Cisco SDWAN - IPS Event Threshold

Back


Id	dc3627c3-f9de-4f17-bfd3-ba99b64a0a67
Rulename	Cisco SDWAN - IPS Event Threshold
Description	This analytic rule will monitor specific IPS event in the data.
Severity	High
Tactics	InitialAccess
Techniques	T1190 T1189
Required data connectors	CiscoSDWAN
Kind	Scheduled
Query frequency	3h
Query period	3h
Trigger threshold	0
Trigger operator	gt
Source Uri	https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Cisco SD-WAN/Analytic Rules/CiscoSDWANSentinelIPSEventThreshold.yaml
Version	1.0.1
Arm template	dc3627c3-f9de-4f17-bfd3-ba99b64a0a67.json

KQL

CiscoSyslogUTD 
| where Classification == "Enter classification" 
| summarize count() by Classification 
| where count_ > 10

YAML

name: Cisco SDWAN - IPS Event Threshold
relevantTechniques:
- T1190
- T1189
incidentConfiguration:
  createIncident: true
eventGroupingSettings:
  aggregationKind: AlertPerResult
requiredDataConnectors:
- dataTypes:
  - CiscoSyslogUTD
  connectorId: CiscoSDWAN
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Cisco SD-WAN/Analytic Rules/CiscoSDWANSentinelIPSEventThreshold.yaml
query: |
  CiscoSyslogUTD 
  | where Classification == "Enter classification" 
  | summarize count() by Classification 
  | where count_ > 10  
tactics:
- InitialAccess
description: |
    'This analytic rule will monitor specific IPS event in the data.'
entityMappings:
- fieldMappings:
  - columnName: Classification
    identifier: Name
  entityType: Malware
queryFrequency: 3h
triggerOperator: gt
version: 1.0.1
queryPeriod: 3h
status: Available
kind: Scheduled
severity: High
triggerThreshold: 0
id: dc3627c3-f9de-4f17-bfd3-ba99b64a0a67
customDetails:
  classification_count: count_
  classification: Classification

ARM

{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "workspace": {
      "type": "String"
    }
  },
  "resources": [
    {
      "apiVersion": "2024-01-01-preview",
      "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/dc3627c3-f9de-4f17-bfd3-ba99b64a0a67')]",
      "kind": "Scheduled",
      "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/dc3627c3-f9de-4f17-bfd3-ba99b64a0a67')]",
      "properties": {
        "alertRuleTemplateName": "dc3627c3-f9de-4f17-bfd3-ba99b64a0a67",
        "customDetails": {
          "classification": "Classification",
          "classification_count": "count_"
        },
        "description": "'This analytic rule will monitor specific IPS event in the data.'\n",
        "displayName": "Cisco SDWAN - IPS Event Threshold",
        "enabled": true,
        "entityMappings": [
          {
            "entityType": "Malware",
            "fieldMappings": [
              {
                "columnName": "Classification",
                "identifier": "Name"
              }
            ]
          }
        ],
        "eventGroupingSettings": {
          "aggregationKind": "AlertPerResult"
        },
        "incidentConfiguration": {
          "createIncident": true
        },
        "OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Cisco SD-WAN/Analytic Rules/CiscoSDWANSentinelIPSEventThreshold.yaml",
        "query": "CiscoSyslogUTD \n| where Classification == \"Enter classification\" \n| summarize count() by Classification \n| where count_ > 10\n",
        "queryFrequency": "PT3H",
        "queryPeriod": "PT3H",
        "severity": "High",
        "status": "Available",
        "subTechniques": [],
        "suppressionDuration": "PT1H",
        "suppressionEnabled": false,
        "tactics": [
          "InitialAccess"
        ],
        "techniques": [
          "T1189",
          "T1190"
        ],
        "templateVersion": "1.0.1",
        "triggerOperator": "GreaterThan",
        "triggerThreshold": 0
      },
      "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules"
    }
  ]
}