Microsoft Sentinel Analytic Rules
cloudbrothers.infoAzure Sentinel RepoToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeBack to homepage

Palo Alto WildFire Malware Detection

Back
Id961672e7-15db-4df1-9bab-dc4f032b9b6f
RulenamePalo Alto WildFire Malware Detection
DescriptionThe query checks for specifically WildFire Malware and returns the result with Entities and hosts involved and count of attakcs.
SeverityHigh
TacticsDefenseEvasion
TechniquesT1562
Required data connectorsPaloAltoNetworksCortex
KindScheduled
Query frequency1d
Query period1d
Trigger threshold0
Trigger operatorgt
Source Urihttps://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Palo Alto - XDR (Cortex)/Detection Queries/WildFire Malware Detection.yaml
Version1.0.0
Arm template961672e7-15db-4df1-9bab-dc4f032b9b6f.json
Deploy To Azure
CommonSecurityLog
| where ingestion_time() > ago(1d)
| where DeviceVendor == "Palo Alto Networks"
| where DeviceProduct == "Cortex XDR"
| where Activity == "WildFire Malware"
| summarize (Timestamp, ReportId,Severity, AttackType)=arg_max(TimeGenerated, ExternalID, LogSeverity, Activity, SourceUserName, SourceHostName), count() by Computer
| where count_ > 5
severity: High
requiredDataConnectors:
- dataTypes:
  - PaloAltoNetworksCortex
  connectorId: PaloAltoNetworksCortex
id: 961672e7-15db-4df1-9bab-dc4f032b9b6f
query: |
  CommonSecurityLog
  | where ingestion_time() > ago(1d)
  | where DeviceVendor == "Palo Alto Networks"
  | where DeviceProduct == "Cortex XDR"
  | where Activity == "WildFire Malware"
  | summarize (Timestamp, ReportId,Severity, AttackType)=arg_max(TimeGenerated, ExternalID, LogSeverity, Activity, SourceUserName, SourceHostName), count() by Computer
  | where count_ > 5  
version: 1.0.0
relevantTechniques:
- T1562
entityMappings:
- entityType: Account
  fieldMappings:
  - identifier: FullName
    columnName: SourceUserName
- entityType: Host
  fieldMappings:
  - identifier: FullName
    columnName: SourceHostName
triggerThreshold: 0
queryPeriod: 1d
name: Palo Alto WildFire Malware Detection
kind: Scheduled
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Palo Alto - XDR (Cortex)/Detection Queries/WildFire Malware Detection.yaml
triggerOperator: gt
tactics:
- DefenseEvasion
description: |
    'The query checks for specifically WildFire Malware and returns the result with Entities and hosts involved and count of attakcs.'
queryFrequency: 1d
{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "workspace": {
      "type": "String"
    }
  },
  "resources": [
    {
      "apiVersion": "2024-01-01-preview",
      "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/961672e7-15db-4df1-9bab-dc4f032b9b6f')]",
      "kind": "Scheduled",
      "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/961672e7-15db-4df1-9bab-dc4f032b9b6f')]",
      "properties": {
        "alertRuleTemplateName": "961672e7-15db-4df1-9bab-dc4f032b9b6f",
        "customDetails": null,
        "description": "'The query checks for specifically WildFire Malware and returns the result with Entities and hosts involved and count of attakcs.'\n",
        "displayName": "Palo Alto WildFire Malware Detection",
        "enabled": true,
        "entityMappings": [
          {
            "entityType": "Account",
            "fieldMappings": [
              {
                "columnName": "SourceUserName",
                "identifier": "FullName"
              }
            ]
          },
          {
            "entityType": "Host",
            "fieldMappings": [
              {
                "columnName": "SourceHostName",
                "identifier": "FullName"
              }
            ]
          }
        ],
        "OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Palo Alto - XDR (Cortex)/Detection Queries/WildFire Malware Detection.yaml",
        "query": "CommonSecurityLog\n| where ingestion_time() > ago(1d)\n| where DeviceVendor == \"Palo Alto Networks\"\n| where DeviceProduct == \"Cortex XDR\"\n| where Activity == \"WildFire Malware\"\n| summarize (Timestamp, ReportId,Severity, AttackType)=arg_max(TimeGenerated, ExternalID, LogSeverity, Activity, SourceUserName, SourceHostName), count() by Computer\n| where count_ > 5\n",
        "queryFrequency": "P1D",
        "queryPeriod": "P1D",
        "severity": "High",
        "subTechniques": [],
        "suppressionDuration": "PT1H",
        "suppressionEnabled": false,
        "tactics": [
          "DefenseEvasion"
        ],
        "techniques": [
          "T1562"
        ],
        "templateVersion": "1.0.0",
        "triggerOperator": "GreaterThan",
        "triggerThreshold": 0
      },
      "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules"
    }
  ]
}