Microsoft Sentinel Analytic Rules
cloudbrothers.infoAzure Sentinel RepoToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeBack to homepage

Palo Alto WildFire Malware Detection

Back
Id961672e7-15db-4df1-9bab-dc4f032b9b6f
RulenamePalo Alto WildFire Malware Detection
DescriptionThe query checks for specifically WildFire Malware and returns the result with Entities and hosts involved and count of attakcs.
SeverityHigh
TacticsDefenseEvasion
TechniquesT1562
Required data connectorsPaloAltoNetworksCortex
KindScheduled
Query frequency1d
Query period1d
Trigger threshold0
Trigger operatorgt
Source Urihttps://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Palo Alto - XDR (Cortex)/Detection Queries/WildFire Malware Detection.yaml
Version1.0.0
Arm template961672e7-15db-4df1-9bab-dc4f032b9b6f.json
Deploy To Azure
CommonSecurityLog
| where ingestion_time() > ago(1d)
| where DeviceVendor == "Palo Alto Networks"
| where DeviceProduct == "Cortex XDR"
| where Activity == "WildFire Malware"
| summarize (Timestamp, ReportId,Severity, AttackType)=arg_max(TimeGenerated, ExternalID, LogSeverity, Activity, SourceUserName, SourceHostName), count() by Computer
| where count_ > 5
description: |
    'The query checks for specifically WildFire Malware and returns the result with Entities and hosts involved and count of attakcs.'
queryPeriod: 1d
triggerThreshold: 0
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Palo Alto - XDR (Cortex)/Detection Queries/WildFire Malware Detection.yaml
id: 961672e7-15db-4df1-9bab-dc4f032b9b6f
kind: Scheduled
requiredDataConnectors:
- connectorId: PaloAltoNetworksCortex
  dataTypes:
  - PaloAltoNetworksCortex
tactics:
- DefenseEvasion
severity: High
triggerOperator: gt
version: 1.0.0
query: |
  CommonSecurityLog
  | where ingestion_time() > ago(1d)
  | where DeviceVendor == "Palo Alto Networks"
  | where DeviceProduct == "Cortex XDR"
  | where Activity == "WildFire Malware"
  | summarize (Timestamp, ReportId,Severity, AttackType)=arg_max(TimeGenerated, ExternalID, LogSeverity, Activity, SourceUserName, SourceHostName), count() by Computer
  | where count_ > 5  
name: Palo Alto WildFire Malware Detection
queryFrequency: 1d
relevantTechniques:
- T1562
entityMappings:
- fieldMappings:
  - columnName: SourceUserName
    identifier: FullName
  entityType: Account
- fieldMappings:
  - columnName: SourceHostName
    identifier: FullName
  entityType: Host
{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "workspace": {
      "type": "String"
    }
  },
  "resources": [
    {
      "apiVersion": "2024-01-01-preview",
      "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/961672e7-15db-4df1-9bab-dc4f032b9b6f')]",
      "kind": "Scheduled",
      "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/961672e7-15db-4df1-9bab-dc4f032b9b6f')]",
      "properties": {
        "alertRuleTemplateName": "961672e7-15db-4df1-9bab-dc4f032b9b6f",
        "customDetails": null,
        "description": "'The query checks for specifically WildFire Malware and returns the result with Entities and hosts involved and count of attakcs.'\n",
        "displayName": "Palo Alto WildFire Malware Detection",
        "enabled": true,
        "entityMappings": [
          {
            "entityType": "Account",
            "fieldMappings": [
              {
                "columnName": "SourceUserName",
                "identifier": "FullName"
              }
            ]
          },
          {
            "entityType": "Host",
            "fieldMappings": [
              {
                "columnName": "SourceHostName",
                "identifier": "FullName"
              }
            ]
          }
        ],
        "OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Palo Alto - XDR (Cortex)/Detection Queries/WildFire Malware Detection.yaml",
        "query": "CommonSecurityLog\n| where ingestion_time() > ago(1d)\n| where DeviceVendor == \"Palo Alto Networks\"\n| where DeviceProduct == \"Cortex XDR\"\n| where Activity == \"WildFire Malware\"\n| summarize (Timestamp, ReportId,Severity, AttackType)=arg_max(TimeGenerated, ExternalID, LogSeverity, Activity, SourceUserName, SourceHostName), count() by Computer\n| where count_ > 5\n",
        "queryFrequency": "P1D",
        "queryPeriod": "P1D",
        "severity": "High",
        "subTechniques": [],
        "suppressionDuration": "PT1H",
        "suppressionEnabled": false,
        "tactics": [
          "DefenseEvasion"
        ],
        "techniques": [
          "T1562"
        ],
        "templateVersion": "1.0.0",
        "triggerOperator": "GreaterThan",
        "triggerThreshold": 0
      },
      "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules"
    }
  ]
}