Cisco SDWAN - Maleware Events
Id | cb14defd-3415-4420-a2e4-2dd0f3e07a86 |
Rulename | Cisco SDWAN - Maleware Events |
Description | This analytic rule will monitor Malware Events in Syslog and Netflow Data |
Severity | High |
Tactics | ResourceDevelopment |
Techniques | T1587.001 |
Required data connectors | CiscoSDWAN |
Kind | Scheduled |
Query frequency | 3h |
Query period | 3h |
Trigger threshold | 0 |
Trigger operator | gt |
Source Uri | https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Cisco SD-WAN/Analytic Rules/CiscoSDWANSentinelMalwareEvents.yaml |
Version | 1.0.1 |
Arm template | cb14defd-3415-4420-a2e4-2dd0f3e07a86.json |
CiscoSyslogUTD
| where isnotempty(Malware) and Malware != "None"
| distinct Malware, SourceIP
| join kind=inner (CiscoSDWANNetflow
| where isnotempty(NetflowUsername)
| summarize arg_max(TimeStamp, NetflowUsername) by NetflowFwSrcAddrIpv4
| distinct
["Username"] = NetflowUsername,
["SourceIP"] = NetflowFwSrcAddrIpv4) on SourceIP
| project Malware, SourceIP, Username
incidentConfiguration:
createIncident: true
relevantTechniques:
- T1587.001
description: |
'This analytic rule will monitor Malware Events in Syslog and Netflow Data'
queryPeriod: 3h
queryFrequency: 3h
tactics:
- ResourceDevelopment
name: Cisco SDWAN - Maleware Events
requiredDataConnectors:
- connectorId: CiscoSDWAN
dataTypes:
- CiscoSyslogUTD
- connectorId: CiscoSDWAN
dataTypes:
- CiscoSDWANNetflow
customDetails:
mal_malware: Malware
mal_username: Username
mal_src_ip: SourceIP
entityMappings:
- entityType: IP
fieldMappings:
- identifier: Address
columnName: SourceIP
- entityType: Malware
fieldMappings:
- identifier: Name
columnName: Malware
- entityType: Account
fieldMappings:
- identifier: Name
columnName: Username
triggerThreshold: 0
version: 1.0.1
id: cb14defd-3415-4420-a2e4-2dd0f3e07a86
query: |
CiscoSyslogUTD
| where isnotempty(Malware) and Malware != "None"
| distinct Malware, SourceIP
| join kind=inner (CiscoSDWANNetflow
| where isnotempty(NetflowUsername)
| summarize arg_max(TimeStamp, NetflowUsername) by NetflowFwSrcAddrIpv4
| distinct
["Username"] = NetflowUsername,
["SourceIP"] = NetflowFwSrcAddrIpv4) on SourceIP
| project Malware, SourceIP, Username
kind: Scheduled
status: Available
eventGroupingSettings:
aggregationKind: AlertPerResult
triggerOperator: gt
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Cisco SD-WAN/Analytic Rules/CiscoSDWANSentinelMalwareEvents.yaml
severity: High
{
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"parameters": {
"workspace": {
"type": "String"
}
},
"resources": [
{
"apiVersion": "2024-01-01-preview",
"id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/cb14defd-3415-4420-a2e4-2dd0f3e07a86')]",
"kind": "Scheduled",
"name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/cb14defd-3415-4420-a2e4-2dd0f3e07a86')]",
"properties": {
"alertRuleTemplateName": "cb14defd-3415-4420-a2e4-2dd0f3e07a86",
"customDetails": {
"mal_malware": "Malware",
"mal_src_ip": "SourceIP",
"mal_username": "Username"
},
"description": "'This analytic rule will monitor Malware Events in Syslog and Netflow Data'\n",
"displayName": "Cisco SDWAN - Maleware Events",
"enabled": true,
"entityMappings": [
{
"entityType": "IP",
"fieldMappings": [
{
"columnName": "SourceIP",
"identifier": "Address"
}
]
},
{
"entityType": "Malware",
"fieldMappings": [
{
"columnName": "Malware",
"identifier": "Name"
}
]
},
{
"entityType": "Account",
"fieldMappings": [
{
"columnName": "Username",
"identifier": "Name"
}
]
}
],
"eventGroupingSettings": {
"aggregationKind": "AlertPerResult"
},
"incidentConfiguration": {
"createIncident": true
},
"OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Cisco SD-WAN/Analytic Rules/CiscoSDWANSentinelMalwareEvents.yaml",
"query": "CiscoSyslogUTD\n| where isnotempty(Malware) and Malware != \"None\"\n| distinct Malware, SourceIP\n| join kind=inner (CiscoSDWANNetflow\n| where isnotempty(NetflowUsername)\n| summarize arg_max(TimeStamp, NetflowUsername) by NetflowFwSrcAddrIpv4\n| distinct \n [\"Username\"] = NetflowUsername,\n [\"SourceIP\"] = NetflowFwSrcAddrIpv4) on SourceIP\n| project Malware, SourceIP, Username\n",
"queryFrequency": "PT3H",
"queryPeriod": "PT3H",
"severity": "High",
"status": "Available",
"subTechniques": [
"T1587.001"
],
"suppressionDuration": "PT1H",
"suppressionEnabled": false,
"tactics": [
"ResourceDevelopment"
],
"techniques": [
"T1587"
],
"templateVersion": "1.0.1",
"triggerOperator": "GreaterThan",
"triggerThreshold": 0
},
"type": "Microsoft.OperationalInsights/workspaces/providers/alertRules"
}
]
}