Microsoft Sentinel Analytic Rules
cloudbrothers.infoAzure Sentinel RepoToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeBack to homepage

Palo Alto Prisma Cloud - Network ACLs Inbound rule to allow All Traffic

Back
Id6098b34a-1e6b-440a-9e3b-fb4d5944ade1
RulenamePalo Alto Prisma Cloud - Network ACLs Inbound rule to allow All Traffic
DescriptionDetects Network ACLs with Inbound rule to allow All Traffic.
SeverityMedium
TacticsInitialAccess
TechniquesT1133
Required data connectorsPaloAltoPrismaCloud
KindScheduled
Query frequency1h
Query period1h
Trigger threshold0
Trigger operatorgt
Source Urihttps://github.com/Azure/Azure-Sentinel/blob/master/Solutions/PaloAltoPrismaCloud/Analytic Rules/PaloAltoPrismaCloudAclInAllowAll.yaml
Version1.0.0
Arm template6098b34a-1e6b-440a-9e3b-fb4d5944ade1.json
Deploy To Azure
PaloAltoPrismaCloud
| where Reason =~ 'NEW_ALERT'
| where Status =~ 'open'
| where AlertMessage has 'Network ACLs with Inbound rule to allow All Traffic'
| extend AccountCustomEntity = UserName
name: Palo Alto Prisma Cloud - Network ACLs Inbound rule to allow All Traffic
query: |
  PaloAltoPrismaCloud
  | where Reason =~ 'NEW_ALERT'
  | where Status =~ 'open'
  | where AlertMessage has 'Network ACLs with Inbound rule to allow All Traffic'
  | extend AccountCustomEntity = UserName  
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/PaloAltoPrismaCloud/Analytic Rules/PaloAltoPrismaCloudAclInAllowAll.yaml
queryFrequency: 1h
triggerThreshold: 0
requiredDataConnectors:
- dataTypes:
  - PaloAltoPrismaCloud
  connectorId: PaloAltoPrismaCloud
version: 1.0.0
queryPeriod: 1h
id: 6098b34a-1e6b-440a-9e3b-fb4d5944ade1
triggerOperator: gt
entityMappings:
- fieldMappings:
  - identifier: Name
    columnName: AccountCustomEntity
  entityType: Account
relevantTechniques:
- T1133
severity: Medium
description: |
    'Detects Network ACLs with Inbound rule to allow All Traffic.'
kind: Scheduled
tactics:
- InitialAccess
{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "workspace": {
      "type": "String"
    }
  },
  "resources": [
    {
      "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/6098b34a-1e6b-440a-9e3b-fb4d5944ade1')]",
      "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/6098b34a-1e6b-440a-9e3b-fb4d5944ade1')]",
      "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
      "kind": "Scheduled",
      "apiVersion": "2022-11-01",
      "properties": {
        "displayName": "Palo Alto Prisma Cloud - Network ACLs Inbound rule to allow All Traffic",
        "description": "'Detects Network ACLs with Inbound rule to allow All Traffic.'\n",
        "severity": "Medium",
        "enabled": true,
        "query": "PaloAltoPrismaCloud\n| where Reason =~ 'NEW_ALERT'\n| where Status =~ 'open'\n| where AlertMessage has 'Network ACLs with Inbound rule to allow All Traffic'\n| extend AccountCustomEntity = UserName\n",
        "queryFrequency": "PT1H",
        "queryPeriod": "PT1H",
        "triggerOperator": "GreaterThan",
        "triggerThreshold": 0,
        "suppressionDuration": "PT1H",
        "suppressionEnabled": false,
        "tactics": [
          "InitialAccess"
        ],
        "techniques": [
          "T1133"
        ],
        "alertRuleTemplateName": "6098b34a-1e6b-440a-9e3b-fb4d5944ade1",
        "customDetails": null,
        "entityMappings": [
          {
            "fieldMappings": [
              {
                "identifier": "Name",
                "columnName": "AccountCustomEntity"
              }
            ],
            "entityType": "Account"
          }
        ],
        "templateVersion": "1.0.0",
        "OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/PaloAltoPrismaCloud/Analytic Rules/PaloAltoPrismaCloudAclInAllowAll.yaml"
      }
    }
  ]
}