TimeGenerated >= ago(endtime)
| where severity_s == "High"
| project NetworkAddresses = parse_json(computer_network_addresses_s), computer_hostname_s, date_t, event_type_s, computer_links_trajectory_s
| summarize CountInLastHour = count() by computer_hostname_s, date_t, event_type_s, tostring(NetworkAddresses.ip), computer_links_trajectory_s
status: Available
id: 4683ebce-07ad-4089-89e3-39d8fe83c011
name: Cisco SE High Events Last Hour
requiredDataConnectors:
- connectorId: CiscoSecureEndpoint
  dataTypes:
  - CiscoSecureEndpoint_CL
triggerOperator: gt
severity: High
triggerThreshold: 0
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Cisco Secure Endpoint/Analytic Rules/CiscoEndpointHighAlert.yaml
kind: Scheduled
description: |
    'Find events from Cisco Secure Endpoint that are of High severity in the last hour.'
queryPeriod: 1h
query: |
  let endtime = 1h;
  CiscoSecureEndpoint_CL
  | where TimeGenerated >= ago(endtime)
  | where severity_s == "High"
  | project NetworkAddresses = parse_json(computer_network_addresses_s), computer_hostname_s, date_t, event_type_s, computer_links_trajectory_s
  | summarize CountInLastHour = count() by computer_hostname_s, date_t, event_type_s, tostring(NetworkAddresses.ip), computer_links_trajectory_s  
queryFrequency: 1h
version: 1.0.0
tactics:
- Execution
- InitialAccess
entityMappings:
- fieldMappings:
  - identifier: Address
    columnName: NetworkAddresses_ip
  entityType: IP
- fieldMappings:
  - identifier: HostName
    columnName: computer_hostname_s
  entityType: Host
- fieldMappings:
  - identifier: Url
    columnName: computer_links_trajectory_s
  entityType: URL
{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "workspace": {
      "type": "String"
    }
  },
  "resources": [
    {
      "apiVersion": "2023-02-01-preview",
      "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/4683ebce-07ad-4089-89e3-39d8fe83c011')]",
      "kind": "Scheduled",
      "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/4683ebce-07ad-4089-89e3-39d8fe83c011')]",
      "properties": {
        "alertRuleTemplateName": "4683ebce-07ad-4089-89e3-39d8fe83c011",
        "customDetails": null,
        "description": "'Find events from Cisco Secure Endpoint that are of High severity in the last hour.'\n",
        "displayName": "Cisco SE High Events Last Hour",
        "enabled": true,
        "entityMappings": [
          {
            "entityType": "IP",
            "fieldMappings": [
              {
                "columnName": "NetworkAddresses_ip",
                "identifier": "Address"
              }
            ]
          },
          {
            "entityType": "Host",
            "fieldMappings": [
              {
                "columnName": "computer_hostname_s",
                "identifier": "HostName"
              }
            ]
          },
          {
            "entityType": "URL",
            "fieldMappings": [
              {
                "columnName": "computer_links_trajectory_s",
                "identifier": "Url"
              }
            ]
          }
        ],
        "OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Cisco Secure Endpoint/Analytic Rules/CiscoEndpointHighAlert.yaml",
        "query": "let endtime = 1h;\nCiscoSecureEndpoint_CL\n| where TimeGenerated >= ago(endtime)\n| where severity_s == \"High\"\n| project NetworkAddresses = parse_json(computer_network_addresses_s), computer_hostname_s, date_t, event_type_s, computer_links_trajectory_s\n| summarize CountInLastHour = count() by computer_hostname_s, date_t, event_type_s, tostring(NetworkAddresses.ip), computer_links_trajectory_s\n",
        "queryFrequency": "PT1H",
        "queryPeriod": "PT1H",
        "severity": "High",
        "status": "Available",
        "suppressionDuration": "PT1H",
        "suppressionEnabled": false,
        "tactics": [
          "Execution",
          "InitialAccess"
        ],
        "templateVersion": "1.0.0",
        "triggerOperator": "GreaterThan",
        "triggerThreshold": 0
      },
      "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules"
    }
  ]
}