Updating to include new CEF Changes
This commit is contained in:
Devika Mehra
Родитель
e030fbc51d
Коммит
1b1b1b6bea
|
|
@ -64,10 +64,13 @@ output {
|
|||
"deviceCustomFloatingPoint4",
|
||||
"deviceCustomFloatingPoint4Label",
|
||||
"deviceCustomNumber1",
|
||||
"fieldDeviceCustomNumber1",
|
||||
"deviceCustomNumber1Label",
|
||||
"deviceCustomNumber2",
|
||||
"fieldDeviceCustomNumber2",
|
||||
"deviceCustomNumber2Label",
|
||||
"deviceCustomNumber3",
|
||||
"fieldDeviceCustomNumber3",
|
||||
"deviceCustomNumber3Label",
|
||||
"baseEventCount",
|
||||
"deviceCustomString1",
|
||||
|
|
@ -131,8 +134,9 @@ output {
|
|||
"destinationLatitude",
|
||||
"categoryDeviceType",
|
||||
"managerReceiptTime",
|
||||
"agentMacAddress"
|
||||
"agentMacAddress",
|
||||
"reason"
|
||||
]
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
|
|
@ -381,10 +381,13 @@ output {
|
|||
"deviceCustomFloatingPoint4",
|
||||
"deviceCustomFloatingPoint4Label",
|
||||
"deviceCustomNumber1",
|
||||
"fieldDeviceCustomNumber1",
|
||||
"deviceCustomNumber1Label",
|
||||
"deviceCustomNumber2",
|
||||
"fieldDeviceCustomNumber2",
|
||||
"deviceCustomNumber2Label",
|
||||
"deviceCustomNumber3",
|
||||
"fieldDeviceCustomNumber3"
|
||||
"deviceCustomNumber3Label",
|
||||
"baseEventCount",
|
||||
"deviceCustomString1",
|
||||
|
|
@ -501,7 +504,8 @@ output {
|
|||
"destinationGeoCountryCode3",
|
||||
"destinationASNsOrg",
|
||||
"destinationASN",
|
||||
"destinationDnsDomain"
|
||||
"destinationDnsDomain",
|
||||
"reason"
|
||||
]
|
||||
}
|
||||
}
|
||||
|
|
@ -513,4 +517,4 @@ output {
|
|||
# }
|
||||
# }
|
||||
}
|
||||
}
|
||||
}
|
||||
|
|
@ -21,7 +21,7 @@ relevantTechniques:
|
|||
- T1046
|
||||
query: |
|
||||
|
||||
CommonSecurityLog
|
||||
CommonSecurityLog
|
||||
| where isnotempty(DestinationPort) and DeviceAction !in ("reset-both", "deny")
|
||||
// filter out common usage ports. Add ports that are legitimate for your environment
|
||||
| where DestinationPort !in ("443", "53", "389", "80", "0", "880", "8888", "8080")
|
||||
|
|
@ -30,20 +30,26 @@ query: |
|
|||
| where DestinationPort !between (toint(49512) .. toint(65535))
|
||||
| where Computer != ""
|
||||
| where DestinationIP !startswith "10."
|
||||
| extend Reason = coalesce(
|
||||
column_ifexists("Reason", ""),
|
||||
extract("reason=(.+?)(;|$)", 1, AdditionalExtensions),
|
||||
""
|
||||
)
|
||||
// Filter out any graceful reset reasons of AGED OUT which occurs when a TCP session closes with a FIN due to aging out.
|
||||
| where AdditionalExtensions !has "reason=aged-out"
|
||||
| where Reason !has "aged-out"
|
||||
// Filter out any TCP FIN which occurs when a TCP FIN is used to gracefully close half or both sides of a connection.
|
||||
| where AdditionalExtensions !has "reason=tcp-fin"
|
||||
| where Reason !has "tcp-fin"
|
||||
// Uncomment one of the following where clauses to trigger on specific TCP reset reasons
|
||||
// See Palo Alto article for details - https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClUvCAK
|
||||
// TCP RST-server - Occurs when the server sends a TCP reset to the client
|
||||
// | where AdditionalExtensions has "reason=tcp-rst-from-server"
|
||||
// TCP RST-client - Occurs when the client sends a TCP reset to the server
|
||||
// | where AdditionalExtensions has "reason=tcp-rst-from-client"
|
||||
| extend reason = tostring(split(AdditionalExtensions, ";")[3])
|
||||
| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated), count() by DeviceName, SourceUserID, SourceIP, ApplicationProtocol, reason, DestinationPort, Protocol, DeviceVendor, DeviceProduct, DeviceAction, DestinationIP
|
||||
// Already performed
|
||||
//| extend reason = tostring(split(AdditionalExtensions, ";")[3])
|
||||
| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated), count() by DeviceName, SourceUserID, SourceIP, ApplicationProtocol, Reason, DestinationPort, Protocol, DeviceVendor, DeviceProduct, DeviceAction, DestinationIP
|
||||
