
PaloAlto - MAC address conflict

Id: 976d2eee-51cb-11ec-bf63-0242ac130002
Rulename: PaloAlto - MAC address conflict
Description: Detects several users with the same MAC address.
Severity: Low
Tactics: InitialAccess
Techniques: T1190
T1133
Required data connectors: CefAma
PaloAltoCDL
PaloAltoCDLAma
Kind: Scheduled
Query frequency: 1h
Query period: 1h
Trigger threshold: 0
Trigger operator: gt
Source Uri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/PaloAltoCDL/Analytic Rules/PaloAltoCDLConflictingMacAddress.yaml
Version: 1.0.2
Arm template: 976d2eee-51cb-11ec-bf63-0242ac130002.json
// Flags a destination MAC address that is associated with two or more distinct
// destination usernames in Palo Alto CDL TRAFFIC events within the query period.
// Each result row is one MAC address; the rule's triggerThreshold is 0 with
// operator gt, so any row returned raises an alert.
let threshold = 2;   // minimum number of distinct DstUsername values per MAC
PaloAltoCDLEvent
| where EventResourceId =~ 'TRAFFIC'   // =~ is a case-insensitive string match
| where isnotempty(DestinationMACAddress) and isnotempty(DstUsername)
// Distinct usernames seen per MAC. make_set de-duplicates on the exact value,
// so case or domain-prefix variants of one account presumably count as
// separate users — verify against the DstUsername values in this tenant.
| summarize UserSet = make_set(DstUsername) by DestinationMACAddress
| extend Users = array_length(UserSet)
| where Users >= threshold
// Entity columns: AccountCustomEntity carries the whole dynamic UserSet array
// (mapped to Account.Name by the rule's entityMappings) and IPCustomEntity
// carries the MAC address (mapped to IP.Address). NOTE(review): a MAC placed
// in an IP entity's Address is a type mismatch — confirm this is intended.
| extend AccountCustomEntity = UserSet, IPCustomEntity = DestinationMACAddress
# Sentinel scheduled analytic rule definition as stored in the Azure-Sentinel
# repo (see OriginalUri). The '#' lines are review notes; the rule is unchanged.
status: Available
queryFrequency: 1h
# NOTE(review): the single quotes inside the block scalar are part of the
# description text, so the deployed rule's description reads
# 'Detects several users with the same MAC address.' with the quotes included.
description: |
    'Detects several users with the same MAC address.'
severity: Low
version: 1.0.2
relevantTechniques:
- T1190
- T1133
name: PaloAlto - MAC address conflict
# 0 with triggerOperator gt: any result row fires. The per-MAC minimum of two
# distinct users is enforced inside the query (let threshold = 2).
triggerThreshold: 0
kind: Scheduled
# One row per DestinationMACAddress that carries >= threshold distinct
# DstUsername values in TRAFFIC events; the two *CustomEntity columns feed
# entityMappings below.
query: |
  let threshold = 2;
  PaloAltoCDLEvent
  | where EventResourceId =~ 'TRAFFIC'
  | where isnotempty(DestinationMACAddress) and isnotempty(DstUsername)
  | summarize UserSet = make_set(DstUsername) by DestinationMACAddress
  | extend Users = array_length(UserSet)
  | where Users >= threshold
  | extend AccountCustomEntity = UserSet, IPCustomEntity = DestinationMACAddress  
triggerOperator: gt
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/PaloAltoCDL/Analytic Rules/PaloAltoCDLConflictingMacAddress.yaml
# The query reads only the PaloAltoCDLEvent table. CefAma is listed with
# CommonSecurityLog as its data type, so presumably a parser maps that table
# onto PaloAltoCDLEvent — confirm, otherwise CefAma-only tenants return no rows.
requiredDataConnectors:
- connectorId: PaloAltoCDL
  dataTypes:
  - PaloAltoCDLEvent
- connectorId: PaloAltoCDLAma
  dataTypes:
  - PaloAltoCDLEvent
- connectorId: CefAma
  dataTypes:
  - CommonSecurityLog
tactics:
- InitialAccess
id: 976d2eee-51cb-11ec-bf63-0242ac130002
# queryPeriod equals queryFrequency, so consecutive runs look at adjacent,
# non-overlapping one-hour windows; two users of one MAC split across the
# window boundary are presumably never seen together — confirm that is acceptable.
queryPeriod: 1h
# AccountCustomEntity is the dynamic UserSet array, not a single account name.
# NOTE(review): IPCustomEntity holds DestinationMACAddress, so the IP entity's
# Address will contain a MAC rather than an IP address — confirm this is intended.
entityMappings:
- fieldMappings:
  - columnName: AccountCustomEntity
    identifier: Name
  entityType: Account
- fieldMappings:
  - columnName: IPCustomEntity
    identifier: Address
  entityType: IP
{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "workspace": {
      "type": "String"
    }
  },
  "resources": [
    {
      "apiVersion": "2024-01-01-preview",
      "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/976d2eee-51cb-11ec-bf63-0242ac130002')]",
      "kind": "Scheduled",
      "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/976d2eee-51cb-11ec-bf63-0242ac130002')]",
      "properties": {
        "alertRuleTemplateName": "976d2eee-51cb-11ec-bf63-0242ac130002",
        "customDetails": null,
        "description": "'Detects several users with the same MAC address.'\n",
        "displayName": "PaloAlto - MAC address conflict",
        "enabled": true,
        "entityMappings": [
          {
            "entityType": "Account",
            "fieldMappings": [
              {
                "columnName": "AccountCustomEntity",
                "identifier": "Name"
              }
            ]
          },
          {
            "entityType": "IP",
            "fieldMappings": [
              {
                "columnName": "IPCustomEntity",
                "identifier": "Address"
              }
            ]
          }
        ],
        "OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/PaloAltoCDL/Analytic Rules/PaloAltoCDLConflictingMacAddress.yaml",
        "query": "let threshold = 2;\nPaloAltoCDLEvent\n| where EventResourceId =~ 'TRAFFIC'\n| where isnotempty(DestinationMACAddress) and isnotempty(DstUsername)\n| summarize UserSet = make_set(DstUsername) by DestinationMACAddress\n| extend Users = array_length(UserSet)\n| where Users >= threshold\n| extend AccountCustomEntity = UserSet, IPCustomEntity = DestinationMACAddress\n",
        "queryFrequency": "PT1H",
        "queryPeriod": "PT1H",
        "severity": "Low",
        "status": "Available",
        "subTechniques": [],
        "suppressionDuration": "PT1H",
        "suppressionEnabled": false,
        "tactics": [
          "InitialAccess"
        ],
        "techniques": [
          "T1133",
          "T1190"
        ],
        "templateVersion": "1.0.2",
        "triggerOperator": "GreaterThan",
        "triggerThreshold": 0
      },
      "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules"
    }
  ]
}