Microsoft Sentinel Analytic Rules

PaloAlto - MAC address conflict

Id: 976d2eee-51cb-11ec-bf63-0242ac130002
Rulename: PaloAlto - MAC address conflict
Description: Detects several users with the same MAC address.
Severity: Low
Tactics: InitialAccess
Techniques: T1190
T1133
Required data connectors: CefAma
PaloAltoCDL
PaloAltoCDLAma
Kind: Scheduled
Query frequency: 1h
Query period: 1h
Trigger threshold: 0
Trigger operator: gt
Source Uri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/PaloAltoCDL/Analytic Rules/PaloAltoCDLConflictingMacAddress.yaml
Version: 1.0.2
Arm template: 976d2eee-51cb-11ec-bf63-0242ac130002.json
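// Flags a destination MAC address that is associated with more than one
// distinct destination user in TRAFFIC events within the query window.
// A MAC shared by several users can be a spoofed/duplicated MAC, a NAT or
// shared device, or an inventory error; it is a lead for investigation,
// not a confirmed compromise.
// threshold: minimum number of distinct DstUsername values per MAC to report.
let threshold = 2;
PaloAltoCDLEvent
| where EventResourceId =~ 'TRAFFIC'
// Rows without both a MAC and a user cannot form a user/MAC pairing.
| where isnotempty(DestinationMACAddress) and isnotempty(DstUsername)
| summarize UserSet = make_set(DstUsername) by DestinationMACAddress
| extend Users = array_length(UserSet)
| where Users >= threshold
// Entity mapping takes one scalar value per row. Expand the set so each
// conflicting user becomes its own Account entity instead of the whole
// array being serialized into a single account name. UserSet is kept so
// the full conflict is still visible on every row.
| mv-expand User = UserSet to typeof(string)
// IPCustomEntity carries the MAC address (there is no IP column here);
// IP-based enrichment on that entity should not be expected to match.
| extend AccountCustomEntity = User, IPCustomEntity = DestinationMACAddress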
# Microsoft Sentinel scheduled analytic rule; the ARM template below is
# generated from this definition.
entityMappings:
# NOTE(review): AccountCustomEntity is the make_set() array built in the
# query, so the Account entity receives the serialized array rather than
# one entity per conflicting user — confirm this is the intended mapping.
- entityType: Account
  fieldMappings:
  - identifier: Name
    columnName: AccountCustomEntity
# NOTE(review): IPCustomEntity holds DestinationMACAddress (a MAC, not an
# IP address); IP-based enrichment on this entity is unlikely to match.
- entityType: IP
  fieldMappings:
  - identifier: Address
    columnName: IPCustomEntity
name: PaloAlto - MAC address conflict
tactics:
- InitialAccess
severity: Low
# Fires on any result (operator gt, threshold 0); the effective minimum of
# two users per MAC is the `let threshold = 2;` inside the query.
triggerThreshold: 0
relevantTechniques:
- T1190
- T1133
id: 976d2eee-51cb-11ec-bf63-0242ac130002
version: 1.0.2
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/PaloAltoCDL/Analytic Rules/PaloAltoCDLConflictingMacAddress.yaml
# Lookback (queryPeriod) equals the run interval (queryFrequency), so a
# user/MAC pair whose events fall into two different hourly windows is not
# correlated by this rule.
queryFrequency: 1h
triggerOperator: gt
query: |
  let threshold = 2;
  PaloAltoCDLEvent
  | where EventResourceId =~ 'TRAFFIC'
  | where isnotempty(DestinationMACAddress) and isnotempty(DstUsername)
  | summarize UserSet = make_set(DstUsername) by DestinationMACAddress
  | extend Users = array_length(UserSet)
  | where Users >= threshold
  | extend AccountCustomEntity = UserSet, IPCustomEntity = DestinationMACAddress  
description: |
    'Detects several users with the same MAC address.'
# NOTE(review): the query reads only PaloAltoCDLEvent; CefAma/CommonSecurityLog
# is declared here but not referenced directly — presumably PaloAltoCDLEvent is
# a parser over CommonSecurityLog, verify it is deployed in the workspace.
requiredDataConnectors:
- connectorId: PaloAltoCDL
  dataTypes:
  - PaloAltoCDLEvent
- connectorId: PaloAltoCDLAma
  dataTypes:
  - PaloAltoCDLEvent
- connectorId: CefAma
  dataTypes:
  - CommonSecurityLog
status: Available
queryPeriod: 1h
kind: Scheduled
{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "workspace": {
      "type": "String"
    }
  },
  "resources": [
    {
      "apiVersion": "2024-01-01-preview",
      "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/976d2eee-51cb-11ec-bf63-0242ac130002')]",
      "kind": "Scheduled",
      "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/976d2eee-51cb-11ec-bf63-0242ac130002')]",
      "properties": {
        "alertRuleTemplateName": "976d2eee-51cb-11ec-bf63-0242ac130002",
        "customDetails": null,
        "description": "'Detects several users with the same MAC address.'\n",
        "displayName": "PaloAlto - MAC address conflict",
        "enabled": true,
        "entityMappings": [
          {
            "entityType": "Account",
            "fieldMappings": [
              {
                "columnName": "AccountCustomEntity",
                "identifier": "Name"
              }
            ]
          },
          {
            "entityType": "IP",
            "fieldMappings": [
              {
                "columnName": "IPCustomEntity",
                "identifier": "Address"
              }
            ]
          }
        ],
        "OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/PaloAltoCDL/Analytic Rules/PaloAltoCDLConflictingMacAddress.yaml",
        "query": "let threshold = 2;\nPaloAltoCDLEvent\n| where EventResourceId =~ 'TRAFFIC'\n| where isnotempty(DestinationMACAddress) and isnotempty(DstUsername)\n| summarize UserSet = make_set(DstUsername) by DestinationMACAddress\n| extend Users = array_length(UserSet)\n| where Users >= threshold\n| extend AccountCustomEntity = UserSet, IPCustomEntity = DestinationMACAddress\n",
        "queryFrequency": "PT1H",
        "queryPeriod": "PT1H",
        "severity": "Low",
        "status": "Available",
        "subTechniques": [],
        "suppressionDuration": "PT1H",
        "suppressionEnabled": false,
        "tactics": [
          "InitialAccess"
        ],
        "techniques": [
          "T1133",
          "T1190"
        ],
        "templateVersion": "1.0.2",
        "triggerOperator": "GreaterThan",
        "triggerThreshold": 0
      },
      "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules"
    }
  ]
}