| where count_ >= 10
|
||||
| summarize StartTimeUtc = min(StartTimeUtc), EndTimeUtc = max(EndTimeUtc), makeset(DestinationIP), totalcount = sum(count_) by DeviceName, SourceUserID, SourceIP, ApplicationProtocol, reason, DestinationPort, Protocol, DeviceVendor, DeviceProduct, DeviceAction
|
||||
| summarize StartTimeUtc = min(StartTimeUtc), EndTimeUtc = max(EndTimeUtc), makeset(DestinationIP), totalcount = sum(count_) by DeviceName, SourceUserID, SourceIP, ApplicationProtocol, Reason, DestinationPort, Protocol, DeviceVendor, DeviceProduct, DeviceAction
|
||||
| extend timestamp = StartTimeUtc, IPCustomEntity = SourceIP, AccountCustomEntity = SourceUserID, HostCustomEntity = DeviceName
|
||||
entityMappings:
|
||||
- entityType: Account
|
||||
|
|
@ -58,5 +64,5 @@ entityMappings:
|
|||
fieldMappings:
|
||||
- identifier: Address
|
||||
columnName: IPCustomEntity
|
||||
version: 1.0.0
|
||||
version: 1.0.1
|
||||
kind: Scheduled
|
||||
|
|
@ -21,7 +21,10 @@ CommonSecurityLog
|
|||
SourceUserName = replace(@'\^', @'/', SourceUserName)
|
||||
| extend AdditionalExtensions = replace(@"$", @";", AdditionalExtensions),
|
||||
workstationID = extract("workstationID=(.*?);", 1, AdditionalExtensions),
|
||||
end = extract("end=(.*?);", 1, AdditionalExtensions),
|
||||
end = coalesce(
|
||||
extract("end=(.*?);", 1, AdditionalExtensions),
|
||||
tostring(column_ifexists("EndTime", ""))
|
||||
),
|
||||
flag = extract("flag=(.*?);", 1, AdditionalExtensions),
|
||||
AUDITSESSION = extract("AUDITSESSION=(.*?);", 1, AdditionalExtensions),
|
||||
BTGREASON = extract("BTGREASON=(.*?);", 1, AdditionalExtensions),
|
||||
|
|
@ -87,4 +90,4 @@ SIGNUPMETHOD = extract("SIGNUPMETHOD=(.*?);", 1, AdditionalExtensions),
|
|||
PWDATTEMPTCNT = extract("PWDATTEMPTCNT=(.*?);", 1, AdditionalExtensions)
|
||||
| extend AllIPs = extract_all(@"(?P<ecIP>.*?)/(?P<wsIP>.*)", dynamic(['ecIP','wsIP']), src_dest_IPs)
|
||||
| extend ecIP = tostring(AllIPs[0][0])
|
||||
| extend wsIP = tostring(AllIPs[0][1])
|
||||
| extend wsIP = tostring(AllIPs[0][1])
|
||||
|
|
@ -12,9 +12,12 @@
|
|||
// Functions usually takes 10-15 minutes to activate. You can then use function alias from any other queries (e.g. PAN_CL | take 10).
|
||||
//
|
||||
//
|
||||
|
||||
CommonSecurityLog
|
||||
| where DeviceVendor == "Palo Alto Networks"
|
||||
| extend DeviceCustomNumber1 = coalesce(column_ifexists("FieldDeviceCustomNumber1", int(null)),DeviceCustomNumber1),
|
||||
DeviceCustomNumber2 = coalesce(column_ifexists("FieldDeviceCustomNumber2", int(null)),DeviceCustomNumber2),
|
||||
DeviceCustomNumber3 = coalesce(column_ifexists("FieldDeviceCustomNumber3", int(null)),DeviceCustomNumber3),
|
||||
ExternalID = coalesce(column_ifexists("ExtID", ""),tostring(ExternalID))
|
||||
| extend AdditionalExtensions = replace(@"$", @";", AdditionalExtensions)
|
||||
| extend PanOSPacketsReceived = extract(@"PanOSPacketsReceived=(.*?);", 1, AdditionalExtensions),
|
||||
PanOSPacketsSent = extract(@"PanOSPacketsSent=(.*?);", 1, AdditionalExtensions),
|
||||
|
|
@ -47,6 +50,9 @@ CommonSecurityLog
|
|||
LogProfile = DeviceCustomString6,
|
||||
TotalBytes = FlexNumber1,
|
||||
Flags = FlexString1
|
||||
| extend start = coalesce(tostring(column_ifexists("StartTime",datetime(null))),start),
|
||||
reason = coalesce(column_ifexists("Reason",""),reason),
|
||||
cat = coalesce(column_ifexists("DeviceEventCategory",""),cat)
|
||||
| project-away FlexString1Label,
|
||||
FlexString1,
|
||||
FlexNumber1Label,
|
||||
|
|
@ -69,4 +75,4 @@ CommonSecurityLog
|
|||
DeviceCustomNumber1,
|
||||
DeviceCustomNumber2,
|
||||
DeviceCustomNumber3,
|
||||
AdditionalExtensions
|
||||
AdditionalExtensions
|
||||
|
|
@ -15,7 +15,9 @@
|
|||
"multiSelect": true,
|
||||
"quote": "'",
|
||||
"delimiter": ",",
|
||||
"value": [],
|
||||
"value": [
|
||||
"/subscriptions/4383ac89-7cd1-48c1-8061-b0b3c5ccfd97"
|
||||
],
|
||||
"typeSettings": {
|
||||
"additionalResourceOptions": [],
|
||||
"includeAll": false
