[a-zA-Z0-9-_:@.,?%#(){}><\\/\"\\\\ ]+)', dynamic([\"key\",\"value\"]), AdditionalExtensions) on (\n project packed1 = pack(tostring(AdditionalFields[0]), tostring(AdditionalFields[1]))\n | summarize bag = make_bag(packed1)\n)\n| evaluate bag_unpack(bag)\n| extend DvcIpAddr = column_ifexists( \"Device IPv6 Address\" , \"\")\n , DstIpAddr = column_ifexists( \"Destination IPv6 Address\" , \"\")\n , SrcIpAddr = column_ifexists( \"Source IPv6 Address\" , \"\")\n , EventResultDetails = coalesce(column_ifexists(\"reason\",\"\"),column_ifexists(\"Reason\",\"\"))\n , SrcZone = column_ifexists( \"FromZone\" , \"\")\n , DstZone = column_ifexists( \"Zone\" , \"\")\n , NetworkPackets = column_ifexists( \"PacketsTotal\" , int(null))\n , NetworkDuration = column_ifexists( \"SessionDuration\" , int(null))\n , NetworkSessionId = column_ifexists( \"SessionID\" , int(null))\n , EventStartTime = coalesce(column_ifexists(\"StartTime\",datetime(null))\n , todatetime(column_ifexists(\"start\",\"\")))\n , EventEndTime = coalesce(column_ifexists(\"EventEndTime\",datetime(null))\n , todatetime(column_ifexists(\"end\",\"\")))\n , EventType = coalesce(column_ifexists(\"DeviceEventCategory\",\"\"), column_ifexists(\"cat\",\"\"))\n| project-rename EventProductVersion = DeviceVersion\n , DvcId = DeviceExternalID\n , DvcHostname = DeviceName\n , DstNatPortNumber = DestinationTranslatedPort\n , DstHostname = DestinationHostName\n , SrcNatPortNumber = SourceTranslatedPort\n , SrcFileName = FileName\n , SrcFilePath = FilePath\n , EventMessage = Message\n , EventSeverity = LogSeverity\n , EventResult = Activity\n , DstPortNumber = DestinationPort\n , DstUserId = DestinationUserID\n , EventResourceId = DeviceEventClassID\n , HttpRequestMethod = RequestMethod\n , Url = RequestURL\n , HttpContentFormat = RequestContext\n , SrcHostname = SourceHostName\n , DvcAction = DeviceAction\n , DstDomain = DestinationNTDomain\n , SrcPortNumber = SourcePort\n , DvcInboundInterface = DeviceInboundInterface\n , 
DvcOutboundInterface = DeviceOutboundInterface\n , NetworkProtocol = Protocol\n , NetworkApplicationProtocol = ApplicationProtocol\n , SrcDomain = SourceNTDomain\n , SrcUserId = SourceUserID\n , DstBytes = ReceivedBytes\n , SrcBytes = SentBytes\n| extend EventTimeIngested = todatetime(ReceiptTime)\n| extend SrcNatIpAddr = case(isempty(SourceIP), SourceTranslatedAddress, \n pack_array(SourceTranslatedAddress,SourceIP))\n| extend DstNatIpAddr = case(isempty(DestinationIP), DestinationTranslatedAddress,\n pack_array(DestinationTranslatedAddress, DestinationIP))\n| extend suser0 = column_ifexists(\"suser0\",\"\")\n , duser0 = column_ifexists(\"duser0\",\"\")\n | extend SrcUsername = case(isempty(suser0), SourceUserName, \n pack_array(SourceUserName,suser0))\n | extend DstUsername = case(isempty(duser0), DestinationUserName,\n pack_array(DestinationUserName,duser0))\n| project-away ReceiptTime\n , Type\n , StartTime\n , EndTime\n , DeviceVendor\n , DeviceProduct\n , duser0\n , DestinationUserName\n , suser0\n , SourceUserName\n , AdditionalExtensions\n , DestinationTranslatedAddress\n , DestinationIP\n , SourceTranslatedAddress\n , SourceIP\n , DeviceCustomNumber1Label\n , DeviceCustomNumber1\n , DeviceCustomNumber2Label\n , DeviceCustomNumber2\n , DeviceCustomNumber3Label\n , DeviceCustomNumber3\n , DeviceCustomString1Label\n , DeviceCustomString1\n , DeviceCustomString2Label\n , DeviceCustomString2\n , DeviceCustomString3Label\n , DeviceCustomString3\n , DeviceCustomString4Label\n , DeviceCustomString4\n , DeviceCustomString5Label\n , DeviceCustomString5\n , DeviceCustomString6Label\n , DeviceCustomString6\n , DeviceCustomDate1Label\n , DeviceCustomDate1\n , DeviceCustomDate2Label\n , DeviceCustomDate2\n , FlexString1Label\n , FlexString1\n , FlexString2Label\n , FlexString2\n , DeviceCustomIPv6Address1Label\n , DeviceCustomIPv6Address1\n , DeviceCustomIPv6Address2Label\n , DeviceCustomIPv6Address2\n , DeviceCustomIPv6Address3Label\n , DeviceCustomIPv6Address3\n , 
DeviceCustomFloatingPoint1Label\n , DeviceCustomFloatingPoint1\n , DeviceCustomFloatingPoint2Label\n , DeviceCustomFloatingPoint2\n",
+ "functionParameters": "",
+ "version": 2,
+ "tags": [
+ {
+ "name": "description",
+ "value": ""
+ }
+ ]
}
},
{
- "type": "Microsoft.Resources/templateSpecs/versions",
- "apiversion": "2022-02-01",
- "name": "[concat(variables('huntingQueryTemplateSpecName2'),'/',variables('huntingQueryVersion2'))]",
+ "type": "Microsoft.OperationalInsights/workspaces/providers/metadata",
+ "apiVersion": "2022-01-01-preview",
"location": "[parameters('workspace-location')]",
- "tags": {
- "hidden-sentinelWorkspaceId": "[variables('workspaceResourceId')]",
- "hidden-sentinelContentType": "HuntingQuery"
- },
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('Parser-', last(split(variables('_parserId1'),'/'))))]",
"dependsOn": [
- "[resourceId('Microsoft.Resources/templateSpecs', variables('huntingQueryTemplateSpecName2'))]"
+ "[variables('_parserId1')]"
+ ],
+ "properties": {
+ "parentId": "[resourceId('Microsoft.OperationalInsights/workspaces/savedSearches', parameters('workspace'), variables('parserName1'))]",
+ "contentId": "[variables('_parserContentId1')]",
+ "kind": "Parser",
+ "version": "[variables('parserVersion1')]",
+ "source": {
+ "kind": "Solution",
+ "name": "PaloAltoCDL",
+ "sourceId": "[variables('_solutionId')]"
+ },
+ "author": {
+ "name": "Microsoft",
+ "email": "[variables('_email')]"
+ },
+ "support": {
+ "name": "Microsoft Corporation",
+ "email": "support@microsoft.com",
+ "tier": "Microsoft",
+ "link": "https://support.microsoft.com"
+ }
+ }
+ },
+ {
+ "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates",
+ "apiVersion": "2023-04-01-preview",
+ "name": "[variables('workbookTemplateSpecName1')]",
+ "location": "[parameters('workspace-location')]",
+ "dependsOn": [
+ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
- "description": "PaloAltoCDLFilePermissionWithPutRequest_HuntingQueries Hunting Query with template version 2.0.4",
+ "description": "PaloAltoCDLWorkbook Workbook with template version 3.0.0",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
- "contentVersion": "[variables('huntingQueryVersion2')]",
+ "contentVersion": "[variables('workbookVersion1')]",
"parameters": {},
"variables": {},
"resources": [
{
- "type": "Microsoft.OperationalInsights/savedSearches",
- "apiVersion": "2020-08-01",
- "name": "PaloAltoCDL_Hunting_Query_2",
+ "type": "Microsoft.Insights/workbooks",
+ "name": "[variables('workbookContentId1')]",
"location": "[parameters('workspace-location')]",
+ "kind": "shared",
+ "apiVersion": "2021-08-01",
+ "metadata": {
+ "description": "Sets the time name for analysis"
+ },
"properties": {
- "eTag": "*",
- "displayName": "PaloAlto - File permission with PUT or POST request",
- "category": "Hunting Queries",
- "query": "PaloAltoCDLEvent\n| where TimeGenerated > ago(24h)\n| where HttpRequestMethod contains \"PUT\" or HttpRequestMethod contains \"POST\"\n| where isnotempty(FilePermission)\n| summarize Permissions = count() by FilePermission, DstUsername\n| extend AccountCustomEntity = DstUsername\n",
- "version": 2,
- "tags": [
- {
- "name": "description",
- "value": "Query shows file permission with PUT or POST request"
- },
- {
- "name": "tactics",
- "value": "InitialAccess"
- },
- {
- "name": "techniques",
- "value": "T1190,T1133"
- }
- ]
+ "displayName": "[parameters('workbook1-name')]",
+ "serializedData": "{\"version\":\"Notebook/1.0\",\"items\":[{\"type\":1,\"content\":{\"json\":\"**NOTE**: This data connector depends on a parser based on Kusto Function **PaloAltoCDLEvent** to work as expected. [Follow steps to get this Kusto Function](https://aka.ms/sentinel-paloaltocdl-parser)\"},\"name\":\"text - 8\"},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"cd8447d9-b096-4673-92d8-2a1e8291a125\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"TimeRange\",\"type\":4,\"description\":\"Sets the time name for analysis\",\"value\":{\"durationMs\":7776000000},\"typeSettings\":{\"selectableValues\":[{\"durationMs\":900000},{\"durationMs\":3600000},{\"durationMs\":86400000},{\"durationMs\":604800000},{\"durationMs\":2592000000},{\"durationMs\":7776000000}]},\"timeContext\":{\"durationMs\":86400000}}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"parameters - 11\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"PaloAltoCDLEvent\\r\\n| make-series TotalEvents = count() default = 0 on TimeGenerated from {TimeRange:start} to {TimeRange:end} step {TimeRange:grain};\",\"size\":0,\"title\":\"Events Over Time\",\"timeContext\":{\"durationMs\":7776000000},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"timechart\",\"graphSettings\":{\"type\":0}},\"customWidth\":\"60\",\"name\":\"query - 12\",\"styleSettings\":{\"maxWidth\":\"55\"}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"PaloAltoCDLEvent\\r\\n | summarize Result = count() by EventSeverity\",\"size\":3,\"title\":\"Events Severity\",\"timeContext\":{\"durationMs\":7776000000},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"piechart\"},\"customWidth\":\"30\",\"name\":\"query - 
0\",\"styleSettings\":{\"maxWidth\":\"30\"}},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"PaloAltoCDLEvent\\r\\n| where isnotempty(SrcIpAddr)\\r\\n| summarize dcount(SrcIpAddr) \",\"size\":3,\"title\":\"Unique IP Addresses\",\"timeContext\":{\"durationMs\":7776000000},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"card\",\"textSettings\":{\"style\":\"bignumber\"}},\"name\":\"query - 0\"}]},\"name\":\"group - 1\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"PaloAltoCDLEvent\\r\\n| where EventResourceId contains \\\"THREAT\\\"\\r\\n| count \",\"size\":3,\"title\":\"Total Threat Events\",\"timeContext\":{\"durationMs\":7776000000},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"card\",\"textSettings\":{\"style\":\"bignumber\"}},\"name\":\"query - 0\"}]},\"name\":\"group - 2\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"PaloAltoCDLEvent\\r\\n| where EventResourceId contains \\\"THREAT\\\"\\r\\n| where isnotempty(DvcAction) \\r\\n| where EventResult contains \\\"drop\\\" or EventResult contains \\\"deny\\\" or EventResult contains \\\"reset\\\" or EventResult contains \\\"block\\\" or EventResult contains \\\"lockout\\\" or EventResult contains \\\"override\\\"\\r\\n| count \",\"size\":3,\"title\":\"Total Threat 
Response\",\"timeContext\":{\"durationMs\":7776000000},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"card\",\"textSettings\":{\"style\":\"bignumber\"}},\"name\":\"query - 0\"}]},\"name\":\"group - 2\"}]},\"customWidth\":\"10\",\"name\":\"group - 9\",\"styleSettings\":{\"maxWidth\":\"100\",\"showBorder\":true}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"PaloAltoCDLEvent\\r\\n| where EventResourceId contains \\\"THREAT\\\"\\r\\n| summarize ResponseAction = count() by DvcAction\",\"size\":3,\"title\":\"Response action \",\"timeContext\":{\"durationMs\":7776000000},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"piechart\"},\"customWidth\":\"33\",\"name\":\"query - 3\",\"styleSettings\":{\"margin\":\"10\",\"padding\":\"10\"}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\" PaloAltoCDLEvent\\r\\n | where isnotempty(NetworkApplicationProtocol) \\r\\n | summarize ApplicationLayerProtocol = count() by NetworkApplicationProtocol\",\"size\":3,\"title\":\"Application layer protocol\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"piechart\"},\"customWidth\":\"30\",\"name\":\"query - 15\",\"styleSettings\":{\"maxWidth\":\"30\"}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"PaloAltoCDLEvent\\r\\n| where EventResourceId contains \\\"THREAT\\\"\\r\\n| where isnotempty(IndicatorThreatType) \\r\\n| summarize ThreatType = count() by IndicatorThreatType\",\"size\":3,\"title\":\"Threat 
Types\",\"timeContext\":{\"durationMs\":7776000000},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"barchart\",\"gridSettings\":{\"sortBy\":[{\"itemKey\":\"TotalEvents\",\"sortOrder\":2}]},\"sortBy\":[{\"itemKey\":\"TotalEvents\",\"sortOrder\":2}]},\"customWidth\":\"33\",\"name\":\"query - 2\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"PaloAltoCDLEvent\\r\\n| where isnotempty(DstUsername)\\r\\n| sort by TimeGenerated desc \\r\\n| project User=DstUsername, ThreatEvent=strcat(iff(EventResourceId contains \\\"THREAT\\\", '❌', '✅')), SourceAddress=SrcIpAddr\",\"size\":0,\"title\":\"Latest events\",\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"gridSettings\":{\"rowLimit\":50,\"filter\":true}},\"customWidth\":\"35\",\"name\":\"query - 12\",\"styleSettings\":{\"maxWidth\":\"33\"}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"PaloAltoCDLEvent\\r\\n| where isnotempty(DstPortNumber) \\r\\n| summarize TopPorts = count() by tostring(DstPortNumber)\\r\\n| top 20 by TopPorts desc \",\"size\":3,\"title\":\"Top ports\",\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"piechart\",\"tileSettings\":{\"showBorder\":false},\"graphSettings\":{\"type\":0},\"mapSettings\":{\"locInfo\":\"LatLong\",\"sizeSettings\":\"DstPortNumber\",\"sizeAggregation\":\"Sum\",\"legendMetric\":\"DstPortNumber\",\"legendAggregation\":\"Sum\",\"itemColorSettings\":{\"type\":\"heatmap\",\"colorAggregation\":\"Sum\",\"nodeColorField\":\"DstPortNumber\",\"heatmapPalette\":\"greenRed\"}}},\"customWidth\":\"30\",\"name\":\"query - 
14\",\"styleSettings\":{\"maxWidth\":\"30\"}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"PaloAltoCDLEvent\\r\\n| where EventResourceId contains \\\"THREAT\\\"\\r\\n| where isnotempty(Url)\\r\\n| summarize ThreatEventUrl = count() by Url\\r\\n| top 10 by ThreatEventUrl desc \",\"size\":3,\"title\":\"Top Threat Event URLs \",\"timeContext\":{\"durationMs\":7776000000},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"table\"},\"customWidth\":\"35\",\"name\":\"query - 10\",\"styleSettings\":{\"maxWidth\":\"100\"}}],\"fromTemplateId\":\"sentinel-PaloAltoCDLWorkbook\",\"$schema\":\"https://github.com/Microsoft/Application-Insights-Workbooks/blob/master/schema/workbook.json\"}\n",
+ "version": "1.0",
+ "sourceId": "[variables('workspaceResourceId')]",
+ "category": "sentinel"
}
},
{
"type": "Microsoft.OperationalInsights/workspaces/providers/metadata",
"apiVersion": "2022-01-01-preview",
- "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('HuntingQuery-', last(split(variables('huntingQueryId2'),'/'))))]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('Workbook-', last(split(variables('workbookId1'),'/'))))]",
"properties": {
- "description": "PaloAltoCDL Hunting Query 2",
- "parentId": "[variables('huntingQueryId2')]",
- "contentId": "[variables('_huntingQuerycontentId2')]",
- "kind": "HuntingQuery",
- "version": "[variables('huntingQueryVersion2')]",
+ "description": "@{workbookKey=PaloAltoCDL; logoFileName=paloalto_logo.svg; description=Sets the time name for analysis; dataTypesDependencies=System.Object[]; dataConnectorsDependencies=System.Object[]; previewImagesFileNames=System.Object[]; version=1.0.0; title=Palo Alto Networks Cortex Data Lake; templateRelativePath=PaloAltoCDL.json; subtitle=; provider=Palo Alto Networks}.description",
+ "parentId": "[variables('workbookId1')]",
+ "contentId": "[variables('_workbookContentId1')]",
+ "kind": "Workbook",
+ "version": "[variables('workbookVersion1')]",
"source": {
"kind": "Solution",
"name": "PaloAltoCDL",
@@ -569,70 +1060,111 @@
"email": "support@microsoft.com",
"tier": "Microsoft",
"link": "https://support.microsoft.com"
+ },
+ "dependencies": {
+ "operator": "AND",
+ "criteria": [
+ {
+ "contentId": "CommonSecurityLog",
+ "kind": "DataType"
+ },
+ {
+ "contentId": "PaloAltoCDL",
+ "kind": "DataConnector"
+ }
+ ]
}
}
}
]
- }
+ },
+ "packageKind": "Solution",
+ "packageVersion": "[variables('_solutionVersion')]",
+ "packageName": "[variables('_solutionName')]",
+ "packageId": "[variables('_solutionId')]",
+ "contentSchemaVersion": "3.0.0",
+ "contentId": "[variables('_workbookContentId1')]",
+ "contentKind": "Workbook",
+ "displayName": "[parameters('workbook1-name')]",
+ "contentProductId": "[variables('_workbookcontentProductId1')]",
+ "id": "[variables('_workbookcontentProductId1')]",
+ "version": "[variables('workbookVersion1')]"
}
},
{
- "type": "Microsoft.Resources/templateSpecs",
- "apiversion": "2022-02-01",
- "name": "[variables('huntingQueryTemplateSpecName3')]",
+ "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates",
+ "apiVersion": "2023-04-01-preview",
+ "name": "[variables('analyticRuleTemplateSpecName1')]",
"location": "[parameters('workspace-location')]",
- "tags": {
- "hidden-sentinelWorkspaceId": "[variables('workspaceResourceId')]",
- "hidden-sentinelContentType": "HuntingQuery"
- },
+ "dependsOn": [
+ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
+ ],
"properties": {
- "description": "PaloAltoCDL Hunting Query 3 with template",
- "displayName": "PaloAltoCDL Hunting Query template"
- }
- },
- {
- "type": "Microsoft.Resources/templateSpecs/versions",
- "apiversion": "2022-02-01",
- "name": "[concat(variables('huntingQueryTemplateSpecName3'),'/',variables('huntingQueryVersion3'))]",
- "location": "[parameters('workspace-location')]",
- "tags": {
- "hidden-sentinelWorkspaceId": "[variables('workspaceResourceId')]",
- "hidden-sentinelContentType": "HuntingQuery"
- },
- "dependsOn": [
- "[resourceId('Microsoft.Resources/templateSpecs', variables('huntingQueryTemplateSpecName3'))]"
- ],
- "properties": {
- "description": "PaloAltoCDLIPsByPorts_HuntingQueries Hunting Query with template version 2.0.4",
+ "description": "PaloAltoCDLConflictingMacAddress_AnalyticalRules Analytics Rule with template version 3.0.0",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
- "contentVersion": "[variables('huntingQueryVersion3')]",
+ "contentVersion": "[variables('analyticRuleVersion1')]",
"parameters": {},
"variables": {},
"resources": [
{
- "type": "Microsoft.OperationalInsights/savedSearches",
- "apiVersion": "2020-08-01",
- "name": "PaloAltoCDL_Hunting_Query_3",
+ "type": "Microsoft.SecurityInsights/AlertRuleTemplates",
+ "name": "[variables('analyticRulecontentId1')]",
+ "apiVersion": "2022-04-01-preview",
+ "kind": "Scheduled",
"location": "[parameters('workspace-location')]",
"properties": {
- "eTag": "*",
- "displayName": "PaloAlto - Destination ports by IPs",
- "category": "Hunting Queries",
- "query": "PaloAltoCDLEvent\n| where TimeGenerated > ago(24h)\n| where isnotempty(DstPortNumber)\n| summarize IP_Dst = make_set(tostring(DstNatIpAddr)) by DstPortNumber\n| extend IPCustomEntity = IP_Dst\n",
- "version": 2,
- "tags": [
+ "description": "Detects several users with the same MAC address.",
+ "displayName": "PaloAlto - MAC address conflict",
+ "enabled": false,
+ "query": "let threshold = 2;\nPaloAltoCDLEvent\n| where EventResourceId =~ 'TRAFFIC'\n| where isnotempty(DestinationMACAddress) and isnotempty(DstUsername)\n| summarize UserSet = make_set(DstUsername) by DestinationMACAddress\n| extend Users = array_length(UserSet)\n| where Users >= threshold\n| extend AccountCustomEntity = UserSet, IPCustomEntity = DestinationMACAddress\n",
+ "queryFrequency": "PT1H",
+ "queryPeriod": "PT1H",
+ "severity": "Low",
+ "suppressionDuration": "PT1H",
+ "suppressionEnabled": false,
+ "triggerOperator": "GreaterThan",
+ "triggerThreshold": 0,
+ "status": "Available",
+ "requiredDataConnectors": [
{
- "name": "description",
- "value": "Query shows destination ports by IP address."
+ "dataTypes": [
+ "PaloAltoCDLEvent"
+ ],
+ "connectorId": "PaloAltoCDL"
},
{
- "name": "tactics",
- "value": "InitialAccess"
+ "dataTypes": [
+ "PaloAltoCDLEvent"
+ ],
+ "connectorId": "PaloAltoCDLAma"
+ }
+ ],
+ "tactics": [
+ "InitialAccess"
+ ],
+ "techniques": [
+ "T1190",
+ "T1133"
+ ],
+ "entityMappings": [
+ {
+ "entityType": "Account",
+ "fieldMappings": [
+ {
+ "columnName": "AccountCustomEntity",
+ "identifier": "Name"
+ }
+ ]
},
{
- "name": "techniques",
- "value": "T1190,T1133"
+ "entityType": "IP",
+ "fieldMappings": [
+ {
+ "columnName": "IPCustomEntity",
+ "identifier": "Address"
+ }
+ ]
}
]
}
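Review bot: The entityMappings at the end of this hunk do not fit the columns the rule's `"query"` produces: AccountCustomEntity is assigned UserSet, a dynamic array from make_set, while the Account mapping expects one scalar name per row, and IPCustomEntity is assigned DestinationMACAddress but mapped to an IP entity with identifier Address, so a MAC string will be treated as an IP and correlate with nothing. I would finish the query with `| mv-expand AccountCustomEntity = UserSet to typeof(string)` so each conflicting user becomes its own Account entity, and either drop the IP mapping or move the MAC address to an entity type whose identifiers actually accept one. The InitialAccess / T1190 / T1133 tactics and techniques look carried over from the hunting-query tags deleted in this hunk and are repeated verbatim on every rule in the diff; they seem unrelated to a MAC-address conflict and are worth re-checking per rule.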
@@ -640,13 +1172,13 @@
{
"type": "Microsoft.OperationalInsights/workspaces/providers/metadata",
"apiVersion": "2022-01-01-preview",
- "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('HuntingQuery-', last(split(variables('huntingQueryId3'),'/'))))]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleId1'),'/'))))]",
"properties": {
- "description": "PaloAltoCDL Hunting Query 3",
- "parentId": "[variables('huntingQueryId3')]",
- "contentId": "[variables('_huntingQuerycontentId3')]",
- "kind": "HuntingQuery",
- "version": "[variables('huntingQueryVersion3')]",
+ "description": "PaloAltoCDL Analytics Rule 1",
+ "parentId": "[variables('analyticRuleId1')]",
+ "contentId": "[variables('_analyticRulecontentId1')]",
+ "kind": "AnalyticsRule",
+ "version": "[variables('analyticRuleVersion1')]",
"source": {
"kind": "Solution",
"name": "PaloAltoCDL",
@@ -665,66 +1197,94 @@
}
}
]
- }
- }
- },
- {
- "type": "Microsoft.Resources/templateSpecs",
- "apiversion": "2022-02-01",
- "name": "[variables('huntingQueryTemplateSpecName4')]",
- "location": "[parameters('workspace-location')]",
- "tags": {
- "hidden-sentinelWorkspaceId": "[variables('workspaceResourceId')]",
- "hidden-sentinelContentType": "HuntingQuery"
- },
- "properties": {
- "description": "PaloAltoCDL Hunting Query 4 with template",
- "displayName": "PaloAltoCDL Hunting Query template"
+ },
+ "packageKind": "Solution",
+ "packageVersion": "[variables('_solutionVersion')]",
+ "packageName": "[variables('_solutionName')]",
+ "packageId": "[variables('_solutionId')]",
+ "contentSchemaVersion": "3.0.0",
+ "contentId": "[variables('_analyticRulecontentId1')]",
+ "contentKind": "AnalyticsRule",
+ "displayName": "PaloAlto - MAC address conflict",
+ "contentProductId": "[variables('_analyticRulecontentProductId1')]",
+ "id": "[variables('_analyticRulecontentProductId1')]",
+ "version": "[variables('analyticRuleVersion1')]"
}
},
{
- "type": "Microsoft.Resources/templateSpecs/versions",
- "apiversion": "2022-02-01",
- "name": "[concat(variables('huntingQueryTemplateSpecName4'),'/',variables('huntingQueryVersion4'))]",
+ "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates",
+ "apiVersion": "2023-04-01-preview",
+ "name": "[variables('analyticRuleTemplateSpecName2')]",
"location": "[parameters('workspace-location')]",
- "tags": {
- "hidden-sentinelWorkspaceId": "[variables('workspaceResourceId')]",
- "hidden-sentinelContentType": "HuntingQuery"
- },
"dependsOn": [
- "[resourceId('Microsoft.Resources/templateSpecs', variables('huntingQueryTemplateSpecName4'))]"
+ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
- "description": "PaloAltoCDLIncompleteApplicationProtocol_HuntingQueries Hunting Query with template version 2.0.4",
+ "description": "PaloAltoCDLDroppingSessionWithSentTraffic_AnalyticalRules Analytics Rule with template version 3.0.0",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
- "contentVersion": "[variables('huntingQueryVersion4')]",
+ "contentVersion": "[variables('analyticRuleVersion2')]",
"parameters": {},
"variables": {},
"resources": [
{
- "type": "Microsoft.OperationalInsights/savedSearches",
- "apiVersion": "2020-08-01",
- "name": "PaloAltoCDL_Hunting_Query_4",
+ "type": "Microsoft.SecurityInsights/AlertRuleTemplates",
+ "name": "[variables('analyticRulecontentId2')]",
+ "apiVersion": "2022-04-01-preview",
+ "kind": "Scheduled",
"location": "[parameters('workspace-location')]",
"properties": {
- "eTag": "*",
- "displayName": "PaloAlto - Incomplete application protocol",
- "category": "Hunting Queries",
- "query": "PaloAltoCDLEvent\n| where TimeGenerated > ago(24h)\n| where NetworkApplicationProtocol has_any (\"incomplete\", \"Not-Applicable\", \"insufficient\")\n| extend UrlCustomEntity = Url, IPCustomEntity = DstIpAddr\n",
- "version": 2,
- "tags": [
+ "description": "Detects dropping or denying session with traffic.",
+ "displayName": "PaloAlto - Dropping or denying session with traffic",
+ "enabled": false,
+ "query": "let threshold = 100;\nPaloAltoCDLEvent\n| where EventResourceId =~ 'TRAFFIC'\n| where EventResult has_any (\"deny\", \"drop\", \"reject\") \n| where tolong(DstBytes) > 0\n| where tolong(NetworkPackets) > 0\n| summarize count() by SrcIpAddr, DstUsername, bin(TimeGenerated, 10m)\n| where count_ > threshold\n| extend AccountCustomEntity = DstUsername, IPCustomEntity = SrcIpAddr\n",
+ "queryFrequency": "PT1H",
+ "queryPeriod": "PT1H",
+ "severity": "Medium",
+ "suppressionDuration": "PT1H",
+ "suppressionEnabled": false,
+ "triggerOperator": "GreaterThan",
+ "triggerThreshold": 0,
+ "status": "Available",
+ "requiredDataConnectors": [
{
- "name": "description",
- "value": "Query shows incomplete application protocol"
+ "dataTypes": [
+ "PaloAltoCDLEvent"
+ ],
+ "connectorId": "PaloAltoCDL"
},
{
- "name": "tactics",
- "value": "InitialAccess"
+ "dataTypes": [
+ "PaloAltoCDLEvent"
+ ],
+ "connectorId": "PaloAltoCDLAma"
+ }
+ ],
+ "tactics": [
+ "InitialAccess"
+ ],
+ "techniques": [
+ "T1190",
+ "T1133"
+ ],
+ "entityMappings": [
+ {
+ "entityType": "Account",
+ "fieldMappings": [
+ {
+ "columnName": "AccountCustomEntity",
+ "identifier": "Name"
+ }
+ ]
},
{
- "name": "techniques",
- "value": "T1190,T1133"
+ "entityType": "IP",
+ "fieldMappings": [
+ {
+ "columnName": "IPCustomEntity",
+ "identifier": "Address"
+ }
+ ]
}
]
}
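Review bot: The `"query"` in this hunk summarizes by SrcIpAddr without first requiring it to be non-empty, so every denied session with a missing source address is aggregated under one empty key, can exceed the threshold of 100 by itself, and then yields an IP entity whose Address is empty. The parser earlier in this diff appears to fill SrcIpAddr only from the `Source IPv6 Address` extension while the IPv4 SourceIP column is folded into SrcNatIpAddr and projected away, so an empty SrcIpAddr looks like the common case rather than a corner case; worth confirming against the parser. I would add `| where isnotempty(SrcIpAddr)` before the summarize, or group on whichever column reliably carries the IPv4 address. The description `Detects dropping or denying session with traffic.` would read better as `Detects sessions that were denied or dropped even though bytes and packets were transferred.`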
@@ -732,13 +1292,13 @@
{
"type": "Microsoft.OperationalInsights/workspaces/providers/metadata",
"apiVersion": "2022-01-01-preview",
- "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('HuntingQuery-', last(split(variables('huntingQueryId4'),'/'))))]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleId2'),'/'))))]",
"properties": {
- "description": "PaloAltoCDL Hunting Query 4",
- "parentId": "[variables('huntingQueryId4')]",
- "contentId": "[variables('_huntingQuerycontentId4')]",
- "kind": "HuntingQuery",
- "version": "[variables('huntingQueryVersion4')]",
+ "description": "PaloAltoCDL Analytics Rule 2",
+ "parentId": "[variables('analyticRuleId2')]",
+ "contentId": "[variables('_analyticRulecontentId2')]",
+ "kind": "AnalyticsRule",
+ "version": "[variables('analyticRuleVersion2')]",
"source": {
"kind": "Solution",
"name": "PaloAltoCDL",
@@ -757,66 +1317,94 @@
}
}
]
- }
- }
- },
- {
- "type": "Microsoft.Resources/templateSpecs",
- "apiversion": "2022-02-01",
- "name": "[variables('huntingQueryTemplateSpecName5')]",
- "location": "[parameters('workspace-location')]",
- "tags": {
- "hidden-sentinelWorkspaceId": "[variables('workspaceResourceId')]",
- "hidden-sentinelContentType": "HuntingQuery"
- },
- "properties": {
- "description": "PaloAltoCDL Hunting Query 5 with template",
- "displayName": "PaloAltoCDL Hunting Query template"
+ },
+ "packageKind": "Solution",
+ "packageVersion": "[variables('_solutionVersion')]",
+ "packageName": "[variables('_solutionName')]",
+ "packageId": "[variables('_solutionId')]",
+ "contentSchemaVersion": "3.0.0",
+ "contentId": "[variables('_analyticRulecontentId2')]",
+ "contentKind": "AnalyticsRule",
+ "displayName": "PaloAlto - Dropping or denying session with traffic",
+ "contentProductId": "[variables('_analyticRulecontentProductId2')]",
+ "id": "[variables('_analyticRulecontentProductId2')]",
+ "version": "[variables('analyticRuleVersion2')]"
}
},
{
- "type": "Microsoft.Resources/templateSpecs/versions",
- "apiversion": "2022-02-01",
- "name": "[concat(variables('huntingQueryTemplateSpecName5'),'/',variables('huntingQueryVersion5'))]",
+ "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates",
+ "apiVersion": "2023-04-01-preview",
+ "name": "[variables('analyticRuleTemplateSpecName3')]",
"location": "[parameters('workspace-location')]",
- "tags": {
- "hidden-sentinelWorkspaceId": "[variables('workspaceResourceId')]",
- "hidden-sentinelContentType": "HuntingQuery"
- },
"dependsOn": [
- "[resourceId('Microsoft.Resources/templateSpecs', variables('huntingQueryTemplateSpecName5'))]"
+ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
- "description": "PaloAltoCDLMultiDenyResultbyUser_HuntingQueries Hunting Query with template version 2.0.4",
+ "description": "PaloAltoCDLFileTypeWasChanged_AnalyticalRules Analytics Rule with template version 3.0.0",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
- "contentVersion": "[variables('huntingQueryVersion5')]",
+ "contentVersion": "[variables('analyticRuleVersion3')]",
"parameters": {},
"variables": {},
"resources": [
{
- "type": "Microsoft.OperationalInsights/savedSearches",
- "apiVersion": "2020-08-01",
- "name": "PaloAltoCDL_Hunting_Query_5",
+ "type": "Microsoft.SecurityInsights/AlertRuleTemplates",
+ "name": "[variables('analyticRulecontentId3')]",
+ "apiVersion": "2022-04-01-preview",
+ "kind": "Scheduled",
"location": "[parameters('workspace-location')]",
"properties": {
- "eTag": "*",
- "displayName": "PaloAlto - Multiple Deny result by user",
- "category": "Hunting Queries",
- "query": "let threshold = 20;\nPaloAltoCDLEvent\n| where TimeGenerated > ago(24h)\n| where DvcAction has 'deny'\n| summarize DenyCount = count() by DvcAction, DstUsername\n| where DenyCount > threshold\n| extend AccountCustomEntity = DstUsername\n",
- "version": 2,
- "tags": [
+ "description": "Detects when file type changed.",
+ "displayName": "PaloAlto - File type changed",
+ "enabled": false,
+ "query": "PaloAltoCDLEvent\n| where EventResourceId =~ 'THREAT'\n| where EventResult =~ 'file'\n| where FileType != OldFileType\n| extend FileCustomEntity = SrcFileName, AccountCustomEntity = DstUsername\n",
+ "queryFrequency": "PT1H",
+ "queryPeriod": "PT1H",
+ "severity": "Medium",
+ "suppressionDuration": "PT1H",
+ "suppressionEnabled": false,
+ "triggerOperator": "GreaterThan",
+ "triggerThreshold": 0,
+ "status": "Available",
+ "requiredDataConnectors": [
{
- "name": "description",
- "value": "Query shows multiple Deny results by user"
+ "dataTypes": [
+ "PaloAltoCDLEvent"
+ ],
+ "connectorId": "PaloAltoCDL"
},
{
- "name": "tactics",
- "value": "InitialAccess"
+ "dataTypes": [
+ "PaloAltoCDLEvent"
+ ],
+ "connectorId": "PaloAltoCDLAma"
+ }
+ ],
+ "tactics": [
+ "InitialAccess"
+ ],
+ "techniques": [
+ "T1190",
+ "T1133"
+ ],
+ "entityMappings": [
+ {
+ "entityType": "Account",
+ "fieldMappings": [
+ {
+ "columnName": "AccountCustomEntity",
+ "identifier": "Name"
+ }
+ ]
},
{
- "name": "techniques",
- "value": "T1190,T1133"
+ "entityType": "File",
+ "fieldMappings": [
+ {
+ "columnName": "FileCustomEntity",
+ "identifier": "Name"
+ }
+ ]
}
]
}
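Review bot: `| where FileType != OldFileType` in this hunk's `"query"` is a case-sensitive comparison and also matches whenever OldFileType is empty, since an empty string differs from any populated FileType, so the rule will alert on events that carry no prior type at all. I would tighten it to `| where isnotempty(OldFileType) and FileType !~ OldFileType`. Both columns come out of the parser's bag_unpack of AdditionalExtensions earlier in this diff, so if no event in the lookback window carries those keys the columns may be absent and the rule may fail to resolve them rather than return zero rows; worth confirming against the parser or guarding with column_ifexists. The description `Detects when file type changed.` would be clearer as `Detects threat events whose reported file type differs from the original file type.`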
@@ -824,13 +1412,13 @@
{
"type": "Microsoft.OperationalInsights/workspaces/providers/metadata",
"apiVersion": "2022-01-01-preview",
- "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('HuntingQuery-', last(split(variables('huntingQueryId5'),'/'))))]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleId3'),'/'))))]",
"properties": {
- "description": "PaloAltoCDL Hunting Query 5",
- "parentId": "[variables('huntingQueryId5')]",
- "contentId": "[variables('_huntingQuerycontentId5')]",
- "kind": "HuntingQuery",
- "version": "[variables('huntingQueryVersion5')]",
+ "description": "PaloAltoCDL Analytics Rule 3",
+ "parentId": "[variables('analyticRuleId3')]",
+ "contentId": "[variables('_analyticRulecontentId3')]",
+ "kind": "AnalyticsRule",
+ "version": "[variables('analyticRuleVersion3')]",
"source": {
"kind": "Solution",
"name": "PaloAltoCDL",
@@ -849,66 +1437,85 @@
}
}
]
- }
- }
- },
- {
- "type": "Microsoft.Resources/templateSpecs",
- "apiversion": "2022-02-01",
- "name": "[variables('huntingQueryTemplateSpecName6')]",
- "location": "[parameters('workspace-location')]",
- "tags": {
- "hidden-sentinelWorkspaceId": "[variables('workspaceResourceId')]",
- "hidden-sentinelContentType": "HuntingQuery"
- },
- "properties": {
- "description": "PaloAltoCDL Hunting Query 6 with template",
- "displayName": "PaloAltoCDL Hunting Query template"
+ },
+ "packageKind": "Solution",
+ "packageVersion": "[variables('_solutionVersion')]",
+ "packageName": "[variables('_solutionName')]",
+ "packageId": "[variables('_solutionId')]",
+ "contentSchemaVersion": "3.0.0",
+ "contentId": "[variables('_analyticRulecontentId3')]",
+ "contentKind": "AnalyticsRule",
+ "displayName": "PaloAlto - File type changed",
+ "contentProductId": "[variables('_analyticRulecontentProductId3')]",
+ "id": "[variables('_analyticRulecontentProductId3')]",
+ "version": "[variables('analyticRuleVersion3')]"
}
},
{
- "type": "Microsoft.Resources/templateSpecs/versions",
- "apiversion": "2022-02-01",
- "name": "[concat(variables('huntingQueryTemplateSpecName6'),'/',variables('huntingQueryVersion6'))]",
+ "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates",
+ "apiVersion": "2023-04-01-preview",
+ "name": "[variables('analyticRuleTemplateSpecName4')]",
"location": "[parameters('workspace-location')]",
- "tags": {
- "hidden-sentinelWorkspaceId": "[variables('workspaceResourceId')]",
- "hidden-sentinelContentType": "HuntingQuery"
- },
"dependsOn": [
- "[resourceId('Microsoft.Resources/templateSpecs', variables('huntingQueryTemplateSpecName6'))]"
+ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
- "description": "PaloAltoCDLOutdatedAgentVersions_HuntingQueries Hunting Query with template version 2.0.4",
+ "description": "PaloAltoCDLInboundRiskPorts_AnalyticalRules Analytics Rule with template version 3.0.0",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
- "contentVersion": "[variables('huntingQueryVersion6')]",
+ "contentVersion": "[variables('analyticRuleVersion4')]",
"parameters": {},
"variables": {},
"resources": [
{
- "type": "Microsoft.OperationalInsights/savedSearches",
- "apiVersion": "2020-08-01",
- "name": "PaloAltoCDL_Hunting_Query_6",
+ "type": "Microsoft.SecurityInsights/AlertRuleTemplates",
+ "name": "[variables('analyticRulecontentId4')]",
+ "apiVersion": "2022-04-01-preview",
+ "kind": "Scheduled",
"location": "[parameters('workspace-location')]",
"properties": {
- "eTag": "*",
- "displayName": "PaloAlto - Agent versions",
- "category": "Hunting Queries",
- "query": "let cur_ver = dynamic(['0.1']); //put latest agent version here\nPaloAltoCDLEvent\n| where TimeGenerated > ago(24h)\n| where isnotempty(PanOSAgentVersion)\n| where PanOSAgentVersion != cur_ver\n| project SrcIpAddr, PanOSAgentVersion\n| extend IPCustomEntity = SrcIpAddr\n",
- "version": 2,
- "tags": [
+ "description": "Detects inbound connection to high risk ports.",
+ "displayName": "PaloAlto - Inbound connection to high risk ports",
+ "enabled": false,
+ "query": "let HighRiskPorts = dynamic(['21', '22', '23', '25', '53', '443', '110', '135', '137', '138', '139', '1433', '1434']);\nPaloAltoCDLEvent\n| where EventResourceId =~ 'TRAFFIC'\n| where ipv4_is_private(SrcIpAddr) == false\n| where DstPortNumber in (HighRiskPorts)\n| extend IPCustomEntity = SrcIpAddr\n",
+ "queryFrequency": "PT1H",
+ "queryPeriod": "PT1H",
+ "severity": "Medium",
+ "suppressionDuration": "PT1H",
+ "suppressionEnabled": false,
+ "triggerOperator": "GreaterThan",
+ "triggerThreshold": 0,
+ "status": "Available",
+ "requiredDataConnectors": [
{
- "name": "description",
- "value": "Query shows agents which are not updated to the latest version"
+ "dataTypes": [
+ "PaloAltoCDLEvent"
+ ],
+ "connectorId": "PaloAltoCDL"
},
{
- "name": "tactics",
- "value": "InitialAccess"
- },
+ "dataTypes": [
+ "PaloAltoCDLEvent"
+ ],
+ "connectorId": "PaloAltoCDLAma"
+ }
+ ],
+ "tactics": [
+ "InitialAccess"
+ ],
+ "techniques": [
+ "T1190",
+ "T1133"
+ ],
+ "entityMappings": [
{
- "name": "techniques",
- "value": "T1190,T1133"
+ "entityType": "IP",
+ "fieldMappings": [
+ {
+ "columnName": "IPCustomEntity",
+ "identifier": "Address"
+ }
+ ]
}
]
}
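Review bot: In the "Inbound connection to high risk ports" query on the new side, HighRiskPorts is declared as a list of string literals (`'21'`, `'22'`, …) while DstPortNumber is renamed from a port column that is normally numeric; if the parser emits it as an integer, `DstPortNumber in (HighRiskPorts)` never matches and the rule is silently dead — confirm the column type and either use `dynamic([21, 22, 23, 25, 53, 443, 110, 135, 137, 138, 139, 1433, 1434])` or compare with `tostring(DstPortNumber) in (HighRiskPorts)`. Separately, `ipv4_is_private(SrcIpAddr) == false` drops rows where SrcIpAddr is empty or IPv6 (the function returns null there), which is probably intended but worth a comment in the query. With 443 and 53 in the list and `triggerThreshold` 0, every public inbound HTTPS/DNS session to an intentionally exposed service raises an alert; consider filtering on DvcAction (e.g. only allowed sessions) or aggregating by SrcIpAddr before alerting, and say in `description` why these ports are considered high risk. The AlertRuleTemplates resource object continues past the end of this hunk.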
@@ -916,13 +1523,13 @@
{
"type": "Microsoft.OperationalInsights/workspaces/providers/metadata",
"apiVersion": "2022-01-01-preview",
- "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('HuntingQuery-', last(split(variables('huntingQueryId6'),'/'))))]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleId4'),'/'))))]",
"properties": {
- "description": "PaloAltoCDL Hunting Query 6",
- "parentId": "[variables('huntingQueryId6')]",
- "contentId": "[variables('_huntingQuerycontentId6')]",
- "kind": "HuntingQuery",
- "version": "[variables('huntingQueryVersion6')]",
+ "description": "PaloAltoCDL Analytics Rule 4",
+ "parentId": "[variables('analyticRuleId4')]",
+ "contentId": "[variables('_analyticRulecontentId4')]",
+ "kind": "AnalyticsRule",
+ "version": "[variables('analyticRuleVersion4')]",
"source": {
"kind": "Solution",
"name": "PaloAltoCDL",
@@ -941,66 +1548,103 @@
}
}
]
- }
- }
- },
- {
- "type": "Microsoft.Resources/templateSpecs",
- "apiversion": "2022-02-01",
- "name": "[variables('huntingQueryTemplateSpecName7')]",
- "location": "[parameters('workspace-location')]",
- "tags": {
- "hidden-sentinelWorkspaceId": "[variables('workspaceResourceId')]",
- "hidden-sentinelContentType": "HuntingQuery"
- },
- "properties": {
- "description": "PaloAltoCDL Hunting Query 7 with template",
- "displayName": "PaloAltoCDL Hunting Query template"
+ },
+ "packageKind": "Solution",
+ "packageVersion": "[variables('_solutionVersion')]",
+ "packageName": "[variables('_solutionName')]",
+ "packageId": "[variables('_solutionId')]",
+ "contentSchemaVersion": "3.0.0",
+ "contentId": "[variables('_analyticRulecontentId4')]",
+ "contentKind": "AnalyticsRule",
+ "displayName": "PaloAlto - Inbound connection to high risk ports",
+ "contentProductId": "[variables('_analyticRulecontentProductId4')]",
+ "id": "[variables('_analyticRulecontentProductId4')]",
+ "version": "[variables('analyticRuleVersion4')]"
}
},
{
- "type": "Microsoft.Resources/templateSpecs/versions",
- "apiversion": "2022-02-01",
- "name": "[concat(variables('huntingQueryTemplateSpecName7'),'/',variables('huntingQueryVersion7'))]",
+ "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates",
+ "apiVersion": "2023-04-01-preview",
+ "name": "[variables('analyticRuleTemplateSpecName5')]",
"location": "[parameters('workspace-location')]",
- "tags": {
- "hidden-sentinelWorkspaceId": "[variables('workspaceResourceId')]",
- "hidden-sentinelContentType": "HuntingQuery"
- },
"dependsOn": [
- "[resourceId('Microsoft.Resources/templateSpecs', variables('huntingQueryTemplateSpecName7'))]"
+ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
- "description": "PaloAltoCDLOutdatedConfigVersions_HuntingQueries Hunting Query with template version 2.0.4",
+ "description": "PaloAltoCDLPossibleAttackWithoutResponse_AnalyticalRules Analytics Rule with template version 3.0.0",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
- "contentVersion": "[variables('huntingQueryVersion7')]",
+ "contentVersion": "[variables('analyticRuleVersion5')]",
"parameters": {},
"variables": {},
"resources": [
{
- "type": "Microsoft.OperationalInsights/savedSearches",
- "apiVersion": "2020-08-01",
- "name": "PaloAltoCDL_Hunting_Query_7",
+ "type": "Microsoft.SecurityInsights/AlertRuleTemplates",
+ "name": "[variables('analyticRulecontentId5')]",
+ "apiVersion": "2022-04-01-preview",
+ "kind": "Scheduled",
"location": "[parameters('workspace-location')]",
"properties": {
- "eTag": "*",
- "displayName": "PaloAlto - Outdated config vesions",
- "category": "Hunting Queries",
- "query": "let cur_ver = dynamic(['0.1']); //put latest config version here\nPaloAltoCDLEvent\n| where TimeGenerated > ago(24h)\n| where isnotempty(PanOSConfigVersion)\n| where PanOSConfigVersion != cur_ver\n| project SrcIpAddr, PanOSConfigVersion\n| extend IPCustomEntity = SrcIpAddr\n",
- "version": 2,
- "tags": [
+ "description": "Detects possible attack without response.",
+ "displayName": "PaloAlto - Possible attack without response",
+ "enabled": false,
+ "query": "PaloAltoCDLEvent\n| where EventResourceId =~ 'THREAT'\n| where DvcAction !has \"block\" or DvcAction !has \"override\" or DvcAction !has \"deny\"\n| extend AccountCustomEntity = DstUsername, IPCustomEntity = SrcIpAddr, UrlCustomEntity = Url\n",
+ "queryFrequency": "PT1H",
+ "queryPeriod": "PT1H",
+ "severity": "High",
+ "suppressionDuration": "PT1H",
+ "suppressionEnabled": false,
+ "triggerOperator": "GreaterThan",
+ "triggerThreshold": 0,
+ "status": "Available",
+ "requiredDataConnectors": [
{
- "name": "description",
- "value": "Query shows outdated config vesions"
+ "dataTypes": [
+ "PaloAltoCDLEvent"
+ ],
+ "connectorId": "PaloAltoCDL"
},
{
- "name": "tactics",
- "value": "InitialAccess"
+ "dataTypes": [
+ "PaloAltoCDLEvent"
+ ],
+ "connectorId": "PaloAltoCDLAma"
+ }
+ ],
+ "tactics": [
+ "InitialAccess"
+ ],
+ "techniques": [
+ "T1190",
+ "T1133"
+ ],
+ "entityMappings": [
+ {
+ "entityType": "Account",
+ "fieldMappings": [
+ {
+ "columnName": "AccountCustomEntity",
+ "identifier": "Name"
+ }
+ ]
},
{
- "name": "techniques",
- "value": "T1190,T1133"
+ "entityType": "IP",
+ "fieldMappings": [
+ {
+ "columnName": "IPCustomEntity",
+ "identifier": "Address"
+ }
+ ]
+ },
+ {
+ "entityType": "URL",
+ "fieldMappings": [
+ {
+ "columnName": "UrlCustomEntity",
+ "identifier": "Url"
+ }
+ ]
}
]
}
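Review bot: The predicate in the "Possible attack without response" query is logically wrong: `DvcAction !has "block" or DvcAction !has "override" or DvcAction !has "deny"` is true for every row, because no single action value contains all three words (a "deny" action still satisfies `!has "block"`), so the filter passes all THREAT events and — at severity High with `triggerThreshold` 0 — would alert on each of them. The intent is a conjunction: `| where DvcAction !has "block" and DvcAction !has "override" and DvcAction !has "deny"`, or more compactly `| where not(DvcAction has_any ("block", "override", "deny"))`. The AlertRuleTemplates resource object continues past the end of this hunk.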
@@ -1008,13 +1652,13 @@
{
"type": "Microsoft.OperationalInsights/workspaces/providers/metadata",
"apiVersion": "2022-01-01-preview",
- "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('HuntingQuery-', last(split(variables('huntingQueryId7'),'/'))))]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleId5'),'/'))))]",
"properties": {
- "description": "PaloAltoCDL Hunting Query 7",
- "parentId": "[variables('huntingQueryId7')]",
- "contentId": "[variables('_huntingQuerycontentId7')]",
- "kind": "HuntingQuery",
- "version": "[variables('huntingQueryVersion7')]",
+ "description": "PaloAltoCDL Analytics Rule 5",
+ "parentId": "[variables('analyticRuleId5')]",
+ "contentId": "[variables('_analyticRulecontentId5')]",
+ "kind": "AnalyticsRule",
+ "version": "[variables('analyticRuleVersion5')]",
"source": {
"kind": "Solution",
"name": "PaloAltoCDL",
@@ -1033,66 +1677,94 @@
}
}
]
- }
- }
- },
- {
- "type": "Microsoft.Resources/templateSpecs",
- "apiversion": "2022-02-01",
- "name": "[variables('huntingQueryTemplateSpecName8')]",
- "location": "[parameters('workspace-location')]",
- "tags": {
- "hidden-sentinelWorkspaceId": "[variables('workspaceResourceId')]",
- "hidden-sentinelContentType": "HuntingQuery"
- },
- "properties": {
- "description": "PaloAltoCDL Hunting Query 8 with template",
- "displayName": "PaloAltoCDL Hunting Query template"
+ },
+ "packageKind": "Solution",
+ "packageVersion": "[variables('_solutionVersion')]",
+ "packageName": "[variables('_solutionName')]",
+ "packageId": "[variables('_solutionId')]",
+ "contentSchemaVersion": "3.0.0",
+ "contentId": "[variables('_analyticRulecontentId5')]",
+ "contentKind": "AnalyticsRule",
+ "displayName": "PaloAlto - Possible attack without response",
+ "contentProductId": "[variables('_analyticRulecontentProductId5')]",
+ "id": "[variables('_analyticRulecontentProductId5')]",
+ "version": "[variables('analyticRuleVersion5')]"
}
},
{
- "type": "Microsoft.Resources/templateSpecs/versions",
- "apiversion": "2022-02-01",
- "name": "[concat(variables('huntingQueryTemplateSpecName8'),'/',variables('huntingQueryVersion8'))]",
+ "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates",
+ "apiVersion": "2023-04-01-preview",
+ "name": "[variables('analyticRuleTemplateSpecName6')]",
"location": "[parameters('workspace-location')]",
- "tags": {
- "hidden-sentinelWorkspaceId": "[variables('workspaceResourceId')]",
- "hidden-sentinelContentType": "HuntingQuery"
- },
"dependsOn": [
- "[resourceId('Microsoft.Resources/templateSpecs', variables('huntingQueryTemplateSpecName8'))]"
+ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
- "description": "PaloAltoCDLRareApplicationLayerProtocol_HuntingQueries Hunting Query with template version 2.0.4",
+ "description": "PaloAltoCDLPossibleFlooding_AnalyticalRules Analytics Rule with template version 3.0.0",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
- "contentVersion": "[variables('huntingQueryVersion8')]",
+ "contentVersion": "[variables('analyticRuleVersion6')]",
"parameters": {},
"variables": {},
"resources": [
{
- "type": "Microsoft.OperationalInsights/savedSearches",
- "apiVersion": "2020-08-01",
- "name": "PaloAltoCDL_Hunting_Query_8",
+ "type": "Microsoft.SecurityInsights/AlertRuleTemplates",
+ "name": "[variables('analyticRulecontentId6')]",
+ "apiVersion": "2022-04-01-preview",
+ "kind": "Scheduled",
"location": "[parameters('workspace-location')]",
"properties": {
- "eTag": "*",
- "displayName": "PaloAlto - Rare application layer protocols",
- "category": "Hunting Queries",
- "query": "PaloAltoCDLEvent\n| where TimeGenerated > ago(24h)\n| where isnotempty(NetworkApplicationProtocol) \n| summarize ApplicationLayerProtocol = count() by NetworkApplicationProtocol\n| top 10 by ApplicationLayerProtocol asc\n| extend UrlCustomEntity = NetworkApplicationProtocol\n",
- "version": 2,
- "tags": [
+ "description": "Detects possible flooding.",
+ "displayName": "PaloAlto - Possible flooding",
+ "enabled": false,
+ "query": "PaloAltoCDLEvent\n| where EventResourceId =~ 'TRAFFIC'\n| where isnotempty(NetworkSessionId)\n| where DstBytes == 0 and tolong(NetworkPackets) > 0\n| extend AccountCustomEntity = DstUsername, IPCustomEntity = SrcIpAddr\n",
+ "queryFrequency": "PT1H",
+ "queryPeriod": "PT1H",
+ "severity": "Medium",
+ "suppressionDuration": "PT1H",
+ "suppressionEnabled": false,
+ "triggerOperator": "GreaterThan",
+ "triggerThreshold": 0,
+ "status": "Available",
+ "requiredDataConnectors": [
{
- "name": "description",
- "value": "Query shows Rare application layer protocols"
+ "dataTypes": [
+ "PaloAltoCDLEvent"
+ ],
+ "connectorId": "PaloAltoCDL"
},
{
- "name": "tactics",
- "value": "InitialAccess"
+ "dataTypes": [
+ "PaloAltoCDLEvent"
+ ],
+ "connectorId": "PaloAltoCDLAma"
+ }
+ ],
+ "tactics": [
+ "InitialAccess"
+ ],
+ "techniques": [
+ "T1190",
+ "T1133"
+ ],
+ "entityMappings": [
+ {
+ "entityType": "Account",
+ "fieldMappings": [
+ {
+ "columnName": "AccountCustomEntity",
+ "identifier": "Name"
+ }
+ ]
},
{
- "name": "techniques",
- "value": "T1190,T1133"
+ "entityType": "IP",
+ "fieldMappings": [
+ {
+ "columnName": "IPCustomEntity",
+ "identifier": "Address"
+ }
+ ]
}
]
}
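Review bot: The "Possible flooding" query alerts per session with no aggregation: `DstBytes == 0 and tolong(NetworkPackets) > 0` matches any single one-way session (an unanswered connection attempt, a UDP probe, a dropped flow), which is not evidence of flooding on its own and with `triggerThreshold` 0 will be very noisy. Consider counting per source in a window before alerting, e.g. `| summarize SessionCount = count(), Targets = dcount(DstIpAddr) by SrcIpAddr, bin(TimeGenerated, 5m)` followed by `| where SessionCount > threshold`, with `let threshold = …;` at the top as the other rules do. Also note the inconsistency that NetworkPackets is wrapped in `tolong()` while DstBytes is compared to `0` unconverted; if the parser emits DstBytes as a string the comparison fails, so confirm the column type or apply `tolong(DstBytes) == 0` as well. The AlertRuleTemplates resource object continues past the end of this hunk.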
@@ -1100,13 +1772,13 @@
{
"type": "Microsoft.OperationalInsights/workspaces/providers/metadata",
"apiVersion": "2022-01-01-preview",
- "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('HuntingQuery-', last(split(variables('huntingQueryId8'),'/'))))]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleId6'),'/'))))]",
"properties": {
- "description": "PaloAltoCDL Hunting Query 8",
- "parentId": "[variables('huntingQueryId8')]",
- "contentId": "[variables('_huntingQuerycontentId8')]",
- "kind": "HuntingQuery",
- "version": "[variables('huntingQueryVersion8')]",
+ "description": "PaloAltoCDL Analytics Rule 6",
+ "parentId": "[variables('analyticRuleId6')]",
+ "contentId": "[variables('_analyticRulecontentId6')]",
+ "kind": "AnalyticsRule",
+ "version": "[variables('analyticRuleVersion6')]",
"source": {
"kind": "Solution",
"name": "PaloAltoCDL",
@@ -1125,158 +1797,84 @@
}
}
]
- }
- }
- },
- {
- "type": "Microsoft.Resources/templateSpecs",
- "apiversion": "2022-02-01",
- "name": "[variables('huntingQueryTemplateSpecName9')]",
- "location": "[parameters('workspace-location')]",
- "tags": {
- "hidden-sentinelWorkspaceId": "[variables('workspaceResourceId')]",
- "hidden-sentinelContentType": "HuntingQuery"
- },
- "properties": {
- "description": "PaloAltoCDL Hunting Query 9 with template",
- "displayName": "PaloAltoCDL Hunting Query template"
+ },
+ "packageKind": "Solution",
+ "packageVersion": "[variables('_solutionVersion')]",
+ "packageName": "[variables('_solutionName')]",
+ "packageId": "[variables('_solutionId')]",
+ "contentSchemaVersion": "3.0.0",
+ "contentId": "[variables('_analyticRulecontentId6')]",
+ "contentKind": "AnalyticsRule",
+ "displayName": "PaloAlto - Possible flooding",
+ "contentProductId": "[variables('_analyticRulecontentProductId6')]",
+ "id": "[variables('_analyticRulecontentProductId6')]",
+ "version": "[variables('analyticRuleVersion6')]"
}
},
{
- "type": "Microsoft.Resources/templateSpecs/versions",
- "apiversion": "2022-02-01",
- "name": "[concat(variables('huntingQueryTemplateSpecName9'),'/',variables('huntingQueryVersion9'))]",
+ "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates",
+ "apiVersion": "2023-04-01-preview",
+ "name": "[variables('analyticRuleTemplateSpecName7')]",
"location": "[parameters('workspace-location')]",
- "tags": {
- "hidden-sentinelWorkspaceId": "[variables('workspaceResourceId')]",
- "hidden-sentinelContentType": "HuntingQuery"
- },
"dependsOn": [
- "[resourceId('Microsoft.Resources/templateSpecs', variables('huntingQueryTemplateSpecName9'))]"
+ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
- "description": "PaloAltoCDLRareFileRequests_HuntingQueries Hunting Query with template version 2.0.4",
+ "description": "PaloAltoCDLPossiblePortScan_AnalyticalRules Analytics Rule with template version 3.0.0",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
- "contentVersion": "[variables('huntingQueryVersion9')]",
+ "contentVersion": "[variables('analyticRuleVersion7')]",
"parameters": {},
"variables": {},
"resources": [
{
- "type": "Microsoft.OperationalInsights/savedSearches",
- "apiVersion": "2020-08-01",
- "name": "PaloAltoCDL_Hunting_Query_9",
+ "type": "Microsoft.SecurityInsights/AlertRuleTemplates",
+ "name": "[variables('analyticRulecontentId7')]",
+ "apiVersion": "2022-04-01-preview",
+ "kind": "Scheduled",
"location": "[parameters('workspace-location')]",
"properties": {
- "eTag": "*",
- "displayName": "PaloAlto - Rare files observed",
- "category": "Hunting Queries",
- "query": "PaloAltoCDLEvent\n| where TimeGenerated > ago(24h)\n| where isnotempty(SrcFileName)\n| summarize RareFiles = count() by SrcFileName\n| top 20 by RareFiles asc\n| extend FileCustomEntity = SrcFileName\n",
- "version": 2,
- "tags": [
- {
- "name": "description",
- "value": "Query shows rare files observed"
- },
- {
- "name": "tactics",
- "value": "InitialAccess"
- },
- {
- "name": "techniques",
- "value": "T1190,T1133"
- }
- ]
- }
- },
- {
- "type": "Microsoft.OperationalInsights/workspaces/providers/metadata",
- "apiVersion": "2022-01-01-preview",
- "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('HuntingQuery-', last(split(variables('huntingQueryId9'),'/'))))]",
- "properties": {
- "description": "PaloAltoCDL Hunting Query 9",
- "parentId": "[variables('huntingQueryId9')]",
- "contentId": "[variables('_huntingQuerycontentId9')]",
- "kind": "HuntingQuery",
- "version": "[variables('huntingQueryVersion9')]",
- "source": {
- "kind": "Solution",
- "name": "PaloAltoCDL",
- "sourceId": "[variables('_solutionId')]"
- },
- "author": {
- "name": "Microsoft",
- "email": "[variables('_email')]"
- },
- "support": {
- "name": "Microsoft Corporation",
- "email": "support@microsoft.com",
- "tier": "Microsoft",
- "link": "https://support.microsoft.com"
- }
- }
- }
- ]
- }
- }
- },
- {
- "type": "Microsoft.Resources/templateSpecs",
- "apiversion": "2022-02-01",
- "name": "[variables('huntingQueryTemplateSpecName10')]",
- "location": "[parameters('workspace-location')]",
- "tags": {
- "hidden-sentinelWorkspaceId": "[variables('workspaceResourceId')]",
- "hidden-sentinelContentType": "HuntingQuery"
- },
- "properties": {
- "description": "PaloAltoCDL Hunting Query 10 with template",
- "displayName": "PaloAltoCDL Hunting Query template"
- }
- },
- {
- "type": "Microsoft.Resources/templateSpecs/versions",
- "apiversion": "2022-02-01",
- "name": "[concat(variables('huntingQueryTemplateSpecName10'),'/',variables('huntingQueryVersion10'))]",
- "location": "[parameters('workspace-location')]",
- "tags": {
- "hidden-sentinelWorkspaceId": "[variables('workspaceResourceId')]",
- "hidden-sentinelContentType": "HuntingQuery"
- },
- "dependsOn": [
- "[resourceId('Microsoft.Resources/templateSpecs', variables('huntingQueryTemplateSpecName10'))]"
- ],
- "properties": {
- "description": "PaloAltoCDLRarePortsbyUser_HuntingQueries Hunting Query with template version 2.0.4",
- "mainTemplate": {
- "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
- "contentVersion": "[variables('huntingQueryVersion10')]",
- "parameters": {},
- "variables": {},
- "resources": [
- {
- "type": "Microsoft.OperationalInsights/savedSearches",
- "apiVersion": "2020-08-01",
- "name": "PaloAltoCDL_Hunting_Query_10",
- "location": "[parameters('workspace-location')]",
- "properties": {
- "eTag": "*",
- "displayName": "PaloAlto - Rare ports by user",
- "category": "Hunting Queries",
- "query": "PaloAltoCDLEvent\n| where TimeGenerated > ago(24h)\n| where isnotempty(DstPortNumber) \n| summarize RarePorts = count() by DstPortNumber, DstIpAddr, DstUsername\n| top 20 by RarePorts asc \n| extend IPCustomEntity = DstIpAddr, AccountCustomEntity = DstUsername\n",
- "version": 2,
- "tags": [
+ "description": "Detects possible port scan.",
+ "displayName": "PaloAlto - Possible port scan",
+ "enabled": false,
+ "query": "let threshold = 10;\nPaloAltoCDLEvent\n| where EventResourceId =~ 'TRAFFIC'\n| where isnotempty(DstPortNumber) and isnotempty(SrcIpAddr)\n| summarize PortSet = make_set(DstPortNumber) by SrcIpAddr, bin(TimeGenerated, 5m)\n| where array_length(PortSet) > threshold\n| extend IPCustomEntity = SrcIpAddr\n",
+ "queryFrequency": "PT1H",
+ "queryPeriod": "PT1H",
+ "severity": "High",
+ "suppressionDuration": "PT1H",
+ "suppressionEnabled": false,
+ "triggerOperator": "GreaterThan",
+ "triggerThreshold": 0,
+ "status": "Available",
+ "requiredDataConnectors": [
{
- "name": "description",
- "value": "Query shows rare ports by user."
+ "dataTypes": [
+ "PaloAltoCDLEvent"
+ ],
+ "connectorId": "PaloAltoCDL"
},
{
- "name": "tactics",
- "value": "InitialAccess"
- },
+ "dataTypes": [
+ "PaloAltoCDLEvent"
+ ],
+ "connectorId": "PaloAltoCDLAma"
+ }
+ ],
+ "tactics": [
+ "Reconnaissance"
+ ],
+ "techniques": [
+ "T1595"
+ ],
+ "entityMappings": [
{
- "name": "techniques",
- "value": "T1190,T1133"
+ "entityType": "IP",
+ "fieldMappings": [
+ {
+ "columnName": "IPCustomEntity",
+ "identifier": "Address"
+ }
+ ]
}
]
}
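Review bot: The "Possible port scan" query applies to every source, including private addresses, so authorised internal vulnerability scanners and monitoring hosts will trip it every hour at severity High; either restrict the source consistently with the inbound-ports rule (`| where ipv4_is_private(SrcIpAddr) == false`) or document in `description` that an allow-list of known scanners is expected. The technique mapping should follow the same decision: T1595 (Active Scanning, Reconnaissance) describes external pre-compromise scanning, while scanning from inside the network is T1046 (Network Service Discovery, Discovery), so with the current unrestricted query the mapping is incomplete. The AlertRuleTemplates resource object continues past the end of this hunk.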
@@ -1284,13 +1882,13 @@
{
"type": "Microsoft.OperationalInsights/workspaces/providers/metadata",
"apiVersion": "2022-01-01-preview",
- "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('HuntingQuery-', last(split(variables('huntingQueryId10'),'/'))))]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleId7'),'/'))))]",
"properties": {
- "description": "PaloAltoCDL Hunting Query 10",
- "parentId": "[variables('huntingQueryId10')]",
- "contentId": "[variables('_huntingQuerycontentId10')]",
- "kind": "HuntingQuery",
- "version": "[variables('huntingQueryVersion10')]",
+ "description": "PaloAltoCDL Analytics Rule 7",
+ "parentId": "[variables('analyticRuleId7')]",
+ "contentId": "[variables('_analyticRulecontentId7')]",
+ "kind": "AnalyticsRule",
+ "version": "[variables('analyticRuleVersion7')]",
"source": {
"kind": "Solution",
"name": "PaloAltoCDL",
@@ -1309,405 +1907,161 @@
}
}
]
- }
- }
- },
- {
- "type": "Microsoft.Resources/templateSpecs",
- "apiversion": "2022-02-01",
- "name": "[variables('dataConnectorTemplateSpecName1')]",
- "location": "[parameters('workspace-location')]",
- "tags": {
- "hidden-sentinelWorkspaceId": "[variables('workspaceResourceId')]",
- "hidden-sentinelContentType": "DataConnector"
- },
- "properties": {
- "description": "PaloAltoCDL data connector with template",
- "displayName": "PaloAltoCDL template"
+ },
+ "packageKind": "Solution",
+ "packageVersion": "[variables('_solutionVersion')]",
+ "packageName": "[variables('_solutionName')]",
+ "packageId": "[variables('_solutionId')]",
+ "contentSchemaVersion": "3.0.0",
+ "contentId": "[variables('_analyticRulecontentId7')]",
+ "contentKind": "AnalyticsRule",
+ "displayName": "PaloAlto - Possible port scan",
+ "contentProductId": "[variables('_analyticRulecontentProductId7')]",
+ "id": "[variables('_analyticRulecontentProductId7')]",
+ "version": "[variables('analyticRuleVersion7')]"
}
},
{
- "type": "Microsoft.Resources/templateSpecs/versions",
- "apiversion": "2022-02-01",
- "name": "[concat(variables('dataConnectorTemplateSpecName1'),'/',variables('dataConnectorVersion1'))]",
+ "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates",
+ "apiVersion": "2023-04-01-preview",
+ "name": "[variables('analyticRuleTemplateSpecName8')]",
"location": "[parameters('workspace-location')]",
- "tags": {
- "hidden-sentinelWorkspaceId": "[variables('workspaceResourceId')]",
- "hidden-sentinelContentType": "DataConnector"
- },
"dependsOn": [
- "[resourceId('Microsoft.Resources/templateSpecs', variables('dataConnectorTemplateSpecName1'))]"
+ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
- "description": "PaloAltoCDL data connector with template version 2.0.4",
+ "description": "PaloAltoCDLPrivilegesWasChanged_AnalyticalRules Analytics Rule with template version 3.0.0",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
- "contentVersion": "[variables('dataConnectorVersion1')]",
+ "contentVersion": "[variables('analyticRuleVersion8')]",
"parameters": {},
"variables": {},
"resources": [
{
- "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',variables('_dataConnectorContentId1'))]",
- "apiVersion": "2021-03-01-preview",
- "type": "Microsoft.OperationalInsights/workspaces/providers/dataConnectors",
+ "type": "Microsoft.SecurityInsights/AlertRuleTemplates",
+ "name": "[variables('analyticRulecontentId8')]",
+ "apiVersion": "2022-04-01-preview",
+ "kind": "Scheduled",
"location": "[parameters('workspace-location')]",
- "kind": "GenericUI",
"properties": {
- "connectorUiConfig": {
- "id": "[variables('_uiConfigId1')]",
- "title": "Palo Alto Networks Cortex Data Lake (CDL)",
- "publisher": "Palo Alto Networks",
- "descriptionMarkdown": "The [Palo Alto Networks CDL](https://www.paloaltonetworks.com/cortex/cortex-data-lake) data connector provides the capability to ingest [CDL logs](https://docs.paloaltonetworks.com/cortex/cortex-data-lake/log-forwarding-schema-reference/log-forwarding-schema-overview.html) into Microsoft Sentinel.",
- "additionalRequirementBanner": "This data connector depends on a parser based on a Kusto Function to work as expected [**PaloAltoCDLEvent**](https://aka.ms/sentinel-paloaltocdl-parser) which is deployed with the Microsoft Sentinel Solution.",
- "graphQueries": [
- {
- "metricName": "Total data received",
- "legend": "PaloAltoNetworksCDL",
- "baseQuery": "PaloAltoCDLEvent"
- }
- ],
- "sampleQueries": [
- {
- "description": "Top 10 Destinations",
- "query": "PaloAltoCDLEvent\n | where isnotempty(DstIpAddr)\n | summarize count() by DstIpAddr\n | top 10 by count_"
- }
- ],
- "dataTypes": [
- {
- "name": "CommonSecurityLog (PaloAltoNetworksCDL)",
- "lastDataReceivedQuery": "PaloAltoCDLEvent\n | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)"
- }
- ],
- "connectivityCriterias": [
- {
- "type": "IsConnectedQuery",
- "value": [
- "PaloAltoCDLEvent\n | summarize LastLogReceived = max(TimeGenerated)\n | project IsConnected = LastLogReceived > ago(1d)"
- ]
- }
- ],
- "availability": {
- "status": 1,
- "isPreview": false
+ "description": "Detects changing of user privileges.",
+ "displayName": "PaloAlto - User privileges was changed",
+ "enabled": false,
+ "query": "let q_period = 14d;\nlet dt_lookBack = 24h;\nlet p = PaloAltoCDLEvent\n| where TimeGenerated between (ago(q_period)..ago(dt_lookBack))\n| summarize OldPrivileges = make_set(DestinationUserPrivileges) by DstUsername;\nPaloAltoCDLEvent\n| where TimeGenerated > ago(dt_lookBack)\n| summarize NewPrivileges = make_set(DestinationUserPrivileges) by DstUsername\n| join kind=innerunique (p) on DstUsername\n| where tostring(OldPrivileges) != tostring(NewPrivileges)\n| extend AccountCustomEntity = DstUsername\n",
+ "queryFrequency": "PT1H",
+ "queryPeriod": "P14D",
+ "severity": "Medium",
+ "suppressionDuration": "PT1H",
+ "suppressionEnabled": false,
+ "triggerOperator": "GreaterThan",
+ "triggerThreshold": 0,
+ "status": "Available",
+ "requiredDataConnectors": [
+ {
+ "dataTypes": [
+ "PaloAltoCDLEvent"
+ ],
+ "connectorId": "PaloAltoCDL"
},
- "permissions": {
- "resourceProvider": [
- {
- "provider": "Microsoft.OperationalInsights/workspaces",
- "permissionsDisplayText": "read and write permissions are required.",
- "providerDisplayName": "Workspace",
- "scope": "Workspace",
- "requiredPermissions": {
- "write": true,
- "read": true,
- "delete": true
- }
- },
+ {
+ "dataTypes": [
+ "PaloAltoCDLEvent"
+ ],
+ "connectorId": "PaloAltoCDLAma"
+ }
+ ],
+ "tactics": [
+ "InitialAccess"
+ ],
+ "techniques": [
+ "T1190",
+ "T1133"
+ ],
+ "entityMappings": [
+ {
+ "entityType": "Account",
+ "fieldMappings": [
{
- "provider": "Microsoft.OperationalInsights/workspaces/sharedKeys",
- "permissionsDisplayText": "read permissions to shared keys for the workspace are required. [See the documentation to learn more about workspace keys](https://docs.microsoft.com/azure/azure-monitor/platform/agent-windows#obtain-workspace-id-and-key).",
- "providerDisplayName": "Keys",
- "scope": "Workspace",
- "requiredPermissions": {
- "action": true
- }
- }
- ]
- },
- "instructionSteps": [
- {
- "description": ">**NOTE:** This data connector depends on a parser based on a Kusto Function to work as expected [**PaloAltoCDLEvent**](https://aka.ms/sentinel-paloaltocdl-parser) which is deployed with the Microsoft Sentinel Solution."
- },
- {
- "description": "Install and configure the Linux agent to collect your Common Event Format (CEF) Syslog messages and forward them to Microsoft Sentinel.\n\n> Notice that the data from all regions will be stored in the selected workspace",
- "innerSteps": [
- {
- "title": "1.1 Select or create a Linux machine",
- "description": "Select or create a Linux machine that Microsoft Sentinel will use as the proxy between your security solution and Microsoft Sentinel this machine can be on your on-prem environment, Azure or other clouds."
- },
- {
- "title": "1.2 Install the CEF collector on the Linux machine",
- "description": "Install the Microsoft Monitoring Agent on your Linux machine and configure the machine to listen on the necessary port and forward messages to your Microsoft Sentinel workspace. The CEF collector collects CEF messages on port 514 TCP.\n\n> 1. Make sure that you have Python on your machine using the following command: python -version.\n\n> 2. You must have elevated permissions (sudo) on your machine.",
- "instructions": [
- {
- "parameters": {
- "fillWith": [
- "WorkspaceId",
- "PrimaryKey"
- ],
- "label": "Run the following command to install and apply the CEF collector:",
- "value": "sudo wget -O cef_installer.py https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/DataConnectors/CEF/cef_installer.py&&sudo python cef_installer.py {0} {1}"
- },
- "type": "CopyableLabel"
- }
- ]
- }
- ],
- "title": "1. Linux Syslog agent configuration"
- },
- {
- "description": "[Follow the instructions](https://docs.paloaltonetworks.com/cortex/cortex-data-lake/cortex-data-lake-getting-started/get-started-with-log-forwarding-app/forward-logs-from-logging-service-to-syslog-server.html) to configure logs forwarding from Cortex Data Lake to a Syslog Server.",
- "title": "2. Configure Cortex Data Lake to forward logs to a Syslog Server using CEF"
- },
- {
- "description": "Follow the instructions to validate your connectivity:\n\nOpen Log Analytics to check if the logs are received using the CommonSecurityLog schema.\n\n>It may take about 20 minutes until the connection streams data to your workspace.\n\nIf the logs are not received, run the following connectivity validation script:\n\n> 1. Make sure that you have Python on your machine using the following command: python -version\n\n>2. You must have elevated permissions (sudo) on your machine",
- "instructions": [
- {
- "parameters": {
- "fillWith": [
- "WorkspaceId"
- ],
- "label": "Run the following command to validate your connectivity:",
- "value": "sudo wget -O cef_troubleshoot.py https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/DataConnectors/CEF/cef_troubleshoot.py&&sudo python cef_troubleshoot.py {0}"
- },
- "type": "CopyableLabel"
- }
- ],
- "title": "3. Validate connection"
- },
- {
- "description": "Make sure to configure the machine's security according to your organization's security policy\n\n\n[Learn more >](https://aka.ms/SecureCEF)",
- "title": "4. Secure your machine "
- }
- ]
- }
- }
- },
- {
- "type": "Microsoft.OperationalInsights/workspaces/providers/metadata",
- "apiVersion": "2022-01-01-preview",
- "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('DataConnector-', last(split(variables('_dataConnectorId1'),'/'))))]",
- "properties": {
- "parentId": "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/dataConnectors', variables('_dataConnectorContentId1'))]",
- "contentId": "[variables('_dataConnectorContentId1')]",
- "kind": "DataConnector",
- "version": "[variables('dataConnectorVersion1')]",
- "source": {
- "kind": "Solution",
- "name": "PaloAltoCDL",
- "sourceId": "[variables('_solutionId')]"
- },
- "author": {
- "name": "Microsoft",
- "email": "[variables('_email')]"
- },
- "support": {
- "name": "Microsoft Corporation",
- "email": "support@microsoft.com",
- "tier": "Microsoft",
- "link": "https://support.microsoft.com"
- }
- }
- }
- ]
- }
- }
- },
- {
- "type": "Microsoft.OperationalInsights/workspaces/providers/metadata",
- "apiVersion": "2022-01-01-preview",
- "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('DataConnector-', last(split(variables('_dataConnectorId1'),'/'))))]",
- "dependsOn": [
- "[variables('_dataConnectorId1')]"
- ],
- "location": "[parameters('workspace-location')]",
- "properties": {
- "parentId": "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/dataConnectors', variables('_dataConnectorContentId1'))]",
- "contentId": "[variables('_dataConnectorContentId1')]",
- "kind": "DataConnector",
- "version": "[variables('dataConnectorVersion1')]",
- "source": {
- "kind": "Solution",
- "name": "PaloAltoCDL",
- "sourceId": "[variables('_solutionId')]"
- },
- "author": {
- "name": "Microsoft",
- "email": "[variables('_email')]"
- },
- "support": {
- "name": "Microsoft Corporation",
- "email": "support@microsoft.com",
- "tier": "Microsoft",
- "link": "https://support.microsoft.com"
- }
- }
- },
- {
- "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',variables('_dataConnectorContentId1'))]",
- "apiVersion": "2021-03-01-preview",
- "type": "Microsoft.OperationalInsights/workspaces/providers/dataConnectors",
- "location": "[parameters('workspace-location')]",
- "kind": "GenericUI",
- "properties": {
- "connectorUiConfig": {
- "title": "Palo Alto Networks Cortex Data Lake (CDL)",
- "publisher": "Palo Alto Networks",
- "descriptionMarkdown": "The [Palo Alto Networks CDL](https://www.paloaltonetworks.com/cortex/cortex-data-lake) data connector provides the capability to ingest [CDL logs](https://docs.paloaltonetworks.com/cortex/cortex-data-lake/log-forwarding-schema-reference/log-forwarding-schema-overview.html) into Microsoft Sentinel.",
- "graphQueries": [
- {
- "metricName": "Total data received",
- "legend": "PaloAltoNetworksCDL",
- "baseQuery": "PaloAltoCDLEvent"
- }
- ],
- "dataTypes": [
- {
- "name": "CommonSecurityLog (PaloAltoNetworksCDL)",
- "lastDataReceivedQuery": "PaloAltoCDLEvent\n | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)"
- }
- ],
- "connectivityCriterias": [
- {
- "type": "IsConnectedQuery",
- "value": [
- "PaloAltoCDLEvent\n | summarize LastLogReceived = max(TimeGenerated)\n | project IsConnected = LastLogReceived > ago(1d)"
- ]
- }
- ],
- "sampleQueries": [
- {
- "description": "Top 10 Destinations",
- "query": "PaloAltoCDLEvent\n | where isnotempty(DstIpAddr)\n | summarize count() by DstIpAddr\n | top 10 by count_"
- }
- ],
- "availability": {
- "status": 1,
- "isPreview": false
- },
- "permissions": {
- "resourceProvider": [
- {
- "provider": "Microsoft.OperationalInsights/workspaces",
- "permissionsDisplayText": "read and write permissions are required.",
- "providerDisplayName": "Workspace",
- "scope": "Workspace",
- "requiredPermissions": {
- "write": true,
- "read": true,
- "delete": true
- }
- },
- {
- "provider": "Microsoft.OperationalInsights/workspaces/sharedKeys",
- "permissionsDisplayText": "read permissions to shared keys for the workspace are required. [See the documentation to learn more about workspace keys](https://docs.microsoft.com/azure/azure-monitor/platform/agent-windows#obtain-workspace-id-and-key).",
- "providerDisplayName": "Keys",
- "scope": "Workspace",
- "requiredPermissions": {
- "action": true
- }
- }
- ]
- },
- "instructionSteps": [
- {
- "description": ">**NOTE:** This data connector depends on a parser based on a Kusto Function to work as expected [**PaloAltoCDLEvent**](https://aka.ms/sentinel-paloaltocdl-parser) which is deployed with the Microsoft Sentinel Solution."
- },
- {
- "description": "Install and configure the Linux agent to collect your Common Event Format (CEF) Syslog messages and forward them to Microsoft Sentinel.\n\n> Notice that the data from all regions will be stored in the selected workspace",
- "innerSteps": [
- {
- "title": "1.1 Select or create a Linux machine",
- "description": "Select or create a Linux machine that Microsoft Sentinel will use as the proxy between your security solution and Microsoft Sentinel this machine can be on your on-prem environment, Azure or other clouds."
- },
- {
- "title": "1.2 Install the CEF collector on the Linux machine",
- "description": "Install the Microsoft Monitoring Agent on your Linux machine and configure the machine to listen on the necessary port and forward messages to your Microsoft Sentinel workspace. The CEF collector collects CEF messages on port 514 TCP.\n\n> 1. Make sure that you have Python on your machine using the following command: python -version.\n\n> 2. You must have elevated permissions (sudo) on your machine.",
- "instructions": [
- {
- "parameters": {
- "fillWith": [
- "WorkspaceId",
- "PrimaryKey"
- ],
- "label": "Run the following command to install and apply the CEF collector:",
- "value": "sudo wget -O cef_installer.py https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/DataConnectors/CEF/cef_installer.py&&sudo python cef_installer.py {0} {1}"
- },
- "type": "CopyableLabel"
- }
- ]
- }
- ],
- "title": "1. Linux Syslog agent configuration"
- },
- {
- "description": "[Follow the instructions](https://docs.paloaltonetworks.com/cortex/cortex-data-lake/cortex-data-lake-getting-started/get-started-with-log-forwarding-app/forward-logs-from-logging-service-to-syslog-server.html) to configure logs forwarding from Cortex Data Lake to a Syslog Server.",
- "title": "2. Configure Cortex Data Lake to forward logs to a Syslog Server using CEF"
+ "columnName": "AccountCustomEntity",
+ "identifier": "Name"
+ }
+ ]
+ }
+ ]
+ }
},
{
- "description": "Follow the instructions to validate your connectivity:\n\nOpen Log Analytics to check if the logs are received using the CommonSecurityLog schema.\n\n>It may take about 20 minutes until the connection streams data to your workspace.\n\nIf the logs are not received, run the following connectivity validation script:\n\n> 1. Make sure that you have Python on your machine using the following command: python -version\n\n>2. You must have elevated permissions (sudo) on your machine",
- "instructions": [
- {
- "parameters": {
- "fillWith": [
- "WorkspaceId"
- ],
- "label": "Run the following command to validate your connectivity:",
- "value": "sudo wget -O cef_troubleshoot.py https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/DataConnectors/CEF/cef_troubleshoot.py&&sudo python cef_troubleshoot.py {0}"
- },
- "type": "CopyableLabel"
+ "type": "Microsoft.OperationalInsights/workspaces/providers/metadata",
+ "apiVersion": "2022-01-01-preview",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleId8'),'/'))))]",
+ "properties": {
+ "description": "PaloAltoCDL Analytics Rule 8",
+ "parentId": "[variables('analyticRuleId8')]",
+ "contentId": "[variables('_analyticRulecontentId8')]",
+ "kind": "AnalyticsRule",
+ "version": "[variables('analyticRuleVersion8')]",
+ "source": {
+ "kind": "Solution",
+ "name": "PaloAltoCDL",
+ "sourceId": "[variables('_solutionId')]"
+ },
+ "author": {
+ "name": "Microsoft",
+ "email": "[variables('_email')]"
+ },
+ "support": {
+ "name": "Microsoft Corporation",
+ "email": "support@microsoft.com",
+ "tier": "Microsoft",
+ "link": "https://support.microsoft.com"
}
- ],
- "title": "3. Validate connection"
- },
- {
- "description": "Make sure to configure the machine's security according to your organization's security policy\n\n\n[Learn more >](https://aka.ms/SecureCEF)",
- "title": "4. Secure your machine "
+ }
}
- ],
- "id": "[variables('_uiConfigId1')]",
- "additionalRequirementBanner": "This data connector depends on a parser based on a Kusto Function to work as expected [**PaloAltoCDLEvent**](https://aka.ms/sentinel-paloaltocdl-parser) which is deployed with the Microsoft Sentinel Solution."
- }
- }
- },
- {
- "type": "Microsoft.Resources/templateSpecs",
- "apiversion": "2022-02-01",
- "name": "[variables('analyticRuleTemplateSpecName1')]",
- "location": "[parameters('workspace-location')]",
- "tags": {
- "hidden-sentinelWorkspaceId": "[variables('workspaceResourceId')]",
- "hidden-sentinelContentType": "AnalyticsRule"
- },
- "properties": {
- "description": "PaloAltoCDL Analytics Rule 1 with template",
- "displayName": "PaloAltoCDL Analytics Rule template"
+ ]
+ },
+ "packageKind": "Solution",
+ "packageVersion": "[variables('_solutionVersion')]",
+ "packageName": "[variables('_solutionName')]",
+ "packageId": "[variables('_solutionId')]",
+ "contentSchemaVersion": "3.0.0",
+ "contentId": "[variables('_analyticRulecontentId8')]",
+ "contentKind": "AnalyticsRule",
+ "displayName": "PaloAlto - User privileges was changed",
+ "contentProductId": "[variables('_analyticRulecontentProductId8')]",
+ "id": "[variables('_analyticRulecontentProductId8')]",
+ "version": "[variables('analyticRuleVersion8')]"
}
},
{
- "type": "Microsoft.Resources/templateSpecs/versions",
- "apiversion": "2022-02-01",
- "name": "[concat(variables('analyticRuleTemplateSpecName1'),'/',variables('analyticRuleVersion1'))]",
+ "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates",
+ "apiVersion": "2023-04-01-preview",
+ "name": "[variables('analyticRuleTemplateSpecName9')]",
"location": "[parameters('workspace-location')]",
- "tags": {
- "hidden-sentinelWorkspaceId": "[variables('workspaceResourceId')]",
- "hidden-sentinelContentType": "AnalyticsRule"
- },
"dependsOn": [
- "[resourceId('Microsoft.Resources/templateSpecs', variables('analyticRuleTemplateSpecName1'))]"
+ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
- "description": "PaloAltoCDLConflictingMacAddress_AnalyticalRules Analytics Rule with template version 2.0.4",
+ "description": "PaloAltoCDLPutMethodInHighRiskFileType_AnalyticalRules Analytics Rule with template version 3.0.0",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
- "contentVersion": "[variables('analyticRuleVersion1')]",
+ "contentVersion": "[variables('analyticRuleVersion9')]",
"parameters": {},
"variables": {},
"resources": [
{
"type": "Microsoft.SecurityInsights/AlertRuleTemplates",
- "name": "[variables('AnalyticRulecontentId1')]",
+ "name": "[variables('analyticRulecontentId9')]",
"apiVersion": "2022-04-01-preview",
"kind": "Scheduled",
"location": "[parameters('workspace-location')]",
"properties": {
- "description": "Detects several users with the same MAC address.",
- "displayName": "PaloAlto - MAC address conflict",
+ "description": "Detects put and post method request in high risk file type.",
+ "displayName": "PaloAlto - Put and post method request in high risk file type",
"enabled": false,
- "query": "let threshold = 2;\nPaloAltoCDLEvent\n| where EventResourceId =~ 'TRAFFIC'\n| where isnotempty(DestinationMACAddress) and isnotempty(DstUsername)\n| summarize UserSet = make_set(DstUsername) by DestinationMACAddress\n| extend Users = array_length(UserSet)\n| where Users >= threshold\n| extend AccountCustomEntity = UserSet, IPCustomEntity = DestinationMACAddress\n",
- "queryFrequency": "PT1H",
- "queryPeriod": "PT1H",
- "severity": "Low",
+ "query": "let HighRiskFileType = dynamic(['.exe', '.msi', '.msp', '.jar', '.bat', '.cmd', '.js', '.jse', 'ws', '.ps1', '.ps2', '.msh']);\nPaloAltoCDLEvent\n| where EventResourceId =~ 'THREAT'\n| where EventResult =~ 'file'\n| where HttpRequestMethod has_any (\"POST\", \"PUT\")\n| where FileType in (HighRiskFileType)\n| extend FileCustomEntity = SrcFileName\n",
+ "queryFrequency": "PT10M",
+ "queryPeriod": "PT10M",
+ "severity": "High",
"suppressionDuration": "PT1H",
"suppressionEnabled": false,
"triggerOperator": "GreaterThan",
@@ -1715,10 +2069,16 @@
"status": "Available",
"requiredDataConnectors": [
{
- "connectorId": "PaloAltoCDL",
"dataTypes": [
"PaloAltoCDLEvent"
- ]
+ ],
+ "connectorId": "PaloAltoCDL"
+ },
+ {
+ "dataTypes": [
+ "PaloAltoCDLEvent"
+ ],
+ "connectorId": "PaloAltoCDLAma"
}
],
"tactics": [
@@ -1730,22 +2090,13 @@
],
"entityMappings": [
{
+ "entityType": "File",
"fieldMappings": [
{
- "identifier": "Name",
- "columnName": "AccountCustomEntity"
- }
- ],
- "entityType": "Account"
- },
- {
- "fieldMappings": [
- {
- "identifier": "Address",
- "columnName": "IPCustomEntity"
+ "columnName": "FileCustomEntity",
+ "identifier": "Name"
}
- ],
- "entityType": "IP"
+ ]
}
]
}
@@ -1753,13 +2104,13 @@
{
"type": "Microsoft.OperationalInsights/workspaces/providers/metadata",
"apiVersion": "2022-01-01-preview",
- "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleId1'),'/'))))]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleId9'),'/'))))]",
"properties": {
- "description": "PaloAltoCDL Analytics Rule 1",
- "parentId": "[variables('analyticRuleId1')]",
- "contentId": "[variables('_analyticRulecontentId1')]",
+ "description": "PaloAltoCDL Analytics Rule 9",
+ "parentId": "[variables('analyticRuleId9')]",
+ "contentId": "[variables('_analyticRulecontentId9')]",
"kind": "AnalyticsRule",
- "version": "[variables('analyticRuleVersion1')]",
+ "version": "[variables('analyticRuleVersion9')]",
"source": {
"kind": "Solution",
"name": "PaloAltoCDL",
@@ -1778,54 +2129,47 @@
}
}
]
- }
- }
- },
- {
- "type": "Microsoft.Resources/templateSpecs",
- "apiversion": "2022-02-01",
- "name": "[variables('analyticRuleTemplateSpecName2')]",
- "location": "[parameters('workspace-location')]",
- "tags": {
- "hidden-sentinelWorkspaceId": "[variables('workspaceResourceId')]",
- "hidden-sentinelContentType": "AnalyticsRule"
- },
- "properties": {
- "description": "PaloAltoCDL Analytics Rule 2 with template",
- "displayName": "PaloAltoCDL Analytics Rule template"
+ },
+ "packageKind": "Solution",
+ "packageVersion": "[variables('_solutionVersion')]",
+ "packageName": "[variables('_solutionName')]",
+ "packageId": "[variables('_solutionId')]",
+ "contentSchemaVersion": "3.0.0",
+ "contentId": "[variables('_analyticRulecontentId9')]",
+ "contentKind": "AnalyticsRule",
+ "displayName": "PaloAlto - Put and post method request in high risk file type",
+ "contentProductId": "[variables('_analyticRulecontentProductId9')]",
+ "id": "[variables('_analyticRulecontentProductId9')]",
+ "version": "[variables('analyticRuleVersion9')]"
}
},
{
- "type": "Microsoft.Resources/templateSpecs/versions",
- "apiversion": "2022-02-01",
- "name": "[concat(variables('analyticRuleTemplateSpecName2'),'/',variables('analyticRuleVersion2'))]",
+ "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates",
+ "apiVersion": "2023-04-01-preview",
+ "name": "[variables('analyticRuleTemplateSpecName10')]",
"location": "[parameters('workspace-location')]",
- "tags": {
- "hidden-sentinelWorkspaceId": "[variables('workspaceResourceId')]",
- "hidden-sentinelContentType": "AnalyticsRule"
- },
"dependsOn": [
- "[resourceId('Microsoft.Resources/templateSpecs', variables('analyticRuleTemplateSpecName2'))]"
+ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
- "description": "PaloAltoCDLDroppingSessionWithSentTraffic_AnalyticalRules Analytics Rule with template version 2.0.4",
+ "description": "PaloAltoCDLUnexpectedCountries_AnalyticalRules Analytics Rule with template version 3.0.0",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
- "contentVersion": "[variables('analyticRuleVersion2')]",
+ "contentVersion": "[variables('analyticRuleVersion10')]",
"parameters": {},
"variables": {},
"resources": [
{
"type": "Microsoft.SecurityInsights/AlertRuleTemplates",
- "name": "[variables('AnalyticRulecontentId2')]",
+ "name": "[variables('analyticRulecontentId10')]",
"apiVersion": "2022-04-01-preview",
"kind": "Scheduled",
"location": "[parameters('workspace-location')]",
"properties": {
- "description": "Detects dropping or denying session with traffic.",
- "displayName": "PaloAlto - Dropping or denying session with traffic",
+ "description": "Detects suspicious connections from forbidden countries.",
+ "displayName": "PaloAlto - Forbidden countries",
"enabled": false,
- "query": "let threshold = 100;\nPaloAltoCDLEvent\n| where EventResourceId =~ 'TRAFFIC'\n| where EventResult has_any (\"deny\", \"drop\", \"reject\") \n| where tolong(DstBytes) > 0\n| where tolong(NetworkPackets) > 0\n| summarize count() by SrcIpAddr, DstUsername, bin(TimeGenerated, 10m)\n| where count_ > threshold\n| extend AccountCustomEntity = DstUsername, IPCustomEntity = SrcIpAddr\n",
+ "query": "let bl_countries = dynamic(['CH', 'RU']);\nPaloAltoCDLEvent \n| where EventResourceId =~ 'TRAFFIC'\n| where MaliciousIPCountry in (bl_countries)\n| summarize count() by DstUsername, SrcIpAddr \n| extend IPCustomEntity = SrcIpAddr, AccountCustomEntity = DstUsername\n",
"queryFrequency": "PT1H",
"queryPeriod": "PT1H",
"severity": "Medium",
@@ -1836,10 +2180,16 @@
"status": "Available",
"requiredDataConnectors": [
{
- "connectorId": "PaloAltoCDL",
"dataTypes": [
"PaloAltoCDLEvent"
- ]
+ ],
+ "connectorId": "PaloAltoCDL"
+ },
+ {
+ "dataTypes": [
+ "PaloAltoCDLEvent"
+ ],
+ "connectorId": "PaloAltoCDLAma"
}
],
"tactics": [
@@ -1851,22 +2201,192 @@
],
"entityMappings": [
{
- "fieldMappings": [
- {
- "identifier": "Name",
- "columnName": "AccountCustomEntity"
- }
- ],
- "entityType": "Account"
+ "entityType": "Account",
+ "fieldMappings": [
+ {
+ "columnName": "AccountCustomEntity",
+ "identifier": "Name"
+ }
+ ]
+ },
+ {
+ "entityType": "IP",
+ "fieldMappings": [
+ {
+ "columnName": "IPCustomEntity",
+ "identifier": "Address"
+ }
+ ]
+ }
+ ]
+ }
+ },
+ {
+ "type": "Microsoft.OperationalInsights/workspaces/providers/metadata",
+ "apiVersion": "2022-01-01-preview",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleId10'),'/'))))]",
+ "properties": {
+ "description": "PaloAltoCDL Analytics Rule 10",
+ "parentId": "[variables('analyticRuleId10')]",
+ "contentId": "[variables('_analyticRulecontentId10')]",
+ "kind": "AnalyticsRule",
+ "version": "[variables('analyticRuleVersion10')]",
+ "source": {
+ "kind": "Solution",
+ "name": "PaloAltoCDL",
+ "sourceId": "[variables('_solutionId')]"
+ },
+ "author": {
+ "name": "Microsoft",
+ "email": "[variables('_email')]"
+ },
+ "support": {
+ "name": "Microsoft Corporation",
+ "email": "support@microsoft.com",
+ "tier": "Microsoft",
+ "link": "https://support.microsoft.com"
+ }
+ }
+ }
+ ]
+ },
+ "packageKind": "Solution",
+ "packageVersion": "[variables('_solutionVersion')]",
+ "packageName": "[variables('_solutionName')]",
+ "packageId": "[variables('_solutionId')]",
+ "contentSchemaVersion": "3.0.0",
+ "contentId": "[variables('_analyticRulecontentId10')]",
+ "contentKind": "AnalyticsRule",
+ "displayName": "PaloAlto - Forbidden countries",
+ "contentProductId": "[variables('_analyticRulecontentProductId10')]",
+ "id": "[variables('_analyticRulecontentProductId10')]",
+ "version": "[variables('analyticRuleVersion10')]"
+ }
+ },
+ {
+ "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates",
+ "apiVersion": "2023-04-01-preview",
+ "name": "[variables('huntingQueryTemplateSpecName1')]",
+ "location": "[parameters('workspace-location')]",
+ "dependsOn": [
+ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
+ ],
+ "properties": {
+ "description": "PaloAltoCDLCriticalEventResult_HuntingQueries Hunting Query with template version 3.0.0",
+ "mainTemplate": {
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "[variables('huntingQueryVersion1')]",
+ "parameters": {},
+ "variables": {},
+ "resources": [
+ {
+ "type": "Microsoft.OperationalInsights/savedSearches",
+ "apiVersion": "2022-10-01",
+ "name": "PaloAltoCDL_Hunting_Query_1",
+ "location": "[parameters('workspace-location')]",
+ "properties": {
+ "eTag": "*",
+ "displayName": "PaloAlto - Critical event result",
+ "category": "Hunting Queries",
+ "query": "PaloAltoCDLEvent\n| where TimeGenerated > ago(24h)\n| where EventSeverity has 'critical' or tostring(ThreatSeverity) has_any ('high', 'critical')\n| extend UrlCustomEntity = Url, AccountCustomEntity = DstUsername\n",
+ "version": 2,
+ "tags": [
+ {
+ "name": "description",
+ "value": "Query shows critical event result"
+ },
+ {
+ "name": "tactics",
+ "value": "InitialAccess"
+ },
+ {
+ "name": "techniques",
+ "value": "T1190,T1133"
+ }
+ ]
+ }
+ },
+ {
+ "type": "Microsoft.OperationalInsights/workspaces/providers/metadata",
+ "apiVersion": "2022-01-01-preview",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('HuntingQuery-', last(split(variables('huntingQueryId1'),'/'))))]",
+ "properties": {
+ "description": "PaloAltoCDL Hunting Query 1",
+ "parentId": "[variables('huntingQueryId1')]",
+ "contentId": "[variables('_huntingQuerycontentId1')]",
+ "kind": "HuntingQuery",
+ "version": "[variables('huntingQueryVersion1')]",
+ "source": {
+ "kind": "Solution",
+ "name": "PaloAltoCDL",
+ "sourceId": "[variables('_solutionId')]"
+ },
+ "author": {
+ "name": "Microsoft",
+ "email": "[variables('_email')]"
+ },
+ "support": {
+ "name": "Microsoft Corporation",
+ "email": "support@microsoft.com",
+ "tier": "Microsoft",
+ "link": "https://support.microsoft.com"
+ }
+ }
+ }
+ ]
+ },
+ "packageKind": "Solution",
+ "packageVersion": "[variables('_solutionVersion')]",
+ "packageName": "[variables('_solutionName')]",
+ "packageId": "[variables('_solutionId')]",
+ "contentSchemaVersion": "3.0.0",
+ "contentId": "[variables('_huntingQuerycontentId1')]",
+ "contentKind": "HuntingQuery",
+ "displayName": "PaloAlto - Critical event result",
+ "contentProductId": "[variables('_huntingQuerycontentProductId1')]",
+ "id": "[variables('_huntingQuerycontentProductId1')]",
+ "version": "[variables('huntingQueryVersion1')]"
+ }
+ },
+ {
+ "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates",
+ "apiVersion": "2023-04-01-preview",
+ "name": "[variables('huntingQueryTemplateSpecName2')]",
+ "location": "[parameters('workspace-location')]",
+ "dependsOn": [
+ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
+ ],
+ "properties": {
+ "description": "PaloAltoCDLFilePermissionWithPutRequest_HuntingQueries Hunting Query with template version 3.0.0",
+ "mainTemplate": {
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "[variables('huntingQueryVersion2')]",
+ "parameters": {},
+ "variables": {},
+ "resources": [
+ {
+ "type": "Microsoft.OperationalInsights/savedSearches",
+ "apiVersion": "2022-10-01",
+ "name": "PaloAltoCDL_Hunting_Query_2",
+ "location": "[parameters('workspace-location')]",
+ "properties": {
+ "eTag": "*",
+ "displayName": "PaloAlto - File permission with PUT or POST request",
+ "category": "Hunting Queries",
+ "query": "PaloAltoCDLEvent\n| where TimeGenerated > ago(24h)\n| where HttpRequestMethod contains \"PUT\" or HttpRequestMethod contains \"POST\"\n| where isnotempty(FilePermission)\n| summarize Permissions = count() by FilePermission, DstUsername\n| extend AccountCustomEntity = DstUsername\n",
+ "version": 2,
+ "tags": [
+ {
+ "name": "description",
+ "value": "Query shows file permission with PUT or POST request"
},
{
- "fieldMappings": [
- {
- "identifier": "Address",
- "columnName": "IPCustomEntity"
- }
- ],
- "entityType": "IP"
+ "name": "tactics",
+ "value": "InitialAccess"
+ },
+ {
+ "name": "techniques",
+ "value": "T1190,T1133"
}
]
}
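Review bot: Hunting query 2 selects the HTTP method with `HttpRequestMethod contains "PUT" or HttpRequestMethod contains "POST"`, a substring test that is inconsistent with rule 9 in the same solution, which uses `has_any ("POST", "PUT")` on the same field; `| where HttpRequestMethod in~ ("PUT", "POST")` states the intent exactly and keeps the two in step. Hunting query 1 mixes `EventSeverity has 'critical'` with `tostring(ThreatSeverity) has_any ('high', 'critical')`; since EventSeverity is renamed from the CEF LogSeverity field, whether it ever carries the word `critical` rather than a numeric level is worth confirming, otherwise that half of the predicate never fires. The `mainTemplate.resources` array of hunting query 2 continues past the end of this hunk.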
@@ -1874,13 +2394,13 @@
{
"type": "Microsoft.OperationalInsights/workspaces/providers/metadata",
"apiVersion": "2022-01-01-preview",
- "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleId2'),'/'))))]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('HuntingQuery-', last(split(variables('huntingQueryId2'),'/'))))]",
"properties": {
- "description": "PaloAltoCDL Analytics Rule 2",
- "parentId": "[variables('analyticRuleId2')]",
- "contentId": "[variables('_analyticRulecontentId2')]",
- "kind": "AnalyticsRule",
- "version": "[variables('analyticRuleVersion2')]",
+ "description": "PaloAltoCDL Hunting Query 2",
+ "parentId": "[variables('huntingQueryId2')]",
+ "contentId": "[variables('_huntingQuerycontentId2')]",
+ "kind": "HuntingQuery",
+ "version": "[variables('huntingQueryVersion2')]",
"source": {
"kind": "Solution",
"name": "PaloAltoCDL",
@@ -1899,95 +2419,59 @@
}
}
]
- }
- }
- },
- {
- "type": "Microsoft.Resources/templateSpecs",
- "apiversion": "2022-02-01",
- "name": "[variables('analyticRuleTemplateSpecName3')]",
- "location": "[parameters('workspace-location')]",
- "tags": {
- "hidden-sentinelWorkspaceId": "[variables('workspaceResourceId')]",
- "hidden-sentinelContentType": "AnalyticsRule"
- },
- "properties": {
- "description": "PaloAltoCDL Analytics Rule 3 with template",
- "displayName": "PaloAltoCDL Analytics Rule template"
+ },
+ "packageKind": "Solution",
+ "packageVersion": "[variables('_solutionVersion')]",
+ "packageName": "[variables('_solutionName')]",
+ "packageId": "[variables('_solutionId')]",
+ "contentSchemaVersion": "3.0.0",
+ "contentId": "[variables('_huntingQuerycontentId2')]",
+ "contentKind": "HuntingQuery",
+ "displayName": "PaloAlto - File permission with PUT or POST request",
+ "contentProductId": "[variables('_huntingQuerycontentProductId2')]",
+ "id": "[variables('_huntingQuerycontentProductId2')]",
+ "version": "[variables('huntingQueryVersion2')]"
}
},
{
- "type": "Microsoft.Resources/templateSpecs/versions",
- "apiversion": "2022-02-01",
- "name": "[concat(variables('analyticRuleTemplateSpecName3'),'/',variables('analyticRuleVersion3'))]",
+ "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates",
+ "apiVersion": "2023-04-01-preview",
+ "name": "[variables('huntingQueryTemplateSpecName3')]",
"location": "[parameters('workspace-location')]",
- "tags": {
- "hidden-sentinelWorkspaceId": "[variables('workspaceResourceId')]",
- "hidden-sentinelContentType": "AnalyticsRule"
- },
"dependsOn": [
- "[resourceId('Microsoft.Resources/templateSpecs', variables('analyticRuleTemplateSpecName3'))]"
+ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
- "description": "PaloAltoCDLFileTypeWasChanged_AnalyticalRules Analytics Rule with template version 2.0.4",
+ "description": "PaloAltoCDLIPsByPorts_HuntingQueries Hunting Query with template version 3.0.0",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
- "contentVersion": "[variables('analyticRuleVersion3')]",
+ "contentVersion": "[variables('huntingQueryVersion3')]",
"parameters": {},
"variables": {},
"resources": [
{
- "type": "Microsoft.SecurityInsights/AlertRuleTemplates",
- "name": "[variables('AnalyticRulecontentId3')]",
- "apiVersion": "2022-04-01-preview",
- "kind": "Scheduled",
+ "type": "Microsoft.OperationalInsights/savedSearches",
+ "apiVersion": "2022-10-01",
+ "name": "PaloAltoCDL_Hunting_Query_3",
"location": "[parameters('workspace-location')]",
"properties": {
- "description": "Detects when file type changed.",
- "displayName": "PaloAlto - File type changed",
- "enabled": false,
- "query": "PaloAltoCDLEvent\n| where EventResourceId =~ 'THREAT'\n| where EventResult =~ 'file'\n| where FileType != OldFileType\n| extend FileCustomEntity = SrcFileName, AccountCustomEntity = DstUsername\n",
- "queryFrequency": "PT1H",
- "queryPeriod": "PT1H",
- "severity": "Medium",
- "suppressionDuration": "PT1H",
- "suppressionEnabled": false,
- "triggerOperator": "GreaterThan",
- "triggerThreshold": 0,
- "status": "Available",
- "requiredDataConnectors": [
+ "eTag": "*",
+ "displayName": "PaloAlto - Destination ports by IPs",
+ "category": "Hunting Queries",
+ "query": "PaloAltoCDLEvent\n| where TimeGenerated > ago(24h)\n| where isnotempty(DstPortNumber)\n| summarize IP_Dst = make_set(tostring(DstNatIpAddr)) by DstPortNumber\n| extend IPCustomEntity = IP_Dst\n",
+ "version": 2,
+ "tags": [
{
- "connectorId": "PaloAltoCDL",
- "dataTypes": [
- "PaloAltoCDLEvent"
- ]
- }
- ],
- "tactics": [
- "InitialAccess"
- ],
- "techniques": [
- "T1190",
- "T1133"
- ],
- "entityMappings": [
+ "name": "description",
+ "value": "Query shows destination ports by IP address."
+ },
{
- "fieldMappings": [
- {
- "identifier": "Name",
- "columnName": "AccountCustomEntity"
- }
- ],
- "entityType": "Account"
+ "name": "tactics",
+ "value": "InitialAccess"
},
{
- "fieldMappings": [
- {
- "identifier": "Name",
- "columnName": "FileCustomEntity"
- }
- ],
- "entityType": "File"
+ "name": "techniques",
+ "value": "T1190,T1133"
}
]
}
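Review bot: `| extend IPCustomEntity = IP_Dst` in `PaloAltoCDL_Hunting_Query_3` binds the IP entity column to the output of `make_set(...)`, which is a dynamic array, so the column holds a JSON list rather than a single address and will not resolve to an IP entity. If one entity per address is wanted, expand before mapping with `| mv-expand IPCustomEntity = IP_Dst to typeof(string)`; otherwise keep `IP_Dst` as a display column and drop the extend. Separately, the tags at the end of this hunk (tactics `InitialAccess`, techniques `T1190,T1133`) are identical on every hunting query in this diff (hunks ending at L2501, L2659, L2809, L2951 and L3094) and do not describe what most of them look for, such as destination ports by IP or outdated agent versions; they appear to be carried over from the source YAML, so the correction belongs there and the template should be regenerated.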
@@ -1995,13 +2479,13 @@
{
"type": "Microsoft.OperationalInsights/workspaces/providers/metadata",
"apiVersion": "2022-01-01-preview",
- "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleId3'),'/'))))]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('HuntingQuery-', last(split(variables('huntingQueryId3'),'/'))))]",
"properties": {
- "description": "PaloAltoCDL Analytics Rule 3",
- "parentId": "[variables('analyticRuleId3')]",
- "contentId": "[variables('_analyticRulecontentId3')]",
- "kind": "AnalyticsRule",
- "version": "[variables('analyticRuleVersion3')]",
+ "description": "PaloAltoCDL Hunting Query 3",
+ "parentId": "[variables('huntingQueryId3')]",
+ "contentId": "[variables('_huntingQuerycontentId3')]",
+ "kind": "HuntingQuery",
+ "version": "[variables('huntingQueryVersion3')]",
"source": {
"kind": "Solution",
"name": "PaloAltoCDL",
@@ -2020,86 +2504,59 @@
}
}
]
- }
- }
- },
- {
- "type": "Microsoft.Resources/templateSpecs",
- "apiversion": "2022-02-01",
- "name": "[variables('analyticRuleTemplateSpecName4')]",
- "location": "[parameters('workspace-location')]",
- "tags": {
- "hidden-sentinelWorkspaceId": "[variables('workspaceResourceId')]",
- "hidden-sentinelContentType": "AnalyticsRule"
- },
- "properties": {
- "description": "PaloAltoCDL Analytics Rule 4 with template",
- "displayName": "PaloAltoCDL Analytics Rule template"
+ },
+ "packageKind": "Solution",
+ "packageVersion": "[variables('_solutionVersion')]",
+ "packageName": "[variables('_solutionName')]",
+ "packageId": "[variables('_solutionId')]",
+ "contentSchemaVersion": "3.0.0",
+ "contentId": "[variables('_huntingQuerycontentId3')]",
+ "contentKind": "HuntingQuery",
+ "displayName": "PaloAlto - Destination ports by IPs",
+ "contentProductId": "[variables('_huntingQuerycontentProductId3')]",
+ "id": "[variables('_huntingQuerycontentProductId3')]",
+ "version": "[variables('huntingQueryVersion3')]"
}
},
{
- "type": "Microsoft.Resources/templateSpecs/versions",
- "apiversion": "2022-02-01",
- "name": "[concat(variables('analyticRuleTemplateSpecName4'),'/',variables('analyticRuleVersion4'))]",
+ "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates",
+ "apiVersion": "2023-04-01-preview",
+ "name": "[variables('huntingQueryTemplateSpecName4')]",
"location": "[parameters('workspace-location')]",
- "tags": {
- "hidden-sentinelWorkspaceId": "[variables('workspaceResourceId')]",
- "hidden-sentinelContentType": "AnalyticsRule"
- },
"dependsOn": [
- "[resourceId('Microsoft.Resources/templateSpecs', variables('analyticRuleTemplateSpecName4'))]"
+ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
- "description": "PaloAltoCDLInboundRiskPorts_AnalyticalRules Analytics Rule with template version 2.0.4",
+ "description": "PaloAltoCDLIncompleteApplicationProtocol_HuntingQueries Hunting Query with template version 3.0.0",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
- "contentVersion": "[variables('analyticRuleVersion4')]",
+ "contentVersion": "[variables('huntingQueryVersion4')]",
"parameters": {},
"variables": {},
"resources": [
{
- "type": "Microsoft.SecurityInsights/AlertRuleTemplates",
- "name": "[variables('AnalyticRulecontentId4')]",
- "apiVersion": "2022-04-01-preview",
- "kind": "Scheduled",
+ "type": "Microsoft.OperationalInsights/savedSearches",
+ "apiVersion": "2022-10-01",
+ "name": "PaloAltoCDL_Hunting_Query_4",
"location": "[parameters('workspace-location')]",
"properties": {
- "description": "Detects inbound connection to high risk ports.",
- "displayName": "PaloAlto - Inbound connection to high risk ports",
- "enabled": false,
- "query": "let HighRiskPorts = dynamic(['21', '22', '23', '25', '53', '443', '110', '135', '137', '138', '139', '1433', '1434']);\nPaloAltoCDLEvent\n| where EventResourceId =~ 'TRAFFIC'\n| where ipv4_is_private(SrcIpAddr) == false\n| where DstPortNumber in (HighRiskPorts)\n| extend IPCustomEntity = SrcIpAddr\n",
- "queryFrequency": "PT1H",
- "queryPeriod": "PT1H",
- "severity": "Medium",
- "suppressionDuration": "PT1H",
- "suppressionEnabled": false,
- "triggerOperator": "GreaterThan",
- "triggerThreshold": 0,
- "status": "Available",
- "requiredDataConnectors": [
+ "eTag": "*",
+ "displayName": "PaloAlto - Incomplete application protocol",
+ "category": "Hunting Queries",
+ "query": "PaloAltoCDLEvent\n| where TimeGenerated > ago(24h)\n| where NetworkApplicationProtocol has_any (\"incomplete\", \"Not-Applicable\", \"insufficient\")\n| extend UrlCustomEntity = Url, IPCustomEntity = DstIpAddr\n",
+ "version": 2,
+ "tags": [
{
- "connectorId": "PaloAltoCDL",
- "dataTypes": [
- "PaloAltoCDLEvent"
- ]
- }
- ],
- "tactics": [
- "InitialAccess"
- ],
- "techniques": [
- "T1190",
- "T1133"
- ],
- "entityMappings": [
+ "name": "description",
+ "value": "Query shows incomplete application protocol"
+ },
{
- "fieldMappings": [
- {
- "identifier": "Address",
- "columnName": "IPCustomEntity"
- }
- ],
- "entityType": "IP"
+ "name": "tactics",
+ "value": "InitialAccess"
+ },
+ {
+ "name": "techniques",
+ "value": "T1190,T1133"
}
]
}
@@ -2107,13 +2564,13 @@
{
"type": "Microsoft.OperationalInsights/workspaces/providers/metadata",
"apiVersion": "2022-01-01-preview",
- "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleId4'),'/'))))]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('HuntingQuery-', last(split(variables('huntingQueryId4'),'/'))))]",
"properties": {
- "description": "PaloAltoCDL Analytics Rule 4",
- "parentId": "[variables('analyticRuleId4')]",
- "contentId": "[variables('_analyticRulecontentId4')]",
- "kind": "AnalyticsRule",
- "version": "[variables('analyticRuleVersion4')]",
+ "description": "PaloAltoCDL Hunting Query 4",
+ "parentId": "[variables('huntingQueryId4')]",
+ "contentId": "[variables('_huntingQuerycontentId4')]",
+ "kind": "HuntingQuery",
+ "version": "[variables('huntingQueryVersion4')]",
"source": {
"kind": "Solution",
"name": "PaloAltoCDL",
@@ -2132,104 +2589,59 @@
}
}
]
- }
- }
- },
- {
- "type": "Microsoft.Resources/templateSpecs",
- "apiversion": "2022-02-01",
- "name": "[variables('analyticRuleTemplateSpecName5')]",
- "location": "[parameters('workspace-location')]",
- "tags": {
- "hidden-sentinelWorkspaceId": "[variables('workspaceResourceId')]",
- "hidden-sentinelContentType": "AnalyticsRule"
- },
- "properties": {
- "description": "PaloAltoCDL Analytics Rule 5 with template",
- "displayName": "PaloAltoCDL Analytics Rule template"
+ },
+ "packageKind": "Solution",
+ "packageVersion": "[variables('_solutionVersion')]",
+ "packageName": "[variables('_solutionName')]",
+ "packageId": "[variables('_solutionId')]",
+ "contentSchemaVersion": "3.0.0",
+ "contentId": "[variables('_huntingQuerycontentId4')]",
+ "contentKind": "HuntingQuery",
+ "displayName": "PaloAlto - Incomplete application protocol",
+ "contentProductId": "[variables('_huntingQuerycontentProductId4')]",
+ "id": "[variables('_huntingQuerycontentProductId4')]",
+ "version": "[variables('huntingQueryVersion4')]"
}
},
{
- "type": "Microsoft.Resources/templateSpecs/versions",
- "apiversion": "2022-02-01",
- "name": "[concat(variables('analyticRuleTemplateSpecName5'),'/',variables('analyticRuleVersion5'))]",
+ "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates",
+ "apiVersion": "2023-04-01-preview",
+ "name": "[variables('huntingQueryTemplateSpecName5')]",
"location": "[parameters('workspace-location')]",
- "tags": {
- "hidden-sentinelWorkspaceId": "[variables('workspaceResourceId')]",
- "hidden-sentinelContentType": "AnalyticsRule"
- },
"dependsOn": [
- "[resourceId('Microsoft.Resources/templateSpecs', variables('analyticRuleTemplateSpecName5'))]"
+ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
- "description": "PaloAltoCDLPossibleAttackWithoutResponse_AnalyticalRules Analytics Rule with template version 2.0.4",
+ "description": "PaloAltoCDLMultiDenyResultbyUser_HuntingQueries Hunting Query with template version 3.0.0",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
- "contentVersion": "[variables('analyticRuleVersion5')]",
+ "contentVersion": "[variables('huntingQueryVersion5')]",
"parameters": {},
"variables": {},
"resources": [
{
- "type": "Microsoft.SecurityInsights/AlertRuleTemplates",
- "name": "[variables('AnalyticRulecontentId5')]",
- "apiVersion": "2022-04-01-preview",
- "kind": "Scheduled",
+ "type": "Microsoft.OperationalInsights/savedSearches",
+ "apiVersion": "2022-10-01",
+ "name": "PaloAltoCDL_Hunting_Query_5",
"location": "[parameters('workspace-location')]",
"properties": {
- "description": "Detects possible attack without response.",
- "displayName": "PaloAlto - Possible attack without response",
- "enabled": false,
- "query": "PaloAltoCDLEvent\n| where EventResourceId =~ 'THREAT'\n| where DvcAction !has \"block\" or DvcAction !has \"override\" or DvcAction !has \"deny\"\n| extend AccountCustomEntity = DstUsername, IPCustomEntity = SrcIpAddr, UrlCustomEntity = Url\n",
- "queryFrequency": "PT1H",
- "queryPeriod": "PT1H",
- "severity": "High",
- "suppressionDuration": "PT1H",
- "suppressionEnabled": false,
- "triggerOperator": "GreaterThan",
- "triggerThreshold": 0,
- "status": "Available",
- "requiredDataConnectors": [
- {
- "connectorId": "PaloAltoCDL",
- "dataTypes": [
- "PaloAltoCDLEvent"
- ]
- }
- ],
- "tactics": [
- "InitialAccess"
- ],
- "techniques": [
- "T1190",
- "T1133"
- ],
- "entityMappings": [
+ "eTag": "*",
+ "displayName": "PaloAlto - Multiple Deny result by user",
+ "category": "Hunting Queries",
+ "query": "let threshold = 20;\nPaloAltoCDLEvent\n| where TimeGenerated > ago(24h)\n| where DvcAction has 'deny'\n| summarize DenyCount = count() by DvcAction, DstUsername\n| where DenyCount > threshold\n| extend AccountCustomEntity = DstUsername\n",
+ "version": 2,
+ "tags": [
{
- "fieldMappings": [
- {
- "identifier": "Name",
- "columnName": "AccountCustomEntity"
- }
- ],
- "entityType": "Account"
+ "name": "description",
+ "value": "Query shows multiple Deny results by user"
},
{
- "fieldMappings": [
- {
- "identifier": "Address",
- "columnName": "IPCustomEntity"
- }
- ],
- "entityType": "IP"
+ "name": "tactics",
+ "value": "InitialAccess"
},
{
- "fieldMappings": [
- {
- "identifier": "Url",
- "columnName": "UrlCustomEntity"
- }
- ],
- "entityType": "URL"
+ "name": "techniques",
+ "value": "T1190,T1133"
}
]
}
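Review bot: The query in `PaloAltoCDL_Hunting_Query_5` counts denies per `DstUsername` without excluding empty user names, so events with no user are aggregated into one anonymous bucket that easily exceeds `threshold` and yields an `AccountCustomEntity` with an empty value. Adding `| where isnotempty(DstUsername)` before the `summarize` keeps the result to attributable accounts. Grouping by `DvcAction` as well as the user also splits the count across every action value containing 'deny', so one user may appear on several rows each below threshold; if the intent is a per-user total, summarize by `DstUsername` alone and keep the actions with `make_set(DvcAction)`.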
@@ -2237,13 +2649,13 @@
{
"type": "Microsoft.OperationalInsights/workspaces/providers/metadata",
"apiVersion": "2022-01-01-preview",
- "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleId5'),'/'))))]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('HuntingQuery-', last(split(variables('huntingQueryId5'),'/'))))]",
"properties": {
- "description": "PaloAltoCDL Analytics Rule 5",
- "parentId": "[variables('analyticRuleId5')]",
- "contentId": "[variables('_analyticRulecontentId5')]",
- "kind": "AnalyticsRule",
- "version": "[variables('analyticRuleVersion5')]",
+ "description": "PaloAltoCDL Hunting Query 5",
+ "parentId": "[variables('huntingQueryId5')]",
+ "contentId": "[variables('_huntingQuerycontentId5')]",
+ "kind": "HuntingQuery",
+ "version": "[variables('huntingQueryVersion5')]",
"source": {
"kind": "Solution",
"name": "PaloAltoCDL",
@@ -2262,95 +2674,59 @@
}
}
]
- }
- }
- },
- {
- "type": "Microsoft.Resources/templateSpecs",
- "apiversion": "2022-02-01",
- "name": "[variables('analyticRuleTemplateSpecName6')]",
- "location": "[parameters('workspace-location')]",
- "tags": {
- "hidden-sentinelWorkspaceId": "[variables('workspaceResourceId')]",
- "hidden-sentinelContentType": "AnalyticsRule"
- },
- "properties": {
- "description": "PaloAltoCDL Analytics Rule 6 with template",
- "displayName": "PaloAltoCDL Analytics Rule template"
+ },
+ "packageKind": "Solution",
+ "packageVersion": "[variables('_solutionVersion')]",
+ "packageName": "[variables('_solutionName')]",
+ "packageId": "[variables('_solutionId')]",
+ "contentSchemaVersion": "3.0.0",
+ "contentId": "[variables('_huntingQuerycontentId5')]",
+ "contentKind": "HuntingQuery",
+ "displayName": "PaloAlto - Multiple Deny result by user",
+ "contentProductId": "[variables('_huntingQuerycontentProductId5')]",
+ "id": "[variables('_huntingQuerycontentProductId5')]",
+ "version": "[variables('huntingQueryVersion5')]"
}
},
{
- "type": "Microsoft.Resources/templateSpecs/versions",
- "apiversion": "2022-02-01",
- "name": "[concat(variables('analyticRuleTemplateSpecName6'),'/',variables('analyticRuleVersion6'))]",
+ "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates",
+ "apiVersion": "2023-04-01-preview",
+ "name": "[variables('huntingQueryTemplateSpecName6')]",
"location": "[parameters('workspace-location')]",
- "tags": {
- "hidden-sentinelWorkspaceId": "[variables('workspaceResourceId')]",
- "hidden-sentinelContentType": "AnalyticsRule"
- },
"dependsOn": [
- "[resourceId('Microsoft.Resources/templateSpecs', variables('analyticRuleTemplateSpecName6'))]"
+ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
- "description": "PaloAltoCDLPossibleFlooding_AnalyticalRules Analytics Rule with template version 2.0.4",
+ "description": "PaloAltoCDLOutdatedAgentVersions_HuntingQueries Hunting Query with template version 3.0.0",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
- "contentVersion": "[variables('analyticRuleVersion6')]",
+ "contentVersion": "[variables('huntingQueryVersion6')]",
"parameters": {},
"variables": {},
"resources": [
{
- "type": "Microsoft.SecurityInsights/AlertRuleTemplates",
- "name": "[variables('AnalyticRulecontentId6')]",
- "apiVersion": "2022-04-01-preview",
- "kind": "Scheduled",
+ "type": "Microsoft.OperationalInsights/savedSearches",
+ "apiVersion": "2022-10-01",
+ "name": "PaloAltoCDL_Hunting_Query_6",
"location": "[parameters('workspace-location')]",
"properties": {
- "description": "Detects possible flooding.",
- "displayName": "PaloAlto - Possible flooding",
- "enabled": false,
- "query": "PaloAltoCDLEvent\n| where EventResourceId =~ 'TRAFFIC'\n| where isnotempty(NetworkSessionId)\n| where DstBytes == 0 and tolong(NetworkPackets) > 0\n| extend AccountCustomEntity = DstUsername, IPCustomEntity = SrcIpAddr\n",
- "queryFrequency": "PT1H",
- "queryPeriod": "PT1H",
- "severity": "Medium",
- "suppressionDuration": "PT1H",
- "suppressionEnabled": false,
- "triggerOperator": "GreaterThan",
- "triggerThreshold": 0,
- "status": "Available",
- "requiredDataConnectors": [
+ "eTag": "*",
+ "displayName": "PaloAlto - Agent versions",
+ "category": "Hunting Queries",
+ "query": "let cur_ver = dynamic(['0.1']); //put latest agent version here\nPaloAltoCDLEvent\n| where TimeGenerated > ago(24h)\n| where isnotempty(PanOSAgentVersion)\n| where PanOSAgentVersion != cur_ver\n| project SrcIpAddr, PanOSAgentVersion\n| extend IPCustomEntity = SrcIpAddr\n",
+ "version": 2,
+ "tags": [
{
- "connectorId": "PaloAltoCDL",
- "dataTypes": [
- "PaloAltoCDLEvent"
- ]
- }
- ],
- "tactics": [
- "InitialAccess"
- ],
- "techniques": [
- "T1190",
- "T1133"
- ],
- "entityMappings": [
+ "name": "description",
+ "value": "Query shows agents which are not updated to the latest version"
+ },
{
- "fieldMappings": [
- {
- "identifier": "Name",
- "columnName": "AccountCustomEntity"
- }
- ],
- "entityType": "Account"
+ "name": "tactics",
+ "value": "InitialAccess"
},
{
- "fieldMappings": [
- {
- "identifier": "Address",
- "columnName": "IPCustomEntity"
- }
- ],
- "entityType": "IP"
+ "name": "techniques",
+ "value": "T1190,T1133"
}
]
}
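Review bot: `| where PanOSAgentVersion != cur_ver` compares a string column with `cur_ver`, which is declared as a dynamic array (`dynamic(['0.1'])`), so the comparison does not behave as an equality match against the listed version and every event with a non-empty version is likely to be reported as outdated; the membership test `| where PanOSAgentVersion !in (cur_ver)` is what the array declaration implies. The same pattern is in `PaloAltoCDL_Hunting_Query_7` (hunk ending at L2951) with `PanOSConfigVersion`. Since there is no `summarize`, the projection also returns one row per event; `| summarize by SrcIpAddr, PanOSAgentVersion` would return each host/version pair once.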
@@ -2358,13 +2734,13 @@
{
"type": "Microsoft.OperationalInsights/workspaces/providers/metadata",
"apiVersion": "2022-01-01-preview",
- "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleId6'),'/'))))]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('HuntingQuery-', last(split(variables('huntingQueryId6'),'/'))))]",
"properties": {
- "description": "PaloAltoCDL Analytics Rule 6",
- "parentId": "[variables('analyticRuleId6')]",
- "contentId": "[variables('_analyticRulecontentId6')]",
- "kind": "AnalyticsRule",
- "version": "[variables('analyticRuleVersion6')]",
+ "description": "PaloAltoCDL Hunting Query 6",
+ "parentId": "[variables('huntingQueryId6')]",
+ "contentId": "[variables('_huntingQuerycontentId6')]",
+ "kind": "HuntingQuery",
+ "version": "[variables('huntingQueryVersion6')]",
"source": {
"kind": "Solution",
"name": "PaloAltoCDL",
@@ -2383,85 +2759,59 @@
}
}
]
- }
- }
- },
- {
- "type": "Microsoft.Resources/templateSpecs",
- "apiversion": "2022-02-01",
- "name": "[variables('analyticRuleTemplateSpecName7')]",
- "location": "[parameters('workspace-location')]",
- "tags": {
- "hidden-sentinelWorkspaceId": "[variables('workspaceResourceId')]",
- "hidden-sentinelContentType": "AnalyticsRule"
- },
- "properties": {
- "description": "PaloAltoCDL Analytics Rule 7 with template",
- "displayName": "PaloAltoCDL Analytics Rule template"
+ },
+ "packageKind": "Solution",
+ "packageVersion": "[variables('_solutionVersion')]",
+ "packageName": "[variables('_solutionName')]",
+ "packageId": "[variables('_solutionId')]",
+ "contentSchemaVersion": "3.0.0",
+ "contentId": "[variables('_huntingQuerycontentId6')]",
+ "contentKind": "HuntingQuery",
+ "displayName": "PaloAlto - Agent versions",
+ "contentProductId": "[variables('_huntingQuerycontentProductId6')]",
+ "id": "[variables('_huntingQuerycontentProductId6')]",
+ "version": "[variables('huntingQueryVersion6')]"
}
},
{
- "type": "Microsoft.Resources/templateSpecs/versions",
- "apiversion": "2022-02-01",
- "name": "[concat(variables('analyticRuleTemplateSpecName7'),'/',variables('analyticRuleVersion7'))]",
+ "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates",
+ "apiVersion": "2023-04-01-preview",
+ "name": "[variables('huntingQueryTemplateSpecName7')]",
"location": "[parameters('workspace-location')]",
- "tags": {
- "hidden-sentinelWorkspaceId": "[variables('workspaceResourceId')]",
- "hidden-sentinelContentType": "AnalyticsRule"
- },
"dependsOn": [
- "[resourceId('Microsoft.Resources/templateSpecs', variables('analyticRuleTemplateSpecName7'))]"
+ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
- "description": "PaloAltoCDLPossiblePortScan_AnalyticalRules Analytics Rule with template version 2.0.4",
+ "description": "PaloAltoCDLOutdatedConfigVersions_HuntingQueries Hunting Query with template version 3.0.0",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
- "contentVersion": "[variables('analyticRuleVersion7')]",
+ "contentVersion": "[variables('huntingQueryVersion7')]",
"parameters": {},
"variables": {},
"resources": [
{
- "type": "Microsoft.SecurityInsights/AlertRuleTemplates",
- "name": "[variables('AnalyticRulecontentId7')]",
- "apiVersion": "2022-04-01-preview",
- "kind": "Scheduled",
+ "type": "Microsoft.OperationalInsights/savedSearches",
+ "apiVersion": "2022-10-01",
+ "name": "PaloAltoCDL_Hunting_Query_7",
"location": "[parameters('workspace-location')]",
"properties": {
- "description": "Detects possible port scan.",
- "displayName": "PaloAlto - Possible port scan",
- "enabled": false,
- "query": "let threshold = 10;\nPaloAltoCDLEvent\n| where EventResourceId =~ 'TRAFFIC'\n| where isnotempty(DstPortNumber) and isnotempty(SrcIpAddr)\n| summarize PortSet = make_set(DstPortNumber) by SrcIpAddr, bin(TimeGenerated, 5m)\n| where array_length(PortSet) > threshold\n| extend IPCustomEntity = SrcIpAddr\n",
- "queryFrequency": "PT1H",
- "queryPeriod": "PT1H",
- "severity": "High",
- "suppressionDuration": "PT1H",
- "suppressionEnabled": false,
- "triggerOperator": "GreaterThan",
- "triggerThreshold": 0,
- "status": "Available",
- "requiredDataConnectors": [
+ "eTag": "*",
+ "displayName": "PaloAlto - Outdated config vesions",
+ "category": "Hunting Queries",
+ "query": "let cur_ver = dynamic(['0.1']); //put latest config version here\nPaloAltoCDLEvent\n| where TimeGenerated > ago(24h)\n| where isnotempty(PanOSConfigVersion)\n| where PanOSConfigVersion != cur_ver\n| project SrcIpAddr, PanOSConfigVersion\n| extend IPCustomEntity = SrcIpAddr\n",
+ "version": 2,
+ "tags": [
{
- "connectorId": "PaloAltoCDL",
- "dataTypes": [
- "PaloAltoCDLEvent"
- ]
- }
- ],
- "tactics": [
- "Reconnaissance"
- ],
- "techniques": [
- "T1595"
- ],
- "entityMappings": [
+ "name": "description",
+ "value": "Query shows outdated config vesions"
+ },
{
- "fieldMappings": [
- {
- "identifier": "Address",
- "columnName": "IPCustomEntity"
- }
- ],
- "entityType": "IP"
+ "name": "tactics",
+ "value": "InitialAccess"
+ },
+ {
+ "name": "techniques",
+ "value": "T1190,T1133"
}
]
}
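Review bot: The display name at `"displayName": "PaloAlto - Outdated config vesions"` and the description tag `"value": "Query shows outdated config vesions"` carry a typo ("vesions" for "versions"); the same string recurs as the contentTemplates displayName in the next hunk (L2999), so all three should change together. These strings are user-visible in the hunting gallery. The `!=` comparison against the dynamic `cur_ver` array in this query has the same problem as the agent-version query in the hunk ending at L2809.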
@@ -2469,13 +2819,13 @@
{
"type": "Microsoft.OperationalInsights/workspaces/providers/metadata",
"apiVersion": "2022-01-01-preview",
- "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleId7'),'/'))))]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('HuntingQuery-', last(split(variables('huntingQueryId7'),'/'))))]",
"properties": {
- "description": "PaloAltoCDL Analytics Rule 7",
- "parentId": "[variables('analyticRuleId7')]",
- "contentId": "[variables('_analyticRulecontentId7')]",
- "kind": "AnalyticsRule",
- "version": "[variables('analyticRuleVersion7')]",
+ "description": "PaloAltoCDL Hunting Query 7",
+ "parentId": "[variables('huntingQueryId7')]",
+ "contentId": "[variables('_huntingQuerycontentId7')]",
+ "kind": "HuntingQuery",
+ "version": "[variables('huntingQueryVersion7')]",
"source": {
"kind": "Solution",
"name": "PaloAltoCDL",
@@ -2494,86 +2844,59 @@
}
}
]
- }
- }
- },
- {
- "type": "Microsoft.Resources/templateSpecs",
- "apiversion": "2022-02-01",
- "name": "[variables('analyticRuleTemplateSpecName8')]",
- "location": "[parameters('workspace-location')]",
- "tags": {
- "hidden-sentinelWorkspaceId": "[variables('workspaceResourceId')]",
- "hidden-sentinelContentType": "AnalyticsRule"
- },
- "properties": {
- "description": "PaloAltoCDL Analytics Rule 8 with template",
- "displayName": "PaloAltoCDL Analytics Rule template"
+ },
+ "packageKind": "Solution",
+ "packageVersion": "[variables('_solutionVersion')]",
+ "packageName": "[variables('_solutionName')]",
+ "packageId": "[variables('_solutionId')]",
+ "contentSchemaVersion": "3.0.0",
+ "contentId": "[variables('_huntingQuerycontentId7')]",
+ "contentKind": "HuntingQuery",
+ "displayName": "PaloAlto - Outdated config vesions",
+ "contentProductId": "[variables('_huntingQuerycontentProductId7')]",
+ "id": "[variables('_huntingQuerycontentProductId7')]",
+ "version": "[variables('huntingQueryVersion7')]"
}
},
{
- "type": "Microsoft.Resources/templateSpecs/versions",
- "apiversion": "2022-02-01",
- "name": "[concat(variables('analyticRuleTemplateSpecName8'),'/',variables('analyticRuleVersion8'))]",
+ "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates",
+ "apiVersion": "2023-04-01-preview",
+ "name": "[variables('huntingQueryTemplateSpecName8')]",
"location": "[parameters('workspace-location')]",
- "tags": {
- "hidden-sentinelWorkspaceId": "[variables('workspaceResourceId')]",
- "hidden-sentinelContentType": "AnalyticsRule"
- },
"dependsOn": [
- "[resourceId('Microsoft.Resources/templateSpecs', variables('analyticRuleTemplateSpecName8'))]"
+ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
- "description": "PaloAltoCDLPrivilegesWasChanged_AnalyticalRules Analytics Rule with template version 2.0.4",
+ "description": "PaloAltoCDLRareApplicationLayerProtocol_HuntingQueries Hunting Query with template version 3.0.0",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
- "contentVersion": "[variables('analyticRuleVersion8')]",
+ "contentVersion": "[variables('huntingQueryVersion8')]",
"parameters": {},
"variables": {},
"resources": [
{
- "type": "Microsoft.SecurityInsights/AlertRuleTemplates",
- "name": "[variables('AnalyticRulecontentId8')]",
- "apiVersion": "2022-04-01-preview",
- "kind": "Scheduled",
+ "type": "Microsoft.OperationalInsights/savedSearches",
+ "apiVersion": "2022-10-01",
+ "name": "PaloAltoCDL_Hunting_Query_8",
"location": "[parameters('workspace-location')]",
"properties": {
- "description": "Detects changing of user privileges.",
- "displayName": "PaloAlto - User privileges was changed",
- "enabled": false,
- "query": "let q_period = 14d;\nlet dt_lookBack = 24h;\nlet p = PaloAltoCDLEvent\n| where TimeGenerated between (ago(q_period)..ago(dt_lookBack))\n| summarize OldPrivileges = make_set(DestinationUserPrivileges) by DstUsername;\nPaloAltoCDLEvent\n| where TimeGenerated > ago(dt_lookBack)\n| summarize NewPrivileges = make_set(DestinationUserPrivileges) by DstUsername\n| join kind=innerunique (p) on DstUsername\n| where tostring(OldPrivileges) != tostring(NewPrivileges)\n| extend AccountCustomEntity = DstUsername\n",
- "queryFrequency": "PT1H",
- "queryPeriod": "P14D",
- "severity": "Medium",
- "suppressionDuration": "PT1H",
- "suppressionEnabled": false,
- "triggerOperator": "GreaterThan",
- "triggerThreshold": 0,
- "status": "Available",
- "requiredDataConnectors": [
+ "eTag": "*",
+ "displayName": "PaloAlto - Rare application layer protocols",
+ "category": "Hunting Queries",
+ "query": "PaloAltoCDLEvent\n| where TimeGenerated > ago(24h)\n| where isnotempty(NetworkApplicationProtocol) \n| summarize ApplicationLayerProtocol = count() by NetworkApplicationProtocol\n| top 10 by ApplicationLayerProtocol asc\n| extend UrlCustomEntity = NetworkApplicationProtocol\n",
+ "version": 2,
+ "tags": [
{
- "connectorId": "PaloAltoCDL",
- "dataTypes": [
- "PaloAltoCDLEvent"
- ]
- }
- ],
- "tactics": [
- "InitialAccess"
- ],
- "techniques": [
- "T1190",
- "T1133"
- ],
- "entityMappings": [
+ "name": "description",
+ "value": "Query shows Rare application layer protocols"
+ },
{
- "fieldMappings": [
- {
- "identifier": "Name",
- "columnName": "AccountCustomEntity"
- }
- ],
- "entityType": "Account"
+ "name": "tactics",
+ "value": "InitialAccess"
+ },
+ {
+ "name": "techniques",
+ "value": "T1190,T1133"
}
]
}
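Review bot: `| extend UrlCustomEntity = NetworkApplicationProtocol` in `PaloAltoCDL_Hunting_Query_8` maps a protocol name to the URL entity column, so any entity created from this hunt would be a URL whose value is not a URL; either drop the extend or leave the column unmapped. The summarize also discards the hosts involved, leaving nothing to pivot on from a rare protocol; `| summarize ApplicationLayerProtocol = count(), Sources = make_set(SrcIpAddr, 10) by NetworkApplicationProtocol` keeps a sample of sources. There is also a trailing space after `isnotempty(NetworkApplicationProtocol)` inside the query string that can be dropped.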
@@ -2581,13 +2904,13 @@
{
"type": "Microsoft.OperationalInsights/workspaces/providers/metadata",
"apiVersion": "2022-01-01-preview",
- "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleId8'),'/'))))]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('HuntingQuery-', last(split(variables('huntingQueryId8'),'/'))))]",
"properties": {
- "description": "PaloAltoCDL Analytics Rule 8",
- "parentId": "[variables('analyticRuleId8')]",
- "contentId": "[variables('_analyticRulecontentId8')]",
- "kind": "AnalyticsRule",
- "version": "[variables('analyticRuleVersion8')]",
+ "description": "PaloAltoCDL Hunting Query 8",
+ "parentId": "[variables('huntingQueryId8')]",
+ "contentId": "[variables('_huntingQuerycontentId8')]",
+ "kind": "HuntingQuery",
+ "version": "[variables('huntingQueryVersion8')]",
"source": {
"kind": "Solution",
"name": "PaloAltoCDL",
@@ -2606,86 +2929,59 @@
}
}
]
- }
- }
- },
- {
- "type": "Microsoft.Resources/templateSpecs",
- "apiversion": "2022-02-01",
- "name": "[variables('analyticRuleTemplateSpecName9')]",
- "location": "[parameters('workspace-location')]",
- "tags": {
- "hidden-sentinelWorkspaceId": "[variables('workspaceResourceId')]",
- "hidden-sentinelContentType": "AnalyticsRule"
- },
- "properties": {
- "description": "PaloAltoCDL Analytics Rule 9 with template",
- "displayName": "PaloAltoCDL Analytics Rule template"
+ },
+ "packageKind": "Solution",
+ "packageVersion": "[variables('_solutionVersion')]",
+ "packageName": "[variables('_solutionName')]",
+ "packageId": "[variables('_solutionId')]",
+ "contentSchemaVersion": "3.0.0",
+ "contentId": "[variables('_huntingQuerycontentId8')]",
+ "contentKind": "HuntingQuery",
+ "displayName": "PaloAlto - Rare application layer protocols",
+ "contentProductId": "[variables('_huntingQuerycontentProductId8')]",
+ "id": "[variables('_huntingQuerycontentProductId8')]",
+ "version": "[variables('huntingQueryVersion8')]"
}
},
{
- "type": "Microsoft.Resources/templateSpecs/versions",
- "apiversion": "2022-02-01",
- "name": "[concat(variables('analyticRuleTemplateSpecName9'),'/',variables('analyticRuleVersion9'))]",
+ "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates",
+ "apiVersion": "2023-04-01-preview",
+ "name": "[variables('huntingQueryTemplateSpecName9')]",
"location": "[parameters('workspace-location')]",
- "tags": {
- "hidden-sentinelWorkspaceId": "[variables('workspaceResourceId')]",
- "hidden-sentinelContentType": "AnalyticsRule"
- },
"dependsOn": [
- "[resourceId('Microsoft.Resources/templateSpecs', variables('analyticRuleTemplateSpecName9'))]"
+ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
- "description": "PaloAltoCDLPutMethodInHighRiskFileType_AnalyticalRules Analytics Rule with template version 2.0.4",
+ "description": "PaloAltoCDLRareFileRequests_HuntingQueries Hunting Query with template version 3.0.0",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
- "contentVersion": "[variables('analyticRuleVersion9')]",
+ "contentVersion": "[variables('huntingQueryVersion9')]",
"parameters": {},
"variables": {},
"resources": [
- {
- "type": "Microsoft.SecurityInsights/AlertRuleTemplates",
- "name": "[variables('AnalyticRulecontentId9')]",
- "apiVersion": "2022-04-01-preview",
- "kind": "Scheduled",
+ {
+ "type": "Microsoft.OperationalInsights/savedSearches",
+ "apiVersion": "2022-10-01",
+ "name": "PaloAltoCDL_Hunting_Query_9",
"location": "[parameters('workspace-location')]",
"properties": {
- "description": "Detects put and post method request in high risk file type.",
- "displayName": "PaloAlto - Put and post method request in high risk file type",
- "enabled": false,
- "query": "let HighRiskFileType = dynamic(['.exe', '.msi', '.msp', '.jar', '.bat', '.cmd', '.js', '.jse', 'ws', '.ps1', '.ps2', '.msh']);\nPaloAltoCDLEvent\n| where EventResourceId =~ 'THREAT'\n| where EventResult =~ 'file'\n| where HttpRequestMethod has_any (\"POST\", \"PUT\")\n| where FileType in (HighRiskFileType)\n| extend FileCustomEntity = SrcFileName\n",
- "queryFrequency": "PT10M",
- "queryPeriod": "PT10M",
- "severity": "High",
- "suppressionDuration": "PT1H",
- "suppressionEnabled": false,
- "triggerOperator": "GreaterThan",
- "triggerThreshold": 0,
- "status": "Available",
- "requiredDataConnectors": [
+ "eTag": "*",
+ "displayName": "PaloAlto - Rare files observed",
+ "category": "Hunting Queries",
+ "query": "PaloAltoCDLEvent\n| where TimeGenerated > ago(24h)\n| where isnotempty(SrcFileName)\n| summarize RareFiles = count() by SrcFileName\n| top 20 by RareFiles asc\n| extend FileCustomEntity = SrcFileName\n",
+ "version": 2,
+ "tags": [
{
- "connectorId": "PaloAltoCDL",
- "dataTypes": [
- "PaloAltoCDLEvent"
- ]
- }
- ],
- "tactics": [
- "InitialAccess"
- ],
- "techniques": [
- "T1190",
- "T1133"
- ],
- "entityMappings": [
+ "name": "description",
+ "value": "Query shows rare files observed"
+ },
{
- "fieldMappings": [
- {
- "identifier": "Name",
- "columnName": "FileCustomEntity"
- }
- ],
- "entityType": "File"
+ "name": "tactics",
+ "value": "InitialAccess"
+ },
+ {
+ "name": "techniques",
+ "value": "T1190,T1133"
}
]
}
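Review bot: The hunting query at L3201 ranks with `| top 20 by RareFiles asc` over a 24h count, so whenever more than 20 file names were seen exactly once the rows returned are an arbitrary, run-to-run unstable subset of the count-1 ties rather than a stable "rare files" list; the same tie-ranked top-N-ascending shape appears in the port query at L3344 and the protocol query at L3057. A deterministic secondary key, `| sort by RareFiles asc, SrcFileName asc | take 20`, keeps repeat runs comparable, and a baseline comparison (file names not seen in the preceding days) would express rarity better than a single-day count. The tactic and technique tags `InitialAccess` / `T1190,T1133` are identical on hunting queries 8, 9 and 10 (L3086–L3091, L3230–L3235, L3373–L3385), and neither rare file names nor rare destination ports map obviously to exploitation of public-facing applications or external remote services, so the tags presumably need checking against the query YAML these resources are generated from. Since mainTemplate.json appears to be generated output, the fix belongs in that source YAML rather than here.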
@@ -2693,13 +2989,13 @@
{
"type": "Microsoft.OperationalInsights/workspaces/providers/metadata",
"apiVersion": "2022-01-01-preview",
- "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleId9'),'/'))))]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('HuntingQuery-', last(split(variables('huntingQueryId9'),'/'))))]",
"properties": {
- "description": "PaloAltoCDL Analytics Rule 9",
- "parentId": "[variables('analyticRuleId9')]",
- "contentId": "[variables('_analyticRulecontentId9')]",
- "kind": "AnalyticsRule",
- "version": "[variables('analyticRuleVersion9')]",
+ "description": "PaloAltoCDL Hunting Query 9",
+ "parentId": "[variables('huntingQueryId9')]",
+ "contentId": "[variables('_huntingQuerycontentId9')]",
+ "kind": "HuntingQuery",
+ "version": "[variables('huntingQueryVersion9')]",
"source": {
"kind": "Solution",
"name": "PaloAltoCDL",
@@ -2718,95 +3014,59 @@
}
}
]
- }
- }
- },
- {
- "type": "Microsoft.Resources/templateSpecs",
- "apiversion": "2022-02-01",
- "name": "[variables('analyticRuleTemplateSpecName10')]",
- "location": "[parameters('workspace-location')]",
- "tags": {
- "hidden-sentinelWorkspaceId": "[variables('workspaceResourceId')]",
- "hidden-sentinelContentType": "AnalyticsRule"
- },
- "properties": {
- "description": "PaloAltoCDL Analytics Rule 10 with template",
- "displayName": "PaloAltoCDL Analytics Rule template"
+ },
+ "packageKind": "Solution",
+ "packageVersion": "[variables('_solutionVersion')]",
+ "packageName": "[variables('_solutionName')]",
+ "packageId": "[variables('_solutionId')]",
+ "contentSchemaVersion": "3.0.0",
+ "contentId": "[variables('_huntingQuerycontentId9')]",
+ "contentKind": "HuntingQuery",
+ "displayName": "PaloAlto - Rare files observed",
+ "contentProductId": "[variables('_huntingQuerycontentProductId9')]",
+ "id": "[variables('_huntingQuerycontentProductId9')]",
+ "version": "[variables('huntingQueryVersion9')]"
}
},
{
- "type": "Microsoft.Resources/templateSpecs/versions",
- "apiversion": "2022-02-01",
- "name": "[concat(variables('analyticRuleTemplateSpecName10'),'/',variables('analyticRuleVersion10'))]",
+ "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates",
+ "apiVersion": "2023-04-01-preview",
+ "name": "[variables('huntingQueryTemplateSpecName10')]",
"location": "[parameters('workspace-location')]",
- "tags": {
- "hidden-sentinelWorkspaceId": "[variables('workspaceResourceId')]",
- "hidden-sentinelContentType": "AnalyticsRule"
- },
"dependsOn": [
- "[resourceId('Microsoft.Resources/templateSpecs', variables('analyticRuleTemplateSpecName10'))]"
+ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
- "description": "PaloAltoCDLUnexpectedCountries_AnalyticalRules Analytics Rule with template version 2.0.4",
+ "description": "PaloAltoCDLRarePortsbyUser_HuntingQueries Hunting Query with template version 3.0.0",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
- "contentVersion": "[variables('analyticRuleVersion10')]",
+ "contentVersion": "[variables('huntingQueryVersion10')]",
"parameters": {},
"variables": {},
"resources": [
{
- "type": "Microsoft.SecurityInsights/AlertRuleTemplates",
- "name": "[variables('AnalyticRulecontentId10')]",
- "apiVersion": "2022-04-01-preview",
- "kind": "Scheduled",
+ "type": "Microsoft.OperationalInsights/savedSearches",
+ "apiVersion": "2022-10-01",
+ "name": "PaloAltoCDL_Hunting_Query_10",
"location": "[parameters('workspace-location')]",
"properties": {
- "description": "Detects suspicious connections from forbidden countries.",
- "displayName": "PaloAlto - Forbidden countries",
- "enabled": false,
- "query": "let bl_countries = dynamic(['CH', 'RU']);\nPaloAltoCDLEvent \n| where EventResourceId =~ 'TRAFFIC'\n| where MaliciousIPCountry in (bl_countries)\n| summarize count() by DstUsername, SrcIpAddr \n| extend IPCustomEntity = SrcIpAddr, AccountCustomEntity = DstUsername\n",
- "queryFrequency": "PT1H",
- "queryPeriod": "PT1H",
- "severity": "Medium",
- "suppressionDuration": "PT1H",
- "suppressionEnabled": false,
- "triggerOperator": "GreaterThan",
- "triggerThreshold": 0,
- "status": "Available",
- "requiredDataConnectors": [
+ "eTag": "*",
+ "displayName": "PaloAlto - Rare ports by user",
+ "category": "Hunting Queries",
+ "query": "PaloAltoCDLEvent\n| where TimeGenerated > ago(24h)\n| where isnotempty(DstPortNumber) \n| summarize RarePorts = count() by DstPortNumber, DstIpAddr, DstUsername\n| top 20 by RarePorts asc \n| extend IPCustomEntity = DstIpAddr, AccountCustomEntity = DstUsername\n",
+ "version": 2,
+ "tags": [
{
- "connectorId": "PaloAltoCDL",
- "dataTypes": [
- "PaloAltoCDLEvent"
- ]
- }
- ],
- "tactics": [
- "InitialAccess"
- ],
- "techniques": [
- "T1190",
- "T1133"
- ],
- "entityMappings": [
+ "name": "description",
+ "value": "Query shows rare ports by user."
+ },
{
- "fieldMappings": [
- {
- "identifier": "Name",
- "columnName": "AccountCustomEntity"
- }
- ],
- "entityType": "Account"
+ "name": "tactics",
+ "value": "InitialAccess"
},
{
- "fieldMappings": [
- {
- "identifier": "Address",
- "columnName": "IPCustomEntity"
- }
- ],
- "entityType": "IP"
+ "name": "techniques",
+ "value": "T1190,T1133"
}
]
}
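Review bot: The query at L3344 groups by `DstPortNumber, DstIpAddr, DstUsername` before ranking ascending, so a port that is common on the network but used once by a particular user/destination pair ranks as "rare" while every singleton tuple ties at a count of 1; the measure is rarity of the tuple, not of the port the displayName promises. Computing port frequency across all sessions first, `| summarize PortHits = count() by DstPortNumber`, and joining the low-frequency ports back to the user and destination rows (or at minimum grouping by `DstPortNumber` alone and collecting users with `make_set(DstUsername)`) would match "Rare ports by user"; the `IPCustomEntity`/`AccountCustomEntity` columns on the last line would then be taken from the joined rows. This savedSearches resource appears generated from a query YAML, so the change belongs there.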
@@ -2814,13 +3074,13 @@
{
"type": "Microsoft.OperationalInsights/workspaces/providers/metadata",
"apiVersion": "2022-01-01-preview",
- "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleId10'),'/'))))]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('HuntingQuery-', last(split(variables('huntingQueryId10'),'/'))))]",
"properties": {
- "description": "PaloAltoCDL Analytics Rule 10",
- "parentId": "[variables('analyticRuleId10')]",
- "contentId": "[variables('_analyticRulecontentId10')]",
- "kind": "AnalyticsRule",
- "version": "[variables('analyticRuleVersion10')]",
+ "description": "PaloAltoCDL Hunting Query 10",
+ "parentId": "[variables('huntingQueryId10')]",
+ "contentId": "[variables('_huntingQuerycontentId10')]",
+ "kind": "HuntingQuery",
+ "version": "[variables('huntingQueryVersion10')]",
"source": {
"kind": "Solution",
"name": "PaloAltoCDL",
@@ -2839,17 +3099,35 @@
}
}
]
- }
+ },
+ "packageKind": "Solution",
+ "packageVersion": "[variables('_solutionVersion')]",
+ "packageName": "[variables('_solutionName')]",
+ "packageId": "[variables('_solutionId')]",
+ "contentSchemaVersion": "3.0.0",
+ "contentId": "[variables('_huntingQuerycontentId10')]",
+ "contentKind": "HuntingQuery",
+ "displayName": "PaloAlto - Rare ports by user",
+ "contentProductId": "[variables('_huntingQuerycontentProductId10')]",
+ "id": "[variables('_huntingQuerycontentProductId10')]",
+ "version": "[variables('huntingQueryVersion10')]"
}
},
{
- "type": "Microsoft.OperationalInsights/workspaces/providers/metadata",
- "apiVersion": "2022-01-01-preview",
+ "type": "Microsoft.OperationalInsights/workspaces/providers/contentPackages",
+ "apiVersion": "2023-04-01-preview",
"location": "[parameters('workspace-location')]",
"properties": {
- "version": "2.0.4",
+ "version": "3.0.0",
"kind": "Solution",
- "contentSchemaVersion": "2.0.0",
+ "contentSchemaVersion": "3.0.0",
+ "displayName": "PaloAltoCDL",
+ "publisherDisplayName": "Microsoft Sentinel, Microsoft Corporation",
+ "descriptionHtml": "Note: There may be known issues pertaining to this Solution, please refer to them before installing.
\nThe Palo Alto Networks CDL solution provides the capability to ingest CDL logs into Microsoft Sentinel.
\n\nPaloAltoCDL via AMA - This data connector helps in ingesting PaloAltoCDL logs into your Log Analytics Workspace using the new Azure Monitor Agent. Learn more about ingesting using the new Azure Monitor Agent here. Microsoft recommends using this Data Connector.
\n \nPaloAltoCDL via Legacy Agent - This data connector helps in ingesting PaloAltoCDL logs into your Log Analytics Workspace using the legacy Log Analytics agent.
\n \n
\nNOTE: Microsoft recommends installation of PaloAltoCDL via AMA Connector. Legacy connector uses the Log Analytics agent which is about to be deprecated by Aug 31, 2024, and thus should only be installed where AMA is not supported. Using MMA and AMA on same machine can cause log duplication and extra ingestion cost more details.
\nData Connectors: 2, Parsers: 1, Workbooks: 1, Analytic Rules: 10, Hunting Queries: 10
\nLearn more about Microsoft Sentinel | Learn more about Solutions
\n",
+ "contentKind": "Solution",
+ "contentProductId": "[variables('_solutioncontentProductId')]",
+ "id": "[variables('_solutioncontentProductId')]",
+ "icon": "",
"contentId": "[variables('_solutionId')]",
"parentId": "[variables('_solutionId')]",
"source": {
@@ -2871,9 +3149,14 @@
"operator": "AND",
"criteria": [
{
- "kind": "Workbook",
- "contentId": "[variables('_workbookContentId1')]",
- "version": "[variables('workbookVersion1')]"
+ "kind": "DataConnector",
+ "contentId": "[variables('_dataConnectorContentId1')]",
+ "version": "[variables('dataConnectorVersion1')]"
+ },
+ {
+ "kind": "DataConnector",
+ "contentId": "[variables('_dataConnectorContentId2')]",
+ "version": "[variables('dataConnectorVersion2')]"
},
{
"kind": "Parser",
@@ -2881,59 +3164,9 @@
"version": "[variables('parserVersion1')]"
},
{
- "kind": "HuntingQuery",
- "contentId": "[variables('_huntingQuerycontentId1')]",
- "version": "[variables('huntingQueryVersion1')]"
- },
- {
- "kind": "HuntingQuery",
- "contentId": "[variables('_huntingQuerycontentId2')]",
- "version": "[variables('huntingQueryVersion2')]"
- },
- {
- "kind": "HuntingQuery",
- "contentId": "[variables('_huntingQuerycontentId3')]",
- "version": "[variables('huntingQueryVersion3')]"
- },
- {
- "kind": "HuntingQuery",
- "contentId": "[variables('_huntingQuerycontentId4')]",
- "version": "[variables('huntingQueryVersion4')]"
- },
- {
- "kind": "HuntingQuery",
- "contentId": "[variables('_huntingQuerycontentId5')]",
- "version": "[variables('huntingQueryVersion5')]"
- },
- {
- "kind": "HuntingQuery",
- "contentId": "[variables('_huntingQuerycontentId6')]",
- "version": "[variables('huntingQueryVersion6')]"
- },
- {
- "kind": "HuntingQuery",
- "contentId": "[variables('_huntingQuerycontentId7')]",
- "version": "[variables('huntingQueryVersion7')]"
- },
- {
- "kind": "HuntingQuery",
- "contentId": "[variables('_huntingQuerycontentId8')]",
- "version": "[variables('huntingQueryVersion8')]"
- },
- {
- "kind": "HuntingQuery",
- "contentId": "[variables('_huntingQuerycontentId9')]",
- "version": "[variables('huntingQueryVersion9')]"
- },
- {
- "kind": "HuntingQuery",
- "contentId": "[variables('_huntingQuerycontentId10')]",
- "version": "[variables('huntingQueryVersion10')]"
- },
- {
- "kind": "DataConnector",
- "contentId": "[variables('_dataConnectorContentId1')]",
- "version": "[variables('dataConnectorVersion1')]"
+ "kind": "Workbook",
+ "contentId": "[variables('_workbookContentId1')]",
+ "version": "[variables('workbookVersion1')]"
},
{
"kind": "AnalyticsRule",
@@ -2984,6 +3217,56 @@
"kind": "AnalyticsRule",
"contentId": "[variables('analyticRulecontentId10')]",
"version": "[variables('analyticRuleVersion10')]"
+ },
+ {
+ "kind": "HuntingQuery",
+ "contentId": "[variables('_huntingQuerycontentId1')]",
+ "version": "[variables('huntingQueryVersion1')]"
+ },
+ {
+ "kind": "HuntingQuery",
+ "contentId": "[variables('_huntingQuerycontentId2')]",
+ "version": "[variables('huntingQueryVersion2')]"
+ },
+ {
+ "kind": "HuntingQuery",
+ "contentId": "[variables('_huntingQuerycontentId3')]",
+ "version": "[variables('huntingQueryVersion3')]"
+ },
+ {
+ "kind": "HuntingQuery",
+ "contentId": "[variables('_huntingQuerycontentId4')]",
+ "version": "[variables('huntingQueryVersion4')]"
+ },
+ {
+ "kind": "HuntingQuery",
+ "contentId": "[variables('_huntingQuerycontentId5')]",
+ "version": "[variables('huntingQueryVersion5')]"
+ },
+ {
+ "kind": "HuntingQuery",
+ "contentId": "[variables('_huntingQuerycontentId6')]",
+ "version": "[variables('huntingQueryVersion6')]"
+ },
+ {
+ "kind": "HuntingQuery",
+ "contentId": "[variables('_huntingQuerycontentId7')]",
+ "version": "[variables('huntingQueryVersion7')]"
+ },
+ {
+ "kind": "HuntingQuery",
+ "contentId": "[variables('_huntingQuerycontentId8')]",
+ "version": "[variables('huntingQueryVersion8')]"
+ },
+ {
+ "kind": "HuntingQuery",
+ "contentId": "[variables('_huntingQuerycontentId9')]",
+ "version": "[variables('huntingQueryVersion9')]"
+ },
+ {
+ "kind": "HuntingQuery",
+ "contentId": "[variables('_huntingQuerycontentId10')]",
+ "version": "[variables('huntingQueryVersion10')]"
}
]
},
diff --git a/Solutions/PaloAltoCDL/ReleaseNotes.md b/Solutions/PaloAltoCDL/ReleaseNotes.md
new file mode 100644
index 00000000000..2ebb0688703
--- /dev/null
+++ b/Solutions/PaloAltoCDL/ReleaseNotes.md
@@ -0,0 +1,5 @@
+| **Version** | **Date Modified (DD-MM-YYYY)** | **Change History** |
+|-------------|--------------------------------|--------------------------------------------------------------------|
+| 3.0.0 | 25-09-2023 | Addition of new PaloAltoCDL AMA **Data Connector** | |
+
+
diff --git a/Tools/Create-Azure-Sentinel-Solution/V2/WorkbookMetadata/WorkbooksMetadata.json b/Tools/Create-Azure-Sentinel-Solution/V2/WorkbookMetadata/WorkbooksMetadata.json
index e3e6e9ba874..f1ec0ec0f41 100644
--- a/Tools/Create-Azure-Sentinel-Solution/V2/WorkbookMetadata/WorkbooksMetadata.json
+++ b/Tools/Create-Azure-Sentinel-Solution/V2/WorkbookMetadata/WorkbooksMetadata.json
@@ -2894,7 +2894,8 @@
"CommonSecurityLog"
],
"dataConnectorsDependencies": [
- "PaloAltoCDL"
+ "PaloAltoCDL",
+ "PaloAltoCDLAma"
],
"previewImagesFileNames": [
"PaloAltoBlack.png",