Palo Alto Threat signatures from Unusual IP addresses

let starttime = 7d;
let endtime = 1d;
let timeframe = 1h;
let HistThreshold = 25; 
let CurrThreshold = 10; 
let HistoricalThreats = CommonSecurityLog
| where isnotempty(SourceIP)
| where TimeGenerated between (startofday(ago(starttime))..startofday(ago(endtime)))
| where DeviceVendor =~ "Palo Alto Networks"
| where Activity =~ "THREAT" and SimplifiedDeviceAction =~ "alert" 
| where DeviceEventClassID in ('spyware', 'scan', 'file', 'vulnerability', 'flood', 'packet', 'virus','wildfire', 'wildfire-virus')
| summarize TotalEvents = count(), ThreatTypes = make_set(DeviceEventClassID), DestinationIpList = make_set(DestinationIP), FirstSeen = min(TimeGenerated) , LastSeen = max(TimeGenerated) by SourceIP, DeviceAction, DeviceVendor;
let CurrentHourThreats =  CommonSecurityLog
| where isnotempty(SourceIP)
| where TimeGenerated > ago(timeframe)
| where DeviceVendor =~ "Palo Alto Networks"
| where Activity =~ "THREAT" and SimplifiedDeviceAction =~ "alert" 
| where DeviceEventClassID in ('spyware', 'scan', 'file', 'vulnerability', 'flood', 'packet', 'virus','wildfire', 'wildfire-virus')
| summarize TotalEvents = count(), ThreatTypes = make_set(DeviceEventClassID), DestinationIpList = make_set(DestinationIP), FirstSeen = min(TimeGenerated) , LastSeen = max(TimeGenerated) by SourceIP, DeviceAction, DeviceProduct, DeviceVendor;
CurrentHourThreats 
| where TotalEvents < CurrThreshold
| join kind = leftanti (HistoricalThreats 
| where TotalEvents > HistThreshold) on SourceIP

relevantTechniques:
- T1046
- T1030
- T1071.001
name: Palo Alto Threat signatures from Unusual IP addresses
requiredDataConnectors:
- dataTypes:
  - CommonSecurityLog
  connectorId: CefAma
entityMappings:
- fieldMappings:
  - identifier: Address
    columnName: SourceIP
  entityType: IP
triggerThreshold: 0
id: 89a86f70-615f-4a79-9621-6f68c50f365f
tactics:
- Discovery
- Exfiltration
- CommandAndControl
version: 1.0.3
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/PaloAlto-PAN-OS/Analytic Rules/PaloAlto-UnusualThreatSignatures.yaml
queryPeriod: 7d
kind: Scheduled
tags:
- Fusion
queryFrequency: 1h
severity: Medium
status: Available
description: |
  'Identifies Palo Alto Threat signatures from unusual IP addresses which are not historically seen. 
  This detection is also leveraged and required for MDE and PAN Fusion scenario
  https://docs.microsoft.com/Azure/sentinel/fusion-scenario-reference#network-request-to-tor-anonymization-service-followed-by-anomalous-traffic-flagged-by-palo-alto-networks-firewall'  
query: |
  let starttime = 7d;
  let endtime = 1d;
  let timeframe = 1h;
  let HistThreshold = 25; 
  let CurrThreshold = 10; 
  let HistoricalThreats = CommonSecurityLog
  | where isnotempty(SourceIP)
  | where TimeGenerated between (startofday(ago(starttime))..startofday(ago(endtime)))
  | where DeviceVendor =~ "Palo Alto Networks"
  | where Activity =~ "THREAT" and SimplifiedDeviceAction =~ "alert" 
  | where DeviceEventClassID in ('spyware', 'scan', 'file', 'vulnerability', 'flood', 'packet', 'virus','wildfire', 'wildfire-virus')
  | summarize TotalEvents = count(), ThreatTypes = make_set(DeviceEventClassID), DestinationIpList = make_set(DestinationIP), FirstSeen = min(TimeGenerated) , LastSeen = max(TimeGenerated) by SourceIP, DeviceAction, DeviceVendor;
  let CurrentHourThreats =  CommonSecurityLog
  | where isnotempty(SourceIP)
  | where TimeGenerated > ago(timeframe)
  | where DeviceVendor =~ "Palo Alto Networks"
  | where Activity =~ "THREAT" and SimplifiedDeviceAction =~ "alert" 
  | where DeviceEventClassID in ('spyware', 'scan', 'file', 'vulnerability', 'flood', 'packet', 'virus','wildfire', 'wildfire-virus')
  | summarize TotalEvents = count(), ThreatTypes = make_set(DeviceEventClassID), DestinationIpList = make_set(DestinationIP), FirstSeen = min(TimeGenerated) , LastSeen = max(TimeGenerated) by SourceIP, DeviceAction, DeviceProduct, DeviceVendor;
  CurrentHourThreats 
  | where TotalEvents < CurrThreshold
  | join kind = leftanti (HistoricalThreats 
  | where TotalEvents > HistThreshold) on SourceIP  
triggerOperator: gt

