Microsoft Sentinel Analytic Rules

Illumio Firewall Tampering Analytic Rule

Id: e9e4e466-3970-4165-bc8d-7721c6ef34a6
Rulename: Illumio Firewall Tampering Analytic Rule
Description: Create Microsoft Sentinel Incident When Firewall Is Tampered With
Severity: Medium
Tactics: DefenseEvasion
Techniques: T1562
Required data connectors: IllumioSaaSDataConnector
Kind: Scheduled
Query frequency: 60m
Query period: 60m
Trigger threshold: 0
Trigger operator: gt
Source Uri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/IllumioSaaS/Analytic Rules/Illumio_Firewall_Tampering_Detection_Query.yaml
Version: 1.0.5
Arm template: e9e4e466-3970-4165-bc8d-7721c6ef34a6.json
// Returns every Illumio auditable event whose event_type contains the term
// 'tampering' (KQL `has` is a case-insensitive whole-term match).
// No further filter on status, severity or actor is applied, so each such
// event is surfaced; the time window comes from the rule's queryPeriod.
Illumio_Auditable_Events_CL
| where event_type has 'tampering'
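# Scheduled analytic rule: raises one alert per Illumio auditable event whose
# event_type contains the term 'tampering'.
id: e9e4e466-3970-4165-bc8d-7721c6ef34a6
name: Illumio Firewall Tampering Analytic Rule
# Plain text: quotes inside a block scalar are literal and would otherwise
# become part of the description shown on the incident.
description: |
  Create Microsoft Sentinel Incident When Firewall Is Tampered With
severity: Medium
status: Available
kind: Scheduled
# Quoted so YAML tooling never retypes the version as a number.
version: "1.0.5"
OriginalUri: 'https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/IllumioSaaS/Analytic Rules/Illumio_Firewall_Tampering_Detection_Query.yaml'
requiredDataConnectors:
  - connectorId: IllumioSaaSDataConnector
    dataTypes:
      - Illumio_Auditable_Events_CL
# Period equals frequency, so consecutive runs cover adjoining, non-overlapping
# windows.
queryFrequency: 60m
queryPeriod: 60m
# Threshold 0 with 'gt' fires on any result; with AlertPerResult each matching
# event becomes its own alert, so no aggregation or deduplication happens here.
triggerOperator: gt
triggerThreshold: 0
eventGroupingSettings:
  aggregationKind: AlertPerResult
tactics:
  - DefenseEvasion
relevantTechniques:
  - T1562
# `has` is a case-insensitive whole-term match; no further filter on status,
# severity or actor is applied.
query: |
  Illumio_Auditable_Events_CL
  | where event_type has 'tampering'
entityMappings:
  # NOTE(review): created_by reads like an actor/user field rather than a host
  # name — confirm against the Illumio_Auditable_Events_CL schema; an Account
  # mapping may be the more accurate entity.
  - entityType: Host
    fieldMappings:
      - columnName: created_by
        identifier: HostName
  # NOTE(review): mapping the 'action' column to an IP Address looks like a
  # column mismatch — confirm which column actually carries an address, or
  # drop this mapping so incidents are not populated with bogus IP entities.
  - entityType: IP
    fieldMappings:
      - columnName: action
        identifier: Address
alertDetailsOverride:
  alertDisplayNameFormat: |
    Illumio Firewall Tamper Incident: {{IncidentId}}
  alertDescriptionFormat: |
    Illumio Firewall Tamper Incident {{IncidentId}} generated at {{TimeGenerated}}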
{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "workspace": {
      "type": "String"
    }
  },
  "resources": [
    {
      "apiVersion": "2024-01-01-preview",
      "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/e9e4e466-3970-4165-bc8d-7721c6ef34a6')]",
      "kind": "Scheduled",
      "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/e9e4e466-3970-4165-bc8d-7721c6ef34a6')]",
      "properties": {
        "alertDetailsOverride": {
          "alertDescriptionFormat": "Illumio Firewall Tamper Incident {{IncidentId}} generated at {{TimeGenerated}}\n",
          "alertDisplayNameFormat": "Illumio Firewall Tamper Incident: {{IncidentId}}\n"
        },
        "alertRuleTemplateName": "e9e4e466-3970-4165-bc8d-7721c6ef34a6",
        "customDetails": null,
        "description": "'Create Microsoft Sentinel Incident When Firewall Is Tampered With'\n",
        "displayName": "Illumio Firewall Tampering Analytic Rule",
        "enabled": true,
        "entityMappings": [
          {
            "entityType": "Host",
            "fieldMappings": [
              {
                "columnName": "created_by",
                "identifier": "HostName"
              }
            ]
          },
          {
            "entityType": "IP",
            "fieldMappings": [
              {
                "columnName": "action",
                "identifier": "Address"
              }
            ]
          }
        ],
        "eventGroupingSettings": {
          "aggregationKind": "AlertPerResult"
        },
        "OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/IllumioSaaS/Analytic Rules/Illumio_Firewall_Tampering_Detection_Query.yaml",
        "query": "Illumio_Auditable_Events_CL\n| where event_type has 'tampering'\n",
        "queryFrequency": "PT60M",
        "queryPeriod": "PT60M",
        "severity": "Medium",
        "status": "Available",
        "subTechniques": [],
        "suppressionDuration": "PT1H",
        "suppressionEnabled": false,
        "tactics": [
          "DefenseEvasion"
        ],
        "techniques": [
          "T1562"
        ],
        "templateVersion": "1.0.5",
        "triggerOperator": "GreaterThan",
        "triggerThreshold": 0
      },
      "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules"
    }
  ]
}