Microsoft Sentinel Analytic Rules
cloudbrothers.infoAzure Sentinel RepoToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeBack to homepage
  1. Microsoft Sentinel Analytics Rules
  2. /
  3. Analytic Rules
  4. /
  5. Cisco SDWAN - Maleware Events

Cisco SDWAN - Maleware Events

Back
Idcb14defd-3415-4420-a2e4-2dd0f3e07a86
RulenameCisco SDWAN - Maleware Events
DescriptionThis analytic rule will monitor Malware Events in Syslog and Netflow Data
SeverityHigh
TacticsResourceDevelopment
TechniquesT1587.001
Required data connectorsCiscoSDWAN
KindScheduled
Query frequency3h
Query period3h
Trigger threshold0
Trigger operatorgt
Source Urihttps://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Cisco SD-WAN/Analytic Rules/CiscoSDWANSentinelMalwareEvents.yaml
Version1.0.1
Arm templatecb14defd-3415-4420-a2e4-2dd0f3e07a86.json
Deploy To Azure
CiscoSyslogUTD
| where isnotempty(Malware) and Malware != "None"
| distinct Malware, SourceIP
| join kind=inner (CiscoSDWANNetflow
| where isnotempty(NetflowUsername)
| summarize arg_max(TimeStamp, NetflowUsername) by NetflowFwSrcAddrIpv4
| distinct 
    ["Username"] = NetflowUsername,
    ["SourceIP"] = NetflowFwSrcAddrIpv4) on SourceIP
| project Malware, SourceIP, Username

triggerThreshold: 0
requiredDataConnectors:
- connectorId: CiscoSDWAN
  dataTypes:
  - CiscoSyslogUTD
- connectorId: CiscoSDWAN
  dataTypes:
  - CiscoSDWANNetflow
severity: High
queryFrequency: 3h
id: cb14defd-3415-4420-a2e4-2dd0f3e07a86
relevantTechniques:
- T1587.001
queryPeriod: 3h
name: Cisco SDWAN - Maleware Events
status: Available
kind: Scheduled
incidentConfiguration:
  createIncident: true
tactics:
- ResourceDevelopment
triggerOperator: gt
version: 1.0.1
entityMappings:
- entityType: IP
  fieldMappings:
  - columnName: SourceIP
    identifier: Address
- entityType: Malware
  fieldMappings:
  - columnName: Malware
    identifier: Name
- entityType: Account
  fieldMappings:
  - columnName: Username
    identifier: Name
eventGroupingSettings:
  aggregationKind: AlertPerResult
customDetails:
  mal_malware: Malware
  mal_username: Username
  mal_src_ip: SourceIP
description: |
    'This analytic rule will monitor Malware Events in Syslog and Netflow Data'
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Cisco SD-WAN/Analytic Rules/CiscoSDWANSentinelMalwareEvents.yaml
query: |
  CiscoSyslogUTD
  | where isnotempty(Malware) and Malware != "None"
  | distinct Malware, SourceIP
  | join kind=inner (CiscoSDWANNetflow
  | where isnotempty(NetflowUsername)
  | summarize arg_max(TimeStamp, NetflowUsername) by NetflowFwSrcAddrIpv4
  | distinct 
      ["Username"] = NetflowUsername,
      ["SourceIP"] = NetflowFwSrcAddrIpv4) on SourceIP
  | project Malware, SourceIP, Username  

{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "workspace": {
      "type": "String"
    }
  },
  "resources": [
    {
      "apiVersion": "2024-01-01-preview",
      "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/cb14defd-3415-4420-a2e4-2dd0f3e07a86')]",
      "kind": "Scheduled",
      "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/cb14defd-3415-4420-a2e4-2dd0f3e07a86')]",
      "properties": {
        "alertRuleTemplateName": "cb14defd-3415-4420-a2e4-2dd0f3e07a86",
        "customDetails": {
          "mal_malware": "Malware",
          "mal_src_ip": "SourceIP",
          "mal_username": "Username"
        },
        "description": "'This analytic rule will monitor Malware Events in Syslog and Netflow Data'\n",
        "displayName": "Cisco SDWAN - Maleware Events",
        "enabled": true,
        "entityMappings": [
          {
            "entityType": "IP",
            "fieldMappings": [
              {
                "columnName": "SourceIP",
                "identifier": "Address"
              }
            ]
          },
          {
            "entityType": "Malware",
            "fieldMappings": [
              {
                "columnName": "Malware",
                "identifier": "Name"
              }
            ]
          },
          {
            "entityType": "Account",
            "fieldMappings": [
              {
                "columnName": "Username",
                "identifier": "Name"
              }
            ]
          }
        ],
        "eventGroupingSettings": {
          "aggregationKind": "AlertPerResult"
        },
        "incidentConfiguration": {
          "createIncident": true
        },
        "OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Cisco SD-WAN/Analytic Rules/CiscoSDWANSentinelMalwareEvents.yaml",
        "query": "CiscoSyslogUTD\n| where isnotempty(Malware) and Malware != \"None\"\n| distinct Malware, SourceIP\n| join kind=inner (CiscoSDWANNetflow\n| where isnotempty(NetflowUsername)\n| summarize arg_max(TimeStamp, NetflowUsername) by NetflowFwSrcAddrIpv4\n| distinct \n    [\"Username\"] = NetflowUsername,\n    [\"SourceIP\"] = NetflowFwSrcAddrIpv4) on SourceIP\n| project Malware, SourceIP, Username\n",
        "queryFrequency": "PT3H",
        "queryPeriod": "PT3H",
        "severity": "High",
        "status": "Available",
        "subTechniques": [
          "T1587.001"
        ],
        "suppressionDuration": "PT1H",
        "suppressionEnabled": false,
        "tactics": [
          "ResourceDevelopment"
        ],
        "techniques": [
          "T1587"
        ],
        "templateVersion": "1.0.1",
        "triggerOperator": "GreaterThan",
        "triggerThreshold": 0
      },
      "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules"
    }
  ]
}