|
||||
|
|
@ -35,7 +37,8 @@
|
|||
"additionalResourceOptions": []
|
||||
},
|
||||
"queryType": 1,
|
||||
"resourceType": "microsoft.resourcegraph/resources"
|
||||
"resourceType": "microsoft.resourcegraph/resources",
|
||||
"value": "/subscriptions/4383ac89-7cd1-48c1-8061-b0b3c5ccfd97/resourceGroups/CATTesting/providers/Microsoft.OperationalInsights/workspaces/CAT-LogAnalytics"
|
||||
},
|
||||
{
|
||||
"id": "9fa77675-1222-4936-89d0-285da325bba0",
|
||||
|
|
@ -142,9 +145,6 @@
|
|||
"size": 1,
|
||||
"title": "📊 Data flow over Time - TimeBrush enabled. You can click within this chart and select a subset of the data. TimeRange selected: {TimeRange:label} with Automatic Time Grain of: {TimeRange:grain}",
|
||||
"color": "pink",
|
||||
"timeContext": {
|
||||
"durationMs": 604800000
|
||||
},
|
||||
"timeContextFromParameter": "TimeRange",
|
||||
"timeBrushParameterName": "TimeRange",
|
||||
"timeBrushExportOnlyWhenBrushed": true,
|
||||
|
|
@ -221,9 +221,6 @@
|
|||
"query": "CommonSecurityLog\r\n| where DeviceVendor =~ \"Cisco\"\r\n| where DeviceProduct =~ 'Firepower'\r\n| summarize count() by DeviceAction\r\n| order by count_ desc",
|
||||
"size": 3,
|
||||
"title": "Count by Actions ",
|
||||
"timeContext": {
|
||||
"durationMs": 604800000
|
||||
},
|
||||
"timeContextFromParameter": "TimeRange",
|
||||
"queryType": 0,
|
||||
"resourceType": "microsoft.operationalinsights/workspaces",
|
||||
|
|
@ -283,9 +280,6 @@
|
|||
"query": "CommonSecurityLog\r\n| where DeviceVendor =~ \"Cisco\"\r\n| where DeviceProduct =~ 'Firepower'\r\n| summarize count() by Protocol\r\n| order by Protocol asc, count_ desc",
|
||||
"size": 3,
|
||||
"title": "Count by Protocols",
|
||||
"timeContext": {
|
||||
"durationMs": 604800000
|
||||
},
|
||||
"timeContextFromParameter": "TimeRange",
|
||||
"queryType": 0,
|
||||
"resourceType": "microsoft.operationalinsights/workspaces",
|
||||
|
|
@ -357,9 +351,6 @@
|
|||
"query": "CommonSecurityLog\r\n| where DeviceVendor =~ \"Cisco\"\r\n| where DeviceProduct =~ 'Firepower'\r\n| summarize count() by DeviceName\r\n| order by count_ desc",
|
||||
"size": 3,
|
||||
"title": "Count by DeviceName",
|
||||
"timeContext": {
|
||||
"durationMs": 604800000
|
||||
},
|
||||
"timeContextFromParameter": "TimeRange",
|
||||
"queryType": 0,
|
||||
"resourceType": "microsoft.operationalinsights/workspaces",
|
||||
|
|
@ -416,12 +407,9 @@
|
|||
"type": 3,
|
||||
"content": {
|
||||
"version": "KqlItem/1.0",
|
||||
"query": "CommonSecurityLog\r\n| where DeviceVendor =~ \"Cisco\"\r\n| where DeviceProduct =~ 'Firepower'\r\n| where isnotempty(DeviceEventClassID) \r\n| extend ThreatId = extract('cat=([^;]+)',1,AdditionalExtensions) \r\n| where isnotempty(ThreatId)\r\n| summarize Amount=count() by ThreatId, LogSeverity\r\n| order by LogSeverity desc",
|
||||
"query": "CommonSecurityLog\r\n| where DeviceVendor =~ \"Cisco\"\r\n| where DeviceProduct =~ 'Firepower'\r\n| where isnotempty(DeviceEventClassID) \r\n| extend ThreatId = coalesce(\r\n column_ifexists(\"DeviceEventCategory\", \"\"),\r\n extract('cat=([^;]+)',1,AdditionalExtensions),\r\n \"\"\r\n )\r\n| where isnotempty(ThreatId)\r\n| summarize Amount=count() by ThreatId, LogSeverity\r\n| order by LogSeverity desc",
|
||||
"size": 3,
|
||||
"title": "Count by Threats",
|
||||
"timeContext": {
|
||||
"durationMs": 604800000
|
||||
},
|
||||
"timeContextFromParameter": "TimeRange",
|
||||
"queryType": 0,
|
||||
"resourceType": "microsoft.operationalinsights/workspaces",
|
||||
|
|
@ -495,9 +483,6 @@
|
|||
"query": "CommonSecurityLog\r\n| where DeviceVendor =~ \"Cisco\"\r\n| where DeviceProduct =~ 'Firepower'\r\n| summarize count() by ApplicationProtocol\r\n| order by count_ desc",
|
||||
"size": 0,
|
||||
"title": "Count by Application Protocol ",
|
||||
"timeContext": {
|
||||
"durationMs": 604800000
|
||||
},
|
||||
"timeContextFromParameter": "TimeRange",
|
||||
"queryType": 0,
|
||||
"resourceType": "microsoft.operationalinsights/workspaces",