{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "workspace": {
      "type": "String"
    }
  },
  "resources": [
    {
      "apiVersion": "2024-01-01-preview",
      "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/89a86f70-615f-4a79-9621-6f68c50f365f')]",
      "kind": "Scheduled",
      "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/89a86f70-615f-4a79-9621-6f68c50f365f')]",
      "properties": {
        "alertRuleTemplateName": "89a86f70-615f-4a79-9621-6f68c50f365f",
        "customDetails": null,
        "description": "'Identifies Palo Alto Threat signatures from unusual IP addresses which are not historically seen. \nThis detection is also leveraged and required for MDE and PAN Fusion scenario\nhttps://docs.microsoft.com/Azure/sentinel/fusion-scenario-reference#network-request-to-tor-anonymization-service-followed-by-anomalous-traffic-flagged-by-palo-alto-networks-firewall'\n",
        "displayName": "Palo Alto Threat signatures from Unusual IP addresses",
        "enabled": true,
        "entityMappings": [
          {
            "entityType": "IP",
            "fieldMappings": [
              {
                "columnName": "SourceIP",
                "identifier": "Address"
              }
            ]
          }
        ],
        "OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/PaloAlto-PAN-OS/Analytic Rules/PaloAlto-UnusualThreatSignatures.yaml",
        "query": "let starttime = 7d;\nlet endtime = 1d;\nlet timeframe = 1h;\nlet HistThreshold = 25; \nlet CurrThreshold = 10; \nlet HistoricalThreats = CommonSecurityLog\n| where isnotempty(SourceIP)\n| where TimeGenerated between (startofday(ago(starttime))..startofday(ago(endtime)))\n| where DeviceVendor =~ \"Palo Alto Networks\"\n| where Activity =~ \"THREAT\" and SimplifiedDeviceAction =~ \"alert\" \n| where DeviceEventClassID in ('spyware', 'scan', 'file', 'vulnerability', 'flood', 'packet', 'virus','wildfire', 'wildfire-virus')\n| summarize TotalEvents = count(), ThreatTypes = make_set(DeviceEventClassID), DestinationIpList = make_set(DestinationIP), FirstSeen = min(TimeGenerated) , LastSeen = max(TimeGenerated) by SourceIP, DeviceAction, DeviceVendor;\nlet CurrentHourThreats =  CommonSecurityLog\n| where isnotempty(SourceIP)\n| where TimeGenerated > ago(timeframe)\n| where DeviceVendor =~ \"Palo Alto Networks\"\n| where Activity =~ \"THREAT\" and SimplifiedDeviceAction =~ \"alert\" \n| where DeviceEventClassID in ('spyware', 'scan', 'file', 'vulnerability', 'flood', 'packet', 'virus','wildfire', 'wildfire-virus')\n| summarize TotalEvents = count(), ThreatTypes = make_set(DeviceEventClassID), DestinationIpList = make_set(DestinationIP), FirstSeen = min(TimeGenerated) , LastSeen = max(TimeGenerated) by SourceIP, DeviceAction, DeviceProduct, DeviceVendor;\nCurrentHourThreats \n| where TotalEvents < CurrThreshold\n| join kind = leftanti (HistoricalThreats \n| where TotalEvents > HistThreshold) on SourceIP\n",
        "queryFrequency": "PT1H",
        "queryPeriod": "P7D",
        "severity": "Medium",
        "status": "Available",
        "subTechniques": [
          "T1071.001"
        ],
        "suppressionDuration": "PT1H",
        "suppressionEnabled": false,
        "tactics": [
          "CommandAndControl",
          "Discovery",
          "Exfiltration"
        ],
        "tags": [
          "Fusion"
        ],
        "techniques": [
          "T1030",
          "T1046",
          "T1071"
        ],
        "templateVersion": "1.0.3",
        "triggerOperator": "GreaterThan",
        "triggerThreshold": 0
      },
      "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules"
    }
  ]
}