Azure
/
Azure-Sentinel
зеркало из
1
0
Форкнуть 0
Код Задачи Пакеты Проекты Релизы Вики Активность

Template spec solution package update for palo alto network (#6031) 

* moving files

* update package

* update for postDeployment steps
This commit is contained in:
Manoj 2022-08-30 19:16:28 +05:30 коммит произвёл GitHub
Родитель 7158e1629a
Коммит 74b6be7949
Не найден ключ, соответствующий данной подписи
Идентификатор ключа GPG: 4AEE18F83AFDEB23
18 изменённых файлов: 5964 добавлений и 92 удалений
Показать статистику Скачать Patch файл Скачать Diff файл Показать все файлы Свернуть все файлы

1
Detections/ThreatIntelligenceIndicator/FileHashEntity_Covid19_CommonSecurityLog.yaml → Solutions/PaloAlto-PAN-OS/Analytic Rules/FileHashEntity_Covid19_CommonSecurityLog.yaml
Просмотреть файл

@ -3,6 +3,7 @@ name: Microsoft COVID-19 file hash indicator matches
description: |
'Identifies a match in CommonSecurityLog Event data from any FileHash published in the Microsoft COVID-19 Threat Intel Feed - as described at https://www.microsoft.com/security/blog/2020/05/14/open-sourcing-covid-threat-intelligence/'
severity: Medium
status: Available
requiredDataConnectors:
- connectorId: PaloAltoNetworks
dataTypes:

1
Detections/CommonSecurityLog/PaloAlto-NetworkBeaconing.yaml → Solutions/PaloAlto-PAN-OS/Analytic Rules/PaloAlto-NetworkBeaconing.yaml
Просмотреть файл

@ -8,6 +8,7 @@ description: |
http://www.austintaylor.io/detect/beaconing/intrusion/detection/system/command/control/flare/elastic/stack/2017/06/10/detect-beaconing-with-flare-elasticsearch-and-intrusion-detection-systems/
https://techcommunity.microsoft.com/t5/microsoft-sentinel-blog/detect-network-beaconing-via-intra-request-time-delta-patterns/ba-p/779586'
severity: Low
status: Available
requiredDataConnectors:
- connectorId: PaloAltoNetworks
dataTypes:

1
Detections/CommonSecurityLog/PaloAlto-PortScanning.yaml → Solutions/PaloAlto-PAN-OS/Analytic Rules/PaloAlto-PortScanning.yaml
Просмотреть файл

@ -7,6 +7,7 @@ description: |
References: https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClUvCAK and
https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClTaCAK'
severity: Low
status: Available
requiredDataConnectors:
- connectorId: PaloAltoNetworks
dataTypes:

111
Detections/CommonSecurityLog/PaloAlto-UnusualThreatSignatures.yaml → Solutions/PaloAlto-PAN-OS/Analytic Rules/PaloAlto-UnusualThreatSignatures.yaml
Просмотреть файл

@ -1,56 +1,57 @@
id: 89a86f70-615f-4a79-9621-6f68c50f365f
name: Palo Alto Threat signatures from Unusual IP addresses
description: |
'Identifies Palo Alto Threat signatures from unusual IP addresses which are not historically seen.
This detection is also leveraged and required for MDE and PAN Fusion scenario
https://docs.microsoft.com/Azure/sentinel/fusion-scenario-reference#network-request-to-tor-anonymization-service-followed-by-anomalous-traffic-flagged-by-palo-alto-networks-firewall'
severity: Medium
requiredDataConnectors:
- connectorId: PaloAltoNetworks
dataTypes:
- CommonSecurityLog
queryFrequency: 1h
queryPeriod: 7d
triggerOperator: gt
triggerThreshold: 0
tactics:
- Discovery
- Exfiltration
- CommandAndControl
relevantTechniques:
- T1046
- T1030
- T1071.001
tags:
- Fusion
query: |
let starttime = 7d;
let endtime = 1d;
let timeframe = 1h;
let HistThreshold = 25;
let CurrThreshold = 10;
let HistoricalThreats = CommonSecurityLog
| where isnotempty(SourceIP)
| where TimeGenerated between (startofday(ago(starttime))..startofday(ago(endtime)))
| where DeviceVendor =~ "Palo Alto Networks"
| where Activity =~ "THREAT" and SimplifiedDeviceAction =~ "alert"
| where DeviceEventClassID in ('spyware', 'scan', 'file', 'vulnerability', 'flood', 'packet', 'virus','wildfire', 'wildfire-virus')
| summarize TotalEvents = count(), ThreatTypes = make_set(DeviceEventClassID), DestinationIpList = make_set(DestinationIP), FirstSeen = min(TimeGenerated) , LastSeen = max(TimeGenerated) by SourceIP, DeviceAction, DeviceVendor;
let CurrentHourThreats = CommonSecurityLog
| where isnotempty(SourceIP)
| where TimeGenerated > ago(timeframe)
| where DeviceVendor =~ "Palo Alto Networks"
| where Activity =~ "THREAT" and SimplifiedDeviceAction =~ "alert"
| where DeviceEventClassID in ('spyware', 'scan', 'file', 'vulnerability', 'flood', 'packet', 'virus','wildfire', 'wildfire-virus')
| summarize TotalEvents = count(), ThreatTypes = make_set(DeviceEventClassID), DestinationIpList = make_set(DestinationIP), FirstSeen = min(TimeGenerated) , LastSeen = max(TimeGenerated) by SourceIP, DeviceAction, DeviceProduct, DeviceVendor;
CurrentHourThreats
| where TotalEvents < CurrThreshold
| join kind = leftanti (HistoricalThreats
| where TotalEvents > HistThreshold) on SourceIP
entityMappings:
- entityType: IP
fieldMappings:
- identifier: Address
columnName: SourceIP
version: 1.0.0
id: 89a86f70-615f-4a79-9621-6f68c50f365f
name: Palo Alto Threat signatures from Unusual IP addresses
description: |
'Identifies Palo Alto Threat signatures from unusual IP addresses which are not historically seen.
This detection is also leveraged and required for MDE and PAN Fusion scenario
https://docs.microsoft.com/Azure/sentinel/fusion-scenario-reference#network-request-to-tor-anonymization-service-followed-by-anomalous-traffic-flagged-by-palo-alto-networks-firewall'
severity: Medium
status: Available
requiredDataConnectors:
- connectorId: PaloAltoNetworks
dataTypes:
- CommonSecurityLog
queryFrequency: 1h
queryPeriod: 7d
triggerOperator: gt
triggerThreshold: 0
tactics:
- Discovery
- Exfiltration
- CommandAndControl
relevantTechniques:
- T1046
- T1030
- T1071.001
tags:
- Fusion
query: |
let starttime = 7d;
let endtime = 1d;
let timeframe = 1h;
let HistThreshold = 25;
let CurrThreshold = 10;
let HistoricalThreats = CommonSecurityLog
| where isnotempty(SourceIP)
| where TimeGenerated between (startofday(ago(starttime))..startofday(ago(endtime)))
| where DeviceVendor =~ "Palo Alto Networks"
| where Activity =~ "THREAT" and SimplifiedDeviceAction =~ "alert"
| where DeviceEventClassID in ('spyware', 'scan', 'file', 'vulnerability', 'flood', 'packet', 'virus','wildfire', 'wildfire-virus')
| summarize TotalEvents = count(), ThreatTypes = make_set(DeviceEventClassID), DestinationIpList = make_set(DestinationIP), FirstSeen = min(TimeGenerated) , LastSeen = max(TimeGenerated) by SourceIP, DeviceAction, DeviceVendor;
let CurrentHourThreats = CommonSecurityLog
| where isnotempty(SourceIP)
| where TimeGenerated > ago(timeframe)
| where DeviceVendor =~ "Palo Alto Networks"
| where Activity =~ "THREAT" and SimplifiedDeviceAction =~ "alert"
| where DeviceEventClassID in ('spyware', 'scan', 'file', 'vulnerability', 'flood', 'packet', 'virus','wildfire', 'wildfire-virus')
| summarize TotalEvents = count(), ThreatTypes = make_set(DeviceEventClassID), DestinationIpList = make_set(DestinationIP), FirstSeen = min(TimeGenerated) , LastSeen = max(TimeGenerated) by SourceIP, DeviceAction, DeviceProduct, DeviceVendor;
CurrentHourThreats
| where TotalEvents < CurrThreshold
| join kind = leftanti (HistoricalThreats
| where TotalEvents > HistThreshold) on SourceIP
entityMappings:
- entityType: IP
fieldMappings:
- identifier: Address
columnName: SourceIP
version: 1.0.0
kind: Scheduled

