Microsoft Sentinel Analytic Rules
cloudbrothers.infoAzure Sentinel RepoToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeBack to homepage

Palo Alto Prevention alert

Back
Id5180e347-32fb-4a0a-9cfa-d6e0e10fc4eb
RulenamePalo Alto Prevention alert
DescriptionThe query checks for all malicious events prevented events across all devices having LogSeverity of ‘6’ and summarize the result.
SeverityMedium
TacticsDefenseEvasion
TechniquesT1562
Required data connectorsPaloAltoNetworksCortex
KindScheduled
Query frequency1d
Query period1d
Trigger threshold0
Trigger operatorgt
Source Urihttps://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Palo Alto - XDR (Cortex)/Detection Queries/Preventive Alerts.yaml
Version1.0.0
Arm template5180e347-32fb-4a0a-9cfa-d6e0e10fc4eb.json
Deploy To Azure
CommonSecurityLog
| where DeviceVendor == "Palo Alto Networks"
| where DeviceProduct == "Cortex XDR"
| where DeviceAction == "Prevented (Blocked)"
| where LogSeverity =~ "6"
| summarize by TimeGenerated,DeviceProduct, DeviceEventClassID, LogSeverity, Activity, DeviceAction, Computer, DeviceVersion, FileHash, FileName, FilePath, RequestURL, SourceHostName, SourceUserName
| sort by TimeGenerated
queryFrequency: 1d
triggerOperator: gt
tactics:
- DefenseEvasion
description: |
    'The query checks for all malicious events prevented events across all devices having LogSeverity of '6' and summarize the result.'
relevantTechniques:
- T1562
query: |
  CommonSecurityLog
  | where DeviceVendor == "Palo Alto Networks"
  | where DeviceProduct == "Cortex XDR"
  | where DeviceAction == "Prevented (Blocked)"
  | where LogSeverity =~ "6"
  | summarize by TimeGenerated,DeviceProduct, DeviceEventClassID, LogSeverity, Activity, DeviceAction, Computer, DeviceVersion, FileHash, FileName, FilePath, RequestURL, SourceHostName, SourceUserName
  | sort by TimeGenerated  
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Palo Alto - XDR (Cortex)/Detection Queries/Preventive Alerts.yaml
severity: Medium
triggerThreshold: 0
version: 1.0.0
entityMappings:
- entityType: Account
  fieldMappings:
  - identifier: FullName
    columnName: SourceUserName
- entityType: Host
  fieldMappings:
  - identifier: FullName
    columnName: SourceHostName
- entityType: File hash
  fieldMappings:
  - identifier: Value
    columnName: FileHash
- entityType: File
  fieldMappings:
  - identifier: Name
    columnName: FileName
- entityType: File
  fieldMappings:
  - identifier: Name
    columnName: FilePath
- entityType: URL
  fieldMappings:
  - identifier: Url
    columnName: RequestURL
name: Palo Alto Prevention alert
id: 5180e347-32fb-4a0a-9cfa-d6e0e10fc4eb
requiredDataConnectors:
- connectorId: PaloAltoNetworksCortex
  dataTypes:
  - PaloAltoNetworksCortex
kind: Scheduled
queryPeriod: 1d
{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "workspace": {
      "type": "String"
    }
  },
  "resources": [
    {
      "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/5180e347-32fb-4a0a-9cfa-d6e0e10fc4eb')]",
      "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/5180e347-32fb-4a0a-9cfa-d6e0e10fc4eb')]",
      "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
      "kind": "Scheduled",
      "apiVersion": "2022-11-01",
      "properties": {
        "displayName": "Palo Alto Prevention alert",
        "description": "'The query checks for all malicious events prevented events across all devices having LogSeverity of '6' and summarize the result.'\n",
        "severity": "Medium",
        "enabled": true,
        "query": "CommonSecurityLog\n| where DeviceVendor == \"Palo Alto Networks\"\n| where DeviceProduct == \"Cortex XDR\"\n| where DeviceAction == \"Prevented (Blocked)\"\n| where LogSeverity =~ \"6\"\n| summarize by TimeGenerated,DeviceProduct, DeviceEventClassID, LogSeverity, Activity, DeviceAction, Computer, DeviceVersion, FileHash, FileName, FilePath, RequestURL, SourceHostName, SourceUserName\n| sort by TimeGenerated\n",
        "queryFrequency": "P1D",
        "queryPeriod": "P1D",
        "triggerOperator": "GreaterThan",
        "triggerThreshold": 0,
        "suppressionDuration": "PT1H",
        "suppressionEnabled": false,
        "tactics": [
          "DefenseEvasion"
        ],
        "techniques": [
          "T1562"
        ],
        "alertRuleTemplateName": "5180e347-32fb-4a0a-9cfa-d6e0e10fc4eb",
        "customDetails": null,
        "entityMappings": [
          {
            "entityType": "Account",
            "fieldMappings": [
              {
                "identifier": "FullName",
                "columnName": "SourceUserName"
              }
            ]
          },
          {
            "entityType": "Host",
            "fieldMappings": [
              {
                "identifier": "FullName",
                "columnName": "SourceHostName"
              }
            ]
          },
          {
            "entityType": "File hash",
            "fieldMappings": [
              {
                "identifier": "Value",
                "columnName": "FileHash"
              }
            ]
          },
          {
            "entityType": "File",
            "fieldMappings": [
              {
                "identifier": "Name",
                "columnName": "FileName"
              }
            ]
          },
          {
            "entityType": "File",
            "fieldMappings": [
              {
                "identifier": "Name",
                "columnName": "FilePath"
              }
            ]
          },
          {
            "entityType": "URL",
            "fieldMappings": [
              {
                "identifier": "Url",
                "columnName": "RequestURL"
              }
            ]
          }
        ],
        "templateVersion": "1.0.0",
        "OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Palo Alto - XDR (Cortex)/Detection Queries/Preventive Alerts.yaml"
      }
    }
  ]
}