Illumio Enforcement Change Analytic Rule
| Id | 599fdc92-eb6d-4b54-8d79-2a3f740a846a |
| Rulename | Illumio Enforcement Change Analytic Rule |
| Description | Create a Microsoft Sentinel incident when a VEN changes enforcement state from Full/Selective to Idle/Visibility |
| Severity | Medium |
| Tactics | DefenseEvasion |
| Techniques | T1562 |
| Required data connectors | IllumioSaaSDataConnector SyslogAma |
| Kind | Scheduled |
| Query frequency | 60m |
| Query period | 60m |
| Trigger threshold | 0 |
| Trigger operator | gt |
| Source Uri | https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/IllumioSaaS/Analytic Rules/Illumio_VEN_Enforcement_Change_Detection_Query.yaml |
| Version | 1.0.7 |
| Arm template | 599fdc92-eb6d-4b54-8d79-2a3f740a846a.json |
// Illumio VEN enforcement downgrade (MITRE ATT&CK T1562, Defense Evasion).
// Selects workloads.update audit events whose enforcement_mode moved from an
// enforcing mode (full / selective) to a non-enforcing one (visibility_only /
// idle), i.e. segmentation policy stopped being enforced on that workload.
let enforcingModes = dynamic(["full", "selective"]);
let nonEnforcingModes = dynamic(["visibility_only", "idle"]);
Illumio_Auditable_Events_CL
// Presumably the same audit events delivered over syslog (SyslogAma connector);
// both sources are evaluated together.
| union IllumioSyslogAuditEvents
| where event_type == 'workloads.update'
// Only the first entry of resource_changes is inspected.
// NOTE(review): a bulk update touching several workloads would surface only
// the first of them here — confirm against the Illumio audit event schema.
| extend change = parse_json(resource_changes)[0]
| extend old_mode = change.changes.enforcement_mode.before
| extend new_mode = change.changes.enforcement_mode.after
| extend workload_href = change.resource.workload.href
| extend workload_name = change.resource.workload.hostname
// src_ip of the recorded action — presumably the requester's address rather
// than the workload's; verify against the event schema before relying on it.
| extend ipaddress = action.src_ip
// Both halves of the transition must match: enforcing before, not after.
| where old_mode in (enforcingModes)
| where new_mode in (nonEnforcingModes)
// The column names below are the ones the rule's entity mappings and alert
// format strings refer to (workload_name, created_by, ipaddress,
// TimeGenerated); keep them stable.
| project old_mode, new_mode, workload_href, workload_name, TimeGenerated, created_by, ipaddress
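# Microsoft Sentinel scheduled analytic rule: Illumio VEN enforcement downgrade.
# Raises an alert when a workload's enforcement_mode moves from full/selective
# to visibility_only/idle (MITRE ATT&CK T1562 - Impair Defenses, Defense Evasion).
# Look-back window; equal to queryFrequency, so each run covers a disjoint hour.
queryPeriod: 60m
query: |
  let enf_state = dynamic(["full", "selective"]);
  let visibility_state = dynamic(["visibility_only", "idle"]);
  Illumio_Auditable_Events_CL
  | union IllumioSyslogAuditEvents
  | extend temp_resource_changes = parse_json(resource_changes)[0]
  | where event_type == 'workloads.update'
  | extend old_mode = temp_resource_changes.changes.enforcement_mode.before,
  new_mode = temp_resource_changes.changes.enforcement_mode.after,
  workload_href = temp_resource_changes.resource.workload.href,
  workload_name = temp_resource_changes.resource.workload.hostname,
  ipaddress = action.src_ip
  | where new_mode in (visibility_state) and old_mode in (enf_state)
  | project-away temp_*
  | project old_mode, new_mode, workload_href, workload_name, TimeGenerated, created_by, ipaddress
name: Illumio Enforcement Change Analytic Rule
# Each mapping names a column the query projects; the column names must stay
# in sync with the final `project` line of the query above.
entityMappings:
  - fieldMappings:
      - columnName: workload_name
        identifier: HostName
    entityType: Host
  - fieldMappings:
      - columnName: created_by
        identifier: Name
    entityType: Account
  - fieldMappings:
      - columnName: ipaddress
        identifier: Address
    entityType: IP
eventGroupingSettings:
  # All rows returned by one run are folded into a single alert.
  # NOTE(review): with SingleAlert the {{workload_name}} placeholder in
  # alertDetailsOverride is resolved from only one of those rows; if one
  # incident per downgraded workload is wanted, AlertPerResult is the
  # alternative — confirm the intended triage model before changing.
  aggregationKind: SingleAlert
queryFrequency: 60m
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/IllumioSaaS/Analytic Rules/Illumio_VEN_Enforcement_Change_Detection_Query.yaml
alertDetailsOverride:
  alertDisplayNameFormat: |
    Illumio Enforcement Change Incident for {{workload_name}}
  alertDescriptionFormat: |
    Illumio Enforcement Change Incident for {{workload_name}} generated at {{TimeGenerated}}
requiredDataConnectors:
  - connectorId: IllumioSaaSDataConnector
    dataTypes:
      - Illumio_Auditable_Events_CL
  - connectorId: SyslogAma
    # Key spelled `dataTypes` to match the first connector entry (was
    # `datatypes`), so a case-sensitive schema reader does not silently drop
    # the Syslog dependency.
    dataTypes:
      - Syslog
description: |
  'Create Microsoft Sentinel Incident When Ven Changes Enforcement State from Full/Selective To Idle/Visibility state'
kind: Scheduled
version: 1.0.7
status: Available
severity: Medium
relevantTechniques:
  - T1562
# gt / 0: any matching row produces an alert.
triggerOperator: gt
triggerThreshold: 0
tactics:
  - DefenseEvasion
id: 599fdc92-eb6d-4b54-8d79-2a3f740a846a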