12
DataConnectors/Palo Alto Networks/PaloAltoNetworks.json → Solutions/PaloAlto-PAN-OS/Data Connectors/PaloAltoNetworks.json
Просмотреть файл

@ -2,7 +2,7 @@
"id": "PaloAltoNetworks",
"title": "Palo Alto Networks (Firewall)",
"publisher": "Palo Alto Networks",
"descriptionMarkdown": "The Palo Alto Networks firewall connector allows you to easily connect your Palo Alto Networks logs with Azure Sentinel, to view dashboards, create custom alerts, and improve investigation. This gives you more insight into your organization's network and improves your security operation capabilities.",
"descriptionMarkdown": "The Palo Alto Networks firewall connector allows you to easily connect your Palo Alto Networks logs with Microsoft Sentinel, to view dashboards, create custom alerts, and improve investigation. This gives you more insight into your organization's network and improves your security operation capabilities.",
"graphQueries": [
{
"metricName": "Total data received",
@ -36,7 +36,7 @@
],
"availability": {
"status": 1,
"isPreview": true
"isPreview": false
},
"permissions": {
"resourceProvider": [
@ -65,15 +65,15 @@
"instructionSteps": [
{
"title": "1. Linux Syslog agent configuration",
"description": "Install and configure the Linux agent to collect your Common Event Format (CEF) Syslog messages and forward them to Azure Sentinel.\n\n> Notice that the data from all regions will be stored in the selected workspace",
"description": "Install and configure the Linux agent to collect your Common Event Format (CEF) Syslog messages and forward them to Microsoft Sentinel.\n\n> Notice that the data from all regions will be stored in the selected workspace",
"innerSteps": [
{
"title": "1.1 Select or create a Linux machine",
"description": "Select or create a Linux machine that Azure Sentinel will use as the proxy between your security solution and Azure Sentinel this machine can be on your on-prem environment, Azure or other clouds."
"description": "Select or create a Linux machine that Microsoft Sentinel will use as the proxy between your security solution and Microsoft Sentinel this machine can be on your on-prem environment, Azure or other clouds."
},
{
"title": "1.2 Install the CEF collector on the Linux machine",
"description": "Install the Microsoft Monitoring Agent on your Linux machine and configure the machine to listen on the necessary port and forward messages to your Azure Sentinel workspace. The CEF collector collects CEF messages on port 514 TCP.\n\n> 1. Make sure that you have Python on your machine using the following command: python -version.\n\n> 2. You must have elevated permissions (sudo) on your machine.",
"description": "Install the Microsoft Monitoring Agent on your Linux machine and configure the machine to listen on the necessary port and forward messages to your Microsoft Sentinel workspace. The CEF collector collects CEF messages on port 514 TCP.\n\n> 1. Make sure that you have Python on your machine using the following command: python -version.\n\n> 2. You must have elevated permissions (sudo) on your machine.",
"instructions": [
{
"parameters": {
@ -92,7 +92,7 @@
},
{
"title": "2. Forward Palo Alto Networks logs to Syslog agent",
"description": "Configure Palo Alto Networks to forward Syslog messages in CEF format to your Azure Sentinel workspace via the Syslog agent.\n\nGo to [configure Palo Alto Networks NGFW for sending CEF events.](https://aka.ms/sentinel-paloaltonetworks-readme)\n\nGo to [Palo Alto CEF Configuration](https://aka.ms/asi-syslog-paloalto-forwarding) and Palo Alto [Configure Syslog Monitoring](https://aka.ms/asi-syslog-paloalto-configure) steps 2, 3, choose your version, and follow the instructions using the following guidelines:\n\n1. Set the Syslog server format to **BSD**.\n\n2. The copy/paste operations from the PDF might change the text and insert random characters. To avoid this, copy the text to an editor and remove any characters that might break the log format before pasting it.\n\n[Learn more >](https://aka.ms/CEFPaloAlto)"
"description": "Configure Palo Alto Networks to forward Syslog messages in CEF format to your Microsoft Sentinel workspace via the Syslog agent.\n\nGo to [configure Palo Alto Networks NGFW for sending CEF events.](https://aka.ms/sentinel-paloaltonetworks-readme)\n\nGo to [Palo Alto CEF Configuration](https://aka.ms/asi-syslog-paloalto-forwarding) and Palo Alto [Configure Syslog Monitoring](https://aka.ms/asi-syslog-paloalto-configure) steps 2, 3, choose your version, and follow the instructions using the following guidelines:\n\n1. Set the Syslog server format to **BSD**.\n\n2. The copy/paste operations from the PDF might change the text and insert random characters. To avoid this, copy the text to an editor and remove any characters that might break the log format before pasting it.\n\n[Learn more >](https://aka.ms/CEFPaloAlto)"
},
{
"title": "3. Validate connection",

0
DataConnectors/Palo Alto Networks/readme.md → Solutions/PaloAlto-PAN-OS/Data Connectors/readme.md
Просмотреть файл

0
Hunting Queries/CommonSecurityLog/PaloAlto-HighRiskPorts.yaml → Solutions/PaloAlto-PAN-OS/Hunting Queries/PaloAlto-HighRiskPorts.yaml
Просмотреть файл

Двоичные данные
Solutions/PaloAlto-PAN-OS/Package/2.0.0.zip
Просмотреть файл

Двоичный файл не отображается.

