Microsoft Sentinel Analytic Rules
cloudbrothers.infoAzure Sentinel RepoToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeBack to homepage
  1. Microsoft Sentinel Analytics Rules
  2. /
  3. Analytic Rules
  4. /
  5. Illumio VEN Clone Detection Rule

Illumio VEN Clone Detection Rule

Back
Idb3c4b8f4-c12c-471e-9999-023c05852276
RulenameIllumio VEN Clone Detection Rule
DescriptionCreate Microsoft Sentinel Incident When A Cloned Ven Is Detected
SeverityHigh
TacticsDefenseEvasion
TechniquesT1562
Required data connectorsIllumioSaaSDataConnector
SyslogAma
KindScheduled
Query frequency60m
Query period60m
Trigger threshold0
Trigger operatorgt
Source Urihttps://github.com/Azure/Azure-Sentinel/blob/master/Solutions/IllumioSaaS/Analytic Rules/Illumio_VEN_Clone_Detection_Query.yaml
Version1.0.6
Arm templateb3c4b8f4-c12c-471e-9999-023c05852276.json
Deploy To Azure
Illumio_Auditable_Events_CL
| union IllumioSyslogAuditEvents  
| where event_type has 'agent.clone_detected'
| extend hostname = created_by.agent.hostname,
        ven_href = created_by.ven.href

name: Illumio VEN Clone Detection Rule
alertDetailsOverride:
  alertDisplayNameFormat: |
        Illumio VEN Clone Detection Incident for {{hostname}}
  alertDescriptionFormat: |
        Illumio VEN Clone Detection for {{hostname}} generated at {{TimeGenerated}}
id: b3c4b8f4-c12c-471e-9999-023c05852276
description: |
    'Create Microsoft Sentinel Incident When A Cloned Ven Is Detected'
triggerThreshold: 0
entityMappings:
- fieldMappings:
  - columnName: hostname
    identifier: HostName
  entityType: Host
version: 1.0.6
triggerOperator: gt
query: |
  Illumio_Auditable_Events_CL
  | union IllumioSyslogAuditEvents  
  | where event_type has 'agent.clone_detected'
  | extend hostname = created_by.agent.hostname,
          ven_href = created_by.ven.href  
tactics:
- DefenseEvasion
kind: Scheduled
queryFrequency: 60m
severity: High
queryPeriod: 60m
requiredDataConnectors:
- dataTypes:
  - Illumio_Auditable_Events_CL
  connectorId: IllumioSaaSDataConnector
- datatypes:
  - Syslog
  connectorId: SyslogAma
status: Available
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/IllumioSaaS/Analytic Rules/Illumio_VEN_Clone_Detection_Query.yaml
eventGroupingSettings:
  aggregationKind: SingleAlert
relevantTechniques:
- T1562