Microsoft Sentinel Analytic Rules
cloudbrothers.infoAzure Sentinel RepoToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeBack to homepage

Palo Alto Prevention alert

Back
Id5180e347-32fb-4a0a-9cfa-d6e0e10fc4eb
RulenamePalo Alto Prevention alert
DescriptionThe query checks for all malicious events prevented events across all devices having LogSeverity of ‘6’ and summarize the result.
SeverityMedium
TacticsDefenseEvasion
TechniquesT1562
Required data connectorsPaloAltoNetworksCortex
KindScheduled
Query frequency1d
Query period1d
Trigger threshold0
Trigger operatorgt
Source Urihttps://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Palo Alto - XDR (Cortex)/Detection Queries/Preventive Alerts.yaml
Version1.0.0
Arm template5180e347-32fb-4a0a-9cfa-d6e0e10fc4eb.json
Deploy To Azure
CommonSecurityLog
| where DeviceVendor == "Palo Alto Networks"
| where DeviceProduct == "Cortex XDR"
| where DeviceAction == "Prevented (Blocked)"
| where LogSeverity =~ "6"
| summarize by TimeGenerated,DeviceProduct, DeviceEventClassID, LogSeverity, Activity, DeviceAction, Computer, DeviceVersion, FileHash, FileName, FilePath, RequestURL, SourceHostName, SourceUserName
| sort by TimeGenerated
name: Palo Alto Prevention alert
severity: Medium
queryFrequency: 1d
triggerOperator: gt
relevantTechniques:
- T1562
version: 1.0.0
description: |
    'The query checks for all malicious events prevented events across all devices having LogSeverity of '6' and summarize the result.'
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Palo Alto - XDR (Cortex)/Detection Queries/Preventive Alerts.yaml
requiredDataConnectors:
- connectorId: PaloAltoNetworksCortex
  dataTypes:
  - PaloAltoNetworksCortex
entityMappings:
- fieldMappings:
  - identifier: FullName
    columnName: SourceUserName
  entityType: Account
- fieldMappings:
  - identifier: FullName
    columnName: SourceHostName
  entityType: Host
- fieldMappings:
  - identifier: Value
    columnName: FileHash
  entityType: File hash
- fieldMappings:
  - identifier: Name
    columnName: FileName
  entityType: File
- fieldMappings:
  - identifier: Name
    columnName: FilePath
  entityType: File
- fieldMappings:
  - identifier: Url
    columnName: RequestURL
  entityType: URL
tactics:
- DefenseEvasion
queryPeriod: 1d
query: |
  CommonSecurityLog
  | where DeviceVendor == "Palo Alto Networks"
  | where DeviceProduct == "Cortex XDR"
  | where DeviceAction == "Prevented (Blocked)"
  | where LogSeverity =~ "6"
  | summarize by TimeGenerated,DeviceProduct, DeviceEventClassID, LogSeverity, Activity, DeviceAction, Computer, DeviceVersion, FileHash, FileName, FilePath, RequestURL, SourceHostName, SourceUserName
  | sort by TimeGenerated  
kind: Scheduled
triggerThreshold: 0
id: 5180e347-32fb-4a0a-9cfa-d6e0e10fc4eb
{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "workspace": {
      "type": "String"
    }
  },
  "resources": [
    {
      "apiVersion": "2024-01-01-preview",
      "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/5180e347-32fb-4a0a-9cfa-d6e0e10fc4eb')]",
      "kind": "Scheduled",
      "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/5180e347-32fb-4a0a-9cfa-d6e0e10fc4eb')]",
      "properties": {
        "alertRuleTemplateName": "5180e347-32fb-4a0a-9cfa-d6e0e10fc4eb",
        "customDetails": null,
        "description": "'The query checks for all malicious events prevented events across all devices having LogSeverity of '6' and summarize the result.'\n",
        "displayName": "Palo Alto Prevention alert",
        "enabled": true,
        "entityMappings": [
          {
            "entityType": "Account",
            "fieldMappings": [
              {
                "columnName": "SourceUserName",
                "identifier": "FullName"
              }
            ]
          },
          {
            "entityType": "Host",
            "fieldMappings": [
              {
                "columnName": "SourceHostName",
                "identifier": "FullName"
              }
            ]
          },
          {
            "entityType": "File hash",
            "fieldMappings": [
              {
                "columnName": "FileHash",
                "identifier": "Value"
              }
            ]
          },
          {
            "entityType": "File",
            "fieldMappings": [
              {
                "columnName": "FileName",
                "identifier": "Name"
              }
            ]
          },
          {
            "entityType": "File",
            "fieldMappings": [
              {
                "columnName": "FilePath",
                "identifier": "Name"
              }
            ]
          },
          {
            "entityType": "URL",
            "fieldMappings": [
              {
                "columnName": "RequestURL",
                "identifier": "Url"
              }
            ]
          }
        ],
        "OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Palo Alto - XDR (Cortex)/Detection Queries/Preventive Alerts.yaml",
        "query": "CommonSecurityLog\n| where DeviceVendor == \"Palo Alto Networks\"\n| where DeviceProduct == \"Cortex XDR\"\n| where DeviceAction == \"Prevented (Blocked)\"\n| where LogSeverity =~ \"6\"\n| summarize by TimeGenerated,DeviceProduct, DeviceEventClassID, LogSeverity, Activity, DeviceAction, Computer, DeviceVersion, FileHash, FileName, FilePath, RequestURL, SourceHostName, SourceUserName\n| sort by TimeGenerated\n",
        "queryFrequency": "P1D",
        "queryPeriod": "P1D",
        "severity": "Medium",
        "subTechniques": [],
        "suppressionDuration": "PT1H",
        "suppressionEnabled": false,
        "tactics": [
          "DefenseEvasion"
        ],
        "techniques": [
          "T1562"
        ],
        "templateVersion": "1.0.0",
        "triggerOperator": "GreaterThan",
        "triggerThreshold": 0
      },
      "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules"
    }
  ]
}