176
Solutions/PaloAlto-PAN-OS/Package/createUiDefinition.json
Просмотреть файл

@ -6,7 +6,7 @@
"config": {
"isWizard": false,
"basics": {
"description": "<img src=\"https://github.com/Azure/Azure-Sentinel/raw/master/Playbooks/PaloAlto-PAN-OS/PaloAltoCustomConnector/PAN-OS_CustomConnector.png\" width=\"75px\" height=\"75px\">\n\n**Note:** _There may be [known issues](https://aka.ms/sentinelsolutionsknownissues) pertaining to this Solution, please refer to them before installing._\n\n[PAN-OS](https://docs.paloaltonetworks.com/pan-os) is the software that runs all Palo Alto Networks next-generation firewalls. By leveraging the key technologies that are built into PAN-OS natively -- App-ID, Content-ID, Device-ID, and User-ID -- you can have complete visibility and control of the applications in use across all users and devices in all locations all the time.\n\n**Custom Azure Logic Apps Connectors:** 1, **Playbooks:** 1\n\n[Learn more about Microsoft Sentinel](https://aka.ms/azuresentinel) | [Learn more about Solutions](https://aka.ms/azuresentinelsolutionsdoc)",
"description": "<img src=\"https://github.com/Azure/Azure-Sentinel/raw/master/Playbooks/PaloAlto-PAN-OS/PaloAltoCustomConnector/PAN-OS_CustomConnector.png\" width=\"75px\" height=\"75px\">\n\n**Note:** _There may be [known issues](https://aka.ms/sentinelsolutionsknownissues) pertaining to this Solution, please refer to them before installing._\n\nThe [Palo Alto Networks (Firewall)](https://www.paloaltonetworks.com/network-security/next-generation-firewall) Solution for Microsoft Sentinel allows you to easily connect your Palo Alto Networks Firewall logs with Microsoft Sentinel, to view dashboards, create custom alerts, and improve investigation. This gives you more insight into your organization's network and improves your security operation capabilities. This solution also contains playbooks to help in automated remediation. \r\n \r\n **Underlying Microsoft Technologies used:**\n\nThis solution takes a dependency on the following technologies, and some of these dependencies either may be in [Preview](https://azure.microsoft.com/support/legal/preview-supplemental-terms/) state or might result in additional ingestion or operational costs:\r\n \r\n a. [Agent-based log collection (CEF over Syslog)](https://docs.microsoft.com/azure/sentinel/connect-common-event-format)\n\n**Data Connectors:** 1, **Workbooks:** 2, **Analytic Rules:** 4, **Hunting Queries:** 1, **Custom Azure Logic Apps Connectors:** 1, **Playbooks:** 5\n\n[Learn more about Microsoft Sentinel](https://aka.ms/azuresentinel) | [Learn more about Solutions](https://aka.ms/azuresentinelsolutionsdoc)",
"subscription": {
"resourceProviders": [
"Microsoft.OperationsManagement/solutions",
@ -51,6 +51,180 @@
}
],
"steps": [
{
"name": "dataconnectors",
"label": "Data Connectors",
"bladeTitle": "Data Connectors",
"elements": [
{
"name": "dataconnectors1-text",
"type": "Microsoft.Common.TextBlock",
"options": {
"text": "This solution installs the data connector for ingesting Palo Alto Network Firewall logs in the CEF format into Microsoft Sentinel. After installing the solution, configure and enable this data connector by following guidance in Manage solution view."
}
},
{
"name": "dataconnectors-link2",
"type": "Microsoft.Common.TextBlock",
"options": {
"link": {
"label": "Learn more about connecting data sources",
"uri": "https://docs.microsoft.com/azure/sentinel/connect-data-sources"
}
}
}
]
},
{
"name": "workbooks",
"label": "Workbooks",
"subLabel": {
"preValidation": "Configure the workbooks",
"postValidation": "Done"
},
"bladeTitle": "Workbooks",
"elements": [
{
"name": "workbooks-text",
"type": "Microsoft.Common.TextBlock",
"options": {
"text": "This solution installs workbook(s) to help you gain insights into the telemetry collected in Microsoft Sentinel. After installing the solution, start using the workbook in Manage solution view."
}
},
{
"name": "workbooks-link",
"type": "Microsoft.Common.TextBlock",
"options": {
"link": {
"label": "Learn more",
"uri": "https://docs.microsoft.com/azure/sentinel/tutorial-monitor-your-data"
}
}
}
]
},
{
"name": "analytics",
"label": "Analytics",
"subLabel": {
"preValidation": "Configure the analytics",
"postValidation": "Done"
},
"bladeTitle": "Analytics",
"elements": [
{
"name": "analytics-text",
"type": "Microsoft.Common.TextBlock",
"options": {
"text": "This solution installs the following analytic rule templates. After installing the solution, create and enable analytic rules in Manage solution view."
}
},
{
"name": "analytics-link",
"type": "Microsoft.Common.TextBlock",
"options": {
"link": {
"label": "Learn more",
"uri": "https://docs.microsoft.com/azure/sentinel/tutorial-detect-threats-custom?WT.mc_id=Portal-Microsoft_Azure_CreateUIDef"
}
}
},
{
"name": "analytic1",
"type": "Microsoft.Common.Section",
"label": "Palo Alto Threat signatures from Unusual IP addresses",
"elements": [
{
"name": "analytic1-text",
"type": "Microsoft.Common.TextBlock",
"options": {
"text": "Identifies Palo Alto Threat signatures from unusual IP addresses which are not historically seen. \nThis detection is also leveraged and required for MDE and PAN Fusion scenario\nhttps://docs.microsoft.com/Azure/sentinel/fusion-scenario-reference#network-request-to-tor-anonymization-service-followed-by-anomalous-traffic-flagged-by-palo-alto-networks-firewall"
}
}
]
},
{
"name": "analytic2",
"type": "Microsoft.Common.Section",
"label": "Microsoft COVID-19 file hash indicator matches",
"elements": [
{
"name": "analytic2-text",
"type": "Microsoft.Common.TextBlock",
"options": {
"text": "Identifies a match in CommonSecurityLog Event data from any FileHash published in the Microsoft COVID-19 Threat Intel Feed - as described at https://www.microsoft.com/security/blog/2020/05/14/open-sourcing-covid-threat-intelligence/"
}
}
]
},
{
"name": "analytic3",
"type": "Microsoft.Common.Section",
"label": "Palo Alto - potential beaconing detected",
"elements": [
{
"name": "analytic3-text",
"type": "Microsoft.Common.TextBlock",
"options": {
"text": "Identifies beaconing patterns from Palo Alto Network traffic logs based on recurrent timedelta patterns. \nThe query leverages various KQL functions to calculate time deltas and then compares it with total events observed in a day to find percentage of beaconing. \nThis outbound beaconing pattern to untrusted public networks should be investigated for any malware callbacks or data exfiltration attempts.\nReference Blog:\nhttp://www.austintaylor.io/detect/beaconing/intrusion/detection/system/command/control/flare/elastic/stack/2017/06/10/detect-beaconing-with-flare-elasticsearch-and-intrusion-detection-systems/\nhttps://techcommunity.microsoft.com/t5/microsoft-sentinel-blog/detect-network-beaconing-via-intra-request-time-delta-patterns/ba-p/779586"
}
}
]
},
{
"name": "analytic4",
"type": "Microsoft.Common.Section",
"label": "Palo Alto - possible internal to external port scanning",
"elements": [
{
"name": "analytic4-text",
"type": "Microsoft.Common.TextBlock",
"options": {
"text": "Identifies a list of internal Source IPs (10.x.x.x Hosts) that have triggered 10 or more non-graceful tcp server resets from one or more Destination IPs which \nresults in an \"ApplicationProtocol = incomplete\" designation. The server resets coupled with an \"Incomplete\" ApplicationProtocol designation can be an indication \nof internal to external port scanning or probing attack. \nReferences: https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClUvCAK and\nhttps://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClTaCAK"
}
}
]
}
]
},
{
"name": "huntingqueries",
"label": "Hunting Queries",
"bladeTitle": "Hunting Queries",
"elements": [
{
"name": "huntingqueries-text",
"type": "Microsoft.Common.TextBlock",
"options": {
"text": "This solution installs the following hunting queries. After installing the solution, run these hunting queries to hunt for threats in Manage solution view. "
}
},
{
"name": "huntingqueries-link",
"type": "Microsoft.Common.TextBlock",
"options": {
"link": {
"label": "Learn more",
"uri": "https://docs.microsoft.com/azure/sentinel/hunting"
}
}
},
{
"name": "huntingquery1",
"type": "Microsoft.Common.Section",
"label": "Palo Alto - high-risk ports",
"elements": [
{
"name": "huntingquery1-text",
"type": "Microsoft.Common.TextBlock",
"options": {
"text": "Identifies network connections whose ports are frequent targets of attacks and should not cross network boundaries or reach untrusted public networks.\nConsider updating the firewall policies to block the connections. It depends on the PaloAltoNetworks data connector and CommonSecurityLog data type and PaloAltoNetworks parser."
}
}
]
}
]
},
{
"name": "playbooks",
"label": "Playbooks",

