Cisco SE High Events Last Hour

Back


Id	4683ebce-07ad-4089-89e3-39d8fe83c011
Rulename	Cisco SE High Events Last Hour
Description	Find events from Cisco Secure Endpoint that are of High severity in the last hour.
Severity	High
Tactics	Execution InitialAccess
Required data connectors	CiscoSecureEndpoint
Kind	Scheduled
Query frequency	1h
Query period	1h
Trigger threshold	0
Trigger operator	gt
Source Uri	https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Cisco Secure Endpoint/Analytic Rules/CiscoEndpointHighAlert.yaml
Version	1.0.0
Arm template	4683ebce-07ad-4089-89e3-39d8fe83c011.json

KQL

let endtime = 1h;
CiscoSecureEndpoint_CL
| where TimeGenerated >= ago(endtime)
| where severity_s == "High"
| project NetworkAddresses = parse_json(computer_network_addresses_s), computer_hostname_s, date_t, event_type_s, computer_links_trajectory_s
| summarize CountInLastHour = count() by computer_hostname_s, date_t, event_type_s, tostring(NetworkAddresses.ip), computer_links_trajectory_s

YAML

kind: Scheduled
triggerOperator: gt
queryFrequency: 1h
name: Cisco SE High Events Last Hour
queryPeriod: 1h
id: 4683ebce-07ad-4089-89e3-39d8fe83c011
description: |
    'Find events from Cisco Secure Endpoint that are of High severity in the last hour.'
severity: High
query: |
  let endtime = 1h;
  CiscoSecureEndpoint_CL
  | where TimeGenerated >= ago(endtime)
  | where severity_s == "High"
  | project NetworkAddresses = parse_json(computer_network_addresses_s), computer_hostname_s, date_t, event_type_s, computer_links_trajectory_s
  | summarize CountInLastHour = count() by computer_hostname_s, date_t, event_type_s, tostring(NetworkAddresses.ip), computer_links_trajectory_s  
triggerThreshold: 0
version: 1.0.0
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Cisco Secure Endpoint/Analytic Rules/CiscoEndpointHighAlert.yaml
entityMappings:
- entityType: IP
  fieldMappings:
  - identifier: Address
    columnName: NetworkAddresses_ip
- entityType: Host
  fieldMappings:
  - identifier: HostName
    columnName: computer_hostname_s
- entityType: URL
  fieldMappings:
  - identifier: Url
    columnName: computer_links_trajectory_s
requiredDataConnectors:
- connectorId: CiscoSecureEndpoint
  dataTypes:
  - CiscoSecureEndpoint_CL
tactics:
- Execution
- InitialAccess
status: Available

ARM

{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "workspace": {
      "type": "String"
    }
  },
  "resources": [
    {
      "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/4683ebce-07ad-4089-89e3-39d8fe83c011')]",
      "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/4683ebce-07ad-4089-89e3-39d8fe83c011')]",
      "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
      "kind": "Scheduled",
      "apiVersion": "2022-11-01-preview",
      "properties": {
        "displayName": "Cisco SE High Events Last Hour",
        "description": "'Find events from Cisco Secure Endpoint that are of High severity in the last hour.'\n",
        "severity": "High",
        "enabled": true,
        "query": "let endtime = 1h;\nCiscoSecureEndpoint_CL\n| where TimeGenerated >= ago(endtime)\n| where severity_s == \"High\"\n| project NetworkAddresses = parse_json(computer_network_addresses_s), computer_hostname_s, date_t, event_type_s, computer_links_trajectory_s\n| summarize CountInLastHour = count() by computer_hostname_s, date_t, event_type_s, tostring(NetworkAddresses.ip), computer_links_trajectory_s\n",
        "queryFrequency": "PT1H",
        "queryPeriod": "PT1H",
        "triggerOperator": "GreaterThan",
        "triggerThreshold": 0,
        "suppressionDuration": "PT1H",
        "suppressionEnabled": false,
        "tactics": [
          "Execution",
          "InitialAccess"
        ],
        "alertRuleTemplateName": "4683ebce-07ad-4089-89e3-39d8fe83c011",
        "customDetails": null,
        "entityMappings": [
          {
            "fieldMappings": [
              {
                "identifier": "Address",
                "columnName": "NetworkAddresses_ip"
              }
            ],
            "entityType": "IP"
          },
          {
            "fieldMappings": [
              {
                "identifier": "HostName",
                "columnName": "computer_hostname_s"
              }
            ],
            "entityType": "Host"
          },
          {
            "fieldMappings": [
              {
                "identifier": "Url",
                "columnName": "computer_links_trajectory_s"
              }
            ],
            "entityType": "URL"
          }
        ],
        "templateVersion": "1.0.0",
        "OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Cisco Secure Endpoint/Analytic Rules/CiscoEndpointHighAlert.yaml",
        "status": "Available"
      }
    }
  ]
}