|
||||
|
|
@ -571,9 +556,6 @@
|
|||
"query": "CommonSecurityLog\r\n| where DeviceVendor =~ \"Cisco\"\r\n| where DeviceProduct =~ 'Firepower'\r\n| summarize count() by DeviceEventClassID\r\n| order by count_ desc",
|
||||
"size": 1,
|
||||
"title": "Count by EventClass",
|
||||
"timeContext": {
|
||||
"durationMs": 604800000
|
||||
},
|
||||
"timeContextFromParameter": "TimeRange",
|
||||
"queryType": 0,
|
||||
"resourceType": "microsoft.operationalinsights/workspaces",
|
||||
|
|
@ -630,12 +612,9 @@
|
|||
"type": 3,
|
||||
"content": {
|
||||
"version": "KqlItem/1.0",
|
||||
"query": "CommonSecurityLog\r\n| where isnotempty(DeviceEventClassID) \r\n| extend ThreatId = extract('cat=([^;]+)',1,AdditionalExtensions) \r\n| where isnotempty(ThreatId)\r\n| where AdditionalExtensions !contains \"Not\"\r\n| summarize arg_max(TimeGenerated,*) by ThreatId\r\n",
|
||||
"query": "CommonSecurityLog\r\n| where isnotempty(DeviceEventClassID) \r\n| extend ThreatId = coalesce(\r\n column_ifexists(\"DeviceEventCategory\", \"\"),\r\n extract('cat=([^;]+)',1,AdditionalExtensions),\r\n \"\"\r\n )\r\n| where isnotempty(ThreatId)\r\n| where AdditionalExtensions !contains \"Not\"\r\n| summarize arg_max(TimeGenerated,*) by ThreatId\r\n",
|
||||
"size": 0,
|
||||
"title": "Lastest Threats by ThreatId, {$rowCount}",
|
||||
"timeContext": {
|
||||
"durationMs": 604800000
|
||||
},
|
||||
"timeContextFromParameter": "TimeRange",
|
||||
"showExportToExcel": true,
|
||||
"queryType": 0,
|
||||
|
|
@ -737,9 +716,6 @@
|
|||
"query": "CommonSecurityLog\r\n| where DeviceVendor =~ \"Cisco\"\r\n| where DeviceProduct =~ 'Firepower'\r\n| where DeviceAction has \"Block\"\r\n| summarize arg_max(TimeGenerated,*) by DeviceName, SourceIP",
|
||||
"size": 0,
|
||||
"title": "Blocks by Device, {$rowCount} - Click to check IOC status",
|
||||
"timeContext": {
|
||||
"durationMs": 604800000
|
||||
},
|
||||
"timeContextFromParameter": "TimeRange",
|
||||
"exportFieldName": "SourceIP",
|
||||
"exportParameterName": "IPAddress",
|
||||
|
|
@ -820,9 +796,6 @@
|
|||
"query": " let starttime = 14d;\r\n let endtime = 1d;\r\n let timeframe = 1h;\r\n let scorethreshold = 5;\r\n let percentotalthreshold = 50;\r\n let TimeSeriesData = CommonSecurityLog\r\n | where DeviceVendor =~ \"Cisco\"\r\n | where DeviceProduct =~ 'Firepower'\r\n | where isnotempty(DestinationIP) and isnotempty(SourceIP)\r\n | where TimeGenerated between (startofday(ago(starttime))..startofday(ago(endtime)))\r\n | project TimeGenerated,SourceIP, DestinationIP, DeviceVendor\r\n | make-series Total=count() on TimeGenerated from startofday(ago(starttime)) to startofday(ago(endtime)) step timeframe by DeviceVendor;\r\n // Filtering specific records associated with spikes as outliers\r\n let TimeSeriesAlerts=materialize(TimeSeriesData\r\n | extend (anomalies, score, baseline) = series_decompose_anomalies(Total, scorethreshold, -1, 'linefit')\r\n | mv-expand Total to typeof(double), TimeGenerated to typeof(datetime), anomalies to typeof(double),score to typeof(double), baseline to typeof(long)\r\n | where anomalies > 0 | extend score = round(score,2), AnomalyHour = TimeGenerated\r\n | project DeviceVendor,AnomalyHour, TimeGenerated, Total, baseline, anomalies, score);\r\n let AnomalyHours = materialize(TimeSeriesAlerts | where TimeGenerated > ago(2d) | project TimeGenerated);\r\n // Join anomalies with Base Data to popalate associated records for investigation - Results sorted by score in descending order\r\n TimeSeriesAlerts\r\n | where TimeGenerated > ago(2d)\r\n | join (\r\n CommonSecurityLog\r\n | where isnotempty(DestinationIP) and isnotempty(SourceIP)\r\n | where TimeGenerated > ago(2d)\r\n | extend DateHour = bin(TimeGenerated, 1h) // create a new column and round to hour\r\n | where DateHour in ((AnomalyHours)) //filter the dataset to only selected anomaly hours\r\n | summarize HourlyCount = count(), TimeGeneratedMax = arg_max(TimeGenerated, *), DestinationIPlist = make_set(DestinationIP, 