Microsoft Sentinel Analytic Rules
cloudbrothers.infoAzure Sentinel RepoToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeBack to homepage

Palo Alto WildFire Malware Detection

Back
Id961672e7-15db-4df1-9bab-dc4f032b9b6f
RulenamePalo Alto WildFire Malware Detection
DescriptionThe query checks for specifically WildFire Malware and returns the result with Entities and hosts involved and count of attakcs.
SeverityHigh
TacticsDefenseEvasion
TechniquesT1562
Required data connectorsPaloAltoNetworksCortex
KindScheduled
Query frequency1d
Query period1d
Trigger threshold0
Trigger operatorgt
Source Urihttps://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Palo Alto - XDR (Cortex)/Detection Queries/WildFire Malware Detection.yaml
Version1.0.0
Arm template961672e7-15db-4df1-9bab-dc4f032b9b6f.json
Deploy To Azure
CommonSecurityLog
| where ingestion_time() > ago(1d)
| where DeviceVendor == "Palo Alto Networks"
| where DeviceProduct == "Cortex XDR"
| where Activity == "WildFire Malware"
| summarize (Timestamp, ReportId,Severity, AttackType)=arg_max(TimeGenerated, ExternalID, LogSeverity, Activity, SourceUserName, SourceHostName), count() by Computer
| where count_ > 5
tactics:
- DefenseEvasion
relevantTechniques:
- T1562
id: 961672e7-15db-4df1-9bab-dc4f032b9b6f
severity: High
query: |
  CommonSecurityLog
  | where ingestion_time() > ago(1d)
  | where DeviceVendor == "Palo Alto Networks"
  | where DeviceProduct == "Cortex XDR"
  | where Activity == "WildFire Malware"
  | summarize (Timestamp, ReportId,Severity, AttackType)=arg_max(TimeGenerated, ExternalID, LogSeverity, Activity, SourceUserName, SourceHostName), count() by Computer
  | where count_ > 5  
requiredDataConnectors:
- connectorId: PaloAltoNetworksCortex
  dataTypes:
  - PaloAltoNetworksCortex
queryPeriod: 1d
entityMappings:
- entityType: Account
  fieldMappings:
  - identifier: FullName
    columnName: SourceUserName
- entityType: Host
  fieldMappings:
  - identifier: FullName
    columnName: SourceHostName
triggerOperator: gt
triggerThreshold: 0
description: |
    'The query checks for specifically WildFire Malware and returns the result with Entities and hosts involved and count of attakcs.'
version: 1.0.0
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Palo Alto - XDR (Cortex)/Detection Queries/WildFire Malware Detection.yaml
queryFrequency: 1d
name: Palo Alto WildFire Malware Detection
kind: Scheduled
{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "workspace": {
      "type": "String"
    }
  },
  "resources": [
    {
      "apiVersion": "2024-01-01-preview",
      "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/961672e7-15db-4df1-9bab-dc4f032b9b6f')]",
      "kind": "Scheduled",
      "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/961672e7-15db-4df1-9bab-dc4f032b9b6f')]",
      "properties": {
        "alertRuleTemplateName": "961672e7-15db-4df1-9bab-dc4f032b9b6f",
        "customDetails": null,
        "description": "'The query checks for specifically WildFire Malware and returns the result with Entities and hosts involved and count of attakcs.'\n",
        "displayName": "Palo Alto WildFire Malware Detection",
        "enabled": true,
        "entityMappings": [
          {
            "entityType": "Account",
            "fieldMappings": [
              {
                "columnName": "SourceUserName",
                "identifier": "FullName"
              }
            ]
          },
          {
            "entityType": "Host",
            "fieldMappings": [
              {
                "columnName": "SourceHostName",
                "identifier": "FullName"
              }
            ]
          }
        ],
        "OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Palo Alto - XDR (Cortex)/Detection Queries/WildFire Malware Detection.yaml",
        "query": "CommonSecurityLog\n| where ingestion_time() > ago(1d)\n| where DeviceVendor == \"Palo Alto Networks\"\n| where DeviceProduct == \"Cortex XDR\"\n| where Activity == \"WildFire Malware\"\n| summarize (Timestamp, ReportId,Severity, AttackType)=arg_max(TimeGenerated, ExternalID, LogSeverity, Activity, SourceUserName, SourceHostName), count() by Computer\n| where count_ > 5\n",
        "queryFrequency": "P1D",
        "queryPeriod": "P1D",
        "severity": "High",
        "subTechniques": [],
        "suppressionDuration": "PT1H",
        "suppressionEnabled": false,
        "tactics": [
          "DefenseEvasion"
        ],
        "techniques": [
          "T1562"
        ],
        "templateVersion": "1.0.0",
        "triggerOperator": "GreaterThan",
        "triggerThreshold": 0
      },
      "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules"
    }
  ]
}