Microsoft Sentinel Analytic Rules
cloudbrothers.infoAzure Sentinel RepoToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeBack to homepage

Palo Alto WildFire Malware Detection

Back
Id961672e7-15db-4df1-9bab-dc4f032b9b6f
RulenamePalo Alto WildFire Malware Detection
DescriptionThe query checks for specifically WildFire Malware and returns the result with Entities and hosts involved and count of attakcs.
SeverityHigh
TacticsDefenseEvasion
TechniquesT1562
Required data connectorsPaloAltoNetworksCortex
KindScheduled
Query frequency1d
Query period1d
Trigger threshold0
Trigger operatorgt
Source Urihttps://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Palo Alto - XDR (Cortex)/Detection Queries/WildFire Malware Detection.yaml
Version1.0.0
Arm template961672e7-15db-4df1-9bab-dc4f032b9b6f.json
Deploy To Azure
CommonSecurityLog
| where ingestion_time() > ago(1d)
| where DeviceVendor == "Palo Alto Networks"
| where DeviceProduct == "Cortex XDR"
| where Activity == "WildFire Malware"
| summarize (Timestamp, ReportId,Severity, AttackType)=arg_max(TimeGenerated, ExternalID, LogSeverity, Activity, SourceUserName, SourceHostName), count() by Computer
| where count_ > 5
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Palo Alto - XDR (Cortex)/Detection Queries/WildFire Malware Detection.yaml
query: |
  CommonSecurityLog
  | where ingestion_time() > ago(1d)
  | where DeviceVendor == "Palo Alto Networks"
  | where DeviceProduct == "Cortex XDR"
  | where Activity == "WildFire Malware"
  | summarize (Timestamp, ReportId,Severity, AttackType)=arg_max(TimeGenerated, ExternalID, LogSeverity, Activity, SourceUserName, SourceHostName), count() by Computer
  | where count_ > 5  
description: |
    'The query checks for specifically WildFire Malware and returns the result with Entities and hosts involved and count of attakcs.'
severity: High
requiredDataConnectors:
- dataTypes:
  - PaloAltoNetworksCortex
  connectorId: PaloAltoNetworksCortex
name: Palo Alto WildFire Malware Detection
triggerThreshold: 0
tactics:
- DefenseEvasion
version: 1.0.0
relevantTechniques:
- T1562
triggerOperator: gt
entityMappings:
- entityType: Account
  fieldMappings:
  - columnName: SourceUserName
    identifier: FullName
- entityType: Host
  fieldMappings:
  - columnName: SourceHostName
    identifier: FullName
id: 961672e7-15db-4df1-9bab-dc4f032b9b6f
kind: Scheduled
queryFrequency: 1d
queryPeriod: 1d
{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "workspace": {
      "type": "String"
    }
  },
  "resources": [
    {
      "apiVersion": "2024-01-01-preview",
      "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/961672e7-15db-4df1-9bab-dc4f032b9b6f')]",
      "kind": "Scheduled",
      "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/961672e7-15db-4df1-9bab-dc4f032b9b6f')]",
      "properties": {
        "alertRuleTemplateName": "961672e7-15db-4df1-9bab-dc4f032b9b6f",
        "customDetails": null,
        "description": "'The query checks for specifically WildFire Malware and returns the result with Entities and hosts involved and count of attakcs.'\n",
        "displayName": "Palo Alto WildFire Malware Detection",
        "enabled": true,
        "entityMappings": [
          {
            "entityType": "Account",
            "fieldMappings": [
              {
                "columnName": "SourceUserName",
                "identifier": "FullName"
              }
            ]
          },
          {
            "entityType": "Host",
            "fieldMappings": [
              {
                "columnName": "SourceHostName",
                "identifier": "FullName"
              }
            ]
          }
        ],
        "OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Palo Alto - XDR (Cortex)/Detection Queries/WildFire Malware Detection.yaml",
        "query": "CommonSecurityLog\n| where ingestion_time() > ago(1d)\n| where DeviceVendor == \"Palo Alto Networks\"\n| where DeviceProduct == \"Cortex XDR\"\n| where Activity == \"WildFire Malware\"\n| summarize (Timestamp, ReportId,Severity, AttackType)=arg_max(TimeGenerated, ExternalID, LogSeverity, Activity, SourceUserName, SourceHostName), count() by Computer\n| where count_ > 5\n",
        "queryFrequency": "P1D",
        "queryPeriod": "P1D",
        "severity": "High",
        "subTechniques": [],
        "suppressionDuration": "PT1H",
        "suppressionEnabled": false,
        "tactics": [
          "DefenseEvasion"
        ],
        "techniques": [
          "T1562"
        ],
        "templateVersion": "1.0.0",
        "triggerOperator": "GreaterThan",
        "triggerThreshold": 0
      },
      "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules"
    }
  ]
}