100), DestinationPortlist = make_set(DestinationPort, 100) by DeviceVendor, SourceIP, TimeGeneratedHour= bin(TimeGenerated, 1h)\r\n | extend AnomalyHour = TimeGeneratedHour\r\n ) on AnomalyHour, DeviceVendor\r\n | extend PercentTotal = round((HourlyCount / Total) * 100, 3)\r\n | where PercentTotal > percentotalthreshold\r\n | project DeviceVendor , AnomalyHour, TimeGeneratedMax, SourceIP, DestinationIPlist, DestinationPortlist, HourlyCount, PercentTotal, Total, baseline, score, anomalies\r\n | summarize HourlyCount=sum(HourlyCount), StartTimeUtc=min(TimeGeneratedMax), EndTimeUtc=max(TimeGeneratedMax), SourceIPlist = make_set(SourceIP, 100), SourceIPMax= arg_max(SourceIP, *), DestinationIPlist = make_set(DestinationIPlist, 100), DestinationPortlist = make_set(DestinationPortlist, 100) by DeviceVendor , AnomalyHour, Total, baseline, score, anomalies\r\n | project DeviceVendor , AnomalyHour, EndTimeUtc, SourceIPMax ,SourceIPlist, DestinationIPlist, DestinationPortlist, HourlyCount, Total, baseline, score, anomalies\r\n | extend timestamp= EndTimeUtc , IPCustomEntity = SourceIPMax",
|
||||
"size": 0,
|
||||
"title": "Time series anomaly detection for total volume of traffic, {$rowCount}",
|
||||
"timeContext": {
|
||||
"durationMs": 604800000
|
||||
},
|
||||
"timeContextFromParameter": "TimeRange",
|
||||
"queryType": 0,
|
||||
"resourceType": "microsoft.operationalinsights/workspaces",
|
||||
|
|
@ -872,9 +845,6 @@
|
|||
"query": "CommonSecurityLog\r\n| where DeviceVendor == \"Cisco\"\r\n| where DeviceProduct == \"Firepower\" \r\n| where Activity == \"File Malware Event\"\r\n| where '{ComputerList}' == DeviceAction or '{ComputerList:label}' == \"<unset>\"\r\n",
|
||||
"size": 0,
|
||||
"title": "File Malware Events, {$rowCount}",
|
||||
"timeContext": {
|
||||
"durationMs": 604800000
|
||||
},
|
||||
"timeContextFromParameter": "TimeRange",
|
||||
"queryType": 0,
|
||||
"resourceType": "microsoft.operationalinsights/workspaces"
|
||||
|
|
@ -923,9 +893,6 @@
|
|||
"query": "CommonSecurityLog\r\n| where DeviceVendor == \"Cisco\"\r\n| where DeviceProduct == \"Firepower\" \r\n| where DestinationPort == \"80\"\r\n| where '{DeviceAction}' == DeviceAction or '{DeviceAction:label}' == \"<unset>\"\r\n",
|
||||
"size": 0,
|
||||
"title": "Outbound Web Traffic Port 80, {$rowCount}",
|
||||
"timeContext": {
|
||||
"durationMs": 604800000
|
||||
},
|
||||
"timeContextFromParameter": "TimeRange",
|
||||
"queryType": 0,
|
||||
"resourceType": "microsoft.operationalinsights/workspaces"
|
||||
|
|
@ -939,9 +906,6 @@
|
|||
"query": "CommonSecurityLog\r\n| where DeviceVendor == \"Cisco\"\r\n| where DeviceProduct == \"Firepower\"\r\n| extend bytesOut = extract('bytesOut=([^;]+)',1,AdditionalExtensions)\r\n| summarize by bytesOut, Computer, RequestURL, SourceUserName , SourceIP, SourceHostName, DestinationIP, DestinationPort\r\n| top 20 by bytesOut\r\n| order by bytesOut desc",
|
||||
"size": 0,
|
||||
"title": "Top 20 sending URLs (bytes Sent Out)",
|
||||
"timeContext": {
|
||||
"durationMs": 604800000
|
||||
},
|
||||
"timeContextFromParameter": "TimeRange",
|
||||
"showExportToExcel": true,
|
||||
"queryType": 0,
|
||||
|
|
@ -987,9 +951,6 @@
|
|||
"query": "CommonSecurityLog\r\n| where DeviceVendor == \"Cisco\"\r\n| where DeviceProduct == \"Firepower\" \r\n| summarize LastLogReceived = max(TimeGenerated)| project IsConnected = LastLogReceived > ago(30d), LastLogReceived, minsSinceLastLog = datetime_diff('minute',LastLogReceived, now())",
|
||||
"size": 0,
|
||||
"title": "IsConnected",
|
||||
"timeContext": {
|
||||
"durationMs": 1209600000
|
||||
},
|
||||
"timeContextFromParameter": "TimeRange",
|
||||
"queryType": 0,
|
||||
"resourceType": "microsoft.operationalinsights/workspaces",
|
||||
|
|
@ -1029,9 +990,6 @@
|
|||
"query": "CommonSecurityLog\r\n| where DeviceVendor =~ \"Cisco\"\r\n| where DeviceProduct =~ 'Firepower'\r\n| where _IsBillable = true\r\n| make-series billedData = sum(_BilledSize) on TimeGenerated from {TimeRange:start} to now() step 1d by Type",