3592
Solutions/PaloAlto-PAN-OS/Package/mainTemplate.json
Просмотреть файл

Различия файлов скрыты, потому что одна или несколько строк слишком длинны

4
Solutions/PaloAlto-PAN-OS/Playbooks/PaloAlto-PAN-OS-BlockIP/azuredeploy.json
Просмотреть файл

@ -5,7 +5,7 @@
"comments": "This playbook uses the PaloAlto connector to take necessary actions on IP address like Block IP/Unblock IP from predefined address group and also gives an option to close the incident.",
"title": "PaloAlto-PAN-OS-BlockIP",
"description": "This playbook allows blocking/unblocking IPs in PaloAlto, using **Address Object Groups**. This allows to make changes on predefined address group, which is attached to predefined security policy rule.",
"mainSteps": ["When a new Sentinel incident is created, this playbook gets triggered and performs below actions: \n\n 1. An adaptive card is sent to the SOC channel providing Incident information, IP address, list of existing security policy rules in which IP is a member of and provides an option to Block/Unblock IP Address to predefined address group or Ignore. \n\n 2. The SOC can take action on risky IP based on the information provided in the adaptive card. \n\n ![PaloAlto-PAN-OS-BlockIP](./designerscreenshot.PNG) \n\n **This is the adaptive card SOC will receive when playbook is triggered for each risky IP for taking actions like block/unblock/ignore:** \n\n ![Adaptive Card example](./AdaptiveCardtoBlockorUnblock.PNG) \n\n **This is the consolidate adaptive card about the summary of actions taken on IP and the incident configuration:** \n\n ![Consolidated Adaptive Card example](./SummarizedAdaptiveCard.PNG)"],
"mainSteps": ["When a new Sentinel incident is created, this playbook gets triggered and performs below actions: \n\n 1. An adaptive card is sent to the SOC channel providing Incident information, IP address, list of existing security policy rules in which IP is a member of and provides an option to Block/Unblock IP Address to predefined address group or Ignore. \n\n 2. The SOC can take action on risky IP based on the information provided in the adaptive card. \n\n ![PaloAlto-PAN-OS-BlockIP](https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/PaloAlto-PAN-OS/Playbooks/PaloAlto-PAN-OS-BlockIP/designerscreenshot.PNG?raw=true) \n\n **This is the adaptive card SOC will receive when playbook is triggered for each risky IP for taking actions like block/unblock/ignore:** \n\n ![Adaptive Card example](https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/PaloAlto-PAN-OS/Playbooks/PaloAlto-PAN-OS-BlockIP/AdaptiveCardtoBlockorUnblock.PNG?raw=true) \n\n **This is the consolidate adaptive card about the summary of actions taken on IP and the incident configuration:** \n\n ![Consolidated Adaptive Card example](https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/PaloAlto-PAN-OS/Playbooks/PaloAlto-PAN-OS-BlockIP/SummarizedAdaptiveCard.PNG?raw=true)"],
"prerequisites": ["1. PaloAlto connector needs to be deployed prior to the deployment of this playbook under the same subscription. Relevant instructions can be found in the connector doc page. \n\n 2. Generate an API key. [Refer this link on how to generate the API Key](https://docs.paloaltonetworks.com/pan-os/10-1/pan-os-panorama-api/get-started-with-the-pan-os-xml-api/get-your-api-key) \n\n 3. Address group should be created for PAN-OS and this should be used while creating playbooks."],
"lastUpdateTime": "2022-07-22T00:00:00.000Z",
"entities": ["Ip"],
@ -790,7 +790,7 @@
"value": [
{
"size": "Large",
"text": "Suspicious IP - Azure Sentinel",
"text": "Suspicious IP - Microsoft Sentinel",
"type": "TextBlock",
"weight": "Bolder",
"wrap": true

2
Solutions/PaloAlto-PAN-OS/Playbooks/PaloAlto-PAN-OS-BlockURL/azuredeploy.json
Просмотреть файл

@ -6,7 +6,7 @@
"title": "PaloAlto-PAN-OS-BlockURL",
"description": "This playbook allows blocking/unblocking URLs in PaloAlto, using **predefined address group**. This allows to make changes on predefined address group, which is attached to security policy rule.",
"prerequisites": ["1. PaloAlto connector needs to be deployed prior to the deployment of this playbook under the same subscription. Relevant instructions can be found in the connector doc page. \n\n 2. Generate an API key.[Refer this link on how to generate the API Key](https://paloaltolactest.trafficmanager.net/restapi-doc/#tag/key-generation) \n\n 3. Address group should be created for PAN-OS and this should be used while creating playbooks."],
"mainSteps": ["When a new Sentinel incident is created, this playbook gets triggered and performs below actions: \n\n 1. An adaptive card is sent to the SOC channel providing Incident information, URL address, list of existing security policy rules in which URL is a member of and provides an option to Block/Unblock URL Address by adding/removing it to/from the predefined address group. \n\n 2. The SOC can act on risky URL based on the information provided in the adaptive card, or ignore. \n\n ![PaloAlto-PAN-OS-BlockURL](./designerScreenshot.PNG) \n\n **This is the adaptive card SOC will receive when playbook is triggered for each risky URL for taking actions like block/unblock/ignore ::** \n\n ![Adaptive Card example](./AdaptiveCardtoBlockorUnblock.PNG) \n\n **This is the consolidate adaptive card about the summary of actions taken on URL and the incident configuration ::** \n\n ![Consolidated Adaptive Card example](./SummarizedAdaptiveCard.PNG)"],
"mainSteps": ["When a new Sentinel incident is created, this playbook gets triggered and performs below actions: \n\n 1. An adaptive card is sent to the SOC channel providing Incident information, URL address, list of existing security policy rules in which URL is a member of and provides an option to Block/Unblock URL Address by adding/removing it to/from the predefined address group. \n\n 2. The SOC can act on risky URL based on the information provided in the adaptive card, or ignore. \n\n ![PaloAlto-PAN-OS-BlockURL](https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/PaloAlto-PAN-OS/Playbooks/PaloAlto-PAN-OS-BlockURL/designerscreenshot.PNG?raw=true) \n\n **This is the adaptive card SOC will receive when playbook is triggered for each risky URL for taking actions like block/unblock/ignore ::** \n\n ![Adaptive Card example](https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/PaloAlto-PAN-OS/Playbooks/PaloAlto-PAN-OS-BlockURL/AdaptiveCardtoBlockorUnblock.PNG?raw=true) \n\n **This is the consolidate adaptive card about the summary of actions taken on URL and the incident configuration ::** \n\n ![Consolidated Adaptive Card example](https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/PaloAlto-PAN-OS/Playbooks/PaloAlto-PAN-OS-BlockURL/SummarizedAdaptiveCard.PNG?raw=true)"],
"lastUpdateTime": "2022-07-22T00:00:00.000Z",
"entities": ["Url"],
"tags": ["Remediation", "Response from teams"],

