CiscoSyslogUTD
| where isnotempty(Malware) and Malware != "None"
| distinct Malware, SourceIP
| join kind=inner (CiscoSDWANNetflow
| where isnotempty(NetflowUsername)
| summarize arg_max(TimeStamp, NetflowUsername) by NetflowFwSrcAddrIpv4
| distinct
["Username"] = NetflowUsername,
["SourceIP"] = NetflowFwSrcAddrIpv4) on SourceIP
| project Malware, SourceIP, Username
kind: Scheduled
relevantTechniques:
- T1587.001
id: cb14defd-3415-4420-a2e4-2dd0f3e07a86
queryPeriod: 3h
incidentConfiguration:
createIncident: true
triggerThreshold: 0
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Cisco SD-WAN/Analytic Rules/CiscoSDWANSentinelMalwareEvents.yaml
entityMappings:
- fieldMappings:
- columnName: SourceIP
identifier: Address
entityType: IP
- fieldMappings:
- columnName: Malware
identifier: Name
entityType: Malware
- fieldMappings:
- columnName: Username
identifier: Name
entityType: Account
version: 1.0.1
severity: High
query: |
CiscoSyslogUTD
| where isnotempty(Malware) and Malware != "None"
| distinct Malware, SourceIP
| join kind=inner (CiscoSDWANNetflow
| where isnotempty(NetflowUsername)
| summarize arg_max(TimeStamp, NetflowUsername) by NetflowFwSrcAddrIpv4
| distinct
["Username"] = NetflowUsername,
["SourceIP"] = NetflowFwSrcAddrIpv4) on SourceIP
| project Malware, SourceIP, Username
customDetails:
mal_malware: Malware
mal_username: Username
mal_src_ip: SourceIP
triggerOperator: gt
requiredDataConnectors:
- dataTypes:
- CiscoSyslogUTD
connectorId: CiscoSDWAN
- dataTypes:
- CiscoSDWANNetflow
connectorId: CiscoSDWAN
eventGroupingSettings:
aggregationKind: AlertPerResult
status: Available
description: |
'This analytic rule will monitor Malware Events in Syslog and Netflow Data'
name: Cisco SDWAN - Maleware Events
tactics:
- ResourceDevelopment
queryFrequency: 3h
