Microsoft Sentinel Analytic Rules
cloudbrothers.infoAzure Sentinel RepoToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeBack to homepage

Palo Alto WildFire Malware Detection

Back
Id961672e7-15db-4df1-9bab-dc4f032b9b6f
RulenamePalo Alto WildFire Malware Detection
DescriptionThe query checks for specifically WildFire Malware and returns the result with Entities and hosts involved and count of attakcs.
SeverityHigh
TacticsDefenseEvasion
TechniquesT1562
Required data connectorsPaloAltoNetworksCortex
KindScheduled
Query frequency1d
Query period1d
Trigger threshold0
Trigger operatorgt
Source Urihttps://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Palo Alto - XDR (Cortex)/Detection Queries/WildFire Malware Detection.yaml
Version1.0.0
Arm template961672e7-15db-4df1-9bab-dc4f032b9b6f.json
Deploy To Azure
CommonSecurityLog
| where ingestion_time() > ago(1d)
| where DeviceVendor == "Palo Alto Networks"
| where DeviceProduct == "Cortex XDR"
| where Activity == "WildFire Malware"
| summarize (Timestamp, ReportId,Severity, AttackType)=arg_max(TimeGenerated, ExternalID, LogSeverity, Activity, SourceUserName, SourceHostName), count() by Computer
| where count_ > 5
queryPeriod: 1d
version: 1.0.0
tactics:
- DefenseEvasion
queryFrequency: 1d
id: 961672e7-15db-4df1-9bab-dc4f032b9b6f
triggerOperator: gt
requiredDataConnectors:
- dataTypes:
  - PaloAltoNetworksCortex
  connectorId: PaloAltoNetworksCortex
severity: High
entityMappings:
- entityType: Account
  fieldMappings:
  - columnName: SourceUserName
    identifier: FullName
- entityType: Host
  fieldMappings:
  - columnName: SourceHostName
    identifier: FullName
triggerThreshold: 0
relevantTechniques:
- T1562
query: |
  CommonSecurityLog
  | where ingestion_time() > ago(1d)
  | where DeviceVendor == "Palo Alto Networks"
  | where DeviceProduct == "Cortex XDR"
  | where Activity == "WildFire Malware"
  | summarize (Timestamp, ReportId,Severity, AttackType)=arg_max(TimeGenerated, ExternalID, LogSeverity, Activity, SourceUserName, SourceHostName), count() by Computer
  | where count_ > 5  
kind: Scheduled
name: Palo Alto WildFire Malware Detection
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Palo Alto - XDR (Cortex)/Detection Queries/WildFire Malware Detection.yaml
description: |
    'The query checks for specifically WildFire Malware and returns the result with Entities and hosts involved and count of attakcs.'
{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "workspace": {
      "type": "String"
    }
  },
  "resources": [
    {
      "apiVersion": "2024-01-01-preview",
      "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/961672e7-15db-4df1-9bab-dc4f032b9b6f')]",
      "kind": "Scheduled",
      "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/961672e7-15db-4df1-9bab-dc4f032b9b6f')]",
      "properties": {
        "alertRuleTemplateName": "961672e7-15db-4df1-9bab-dc4f032b9b6f",
        "customDetails": null,
        "description": "'The query checks for specifically WildFire Malware and returns the result with Entities and hosts involved and count of attakcs.'\n",
        "displayName": "Palo Alto WildFire Malware Detection",
        "enabled": true,
        "entityMappings": [
          {
            "entityType": "Account",
            "fieldMappings": [
              {
                "columnName": "SourceUserName",
                "identifier": "FullName"
              }
            ]
          },
          {
            "entityType": "Host",
            "fieldMappings": [
              {
                "columnName": "SourceHostName",
                "identifier": "FullName"
              }
            ]
          }
        ],
        "OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Palo Alto - XDR (Cortex)/Detection Queries/WildFire Malware Detection.yaml",
        "query": "CommonSecurityLog\n| where ingestion_time() > ago(1d)\n| where DeviceVendor == \"Palo Alto Networks\"\n| where DeviceProduct == \"Cortex XDR\"\n| where Activity == \"WildFire Malware\"\n| summarize (Timestamp, ReportId,Severity, AttackType)=arg_max(TimeGenerated, ExternalID, LogSeverity, Activity, SourceUserName, SourceHostName), count() by Computer\n| where count_ > 5\n",
        "queryFrequency": "P1D",
        "queryPeriod": "P1D",
        "severity": "High",
        "subTechniques": [],
        "suppressionDuration": "PT1H",
        "suppressionEnabled": false,
        "tactics": [
          "DefenseEvasion"
        ],
        "techniques": [
          "T1562"
        ],
        "templateVersion": "1.0.0",
        "triggerOperator": "GreaterThan",
        "triggerThreshold": 0
      },
      "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules"
    }
  ]
}