Microsoft Sentinel Analytic Rules
cloudbrothers.infoAzure Sentinel RepoToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeBack to homepage
  1. Microsoft Sentinel Analytics Rules
  2. /
  3. Analytic Rules
  4. /
  5. Cisco ASA - threat detection message fired

Cisco ASA - threat detection message fired

Back
Id795edf2d-cf3e-45b5-8452-fe6c9e6a582e
RulenameCisco ASA - threat detection message fired
DescriptionIdentifies when the Cisco ASA Threat Detection engine fired an alert based on malicious activity occurring on the network inicated by DeviceEventClassID 733101-733105

Resources: https://www.cisco.com/c/en/us/td/docs/security/asa/syslog/b_syslog/syslogs9.html

Details on how to further troubleshoot/investigate: https://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/113685-asa-threat-detection.html
SeverityMedium
TacticsDiscovery
Impact
TechniquesT1046
T1498
Required data connectorsCiscoAsaAma
KindScheduled
Query frequency1h
Query period1h
Trigger threshold0
Trigger operatorgt
Source Urihttps://github.com/Azure/Azure-Sentinel/blob/master/Solutions/CiscoASA/Analytic Rules/CiscoASA-ThreatDetectionMessage.yaml
Version1.0.3
Arm template795edf2d-cf3e-45b5-8452-fe6c9e6a582e.json
Deploy To Azure
CommonSecurityLog
| where isempty(CommunicationDirection)
| where DeviceEventClassID in ("733101","733102","733103","733104","733105")
| extend HostName = tostring(split(DeviceName, ".")[0]), DomainIndex = toint(indexof(DeviceName, '.'))
| extend HostNameDomain = iff(DomainIndex != -1, substring(DeviceName, DomainIndex + 1), DeviceName)

description: |
  'Identifies when the Cisco ASA Threat Detection engine fired an alert based on malicious activity occurring on the network inicated by DeviceEventClassID 733101-733105
  Resources: https://www.cisco.com/c/en/us/td/docs/security/asa/syslog/b_syslog/syslogs9.html
  Details on how to further troubleshoot/investigate: https://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/113685-asa-threat-detection.html'  
kind: Scheduled
tactics:
- Discovery
- Impact
requiredDataConnectors:
- connectorId: CiscoAsaAma
  dataTypes:
  - CommonSecurityLog
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/CiscoASA/Analytic Rules/CiscoASA-ThreatDetectionMessage.yaml
severity: Medium
name: Cisco ASA - threat detection message fired
triggerThreshold: 0
queryPeriod: 1h
query: |
  CommonSecurityLog
  | where isempty(CommunicationDirection)
  | where DeviceEventClassID in ("733101","733102","733103","733104","733105")
  | extend HostName = tostring(split(DeviceName, ".")[0]), DomainIndex = toint(indexof(DeviceName, '.'))
  | extend HostNameDomain = iff(DomainIndex != -1, substring(DeviceName, DomainIndex + 1), DeviceName)  
relevantTechniques:
- T1046
- T1498
id: 795edf2d-cf3e-45b5-8452-fe6c9e6a582e
queryFrequency: 1h
status: Available
triggerOperator: gt
version: 1.0.3
entityMappings:
- entityType: Host
  fieldMappings:
  - columnName: DeviceName
    identifier: FullName
- entityType: IP
  fieldMappings:
  - columnName: SourceIP
    identifier: Address