2
Solutions/PaloAlto-PAN-OS/Playbooks/PaloAlto-PAN-OS-GetSystemInfo/azuredeploy.json
Просмотреть файл

@ -15,7 +15,7 @@
"author": {
"name": "Smitha Sundareswaran"
},
"postDeployment": "** a. Authorize connections ** Once deployment is complete, you will need to authorize each connection. \n\n 1. Click the Microsoft Sentinel connection resource \n\n 2. Click edit API connection \n\n 3. Click Authorize \n\n 4. Sign in \n\n 5. Click Save \n\n 6. Repeat steps for other connections such as Blob Store connection and PAN-OS API connection (For authorizing the PAN-OS API connection, API Key needs to be provided) \n\n ** b. Configurations in Sentinel ** 1. In Microsoft sentinel analytical rules should be configured to trigger an incident with risky IP \n\n 2. Configure the automation rules to trigger this playbook",
"postDeployment": ["** a. Authorize connections ** Once deployment is complete, you will need to authorize each connection. \n\n 1. Click the Microsoft Sentinel connection resource \n\n 2. Click edit API connection \n\n 3. Click Authorize \n\n 4. Sign in \n\n 5. Click Save \n\n 6. Repeat steps for other connections such as Blob Store connection and PAN-OS API connection (For authorizing the PAN-OS API connection, API Key needs to be provided) \n\n ** b. Configurations in Sentinel ** 1. In Microsoft sentinel analytical rules should be configured to trigger an incident with risky IP \n\n 2. Configure the automation rules to trigger this playbook"],
"releaseNotes": [
{
"version": "1.0.0",

2
Solutions/PaloAlto-PAN-OS/Playbooks/PaloAlto-PAN-OS-GetThreatPCAP/azuredeploy.json
Просмотреть файл

@ -15,7 +15,7 @@
"author": {
"name": "Smitha Sundareswaran"
},
"postDeployment": "** a. Authorize connections ** Once deployment is complete, you will need to authorize each connection. \n\n 1. Click the Microsoft Sentinel connection resource \n\n 2. Click edit API connection \n\n 3. Click Authorize \n\n 4. Sign in \n\n 5. Click Save \n\n 6. Repeat steps for other connections such as Blob Store connection and PAN-OS API connection (For authorizing the PAN-OS API connection, API Key needs to be provided) \n\n ** b. Configurations in Sentinel ** 1. In Microsoft sentinel analytical rules should be configured to trigger an incident with risky IP \n\n 2. Configure the automation rules to trigger this playbook",
"postDeployment": ["** a. Authorize connections ** Once deployment is complete, you will need to authorize each connection. \n\n 1. Click the Microsoft Sentinel connection resource \n\n 2. Click edit API connection \n\n 3. Click Authorize \n\n 4. Sign in \n\n 5. Click Save \n\n 6. Repeat steps for other connections such as Blob Store connection and PAN-OS API connection (For authorizing the PAN-OS API connection, API Key needs to be provided) \n\n ** b. Configurations in Sentinel ** 1. In Microsoft sentinel analytical rules should be configured to trigger an incident with risky IP \n\n 2. Configure the automation rules to trigger this playbook"],
"releaseNotes": [
{
"version": "1.0.0",

4
Solutions/PaloAlto-PAN-OS/Playbooks/PaloAlto-PAN-OS-GetURLCategoryInfo/azuredeploy.json
Просмотреть файл

@ -5,7 +5,7 @@
"comments": "This playbook uses the PaloAlto connector to automatically enrich incidents generated by Sentinel for address object details and URL filtering category information from PAN-OS",
"title": "PaloAlto-PAN-OS-GetURLCategoryInfo",
"description": " When a new sentinal incident is created, this playbook gets triggered and performs below actions:",
"mainSteps": ["1. Fetches the address group details and URL filtering category information from PAN-OS \n\n 2. Updates all the collected information in incident \n\n ![PaloAlto-PAN-OS-GetURLCategoryInfo](./designerscreenshot.PNG)"],
"mainSteps": ["1. Fetches the address group details and URL filtering category information from PAN-OS \n\n 2. Updates all the collected information in incident \n\n ![PaloAlto-PAN-OS-GetURLCategoryInfo](https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/PaloAlto-PAN-OS/Playbooks/PaloAlto-PAN-OS-GetURLCategoryInfo/designerscreenshot.PNG?raw=true)"],
"prerequisites": ["1. PAN-OS Custom Connector needs to be deployed prior to the deployment of this playbook under the same subscription. \n\n 2. Generate an API key. [Refer this link on how to generate the API Key](https://paloaltolactest.trafficmanager.net/restapi-doc/#tag/key-generation)"],
"lastUpdateTime": "2022-07-25T00:00:00.000Z",
"entities": [],
@ -16,7 +16,7 @@
"author": {
"name": "Sindhu Talluri, PAN-OS"
},
"postDeployment": "** a. Authorize connections ** Once deployment is complete, you will need to authorize each connection. \n\n 1. Click the Microsoft Sentinel connection resource \n\n 2. Click edit API connection \n\n 3. Click Authorize \n\n 4. Sign in \n\n 5. Click Save \n\n 6. Repeat steps for PAN-OS API Connection (For authorizing the PAN-OS API connection, API Key needs to be provided) \n\n ** b. Configurations in Sentinel ** 1. In Microsoft sentinel analytical rules should be configured to trigger an incident with risky user account \n\n 2. Configure the automation rules to trigger this playbook",
"postDeployment": ["** a. Authorize connections ** Once deployment is complete, you will need to authorize each connection. \n\n 1. Click the Microsoft Sentinel connection resource \n\n 2. Click edit API connection \n\n 3. Click Authorize \n\n 4. Sign in \n\n 5. Click Save \n\n 6. Repeat steps for PAN-OS API Connection (For authorizing the PAN-OS API connection, API Key needs to be provided) \n\n ** b. Configurations in Sentinel ** 1. In Microsoft sentinel analytical rules should be configured to trigger an incident with risky user account \n\n 2. Configure the automation rules to trigger this playbook"],
"releaseNotes": [
{
"version": "1.0.0",