|
||||
"size": 1,
|
||||
"title": "Data Ingested during {TimeRange:label}",
|
||||
"timeContext": {
|
||||
"durationMs": 1209600000
|
||||
},
|
||||
"timeContextFromParameter": "TimeRange",
|
||||
"queryType": 0,
|
||||
"resourceType": "microsoft.operationalinsights/workspaces",
|
||||
|
|
@ -1077,9 +1035,6 @@
|
|||
"query": "CommonSecurityLog\r\n| where DeviceVendor =~ \"Cisco\"\r\n| where DeviceProduct =~ 'Firepower'\r\n| where isnotempty(MaliciousIP)\r\n| summarize count() by MaliciousIP , MaliciousIPCountry, MaliciousIPLatitude, MaliciousIPLongitude,SourceIP, DestinationIP, DeviceName, IndicatorThreatType, ThreatConfidence, ReportReferenceLink\r\n| order by count_ desc",
|
||||
"size": 0,
|
||||
"title": "Count by Malicious IP",
|
||||
"timeContext": {
|
||||
"durationMs": 0
|
||||
},
|
||||
"timeContextFromParameter": "TimeRange",
|
||||
"showExportToExcel": true,
|
||||
"queryType": 0,
|
||||
|
|
@ -1140,9 +1095,6 @@
|
|||
"query": "CommonSecurityLog\r\n| where DeviceVendor =~ \"Cisco\"\r\n| where DeviceProduct =~ 'Firepower'\r\n| where isnotempty(MaliciousIP)\r\n| summarize count() by MaliciousIP , MaliciousIPCountry, MaliciousIPLatitude, MaliciousIPLongitude\r\n| order by count_ desc",
|
||||
"size": 0,
|
||||
"title": "Malicious IP by Country",
|
||||
"timeContext": {
|
||||
"durationMs": 0
|
||||
},
|
||||
"timeContextFromParameter": "TimeRange",
|
||||
"showExportToExcel": true,
|
||||
"queryType": 0,
|
||||
|
|
@ -1210,9 +1162,6 @@
|
|||
"query": "CommonSecurityLog\r\n| where DeviceVendor =~ \"Cisco\"\r\n| where DeviceProduct =~ 'Firepower'\r\n| where DeviceAction contains \"Block\"\r\n| summarize Total = count() by SourceIP, Computer\r\n| top 10 by Total\r\n//| summarize count() by DeviceAction",
|
||||
"size": 0,
|
||||
"title": "Top 10 Blocked inbound IPs",
|
||||
"timeContext": {
|
||||
"durationMs": 1209600000
|
||||
},
|
||||
"timeContextFromParameter": "TimeRange",
|
||||
"queryType": 0,
|
||||
"resourceType": "microsoft.operationalinsights/workspaces",
|
||||
|
|
@ -1239,9 +1188,6 @@
|
|||
"query": "CommonSecurityLog\r\n| where DeviceVendor =~ \"Cisco\"\r\n| where DeviceProduct =~ 'Firepower'\r\n| where DeviceAction contains \"Block\"\r\n| summarize Total = count() by SourcePort, Computer\r\n| top 10 by Total\r\n//| summarize count() by DeviceAction",
|
||||
"size": 0,
|
||||
"title": "Top 10 Blocked inbound Ports",
|
||||
"timeContext": {
|
||||
"durationMs": 1209600000
|
||||
},
|
||||
"timeContextFromParameter": "TimeRange",
|
||||
"queryType": 0,
|
||||
"resourceType": "microsoft.operationalinsights/workspaces",
|
||||
|
|
@ -1268,9 +1214,6 @@
|
|||
"query": "CommonSecurityLog\r\n| where DeviceVendor =~ \"Cisco\"\r\n| where DeviceProduct =~ 'Firepower'\r\n| where DeviceAction contains \"Block\"\r\n| summarize Total = count() by DestinationIP, Computer\r\n| top 10 by Total\r\n//| summarize count() by DeviceAction",
|
||||
"size": 0,
|
||||
"title": "Top 10 Blocked outbound IPs",
|
||||
"timeContext": {
|
||||
"durationMs": 1209600000
|
||||
},
|
||||
"timeContextFromParameter": "TimeRange",
|
||||
"queryType": 0,
|
||||
"resourceType": "microsoft.operationalinsights/workspaces",
|
||||
|
|
@ -1297,9 +1240,6 @@
|
|||
"query": "CommonSecurityLog\r\n| where DeviceVendor =~ \"Cisco\"\r\n| where DeviceProduct =~ 'Firepower'\r\n| where DeviceAction contains \"Block\"\r\n| summarize Total = count() by DestinationPort, Computer\r\n| top 10 by Total\r\n//| summarize count() by DeviceAction",
|
||||
"size": 0,
|
||||
"title": "Top 10 Blocked outbound Ports",
|
||||
"timeContext": {
|
||||
"durationMs": 1209600000
|
||||
},
|
||||
"timeContextFromParameter": "TimeRange",
|
||||
"queryType": 0,
|
||||
"resourceType": "microsoft.operationalinsights/workspaces",
|
||||
|
|
@ -1326,9 +1266,6 @@
|
|||
