Microsoft Sentinel Analytic Rules
cloudbrothers.infoAzure Sentinel RepoToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeBack to homepage
  1. Microsoft Sentinel Analytics Rules
  2. /
  3. Analytic Rules
  4. /
  5. Illumio VEN Deactivated Detection Rule

Illumio VEN Deactivated Detection Rule

Back
Idc18bd8c2-50f0-4aa2-8122-d449243627d7
RulenameIllumio VEN Deactivated Detection Rule
DescriptionCreate Microsoft Sentinel Incident When Ven Goes Into Deactivated state
SeverityHigh
TacticsDefenseEvasion
TechniquesT1562
Required data connectorsIllumioSaaSDataConnector
KindScheduled
Query frequency60m
Query period60m
Trigger threshold0
Trigger operatorgt
Source Urihttps://github.com/Azure/Azure-Sentinel/blob/master/Solutions/IllumioSaaS/Analytic Rules/Illumio_VEN_Deactivated_Query.yaml
Version1.0.5
Arm templatec18bd8c2-50f0-4aa2-8122-d449243627d7.json
Deploy To Azure
Illumio_Auditable_Events_CL
| where event_type has 'agent.deactivate'
| mv-expand resource_changes
| extend hostname = resource_changes['resource']['workload']['hostname'],
    workload_href = resource_changes['resource']['workload']['href'],
    workload_labels = resource_changes['resource']['workload']['labels']
| extend ipaddress = action.src_ip,       
      ven_href = created_by.ven.href
| project-away resource_changes, action, version 

relevantTechniques:
- T1562
name: Illumio VEN Deactivated Detection Rule
requiredDataConnectors:
- dataTypes:
  - Illumio_Auditable_Events_CL
  connectorId: IllumioSaaSDataConnector
entityMappings:
- fieldMappings:
  - identifier: HostName
    columnName: hostname
  entityType: Host
- fieldMappings:
  - identifier: Address
    columnName: ipaddress
  entityType: IP
triggerThreshold: 0
id: c18bd8c2-50f0-4aa2-8122-d449243627d7
tactics:
- DefenseEvasion
version: 1.0.5
alertDetailsOverride:
  alertDisplayNameFormat: |
        Illumio VEN Deactivated Incident for {{hostname}}
  alertDescriptionFormat: |
        Illumio VEN Deactivated Incident for {{hostname}} generated at {{TimeGenerated}}
queryPeriod: 60m
kind: Scheduled
eventGroupingSettings:
  aggregationKind: SingleAlert
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/IllumioSaaS/Analytic Rules/Illumio_VEN_Deactivated_Query.yaml
queryFrequency: 60m
severity: High
status: Available
description: |
    'Create Microsoft Sentinel Incident When Ven Goes Into Deactivated state'
query: |
  Illumio_Auditable_Events_CL
  | where event_type has 'agent.deactivate'
  | mv-expand resource_changes
  | extend hostname = resource_changes['resource']['workload']['hostname'],
      workload_href = resource_changes['resource']['workload']['href'],
      workload_labels = resource_changes['resource']['workload']['labels']
  | extend ipaddress = action.src_ip,       
        ven_href = created_by.ven.href
  | project-away resource_changes, action, version   
triggerOperator: gt

{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "workspace": {
      "type": "String"
    }
  },
  "resources": [
    {
      "apiVersion": "2024-01-01-preview",
      "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/c18bd8c2-50f0-4aa2-8122-d449243627d7')]",
      "kind": "Scheduled",
      "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/c18bd8c2-50f0-4aa2-8122-d449243627d7')]",
      "properties": {
        "alertDetailsOverride": {
          "alertDescriptionFormat": "Illumio VEN Deactivated Incident for {{hostname}} generated at {{TimeGenerated}}\n",
          "alertDisplayNameFormat": "Illumio VEN Deactivated Incident for {{hostname}}\n"
        },
        "alertRuleTemplateName": "c18bd8c2-50f0-4aa2-8122-d449243627d7",
        "customDetails": null,
        "description": "'Create Microsoft Sentinel Incident When Ven Goes Into Deactivated state'\n",
        "displayName": "Illumio VEN Deactivated Detection Rule",
        "enabled": true,
        "entityMappings": [
          {
            "entityType": "Host",
            "fieldMappings": [
              {
                "columnName": "hostname",
                "identifier": "HostName"
              }
            ]
          },
          {
            "entityType": "IP",
            "fieldMappings": [
              {
                "columnName": "ipaddress",
                "identifier": "Address"
              }
            ]
          }
        ],
        "eventGroupingSettings": {
          "aggregationKind": "SingleAlert"
        },
        "OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/IllumioSaaS/Analytic Rules/Illumio_VEN_Deactivated_Query.yaml",
        "query": "Illumio_Auditable_Events_CL\n| where event_type has 'agent.deactivate'\n| mv-expand resource_changes\n| extend hostname = resource_changes['resource']['workload']['hostname'],\n    workload_href = resource_changes['resource']['workload']['href'],\n    workload_labels = resource_changes['resource']['workload']['labels']\n| extend ipaddress = action.src_ip,       \n      ven_href = created_by.ven.href\n| project-away resource_changes, action, version \n",
        "queryFrequency": "PT60M",
        "queryPeriod": "PT60M",
        "severity": "High",
        "status": "Available",
        "subTechniques": [],
        "suppressionDuration": "PT1H",
        "suppressionEnabled": false,
        "tactics": [
          "DefenseEvasion"
        ],
        "techniques": [
          "T1562"
        ],
        "templateVersion": "1.0.5",
        "triggerOperator": "GreaterThan",
        "triggerThreshold": 0
      },
      "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules"
    }
  ]
}