Microsoft Sentinel Analytic Rules
cloudbrothers.infoAzure Sentinel RepoToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeBack to homepage
  1. Microsoft Sentinel Analytics Rules
  2. /
  3. Analytic Rules
  4. /
  5. Illumio Firewall Tampering Analytic Rule

Illumio Firewall Tampering Analytic Rule

Back
Ide9e4e466-3970-4165-bc8d-7721c6ef34a6
RulenameIllumio Firewall Tampering Analytic Rule
DescriptionCreate Microsoft Sentinel Incident When Firewall Is Tampered With
SeverityMedium
TacticsDefenseEvasion
TechniquesT1562
Required data connectorsIllumioSaaSDataConnector
SyslogAma
KindScheduled
Query frequency60m
Query period60m
Trigger threshold0
Trigger operatorgt
Source Urihttps://github.com/Azure/Azure-Sentinel/blob/master/Solutions/IllumioSaaS/Analytic Rules/Illumio_VEN_Firewall_Tampering_Detection_Query.yaml
Version1.0.7
Arm templatee9e4e466-3970-4165-bc8d-7721c6ef34a6.json
Deploy To Azure
Illumio_Auditable_Events_CL
 | union IllumioSyslogAuditEvents 
 | where event_type has 'tampering'
 | extend ipaddress = action.src_ip,
           hostname = created_by.agent.hostname,
           ven_href = created_by.ven.href
 | project-away resource_changes, action, version

kind: Scheduled
alertDetailsOverride:
  alertDisplayNameFormat: |
        Illumio Firewall Tamper Incident for {{hostname}}
  alertDescriptionFormat: |
        Illumio Firewall Tamper Incident for {{hostname}} generated at {{TimeGenerated}}
tactics:
- DefenseEvasion
name: Illumio Firewall Tampering Analytic Rule
id: e9e4e466-3970-4165-bc8d-7721c6ef34a6
queryFrequency: 60m
severity: Medium
eventGroupingSettings:
  aggregationKind: SingleAlert
version: 1.0.7
triggerThreshold: 0
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/IllumioSaaS/Analytic Rules/Illumio_VEN_Firewall_Tampering_Detection_Query.yaml
queryPeriod: 60m
description: |
    'Create Microsoft Sentinel Incident When Firewall Is Tampered With'
triggerOperator: gt
status: Available
requiredDataConnectors:
- dataTypes:
  - Illumio_Auditable_Events_CL
  connectorId: IllumioSaaSDataConnector
- datatypes:
  - Syslog
  connectorId: SyslogAma
query: |
  Illumio_Auditable_Events_CL
   | union IllumioSyslogAuditEvents 
   | where event_type has 'tampering'
   | extend ipaddress = action.src_ip,
             hostname = created_by.agent.hostname,
             ven_href = created_by.ven.href
   | project-away resource_changes, action, version  
entityMappings:
- entityType: Host
  fieldMappings:
  - columnName: hostname
    identifier: HostName
- entityType: IP
  fieldMappings:
  - columnName: ipaddress
    identifier: Address
relevantTechniques:
- T1562

{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "workspace": {
      "type": "String"
    }
  },
  "resources": [
    {
      "apiVersion": "2024-01-01-preview",
      "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/e9e4e466-3970-4165-bc8d-7721c6ef34a6')]",
      "kind": "Scheduled",
      "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/e9e4e466-3970-4165-bc8d-7721c6ef34a6')]",
      "properties": {
        "alertDetailsOverride": {
          "alertDescriptionFormat": "Illumio Firewall Tamper Incident for {{hostname}} generated at {{TimeGenerated}}\n",
          "alertDisplayNameFormat": "Illumio Firewall Tamper Incident for {{hostname}}\n"
        },
        "alertRuleTemplateName": "e9e4e466-3970-4165-bc8d-7721c6ef34a6",
        "customDetails": null,
        "description": "'Create Microsoft Sentinel Incident When Firewall Is Tampered With'\n",
        "displayName": "Illumio Firewall Tampering Analytic Rule",
        "enabled": true,
        "entityMappings": [
          {
            "entityType": "Host",
            "fieldMappings": [
              {
                "columnName": "hostname",
                "identifier": "HostName"
              }
            ]
          },
          {
            "entityType": "IP",
            "fieldMappings": [
              {
                "columnName": "ipaddress",
                "identifier": "Address"
              }
            ]
          }
        ],
        "eventGroupingSettings": {
          "aggregationKind": "SingleAlert"
        },
        "OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/IllumioSaaS/Analytic Rules/Illumio_VEN_Firewall_Tampering_Detection_Query.yaml",
        "query": "Illumio_Auditable_Events_CL\n | union IllumioSyslogAuditEvents \n | where event_type has 'tampering'\n | extend ipaddress = action.src_ip,\n           hostname = created_by.agent.hostname,\n           ven_href = created_by.ven.href\n | project-away resource_changes, action, version\n",
        "queryFrequency": "PT60M",
        "queryPeriod": "PT60M",
        "severity": "Medium",
        "status": "Available",
        "subTechniques": [],
        "suppressionDuration": "PT1H",
        "suppressionEnabled": false,
        "tactics": [
          "DefenseEvasion"
        ],
        "techniques": [
          "T1562"
        ],
        "templateVersion": "1.0.7",
        "triggerOperator": "GreaterThan",
        "triggerThreshold": 0
      },
      "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules"
    }
  ]
}