Microsoft Sentinel Analytic Rules
cloudbrothers.infoAzure Sentinel RepoToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeBack to homepage

Cisco SDWAN - IPS Event Threshold

Back
Iddc3627c3-f9de-4f17-bfd3-ba99b64a0a67
RulenameCisco SDWAN - IPS Event Threshold
DescriptionThis analytic rule will monitor specific IPS event in the data.
SeverityHigh
TacticsDiscovery
Required data connectorsCiscoSDWAN
KindScheduled
Query frequency3h
Query period3h
Trigger threshold0
Trigger operatorgt
Source Urihttps://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Cisco SD-WAN/Analytic Rules/CiscoSDWANSentinelIPSEventThreshold.yaml
Version1.0.0
Arm templatedc3627c3-f9de-4f17-bfd3-ba99b64a0a67.json
Deploy To Azure
CiscoSyslogUTD 
| where Classification == "Enter classification" 
| summarize count() by Classification 
| where count_ > 10
incidentConfiguration:
  createIncident: true
name: Cisco SDWAN - IPS Event Threshold
status: Available
triggerThreshold: 0
severity: High
tactics:
- Discovery
customDetails:
  classification: Classification
  classification_count: count_
entityMappings:
- entityType: Malware
  fieldMappings:
  - columnName: Classification
    identifier: Name
queryPeriod: 3h
queryFrequency: 3h
version: 1.0.0
triggerOperator: gt
description: |
    'This analytic rule will monitor specific IPS event in the data.'
query: |
  CiscoSyslogUTD 
  | where Classification == "Enter classification" 
  | summarize count() by Classification 
  | where count_ > 10  
id: dc3627c3-f9de-4f17-bfd3-ba99b64a0a67
requiredDataConnectors:
- dataTypes:
  - CiscoSyslogUTD
  connectorId: CiscoSDWAN
eventGroupingSettings:
  aggregationKind: AlertPerResult
kind: Scheduled
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Cisco SD-WAN/Analytic Rules/CiscoSDWANSentinelIPSEventThreshold.yaml
{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "workspace": {
      "type": "String"
    }
  },
  "resources": [
    {
      "apiVersion": "2023-02-01-preview",
      "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/dc3627c3-f9de-4f17-bfd3-ba99b64a0a67')]",
      "kind": "Scheduled",
      "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/dc3627c3-f9de-4f17-bfd3-ba99b64a0a67')]",
      "properties": {
        "alertRuleTemplateName": "dc3627c3-f9de-4f17-bfd3-ba99b64a0a67",
        "customDetails": {
          "classification": "Classification",
          "classification_count": "count_"
        },
        "description": "'This analytic rule will monitor specific IPS event in the data.'\n",
        "displayName": "Cisco SDWAN - IPS Event Threshold",
        "enabled": true,
        "entityMappings": [
          {
            "entityType": "Malware",
            "fieldMappings": [
              {
                "columnName": "Classification",
                "identifier": "Name"
              }
            ]
          }
        ],
        "eventGroupingSettings": {
          "aggregationKind": "AlertPerResult"
        },
        "incidentConfiguration": {
          "createIncident": true
        },
        "OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Cisco SD-WAN/Analytic Rules/CiscoSDWANSentinelIPSEventThreshold.yaml",
        "query": "CiscoSyslogUTD \n| where Classification == \"Enter classification\" \n| summarize count() by Classification \n| where count_ > 10\n",
        "queryFrequency": "PT3H",
        "queryPeriod": "PT3H",
        "severity": "High",
        "status": "Available",
        "suppressionDuration": "PT1H",
        "suppressionEnabled": false,
        "tactics": [
          "Discovery"
        ],
        "templateVersion": "1.0.0",
        "triggerOperator": "GreaterThan",
        "triggerThreshold": 0
      },
      "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules"
    }
  ]
}