Microsoft Sentinel Analytic Rules
cloudbrothers.infoAzure Sentinel RepoToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeBack to homepage
  1. Microsoft Sentinel Analytics Rules
  2. /
  3. Analytic Rules
  4. /
  5. Cisco SDWAN - Monitor Critical IPs

Cisco SDWAN - Monitor Critical IPs

Back
Ida62a207e-62be-4a74-acab-4466d5b3854f
RulenameCisco SDWAN - Monitor Critical IPs
DescriptionThis analytic rule will monitor critical IPs in Syslog and Netflow Data.
SeverityHigh
TacticsCommandAndControl
TechniquesT1071
Required data connectorsCiscoSDWAN
KindScheduled
Query frequency3h
Query period3h
Trigger threshold0
Trigger operatorgt
Source Urihttps://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Cisco SD-WAN/Analytic Rules/CiscoSDWANSentinelMonitorCriticalIP.yaml
Version1.0.1
Arm templatea62a207e-62be-4a74-acab-4466d5b3854f.json
Deploy To Azure
CiscoSyslogUTD
| union (CiscoSDWANNetflow)
| where isnotempty(SourceIP) or isnotempty(NetflowFwSrcAddrIpv4)
| extend SourceIP = coalesce(SourceIP, NetflowFwSrcAddrIpv4)
| where ipv4_is_in_any_range(SourceIP, "Enter comma-separated IPs")
| summarize count() by SourceIP

id: a62a207e-62be-4a74-acab-4466d5b3854f
triggerOperator: gt
entityMappings:
- fieldMappings:
  - identifier: Address
    columnName: SourceIP
  entityType: IP
eventGroupingSettings:
  aggregationKind: AlertPerResult
requiredDataConnectors:
- dataTypes:
  - CiscoSyslogUTD
  connectorId: CiscoSDWAN
- dataTypes:
  - CiscoSDWANNetflow
  connectorId: CiscoSDWAN
queryFrequency: 3h
queryPeriod: 3h
status: Available
incidentConfiguration:
  createIncident: true
query: |
  CiscoSyslogUTD
  | union (CiscoSDWANNetflow)
  | where isnotempty(SourceIP) or isnotempty(NetflowFwSrcAddrIpv4)
  | extend SourceIP = coalesce(SourceIP, NetflowFwSrcAddrIpv4)
  | where ipv4_is_in_any_range(SourceIP, "Enter comma-separated IPs")
  | summarize count() by SourceIP  
name: Cisco SDWAN - Monitor Critical IPs
kind: Scheduled
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Cisco SD-WAN/Analytic Rules/CiscoSDWANSentinelMonitorCriticalIP.yaml
tactics:
- CommandAndControl
severity: High
relevantTechniques:
- T1071
triggerThreshold: 0
version: 1.0.1
description: |
    'This analytic rule will monitor critical IPs in Syslog and Netflow Data.'
customDetails:
  critical_ip: SourceIP