Illumio VEN Clone Detection Rule

Illumio_Auditable_Events_CL
| union IllumioSyslogAuditEvents  
| where event_type has 'agent.clone_detected'
| extend hostname = created_by.agent.hostname,
        ven_href = created_by.ven.href

version: 1.0.6
requiredDataConnectors:
- connectorId: IllumioSaaSDataConnector
  dataTypes:
  - Illumio_Auditable_Events_CL
- connectorId: SyslogAma
  datatypes:
  - Syslog
status: Available
entityMappings:
- fieldMappings:
  - identifier: HostName
    columnName: hostname
  entityType: Host
tactics:
- DefenseEvasion
relevantTechniques:
- T1562
queryFrequency: 60m
alertDetailsOverride:
  alertDisplayNameFormat: |
        Illumio VEN Clone Detection Incident for {{hostname}}
  alertDescriptionFormat: |
        Illumio VEN Clone Detection for {{hostname}} generated at {{TimeGenerated}}
severity: High
name: Illumio VEN Clone Detection Rule
description: |
    'Create Microsoft Sentinel Incident When A Cloned Ven Is Detected'
triggerThreshold: 0
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/IllumioSaaS/Analytic Rules/Illumio_VEN_Clone_Detection_Query.yaml
query: |
  Illumio_Auditable_Events_CL
  | union IllumioSyslogAuditEvents  
  | where event_type has 'agent.clone_detected'
  | extend hostname = created_by.agent.hostname,
          ven_href = created_by.ven.href  
eventGroupingSettings:
  aggregationKind: SingleAlert
kind: Scheduled
queryPeriod: 60m
triggerOperator: gt
id: b3c4b8f4-c12c-471e-9999-023c05852276