Illumio Firewall Tampering Analytic Rule

Illumio_Auditable_Events_CL
 | union IllumioSyslogAuditEvents 
 | where event_type has 'tampering'
 | extend ipaddress = action.src_ip,
           hostname = created_by.agent.hostname,
           ven_href = created_by.ven.href
 | project-away resource_changes, action, version

kind: Scheduled
requiredDataConnectors:
- dataTypes:
  - Illumio_Auditable_Events_CL
  connectorId: IllumioSaaSDataConnector
- datatypes:
  - Syslog
  connectorId: SyslogAma
entityMappings:
- entityType: Host
  fieldMappings:
  - columnName: hostname
    identifier: HostName
- entityType: IP
  fieldMappings:
  - columnName: ipaddress
    identifier: Address
relevantTechniques:
- T1562
status: Available
tactics:
- DefenseEvasion
eventGroupingSettings:
  aggregationKind: SingleAlert
alertDetailsOverride:
  alertDisplayNameFormat: |
        Illumio Firewall Tamper Incident for {{hostname}}
  alertDescriptionFormat: |
        Illumio Firewall Tamper Incident for {{hostname}} generated at {{TimeGenerated}}
name: Illumio Firewall Tampering Analytic Rule
queryFrequency: 60m
query: |
  Illumio_Auditable_Events_CL
   | union IllumioSyslogAuditEvents 
   | where event_type has 'tampering'
   | extend ipaddress = action.src_ip,
             hostname = created_by.agent.hostname,
             ven_href = created_by.ven.href
   | project-away resource_changes, action, version  
id: e9e4e466-3970-4165-bc8d-7721c6ef34a6
severity: Medium
queryPeriod: 60m
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/IllumioSaaS/Analytic Rules/Illumio_VEN_Firewall_Tampering_Detection_Query.yaml
version: 1.0.7
description: |
    'Create Microsoft Sentinel Incident When Firewall Is Tampered With'
triggerThreshold: 0
triggerOperator: gt