Cisco SDWAN - Maleware Events

CiscoSyslogUTD
| where isnotempty(Malware) and Malware != "None"
| distinct Malware, SourceIP
| join kind=inner (CiscoSDWANNetflow
| where isnotempty(NetflowUsername)
| summarize arg_max(TimeStamp, NetflowUsername) by NetflowFwSrcAddrIpv4
| distinct 
    ["Username"] = NetflowUsername,
    ["SourceIP"] = NetflowFwSrcAddrIpv4) on SourceIP
| project Malware, SourceIP, Username

entityMappings:
- entityType: IP
  fieldMappings:
  - identifier: Address
    columnName: SourceIP
- entityType: Malware
  fieldMappings:
  - identifier: Name
    columnName: Malware
- entityType: Account
  fieldMappings:
  - identifier: Name
    columnName: Username
tactics:
- ResourceDevelopment
requiredDataConnectors:
- dataTypes:
  - CiscoSyslogUTD
  connectorId: CiscoSDWAN
- dataTypes:
  - CiscoSDWANNetflow
  connectorId: CiscoSDWAN
incidentConfiguration:
  createIncident: true
id: cb14defd-3415-4420-a2e4-2dd0f3e07a86
severity: High
eventGroupingSettings:
  aggregationKind: AlertPerResult
status: Available
customDetails:
  mal_username: Username
  mal_malware: Malware
  mal_src_ip: SourceIP
query: |
  CiscoSyslogUTD
  | where isnotempty(Malware) and Malware != "None"
  | distinct Malware, SourceIP
  | join kind=inner (CiscoSDWANNetflow
  | where isnotempty(NetflowUsername)
  | summarize arg_max(TimeStamp, NetflowUsername) by NetflowFwSrcAddrIpv4
  | distinct 
      ["Username"] = NetflowUsername,
      ["SourceIP"] = NetflowFwSrcAddrIpv4) on SourceIP
  | project Malware, SourceIP, Username  
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Cisco SD-WAN/Analytic Rules/CiscoSDWANSentinelMalwareEvents.yaml
kind: Scheduled
queryPeriod: 3h
version: 1.0.1
name: Cisco SDWAN - Maleware Events
queryFrequency: 3h
triggerThreshold: 0
relevantTechniques:
- T1587.001
description: |
    'This analytic rule will monitor Malware Events in Syslog and Netflow Data'
triggerOperator: gt