Cisco SDWAN - IPS Event Threshold

Back


Id	dc3627c3-f9de-4f17-bfd3-ba99b64a0a67
Rulename	Cisco SDWAN - IPS Event Threshold
Description	This analytic rule will monitor specific IPS event in the data.
Severity	High
Tactics	Discovery
Required data connectors	CiscoSDWAN
Kind	Scheduled
Query frequency	3h
Query period	3h
Trigger threshold	0
Trigger operator	gt
Source Uri	https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Cisco SD-WAN/Analytic Rules/CiscoSDWANSentinelIPSEventThreshold.yaml
Version	1.0.0
Arm template	dc3627c3-f9de-4f17-bfd3-ba99b64a0a67.json

KQL

CiscoSyslogUTD 
| where Classification == "Enter classification" 
| summarize count() by Classification 
| where count_ > 10

YAML

severity: High
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Cisco SD-WAN/Analytic Rules/CiscoSDWANSentinelIPSEventThreshold.yaml
incidentConfiguration:
  createIncident: true
requiredDataConnectors:
- dataTypes:
  - CiscoSyslogUTD
  connectorId: CiscoSDWAN
id: dc3627c3-f9de-4f17-bfd3-ba99b64a0a67
tactics:
- Discovery
queryFrequency: 3h
eventGroupingSettings:
  aggregationKind: AlertPerResult
triggerOperator: gt
customDetails:
  classification_count: count_
  classification: Classification
description: |
    'This analytic rule will monitor specific IPS event in the data.'
triggerThreshold: 0
kind: Scheduled
name: Cisco SDWAN - IPS Event Threshold
query: |
  CiscoSyslogUTD 
  | where Classification == "Enter classification" 
  | summarize count() by Classification 
  | where count_ > 10  
entityMappings:
- entityType: Malware
  fieldMappings:
  - columnName: Classification
    identifier: Name
status: Available
version: 1.0.0
queryPeriod: 3h

ARM

{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "workspace": {
      "type": "String"
    }
  },
  "resources": [
    {
      "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/dc3627c3-f9de-4f17-bfd3-ba99b64a0a67')]",
      "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/dc3627c3-f9de-4f17-bfd3-ba99b64a0a67')]",
      "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
      "kind": "Scheduled",
      "apiVersion": "2022-11-01-preview",
      "properties": {
        "displayName": "Cisco SDWAN - IPS Event Threshold",
        "description": "'This analytic rule will monitor specific IPS event in the data.'\n",
        "severity": "High",
        "enabled": true,
        "query": "CiscoSyslogUTD \n| where Classification == \"Enter classification\" \n| summarize count() by Classification \n| where count_ > 10\n",
        "queryFrequency": "PT3H",
        "queryPeriod": "PT3H",
        "triggerOperator": "GreaterThan",
        "triggerThreshold": 0,
        "suppressionDuration": "PT1H",
        "suppressionEnabled": false,
        "tactics": [
          "Discovery"
        ],
        "alertRuleTemplateName": "dc3627c3-f9de-4f17-bfd3-ba99b64a0a67",
        "incidentConfiguration": {
          "createIncident": true
        },
        "eventGroupingSettings": {
          "aggregationKind": "AlertPerResult"
        },
        "customDetails": {
          "classification_count": "count_",
          "classification": "Classification"
        },
        "entityMappings": [
          {
            "fieldMappings": [
              {
                "identifier": "Name",
                "columnName": "Classification"
              }
            ],
            "entityType": "Malware"
          }
        ],
        "status": "Available",
        "templateVersion": "1.0.0",
        "OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Cisco SD-WAN/Analytic Rules/CiscoSDWANSentinelIPSEventThreshold.yaml"
      }
    }
  ]
}