Cisco SDWAN - IPS Event Threshold

Back


Id	dc3627c3-f9de-4f17-bfd3-ba99b64a0a67
Rulename	Cisco SDWAN - IPS Event Threshold
Description	This analytic rule will monitor specific IPS event in the data.
Severity	High
Tactics	InitialAccess
Techniques	T1190 T1189
Required data connectors	CiscoSDWAN
Kind	Scheduled
Query frequency	3h
Query period	3h
Trigger threshold	0
Trigger operator	gt
Source Uri	https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Cisco SD-WAN/Analytic Rules/CiscoSDWANSentinelIPSEventThreshold.yaml
Version	1.0.1
Arm template	dc3627c3-f9de-4f17-bfd3-ba99b64a0a67.json

KQL

CiscoSyslogUTD 
| where Classification == "Enter classification" 
| summarize count() by Classification 
| where count_ > 10

YAML

OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Cisco SD-WAN/Analytic Rules/CiscoSDWANSentinelIPSEventThreshold.yaml
query: |
  CiscoSyslogUTD 
  | where Classification == "Enter classification" 
  | summarize count() by Classification 
  | where count_ > 10  
description: |
    'This analytic rule will monitor specific IPS event in the data.'
severity: High
requiredDataConnectors:
- dataTypes:
  - CiscoSyslogUTD
  connectorId: CiscoSDWAN
incidentConfiguration:
  createIncident: true
eventGroupingSettings:
  aggregationKind: AlertPerResult
name: Cisco SDWAN - IPS Event Threshold
triggerThreshold: 0
customDetails:
  classification: Classification
  classification_count: count_
tactics:
- InitialAccess
version: 1.0.1
relevantTechniques:
- T1190
- T1189
triggerOperator: gt
entityMappings:
- entityType: Malware
  fieldMappings:
  - columnName: Classification
    identifier: Name
id: dc3627c3-f9de-4f17-bfd3-ba99b64a0a67
status: Available
kind: Scheduled
queryFrequency: 3h
queryPeriod: 3h

ARM

{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "workspace": {
      "type": "String"
    }
  },
  "resources": [
    {
      "apiVersion": "2024-01-01-preview",
      "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/dc3627c3-f9de-4f17-bfd3-ba99b64a0a67')]",
      "kind": "Scheduled",
      "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/dc3627c3-f9de-4f17-bfd3-ba99b64a0a67')]",
      "properties": {
        "alertRuleTemplateName": "dc3627c3-f9de-4f17-bfd3-ba99b64a0a67",
        "customDetails": {
          "classification": "Classification",
          "classification_count": "count_"
        },
        "description": "'This analytic rule will monitor specific IPS event in the data.'\n",
        "displayName": "Cisco SDWAN - IPS Event Threshold",
        "enabled": true,
        "entityMappings": [
          {
            "entityType": "Malware",
            "fieldMappings": [
              {
                "columnName": "Classification",
                "identifier": "Name"
              }
            ]
          }
        ],
        "eventGroupingSettings": {
          "aggregationKind": "AlertPerResult"
        },
        "incidentConfiguration": {
          "createIncident": true
        },
        "OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Cisco SD-WAN/Analytic Rules/CiscoSDWANSentinelIPSEventThreshold.yaml",
        "query": "CiscoSyslogUTD \n| where Classification == \"Enter classification\" \n| summarize count() by Classification \n| where count_ > 10\n",
        "queryFrequency": "PT3H",
        "queryPeriod": "PT3H",
        "severity": "High",
        "status": "Available",
        "subTechniques": [],
        "suppressionDuration": "PT1H",
        "suppressionEnabled": false,
        "tactics": [
          "InitialAccess"
        ],
        "techniques": [
          "T1189",
          "T1190"
        ],
        "templateVersion": "1.0.1",
        "triggerOperator": "GreaterThan",
        "triggerThreshold": 0
      },
      "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules"
    }
  ]
}