Cisco SDWAN - IPS Event Threshold

Back


Id	dc3627c3-f9de-4f17-bfd3-ba99b64a0a67
Rulename	Cisco SDWAN - IPS Event Threshold
Description	This analytic rule will monitor specific IPS event in the data.
Severity	High
Tactics	Discovery
Required data connectors	CiscoSDWAN
Kind	Scheduled
Query frequency	3h
Query period	3h
Trigger threshold	0
Trigger operator	gt
Source Uri	https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Cisco SD-WAN/Analytic Rules/CiscoSDWANSentinelIPSEventThreshold.yaml
Version	1.0.0
Arm template	dc3627c3-f9de-4f17-bfd3-ba99b64a0a67.json

KQL

CiscoSyslogUTD 
| where Classification == "Enter classification" 
| summarize count() by Classification 
| where count_ > 10

YAML

id: dc3627c3-f9de-4f17-bfd3-ba99b64a0a67
triggerThreshold: 0
eventGroupingSettings:
  aggregationKind: AlertPerResult
severity: High
customDetails:
  classification: Classification
  classification_count: count_
requiredDataConnectors:
- connectorId: CiscoSDWAN
  dataTypes:
  - CiscoSyslogUTD
entityMappings:
- fieldMappings:
  - identifier: Name
    columnName: Classification
  entityType: Malware
version: 1.0.0
query: |
  CiscoSyslogUTD 
  | where Classification == "Enter classification" 
  | summarize count() by Classification 
  | where count_ > 10  
queryPeriod: 3h
triggerOperator: gt
tactics:
- Discovery
incidentConfiguration:
  createIncident: true
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Cisco SD-WAN/Analytic Rules/CiscoSDWANSentinelIPSEventThreshold.yaml
status: Available
description: |
    'This analytic rule will monitor specific IPS event in the data.'
name: Cisco SDWAN - IPS Event Threshold
kind: Scheduled
queryFrequency: 3h

ARM

{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "workspace": {
      "type": "String"
    }
  },
  "resources": [
    {
      "apiVersion": "2023-02-01-preview",
      "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/dc3627c3-f9de-4f17-bfd3-ba99b64a0a67')]",
      "kind": "Scheduled",
      "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/dc3627c3-f9de-4f17-bfd3-ba99b64a0a67')]",
      "properties": {
        "alertRuleTemplateName": "dc3627c3-f9de-4f17-bfd3-ba99b64a0a67",
        "customDetails": {
          "classification": "Classification",
          "classification_count": "count_"
        },
        "description": "'This analytic rule will monitor specific IPS event in the data.'\n",
        "displayName": "Cisco SDWAN - IPS Event Threshold",
        "enabled": true,
        "entityMappings": [
          {
            "entityType": "Malware",
            "fieldMappings": [
              {
                "columnName": "Classification",
                "identifier": "Name"
              }
            ]
          }
        ],
        "eventGroupingSettings": {
          "aggregationKind": "AlertPerResult"
        },
        "incidentConfiguration": {
          "createIncident": true
        },
        "OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Cisco SD-WAN/Analytic Rules/CiscoSDWANSentinelIPSEventThreshold.yaml",
        "query": "CiscoSyslogUTD \n| where Classification == \"Enter classification\" \n| summarize count() by Classification \n| where count_ > 10\n",
        "queryFrequency": "PT3H",
        "queryPeriod": "PT3H",
        "severity": "High",
        "status": "Available",
        "suppressionDuration": "PT1H",
        "suppressionEnabled": false,
        "tactics": [
          "Discovery"
        ],
        "templateVersion": "1.0.0",
        "triggerOperator": "GreaterThan",
        "triggerThreshold": 0
      },
      "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules"
    }
  ]
}