Microsoft Sentinel Analytic Rules
cloudbrothers.infoAzure Sentinel RepoToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeBack to homepage

Cisco SDWAN - IPS Event Threshold

Back
Iddc3627c3-f9de-4f17-bfd3-ba99b64a0a67
RulenameCisco SDWAN - IPS Event Threshold
DescriptionThis analytic rule will monitor specific IPS event in the data.
SeverityHigh
TacticsInitialAccess
TechniquesT1190
T1189
Required data connectorsCiscoSDWAN
KindScheduled
Query frequency3h
Query period3h
Trigger threshold0
Trigger operatorgt
Source Urihttps://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Cisco SD-WAN/Analytic Rules/CiscoSDWANSentinelIPSEventThreshold.yaml
Version1.0.1
Arm templatedc3627c3-f9de-4f17-bfd3-ba99b64a0a67.json
Deploy To Azure
CiscoSyslogUTD 
| where Classification == "Enter classification" 
| summarize count() by Classification 
| where count_ > 10
status: Available
queryFrequency: 3h
description: |
    'This analytic rule will monitor specific IPS event in the data.'
customDetails:
  classification_count: count_
  classification: Classification
severity: High
version: 1.0.1
relevantTechniques:
- T1190
- T1189
incidentConfiguration:
  createIncident: true
name: Cisco SDWAN - IPS Event Threshold
triggerThreshold: 0
eventGroupingSettings:
  aggregationKind: AlertPerResult
query: |
  CiscoSyslogUTD 
  | where Classification == "Enter classification" 
  | summarize count() by Classification 
  | where count_ > 10  
triggerOperator: gt
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Cisco SD-WAN/Analytic Rules/CiscoSDWANSentinelIPSEventThreshold.yaml
requiredDataConnectors:
- connectorId: CiscoSDWAN
  dataTypes:
  - CiscoSyslogUTD
kind: Scheduled
tactics:
- InitialAccess
id: dc3627c3-f9de-4f17-bfd3-ba99b64a0a67
queryPeriod: 3h
entityMappings:
- fieldMappings:
  - columnName: Classification
    identifier: Name
  entityType: Malware
{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "workspace": {
      "type": "String"
    }
  },
  "resources": [
    {
      "apiVersion": "2024-01-01-preview",
      "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/dc3627c3-f9de-4f17-bfd3-ba99b64a0a67')]",
      "kind": "Scheduled",
      "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/dc3627c3-f9de-4f17-bfd3-ba99b64a0a67')]",
      "properties": {
        "alertRuleTemplateName": "dc3627c3-f9de-4f17-bfd3-ba99b64a0a67",
        "customDetails": {
          "classification": "Classification",
          "classification_count": "count_"
        },
        "description": "'This analytic rule will monitor specific IPS event in the data.'\n",
        "displayName": "Cisco SDWAN - IPS Event Threshold",
        "enabled": true,
        "entityMappings": [
          {
            "entityType": "Malware",
            "fieldMappings": [
              {
                "columnName": "Classification",
                "identifier": "Name"
              }
            ]
          }
        ],
        "eventGroupingSettings": {
          "aggregationKind": "AlertPerResult"
        },
        "incidentConfiguration": {
          "createIncident": true
        },
        "OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Cisco SD-WAN/Analytic Rules/CiscoSDWANSentinelIPSEventThreshold.yaml",
        "query": "CiscoSyslogUTD \n| where Classification == \"Enter classification\" \n| summarize count() by Classification \n| where count_ > 10\n",
        "queryFrequency": "PT3H",
        "queryPeriod": "PT3H",
        "severity": "High",
        "status": "Available",
        "subTechniques": [],
        "suppressionDuration": "PT1H",
        "suppressionEnabled": false,
        "tactics": [
          "InitialAccess"
        ],
        "techniques": [
          "T1189",
          "T1190"
        ],
        "templateVersion": "1.0.1",
        "triggerOperator": "GreaterThan",
        "triggerThreshold": 0
      },
      "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules"
    }
  ]
}