Microsoft Sentinel Analytic Rules
cloudbrothers.infoAzure Sentinel RepoToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeBack to homepage
  1. Microsoft Sentinel Analytics Rules
  2. /
  3. Analytic Rules
  4. /
  5. Palo Alto Prevention alert

Palo Alto Prevention alert

Back
Id5180e347-32fb-4a0a-9cfa-d6e0e10fc4eb
RulenamePalo Alto Prevention alert
DescriptionThe query checks for all malicious events prevented events across all devices having LogSeverity of ‘6’ and summarize the result.
SeverityMedium
TacticsDefenseEvasion
TechniquesT1562
Required data connectorsPaloAltoNetworksCortex
KindScheduled
Query frequency1d
Query period1d
Trigger threshold0
Trigger operatorgt
Source Urihttps://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Palo Alto - XDR (Cortex)/Detection Queries/Preventive Alerts.yaml
Version1.0.0
Arm template5180e347-32fb-4a0a-9cfa-d6e0e10fc4eb.json
Deploy To Azure
CommonSecurityLog
| where DeviceVendor == "Palo Alto Networks"
| where DeviceProduct == "Cortex XDR"
| where DeviceAction == "Prevented (Blocked)"
| where LogSeverity =~ "6"
| summarize by TimeGenerated,DeviceProduct, DeviceEventClassID, LogSeverity, Activity, DeviceAction, Computer, DeviceVersion, FileHash, FileName, FilePath, RequestURL, SourceHostName, SourceUserName
| sort by TimeGenerated

id: 5180e347-32fb-4a0a-9cfa-d6e0e10fc4eb
description: |
    'The query checks for all malicious events prevented events across all devices having LogSeverity of '6' and summarize the result.'
requiredDataConnectors:
- connectorId: PaloAltoNetworksCortex
  dataTypes:
  - PaloAltoNetworksCortex
tactics:
- DefenseEvasion
queryFrequency: 1d
queryPeriod: 1d
triggerOperator: gt
kind: Scheduled
query: |
  CommonSecurityLog
  | where DeviceVendor == "Palo Alto Networks"
  | where DeviceProduct == "Cortex XDR"
  | where DeviceAction == "Prevented (Blocked)"
  | where LogSeverity =~ "6"
  | summarize by TimeGenerated,DeviceProduct, DeviceEventClassID, LogSeverity, Activity, DeviceAction, Computer, DeviceVersion, FileHash, FileName, FilePath, RequestURL, SourceHostName, SourceUserName
  | sort by TimeGenerated  
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Palo Alto - XDR (Cortex)/Detection Queries/Preventive Alerts.yaml
version: 1.0.0
relevantTechniques:
- T1562
severity: Medium
name: Palo Alto Prevention alert
entityMappings:
- fieldMappings:
  - identifier: FullName
    columnName: SourceUserName
  entityType: Account
- fieldMappings:
  - identifier: FullName
    columnName: SourceHostName
  entityType: Host
- fieldMappings:
  - identifier: Value
    columnName: FileHash
  entityType: File hash
- fieldMappings:
  - identifier: Name
    columnName: FileName
  entityType: File
- fieldMappings:
  - identifier: Name
    columnName: FilePath
  entityType: File
- fieldMappings:
  - identifier: Url
    columnName: RequestURL
  entityType: URL
triggerThreshold: 0