Cisco SDWAN - Maleware Events

Back


Id	cb14defd-3415-4420-a2e4-2dd0f3e07a86
Rulename	Cisco SDWAN - Maleware Events
Description	This analytic rule will monitor Malware Events in Syslog and Netflow Data
Severity	High
Tactics	ResourceDevelopment
Techniques	T1587.001
Required data connectors	CiscoSDWAN
Kind	Scheduled
Query frequency	3h
Query period	3h
Trigger threshold	0
Trigger operator	gt
Source Uri	https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Cisco SD-WAN/Analytic Rules/CiscoSDWANSentinelMalwareEvents.yaml
Version	1.0.1
Arm template	cb14defd-3415-4420-a2e4-2dd0f3e07a86.json

KQL

CiscoSyslogUTD
| where isnotempty(Malware) and Malware != "None"
| distinct Malware, SourceIP
| join kind=inner (CiscoSDWANNetflow
| where isnotempty(NetflowUsername)
| summarize arg_max(TimeStamp, NetflowUsername) by NetflowFwSrcAddrIpv4
| distinct 
    ["Username"] = NetflowUsername,
    ["SourceIP"] = NetflowFwSrcAddrIpv4) on SourceIP
| project Malware, SourceIP, Username

YAML

id: cb14defd-3415-4420-a2e4-2dd0f3e07a86
requiredDataConnectors:
- dataTypes:
  - CiscoSyslogUTD
  connectorId: CiscoSDWAN
- dataTypes:
  - CiscoSDWANNetflow
  connectorId: CiscoSDWAN
triggerThreshold: 0
incidentConfiguration:
  createIncident: true
queryPeriod: 3h
query: |
  CiscoSyslogUTD
  | where isnotempty(Malware) and Malware != "None"
  | distinct Malware, SourceIP
  | join kind=inner (CiscoSDWANNetflow
  | where isnotempty(NetflowUsername)
  | summarize arg_max(TimeStamp, NetflowUsername) by NetflowFwSrcAddrIpv4
  | distinct 
      ["Username"] = NetflowUsername,
      ["SourceIP"] = NetflowFwSrcAddrIpv4) on SourceIP
  | project Malware, SourceIP, Username  
name: Cisco SDWAN - Maleware Events
entityMappings:
- entityType: IP
  fieldMappings:
  - columnName: SourceIP
    identifier: Address
- entityType: Malware
  fieldMappings:
  - columnName: Malware
    identifier: Name
- entityType: Account
  fieldMappings:
  - columnName: Username
    identifier: Name
description: |
    'This analytic rule will monitor Malware Events in Syslog and Netflow Data'
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Cisco SD-WAN/Analytic Rules/CiscoSDWANSentinelMalwareEvents.yaml
tactics:
- ResourceDevelopment
triggerOperator: gt
version: 1.0.1
relevantTechniques:
- T1587.001
eventGroupingSettings:
  aggregationKind: AlertPerResult
customDetails:
  mal_malware: Malware
  mal_src_ip: SourceIP
  mal_username: Username
kind: Scheduled
status: Available
severity: High
queryFrequency: 3h

ARM

{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "workspace": {
      "type": "String"
    }
  },
  "resources": [
    {
      "apiVersion": "2024-01-01-preview",
      "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/cb14defd-3415-4420-a2e4-2dd0f3e07a86')]",
      "kind": "Scheduled",
      "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/cb14defd-3415-4420-a2e4-2dd0f3e07a86')]",
      "properties": {
        "alertRuleTemplateName": "cb14defd-3415-4420-a2e4-2dd0f3e07a86",
        "customDetails": {
          "mal_malware": "Malware",
          "mal_src_ip": "SourceIP",
          "mal_username": "Username"
        },
        "description": "'This analytic rule will monitor Malware Events in Syslog and Netflow Data'\n",
        "displayName": "Cisco SDWAN - Maleware Events",
        "enabled": true,
        "entityMappings": [
          {
            "entityType": "IP",
            "fieldMappings": [
              {
                "columnName": "SourceIP",
                "identifier": "Address"
              }
            ]
          },
          {
            "entityType": "Malware",
            "fieldMappings": [
              {
                "columnName": "Malware",
                "identifier": "Name"
              }
            ]
          },
          {
            "entityType": "Account",
            "fieldMappings": [
              {
                "columnName": "Username",
                "identifier": "Name"
              }
            ]
          }
        ],
        "eventGroupingSettings": {
          "aggregationKind": "AlertPerResult"
        },
        "incidentConfiguration": {
          "createIncident": true
        },
        "OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Cisco SD-WAN/Analytic Rules/CiscoSDWANSentinelMalwareEvents.yaml",
        "query": "CiscoSyslogUTD\n| where isnotempty(Malware) and Malware != \"None\"\n| distinct Malware, SourceIP\n| join kind=inner (CiscoSDWANNetflow\n| where isnotempty(NetflowUsername)\n| summarize arg_max(TimeStamp, NetflowUsername) by NetflowFwSrcAddrIpv4\n| distinct \n    [\"Username\"] = NetflowUsername,\n    [\"SourceIP\"] = NetflowFwSrcAddrIpv4) on SourceIP\n| project Malware, SourceIP, Username\n",
        "queryFrequency": "PT3H",
        "queryPeriod": "PT3H",
        "severity": "High",
        "status": "Available",
        "subTechniques": [
          "T1587.001"
        ],
        "suppressionDuration": "PT1H",
        "suppressionEnabled": false,
        "tactics": [
          "ResourceDevelopment"
        ],
        "techniques": [
          "T1587"
        ],
        "templateVersion": "1.0.1",
        "triggerOperator": "GreaterThan",
        "triggerThreshold": 0
      },
      "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules"
    }
  ]
}