Palo Alto Prevention alert

Back


Id	5180e347-32fb-4a0a-9cfa-d6e0e10fc4eb
Rulename	Palo Alto Prevention alert
Description	The query checks for all malicious events prevented events across all devices having LogSeverity of ‘6’ and summarize the result.
Severity	Medium
Tactics	DefenseEvasion
Techniques	T1562
Required data connectors	PaloAltoNetworksCortex
Kind	Scheduled
Query frequency	1d
Query period	1d
Trigger threshold	0
Trigger operator	gt
Source Uri	https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Palo Alto - XDR (Cortex)/Detection Queries/Preventive Alerts.yaml
Version	1.0.0
Arm template	5180e347-32fb-4a0a-9cfa-d6e0e10fc4eb.json

KQL

CommonSecurityLog
| where DeviceVendor == "Palo Alto Networks"
| where DeviceProduct == "Cortex XDR"
| where DeviceAction == "Prevented (Blocked)"
| where LogSeverity =~ "6"
| summarize by TimeGenerated,DeviceProduct, DeviceEventClassID, LogSeverity, Activity, DeviceAction, Computer, DeviceVersion, FileHash, FileName, FilePath, RequestURL, SourceHostName, SourceUserName
| sort by TimeGenerated

YAML

relevantTechniques:
- T1562
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Palo Alto - XDR (Cortex)/Detection Queries/Preventive Alerts.yaml
triggerOperator: gt
kind: Scheduled
entityMappings:
- fieldMappings:
  - columnName: SourceUserName
    identifier: FullName
  entityType: Account
- fieldMappings:
  - columnName: SourceHostName
    identifier: FullName
  entityType: Host
- fieldMappings:
  - columnName: FileHash
    identifier: Value
  entityType: File hash
- fieldMappings:
  - columnName: FileName
    identifier: Name
  entityType: File
- fieldMappings:
  - columnName: FilePath
    identifier: Name
  entityType: File
- fieldMappings:
  - columnName: RequestURL
    identifier: Url
  entityType: URL
requiredDataConnectors:
- dataTypes:
  - PaloAltoNetworksCortex
  connectorId: PaloAltoNetworksCortex
queryPeriod: 1d
name: Palo Alto Prevention alert
query: |
  CommonSecurityLog
  | where DeviceVendor == "Palo Alto Networks"
  | where DeviceProduct == "Cortex XDR"
  | where DeviceAction == "Prevented (Blocked)"
  | where LogSeverity =~ "6"
  | summarize by TimeGenerated,DeviceProduct, DeviceEventClassID, LogSeverity, Activity, DeviceAction, Computer, DeviceVersion, FileHash, FileName, FilePath, RequestURL, SourceHostName, SourceUserName
  | sort by TimeGenerated  
tactics:
- DefenseEvasion
severity: Medium
triggerThreshold: 0
description: |
    'The query checks for all malicious events prevented events across all devices having LogSeverity of '6' and summarize the result.'
queryFrequency: 1d
version: 1.0.0
id: 5180e347-32fb-4a0a-9cfa-d6e0e10fc4eb

ARM

{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "workspace": {
      "type": "String"
    }
  },
  "resources": [
    {
      "apiVersion": "2023-02-01-preview",
      "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/5180e347-32fb-4a0a-9cfa-d6e0e10fc4eb')]",
      "kind": "Scheduled",
      "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/5180e347-32fb-4a0a-9cfa-d6e0e10fc4eb')]",
      "properties": {
        "alertRuleTemplateName": "5180e347-32fb-4a0a-9cfa-d6e0e10fc4eb",
        "customDetails": null,
        "description": "'The query checks for all malicious events prevented events across all devices having LogSeverity of '6' and summarize the result.'\n",
        "displayName": "Palo Alto Prevention alert",
        "enabled": true,
        "entityMappings": [
          {
            "entityType": "Account",
            "fieldMappings": [
              {
                "columnName": "SourceUserName",
                "identifier": "FullName"
              }
            ]
          },
          {
            "entityType": "Host",
            "fieldMappings": [
              {
                "columnName": "SourceHostName",
                "identifier": "FullName"
              }
            ]
          },
          {
            "entityType": "File hash",
            "fieldMappings": [
              {
                "columnName": "FileHash",
                "identifier": "Value"
              }
            ]
          },
          {
            "entityType": "File",
            "fieldMappings": [
              {
                "columnName": "FileName",
                "identifier": "Name"
              }
            ]
          },
          {
            "entityType": "File",
            "fieldMappings": [
              {
                "columnName": "FilePath",
                "identifier": "Name"
              }
            ]
          },
          {
            "entityType": "URL",
            "fieldMappings": [
              {
                "columnName": "RequestURL",
                "identifier": "Url"
              }
            ]
          }
        ],
        "OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Palo Alto - XDR (Cortex)/Detection Queries/Preventive Alerts.yaml",
        "query": "CommonSecurityLog\n| where DeviceVendor == \"Palo Alto Networks\"\n| where DeviceProduct == \"Cortex XDR\"\n| where DeviceAction == \"Prevented (Blocked)\"\n| where LogSeverity =~ \"6\"\n| summarize by TimeGenerated,DeviceProduct, DeviceEventClassID, LogSeverity, Activity, DeviceAction, Computer, DeviceVersion, FileHash, FileName, FilePath, RequestURL, SourceHostName, SourceUserName\n| sort by TimeGenerated\n",
        "queryFrequency": "P1D",
        "queryPeriod": "P1D",
        "severity": "Medium",
        "suppressionDuration": "PT1H",
        "suppressionEnabled": false,
        "tactics": [
          "DefenseEvasion"
        ],
        "techniques": [
          "T1562"
        ],
        "templateVersion": "1.0.0",
        "triggerOperator": "GreaterThan",
        "triggerThreshold": 0
      },
      "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules"
    }
  ]
}