Microsoft Sentinel Analytic Rules
cloudbrothers.infoAzure Sentinel RepoToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeBack to homepage
  1. Microsoft Sentinel Analytics Rules
  2. /
  3. Analytic Rules
  4. /
  5. Illumio VEN Offline Detection Rule

Illumio VEN Offline Detection Rule

Back
Idec07fcd3-724f-426d-9f53-041801ca5f6c
RulenameIllumio VEN Offline Detection Rule
DescriptionCreate Microsoft Sentinel Incident When Ven Goes Into Offline state
SeverityHigh
TacticsDefenseEvasion
TechniquesT1562
Required data connectorsIllumioSaaSDataConnector
SyslogAma
KindScheduled
Query frequency60m
Query period60m
Trigger threshold0
Trigger operatorgt
Source Urihttps://github.com/Azure/Azure-Sentinel/blob/master/Solutions/IllumioSaaS/Analytic Rules/Illumio_VEN_Offline_Detection_Query.yaml
Version1.0.7
Arm templateec07fcd3-724f-426d-9f53-041801ca5f6c.json
Deploy To Azure
Illumio_Auditable_Events_CL
| union IllumioSyslogAuditEvents    
| where event_type has 'agent_offline_check'
| mv-expand resource_changes
| extend hostname = resource_changes['resource']['workload']['hostname'],
    workload_href = resource_changes['resource']['workload']['href'],
    workload_labels = resource_changes['resource']['workload']['labels']
| project-away resource_changes, version, notifications, action, severity, status // action field will have filtered ip addr, so no point of using IP entity

queryFrequency: 60m
eventGroupingSettings:
  aggregationKind: SingleAlert
requiredDataConnectors:
- connectorId: IllumioSaaSDataConnector
  dataTypes:
  - Illumio_Auditable_Events_CL
- connectorId: SyslogAma
  datatypes:
  - Syslog
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/IllumioSaaS/Analytic Rules/Illumio_VEN_Offline_Detection_Query.yaml
query: |
  Illumio_Auditable_Events_CL
  | union IllumioSyslogAuditEvents    
  | where event_type has 'agent_offline_check'
  | mv-expand resource_changes
  | extend hostname = resource_changes['resource']['workload']['hostname'],
      workload_href = resource_changes['resource']['workload']['href'],
      workload_labels = resource_changes['resource']['workload']['labels']
  | project-away resource_changes, version, notifications, action, severity, status // action field will have filtered ip addr, so no point of using IP entity  
entityMappings:
- entityType: Host
  fieldMappings:
  - identifier: HostName
    columnName: hostname
relevantTechniques:
- T1562
name: Illumio VEN Offline Detection Rule
description: |
    'Create Microsoft Sentinel Incident When Ven Goes Into Offline state'
severity: High
queryPeriod: 60m
alertDetailsOverride:
  alertDescriptionFormat: |
        Illumio VEN Offline Incident for {{hostname}} generated at {{TimeGenerated}}
  alertDisplayNameFormat: |
        Illumio VEN Offline Incident for {{hostname}}
triggerOperator: gt
kind: Scheduled
status: Available
tactics:
- DefenseEvasion
id: ec07fcd3-724f-426d-9f53-041801ca5f6c
version: 1.0.7
triggerThreshold: 0

{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "workspace": {
      "type": "String"
    }
  },
  "resources": [
    {
      "apiVersion": "2024-01-01-preview",
      "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/ec07fcd3-724f-426d-9f53-041801ca5f6c')]",
      "kind": "Scheduled",
      "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/ec07fcd3-724f-426d-9f53-041801ca5f6c')]",
      "properties": {
        "alertDetailsOverride": {
          "alertDescriptionFormat": "Illumio VEN Offline Incident for {{hostname}} generated at {{TimeGenerated}}\n",
          "alertDisplayNameFormat": "Illumio VEN Offline Incident for {{hostname}}\n"
        },
        "alertRuleTemplateName": "ec07fcd3-724f-426d-9f53-041801ca5f6c",
        "customDetails": null,
        "description": "'Create Microsoft Sentinel Incident When Ven Goes Into Offline state'\n",
        "displayName": "Illumio VEN Offline Detection Rule",
        "enabled": true,
        "entityMappings": [
          {
            "entityType": "Host",
            "fieldMappings": [
              {
                "columnName": "hostname",
                "identifier": "HostName"
              }
            ]
          }
        ],
        "eventGroupingSettings": {
          "aggregationKind": "SingleAlert"
        },
        "OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/IllumioSaaS/Analytic Rules/Illumio_VEN_Offline_Detection_Query.yaml",
        "query": "Illumio_Auditable_Events_CL\n| union IllumioSyslogAuditEvents    \n| where event_type has 'agent_offline_check'\n| mv-expand resource_changes\n| extend hostname = resource_changes['resource']['workload']['hostname'],\n    workload_href = resource_changes['resource']['workload']['href'],\n    workload_labels = resource_changes['resource']['workload']['labels']\n| project-away resource_changes, version, notifications, action, severity, status // action field will have filtered ip addr, so no point of using IP entity\n",
        "queryFrequency": "PT60M",
        "queryPeriod": "PT60M",
        "severity": "High",
        "status": "Available",
        "subTechniques": [],
        "suppressionDuration": "PT1H",
        "suppressionEnabled": false,
        "tactics": [
          "DefenseEvasion"
        ],
        "techniques": [
          "T1562"
        ],
        "templateVersion": "1.0.7",
        "triggerOperator": "GreaterThan",
        "triggerThreshold": 0
      },
      "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules"
    }
  ]
}