Illumio VEN Suspend Detection Rule

Illumio_Auditable_Events_CL
| union IllumioSyslogAuditEvents  
| where event_type has 'agent.suspend'
| extend ipaddress = action.src_ip,
      hostname = created_by.agent.hostname
| project-away resource_changes, action, version        

relevantTechniques:
- T1562
entityMappings:
- fieldMappings:
  - columnName: hostname
    identifier: HostName
  entityType: Host
- fieldMappings:
  - columnName: ipaddress
    identifier: Address
  entityType: IP
version: 1.0.6
triggerThreshold: 0
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/IllumioSaaS/Analytic Rules/Illumio_VEN_Suspend_Query.yaml
description: |
    'Create Microsoft Sentinel Incident When Ven Goes Into Suspended state'
requiredDataConnectors:
- connectorId: IllumioSaaSDataConnector
  dataTypes:
  - Illumio_Auditable_Events_CL
- connectorId: SyslogAma
  datatypes:
  - Syslog
triggerOperator: gt
alertDetailsOverride:
  alertDisplayNameFormat: |
        Illumio VEN Suspended Incident for {{hostname}}
  alertDescriptionFormat: |
        Illumio VEN Suspended Incident for {{hostname}} generated at {{TimeGenerated}}
eventGroupingSettings:
  aggregationKind: SingleAlert
id: 7379f752-18a2-43ca-8b74-70747dd792f8
queryFrequency: 60m
query: |
  Illumio_Auditable_Events_CL
  | union IllumioSyslogAuditEvents  
  | where event_type has 'agent.suspend'
  | extend ipaddress = action.src_ip,
        hostname = created_by.agent.hostname
  | project-away resource_changes, action, version          
severity: High
status: Available
queryPeriod: 60m
name: Illumio VEN Suspend Detection Rule
tactics:
- DefenseEvasion
kind: Scheduled