From 6f7c0e0bb43fbb7db6393b9c40de10757b09fdab Mon Sep 17 00:00:00 2001
From: v-sudkharat
Date: Thu, 31 Aug 2023 14:16:58 +0530
Subject: [PATCH] updated analytic rules

---
 .../PaloAltoPrismaCloudAclAccessKeysNotRotated.yaml | 3 ++-
 .../Analytic Rules/PaloAltoPrismaCloudAclAllowAllOut.yaml | 3 ++-
 .../PaloAltoPrismaCloudAclAllowInToAdminPort.yaml | 3 ++-
 .../Analytic Rules/PaloAltoPrismaCloudAclInAllowAll.yaml | 3 ++-
 .../PaloAltoPrismaCloudAnomalousApiKeyActivity.yaml | 3 ++-
 .../Analytic Rules/PaloAltoPrismaCloudHighRiskScoreAlert.yaml | 3 ++-
 .../PaloAltoPrismaCloudHighSeverityAlertOpenedForXDays.yaml | 3 ++-
 .../Analytic Rules/PaloAltoPrismaCloudIamAdminGroup.yaml | 3 ++-
 .../Analytic Rules/PaloAltoPrismaCloudInactiveUser.yaml | 3 ++-
 .../Analytic Rules/PaloAltoPrismaCloudMaxRiskScoreAlert.yaml | 3 ++-
 .../PaloAltoPrismaCloudMultipleFailedLoginsUser.yaml | 3 ++-
 11 files changed, 22 insertions(+), 11 deletions(-)

diff --git a/Solutions/PaloAltoPrismaCloud/Analytic Rules/PaloAltoPrismaCloudAclAccessKeysNotRotated.yaml b/Solutions/PaloAltoPrismaCloud/Analytic Rules/PaloAltoPrismaCloudAclAccessKeysNotRotated.yaml
index 668df4a8645..9048302aa6d 100644
--- a/Solutions/PaloAltoPrismaCloud/Analytic Rules/PaloAltoPrismaCloudAclAccessKeysNotRotated.yaml
+++ b/Solutions/PaloAltoPrismaCloud/Analytic Rules/PaloAltoPrismaCloudAclAccessKeysNotRotated.yaml
@@ -3,6 +3,7 @@ name: Palo Alto Prisma Cloud - Access keys are not rotated for 90 days
 description: |
 'Detects access keys which were not rotated for 90 days.'
 severity: Medium
+status: Available
 requiredDataConnectors:
 - connectorId: PaloAltoPrismaCloud
 dataTypes:
@@ -26,5 +27,5 @@ entityMappings:
 fieldMappings:
 - identifier: Name
 columnName: AccountCustomEntity
-version: 1.0.0
+version: 1.0.1
 kind: Scheduled
\ No newline at end of file
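Review bot: Every one of the 11 rule files still ends without a trailing newline — each file section closes with `\ No newline at end of file` right after ` kind: Scheduled`, and this commit already rewrites the adjacent `version:` line, so it was the natural moment to terminate the file properly. Adding a final newline after `kind: Scheduled` keeps yamllint's new-line-at-end-of-file check quiet and avoids a spurious extra diff line the next time that last line is touched. The same applies to the second hunk of every other file section in this patch.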
diff --git a/Solutions/PaloAltoPrismaCloud/Analytic Rules/PaloAltoPrismaCloudAclAllowAllOut.yaml b/Solutions/PaloAltoPrismaCloud/Analytic Rules/PaloAltoPrismaCloudAclAllowAllOut.yaml
index 0ac6f5a66b2..283083c3835 100644
--- a/Solutions/PaloAltoPrismaCloud/Analytic Rules/PaloAltoPrismaCloudAclAllowAllOut.yaml
+++ b/Solutions/PaloAltoPrismaCloud/Analytic Rules/PaloAltoPrismaCloudAclAllowAllOut.yaml
@@ -3,6 +3,7 @@ name: Palo Alto Prisma Cloud - Network ACL allow all outbound traffic
 description: |
 'Detects network ACLs with outbound rule to allow all traffic.'
 severity: Medium
+status: Available
 requiredDataConnectors:
 - connectorId: PaloAltoPrismaCloud
 dataTypes:
@@ -26,5 +27,5 @@ entityMappings:
 fieldMappings:
 - identifier: Name
 columnName: AccountCustomEntity
-version: 1.0.0
+version: 1.0.1
 kind: Scheduled
\ No newline at end of file
diff --git a/Solutions/PaloAltoPrismaCloud/Analytic Rules/PaloAltoPrismaCloudAclAllowInToAdminPort.yaml b/Solutions/PaloAltoPrismaCloud/Analytic Rules/PaloAltoPrismaCloudAclAllowInToAdminPort.yaml
index abeb289b3e6..017ee900491 100644
--- a/Solutions/PaloAltoPrismaCloud/Analytic Rules/PaloAltoPrismaCloudAclAllowInToAdminPort.yaml
+++ b/Solutions/PaloAltoPrismaCloud/Analytic Rules/PaloAltoPrismaCloudAclAllowInToAdminPort.yaml
@@ -3,6 +3,7 @@ name: Palo Alto Prisma Cloud - Network ACL allow ingress traffic to server admin
 description: |
 'Detects Network ACLs allow ingress traffic to server administration ports.'
 severity: Medium
+status: Available
 requiredDataConnectors:
 - connectorId: PaloAltoPrismaCloud
 dataTypes:
@@ -26,5 +27,5 @@ entityMappings:
 fieldMappings:
 - identifier: Name
 columnName: AccountCustomEntity
-version: 1.0.0
+version: 1.0.1
 kind: Scheduled
\ No newline at end of file
diff --git a/Solutions/PaloAltoPrismaCloud/Analytic Rules/PaloAltoPrismaCloudAclInAllowAll.yaml b/Solutions/PaloAltoPrismaCloud/Analytic Rules/PaloAltoPrismaCloudAclInAllowAll.yaml
index 23ab35c2899..37bfdc3b049 100644
--- a/Solutions/PaloAltoPrismaCloud/Analytic Rules/PaloAltoPrismaCloudAclInAllowAll.yaml
+++ b/Solutions/PaloAltoPrismaCloud/Analytic Rules/PaloAltoPrismaCloudAclInAllowAll.yaml
@@ -3,6 +3,7 @@ name: Palo Alto Prisma Cloud - Network ACLs Inbound rule to allow All Traffic
 description: |
 'Detects Network ACLs with Inbound rule to allow All Traffic.'
 severity: Medium
+status: Available
 requiredDataConnectors:
 - connectorId: PaloAltoPrismaCloud
 dataTypes:
@@ -26,5 +27,5 @@ entityMappings:
 fieldMappings:
 - identifier: Name
 columnName: AccountCustomEntity
-version: 1.0.0
+version: 1.0.1
 kind: Scheduled
\ No newline at end of file
diff --git a/Solutions/PaloAltoPrismaCloud/Analytic Rules/PaloAltoPrismaCloudAnomalousApiKeyActivity.yaml b/Solutions/PaloAltoPrismaCloud/Analytic Rules/PaloAltoPrismaCloudAnomalousApiKeyActivity.yaml
index 677ffc0bc71..3cf62b4777b 100644
--- a/Solutions/PaloAltoPrismaCloud/Analytic Rules/PaloAltoPrismaCloudAnomalousApiKeyActivity.yaml
+++ b/Solutions/PaloAltoPrismaCloud/Analytic Rules/PaloAltoPrismaCloudAnomalousApiKeyActivity.yaml
@@ -3,6 +3,7 @@ name: Palo Alto Prisma Cloud - Anomalous access key usage
 description: |
 'Detects anomalous API key usage activity.'
 severity: Medium
+status: Available
 requiredDataConnectors:
 - connectorId: PaloAltoPrismaCloud
 dataTypes:
@@ -29,5 +30,5 @@ entityMappings:
 fieldMappings:
 - identifier: Name
 columnName: AccountCustomEntity
-version: 1.0.0
+version: 1.0.1
 kind: Scheduled
\ No newline at end of file
diff --git a/Solutions/PaloAltoPrismaCloud/Analytic Rules/PaloAltoPrismaCloudHighRiskScoreAlert.yaml b/Solutions/PaloAltoPrismaCloud/Analytic Rules/PaloAltoPrismaCloudHighRiskScoreAlert.yaml
index d307363c744..851809932bf 100644
--- a/Solutions/PaloAltoPrismaCloud/Analytic Rules/PaloAltoPrismaCloudHighRiskScoreAlert.yaml
+++ b/Solutions/PaloAltoPrismaCloud/Analytic Rules/PaloAltoPrismaCloudHighRiskScoreAlert.yaml
@@ -3,6 +3,7 @@ name: Palo Alto Prisma Cloud - High risk score alert
 description: |
 'Detects alerts with high risk score value.'
 severity: Medium
+status: Available
 requiredDataConnectors:
 - connectorId: PaloAltoPrismaCloud
 dataTypes:
@@ -28,5 +29,5 @@ entityMappings:
 fieldMappings:
 - identifier: Name
 columnName: AccountCustomEntity
-version: 1.0.0
+version: 1.0.1
 kind: Scheduled
\ No newline at end of file
diff --git a/Solutions/PaloAltoPrismaCloud/Analytic Rules/PaloAltoPrismaCloudHighSeverityAlertOpenedForXDays.yaml b/Solutions/PaloAltoPrismaCloud/Analytic Rules/PaloAltoPrismaCloudHighSeverityAlertOpenedForXDays.yaml
index 3138d87d4ee..fcff10aa916 100644
--- a/Solutions/PaloAltoPrismaCloud/Analytic Rules/PaloAltoPrismaCloudHighSeverityAlertOpenedForXDays.yaml
+++ b/Solutions/PaloAltoPrismaCloud/Analytic Rules/PaloAltoPrismaCloudHighSeverityAlertOpenedForXDays.yaml
@@ -3,6 +3,7 @@ name: Palo Alto Prisma Cloud - High severity alert opened for several days
 description: |
 'Detects high severity alert which is opened for several days.'
 severity: Medium
+status: Available
 requiredDataConnectors:
 - connectorId: PaloAltoPrismaCloud
 dataTypes:
@@ -30,5 +31,5 @@ entityMappings:
 fieldMappings:
 - identifier: Name
 columnName: AccountCustomEntity
-version: 1.0.0
+version: 1.0.1
 kind: Scheduled
\ No newline at end of file
diff --git a/Solutions/PaloAltoPrismaCloud/Analytic Rules/PaloAltoPrismaCloudIamAdminGroup.yaml b/Solutions/PaloAltoPrismaCloud/Analytic Rules/PaloAltoPrismaCloudIamAdminGroup.yaml
index d7f9002a61c..a62418f1ead 100644
--- a/Solutions/PaloAltoPrismaCloud/Analytic Rules/PaloAltoPrismaCloudIamAdminGroup.yaml
+++ b/Solutions/PaloAltoPrismaCloud/Analytic Rules/PaloAltoPrismaCloudIamAdminGroup.yaml
@@ -3,6 +3,7 @@ name: Palo Alto Prisma Cloud - IAM Group with Administrator Access Permissions
 description: |
 'Detects IAM Groups with Administrator Access Permissions.'
 severity: Medium
+status: Available
 requiredDataConnectors:
 - connectorId: PaloAltoPrismaCloud
 dataTypes:
@@ -26,5 +27,5 @@ entityMappings:
 fieldMappings:
 - identifier: Name
 columnName: AccountCustomEntity
-version: 1.0.0
+version: 1.0.1
 kind: Scheduled
\ No newline at end of file
diff --git a/Solutions/PaloAltoPrismaCloud/Analytic Rules/PaloAltoPrismaCloudInactiveUser.yaml b/Solutions/PaloAltoPrismaCloud/Analytic Rules/PaloAltoPrismaCloudInactiveUser.yaml
index 310b5ebc02a..51d2f0fa3aa 100644
--- a/Solutions/PaloAltoPrismaCloud/Analytic Rules/PaloAltoPrismaCloudInactiveUser.yaml
+++ b/Solutions/PaloAltoPrismaCloud/Analytic Rules/PaloAltoPrismaCloudInactiveUser.yaml
@@ -3,6 +3,7 @@ name: Palo Alto Prisma Cloud - Inactive user
 description: |
 'Detects users inactive for 30 days.'
 severity: Low
+status: Available
 requiredDataConnectors:
 - connectorId: PaloAltoPrismaCloud
 dataTypes:
@@ -25,5 +26,5 @@ entityMappings:
 fieldMappings:
 - identifier: Name
 columnName: AccountCustomEntity
-version: 1.0.0
+version: 1.0.1
 kind: Scheduled
\ No newline at end of file
diff --git a/Solutions/PaloAltoPrismaCloud/Analytic Rules/PaloAltoPrismaCloudMaxRiskScoreAlert.yaml b/Solutions/PaloAltoPrismaCloud/Analytic Rules/PaloAltoPrismaCloudMaxRiskScoreAlert.yaml
index 773ccb442c9..8fb2ee05da4 100644
--- a/Solutions/PaloAltoPrismaCloud/Analytic Rules/PaloAltoPrismaCloudMaxRiskScoreAlert.yaml
+++ b/Solutions/PaloAltoPrismaCloud/Analytic Rules/PaloAltoPrismaCloudMaxRiskScoreAlert.yaml
@@ -3,6 +3,7 @@ name: Palo Alto Prisma Cloud - Maximum risk score alert
 description: |
 'Detects alerts with maximum risk score value.'
 severity: Medium
+status: Available
 requiredDataConnectors:
 - connectorId: PaloAltoPrismaCloud
 dataTypes:
@@ -26,5 +27,5 @@ entityMappings:
 fieldMappings:
 - identifier: Name
 columnName: AccountCustomEntity
-version: 1.0.0
+version: 1.0.1
 kind: Scheduled
\ No newline at end of file
diff --git a/Solutions/PaloAltoPrismaCloud/Analytic Rules/PaloAltoPrismaCloudMultipleFailedLoginsUser.yaml b/Solutions/PaloAltoPrismaCloud/Analytic Rules/PaloAltoPrismaCloudMultipleFailedLoginsUser.yaml
index 186340048e7..2e2cbe18505 100644
--- a/Solutions/PaloAltoPrismaCloud/Analytic Rules/PaloAltoPrismaCloudMultipleFailedLoginsUser.yaml
+++ b/Solutions/PaloAltoPrismaCloud/Analytic Rules/PaloAltoPrismaCloudMultipleFailedLoginsUser.yaml
@@ -3,6 +3,7 @@ name: Palo Alto Prisma Cloud - Multiple failed logins for user
 description: |
 'Detects multiple failed logins for the same user account.'
 severity: Medium
+status: Available
 requiredDataConnectors:
 - connectorId: PaloAltoPrismaCloud
 dataTypes:
@@ -29,5 +30,5 @@ entityMappings:
 fieldMappings:
 - identifier: Name
 columnName: AccountCustomEntity
-version: 1.0.0
+version: 1.0.1
 kind: Scheduled
\ No newline at end of file