"query": "CommonSecurityLog\r\n| where DeviceVendor =~ \"Cisco\"\r\n| where DeviceProduct =~ 'Firepower'\r\n| where DeviceAction contains \"Block\"\r\n| summarize Total = count() by Protocol\r\n| top 10 by Total\r\n//| summarize count() by DeviceAction",
|
||||
"size": 0,
|
||||
"title": "Top 10 Blocked Protocols",
|
||||
"timeContext": {
|
||||
"durationMs": 1209600000
|
||||
},
|
||||
"timeContextFromParameter": "TimeRange",
|
||||
"queryType": 0,
|
||||
"resourceType": "microsoft.operationalinsights/workspaces",
|
||||
|
|
@ -1355,9 +1292,6 @@
|
|||
"query": "CommonSecurityLog\r\n| where DeviceVendor =~ \"Cisco\"\r\n| where DeviceProduct =~ 'Firepower'\r\n| where DeviceAction contains \"Block\"\r\n| summarize Total = count() by Computer, DeviceName\r\n| top 10 by Total\r\n//| summarize count() by DeviceAction",
|
||||
"size": 0,
|
||||
"title": "Top 10 Blocked Computer vs. DeviceName",
|
||||
"timeContext": {
|
||||
"durationMs": 1209600000
|
||||
},
|
||||
"timeContextFromParameter": "TimeRange",
|
||||
"queryType": 0,
|
||||
"resourceType": "microsoft.operationalinsights/workspaces",
|
||||
|
|
@ -1415,7 +1349,7 @@
|
|||
"{Workspace}"
|
||||
],
|
||||
"value": [
|
||||
"Detect"
|
||||
"value::all"
|
||||
],
|
||||
"typeSettings": {
|
||||
"additionalResourceOptions": [
|
||||
|
|
@ -1565,9 +1499,6 @@
|
|||
"query": "CommonSecurityLog\r\n| where DeviceVendor =~ \"Cisco\"\r\n| where DeviceProduct =~ 'Firepower'\r\n| where (SourceIP in ({SourceIP}) or '{SourceIP:label}' == \"All\") \r\n and (SourcePort in ({SourcePort}) or '{SourcePort:label}' == \"All\") \r\n and (DestinationIP in ({DestinationIP}) or '{DestinationIP:label}' == \"All\") \r\n and (DestinationPort in ({DestinationPort}) or '{DestinationPort:label}' == \"All\")\r\n and (DeviceAction in ({DeviceAction}) or '{DeviceAction:label}' == \"All\")",
|
||||
"size": 0,
|
||||
"title": "Filtered View, count: {$rowCount}",
|
||||
"timeContext": {
|
||||
"durationMs": 1209600000
|
||||
},
|
||||
"timeContextFromParameter": "TimeRange",
|
||||
"showExportToExcel": true,
|
||||
"queryType": 0,
|
||||
|
|
@ -1593,4 +1524,4 @@
|
|||
],
|
||||
"fromTemplateId": "sentinel-CiscoFirepowerWorkbook",
|
||||
"$schema": "https://github.com/Microsoft/Application-Insights-Workbooks/blob/master/schema/workbook.json"
|
||||
}
|
||||
}
|
||||
|
|
@ -422,7 +422,7 @@
|
|||
"type": 3,
|
||||
"content": {
|
||||
"version": "KqlItem/1.0",
|
||||
"query": "CommonSecurityLog\r\n| where DeviceProduct has 'PAN-OS'\r\n| where DeviceVendor =~ 'Palo Alto Networks'\r\n| where DeviceEventClassID =~ 'vulnerability' \r\n| extend ThreatId = extract('cat=([^;]+)',1,AdditionalExtensions) \r\n| summarize Amount=count() by ThreatId, LogSeverity\r\n| top 20 by Amount",
|
||||
"query": "CommonSecurityLog\r\n| where DeviceProduct has 'PAN-OS'\r\n| where DeviceVendor =~ 'Palo Alto Networks'\r\n| where DeviceEventClassID =~ 'vulnerability' \r\n| extend ThreatId = coalesce(\r\n column_ifexists(\"DeviceEventCategory\", \"\"),\r\n extract('cat=([^;]+)',1,AdditionalExtensions),\r\n \"\"\r\n )\r\n| summarize Amount=count() by ThreatId, LogSeverity\r\n| top 20 by Amount",
|
||||
"size": 0,
|
||||
"exportToExcelOptions": "visible",
|
||||
"title": "Top vulnerability events",
|
||||
|
|
@ -558,7 +558,7 @@
|
|||
"type": 3,
|
||||
"content": {
|
||||
"version": "KqlItem/1.0",
|
||||
"query": "CommonSecurityLog\r\n| where DeviceProduct has 'PAN-OS'\r\n| where DeviceVendor =~ 'Palo Alto Networks'\r\n//| where DeviceEventClassID =~ 'correlation' \r\n| extend ThreatId = extract('cat=([^;]+)',1,AdditionalExtensions)\r\n| extend ThreatCategory = extract('PanOSThreatCategory=([^;]+)',1, AdditionalExtensions)\r\n| summarize Amount=count() by ThreatId, ThreatCategory, LogSeverity\r\n| top 20 by Amount",
|
||||
"query": "CommonSecurityLog\r\n| where DeviceProduct has 'PAN-OS'\r\n| where DeviceVendor =~ 'Palo Alto Networks'\r\n//| where DeviceEventClassID =~ 'correlation' \r\n| extend ThreatId = coalesce(\r\n column_ifexists(\"DeviceEventCategory\", \"\"),\r\n extract('cat=([^;]+)',1,AdditionalExtensions),\r\n \"\"\r\n )\r\n| extend ThreatCategory = extract('PanOSThreatCategory=([^;]+)',1, AdditionalExtensions)\r\n| summarize Amount=count() by ThreatId, ThreatCategory, LogSeverity\r\n| top 20 by Amount",
