Updating to include new CEF Changes

This commit is contained in:
Devika Mehra 2022-05-31 17:06:53 +05:30
Родитель e030fbc51d
Коммит 1b1b1b6bea
9 изменённых файлов: 53 добавлений и 99 удалений


@ -64,10 +64,13 @@ output {
"deviceCustomFloatingPoint4", "deviceCustomFloatingPoint4",
"deviceCustomFloatingPoint4Label", "deviceCustomFloatingPoint4Label",
"deviceCustomNumber1", "deviceCustomNumber1",
"fieldDeviceCustomNumber1",
"deviceCustomNumber1Label", "deviceCustomNumber1Label",
"deviceCustomNumber2", "deviceCustomNumber2",
"fieldDeviceCustomNumber2",
"deviceCustomNumber2Label", "deviceCustomNumber2Label",
"deviceCustomNumber3", "deviceCustomNumber3",
"fieldDeviceCustomNumber3",
"deviceCustomNumber3Label", "deviceCustomNumber3Label",
"baseEventCount", "baseEventCount",
"deviceCustomString1", "deviceCustomString1",
@ -131,8 +134,9 @@ output {
"destinationLatitude", "destinationLatitude",
"categoryDeviceType", "categoryDeviceType",
"managerReceiptTime", "managerReceiptTime",
"agentMacAddress" "agentMacAddress",
"reason"
] ]
} }
} }
} }


@ -381,10 +381,13 @@ output {
"deviceCustomFloatingPoint4", "deviceCustomFloatingPoint4",
"deviceCustomFloatingPoint4Label", "deviceCustomFloatingPoint4Label",
"deviceCustomNumber1", "deviceCustomNumber1",
"fieldDeviceCustomNumber1",
"deviceCustomNumber1Label", "deviceCustomNumber1Label",
"deviceCustomNumber2", "deviceCustomNumber2",
"fieldDeviceCustomNumber2",
"deviceCustomNumber2Label", "deviceCustomNumber2Label",
"deviceCustomNumber3", "deviceCustomNumber3",
"fieldDeviceCustomNumber3"
"deviceCustomNumber3Label", "deviceCustomNumber3Label",
"baseEventCount", "baseEventCount",
"deviceCustomString1", "deviceCustomString1",
@ -501,7 +504,8 @@ output {
"destinationGeoCountryCode3", "destinationGeoCountryCode3",
"destinationASNsOrg", "destinationASNsOrg",
"destinationASN", "destinationASN",
"destinationDnsDomain" "destinationDnsDomain",
"reason"
] ]
} }
} }
@ -513,4 +517,4 @@ output {
# } # }
# } # }
} }
} }
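Review bot: The new entry `"fieldDeviceCustomNumber3"` at the line following `"deviceCustomNumber3"` in the first hunk has no trailing comma, while the sibling entries `"fieldDeviceCustomNumber1",` and `"fieldDeviceCustomNumber2",` added in the same hunk do, and the same entry in the first file of this commit is written with one. Two adjacent string literals with no separator inside this list will most likely fail to parse, or silently concatenate, depending on the loader, so the whole output block would be rejected or mis-keyed. Change the line to `"fieldDeviceCustomNumber3",`. The enclosing list starts outside the hunk, so I have not checked the rest of it for the same slip.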


@ -21,7 +21,7 @@ relevantTechniques:
- T1046 - T1046
query: | query: |
CommonSecurityLog CommonSecurityLog
| where isnotempty(DestinationPort) and DeviceAction !in ("reset-both", "deny") | where isnotempty(DestinationPort) and DeviceAction !in ("reset-both", "deny")
// filter out common usage ports. Add ports that are legitimate for your environment // filter out common usage ports. Add ports that are legitimate for your environment
| where DestinationPort !in ("443", "53", "389", "80", "0", "880", "8888", "8080") | where DestinationPort !in ("443", "53", "389", "80", "0", "880", "8888", "8080")
@ -30,20 +30,26 @@ query: |
| where DestinationPort !between (toint(49512) .. toint(65535)) | where DestinationPort !between (toint(49512) .. toint(65535))
| where Computer != "" | where Computer != ""
| where DestinationIP !startswith "10." | where DestinationIP !startswith "10."
| extend Reason = coalesce(
column_ifexists("Reason", ""),
extract("reason=(.+?)(;|$)", 1, AdditionalExtensions),
""
)
// Filter out any graceful reset reasons of AGED OUT which occurs when a TCP session closes with a FIN due to aging out. // Filter out any graceful reset reasons of AGED OUT which occurs when a TCP session closes with a FIN due to aging out.
| where AdditionalExtensions !has "reason=aged-out" | where Reason !has "aged-out"
// Filter out any TCP FIN which occurs when a TCP FIN is used to gracefully close half or both sides of a connection. // Filter out any TCP FIN which occurs when a TCP FIN is used to gracefully close half or both sides of a connection.
| where AdditionalExtensions !has "reason=tcp-fin" | where Reason !has "tcp-fin"
// Uncomment one of the following where clauses to trigger on specific TCP reset reasons // Uncomment one of the following where clauses to trigger on specific TCP reset reasons
// See Palo Alto article for details - https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClUvCAK // See Palo Alto article for details - https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClUvCAK
// TCP RST-server - Occurs when the server sends a TCP reset to the client // TCP RST-server - Occurs when the server sends a TCP reset to the client
// | where AdditionalExtensions has "reason=tcp-rst-from-server" // | where AdditionalExtensions has "reason=tcp-rst-from-server"
// TCP RST-client - Occurs when the client sends a TCP reset to the server // TCP RST-client - Occurs when the client sends a TCP reset to the server
// | where AdditionalExtensions has "reason=tcp-rst-from-client" // | where AdditionalExtensions has "reason=tcp-rst-from-client"
| extend reason = tostring(split(AdditionalExtensions, ";")[3]) // Already performed
| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated), count() by DeviceName, SourceUserID, SourceIP, ApplicationProtocol, reason, DestinationPort, Protocol, DeviceVendor, DeviceProduct, DeviceAction, DestinationIP //| extend reason = tostring(split(AdditionalExtensions, ";")[3])
| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated), count() by DeviceName, SourceUserID, SourceIP, ApplicationProtocol, Reason, DestinationPort, Protocol, DeviceVendor, DeviceProduct, DeviceAction, DestinationIP
| where count_ >= 10 | where count_ >= 10
| summarize StartTimeUtc = min(StartTimeUtc), EndTimeUtc = max(EndTimeUtc), makeset(DestinationIP), totalcount = sum(count_) by DeviceName, SourceUserID, SourceIP, ApplicationProtocol, reason, DestinationPort, Protocol, DeviceVendor, DeviceProduct, DeviceAction | summarize StartTimeUtc = min(StartTimeUtc), EndTimeUtc = max(EndTimeUtc), makeset(DestinationIP), totalcount = sum(count_) by DeviceName, SourceUserID, SourceIP, ApplicationProtocol, Reason, DestinationPort, Protocol, DeviceVendor, DeviceProduct, DeviceAction
| extend timestamp = StartTimeUtc, IPCustomEntity = SourceIP, AccountCustomEntity = SourceUserID, HostCustomEntity = DeviceName | extend timestamp = StartTimeUtc, IPCustomEntity = SourceIP, AccountCustomEntity = SourceUserID, HostCustomEntity = DeviceName
entityMappings: entityMappings:
- entityType: Account - entityType: Account
@ -58,5 +64,5 @@ entityMappings:
fieldMappings: fieldMappings:
- identifier: Address - identifier: Address
columnName: IPCustomEntity columnName: IPCustomEntity
version: 1.0.0 version: 1.0.1
kind: Scheduled kind: Scheduled
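Review bot: The commented-out trigger clauses in the second hunk still read `// | where AdditionalExtensions has "reason=tcp-rst-from-server"` and `// | where AdditionalExtensions has "reason=tcp-rst-from-client"`, although the live filters just above them were switched to the new `Reason` column; an analyst who uncomments one of them as the comment invites will only match events whose reason is still embedded in AdditionalExtensions and silently miss rows where the dedicated Reason column is populated. Update them to `// | where Reason has "tcp-rst-from-server"` and `// | where Reason has "tcp-rst-from-client"` so the opt-in path agrees with the `coalesce(column_ifexists("Reason", ""), extract(...), "")` definition. The query body starts and ends outside the hunks shown here.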


@ -21,7 +21,10 @@ CommonSecurityLog
SourceUserName = replace(@'\^', @'/', SourceUserName) SourceUserName = replace(@'\^', @'/', SourceUserName)
| extend AdditionalExtensions = replace(@"$", @";", AdditionalExtensions), | extend AdditionalExtensions = replace(@"$", @";", AdditionalExtensions),
workstationID = extract("workstationID=(.*?);", 1, AdditionalExtensions), workstationID = extract("workstationID=(.*?);", 1, AdditionalExtensions),
end = extract("end=(.*?);", 1, AdditionalExtensions), end = coalesce(
extract("end=(.*?);", 1, AdditionalExtensions),
tostring(column_ifexists("EndTime", ""))
),
flag = extract("flag=(.*?);", 1, AdditionalExtensions), flag = extract("flag=(.*?);", 1, AdditionalExtensions),
AUDITSESSION = extract("AUDITSESSION=(.*?);", 1, AdditionalExtensions), AUDITSESSION = extract("AUDITSESSION=(.*?);", 1, AdditionalExtensions),
BTGREASON = extract("BTGREASON=(.*?);", 1, AdditionalExtensions), BTGREASON = extract("BTGREASON=(.*?);", 1, AdditionalExtensions),
@ -87,4 +90,4 @@ SIGNUPMETHOD = extract("SIGNUPMETHOD=(.*?);", 1, AdditionalExtensions),
PWDATTEMPTCNT = extract("PWDATTEMPTCNT=(.*?);", 1, AdditionalExtensions) PWDATTEMPTCNT = extract("PWDATTEMPTCNT=(.*?);", 1, AdditionalExtensions)
| extend AllIPs = extract_all(@"(?P<ecIP>.*?)/(?P<wsIP>.*)", dynamic(['ecIP','wsIP']), src_dest_IPs) | extend AllIPs = extract_all(@"(?P<ecIP>.*?)/(?P<wsIP>.*)", dynamic(['ecIP','wsIP']), src_dest_IPs)
| extend ecIP = tostring(AllIPs[0][0]) | extend ecIP = tostring(AllIPs[0][0])
| extend wsIP = tostring(AllIPs[0][1]) | extend wsIP = tostring(AllIPs[0][1])
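Review bot: The new `end = coalesce(extract("end=(.*?);", 1, AdditionalExtensions), tostring(column_ifexists("EndTime", "")))` in the first hunk prefers the value scraped from AdditionalExtensions and only falls back to the dedicated EndTime column, which is the reverse of the precedence used elsewhere in this commit (the Reason and DeviceEventCategory expressions try `column_ifexists` first). If a record carries both, the legacy extraction wins here while the typed column wins in the other parsers, so the same event can yield different field values depending on which parser is used. Consider `end = coalesce(tostring(column_ifexists("EndTime", "")), extract("end=(.*?);", 1, AdditionalExtensions)),` unless the legacy-first order is intentional, in which case a one-line comment saying so would help. The enclosing `extend` starts before this hunk.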


@ -12,9 +12,12 @@
// Functions usually takes 10-15 minutes to activate. You can then use function alias from any other queries (e.g. PAN_CL | take 10). // Functions usually takes 10-15 minutes to activate. You can then use function alias from any other queries (e.g. PAN_CL | take 10).
// //
// //
CommonSecurityLog CommonSecurityLog
| where DeviceVendor == "Palo Alto Networks" | where DeviceVendor == "Palo Alto Networks"
| extend DeviceCustomNumber1 = coalesce(column_ifexists("FieldDeviceCustomNumber1", int(null)),DeviceCustomNumber1),
DeviceCustomNumber2 = coalesce(column_ifexists("FieldDeviceCustomNumber2", int(null)),DeviceCustomNumber2),
DeviceCustomNumber3 = coalesce(column_ifexists("FieldDeviceCustomNumber3", int(null)),DeviceCustomNumber3),
ExternalID = coalesce(column_ifexists("ExtID", ""),tostring(ExternalID))
| extend AdditionalExtensions = replace(@"$", @";", AdditionalExtensions) | extend AdditionalExtensions = replace(@"$", @";", AdditionalExtensions)
| extend PanOSPacketsReceived = extract(@"PanOSPacketsReceived=(.*?);", 1, AdditionalExtensions), | extend PanOSPacketsReceived = extract(@"PanOSPacketsReceived=(.*?);", 1, AdditionalExtensions),
PanOSPacketsSent = extract(@"PanOSPacketsSent=(.*?);", 1, AdditionalExtensions), PanOSPacketsSent = extract(@"PanOSPacketsSent=(.*?);", 1, AdditionalExtensions),
@ -47,6 +50,9 @@ CommonSecurityLog
LogProfile = DeviceCustomString6, LogProfile = DeviceCustomString6,
TotalBytes = FlexNumber1, TotalBytes = FlexNumber1,
Flags = FlexString1 Flags = FlexString1
| extend start = coalesce(tostring(column_ifexists("StartTime",datetime(null))),start),
reason = coalesce(column_ifexists("Reason",""),reason),
cat = coalesce(column_ifexists("DeviceEventCategory",""),cat)
| project-away FlexString1Label, | project-away FlexString1Label,
FlexString1, FlexString1,
FlexNumber1Label, FlexNumber1Label,
@ -69,4 +75,4 @@ CommonSecurityLog
DeviceCustomNumber1, DeviceCustomNumber1,
DeviceCustomNumber2, DeviceCustomNumber2,
DeviceCustomNumber3, DeviceCustomNumber3,
AdditionalExtensions AdditionalExtensions
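Review bot: The three expressions of the form `DeviceCustomNumber1 = coalesce(column_ifexists("FieldDeviceCustomNumber1", int(null)),DeviceCustomNumber1)` in the first hunk assume the FieldDeviceCustomNumberN columns share DeviceCustomNumberN's numeric type; KQL's `coalesce` requires same-typed arguments, and if those newer columns are declared as `long` (which I believe is the reason they were introduced) while DeviceCustomNumberN is `int`, the function fails at query time whenever the columns exist, i.e. in exactly the workspaces this change targets. The `start` expression in the second hunk already sidesteps this with `tostring(...)`; the numeric ones need an explicit widening such as `DeviceCustomNumber1 = coalesce(tolong(column_ifexists("FieldDeviceCustomNumber1", long(null))), tolong(DeviceCustomNumber1)),` (and likewise for 2 and 3), noting that this changes the output column type to long for downstream consumers. Please verify against the current CommonSecurityLog schema before merging.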


@ -15,7 +15,9 @@
"multiSelect": true, "multiSelect": true,
"quote": "'", "quote": "'",
"delimiter": ",", "delimiter": ",",
"value": [], "value": [
"/subscriptions/4383ac89-7cd1-48c1-8061-b0b3c5ccfd97"
],
"typeSettings": { "typeSettings": {
"additionalResourceOptions": [], "additionalResourceOptions": [],
"includeAll": false "includeAll": false
@ -35,7 +37,8 @@
"additionalResourceOptions": [] "additionalResourceOptions": []
}, },
"queryType": 1, "queryType": 1,
"resourceType": "microsoft.resourcegraph/resources" "resourceType": "microsoft.resourcegraph/resources",
"value": "/subscriptions/4383ac89-7cd1-48c1-8061-b0b3c5ccfd97/resourceGroups/CATTesting/providers/Microsoft.OperationalInsights/workspaces/CAT-LogAnalytics"
}, },
{ {
"id": "9fa77675-1222-4936-89d0-285da325bba0", "id": "9fa77675-1222-4936-89d0-285da325bba0",
@ -142,9 +145,6 @@
"size": 1, "size": 1,
"title": "📊 Data flow over Time - TimeBrush enabled. You can click within this chart and select a subset of the data. TimeRange selected: {TimeRange:label} with Automatic Time Grain of: {TimeRange:grain}", "title": "📊 Data flow over Time - TimeBrush enabled. You can click within this chart and select a subset of the data. TimeRange selected: {TimeRange:label} with Automatic Time Grain of: {TimeRange:grain}",
"color": "pink", "color": "pink",
"timeContext": {
"durationMs": 604800000
},
"timeContextFromParameter": "TimeRange", "timeContextFromParameter": "TimeRange",
"timeBrushParameterName": "TimeRange", "timeBrushParameterName": "TimeRange",
"timeBrushExportOnlyWhenBrushed": true, "timeBrushExportOnlyWhenBrushed": true,
@ -221,9 +221,6 @@
"query": "CommonSecurityLog\r\n| where DeviceVendor =~ \"Cisco\"\r\n| where DeviceProduct =~ 'Firepower'\r\n| summarize count() by DeviceAction\r\n| order by count_ desc", "query": "CommonSecurityLog\r\n| where DeviceVendor =~ \"Cisco\"\r\n| where DeviceProduct =~ 'Firepower'\r\n| summarize count() by DeviceAction\r\n| order by count_ desc",
"size": 3, "size": 3,
"title": "Count by Actions ", "title": "Count by Actions ",
"timeContext": {
"durationMs": 604800000
},
"timeContextFromParameter": "TimeRange", "timeContextFromParameter": "TimeRange",
"queryType": 0, "queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces", "resourceType": "microsoft.operationalinsights/workspaces",
@ -283,9 +280,6 @@
"query": "CommonSecurityLog\r\n| where DeviceVendor =~ \"Cisco\"\r\n| where DeviceProduct =~ 'Firepower'\r\n| summarize count() by Protocol\r\n| order by Protocol asc, count_ desc", "query": "CommonSecurityLog\r\n| where DeviceVendor =~ \"Cisco\"\r\n| where DeviceProduct =~ 'Firepower'\r\n| summarize count() by Protocol\r\n| order by Protocol asc, count_ desc",
"size": 3, "size": 3,
"title": "Count by Protocols", "title": "Count by Protocols",
"timeContext": {
"durationMs": 604800000
},
"timeContextFromParameter": "TimeRange", "timeContextFromParameter": "TimeRange",
"queryType": 0, "queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces", "resourceType": "microsoft.operationalinsights/workspaces",
@ -357,9 +351,6 @@
"query": "CommonSecurityLog\r\n| where DeviceVendor =~ \"Cisco\"\r\n| where DeviceProduct =~ 'Firepower'\r\n| summarize count() by DeviceName\r\n| order by count_ desc", "query": "CommonSecurityLog\r\n| where DeviceVendor =~ \"Cisco\"\r\n| where DeviceProduct =~ 'Firepower'\r\n| summarize count() by DeviceName\r\n| order by count_ desc",
"size": 3, "size": 3,
"title": "Count by DeviceName", "title": "Count by DeviceName",
"timeContext": {
"durationMs": 604800000
},
"timeContextFromParameter": "TimeRange", "timeContextFromParameter": "TimeRange",
"queryType": 0, "queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces", "resourceType": "microsoft.operationalinsights/workspaces",
@ -416,12 +407,9 @@
"type": 3, "type": 3,
"content": { "content": {
"version": "KqlItem/1.0", "version": "KqlItem/1.0",
"query": "CommonSecurityLog\r\n| where DeviceVendor =~ \"Cisco\"\r\n| where DeviceProduct =~ 'Firepower'\r\n| where isnotempty(DeviceEventClassID) \r\n| extend ThreatId = extract('cat=([^;]+)',1,AdditionalExtensions) \r\n| where isnotempty(ThreatId)\r\n| summarize Amount=count() by ThreatId, LogSeverity\r\n| order by LogSeverity desc", "query": "CommonSecurityLog\r\n| where DeviceVendor =~ \"Cisco\"\r\n| where DeviceProduct =~ 'Firepower'\r\n| where isnotempty(DeviceEventClassID) \r\n| extend ThreatId = coalesce(\r\n column_ifexists(\"DeviceEventCategory\", \"\"),\r\n extract('cat=([^;]+)',1,AdditionalExtensions),\r\n \"\"\r\n )\r\n| where isnotempty(ThreatId)\r\n| summarize Amount=count() by ThreatId, LogSeverity\r\n| order by LogSeverity desc",
"size": 3, "size": 3,
"title": "Count by Threats", "title": "Count by Threats",
"timeContext": {
"durationMs": 604800000
},
"timeContextFromParameter": "TimeRange", "timeContextFromParameter": "TimeRange",
"queryType": 0, "queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces", "resourceType": "microsoft.operationalinsights/workspaces",
@ -495,9 +483,6 @@
"query": "CommonSecurityLog\r\n| where DeviceVendor =~ \"Cisco\"\r\n| where DeviceProduct =~ 'Firepower'\r\n| summarize count() by ApplicationProtocol\r\n| order by count_ desc", "query": "CommonSecurityLog\r\n| where DeviceVendor =~ \"Cisco\"\r\n| where DeviceProduct =~ 'Firepower'\r\n| summarize count() by ApplicationProtocol\r\n| order by count_ desc",
"size": 0, "size": 0,
"title": "Count by Application Protocol ", "title": "Count by Application Protocol ",
"timeContext": {
"durationMs": 604800000
},
"timeContextFromParameter": "TimeRange", "timeContextFromParameter": "TimeRange",
"queryType": 0, "queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces", "resourceType": "microsoft.operationalinsights/workspaces",
@ -571,9 +556,6 @@
"query": "CommonSecurityLog\r\n| where DeviceVendor =~ \"Cisco\"\r\n| where DeviceProduct =~ 'Firepower'\r\n| summarize count() by DeviceEventClassID\r\n| order by count_ desc", "query": "CommonSecurityLog\r\n| where DeviceVendor =~ \"Cisco\"\r\n| where DeviceProduct =~ 'Firepower'\r\n| summarize count() by DeviceEventClassID\r\n| order by count_ desc",
"size": 1, "size": 1,
"title": "Count by EventClass", "title": "Count by EventClass",
"timeContext": {
"durationMs": 604800000
},
"timeContextFromParameter": "TimeRange", "timeContextFromParameter": "TimeRange",
"queryType": 0, "queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces", "resourceType": "microsoft.operationalinsights/workspaces",
@ -630,12 +612,9 @@
"type": 3, "type": 3,
"content": { "content": {
"version": "KqlItem/1.0", "version": "KqlItem/1.0",
"query": "CommonSecurityLog\r\n| where isnotempty(DeviceEventClassID) \r\n| extend ThreatId = extract('cat=([^;]+)',1,AdditionalExtensions) \r\n| where isnotempty(ThreatId)\r\n| where AdditionalExtensions !contains \"Not\"\r\n| summarize arg_max(TimeGenerated,*) by ThreatId\r\n", "query": "CommonSecurityLog\r\n| where isnotempty(DeviceEventClassID) \r\n| extend ThreatId = coalesce(\r\n column_ifexists(\"DeviceEventCategory\", \"\"),\r\n extract('cat=([^;]+)',1,AdditionalExtensions),\r\n \"\"\r\n )\r\n| where isnotempty(ThreatId)\r\n| where AdditionalExtensions !contains \"Not\"\r\n| summarize arg_max(TimeGenerated,*) by ThreatId\r\n",
"size": 0, "size": 0,
"title": "Lastest Threats by ThreatId, {$rowCount}", "title": "Lastest Threats by ThreatId, {$rowCount}",
"timeContext": {
"durationMs": 604800000
},
"timeContextFromParameter": "TimeRange", "timeContextFromParameter": "TimeRange",
"showExportToExcel": true, "showExportToExcel": true,
"queryType": 0, "queryType": 0,
@ -737,9 +716,6 @@
"query": "CommonSecurityLog\r\n| where DeviceVendor =~ \"Cisco\"\r\n| where DeviceProduct =~ 'Firepower'\r\n| where DeviceAction has \"Block\"\r\n| summarize arg_max(TimeGenerated,*) by DeviceName, SourceIP", "query": "CommonSecurityLog\r\n| where DeviceVendor =~ \"Cisco\"\r\n| where DeviceProduct =~ 'Firepower'\r\n| where DeviceAction has \"Block\"\r\n| summarize arg_max(TimeGenerated,*) by DeviceName, SourceIP",
"size": 0, "size": 0,
"title": "Blocks by Device, {$rowCount} - Click to check IOC status", "title": "Blocks by Device, {$rowCount} - Click to check IOC status",
"timeContext": {
"durationMs": 604800000
},
"timeContextFromParameter": "TimeRange", "timeContextFromParameter": "TimeRange",
"exportFieldName": "SourceIP", "exportFieldName": "SourceIP",
"exportParameterName": "IPAddress", "exportParameterName": "IPAddress",
@ -820,9 +796,6 @@
"query": " let starttime = 14d;\r\n let endtime = 1d;\r\n let timeframe = 1h;\r\n let scorethreshold = 5;\r\n let percentotalthreshold = 50;\r\n let TimeSeriesData = CommonSecurityLog\r\n | where DeviceVendor =~ \"Cisco\"\r\n | where DeviceProduct =~ 'Firepower'\r\n | where isnotempty(DestinationIP) and isnotempty(SourceIP)\r\n | where TimeGenerated between (startofday(ago(starttime))..startofday(ago(endtime)))\r\n | project TimeGenerated,SourceIP, DestinationIP, DeviceVendor\r\n | make-series Total=count() on TimeGenerated from startofday(ago(starttime)) to startofday(ago(endtime)) step timeframe by DeviceVendor;\r\n // Filtering specific records associated with spikes as outliers\r\n let TimeSeriesAlerts=materialize(TimeSeriesData\r\n | extend (anomalies, score, baseline) = series_decompose_anomalies(Total, scorethreshold, -1, 'linefit')\r\n | mv-expand Total to typeof(double), TimeGenerated to typeof(datetime), anomalies to typeof(double),score to typeof(double), baseline to typeof(long)\r\n | where anomalies > 0 | extend score = round(score,2), AnomalyHour = TimeGenerated\r\n | project DeviceVendor,AnomalyHour, TimeGenerated, Total, baseline, anomalies, score);\r\n let AnomalyHours = materialize(TimeSeriesAlerts | where TimeGenerated > ago(2d) | project TimeGenerated);\r\n // Join anomalies with Base Data to popalate associated records for investigation - Results sorted by score in descending order\r\n TimeSeriesAlerts\r\n | where TimeGenerated > ago(2d)\r\n | join (\r\n CommonSecurityLog\r\n | where isnotempty(DestinationIP) and isnotempty(SourceIP)\r\n | where TimeGenerated > ago(2d)\r\n | extend DateHour = bin(TimeGenerated, 1h) // create a new column and round to hour\r\n | where DateHour in ((AnomalyHours)) //filter the dataset to only selected anomaly hours\r\n | summarize HourlyCount = count(), TimeGeneratedMax = arg_max(TimeGenerated, *), DestinationIPlist = make_set(DestinationIP, 100), DestinationPortlist = make_set(DestinationPort, 100) by 
DeviceVendor, SourceIP, TimeGeneratedHour= bin(TimeGenerated, 1h)\r\n | extend AnomalyHour = TimeGeneratedHour\r\n ) on AnomalyHour, DeviceVendor\r\n | extend PercentTotal = round((HourlyCount / Total) * 100, 3)\r\n | where PercentTotal > percentotalthreshold\r\n | project DeviceVendor , AnomalyHour, TimeGeneratedMax, SourceIP, DestinationIPlist, DestinationPortlist, HourlyCount, PercentTotal, Total, baseline, score, anomalies\r\n | summarize HourlyCount=sum(HourlyCount), StartTimeUtc=min(TimeGeneratedMax), EndTimeUtc=max(TimeGeneratedMax), SourceIPlist = make_set(SourceIP, 100), SourceIPMax= arg_max(SourceIP, *), DestinationIPlist = make_set(DestinationIPlist, 100), DestinationPortlist = make_set(DestinationPortlist, 100) by DeviceVendor , AnomalyHour, Total, baseline, score, anomalies\r\n | project DeviceVendor , AnomalyHour, EndTimeUtc, SourceIPMax ,SourceIPlist, DestinationIPlist, DestinationPortlist, HourlyCount, Total, baseline, score, anomalies\r\n | extend timestamp= EndTimeUtc , IPCustomEntity = SourceIPMax", "query": " let starttime = 14d;\r\n let endtime = 1d;\r\n let timeframe = 1h;\r\n let scorethreshold = 5;\r\n let percentotalthreshold = 50;\r\n let TimeSeriesData = CommonSecurityLog\r\n | where DeviceVendor =~ \"Cisco\"\r\n | where DeviceProduct =~ 'Firepower'\r\n | where isnotempty(DestinationIP) and isnotempty(SourceIP)\r\n | where TimeGenerated between (startofday(ago(starttime))..startofday(ago(endtime)))\r\n | project TimeGenerated,SourceIP, DestinationIP, DeviceVendor\r\n | make-series Total=count() on TimeGenerated from startofday(ago(starttime)) to startofday(ago(endtime)) step timeframe by DeviceVendor;\r\n // Filtering specific records associated with spikes as outliers\r\n let TimeSeriesAlerts=materialize(TimeSeriesData\r\n | extend (anomalies, score, baseline) = series_decompose_anomalies(Total, scorethreshold, -1, 'linefit')\r\n | mv-expand Total to typeof(double), TimeGenerated to typeof(datetime), anomalies to typeof(double),score to 
typeof(double), baseline to typeof(long)\r\n | where anomalies > 0 | extend score = round(score,2), AnomalyHour = TimeGenerated\r\n | project DeviceVendor,AnomalyHour, TimeGenerated, Total, baseline, anomalies, score);\r\n let AnomalyHours = materialize(TimeSeriesAlerts | where TimeGenerated > ago(2d) | project TimeGenerated);\r\n // Join anomalies with Base Data to popalate associated records for investigation - Results sorted by score in descending order\r\n TimeSeriesAlerts\r\n | where TimeGenerated > ago(2d)\r\n | join (\r\n CommonSecurityLog\r\n | where isnotempty(DestinationIP) and isnotempty(SourceIP)\r\n | where TimeGenerated > ago(2d)\r\n | extend DateHour = bin(TimeGenerated, 1h) // create a new column and round to hour\r\n | where DateHour in ((AnomalyHours)) //filter the dataset to only selected anomaly hours\r\n | summarize HourlyCount = count(), TimeGeneratedMax = arg_max(TimeGenerated, *), DestinationIPlist = make_set(DestinationIP, 100), DestinationPortlist = make_set(DestinationPort, 100) by DeviceVendor, SourceIP, TimeGeneratedHour= bin(TimeGenerated, 1h)\r\n | extend AnomalyHour = TimeGeneratedHour\r\n ) on AnomalyHour, DeviceVendor\r\n | extend PercentTotal = round((HourlyCount / Total) * 100, 3)\r\n | where PercentTotal > percentotalthreshold\r\n | project DeviceVendor , AnomalyHour, TimeGeneratedMax, SourceIP, DestinationIPlist, DestinationPortlist, HourlyCount, PercentTotal, Total, baseline, score, anomalies\r\n | summarize HourlyCount=sum(HourlyCount), StartTimeUtc=min(TimeGeneratedMax), EndTimeUtc=max(TimeGeneratedMax), SourceIPlist = make_set(SourceIP, 100), SourceIPMax= arg_max(SourceIP, *), DestinationIPlist = make_set(DestinationIPlist, 100), DestinationPortlist = make_set(DestinationPortlist, 100) by DeviceVendor , AnomalyHour, Total, baseline, score, anomalies\r\n | project DeviceVendor , AnomalyHour, EndTimeUtc, SourceIPMax ,SourceIPlist, DestinationIPlist, DestinationPortlist, HourlyCount, Total, baseline, score, anomalies\r\n | 
extend timestamp= EndTimeUtc , IPCustomEntity = SourceIPMax",
"size": 0, "size": 0,
"title": "Time series anomaly detection for total volume of traffic, {$rowCount}", "title": "Time series anomaly detection for total volume of traffic, {$rowCount}",
"timeContext": {
"durationMs": 604800000
},
"timeContextFromParameter": "TimeRange", "timeContextFromParameter": "TimeRange",
"queryType": 0, "queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces", "resourceType": "microsoft.operationalinsights/workspaces",
@ -872,9 +845,6 @@
"query": "CommonSecurityLog\r\n| where DeviceVendor == \"Cisco\"\r\n| where DeviceProduct == \"Firepower\" \r\n| where Activity == \"File Malware Event\"\r\n| where '{ComputerList}' == DeviceAction or '{ComputerList:label}' == \"<unset>\"\r\n", "query": "CommonSecurityLog\r\n| where DeviceVendor == \"Cisco\"\r\n| where DeviceProduct == \"Firepower\" \r\n| where Activity == \"File Malware Event\"\r\n| where '{ComputerList}' == DeviceAction or '{ComputerList:label}' == \"<unset>\"\r\n",
"size": 0, "size": 0,
"title": "File Malware Events, {$rowCount}", "title": "File Malware Events, {$rowCount}",
"timeContext": {
"durationMs": 604800000
},
"timeContextFromParameter": "TimeRange", "timeContextFromParameter": "TimeRange",
"queryType": 0, "queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces" "resourceType": "microsoft.operationalinsights/workspaces"
@ -923,9 +893,6 @@
"query": "CommonSecurityLog\r\n| where DeviceVendor == \"Cisco\"\r\n| where DeviceProduct == \"Firepower\" \r\n| where DestinationPort == \"80\"\r\n| where '{DeviceAction}' == DeviceAction or '{DeviceAction:label}' == \"<unset>\"\r\n", "query": "CommonSecurityLog\r\n| where DeviceVendor == \"Cisco\"\r\n| where DeviceProduct == \"Firepower\" \r\n| where DestinationPort == \"80\"\r\n| where '{DeviceAction}' == DeviceAction or '{DeviceAction:label}' == \"<unset>\"\r\n",
"size": 0, "size": 0,
"title": "Outbound Web Traffic Port 80, {$rowCount}", "title": "Outbound Web Traffic Port 80, {$rowCount}",
"timeContext": {
"durationMs": 604800000
},
"timeContextFromParameter": "TimeRange", "timeContextFromParameter": "TimeRange",
"queryType": 0, "queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces" "resourceType": "microsoft.operationalinsights/workspaces"
@ -939,9 +906,6 @@
"query": "CommonSecurityLog\r\n| where DeviceVendor == \"Cisco\"\r\n| where DeviceProduct == \"Firepower\"\r\n| extend bytesOut = extract('bytesOut=([^;]+)',1,AdditionalExtensions)\r\n| summarize by bytesOut, Computer, RequestURL, SourceUserName , SourceIP, SourceHostName, DestinationIP, DestinationPort\r\n| top 20 by bytesOut\r\n| order by bytesOut desc", "query": "CommonSecurityLog\r\n| where DeviceVendor == \"Cisco\"\r\n| where DeviceProduct == \"Firepower\"\r\n| extend bytesOut = extract('bytesOut=([^;]+)',1,AdditionalExtensions)\r\n| summarize by bytesOut, Computer, RequestURL, SourceUserName , SourceIP, SourceHostName, DestinationIP, DestinationPort\r\n| top 20 by bytesOut\r\n| order by bytesOut desc",
"size": 0, "size": 0,
"title": "Top 20 sending URLs (bytes Sent Out)", "title": "Top 20 sending URLs (bytes Sent Out)",
"timeContext": {
"durationMs": 604800000
},
"timeContextFromParameter": "TimeRange", "timeContextFromParameter": "TimeRange",
"showExportToExcel": true, "showExportToExcel": true,
"queryType": 0, "queryType": 0,
@ -987,9 +951,6 @@
"query": "CommonSecurityLog\r\n| where DeviceVendor == \"Cisco\"\r\n| where DeviceProduct == \"Firepower\" \r\n| summarize LastLogReceived = max(TimeGenerated)| project IsConnected = LastLogReceived > ago(30d), LastLogReceived, minsSinceLastLog = datetime_diff('minute',LastLogReceived, now())", "query": "CommonSecurityLog\r\n| where DeviceVendor == \"Cisco\"\r\n| where DeviceProduct == \"Firepower\" \r\n| summarize LastLogReceived = max(TimeGenerated)| project IsConnected = LastLogReceived > ago(30d), LastLogReceived, minsSinceLastLog = datetime_diff('minute',LastLogReceived, now())",
"size": 0, "size": 0,
"title": "IsConnected", "title": "IsConnected",
"timeContext": {
"durationMs": 1209600000
},
"timeContextFromParameter": "TimeRange", "timeContextFromParameter": "TimeRange",
"queryType": 0, "queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces", "resourceType": "microsoft.operationalinsights/workspaces",
@ -1029,9 +990,6 @@
"query": "CommonSecurityLog\r\n| where DeviceVendor =~ \"Cisco\"\r\n| where DeviceProduct =~ 'Firepower'\r\n| where _IsBillable = true\r\n| make-series billedData = sum(_BilledSize) on TimeGenerated from {TimeRange:start} to now() step 1d by Type", "query": "CommonSecurityLog\r\n| where DeviceVendor =~ \"Cisco\"\r\n| where DeviceProduct =~ 'Firepower'\r\n| where _IsBillable = true\r\n| make-series billedData = sum(_BilledSize) on TimeGenerated from {TimeRange:start} to now() step 1d by Type",
"size": 1, "size": 1,
"title": "Data Ingested during {TimeRange:label}", "title": "Data Ingested during {TimeRange:label}",
"timeContext": {
"durationMs": 1209600000
},
"timeContextFromParameter": "TimeRange", "timeContextFromParameter": "TimeRange",
"queryType": 0, "queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces", "resourceType": "microsoft.operationalinsights/workspaces",
@ -1077,9 +1035,6 @@
"query": "CommonSecurityLog\r\n| where DeviceVendor =~ \"Cisco\"\r\n| where DeviceProduct =~ 'Firepower'\r\n| where isnotempty(MaliciousIP)\r\n| summarize count() by MaliciousIP , MaliciousIPCountry, MaliciousIPLatitude, MaliciousIPLongitude,SourceIP, DestinationIP, DeviceName, IndicatorThreatType, ThreatConfidence, ReportReferenceLink\r\n| order by count_ desc", "query": "CommonSecurityLog\r\n| where DeviceVendor =~ \"Cisco\"\r\n| where DeviceProduct =~ 'Firepower'\r\n| where isnotempty(MaliciousIP)\r\n| summarize count() by MaliciousIP , MaliciousIPCountry, MaliciousIPLatitude, MaliciousIPLongitude,SourceIP, DestinationIP, DeviceName, IndicatorThreatType, ThreatConfidence, ReportReferenceLink\r\n| order by count_ desc",
"size": 0, "size": 0,
"title": "Count by Malicious IP", "title": "Count by Malicious IP",
"timeContext": {
"durationMs": 0
},
"timeContextFromParameter": "TimeRange", "timeContextFromParameter": "TimeRange",
"showExportToExcel": true, "showExportToExcel": true,
"queryType": 0, "queryType": 0,
@ -1140,9 +1095,6 @@
"query": "CommonSecurityLog\r\n| where DeviceVendor =~ \"Cisco\"\r\n| where DeviceProduct =~ 'Firepower'\r\n| where isnotempty(MaliciousIP)\r\n| summarize count() by MaliciousIP , MaliciousIPCountry, MaliciousIPLatitude, MaliciousIPLongitude\r\n| order by count_ desc", "query": "CommonSecurityLog\r\n| where DeviceVendor =~ \"Cisco\"\r\n| where DeviceProduct =~ 'Firepower'\r\n| where isnotempty(MaliciousIP)\r\n| summarize count() by MaliciousIP , MaliciousIPCountry, MaliciousIPLatitude, MaliciousIPLongitude\r\n| order by count_ desc",
"size": 0, "size": 0,
"title": "Malicious IP by Country", "title": "Malicious IP by Country",
"timeContext": {
"durationMs": 0
},
"timeContextFromParameter": "TimeRange", "timeContextFromParameter": "TimeRange",
"showExportToExcel": true, "showExportToExcel": true,
"queryType": 0, "queryType": 0,
@ -1210,9 +1162,6 @@
"query": "CommonSecurityLog\r\n| where DeviceVendor =~ \"Cisco\"\r\n| where DeviceProduct =~ 'Firepower'\r\n| where DeviceAction contains \"Block\"\r\n| summarize Total = count() by SourceIP, Computer\r\n| top 10 by Total\r\n//| summarize count() by DeviceAction", "query": "CommonSecurityLog\r\n| where DeviceVendor =~ \"Cisco\"\r\n| where DeviceProduct =~ 'Firepower'\r\n| where DeviceAction contains \"Block\"\r\n| summarize Total = count() by SourceIP, Computer\r\n| top 10 by Total\r\n//| summarize count() by DeviceAction",
"size": 0, "size": 0,
"title": "Top 10 Blocked inbound IPs", "title": "Top 10 Blocked inbound IPs",
"timeContext": {
"durationMs": 1209600000
},
"timeContextFromParameter": "TimeRange", "timeContextFromParameter": "TimeRange",
"queryType": 0, "queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces", "resourceType": "microsoft.operationalinsights/workspaces",
@ -1239,9 +1188,6 @@
"query": "CommonSecurityLog\r\n| where DeviceVendor =~ \"Cisco\"\r\n| where DeviceProduct =~ 'Firepower'\r\n| where DeviceAction contains \"Block\"\r\n| summarize Total = count() by SourcePort, Computer\r\n| top 10 by Total\r\n//| summarize count() by DeviceAction", "query": "CommonSecurityLog\r\n| where DeviceVendor =~ \"Cisco\"\r\n| where DeviceProduct =~ 'Firepower'\r\n| where DeviceAction contains \"Block\"\r\n| summarize Total = count() by SourcePort, Computer\r\n| top 10 by Total\r\n//| summarize count() by DeviceAction",
"size": 0, "size": 0,
"title": "Top 10 Blocked inbound Ports", "title": "Top 10 Blocked inbound Ports",
"timeContext": {
"durationMs": 1209600000
},
"timeContextFromParameter": "TimeRange", "timeContextFromParameter": "TimeRange",
"queryType": 0, "queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces", "resourceType": "microsoft.operationalinsights/workspaces",
@ -1268,9 +1214,6 @@
"query": "CommonSecurityLog\r\n| where DeviceVendor =~ \"Cisco\"\r\n| where DeviceProduct =~ 'Firepower'\r\n| where DeviceAction contains \"Block\"\r\n| summarize Total = count() by DestinationIP, Computer\r\n| top 10 by Total\r\n//| summarize count() by DeviceAction", "query": "CommonSecurityLog\r\n| where DeviceVendor =~ \"Cisco\"\r\n| where DeviceProduct =~ 'Firepower'\r\n| where DeviceAction contains \"Block\"\r\n| summarize Total = count() by DestinationIP, Computer\r\n| top 10 by Total\r\n//| summarize count() by DeviceAction",
"size": 0, "size": 0,
"title": "Top 10 Blocked outbound IPs", "title": "Top 10 Blocked outbound IPs",
"timeContext": {
"durationMs": 1209600000
},
"timeContextFromParameter": "TimeRange", "timeContextFromParameter": "TimeRange",
"queryType": 0, "queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces", "resourceType": "microsoft.operationalinsights/workspaces",
@ -1297,9 +1240,6 @@
"query": "CommonSecurityLog\r\n| where DeviceVendor =~ \"Cisco\"\r\n| where DeviceProduct =~ 'Firepower'\r\n| where DeviceAction contains \"Block\"\r\n| summarize Total = count() by DestinationPort, Computer\r\n| top 10 by Total\r\n//| summarize count() by DeviceAction", "query": "CommonSecurityLog\r\n| where DeviceVendor =~ \"Cisco\"\r\n| where DeviceProduct =~ 'Firepower'\r\n| where DeviceAction contains \"Block\"\r\n| summarize Total = count() by DestinationPort, Computer\r\n| top 10 by Total\r\n//| summarize count() by DeviceAction",
"size": 0, "size": 0,
"title": "Top 10 Blocked outbound Ports", "title": "Top 10 Blocked outbound Ports",
"timeContext": {
"durationMs": 1209600000
},
"timeContextFromParameter": "TimeRange", "timeContextFromParameter": "TimeRange",
"queryType": 0, "queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces", "resourceType": "microsoft.operationalinsights/workspaces",
@ -1326,9 +1266,6 @@
"query": "CommonSecurityLog\r\n| where DeviceVendor =~ \"Cisco\"\r\n| where DeviceProduct =~ 'Firepower'\r\n| where DeviceAction contains \"Block\"\r\n| summarize Total = count() by Protocol\r\n| top 10 by Total\r\n//| summarize count() by DeviceAction", "query": "CommonSecurityLog\r\n| where DeviceVendor =~ \"Cisco\"\r\n| where DeviceProduct =~ 'Firepower'\r\n| where DeviceAction contains \"Block\"\r\n| summarize Total = count() by Protocol\r\n| top 10 by Total\r\n//| summarize count() by DeviceAction",
"size": 0, "size": 0,
"title": "Top 10 Blocked Protocols", "title": "Top 10 Blocked Protocols",
"timeContext": {
"durationMs": 1209600000
},
"timeContextFromParameter": "TimeRange", "timeContextFromParameter": "TimeRange",
"queryType": 0, "queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces", "resourceType": "microsoft.operationalinsights/workspaces",
@ -1355,9 +1292,6 @@
"query": "CommonSecurityLog\r\n| where DeviceVendor =~ \"Cisco\"\r\n| where DeviceProduct =~ 'Firepower'\r\n| where DeviceAction contains \"Block\"\r\n| summarize Total = count() by Computer, DeviceName\r\n| top 10 by Total\r\n//| summarize count() by DeviceAction", "query": "CommonSecurityLog\r\n| where DeviceVendor =~ \"Cisco\"\r\n| where DeviceProduct =~ 'Firepower'\r\n| where DeviceAction contains \"Block\"\r\n| summarize Total = count() by Computer, DeviceName\r\n| top 10 by Total\r\n//| summarize count() by DeviceAction",
"size": 0, "size": 0,
"title": "Top 10 Blocked Computer vs. DeviceName", "title": "Top 10 Blocked Computer vs. DeviceName",
"timeContext": {
"durationMs": 1209600000
},
"timeContextFromParameter": "TimeRange", "timeContextFromParameter": "TimeRange",
"queryType": 0, "queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces", "resourceType": "microsoft.operationalinsights/workspaces",
@ -1415,7 +1349,7 @@
"{Workspace}" "{Workspace}"
], ],
"value": [ "value": [
"Detect" "value::all"
], ],
"typeSettings": { "typeSettings": {
"additionalResourceOptions": [ "additionalResourceOptions": [
@ -1565,9 +1499,6 @@
"query": "CommonSecurityLog\r\n| where DeviceVendor =~ \"Cisco\"\r\n| where DeviceProduct =~ 'Firepower'\r\n| where (SourceIP in ({SourceIP}) or '{SourceIP:label}' == \"All\") \r\n and (SourcePort in ({SourcePort}) or '{SourcePort:label}' == \"All\") \r\n and (DestinationIP in ({DestinationIP}) or '{DestinationIP:label}' == \"All\") \r\n and (DestinationPort in ({DestinationPort}) or '{DestinationPort:label}' == \"All\")\r\n and (DeviceAction in ({DeviceAction}) or '{DeviceAction:label}' == \"All\")", "query": "CommonSecurityLog\r\n| where DeviceVendor =~ \"Cisco\"\r\n| where DeviceProduct =~ 'Firepower'\r\n| where (SourceIP in ({SourceIP}) or '{SourceIP:label}' == \"All\") \r\n and (SourcePort in ({SourcePort}) or '{SourcePort:label}' == \"All\") \r\n and (DestinationIP in ({DestinationIP}) or '{DestinationIP:label}' == \"All\") \r\n and (DestinationPort in ({DestinationPort}) or '{DestinationPort:label}' == \"All\")\r\n and (DeviceAction in ({DeviceAction}) or '{DeviceAction:label}' == \"All\")",
"size": 0, "size": 0,
"title": "Filtered View, count: {$rowCount}", "title": "Filtered View, count: {$rowCount}",
"timeContext": {
"durationMs": 1209600000
},
"timeContextFromParameter": "TimeRange", "timeContextFromParameter": "TimeRange",
"showExportToExcel": true, "showExportToExcel": true,
"queryType": 0, "queryType": 0,
@ -1593,4 +1524,4 @@
], ],
"fromTemplateId": "sentinel-CiscoFirepowerWorkbook", "fromTemplateId": "sentinel-CiscoFirepowerWorkbook",
"$schema": "https://github.com/Microsoft/Application-Insights-Workbooks/blob/master/schema/workbook.json" "$schema": "https://github.com/Microsoft/Application-Insights-Workbooks/blob/master/schema/workbook.json"
} }


@ -422,7 +422,7 @@
"type": 3, "type": 3,
"content": { "content": {
"version": "KqlItem/1.0", "version": "KqlItem/1.0",
"query": "CommonSecurityLog\r\n| where DeviceProduct has 'PAN-OS'\r\n| where DeviceVendor =~ 'Palo Alto Networks'\r\n| where DeviceEventClassID =~ 'vulnerability' \r\n| extend ThreatId = extract('cat=([^;]+)',1,AdditionalExtensions) \r\n| summarize Amount=count() by ThreatId, LogSeverity\r\n| top 20 by Amount", "query": "CommonSecurityLog\r\n| where DeviceProduct has 'PAN-OS'\r\n| where DeviceVendor =~ 'Palo Alto Networks'\r\n| where DeviceEventClassID =~ 'vulnerability' \r\n| extend ThreatId = coalesce(\r\n column_ifexists(\"DeviceEventCategory\", \"\"),\r\n extract('cat=([^;]+)',1,AdditionalExtensions),\r\n \"\"\r\n )\r\n| summarize Amount=count() by ThreatId, LogSeverity\r\n| top 20 by Amount",
"size": 0, "size": 0,
"exportToExcelOptions": "visible", "exportToExcelOptions": "visible",
"title": "Top vulnerability events", "title": "Top vulnerability events",
@ -558,7 +558,7 @@
"type": 3, "type": 3,
"content": { "content": {
"version": "KqlItem/1.0", "version": "KqlItem/1.0",
"query": "CommonSecurityLog\r\n| where DeviceProduct has 'PAN-OS'\r\n| where DeviceVendor =~ 'Palo Alto Networks'\r\n//| where DeviceEventClassID =~ 'correlation' \r\n| extend ThreatId = extract('cat=([^;]+)',1,AdditionalExtensions)\r\n| extend ThreatCategory = extract('PanOSThreatCategory=([^;]+)',1, AdditionalExtensions)\r\n| summarize Amount=count() by ThreatId, ThreatCategory, LogSeverity\r\n| top 20 by Amount", "query": "CommonSecurityLog\r\n| where DeviceProduct has 'PAN-OS'\r\n| where DeviceVendor =~ 'Palo Alto Networks'\r\n//| where DeviceEventClassID =~ 'correlation' \r\n| extend ThreatId = coalesce(\r\n column_ifexists(\"DeviceEventCategory\", \"\"),\r\n extract('cat=([^;]+)',1,AdditionalExtensions),\r\n \"\"\r\n )\r\n| extend ThreatCategory = extract('PanOSThreatCategory=([^;]+)',1, AdditionalExtensions)\r\n| summarize Amount=count() by ThreatId, ThreatCategory, LogSeverity\r\n| top 20 by Amount",
"size": 0, "size": 0,
"exportToExcelOptions": "visible", "exportToExcelOptions": "visible",
"title": "Top correlation events", "title": "Top correlation events",


@ -598,7 +598,7 @@
"type": 3, "type": 3,
"content": { "content": {
"version": "KqlItem/1.0", "version": "KqlItem/1.0",
"query": "CommonSecurityLog\r\n| where DeviceProduct has 'PAN-OS' \r\n| where DeviceVendor =~ 'Palo Alto Networks' \r\n| where \"{Destination_IP:lable}\"==\"All\" or DestinationIP in ({Destination_IP}) \r\n| where \"{Source_IP:lable}\" == \"All\" or SourceIP in ({Source_IP})\r\n| where Activity =~ 'TRAFFIC' \r\n| where DeviceEventClassID =~ 'end' \r\n| extend Reason= extract(';reason=(.*?);',1,AdditionalExtensions)\r\n| summarize ReasonCount= count() by Reason, TimeGenerated \r\n", "query": "CommonSecurityLog\r\n| where DeviceProduct has 'PAN-OS' \r\n| where DeviceVendor =~ 'Palo Alto Networks' \r\n| where \"{Destination_IP:lable}\"==\"All\" or DestinationIP in ({Destination_IP}) \r\n| where \"{Source_IP:lable}\" == \"All\" or SourceIP in ({Source_IP})\r\n| where Activity =~ 'TRAFFIC' \r\n| where DeviceEventClassID =~ 'end' \r\n| extend Reason = coalesce(\r\n column_ifexists(\"Reason\", \"\"),\r\n extract(';reason=(.*?);',1,AdditionalExtensions),\r\n \"\"\r\n )\r\n| summarize ReasonCount= count() by Reason, TimeGenerated \r\n",
"size": 0, "size": 0,
"exportToExcelOptions": "visible", "exportToExcelOptions": "visible",
"title": "Reasons for session ending, by time", "title": "Reasons for session ending, by time",
@ -1390,7 +1390,7 @@
"type": 3, "type": 3,
"content": { "content": {
"version": "KqlItem/1.0", "version": "KqlItem/1.0",
"query": "//Palo Alto File Category By Action Summary\r\nCommonSecurityLog\r\n| where DeviceProduct has 'PAN-OS' \r\n| where DeviceVendor =~ 'Palo Alto Networks' \r\n| where Activity =~ 'THREAT'\r\n| where \"{Destination_IP:lable}\"==\"All\" or DestinationIP in ({Destination_IP}) \r\n| where \"{Source_IP:lable}\" == \"All\" or SourceIP in ({Source_IP})\r\n| where DeviceEventClassID =~ 'file' \r\n| extend PACategory= extract(';cat=(.*?);',1,AdditionalExtensions) \r\n| summarize CategoryCount=count() by PACategory\r\n| sort by CategoryCount\r\n", "query": "//Palo Alto File Category By Action Summary\r\nCommonSecurityLog\r\n| where DeviceProduct has 'PAN-OS' \r\n| where DeviceVendor =~ 'Palo Alto Networks' \r\n| where Activity =~ 'THREAT'\r\n| where \"{Destination_IP:lable}\"==\"All\" or DestinationIP in ({Destination_IP}) \r\n| where \"{Source_IP:lable}\" == \"All\" or SourceIP in ({Source_IP})\r\n| where DeviceEventClassID =~ 'file' \r\n| extend PACategory= coalesce(\r\n column_ifexists(\"DeviceEventCategory\", \"\"),\r\n extract(';cat=(.*?)($|;)',1,AdditionalExtensions),\r\n \"\"\r\n )\r\n| summarize CategoryCount=count() by PACategory\r\n| sort by CategoryCount",
"size": 0, "size": 0,
"exportToExcelOptions": "visible", "exportToExcelOptions": "visible",
"title": "Summary of Palo Alto file categories, by activity", "title": "Summary of Palo Alto file categories, by activity",


@ -84,7 +84,7 @@
"dataTypesDependencies": [ "CommonSecurityLog" ], "dataTypesDependencies": [ "CommonSecurityLog" ],
"dataConnectorsDependencies": [ "PaloAltoNetworks" ], "dataConnectorsDependencies": [ "PaloAltoNetworks" ],
"previewImagesFileNames": [ "PaloAltoOverviewWhite1.png", "PaloAltoOverviewBlack1.png", "PaloAltoOverviewWhite2.png", "PaloAltoOverviewBlack2.png", "PaloAltoOverviewWhite3.png", "PaloAltoOverviewBlack3.png" ], "previewImagesFileNames": [ "PaloAltoOverviewWhite1.png", "PaloAltoOverviewBlack1.png", "PaloAltoOverviewWhite2.png", "PaloAltoOverviewBlack2.png", "PaloAltoOverviewWhite3.png", "PaloAltoOverviewBlack3.png" ],
"version": "1.2.0", "version": "1.2.2",
"title": "Palo Alto overview", "title": "Palo Alto overview",
"templateRelativePath": "PaloAltoOverview.json", "templateRelativePath": "PaloAltoOverview.json",
"subtitle": "", "subtitle": "",
@ -1541,7 +1541,7 @@
"dataTypesDependencies": [ "CommonSecurityLog"], "dataTypesDependencies": [ "CommonSecurityLog"],
"dataConnectorsDependencies": [], "dataConnectorsDependencies": [],
"previewImagesFileNames": [ "CiscoFirepowerBlack.png", "CiscoFirepowerWhite.png" ], "previewImagesFileNames": [ "CiscoFirepowerBlack.png", "CiscoFirepowerWhite.png" ],
"version": "1.0.0", "version": "1.0.1",
"title": "Cisco Firepower", "title": "Cisco Firepower",
"templateRelativePath": "CiscoFirepower.json", "templateRelativePath": "CiscoFirepower.json",
"subtitle": "", "subtitle": "",