Microsoft Sentinel Analytic Rules
cloudbrothers.infoAzure Sentinel RepoToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeBack to homepage
  1. Microsoft Sentinel Analytics Rules
  2. /
  3. Analytic Rules
  4. /
  5. Cisco SDWAN - Monitor Critical IPs

Cisco SDWAN - Monitor Critical IPs

Back
Ida62a207e-62be-4a74-acab-4466d5b3854f
RulenameCisco SDWAN - Monitor Critical IPs
DescriptionThis analytic rule will monitor critical IPs in Syslog and Netflow Data.
SeverityHigh
TacticsCommandAndControl
TechniquesT1071
Required data connectorsCiscoSDWAN
KindScheduled
Query frequency3h
Query period3h
Trigger threshold0
Trigger operatorgt
Source Urihttps://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Cisco SD-WAN/Analytic Rules/CiscoSDWANSentinelMonitorCriticalIP.yaml
Version1.0.1
Arm templatea62a207e-62be-4a74-acab-4466d5b3854f.json
Deploy To Azure
CiscoSyslogUTD
| union (CiscoSDWANNetflow)
| where isnotempty(SourceIP) or isnotempty(NetflowFwSrcAddrIpv4)
| extend SourceIP = coalesce(SourceIP, NetflowFwSrcAddrIpv4)
| where ipv4_is_in_any_range(SourceIP, "Enter comma-separated IPs")
| summarize count() by SourceIP

queryFrequency: 3h
eventGroupingSettings:
  aggregationKind: AlertPerResult
requiredDataConnectors:
- connectorId: CiscoSDWAN
  dataTypes:
  - CiscoSyslogUTD
- connectorId: CiscoSDWAN
  dataTypes:
  - CiscoSDWANNetflow
incidentConfiguration:
  createIncident: true
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Cisco SD-WAN/Analytic Rules/CiscoSDWANSentinelMonitorCriticalIP.yaml
query: |
  CiscoSyslogUTD
  | union (CiscoSDWANNetflow)
  | where isnotempty(SourceIP) or isnotempty(NetflowFwSrcAddrIpv4)
  | extend SourceIP = coalesce(SourceIP, NetflowFwSrcAddrIpv4)
  | where ipv4_is_in_any_range(SourceIP, "Enter comma-separated IPs")
  | summarize count() by SourceIP  
customDetails:
  critical_ip: SourceIP
relevantTechniques:
- T1071
name: Cisco SDWAN - Monitor Critical IPs
description: |
    'This analytic rule will monitor critical IPs in Syslog and Netflow Data.'
severity: High
queryPeriod: 3h
triggerOperator: gt
entityMappings:
- entityType: IP
  fieldMappings:
  - identifier: Address
    columnName: SourceIP
status: Available
tactics:
- CommandAndControl
id: a62a207e-62be-4a74-acab-4466d5b3854f
version: 1.0.1
kind: Scheduled
triggerThreshold: 0

{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "workspace": {
      "type": "String"
    }
  },
  "resources": [
    {
      "apiVersion": "2024-01-01-preview",
      "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/a62a207e-62be-4a74-acab-4466d5b3854f')]",
      "kind": "Scheduled",
      "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/a62a207e-62be-4a74-acab-4466d5b3854f')]",
      "properties": {
        "alertRuleTemplateName": "a62a207e-62be-4a74-acab-4466d5b3854f",
        "customDetails": {
          "critical_ip": "SourceIP"
        },
        "description": "'This analytic rule will monitor critical IPs in Syslog and Netflow Data.'\n",
        "displayName": "Cisco SDWAN - Monitor Critical IPs",
        "enabled": true,
        "entityMappings": [
          {
            "entityType": "IP",
            "fieldMappings": [
              {
                "columnName": "SourceIP",
                "identifier": "Address"
              }
            ]
          }
        ],
        "eventGroupingSettings": {
          "aggregationKind": "AlertPerResult"
        },
        "incidentConfiguration": {
          "createIncident": true
        },
        "OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Cisco SD-WAN/Analytic Rules/CiscoSDWANSentinelMonitorCriticalIP.yaml",
        "query": "CiscoSyslogUTD\n| union (CiscoSDWANNetflow)\n| where isnotempty(SourceIP) or isnotempty(NetflowFwSrcAddrIpv4)\n| extend SourceIP = coalesce(SourceIP, NetflowFwSrcAddrIpv4)\n| where ipv4_is_in_any_range(SourceIP, \"Enter comma-separated IPs\")\n| summarize count() by SourceIP\n",
        "queryFrequency": "PT3H",
        "queryPeriod": "PT3H",
        "severity": "High",
        "status": "Available",
        "subTechniques": [],
        "suppressionDuration": "PT1H",
        "suppressionEnabled": false,
        "tactics": [
          "CommandAndControl"
        ],
        "techniques": [
          "T1071"
        ],
        "templateVersion": "1.0.1",
        "triggerOperator": "GreaterThan",
        "triggerThreshold": 0
      },
      "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules"
    }
  ]
}