621
Solutions/PaloAlto-PAN-OS/Workbooks/PaloAltoNetworkThreat.json Normal file
Просмотреть файл

@ -0,0 +1,621 @@
{
"version": "Notebook/1.0",
"items": [
{
"type": 1,
"content": {
"json": "## Palo Alto network threat\n"
},
"name": "text - 2"
},
{
"type": 9,
"content": {
"version": "KqlParameterItem/1.0",
"query": "",
"crossComponentResources": [],
"parameters": [
{
"id": "d0ccb5c6-8a07-4b7e-9abf-38fa4dcc0baf",
"version": "KqlParameterItem/1.0",
"name": "TimeRange",
"type": 4,
"isRequired": true,
"value": {
"durationMs": 43200000
},
"typeSettings": {
"selectableValues": [
{
"durationMs": 300000
},
{
"durationMs": 900000
},
{
"durationMs": 1800000
},
{
"durationMs": 3600000
},
{
"durationMs": 14400000
},
{
"durationMs": 43200000
},
{
"durationMs": 86400000
},
{
"durationMs": 172800000
},
{
"durationMs": 259200000
},
{
"durationMs": 604800000
},
{
"durationMs": 1209600000
},
{
"durationMs": 2419200000
},
{
"durationMs": 2592000000
},
{
"durationMs": 5184000000
},
{
"durationMs": 7776000000
}
],
"allowCustom": true
}
}
],
"style": "pills",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces"
},
"name": "parameters - 1"
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "let data = CommonSecurityLog\r\n| where DeviceProduct has 'PAN-OS'\r\n| where DeviceVendor =~ 'Palo Alto Networks'\r\n| where Activity =~ 'THREAT' and DeviceEventClassID != 'url' and DeviceEventClassID != 'file';\r\ndata\r\n| summarize Count = count() by DeviceEventClassID\r\n| join kind = inner (data\r\n | make-series Trend = count() default = 0 on TimeGenerated from {TimeRange:start} to {TimeRange:end} step {TimeRange:grain} by DeviceEventClassID)\r\n on DeviceEventClassID\r\n| project-away DeviceEventClassID1, TimeGenerated\r\n| extend DeviceEventClassIDs = DeviceEventClassID\r\n| union (\r\n data \r\n | summarize Count = count() \r\n | extend jkey = 1\r\n | join kind=inner (data\r\n | make-series Trend = count() default = 0 on TimeGenerated from {TimeRange:start} to {TimeRange:end} step {TimeRange:grain}\r\n | extend jkey = 1) on jkey\r\n | extend DeviceEventClassID = 'All', DeviceEventClassIDs = '*' \r\n)\r\n| project DeviceEventClassID, Count, Trend\r\n| order by Count desc\r\n| take 10",
"size": 3,
"exportFieldName": "DeviceEventClassID",
"exportParameterName": "SelectedSubtype",
"exportDefaultValue": "All",
"exportToExcelOptions": "visible",
"title": "Threats, by subtypes",
"timeContext": {
"durationMs": 0
},
"timeContextFromParameter": "TimeRange",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
"visualization": "tiles",
"tileSettings": {
"titleContent": {
"columnMatch": "DeviceEventClassID",
"formatter": 1,
"formatOptions": {
"showIcon": true
}
},
"leftContent": {
"columnMatch": "Count",
"formatter": 12,
"formatOptions": {
"palette": "auto",
"showIcon": true
},
"numberFormat": {
"unit": 17,
"options": {
"maximumSignificantDigits": 3,
"maximumFractionDigits": 2
}
}
},
"secondaryContent": {
"columnMatch": "Trend",
"formatter": 9,
"formatOptions": {
"palette": "blueDark",
"showIcon": true
}
},
"showBorder": false
}
},
"customWidth": "33",
"name": "Threats by subtypes"
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "let data = CommonSecurityLog\r\n| where DeviceProduct has 'PAN-OS'\r\n| where DeviceVendor =~ 'Palo Alto Networks'\r\n| where Activity =~ 'THREAT'\r\n| where DeviceEventClassID =~'wildfire';\r\ndata\r\n| summarize Count = count() by DeviceCustomString2\r\n| join kind = inner (data\r\n | make-series Trend = count() default = 0 on TimeGenerated from {TimeRange:start} to {TimeRange:end} step {TimeRange:grain} by DeviceCustomString2)\r\n on DeviceCustomString2\r\n| project-away DeviceCustomString21, TimeGenerated\r\n| extend DeviceCustomString2s = DeviceCustomString2\r\n| union (\r\n data \r\n | summarize Count = count() \r\n | extend jkey = 1\r\n | join kind=inner (data\r\n | make-series Trend = count() default = 0 on TimeGenerated from {TimeRange:start} to {TimeRange:end} step {TimeRange:grain}\r\n | extend jkey = 1) on jkey\r\n | extend DeviceCustomString2 = 'All', DeviceCustomString2s = '*' \r\n)\r\n| project DeviceCustomString2, Count, Trend\r\n| order by Count desc\r\n| take 10",
"size": 3,
"exportFieldName": "DeviceCustomString2",
"exportParameterName": "SelectedWildfire",
"exportDefaultValue": "All",
"exportToExcelOptions": "visible",
"title": "WildFire verdicts",
"timeContext": {
"durationMs": 0
},
"timeContextFromParameter": "TimeRange",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
"visualization": "tiles",
"tileSettings": {
"titleContent": {
"columnMatch": "DeviceCustomString2",
"formatter": 1,
"formatOptions": {
"showIcon": true
}
},
"leftContent": {
"columnMatch": "Count",
"formatter": 12,
"formatOptions": {
"palette": "auto",
"showIcon": true
},
"numberFormat": {
"unit": 17,
"options": {
"style": "decimal",
"maximumFractionDigits": 2,
"maximumSignificantDigits": 3
}
}
},
"secondaryContent": {
"columnMatch": "Trend",
"formatter": 9,
"formatOptions": {
"palette": "blueDark",
"showIcon": true
}
},
"showBorder": false
}
},
"customWidth": "33",
"name": "WildFire verdicts"
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "let data = CommonSecurityLog\r\n| where DeviceProduct has 'PAN-OS'\r\n| where DeviceVendor =~ 'Palo Alto Networks'\r\n| where Activity =~ 'THREAT' and LogSeverity != 'url' and LogSeverity != 'file';\r\ndata\r\n| summarize Count = count() by LogSeverity\r\n| join kind = inner (data\r\n | make-series Trend = count() default = 0 on TimeGenerated from {TimeRange:start} to {TimeRange:end} step {TimeRange:grain} by LogSeverity)\r\n on LogSeverity\r\n| project-away LogSeverity1, TimeGenerated\r\n| extend LogSeveritys = LogSeverity\r\n| union (\r\n data \r\n | summarize Count = count() \r\n | extend jkey = 1\r\n | join kind=inner (data\r\n | make-series Trend = count() default = 0 on TimeGenerated from {TimeRange:start} to {TimeRange:end} step {TimeRange:grain}\r\n | extend jkey = 1) on jkey\r\n | extend LogSeverity = 'All', LogSeveritys = '*' \r\n)\r\n| project LogSeverity, Count, Trend\r\n| order by Count desc\r\n| take 10",
"size": 3,
"exportFieldName": "LogSeverity",
"exportParameterName": "SelectedSeverity",
"exportDefaultValue": "All",
"exportToExcelOptions": "visible",
"title": "Threats severity",
"timeContext": {
"durationMs": 0
},
"timeContextFromParameter": "TimeRange",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
"visualization": "tiles",
"gridSettings": {
"formatters": [
{
"columnMatch": "LogSeverity",
"formatter": 0,
"formatOptions": {
"showIcon": true
}
},
{
"columnMatch": "Count",
"formatter": 0,
"formatOptions": {
"showIcon": true
}
},
{
"columnMatch": "Trend",
"formatter": 9,
"formatOptions": {
"palette": "lightBlue",
"showIcon": true
}
}
],
"labelSettings": []
},
"tileSettings": {
"titleContent": {
"columnMatch": "LogSeverity",
"formatter": 1,
"formatOptions": {
"showIcon": true
}
},
"leftContent": {
"columnMatch": "Count",
"formatter": 12,
"formatOptions": {
"palette": "auto",
"showIcon": true
},
"numberFormat": {
"unit": 17,
"options": {
"maximumSignificantDigits": 3,
"maximumFractionDigits": 2
}
}
},
"secondaryContent": {
"columnMatch": "Trend",
"formatter": 9,
"formatOptions": {
"palette": "blueDark",
"showIcon": true
}
},
"showBorder": false
}
},
"customWidth": "33",
"name": "Threats severity"
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "CommonSecurityLog\r\n| where DeviceProduct has 'PAN-OS'\r\n| where DeviceVendor =~ 'Palo Alto Networks'\r\n| where Activity =~ 'THREAT' and DeviceEventClassID != 'url' and DeviceEventClassID != 'file'\r\n| where '{SelectedSubtype}' == \"All\" or '{SelectedSubtype}'==DeviceEventClassID\r\n| where '{SelectedWildfire}' == \"All\" or '{SelectedWildfire}'==DeviceCustomString2\r\n| where '{SelectedSeverity}' == \"All\" or '{SelectedSeverity}'==LogSeverity\r\n| summarize count() by bin(TimeGenerated, 1h), DeviceEventClassID\r\n| render timechart\r\n",
"size": 0,
"exportToExcelOptions": "visible",
"title": "Threat subtypes over time",
"timeContext": {
"durationMs": 0
},
"timeContextFromParameter": "TimeRange",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces"
},
"customWidth": "37.5",
"name": "Threat subtypes over time"
