Palo Alto Prevention alert

Back


Id	5180e347-32fb-4a0a-9cfa-d6e0e10fc4eb
Rulename	Palo Alto Prevention alert
Description	The query checks for all malicious events prevented events across all devices having LogSeverity of ‘6’ and summarize the result.
Severity	Medium
Tactics	DefenseEvasion
Techniques	T1562
Required data connectors	PaloAltoNetworksCortex
Kind	Scheduled
Query frequency	1d
Query period	1d
Trigger threshold	0
Trigger operator	gt
Source Uri	https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Palo Alto - XDR (Cortex)/Detection Queries/Preventive Alerts.yaml
Version	1.0.0
Arm template	5180e347-32fb-4a0a-9cfa-d6e0e10fc4eb.json

KQL

CommonSecurityLog
| where DeviceVendor == "Palo Alto Networks"
| where DeviceProduct == "Cortex XDR"
| where DeviceAction == "Prevented (Blocked)"
| where LogSeverity =~ "6"
| summarize by TimeGenerated,DeviceProduct, DeviceEventClassID, LogSeverity, Activity, DeviceAction, Computer, DeviceVersion, FileHash, FileName, FilePath, RequestURL, SourceHostName, SourceUserName
| sort by TimeGenerated

YAML

queryFrequency: 1d
triggerOperator: gt
tactics:
- DefenseEvasion
description: |
    'The query checks for all malicious events prevented events across all devices having LogSeverity of '6' and summarize the result.'
relevantTechniques:
- T1562
query: |
  CommonSecurityLog
  | where DeviceVendor == "Palo Alto Networks"
  | where DeviceProduct == "Cortex XDR"
  | where DeviceAction == "Prevented (Blocked)"
  | where LogSeverity =~ "6"
  | summarize by TimeGenerated,DeviceProduct, DeviceEventClassID, LogSeverity, Activity, DeviceAction, Computer, DeviceVersion, FileHash, FileName, FilePath, RequestURL, SourceHostName, SourceUserName
  | sort by TimeGenerated  
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Palo Alto - XDR (Cortex)/Detection Queries/Preventive Alerts.yaml
severity: Medium
triggerThreshold: 0
version: 1.0.0
entityMappings:
- entityType: Account
  fieldMappings:
  - identifier: FullName
    columnName: SourceUserName
- entityType: Host
  fieldMappings:
  - identifier: FullName
    columnName: SourceHostName
- entityType: File hash
  fieldMappings:
  - identifier: Value
    columnName: FileHash
- entityType: File
  fieldMappings:
  - identifier: Name
    columnName: FileName
- entityType: File
  fieldMappings:
  - identifier: Name
    columnName: FilePath
- entityType: URL
  fieldMappings:
  - identifier: Url
    columnName: RequestURL
name: Palo Alto Prevention alert
id: 5180e347-32fb-4a0a-9cfa-d6e0e10fc4eb
requiredDataConnectors:
- connectorId: PaloAltoNetworksCortex
  dataTypes:
  - PaloAltoNetworksCortex
kind: Scheduled
queryPeriod: 1d

ARM

{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "workspace": {
      "type": "String"
    }
  },
  "resources": [
    {
      "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/5180e347-32fb-4a0a-9cfa-d6e0e10fc4eb')]",
      "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/5180e347-32fb-4a0a-9cfa-d6e0e10fc4eb')]",
      "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
      "kind": "Scheduled",
      "apiVersion": "2022-11-01",
      "properties": {
        "displayName": "Palo Alto Prevention alert",
        "description": "'The query checks for all malicious events prevented events across all devices having LogSeverity of '6' and summarize the result.'\n",
        "severity": "Medium",
        "enabled": true,
        "query": "CommonSecurityLog\n| where DeviceVendor == \"Palo Alto Networks\"\n| where DeviceProduct == \"Cortex XDR\"\n| where DeviceAction == \"Prevented (Blocked)\"\n| where LogSeverity =~ \"6\"\n| summarize by TimeGenerated,DeviceProduct, DeviceEventClassID, LogSeverity, Activity, DeviceAction, Computer, DeviceVersion, FileHash, FileName, FilePath, RequestURL, SourceHostName, SourceUserName\n| sort by TimeGenerated\n",
        "queryFrequency": "P1D",
        "queryPeriod": "P1D",
        "triggerOperator": "GreaterThan",
        "triggerThreshold": 0,
        "suppressionDuration": "PT1H",
        "suppressionEnabled": false,
        "tactics": [
          "DefenseEvasion"
        ],
        "techniques": [
          "T1562"
        ],
        "alertRuleTemplateName": "5180e347-32fb-4a0a-9cfa-d6e0e10fc4eb",
        "customDetails": null,
        "entityMappings": [
          {
            "entityType": "Account",
            "fieldMappings": [
              {
                "identifier": "FullName",
                "columnName": "SourceUserName"
              }
            ]
          },
          {
            "entityType": "Host",
            "fieldMappings": [
              {
                "identifier": "FullName",
                "columnName": "SourceHostName"
              }
            ]
          },
          {
            "entityType": "File hash",
            "fieldMappings": [
              {
                "identifier": "Value",
                "columnName": "FileHash"
              }
            ]
          },
          {
            "entityType": "File",
            "fieldMappings": [
              {
                "identifier": "Name",
                "columnName": "FileName"
              }
            ]
          },
          {
            "entityType": "File",
            "fieldMappings": [
              {
                "identifier": "Name",
                "columnName": "FilePath"
              }
            ]
          },
          {
            "entityType": "URL",
            "fieldMappings": [
              {
                "identifier": "Url",
                "columnName": "RequestURL"
              }
            ]
          }
        ],
        "templateVersion": "1.0.0",
        "OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Palo Alto - XDR (Cortex)/Detection Queries/Preventive Alerts.yaml"
      }
    }
  ]
}