Microsoft Sentinel Analytic Rules
cloudbrothers.infoAzure Sentinel RepoToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeBack to homepage

Cisco SDWAN - Monitor Critical IPs

Back
Ida62a207e-62be-4a74-acab-4466d5b3854f
RulenameCisco SDWAN - Monitor Critical IPs
DescriptionThis analytic rule will monitor critical IPs in Syslog and Netflow Data.
SeverityHigh
TacticsCommandAndControl
TechniquesT1071
Required data connectorsCiscoSDWAN
KindScheduled
Query frequency3h
Query period3h
Trigger threshold0
Trigger operatorgt
Source Urihttps://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Cisco SD-WAN/Analytic Rules/CiscoSDWANSentinelMonitorCriticalIP.yaml
Version1.0.1
Arm templatea62a207e-62be-4a74-acab-4466d5b3854f.json
Deploy To Azure
CiscoSyslogUTD
| union (CiscoSDWANNetflow)
| where isnotempty(SourceIP) or isnotempty(NetflowFwSrcAddrIpv4)
| extend SourceIP = coalesce(SourceIP, NetflowFwSrcAddrIpv4)
| where ipv4_is_in_any_range(SourceIP, "Enter comma-separated IPs")
| summarize count() by SourceIP
queryPeriod: 3h
version: 1.0.1
tactics:
- CommandAndControl
queryFrequency: 3h
id: a62a207e-62be-4a74-acab-4466d5b3854f
triggerOperator: gt
requiredDataConnectors:
- dataTypes:
  - CiscoSyslogUTD
  connectorId: CiscoSDWAN
- dataTypes:
  - CiscoSDWANNetflow
  connectorId: CiscoSDWAN
severity: High
eventGroupingSettings:
  aggregationKind: AlertPerResult
customDetails:
  critical_ip: SourceIP
triggerThreshold: 0
relevantTechniques:
- T1071
query: |
  CiscoSyslogUTD
  | union (CiscoSDWANNetflow)
  | where isnotempty(SourceIP) or isnotempty(NetflowFwSrcAddrIpv4)
  | extend SourceIP = coalesce(SourceIP, NetflowFwSrcAddrIpv4)
  | where ipv4_is_in_any_range(SourceIP, "Enter comma-separated IPs")
  | summarize count() by SourceIP  
kind: Scheduled
entityMappings:
- entityType: IP
  fieldMappings:
  - columnName: SourceIP
    identifier: Address
name: Cisco SDWAN - Monitor Critical IPs
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Cisco SD-WAN/Analytic Rules/CiscoSDWANSentinelMonitorCriticalIP.yaml
description: |
    'This analytic rule will monitor critical IPs in Syslog and Netflow Data.'
status: Available
incidentConfiguration:
  createIncident: true
{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "workspace": {
      "type": "String"
    }
  },
  "resources": [
    {
      "apiVersion": "2024-01-01-preview",
      "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/a62a207e-62be-4a74-acab-4466d5b3854f')]",
      "kind": "Scheduled",
      "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/a62a207e-62be-4a74-acab-4466d5b3854f')]",
      "properties": {
        "alertRuleTemplateName": "a62a207e-62be-4a74-acab-4466d5b3854f",
        "customDetails": {
          "critical_ip": "SourceIP"
        },
        "description": "'This analytic rule will monitor critical IPs in Syslog and Netflow Data.'\n",
        "displayName": "Cisco SDWAN - Monitor Critical IPs",
        "enabled": true,
        "entityMappings": [
          {
            "entityType": "IP",
            "fieldMappings": [
              {
                "columnName": "SourceIP",
                "identifier": "Address"
              }
            ]
          }
        ],
        "eventGroupingSettings": {
          "aggregationKind": "AlertPerResult"
        },
        "incidentConfiguration": {
          "createIncident": true
        },
        "OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Cisco SD-WAN/Analytic Rules/CiscoSDWANSentinelMonitorCriticalIP.yaml",
        "query": "CiscoSyslogUTD\n| union (CiscoSDWANNetflow)\n| where isnotempty(SourceIP) or isnotempty(NetflowFwSrcAddrIpv4)\n| extend SourceIP = coalesce(SourceIP, NetflowFwSrcAddrIpv4)\n| where ipv4_is_in_any_range(SourceIP, \"Enter comma-separated IPs\")\n| summarize count() by SourceIP\n",
        "queryFrequency": "PT3H",
        "queryPeriod": "PT3H",
        "severity": "High",
        "status": "Available",
        "subTechniques": [],
        "suppressionDuration": "PT1H",
        "suppressionEnabled": false,
        "tactics": [
          "CommandAndControl"
        ],
        "techniques": [
          "T1071"
        ],
        "templateVersion": "1.0.1",
        "triggerOperator": "GreaterThan",
        "triggerThreshold": 0
      },
      "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules"
    }
  ]
}