Microsoft Sentinel Analytic Rules
cloudbrothers.infoAzure Sentinel RepoToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeBack to homepage
  1. Microsoft Sentinel Analytics Rules
  2. /
  3. Analytic Rules
  4. /
  5. Illumio VEN Suspend Detection Rule

Illumio VEN Suspend Detection Rule

Back
Id7379f752-18a2-43ca-8b74-70747dd792f8
RulenameIllumio VEN Suspend Detection Rule
DescriptionCreate Microsoft Sentinel Incident When Ven Goes Into Suspended state
SeverityHigh
TacticsDefenseEvasion
TechniquesT1562
Required data connectorsIllumioSaaSDataConnector
SyslogAma
KindScheduled
Query frequency60m
Query period60m
Trigger threshold0
Trigger operatorgt
Source Urihttps://github.com/Azure/Azure-Sentinel/blob/master/Solutions/IllumioSaaS/Analytic Rules/Illumio_VEN_Suspend_Query.yaml
Version1.0.6
Arm template7379f752-18a2-43ca-8b74-70747dd792f8.json
Deploy To Azure
Illumio_Auditable_Events_CL
| union IllumioSyslogAuditEvents  
| where event_type has 'agent.suspend'
| extend ipaddress = action.src_ip,
      hostname = created_by.agent.hostname
| project-away resource_changes, action, version        

name: Illumio VEN Suspend Detection Rule
relevantTechniques:
- T1562
eventGroupingSettings:
  aggregationKind: SingleAlert
requiredDataConnectors:
- dataTypes:
  - Illumio_Auditable_Events_CL
  connectorId: IllumioSaaSDataConnector
- datatypes:
  - Syslog
  connectorId: SyslogAma
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/IllumioSaaS/Analytic Rules/Illumio_VEN_Suspend_Query.yaml
query: |
  Illumio_Auditable_Events_CL
  | union IllumioSyslogAuditEvents  
  | where event_type has 'agent.suspend'
  | extend ipaddress = action.src_ip,
        hostname = created_by.agent.hostname
  | project-away resource_changes, action, version          
tactics:
- DefenseEvasion
description: |
    'Create Microsoft Sentinel Incident When Ven Goes Into Suspended state'
entityMappings:
- fieldMappings:
  - columnName: hostname
    identifier: HostName
  entityType: Host
- fieldMappings:
  - columnName: ipaddress
    identifier: Address
  entityType: IP
queryFrequency: 60m
alertDetailsOverride:
  alertDescriptionFormat: |
        Illumio VEN Suspended Incident for {{hostname}} generated at {{TimeGenerated}}
  alertDisplayNameFormat: |
        Illumio VEN Suspended Incident for {{hostname}}
triggerOperator: gt
version: 1.0.6
queryPeriod: 60m
status: Available
kind: Scheduled
severity: High
triggerThreshold: 0
id: 7379f752-18a2-43ca-8b74-70747dd792f8

{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "workspace": {
      "type": "String"
    }
  },
  "resources": [
    {
      "apiVersion": "2024-01-01-preview",
      "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/7379f752-18a2-43ca-8b74-70747dd792f8')]",
      "kind": "Scheduled",
      "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/7379f752-18a2-43ca-8b74-70747dd792f8')]",
      "properties": {
        "alertDetailsOverride": {
          "alertDescriptionFormat": "Illumio VEN Suspended Incident for {{hostname}} generated at {{TimeGenerated}}\n",
          "alertDisplayNameFormat": "Illumio VEN Suspended Incident for {{hostname}}\n"
        },
        "alertRuleTemplateName": "7379f752-18a2-43ca-8b74-70747dd792f8",
        "customDetails": null,
        "description": "'Create Microsoft Sentinel Incident When Ven Goes Into Suspended state'\n",
        "displayName": "Illumio VEN Suspend Detection Rule",
        "enabled": true,
        "entityMappings": [
          {
            "entityType": "Host",
            "fieldMappings": [
              {
                "columnName": "hostname",
                "identifier": "HostName"
              }
            ]
          },
          {
            "entityType": "IP",
            "fieldMappings": [
              {
                "columnName": "ipaddress",
                "identifier": "Address"
              }
            ]
          }
        ],
        "eventGroupingSettings": {
          "aggregationKind": "SingleAlert"
        },
        "OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/IllumioSaaS/Analytic Rules/Illumio_VEN_Suspend_Query.yaml",
        "query": "Illumio_Auditable_Events_CL\n| union IllumioSyslogAuditEvents  \n| where event_type has 'agent.suspend'\n| extend ipaddress = action.src_ip,\n      hostname = created_by.agent.hostname\n| project-away resource_changes, action, version        \n",
        "queryFrequency": "PT60M",
        "queryPeriod": "PT60M",
        "severity": "High",
        "status": "Available",
        "subTechniques": [],
        "suppressionDuration": "PT1H",
        "suppressionEnabled": false,
        "tactics": [
          "DefenseEvasion"
        ],
        "techniques": [
          "T1562"
        ],
        "templateVersion": "1.0.6",
        "triggerOperator": "GreaterThan",
        "triggerThreshold": 0
      },
      "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules"
    }
  ]
}