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "CommonSecurityLog\r\n| where DeviceProduct has 'PAN-OS'\r\n| where DeviceVendor =~ 'Palo Alto Networks'\r\n| where Activity =~ 'THREAT' and DeviceEventClassID != 'url' and DeviceEventClassID != 'file'\r\n| where '{SelectedSubtype}' == \"All\" or '{SelectedSubtype}'==DeviceEventClassID\r\n| where '{SelectedWildfire}' == \"All\" or '{SelectedWildfire}'==DeviceCustomString2\r\n| where '{SelectedSeverity}' == \"All\" or '{SelectedSeverity}'==LogSeverity\r\n| summarize count() by bin(TimeGenerated, 1h), LogSeverity\r\n| render timechart\r\n",
"size": 0,
"exportToExcelOptions": "visible",
"title": "Threat severity over time",
"timeContext": {
"durationMs": 0
},
"timeContextFromParameter": "TimeRange",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces"
},
"customWidth": "37.5",
"name": "Threat severity over time"
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "let data = CommonSecurityLog\r\n| where DeviceProduct has 'PAN-OS'\r\n| where DeviceVendor =~ 'Palo Alto Networks'\r\n| where Activity =~ 'THREAT' and DeviceEventClassID != 'url' and DeviceEventClassID != 'file'\r\n| where '{SelectedSubtype}' == \"All\" or '{SelectedSubtype}'==DeviceEventClassID\r\n| where '{SelectedWildfire}' == \"All\" or '{SelectedWildfire}'==DeviceCustomString2\r\n| where '{SelectedSeverity}' == \"All\" or '{SelectedSeverity}'==LogSeverity;\r\ndata\r\n| summarize Count = count() by ApplicationProtocol\r\n| join kind = inner (data\r\n | make-series Trend = count() default = 0 on TimeGenerated from {TimeRange:start} to {TimeRange:end} step {TimeRange:grain} by ApplicationProtocol)\r\n on ApplicationProtocol\r\n| project-away ApplicationProtocol1, TimeGenerated\r\n| extend ApplicationProtocols = ApplicationProtocol\r\n| union (\r\n data \r\n | summarize Count = count() \r\n | extend jkey = 1\r\n | join kind=inner (data\r\n | make-series Trend = count() default = 0 on TimeGenerated from {TimeRange:start} to {TimeRange:end} step {TimeRange:grain}\r\n | extend jkey = 1) on jkey\r\n | extend ApplicationProtocol = 'All', ApplicationProtocols = '*' \r\n)\r\n| project ApplicationProtocol, Count, Trend\r\n| order by Count desc\r\n| take 10",
"size": 0,
"exportToExcelOptions": "visible",
"title": "Threats, by application",
"timeContext": {
"durationMs": 0
},
"timeContextFromParameter": "TimeRange",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
"visualization": "table",
"gridSettings": {
"formatters": [
{
"columnMatch": "ApplicationProtocol",
"formatter": 0,
"formatOptions": {
"showIcon": true
}
},
{
"columnMatch": "Count",
"formatter": 4,
"formatOptions": {
"palette": "coldHot",
"showIcon": true
}
},
{
"columnMatch": "Trend",
"formatter": 9,
"formatOptions": {
"showIcon": true
}
}
],
"labelSettings": []
},
"tileSettings": {
"titleContent": {
"columnMatch": "ApplicationProtocol",
"formatter": 1,
"formatOptions": {
"showIcon": true
}
},
"leftContent": {
"columnMatch": "Count",
"formatter": 12,
"formatOptions": {
"palette": "auto",
"showIcon": true
},
"numberFormat": {
"unit": 17,
"options": {
"maximumSignificantDigits": 3,
"maximumFractionDigits": 2
}
}
},
"secondaryContent": {
"columnMatch": "Trend",
"formatter": 9,
"formatOptions": {
"palette": "blueDark",
"showIcon": true
}
},
"showBorder": false
}
},
"customWidth": "25",
"name": "Threats by application"
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "CommonSecurityLog\r\n| where DeviceProduct has 'PAN-OS'\r\n| where DeviceVendor =~ 'Palo Alto Networks'\r\n| where Activity =~ 'THREAT'\r\n| where '{SelectedSubtype}' == \"All\" or '{SelectedSubtype}'==DeviceEventClassID\r\n| where '{SelectedWildfire}' == \"All\" or '{SelectedWildfire}'==DeviceCustomString2\r\n| where '{SelectedSeverity}' == \"All\" or '{SelectedSeverity}'==LogSeverity\r\n| project TimeGenerated, ReceiptTime, LogSeverity, DeviceAction, ['URL Category'] =DeviceCustomString2, DestinationPort, DestinationIP, Message, SourcePort, SourceIP, DestinationUserID, RequestURL",
"size": 0,
"exportToExcelOptions": "visible",
"title": "Threat events",
"timeContext": {
"durationMs": 0
},
"timeContextFromParameter": "TimeRange",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
"gridSettings": {
"filter": true,
"labelSettings": []
}
},
"name": "All Threat Events"
},
{
"type": 1,
"content": {
"json": "---"
},
"name": "text - 11"
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "CommonSecurityLog\r\n| where DeviceProduct has 'PAN-OS'\r\n| where DeviceVendor =~ 'Palo Alto Networks'\r\n| where DeviceEventClassID =~ 'vulnerability' \r\n| extend ThreatId = coalesce(\r\n column_ifexists(\"DeviceEventCategory\", \"\"),\r\n extract('cat=([^;]+)',1,AdditionalExtensions),\r\n \"\"\r\n )\r\n| summarize Amount=count() by ThreatId, LogSeverity\r\n| top 20 by Amount",
"size": 0,
"exportToExcelOptions": "visible",
"title": "Top vulnerability events",
"timeContext": {
"durationMs": 0
},
"timeContextFromParameter": "TimeRange",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
"gridSettings": {
"formatters": [
{
"columnMatch": "ThreatId",
"formatter": 0,
"formatOptions": {
"showIcon": true
}
},
{
"columnMatch": "LogSeverity",
"formatter": 0,
"formatOptions": {
"showIcon": true
}
},
{
"columnMatch": "Amount",
"formatter": 4,
"formatOptions": {
"palette": "coldHot",
"showIcon": true
}
},
{
"columnMatch": "count_",
"formatter": 4,
"formatOptions": {
"palette": "coldHot",
"showIcon": true
}
}
],
"filter": true,
"labelSettings": []
}
},
"customWidth": "50",
"name": "Top vulnerability events"
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "CommonSecurityLog\r\n| where DeviceProduct has 'PAN-OS'\r\n| where DeviceVendor =~ 'Palo Alto Networks'\r\n| search DeviceEventClassID:'*virus*'\r\n| summarize Amount=count() by RequestURL, DeviceEventClassID, DestinationIP, SourceIP, ApplicationProtocol\r\n| top 20 by Amount",
"size": 0,
"exportToExcelOptions": "visible",
"title": "Virus and malware events",
"timeContext": {
"durationMs": 0
},
"timeContextFromParameter": "TimeRange",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
"gridSettings": {
"formatters": [
{
"columnMatch": "RequestURL",
"formatter": 0,
"formatOptions": {
"showIcon": true
}
},
{
"columnMatch": "DeviceEventClassID",
"formatter": 0,
"formatOptions": {
"showIcon": true
}
},
{
"columnMatch": "DestinationIP",
"formatter": 0,
"formatOptions": {
"showIcon": true
}
},
{
"columnMatch": "SourceIP",
"formatter": 0,
"formatOptions": {
"showIcon": true
}
},
{
"columnMatch": "ApplicationProtocol",
"formatter": 0,
"formatOptions": {
"showIcon": true
}
},
{
"columnMatch": "Amount",
"formatter": 4,
"formatOptions": {
"palette": "coldHot",
"showIcon": true
}
},
{
"columnMatch": "SourceUserID",
"formatter": 0,
"formatOptions": {
"showIcon": true
}
},
{
"columnMatch": "count_",
"formatter": 4,
"formatOptions": {
"palette": "coldHot",
"showIcon": true
}
}
],
"filter": true,
"labelSettings": []
}
},
"customWidth": "50",
"name": "Virus and malware events"
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "CommonSecurityLog\r\n| where DeviceProduct has 'PAN-OS'\r\n| where DeviceVendor =~ 'Palo Alto Networks'\r\n//| where DeviceEventClassID =~ 'correlation' \r\n| extend ThreatId = coalesce(\r\n column_ifexists(\"DeviceEventCategory\", \"\"),\r\n extract('cat=([^;]+)',1,AdditionalExtensions),\r\n \"\"\r\n )\r\n| extend ThreatCategory = extract('PanOSThreatCategory=([^;]+)',1, AdditionalExtensions)\r\n| summarize Amount=count() by ThreatId, ThreatCategory, LogSeverity\r\n| top 20 by Amount",
"size": 0,
"exportToExcelOptions": "visible",
"title": "Top correlation events",
"timeContext": {
"durationMs": 0
},
"timeContextFromParameter": "TimeRange",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
"visualization": "table",
"gridSettings": {
"formatters": [
{
"columnMatch": "ThreatId",
"formatter": 0,
"formatOptions": {
"showIcon": true
}
},
{
"columnMatch": "ThreatCategory",
"formatter": 0,
"formatOptions": {
"showIcon": true
}
},
{
"columnMatch": "LogSeverity",
"formatter": 0,
"formatOptions": {
"showIcon": true
}
},
{
"columnMatch": "Amount",
"formatter": 4,
"formatOptions": {
"palette": "coldHot",
"showIcon": true
}
},
{
"columnMatch": "count_",
"formatter": 4,
"formatOptions": {
"palette": "coldHot",
"showIcon": true
}
}
],
"labelSettings": []
}
},
"name": "Top correlation events"
}
],
"styleSettings": {},
"fromTemplateId": "sentinel-PaloAltoNetworkThreat",
"$schema": "https://github.com/Microsoft/Application-Insights-Workbooks/blob/master/schema/workbook.json"
}

