Illumio VEN Deactivated Detection Rule

Back


Id	c18bd8c2-50f0-4aa2-8122-d449243627d7
Rulename	Illumio VEN Deactivated Detection Rule
Description	Create Microsoft Sentinel Incident When Ven Goes Into Deactivated state
Severity	High
Tactics	DefenseEvasion
Techniques	T1562
Required data connectors	IllumioSaaSDataConnector SyslogAma
Kind	Scheduled
Query frequency	60m
Query period	60m
Trigger threshold	0
Trigger operator	gt
Source Uri	https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/IllumioSaaS/Analytic Rules/Illumio_VEN_Deactivated_Query.yaml
Version	1.0.6
Arm template	c18bd8c2-50f0-4aa2-8122-d449243627d7.json

KQL

Illumio_Auditable_Events_CL
| union IllumioSyslogAuditEvents  
| where event_type has 'agent.deactivate'
| mv-expand resource_changes
| extend hostname = resource_changes['resource']['workload']['hostname'],
    workload_href = resource_changes['resource']['workload']['href'],
    workload_labels = resource_changes['resource']['workload']['labels']
| extend ipaddress = action.src_ip,       
      ven_href = created_by.ven.href
| project-away resource_changes, action, version

YAML

id: c18bd8c2-50f0-4aa2-8122-d449243627d7
triggerOperator: gt
status: Available
entityMappings:
- fieldMappings:
  - identifier: HostName
    columnName: hostname
  entityType: Host
- fieldMappings:
  - identifier: Address
    columnName: ipaddress
  entityType: IP
description: |
    'Create Microsoft Sentinel Incident When Ven Goes Into Deactivated state'
severity: High
alertDetailsOverride:
  alertDisplayNameFormat: |
        Illumio VEN Deactivated Incident
  alertDescriptionFormat: |
        Illumio VEN Deactivated Incident generated at {{TimeGenerated}}
version: 1.0.6
eventGroupingSettings:
  aggregationKind: SingleAlert
relevantTechniques:
- T1562
tactics:
- DefenseEvasion
name: Illumio VEN Deactivated Detection Rule
queryFrequency: 60m
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/IllumioSaaS/Analytic Rules/Illumio_VEN_Deactivated_Query.yaml
query: |
  Illumio_Auditable_Events_CL
  | union IllumioSyslogAuditEvents  
  | where event_type has 'agent.deactivate'
  | mv-expand resource_changes
  | extend hostname = resource_changes['resource']['workload']['hostname'],
      workload_href = resource_changes['resource']['workload']['href'],
      workload_labels = resource_changes['resource']['workload']['labels']
  | extend ipaddress = action.src_ip,       
        ven_href = created_by.ven.href
  | project-away resource_changes, action, version   
kind: Scheduled
triggerThreshold: 0
requiredDataConnectors:
- dataTypes:
  - Illumio_Auditable_Events_CL
  connectorId: IllumioSaaSDataConnector
- datatypes:
  - Syslog
  connectorId: SyslogAma
queryPeriod: 60m

ARM

{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "workspace": {
      "type": "String"
    }
  },
  "resources": [
    {
      "apiVersion": "2024-01-01-preview",
      "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/c18bd8c2-50f0-4aa2-8122-d449243627d7')]",
      "kind": "Scheduled",
      "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/c18bd8c2-50f0-4aa2-8122-d449243627d7')]",
      "properties": {
        "alertDetailsOverride": {
          "alertDescriptionFormat": "Illumio VEN Deactivated Incident generated at {{TimeGenerated}}\n",
          "alertDisplayNameFormat": "Illumio VEN Deactivated Incident\n"
        },
        "alertRuleTemplateName": "c18bd8c2-50f0-4aa2-8122-d449243627d7",
        "customDetails": null,
        "description": "'Create Microsoft Sentinel Incident When Ven Goes Into Deactivated state'\n",
        "displayName": "Illumio VEN Deactivated Detection Rule",
        "enabled": true,
        "entityMappings": [
          {
            "entityType": "Host",
            "fieldMappings": [
              {
                "columnName": "hostname",
                "identifier": "HostName"
              }
            ]
          },
          {
            "entityType": "IP",
            "fieldMappings": [
              {
                "columnName": "ipaddress",
                "identifier": "Address"
              }
            ]
          }
        ],
        "eventGroupingSettings": {
          "aggregationKind": "SingleAlert"
        },
        "OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/IllumioSaaS/Analytic Rules/Illumio_VEN_Deactivated_Query.yaml",
        "query": "Illumio_Auditable_Events_CL\n| union IllumioSyslogAuditEvents  \n| where event_type has 'agent.deactivate'\n| mv-expand resource_changes\n| extend hostname = resource_changes['resource']['workload']['hostname'],\n    workload_href = resource_changes['resource']['workload']['href'],\n    workload_labels = resource_changes['resource']['workload']['labels']\n| extend ipaddress = action.src_ip,       \n      ven_href = created_by.ven.href\n| project-away resource_changes, action, version \n",
        "queryFrequency": "PT60M",
        "queryPeriod": "PT60M",
        "severity": "High",
        "status": "Available",
        "subTechniques": [],
        "suppressionDuration": "PT1H",
        "suppressionEnabled": false,
        "tactics": [
          "DefenseEvasion"
        ],
        "techniques": [
          "T1562"
        ],
        "templateVersion": "1.0.6",
        "triggerOperator": "GreaterThan",
        "triggerThreshold": 0
      },
      "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules"
    }
  ]
}