CiscoSyslogUTD
| union (CiscoSDWANNetflow)
| where isnotempty(SourceIP) or isnotempty(NetflowFwSrcAddrIpv4)
| extend SourceIP = coalesce(SourceIP, NetflowFwSrcAddrIpv4)
| where ipv4_is_in_any_range(SourceIP, "Enter comma-separated IPs")
| summarize count() by SourceIP
queryPeriod: 3h
version: 1.0.1
tactics:
- CommandAndControl
queryFrequency: 3h
id: a62a207e-62be-4a74-acab-4466d5b3854f
triggerOperator: gt
requiredDataConnectors:
- dataTypes:
- CiscoSyslogUTD
connectorId: CiscoSDWAN
- dataTypes:
- CiscoSDWANNetflow
connectorId: CiscoSDWAN
severity: High
eventGroupingSettings:
aggregationKind: AlertPerResult
customDetails:
critical_ip: SourceIP
triggerThreshold: 0
relevantTechniques:
- T1071
query: |
CiscoSyslogUTD
| union (CiscoSDWANNetflow)
| where isnotempty(SourceIP) or isnotempty(NetflowFwSrcAddrIpv4)
| extend SourceIP = coalesce(SourceIP, NetflowFwSrcAddrIpv4)
| where ipv4_is_in_any_range(SourceIP, "Enter comma-separated IPs")
| summarize count() by SourceIP
kind: Scheduled
entityMappings:
- entityType: IP
fieldMappings:
- columnName: SourceIP
identifier: Address
name: Cisco SDWAN - Monitor Critical IPs
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Cisco SD-WAN/Analytic Rules/CiscoSDWANSentinelMonitorCriticalIP.yaml
description: |
'This analytic rule will monitor critical IPs in Syslog and Netflow Data.'
status: Available
incidentConfiguration:
createIncident: true
{
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"parameters": {
"workspace": {
"type": "String"
}
},
"resources": [
{
"apiVersion": "2024-01-01-preview",
"id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/a62a207e-62be-4a74-acab-4466d5b3854f')]",
"kind": "Scheduled",
"name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/a62a207e-62be-4a74-acab-4466d5b3854f')]",
"properties": {
"alertRuleTemplateName": "a62a207e-62be-4a74-acab-4466d5b3854f",
"customDetails": {
"critical_ip": "SourceIP"
},
"description": "'This analytic rule will monitor critical IPs in Syslog and Netflow Data.'\n",
"displayName": "Cisco SDWAN - Monitor Critical IPs",
"enabled": true,
"entityMappings": [
{
"entityType": "IP",
"fieldMappings": [
{
"columnName": "SourceIP",
"identifier": "Address"
}
]
}
],
"eventGroupingSettings": {
"aggregationKind": "AlertPerResult"
},
"incidentConfiguration": {
"createIncident": true
},
"OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Cisco SD-WAN/Analytic Rules/CiscoSDWANSentinelMonitorCriticalIP.yaml",
"query": "CiscoSyslogUTD\n| union (CiscoSDWANNetflow)\n| where isnotempty(SourceIP) or isnotempty(NetflowFwSrcAddrIpv4)\n| extend SourceIP = coalesce(SourceIP, NetflowFwSrcAddrIpv4)\n| where ipv4_is_in_any_range(SourceIP, \"Enter comma-separated IPs\")\n| summarize count() by SourceIP\n",
"queryFrequency": "PT3H",
"queryPeriod": "PT3H",
"severity": "High",
"status": "Available",
"subTechniques": [],
"suppressionDuration": "PT1H",
"suppressionEnabled": false,
"tactics": [
"CommandAndControl"
],
"techniques": [
"T1071"
],
"templateVersion": "1.0.1",
"triggerOperator": "GreaterThan",
"triggerThreshold": 0
},
"type": "Microsoft.OperationalInsights/workspaces/providers/alertRules"
}
]
}