Palo Alto Prevention alert

Back


Id	5180e347-32fb-4a0a-9cfa-d6e0e10fc4eb
Rulename	Palo Alto Prevention alert
Description	The query checks for all malicious events prevented events across all devices having LogSeverity of ‘6’ and summarize the result.
Severity	Medium
Tactics	DefenseEvasion
Techniques	T1562
Required data connectors	PaloAltoNetworksCortex
Kind	Scheduled
Query frequency	1d
Query period	1d
Trigger threshold	0
Trigger operator	gt
Source Uri	https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Palo Alto - XDR (Cortex)/Detection Queries/Preventive Alerts.yaml
Version	1.0.0
Arm template	5180e347-32fb-4a0a-9cfa-d6e0e10fc4eb.json

KQL

CommonSecurityLog
| where DeviceVendor == "Palo Alto Networks"
| where DeviceProduct == "Cortex XDR"
| where DeviceAction == "Prevented (Blocked)"
| where LogSeverity =~ "6"
| summarize by TimeGenerated,DeviceProduct, DeviceEventClassID, LogSeverity, Activity, DeviceAction, Computer, DeviceVersion, FileHash, FileName, FilePath, RequestURL, SourceHostName, SourceUserName
| sort by TimeGenerated

YAML

entityMappings:
- entityType: Account
  fieldMappings:
  - identifier: FullName
    columnName: SourceUserName
- entityType: Host
  fieldMappings:
  - identifier: FullName
    columnName: SourceHostName
- entityType: File hash
  fieldMappings:
  - identifier: Value
    columnName: FileHash
- entityType: File
  fieldMappings:
  - identifier: Name
    columnName: FileName
- entityType: File
  fieldMappings:
  - identifier: Name
    columnName: FilePath
- entityType: URL
  fieldMappings:
  - identifier: Url
    columnName: RequestURL
name: Palo Alto Prevention alert
tactics:
- DefenseEvasion
severity: Medium
triggerThreshold: 0
relevantTechniques:
- T1562
id: 5180e347-32fb-4a0a-9cfa-d6e0e10fc4eb
version: 1.0.0
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Palo Alto - XDR (Cortex)/Detection Queries/Preventive Alerts.yaml
queryFrequency: 1d
triggerOperator: gt
query: |
  CommonSecurityLog
  | where DeviceVendor == "Palo Alto Networks"
  | where DeviceProduct == "Cortex XDR"
  | where DeviceAction == "Prevented (Blocked)"
  | where LogSeverity =~ "6"
  | summarize by TimeGenerated,DeviceProduct, DeviceEventClassID, LogSeverity, Activity, DeviceAction, Computer, DeviceVersion, FileHash, FileName, FilePath, RequestURL, SourceHostName, SourceUserName
  | sort by TimeGenerated  
description: |
    'The query checks for all malicious events prevented events across all devices having LogSeverity of '6' and summarize the result.'
requiredDataConnectors:
- connectorId: PaloAltoNetworksCortex
  dataTypes:
  - PaloAltoNetworksCortex
queryPeriod: 1d
kind: Scheduled

ARM

{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "workspace": {
      "type": "String"
    }
  },
  "resources": [
    {
      "apiVersion": "2024-01-01-preview",
      "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/5180e347-32fb-4a0a-9cfa-d6e0e10fc4eb')]",
      "kind": "Scheduled",
      "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/5180e347-32fb-4a0a-9cfa-d6e0e10fc4eb')]",
      "properties": {
        "alertRuleTemplateName": "5180e347-32fb-4a0a-9cfa-d6e0e10fc4eb",
        "customDetails": null,
        "description": "'The query checks for all malicious events prevented events across all devices having LogSeverity of '6' and summarize the result.'\n",
        "displayName": "Palo Alto Prevention alert",
        "enabled": true,
        "entityMappings": [
          {
            "entityType": "Account",
            "fieldMappings": [
              {
                "columnName": "SourceUserName",
                "identifier": "FullName"
              }
            ]
          },
          {
            "entityType": "Host",
            "fieldMappings": [
              {
                "columnName": "SourceHostName",
                "identifier": "FullName"
              }
            ]
          },
          {
            "entityType": "File hash",
            "fieldMappings": [
              {
                "columnName": "FileHash",
                "identifier": "Value"
              }
            ]
          },
          {
            "entityType": "File",
            "fieldMappings": [
              {
                "columnName": "FileName",
                "identifier": "Name"
              }
            ]
          },
          {
            "entityType": "File",
            "fieldMappings": [
              {
                "columnName": "FilePath",
                "identifier": "Name"
              }
            ]
          },
          {
            "entityType": "URL",
            "fieldMappings": [
              {
                "columnName": "RequestURL",
                "identifier": "Url"
              }
            ]
          }
        ],
        "OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Palo Alto - XDR (Cortex)/Detection Queries/Preventive Alerts.yaml",
        "query": "CommonSecurityLog\n| where DeviceVendor == \"Palo Alto Networks\"\n| where DeviceProduct == \"Cortex XDR\"\n| where DeviceAction == \"Prevented (Blocked)\"\n| where LogSeverity =~ \"6\"\n| summarize by TimeGenerated,DeviceProduct, DeviceEventClassID, LogSeverity, Activity, DeviceAction, Computer, DeviceVersion, FileHash, FileName, FilePath, RequestURL, SourceHostName, SourceUserName\n| sort by TimeGenerated\n",
        "queryFrequency": "P1D",
        "queryPeriod": "P1D",
        "severity": "Medium",
        "subTechniques": [],
        "suppressionDuration": "PT1H",
        "suppressionEnabled": false,
        "tactics": [
          "DefenseEvasion"
        ],
        "techniques": [
          "T1562"
        ],
        "templateVersion": "1.0.0",
        "triggerOperator": "GreaterThan",
        "triggerThreshold": 0
      },
      "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules"
    }
  ]
}