1509
Solutions/PaloAlto-PAN-OS/Workbooks/PaloAltoOverview.json Normal file
Просмотреть файл

Разница между файлами не показана из-за своего большого размера Загрузить разницу

18
Solutions/PaloAlto-PAN-OS/data/Solution_PaloAlto-PAN-OS.json
Просмотреть файл

@ -2,7 +2,23 @@
"Name": "PaloAlto-PAN-OS",
"Author": "Microsoft - support@microsoft.com",
"Logo": "<img src=\"https://github.com/Azure/Azure-Sentinel/raw/master/Playbooks/PaloAlto-PAN-OS/PaloAltoCustomConnector/PAN-OS_CustomConnector.png\" width=\"75px\" height=\"75px\">",
"Description": "[PAN-OS](https://docs.paloaltonetworks.com/pan-os) is the software that runs all Palo Alto Networks next-generation firewalls. By leveraging the key technologies that are built into PAN-OS natively -- App-ID, Content-ID, Device-ID, and User-ID -- you can have complete visibility and control of the applications in use across all users and devices in all locations all the time.",
"Description": "The [Palo Alto Networks (Firewall)](https://www.paloaltonetworks.com/network-security/next-generation-firewall) Solution for Microsoft Sentinel allows you to easily connect your Palo Alto Networks Firewall logs with Microsoft Sentinel, to view dashboards, create custom alerts, and improve investigation. This gives you more insight into your organization's network and improves your security operation capabilities. This solution also contains playbooks to help in automated remediation. . **Underlying Microsoft Technologies used:**\n\nThis solution takes a dependency on the following technologies, and some of these dependencies either may be in [Preview](https://azure.microsoft.com/support/legal/preview-supplemental-terms/) state or might result in additional ingestion or operational costs: a. [Agent-based log collection (CEF over Syslog)](https://docs.microsoft.com/azure/sentinel/connect-common-event-format)",
"Data Connectors": [
"Solutions/PaloAlto-PAN-OS/Data Connectors/PaloAltoNetworks.json"
],
"Hunting Queries": [
"Solutions/PaloAlto-PAN-OS/Hunting Queries/PaloAlto-HighRiskPorts.yaml"
],
"Workbooks": [
"Solutions/PaloAlto-PAN-OS/Workbooks/PaloAltoOverview.json",
"Solutions/PaloAlto-PAN-OS/Workbooks/PaloAltoNetworkThreat.json"
],
"Analytic Rules": [
"Solutions/PaloAlto-PAN-OS/Analytic Rules/PaloAlto-UnusualThreatSignatures.yaml",
"Solutions/PaloAlto-PAN-OS/Analytic Rules/FileHashEntity_Covid19_CommonSecurityLog.yaml",
"Solutions/PaloAlto-PAN-OS/Analytic Rules/PaloAlto-NetworkBeaconing.yaml",
"Solutions/PaloAlto-PAN-OS/Analytic Rules/PaloAlto-PortScanning.yaml"
],
"Playbooks": [
"Solutions/PaloAlto-PAN-OS/Playbooks/PaloAltoCustomConnector/azuredeploy.json",
"Solutions/PaloAlto-PAN-OS/Playbooks/PaloAlto-PAN-OS-GetSystemInfo/azuredeploy.json",