Microsoft Sentinel Analytic Rules
cloudbrothers.infoAzure Sentinel RepoToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeBack to homepage

Cisco SDWAN - Monitor Critical IPs

Back
Ida62a207e-62be-4a74-acab-4466d5b3854f
RulenameCisco SDWAN - Monitor Critical IPs
DescriptionThis analytic rule will monitor critical IPs in Syslog and Netflow Data.
SeverityHigh
TacticsDiscovery
Required data connectorsCiscoSDWAN
KindScheduled
Query frequency3h
Query period3h
Trigger threshold0
Trigger operatorgt
Source Urihttps://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Cisco SD-WAN/Analytic Rules/CiscoSDWANSentinelMonitorCriticalIP.yaml
Version1.0.0
Arm templatea62a207e-62be-4a74-acab-4466d5b3854f.json
Deploy To Azure
CiscoSyslogUTD
| union (CiscoSDWANNetflow)
| where isnotempty(SourceIP) or isnotempty(NetflowFwSrcAddrIpv4)
| extend SourceIP = coalesce(SourceIP, NetflowFwSrcAddrIpv4)
| where ipv4_is_in_any_range(SourceIP, "Enter comma-separated IPs")
| summarize count() by SourceIP
queryPeriod: 3h
eventGroupingSettings:
  aggregationKind: AlertPerResult
kind: Scheduled
triggerThreshold: 0
customDetails:
  critical_ip: SourceIP
triggerOperator: gt
version: 1.0.0
entityMappings:
- fieldMappings:
  - identifier: Address
    columnName: SourceIP
  entityType: IP
query: |
  CiscoSyslogUTD
  | union (CiscoSDWANNetflow)
  | where isnotempty(SourceIP) or isnotempty(NetflowFwSrcAddrIpv4)
  | extend SourceIP = coalesce(SourceIP, NetflowFwSrcAddrIpv4)
  | where ipv4_is_in_any_range(SourceIP, "Enter comma-separated IPs")
  | summarize count() by SourceIP  
name: Cisco SDWAN - Monitor Critical IPs
queryFrequency: 3h
requiredDataConnectors:
- connectorId: CiscoSDWAN
  dataTypes:
  - CiscoSyslogUTD
- connectorId: CiscoSDWAN
  dataTypes:
  - CiscoSDWANNetflow
description: |
    'This analytic rule will monitor critical IPs in Syslog and Netflow Data.'
incidentConfiguration:
  createIncident: true
status: Available
id: a62a207e-62be-4a74-acab-4466d5b3854f
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Cisco SD-WAN/Analytic Rules/CiscoSDWANSentinelMonitorCriticalIP.yaml
tactics:
- Discovery
severity: High
{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "workspace": {
      "type": "String"
    }
  },
  "resources": [
    {
      "apiVersion": "2023-02-01-preview",
      "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/a62a207e-62be-4a74-acab-4466d5b3854f')]",
      "kind": "Scheduled",
      "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/a62a207e-62be-4a74-acab-4466d5b3854f')]",
      "properties": {
        "alertRuleTemplateName": "a62a207e-62be-4a74-acab-4466d5b3854f",
        "customDetails": {
          "critical_ip": "SourceIP"
        },
        "description": "'This analytic rule will monitor critical IPs in Syslog and Netflow Data.'\n",
        "displayName": "Cisco SDWAN - Monitor Critical IPs",
        "enabled": true,
        "entityMappings": [
          {
            "entityType": "IP",
            "fieldMappings": [
              {
                "columnName": "SourceIP",
                "identifier": "Address"
              }
            ]
          }
        ],
        "eventGroupingSettings": {
          "aggregationKind": "AlertPerResult"
        },
        "incidentConfiguration": {
          "createIncident": true
        },
        "OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Cisco SD-WAN/Analytic Rules/CiscoSDWANSentinelMonitorCriticalIP.yaml",
        "query": "CiscoSyslogUTD\n| union (CiscoSDWANNetflow)\n| where isnotempty(SourceIP) or isnotempty(NetflowFwSrcAddrIpv4)\n| extend SourceIP = coalesce(SourceIP, NetflowFwSrcAddrIpv4)\n| where ipv4_is_in_any_range(SourceIP, \"Enter comma-separated IPs\")\n| summarize count() by SourceIP\n",
        "queryFrequency": "PT3H",
        "queryPeriod": "PT3H",
        "severity": "High",
        "status": "Available",
        "suppressionDuration": "PT1H",
        "suppressionEnabled": false,
        "tactics": [
          "Discovery"
        ],
        "templateVersion": "1.0.0",
        "triggerOperator": "GreaterThan",
        "triggerThreshold": 0
      },
      "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules"
    }
  ]
}