Microsoft Sentinel Analytic Rules
cloudbrothers.infoAzure Sentinel RepoToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeBack to homepage
  1. Microsoft Sentinel Analytics Rules
  2. /
  3. Analytic Rules
  4. /
  5. Cisco SDWAN - Monitor Critical IPs

Cisco SDWAN - Monitor Critical IPs

Back
Ida62a207e-62be-4a74-acab-4466d5b3854f
RulenameCisco SDWAN - Monitor Critical IPs
DescriptionThis analytic rule will monitor critical IPs in Syslog and Netflow Data.
SeverityHigh
TacticsCommandAndControl
TechniquesT1071
Required data connectorsCiscoSDWAN
KindScheduled
Query frequency3h
Query period3h
Trigger threshold0
Trigger operatorgt
Source Urihttps://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Cisco SD-WAN/Analytic Rules/CiscoSDWANSentinelMonitorCriticalIP.yaml
Version1.0.1
Arm templatea62a207e-62be-4a74-acab-4466d5b3854f.json
Deploy To Azure
CiscoSyslogUTD
| union (CiscoSDWANNetflow)
| where isnotempty(SourceIP) or isnotempty(NetflowFwSrcAddrIpv4)
| extend SourceIP = coalesce(SourceIP, NetflowFwSrcAddrIpv4)
| where ipv4_is_in_any_range(SourceIP, "Enter comma-separated IPs")
| summarize count() by SourceIP

status: Available
triggerOperator: gt
triggerThreshold: 0
name: Cisco SDWAN - Monitor Critical IPs
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Cisco SD-WAN/Analytic Rules/CiscoSDWANSentinelMonitorCriticalIP.yaml
queryPeriod: 3h
severity: High
eventGroupingSettings:
  aggregationKind: AlertPerResult
entityMappings:
- entityType: IP
  fieldMappings:
  - columnName: SourceIP
    identifier: Address
queryFrequency: 3h
relevantTechniques:
- T1071
requiredDataConnectors:
- dataTypes:
  - CiscoSyslogUTD
  connectorId: CiscoSDWAN
- dataTypes:
  - CiscoSDWANNetflow
  connectorId: CiscoSDWAN
kind: Scheduled
customDetails:
  critical_ip: SourceIP
incidentConfiguration:
  createIncident: true
description: |
    'This analytic rule will monitor critical IPs in Syslog and Netflow Data.'
tactics:
- CommandAndControl
query: |
  CiscoSyslogUTD
  | union (CiscoSDWANNetflow)
  | where isnotempty(SourceIP) or isnotempty(NetflowFwSrcAddrIpv4)
  | extend SourceIP = coalesce(SourceIP, NetflowFwSrcAddrIpv4)
  | where ipv4_is_in_any_range(SourceIP, "Enter comma-separated IPs")
  | summarize count() by SourceIP  
id: a62a207e-62be-4a74-acab-4466d5b3854f
version: 1.0.1

{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "workspace": {
      "type": "String"
    }
  },
  "resources": [
    {
      "apiVersion": "2024-01-01-preview",
      "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/a62a207e-62be-4a74-acab-4466d5b3854f')]",
      "kind": "Scheduled",
      "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/a62a207e-62be-4a74-acab-4466d5b3854f')]",
      "properties": {
        "alertRuleTemplateName": "a62a207e-62be-4a74-acab-4466d5b3854f",
        "customDetails": {
          "critical_ip": "SourceIP"
        },
        "description": "'This analytic rule will monitor critical IPs in Syslog and Netflow Data.'\n",
        "displayName": "Cisco SDWAN - Monitor Critical IPs",
        "enabled": true,
        "entityMappings": [
          {
            "entityType": "IP",
            "fieldMappings": [
              {
                "columnName": "SourceIP",
                "identifier": "Address"
              }
            ]
          }
        ],
        "eventGroupingSettings": {
          "aggregationKind": "AlertPerResult"
        },
        "incidentConfiguration": {
          "createIncident": true
        },
        "OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Cisco SD-WAN/Analytic Rules/CiscoSDWANSentinelMonitorCriticalIP.yaml",
        "query": "CiscoSyslogUTD\n| union (CiscoSDWANNetflow)\n| where isnotempty(SourceIP) or isnotempty(NetflowFwSrcAddrIpv4)\n| extend SourceIP = coalesce(SourceIP, NetflowFwSrcAddrIpv4)\n| where ipv4_is_in_any_range(SourceIP, \"Enter comma-separated IPs\")\n| summarize count() by SourceIP\n",
        "queryFrequency": "PT3H",
        "queryPeriod": "PT3H",
        "severity": "High",
        "status": "Available",
        "subTechniques": [],
        "suppressionDuration": "PT1H",
        "suppressionEnabled": false,
        "tactics": [
          "CommandAndControl"
        ],
        "techniques": [
          "T1071"
        ],
        "templateVersion": "1.0.1",
        "triggerOperator": "GreaterThan",
        "triggerThreshold": 0
      },
      "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules"
    }
  ]
}