Microsoft Sentinel Analytic Rules

Illumio VEN Offline Detection Rule

Id: ec07fcd3-724f-426d-9f53-041801ca5f6c
Rule name: Illumio VEN Offline Detection Rule
Description: Create Microsoft Sentinel Incident When Ven Goes Into Offline state
Severity: High
Tactics: DefenseEvasion
Techniques: T1562
Required data connectors: IllumioSaaSDataConnector
Kind: Scheduled
Query frequency: 60m
Query period: 60m
Trigger threshold: 0
Trigger operator: gt
Source Uri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/IllumioSaaS/Analytic Rules/Illumio_VEN_Offline_Detection_Query.yaml
Version: 1.0.5
Arm template: ec07fcd3-724f-426d-9f53-041801ca5f6c.json
// Detection query: select Illumio audit events whose event_type contains the
// term 'agent_offline_check'. KQL 'has' is a whole-term, case-insensitive match.
// NOTE(review): no column narrows this to the check's outcome, so every
// agent_offline_check event matches — confirm against the table schema whether
// a status/outcome field should be added to the filter.
Illumio_Auditable_Events_CL
| where event_type has 'agent_offline_check'
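---
# Scheduled Microsoft Sentinel analytic rule (Illumio SaaS solution).
# Raises one alert per matching row (AlertPerResult) whenever an Illumio
# audit event of type 'agent_offline_check' is seen in the look-back window.
id: ec07fcd3-724f-426d-9f53-041801ca5f6c
name: Illumio VEN Offline Detection Rule
# Folded scalar: the previous form wrapped the text in quotes inside a block
# scalar, which leaked the literal quote characters into the deployed
# rule's description.
description: >-
  Create Microsoft Sentinel Incident When Ven Goes Into Offline state
severity: High
status: Available
version: 1.0.5
kind: Scheduled
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/IllumioSaaS/Analytic Rules/Illumio_VEN_Offline_Detection_Query.yaml

requiredDataConnectors:
  - connectorId: IllumioSaaSDataConnector
    dataTypes:
      - Illumio_Auditable_Events_CL

# Look-back equals the run interval, so consecutive runs do not overlap.
# NOTE(review): rows that arrive after ingestion delay may fall outside the
# 60m window and never be evaluated — confirm the period is large enough.
queryFrequency: 60m
queryPeriod: 60m
# Threshold 0 with 'gt': a single matching row is enough to fire the rule.
triggerOperator: gt
triggerThreshold: 0

# MITRE ATT&CK mapping: an agent going offline is treated as a possible
# Impair Defenses (T1562) signal.
tactics:
  - DefenseEvasion
relevantTechniques:
  - T1562

# KQL 'has' is a whole-term, case-insensitive match. The query does not
# inspect the outcome of the check, so every agent_offline_check audit event
# matches. NOTE(review): confirm whether a status/outcome column should
# narrow this to actual offline transitions.
query: |
  Illumio_Auditable_Events_CL
  | where event_type has 'agent_offline_check'

eventGroupingSettings:
  aggregationKind: AlertPerResult

# NOTE(review): assumes the resource_changes column carries the affected
# host's name; verify against the table schema before relying on the Host
# entity for investigation pivots.
entityMappings:
  - entityType: Host
    fieldMappings:
      - identifier: HostName
        columnName: resource_changes

# '|-' strips the trailing newline that '|' would otherwise leave in the
# rendered alert title and description.
alertDetailsOverride:
  alertDisplayNameFormat: |-
    Illumio VEN Offline Incident: {{IncidentId}}
  alertDescriptionFormat: |-
    Illumio VEN Offline Incident {{IncidentId}} generated at {{TimeGenerated}}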
{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "workspace": {
      "type": "String"
    }
  },
  "resources": [
    {
      "apiVersion": "2024-01-01-preview",
      "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/ec07fcd3-724f-426d-9f53-041801ca5f6c')]",
      "kind": "Scheduled",
      "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/ec07fcd3-724f-426d-9f53-041801ca5f6c')]",
      "properties": {
        "alertDetailsOverride": {
          "alertDescriptionFormat": "Illumio VEN Offline Incident {{IncidentId}} generated at {{TimeGenerated}}\n",
          "alertDisplayNameFormat": "Illumio VEN Offline Incident: {{IncidentId}}\n"
        },
        "alertRuleTemplateName": "ec07fcd3-724f-426d-9f53-041801ca5f6c",
        "customDetails": null,
        "description": "'Create Microsoft Sentinel Incident When Ven Goes Into Offline state'\n",
        "displayName": "Illumio VEN Offline Detection Rule",
        "enabled": true,
        "entityMappings": [
          {
            "entityType": "Host",
            "fieldMappings": [
              {
                "columnName": "resource_changes",
                "identifier": "HostName"
              }
            ]
          }
        ],
        "eventGroupingSettings": {
          "aggregationKind": "AlertPerResult"
        },
        "OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/IllumioSaaS/Analytic Rules/Illumio_VEN_Offline_Detection_Query.yaml",
        "query": "Illumio_Auditable_Events_CL\n| where event_type has 'agent_offline_check'\n",
        "queryFrequency": "PT60M",
        "queryPeriod": "PT60M",
        "severity": "High",
        "status": "Available",
        "subTechniques": [],
        "suppressionDuration": "PT1H",
        "suppressionEnabled": false,
        "tactics": [
          "DefenseEvasion"
        ],
        "techniques": [
          "T1562"
        ],
        "templateVersion": "1.0.5",
        "triggerOperator": "GreaterThan",
        "triggerThreshold": 0
      },
      "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules"
    }
  ]
}