|
||||
"size": 0,
|
||||
"exportToExcelOptions": "visible",
|
||||
"title": "Top correlation events",
|
||||
|
|
|
|||
|
|
@ -598,7 +598,7 @@
|
|||
"type": 3,
|
||||
"content": {
|
||||
"version": "KqlItem/1.0",
|
||||
"query": "CommonSecurityLog\r\n| where DeviceProduct has 'PAN-OS' \r\n| where DeviceVendor =~ 'Palo Alto Networks' \r\n| where \"{Destination_IP:lable}\"==\"All\" or DestinationIP in ({Destination_IP}) \r\n| where \"{Source_IP:lable}\" == \"All\" or SourceIP in ({Source_IP})\r\n| where Activity =~ 'TRAFFIC' \r\n| where DeviceEventClassID =~ 'end' \r\n| extend Reason= extract(';reason=(.*?);',1,AdditionalExtensions)\r\n| summarize ReasonCount= count() by Reason, TimeGenerated \r\n",
|
||||
"query": "CommonSecurityLog\r\n| where DeviceProduct has 'PAN-OS' \r\n| where DeviceVendor =~ 'Palo Alto Networks' \r\n| where \"{Destination_IP:lable}\"==\"All\" or DestinationIP in ({Destination_IP}) \r\n| where \"{Source_IP:lable}\" == \"All\" or SourceIP in ({Source_IP})\r\n| where Activity =~ 'TRAFFIC' \r\n| where DeviceEventClassID =~ 'end' \r\n| extend Reason = coalesce(\r\n column_ifexists(\"Reason\", \"\"),\r\n extract(';reason=(.*?);',1,AdditionalExtensions),\r\n \"\"\r\n )\r\n| summarize ReasonCount= count() by Reason, TimeGenerated \r\n",
|
||||
"size": 0,
|
||||
"exportToExcelOptions": "visible",
|
||||
"title": "Reasons for session ending, by time",
|
||||
|
|
@ -1390,7 +1390,7 @@
|
|||
"type": 3,
|
||||
"content": {
|
||||
"version": "KqlItem/1.0",
|
||||
"query": "//Palo Alto File Category By Action Summary\r\nCommonSecurityLog\r\n| where DeviceProduct has 'PAN-OS' \r\n| where DeviceVendor =~ 'Palo Alto Networks' \r\n| where Activity =~ 'THREAT'\r\n| where \"{Destination_IP:lable}\"==\"All\" or DestinationIP in ({Destination_IP}) \r\n| where \"{Source_IP:lable}\" == \"All\" or SourceIP in ({Source_IP})\r\n| where DeviceEventClassID =~ 'file' \r\n| extend PACategory= extract(';cat=(.*?);',1,AdditionalExtensions) \r\n| summarize CategoryCount=count() by PACategory\r\n| sort by CategoryCount\r\n",
|
||||
"query": "//Palo Alto File Category By Action Summary\r\nCommonSecurityLog\r\n| where DeviceProduct has 'PAN-OS' \r\n| where DeviceVendor =~ 'Palo Alto Networks' \r\n| where Activity =~ 'THREAT'\r\n| where \"{Destination_IP:lable}\"==\"All\" or DestinationIP in ({Destination_IP}) \r\n| where \"{Source_IP:lable}\" == \"All\" or SourceIP in ({Source_IP})\r\n| where DeviceEventClassID =~ 'file' \r\n| extend PACategory= coalesce(\r\n column_ifexists(\"DeviceEventCategory\", \"\"),\r\n extract(';cat=(.*?)($|;)',1,AdditionalExtensions),\r\n \"\"\r\n )\r\n| summarize CategoryCount=count() by PACategory\r\n| sort by CategoryCount",
|
||||
"size": 0,
|
||||
"exportToExcelOptions": "visible",
|
||||
"title": "Summary of Palo Alto file categories, by activity",
|
||||
|
|
|
|||
|
|
@ -84,7 +84,7 @@
|
|||
"dataTypesDependencies": [ "CommonSecurityLog" ],
|
||||
"dataConnectorsDependencies": [ "PaloAltoNetworks" ],
|
||||
"previewImagesFileNames": [ "PaloAltoOverviewWhite1.png", "PaloAltoOverviewBlack1.png", "PaloAltoOverviewWhite2.png", "PaloAltoOverviewBlack2.png", "PaloAltoOverviewWhite3.png", "PaloAltoOverviewBlack3.png" ],
|
||||
"version": "1.2.0",
|
||||
"version": "1.2.2",
|
||||
"title": "Palo Alto overview",
|
||||
"templateRelativePath": "PaloAltoOverview.json",
|
||||
"subtitle": "",
|
||||
|
|
@ -1541,7 +1541,7 @@
|
|||
"dataTypesDependencies": [ "CommonSecurityLog"],
|
||||
"dataConnectorsDependencies": [],
|
||||
"previewImagesFileNames": [ "CiscoFirepowerBlack.png", "CiscoFirepowerWhite.png" ],
|
||||
"version": "1.0.0",
|
||||
"version": "1.0.1",
|
||||
"title": "Cisco Firepower",
|
||||
"templateRelativePath": "CiscoFirepower.json",
|
||||
"subtitle": "",
|
||||
|
|
|
|||
Загрузка…
Ссылка в новой задаче