diff --git a/Detections/ThreatIntelligenceIndicator/FileHashEntity_Covid19_CommonSecurityLog.yaml b/Solutions/PaloAlto-PAN-OS/Analytic Rules/FileHashEntity_Covid19_CommonSecurityLog.yaml
similarity index 98%
rename from Detections/ThreatIntelligenceIndicator/FileHashEntity_Covid19_CommonSecurityLog.yaml
rename to Solutions/PaloAlto-PAN-OS/Analytic Rules/FileHashEntity_Covid19_CommonSecurityLog.yaml
index a1a734e7ac..18352c02cc 100644
--- a/Detections/ThreatIntelligenceIndicator/FileHashEntity_Covid19_CommonSecurityLog.yaml
+++ b/Solutions/PaloAlto-PAN-OS/Analytic Rules/FileHashEntity_Covid19_CommonSecurityLog.yaml
@@ -3,6 +3,7 @@ name: Microsoft COVID-19 file hash indicator matches
description: |
'Identifies a match in CommonSecurityLog Event data from any FileHash published in the Microsoft COVID-19 Threat Intel Feed - as described at https://www.microsoft.com/security/blog/2020/05/14/open-sourcing-covid-threat-intelligence/'
severity: Medium
+status: Available
requiredDataConnectors:
- connectorId: PaloAltoNetworks
dataTypes:
diff --git a/Detections/CommonSecurityLog/PaloAlto-NetworkBeaconing.yaml b/Solutions/PaloAlto-PAN-OS/Analytic Rules/PaloAlto-NetworkBeaconing.yaml
similarity index 99%
rename from Detections/CommonSecurityLog/PaloAlto-NetworkBeaconing.yaml
rename to Solutions/PaloAlto-PAN-OS/Analytic Rules/PaloAlto-NetworkBeaconing.yaml
index 67a9f6b7bc..1f0767d8dd 100644
--- a/Detections/CommonSecurityLog/PaloAlto-NetworkBeaconing.yaml
+++ b/Solutions/PaloAlto-PAN-OS/Analytic Rules/PaloAlto-NetworkBeaconing.yaml
@@ -8,6 +8,7 @@ description: |
http://www.austintaylor.io/detect/beaconing/intrusion/detection/system/command/control/flare/elastic/stack/2017/06/10/detect-beaconing-with-flare-elasticsearch-and-intrusion-detection-systems/
https://techcommunity.microsoft.com/t5/microsoft-sentinel-blog/detect-network-beaconing-via-intra-request-time-delta-patterns/ba-p/779586'
severity: Low
+status: Available
requiredDataConnectors:
- connectorId: PaloAltoNetworks
dataTypes:
diff --git a/Detections/CommonSecurityLog/PaloAlto-PortScanning.yaml b/Solutions/PaloAlto-PAN-OS/Analytic Rules/PaloAlto-PortScanning.yaml
similarity index 99%
rename from Detections/CommonSecurityLog/PaloAlto-PortScanning.yaml
rename to Solutions/PaloAlto-PAN-OS/Analytic Rules/PaloAlto-PortScanning.yaml
index 63e746fbf9..2cf73dde48 100644
--- a/Detections/CommonSecurityLog/PaloAlto-PortScanning.yaml
+++ b/Solutions/PaloAlto-PAN-OS/Analytic Rules/PaloAlto-PortScanning.yaml
@@ -7,6 +7,7 @@ description: |
References: https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClUvCAK and
https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClTaCAK'
severity: Low
+status: Available
requiredDataConnectors:
- connectorId: PaloAltoNetworks
dataTypes:
diff --git a/Detections/CommonSecurityLog/PaloAlto-UnusualThreatSignatures.yaml b/Solutions/PaloAlto-PAN-OS/Analytic Rules/PaloAlto-UnusualThreatSignatures.yaml
similarity index 97%
rename from Detections/CommonSecurityLog/PaloAlto-UnusualThreatSignatures.yaml
rename to Solutions/PaloAlto-PAN-OS/Analytic Rules/PaloAlto-UnusualThreatSignatures.yaml
index e9faa4a7ea..594017dd17 100644
--- a/Detections/CommonSecurityLog/PaloAlto-UnusualThreatSignatures.yaml
+++ b/Solutions/PaloAlto-PAN-OS/Analytic Rules/PaloAlto-UnusualThreatSignatures.yaml
@@ -1,56 +1,57 @@
-id: 89a86f70-615f-4a79-9621-6f68c50f365f
-name: Palo Alto Threat signatures from Unusual IP addresses
-description: |
- 'Identifies Palo Alto Threat signatures from unusual IP addresses which are not historically seen.
- This detection is also leveraged and required for MDE and PAN Fusion scenario
- https://docs.microsoft.com/Azure/sentinel/fusion-scenario-reference#network-request-to-tor-anonymization-service-followed-by-anomalous-traffic-flagged-by-palo-alto-networks-firewall'
-severity: Medium
-requiredDataConnectors:
- - connectorId: PaloAltoNetworks
- dataTypes:
- - CommonSecurityLog
-queryFrequency: 1h
-queryPeriod: 7d
-triggerOperator: gt
-triggerThreshold: 0
-tactics:
- - Discovery
- - Exfiltration
- - CommandAndControl
-relevantTechniques:
- - T1046
- - T1030
- - T1071.001
-tags:
- - Fusion
-query: |
- let starttime = 7d;
- let endtime = 1d;
- let timeframe = 1h;
- let HistThreshold = 25;
- let CurrThreshold = 10;
- let HistoricalThreats = CommonSecurityLog
- | where isnotempty(SourceIP)
- | where TimeGenerated between (startofday(ago(starttime))..startofday(ago(endtime)))
- | where DeviceVendor =~ "Palo Alto Networks"
- | where Activity =~ "THREAT" and SimplifiedDeviceAction =~ "alert"
- | where DeviceEventClassID in ('spyware', 'scan', 'file', 'vulnerability', 'flood', 'packet', 'virus','wildfire', 'wildfire-virus')
- | summarize TotalEvents = count(), ThreatTypes = make_set(DeviceEventClassID), DestinationIpList = make_set(DestinationIP), FirstSeen = min(TimeGenerated) , LastSeen = max(TimeGenerated) by SourceIP, DeviceAction, DeviceVendor;
- let CurrentHourThreats = CommonSecurityLog
- | where isnotempty(SourceIP)
- | where TimeGenerated > ago(timeframe)
- | where DeviceVendor =~ "Palo Alto Networks"
- | where Activity =~ "THREAT" and SimplifiedDeviceAction =~ "alert"
- | where DeviceEventClassID in ('spyware', 'scan', 'file', 'vulnerability', 'flood', 'packet', 'virus','wildfire', 'wildfire-virus')
- | summarize TotalEvents = count(), ThreatTypes = make_set(DeviceEventClassID), DestinationIpList = make_set(DestinationIP), FirstSeen = min(TimeGenerated) , LastSeen = max(TimeGenerated) by SourceIP, DeviceAction, DeviceProduct, DeviceVendor;
- CurrentHourThreats
- | where TotalEvents < CurrThreshold
- | join kind = leftanti (HistoricalThreats
- | where TotalEvents > HistThreshold) on SourceIP
-entityMappings:
- - entityType: IP
- fieldMappings:
- - identifier: Address
- columnName: SourceIP
-version: 1.0.0
+id: 89a86f70-615f-4a79-9621-6f68c50f365f
+name: Palo Alto Threat signatures from Unusual IP addresses
+description: |
+ 'Identifies Palo Alto Threat signatures from unusual IP addresses which are not historically seen.
+ This detection is also leveraged and required for MDE and PAN Fusion scenario
+ https://docs.microsoft.com/Azure/sentinel/fusion-scenario-reference#network-request-to-tor-anonymization-service-followed-by-anomalous-traffic-flagged-by-palo-alto-networks-firewall'
+severity: Medium
+status: Available
+requiredDataConnectors:
+ - connectorId: PaloAltoNetworks
+ dataTypes:
+ - CommonSecurityLog
+queryFrequency: 1h
+queryPeriod: 7d
+triggerOperator: gt
+triggerThreshold: 0
+tactics:
+ - Discovery
+ - Exfiltration
+ - CommandAndControl
+relevantTechniques:
+ - T1046
+ - T1030
+ - T1071.001
+tags:
+ - Fusion
+query: |
+ let starttime = 7d;
+ let endtime = 1d;
+ let timeframe = 1h;
+ let HistThreshold = 25;
+ let CurrThreshold = 10;
+ let HistoricalThreats = CommonSecurityLog
+ | where isnotempty(SourceIP)
+ | where TimeGenerated between (startofday(ago(starttime))..startofday(ago(endtime)))
+ | where DeviceVendor =~ "Palo Alto Networks"
+ | where Activity =~ "THREAT" and SimplifiedDeviceAction =~ "alert"
+ | where DeviceEventClassID in ('spyware', 'scan', 'file', 'vulnerability', 'flood', 'packet', 'virus','wildfire', 'wildfire-virus')
+ | summarize TotalEvents = count(), ThreatTypes = make_set(DeviceEventClassID), DestinationIpList = make_set(DestinationIP), FirstSeen = min(TimeGenerated) , LastSeen = max(TimeGenerated) by SourceIP, DeviceAction, DeviceVendor;
+ let CurrentHourThreats = CommonSecurityLog
+ | where isnotempty(SourceIP)
+ | where TimeGenerated > ago(timeframe)
+ | where DeviceVendor =~ "Palo Alto Networks"
+ | where Activity =~ "THREAT" and SimplifiedDeviceAction =~ "alert"
+ | where DeviceEventClassID in ('spyware', 'scan', 'file', 'vulnerability', 'flood', 'packet', 'virus','wildfire', 'wildfire-virus')
+ | summarize TotalEvents = count(), ThreatTypes = make_set(DeviceEventClassID), DestinationIpList = make_set(DestinationIP), FirstSeen = min(TimeGenerated) , LastSeen = max(TimeGenerated) by SourceIP, DeviceAction, DeviceProduct, DeviceVendor;
+ CurrentHourThreats
+ | where TotalEvents < CurrThreshold
+ | join kind = leftanti (HistoricalThreats
+ | where TotalEvents > HistThreshold) on SourceIP
+entityMappings:
+ - entityType: IP
+ fieldMappings:
+ - identifier: Address
+ columnName: SourceIP
+version: 1.0.0
kind: Scheduled
\ No newline at end of file
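Review bot: The historical baseline on the new side (line 143) starts at `startofday(ago(starttime))` with `starttime = 7d`, which falls earlier than the rule's `queryPeriod: 7d` (line 122), so the first partial day of the baseline is presumably never visible to the scheduled query; either raise the lookback to `queryPeriod: 8d` or bound the window with `ago(starttime)` directly so the declared period and the query agree. The two summarize statements also group differently — line 147 uses `by SourceIP, DeviceAction, DeviceVendor` while line 154 adds `DeviceProduct` — and since `HistThreshold` is applied per group rather than per source, a source whose historical events are split across groups can be treated as "unusual"; grouping both on `by SourceIP, DeviceAction, DeviceProduct, DeviceVendor` makes the comparison symmetric. Every line of the file is removed and re-added although only `status: Available` is new content, which looks like a line-ending change; worth confirming that is intended so future blame stays useful.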
diff --git a/DataConnectors/Palo Alto Networks/PaloAltoNetworks.json b/Solutions/PaloAlto-PAN-OS/Data Connectors/PaloAltoNetworks.json
similarity index 79%
rename from DataConnectors/Palo Alto Networks/PaloAltoNetworks.json
rename to Solutions/PaloAlto-PAN-OS/Data Connectors/PaloAltoNetworks.json
index 43b682a145..76bcb7cfb6 100644
--- a/DataConnectors/Palo Alto Networks/PaloAltoNetworks.json
+++ b/Solutions/PaloAlto-PAN-OS/Data Connectors/PaloAltoNetworks.json
@@ -2,7 +2,7 @@
"id": "PaloAltoNetworks",
"title": "Palo Alto Networks (Firewall)",
"publisher": "Palo Alto Networks",
- "descriptionMarkdown": "The Palo Alto Networks firewall connector allows you to easily connect your Palo Alto Networks logs with Azure Sentinel, to view dashboards, create custom alerts, and improve investigation. This gives you more insight into your organization's network and improves your security operation capabilities.",
+ "descriptionMarkdown": "The Palo Alto Networks firewall connector allows you to easily connect your Palo Alto Networks logs with Microsoft Sentinel, to view dashboards, create custom alerts, and improve investigation. This gives you more insight into your organization's network and improves your security operation capabilities.",
"graphQueries": [
{
"metricName": "Total data received",
@@ -36,7 +36,7 @@
],
"availability": {
"status": 1,
- "isPreview": true
+ "isPreview": false
},
"permissions": {
"resourceProvider": [
@@ -65,15 +65,15 @@
"instructionSteps": [
{
"title": "1. Linux Syslog agent configuration",
- "description": "Install and configure the Linux agent to collect your Common Event Format (CEF) Syslog messages and forward them to Azure Sentinel.\n\n> Notice that the data from all regions will be stored in the selected workspace",
+ "description": "Install and configure the Linux agent to collect your Common Event Format (CEF) Syslog messages and forward them to Microsoft Sentinel.\n\n> Notice that the data from all regions will be stored in the selected workspace",
"innerSteps": [
{
"title": "1.1 Select or create a Linux machine",
- "description": "Select or create a Linux machine that Azure Sentinel will use as the proxy between your security solution and Azure Sentinel this machine can be on your on-prem environment, Azure or other clouds."
+ "description": "Select or create a Linux machine that Microsoft Sentinel will use as the proxy between your security solution and Microsoft Sentinel this machine can be on your on-prem environment, Azure or other clouds."
},
{
"title": "1.2 Install the CEF collector on the Linux machine",
- "description": "Install the Microsoft Monitoring Agent on your Linux machine and configure the machine to listen on the necessary port and forward messages to your Azure Sentinel workspace. The CEF collector collects CEF messages on port 514 TCP.\n\n> 1. Make sure that you have Python on your machine using the following command: python -version.\n\n> 2. You must have elevated permissions (sudo) on your machine.",
+ "description": "Install the Microsoft Monitoring Agent on your Linux machine and configure the machine to listen on the necessary port and forward messages to your Microsoft Sentinel workspace. The CEF collector collects CEF messages on port 514 TCP.\n\n> 1. Make sure that you have Python on your machine using the following command: python -version.\n\n> 2. You must have elevated permissions (sudo) on your machine.",
"instructions": [
{
"parameters": {
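Review bot: The instruction text on the new side at line 207 tells the operator to check for Python with `python -version`, which is not the version flag (`python --version`, or `python -V`, prints the version); the line should read `... using the following command: python --version.` since the commit is already touching this string for the Azure→Microsoft Sentinel rename. The enclosing `instructionSteps` array starts before this hunk and continues past it.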
@@ -92,7 +92,7 @@
},
{
"title": "2. Forward Palo Alto Networks logs to Syslog agent",
- "description": "Configure Palo Alto Networks to forward Syslog messages in CEF format to your Azure Sentinel workspace via the Syslog agent.\n\nGo to [configure Palo Alto Networks NGFW for sending CEF events.](https://aka.ms/sentinel-paloaltonetworks-readme)\n\nGo to [Palo Alto CEF Configuration](https://aka.ms/asi-syslog-paloalto-forwarding) and Palo Alto [Configure Syslog Monitoring](https://aka.ms/asi-syslog-paloalto-configure) steps 2, 3, choose your version, and follow the instructions using the following guidelines:\n\n1. Set the Syslog server format to **BSD**.\n\n2. The copy/paste operations from the PDF might change the text and insert random characters. To avoid this, copy the text to an editor and remove any characters that might break the log format before pasting it.\n\n[Learn more >](https://aka.ms/CEFPaloAlto)"
+ "description": "Configure Palo Alto Networks to forward Syslog messages in CEF format to your Microsoft Sentinel workspace via the Syslog agent.\n\nGo to [configure Palo Alto Networks NGFW for sending CEF events.](https://aka.ms/sentinel-paloaltonetworks-readme)\n\nGo to [Palo Alto CEF Configuration](https://aka.ms/asi-syslog-paloalto-forwarding) and Palo Alto [Configure Syslog Monitoring](https://aka.ms/asi-syslog-paloalto-configure) steps 2, 3, choose your version, and follow the instructions using the following guidelines:\n\n1. Set the Syslog server format to **BSD**.\n\n2. The copy/paste operations from the PDF might change the text and insert random characters. To avoid this, copy the text to an editor and remove any characters that might break the log format before pasting it.\n\n[Learn more >](https://aka.ms/CEFPaloAlto)"
},
{
"title": "3. Validate connection",
diff --git a/DataConnectors/Palo Alto Networks/readme.md b/Solutions/PaloAlto-PAN-OS/Data Connectors/readme.md
similarity index 100%
rename from DataConnectors/Palo Alto Networks/readme.md
rename to Solutions/PaloAlto-PAN-OS/Data Connectors/readme.md
diff --git a/Hunting Queries/CommonSecurityLog/PaloAlto-HighRiskPorts.yaml b/Solutions/PaloAlto-PAN-OS/Hunting Queries/PaloAlto-HighRiskPorts.yaml
similarity index 100%
rename from Hunting Queries/CommonSecurityLog/PaloAlto-HighRiskPorts.yaml
rename to Solutions/PaloAlto-PAN-OS/Hunting Queries/PaloAlto-HighRiskPorts.yaml
diff --git a/Solutions/PaloAlto-PAN-OS/Package/2.0.0.zip b/Solutions/PaloAlto-PAN-OS/Package/2.0.0.zip
index 92140b3953..14d4e944f4 100644
Binary files a/Solutions/PaloAlto-PAN-OS/Package/2.0.0.zip and b/Solutions/PaloAlto-PAN-OS/Package/2.0.0.zip differ
diff --git a/Solutions/PaloAlto-PAN-OS/Package/createUiDefinition.json b/Solutions/PaloAlto-PAN-OS/Package/createUiDefinition.json
index 917292fc1f..482a5577b9 100644
--- a/Solutions/PaloAlto-PAN-OS/Package/createUiDefinition.json
+++ b/Solutions/PaloAlto-PAN-OS/Package/createUiDefinition.json
@@ -6,7 +6,7 @@
"config": {
"isWizard": false,
"basics": {
- "description": "\n\n**Note:** _There may be [known issues](https://aka.ms/sentinelsolutionsknownissues) pertaining to this Solution, please refer to them before installing._\n\n[PAN-OS](https://docs.paloaltonetworks.com/pan-os) is the software that runs all Palo Alto Networks next-generation firewalls. By leveraging the key technologies that are built into PAN-OS natively -- App-ID, Content-ID, Device-ID, and User-ID -- you can have complete visibility and control of the applications in use across all users and devices in all locations all the time.\n\n**Custom Azure Logic Apps Connectors:** 1, **Playbooks:** 1\n\n[Learn more about Microsoft Sentinel](https://aka.ms/azuresentinel) | [Learn more about Solutions](https://aka.ms/azuresentinelsolutionsdoc)",
+ "description": "\n\n**Note:** _There may be [known issues](https://aka.ms/sentinelsolutionsknownissues) pertaining to this Solution, please refer to them before installing._\n\nThe [Palo Alto Networks (Firewall)](https://www.paloaltonetworks.com/network-security/next-generation-firewall) Solution for Microsoft Sentinel allows you to easily connect your Palo Alto Networks Firewall logs with Microsoft Sentinel, to view dashboards, create custom alerts, and improve investigation. This gives you more insight into your organization's network and improves your security operation capabilities. This solution also contains playbooks to help in automated remediation. \r\n \r\n **Underlying Microsoft Technologies used:**\n\nThis solution takes a dependency on the following technologies, and some of these dependencies either may be in [Preview](https://azure.microsoft.com/support/legal/preview-supplemental-terms/) state or might result in additional ingestion or operational costs:\r\n \r\n a. [Agent-based log collection (CEF over Syslog)](https://docs.microsoft.com/azure/sentinel/connect-common-event-format)\n\n**Data Connectors:** 1, **Workbooks:** 2, **Analytic Rules:** 4, **Hunting Queries:** 1, **Custom Azure Logic Apps Connectors:** 1, **Playbooks:** 5\n\n[Learn more about Microsoft Sentinel](https://aka.ms/azuresentinel) | [Learn more about Solutions](https://aka.ms/azuresentinelsolutionsdoc)",
"subscription": {
"resourceProviders": [
"Microsoft.OperationsManagement/solutions",
@@ -51,6 +51,180 @@
}
],
"steps": [
+ {
+ "name": "dataconnectors",
+ "label": "Data Connectors",
+ "bladeTitle": "Data Connectors",
+ "elements": [
+ {
+ "name": "dataconnectors1-text",
+ "type": "Microsoft.Common.TextBlock",
+ "options": {
+ "text": "This solution installs the data connector for ingesting Palo Alto Network Firewall logs in the CEF format into Microsoft Sentinel. After installing the solution, configure and enable this data connector by following guidance in Manage solution view."
+ }
+ },
+ {
+ "name": "dataconnectors-link2",
+ "type": "Microsoft.Common.TextBlock",
+ "options": {
+ "link": {
+ "label": "Learn more about connecting data sources",
+ "uri": "https://docs.microsoft.com/azure/sentinel/connect-data-sources"
+ }
+ }
+ }
+ ]
+ },
+ {
+ "name": "workbooks",
+ "label": "Workbooks",
+ "subLabel": {
+ "preValidation": "Configure the workbooks",
+ "postValidation": "Done"
+ },
+ "bladeTitle": "Workbooks",
+ "elements": [
+ {
+ "name": "workbooks-text",
+ "type": "Microsoft.Common.TextBlock",
+ "options": {
+ "text": "This solution installs workbook(s) to help you gain insights into the telemetry collected in Microsoft Sentinel. After installing the solution, start using the workbook in Manage solution view."
+ }
+ },
+ {
+ "name": "workbooks-link",
+ "type": "Microsoft.Common.TextBlock",
+ "options": {
+ "link": {
+ "label": "Learn more",
+ "uri": "https://docs.microsoft.com/azure/sentinel/tutorial-monitor-your-data"
+ }
+ }
+ }
+ ]
+ },
+ {
+ "name": "analytics",
+ "label": "Analytics",
+ "subLabel": {
+ "preValidation": "Configure the analytics",
+ "postValidation": "Done"
+ },
+ "bladeTitle": "Analytics",
+ "elements": [
+ {
+ "name": "analytics-text",
+ "type": "Microsoft.Common.TextBlock",
+ "options": {
+ "text": "This solution installs the following analytic rule templates. After installing the solution, create and enable analytic rules in Manage solution view."
+ }
+ },
+ {
+ "name": "analytics-link",
+ "type": "Microsoft.Common.TextBlock",
+ "options": {
+ "link": {
+ "label": "Learn more",
+ "uri": "https://docs.microsoft.com/azure/sentinel/tutorial-detect-threats-custom?WT.mc_id=Portal-Microsoft_Azure_CreateUIDef"
+ }
+ }
+ },
+ {
+ "name": "analytic1",
+ "type": "Microsoft.Common.Section",
+ "label": "Palo Alto Threat signatures from Unusual IP addresses",
+ "elements": [
+ {
+ "name": "analytic1-text",
+ "type": "Microsoft.Common.TextBlock",
+ "options": {
+ "text": "Identifies Palo Alto Threat signatures from unusual IP addresses which are not historically seen. \nThis detection is also leveraged and required for MDE and PAN Fusion scenario\nhttps://docs.microsoft.com/Azure/sentinel/fusion-scenario-reference#network-request-to-tor-anonymization-service-followed-by-anomalous-traffic-flagged-by-palo-alto-networks-firewall"
+ }
+ }
+ ]
+ },
+ {
+ "name": "analytic2",
+ "type": "Microsoft.Common.Section",
+ "label": "Microsoft COVID-19 file hash indicator matches",
+ "elements": [
+ {
+ "name": "analytic2-text",
+ "type": "Microsoft.Common.TextBlock",
+ "options": {
+ "text": "Identifies a match in CommonSecurityLog Event data from any FileHash published in the Microsoft COVID-19 Threat Intel Feed - as described at https://www.microsoft.com/security/blog/2020/05/14/open-sourcing-covid-threat-intelligence/"
+ }
+ }
+ ]
+ },
+ {
+ "name": "analytic3",
+ "type": "Microsoft.Common.Section",
+ "label": "Palo Alto - potential beaconing detected",
+ "elements": [
+ {
+ "name": "analytic3-text",
+ "type": "Microsoft.Common.TextBlock",
+ "options": {
+ "text": "Identifies beaconing patterns from Palo Alto Network traffic logs based on recurrent timedelta patterns. \nThe query leverages various KQL functions to calculate time deltas and then compares it with total events observed in a day to find percentage of beaconing. \nThis outbound beaconing pattern to untrusted public networks should be investigated for any malware callbacks or data exfiltration attempts.\nReference Blog:\nhttp://www.austintaylor.io/detect/beaconing/intrusion/detection/system/command/control/flare/elastic/stack/2017/06/10/detect-beaconing-with-flare-elasticsearch-and-intrusion-detection-systems/\nhttps://techcommunity.microsoft.com/t5/microsoft-sentinel-blog/detect-network-beaconing-via-intra-request-time-delta-patterns/ba-p/779586"
+ }
+ }
+ ]
+ },
+ {
+ "name": "analytic4",
+ "type": "Microsoft.Common.Section",
+ "label": "Palo Alto - possible internal to external port scanning",
+ "elements": [
+ {
+ "name": "analytic4-text",
+ "type": "Microsoft.Common.TextBlock",
+ "options": {
+ "text": "Identifies a list of internal Source IPs (10.x.x.x Hosts) that have triggered 10 or more non-graceful tcp server resets from one or more Destination IPs which \nresults in an \"ApplicationProtocol = incomplete\" designation. The server resets coupled with an \"Incomplete\" ApplicationProtocol designation can be an indication \nof internal to external port scanning or probing attack. \nReferences: https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClUvCAK and\nhttps://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClTaCAK"
+ }
+ }
+ ]
+ }
+ ]
+ },
+ {
+ "name": "huntingqueries",
+ "label": "Hunting Queries",
+ "bladeTitle": "Hunting Queries",
+ "elements": [
+ {
+ "name": "huntingqueries-text",
+ "type": "Microsoft.Common.TextBlock",
+ "options": {
+ "text": "This solution installs the following hunting queries. After installing the solution, run these hunting queries to hunt for threats in Manage solution view. "
+ }
+ },
+ {
+ "name": "huntingqueries-link",
+ "type": "Microsoft.Common.TextBlock",
+ "options": {
+ "link": {
+ "label": "Learn more",
+ "uri": "https://docs.microsoft.com/azure/sentinel/hunting"
+ }
+ }
+ },
+ {
+ "name": "huntingquery1",
+ "type": "Microsoft.Common.Section",
+ "label": "Palo Alto - high-risk ports",
+ "elements": [
+ {
+ "name": "huntingquery1-text",
+ "type": "Microsoft.Common.TextBlock",
+ "options": {
+ "text": "Identifies network connections whose ports are frequent targets of attacks and should not cross network boundaries or reach untrusted public networks.\nConsider updating the firewall policies to block the connections. It depends on the PaloAltoNetworks data connector and CommonSecurityLog data type and PaloAltoNetworks parser."
+ }
+ }
+ ]
+ }
+ ]
+ },
{
"name": "playbooks",
"label": "Playbooks",
diff --git a/Solutions/PaloAlto-PAN-OS/Package/mainTemplate.json b/Solutions/PaloAlto-PAN-OS/Package/mainTemplate.json
index a81182d476..8a19441aed 100644
--- a/Solutions/PaloAlto-PAN-OS/Package/mainTemplate.json
+++ b/Solutions/PaloAlto-PAN-OS/Package/mainTemplate.json
@@ -27,6 +27,22 @@
"metadata": {
"description": "Workspace name for Log Analytics where Microsoft Sentinel is setup"
}
+ },
+ "workbook1-name": {
+ "type": "string",
+ "defaultValue": "Palo Alto overview",
+ "minLength": 1,
+ "metadata": {
+ "description": "Name for the workbook"
+ }
+ },
+ "workbook2-name": {
+ "type": "string",
+ "defaultValue": "Palo Alto Network Threat",
+ "minLength": 1,
+ "metadata": {
+ "description": "Name for the workbook"
+ }
}
},
"variables": {
@@ -34,23 +50,1211 @@
"_solutionId": "[variables('solutionId')]",
"email": "support@microsoft.com",
"_email": "[variables('email')]",
+ "workspaceResourceId": "[resourceId('microsoft.OperationalInsights/Workspaces', parameters('workspace'))]",
+ "uiConfigId1": "PaloAltoNetworks",
+ "_uiConfigId1": "[variables('uiConfigId1')]",
+ "dataConnectorContentId1": "PaloAltoNetworks",
+ "_dataConnectorContentId1": "[variables('dataConnectorContentId1')]",
+ "dataConnectorId1": "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/dataConnectors', variables('_dataConnectorContentId1'))]",
+ "_dataConnectorId1": "[variables('dataConnectorId1')]",
+ "dataConnectorTemplateSpecName1": "[concat(parameters('workspace'),'-dc-',uniquestring(variables('_dataConnectorContentId1')))]",
+ "dataConnectorVersion1": "1.0.0",
+ "huntingQueryVersion1": "1.0.0",
+ "huntingQuerycontentId1": "0a57accf-3548-4e38-a861-99687c958f59",
+ "_huntingQuerycontentId1": "[variables('huntingQuerycontentId1')]",
+ "huntingQueryId1": "[resourceId('Microsoft.OperationalInsights/savedSearches', variables('_huntingQuerycontentId1'))]",
+ "huntingQueryTemplateSpecName1": "[concat(parameters('workspace'),'-hq-',uniquestring(variables('_huntingQuerycontentId1')))]",
+ "workbookVersion1": "1.2.0",
+ "workbookContentId1": "PaloAltoOverviewWorkbook",
+ "workbookId1": "[resourceId('Microsoft.Insights/workbooks', variables('workbookContentId1'))]",
+ "workbookTemplateSpecName1": "[concat(parameters('workspace'),'-wb-',uniquestring(variables('_workbookContentId1')))]",
+ "_workbookContentId1": "[variables('workbookContentId1')]",
+ "workbookVersion2": "1.1.0",
+ "workbookContentId2": "PaloAltoNetworkThreatWorkbook",
+ "workbookId2": "[resourceId('Microsoft.Insights/workbooks', variables('workbookContentId2'))]",
+ "workbookTemplateSpecName2": "[concat(parameters('workspace'),'-wb-',uniquestring(variables('_workbookContentId2')))]",
+ "_workbookContentId2": "[variables('workbookContentId2')]",
+ "analyticRuleVersion1": "1.0.0",
+ "analyticRulecontentId1": "89a86f70-615f-4a79-9621-6f68c50f365f",
+ "_analyticRulecontentId1": "[variables('analyticRulecontentId1')]",
+ "analyticRuleId1": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', variables('analyticRulecontentId1'))]",
+ "analyticRuleTemplateSpecName1": "[concat(parameters('workspace'),'-ar-',uniquestring(variables('_analyticRulecontentId1')))]",
+ "analyticRuleVersion2": "1.3.0",
+ "analyticRulecontentId2": "2be4ef67-a93f-4d8a-981a-88158cb73abd",
+ "_analyticRulecontentId2": "[variables('analyticRulecontentId2')]",
+ "analyticRuleId2": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', variables('analyticRulecontentId2'))]",
+ "analyticRuleTemplateSpecName2": "[concat(parameters('workspace'),'-ar-',uniquestring(variables('_analyticRulecontentId2')))]",
+ "analyticRuleVersion3": "1.0.1",
+ "analyticRulecontentId3": "f0be259a-34ac-4946-aa15-ca2b115d5feb",
+ "_analyticRulecontentId3": "[variables('analyticRulecontentId3')]",
+ "analyticRuleId3": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', variables('analyticRulecontentId3'))]",
+ "analyticRuleTemplateSpecName3": "[concat(parameters('workspace'),'-ar-',uniquestring(variables('_analyticRulecontentId3')))]",
+ "analyticRuleVersion4": "1.0.1",
+ "analyticRulecontentId4": "5b72f527-e3f6-4a00-9908-8e4fee14da9f",
+ "_analyticRulecontentId4": "[variables('analyticRulecontentId4')]",
+ "analyticRuleId4": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', variables('analyticRulecontentId4'))]",
+ "analyticRuleTemplateSpecName4": "[concat(parameters('workspace'),'-ar-',uniquestring(variables('_analyticRulecontentId4')))]",
"PaloAltoCustomConnector": "PaloAltoCustomConnector",
"_PaloAltoCustomConnector": "[variables('PaloAltoCustomConnector')]",
"playbookVersion1": "1.0",
"playbookContentId1": "PaloAltoCustomConnector",
"_playbookContentId1": "[variables('playbookContentId1')]",
"playbookTemplateSpecName1": "[concat(parameters('workspace'),'-lc-',uniquestring(variables('_playbookContentId1')))]",
- "workspaceResourceId": "[resourceId('microsoft.OperationalInsights/Workspaces', parameters('workspace'))]",
"blanks": "[replace('b', 'b', '')]",
- "PaloAlto-PAN-OS-BlockIP": "PaloAlto-PAN-OS-BlockIP",
- "_PaloAlto-PAN-OS-BlockIP": "[variables('PaloAlto-PAN-OS-BlockIP')]",
+ "PaloAlto-PAN-OS-GetSystemInfo": "PaloAlto-PAN-OS-GetSystemInfo",
+ "_PaloAlto-PAN-OS-GetSystemInfo": "[variables('PaloAlto-PAN-OS-GetSystemInfo')]",
"playbookVersion2": "1.0",
- "playbookContentId2": "PaloAlto-PAN-OS-BlockIP",
+ "playbookContentId2": "PaloAlto-PAN-OS-GetSystemInfo",
"_playbookContentId2": "[variables('playbookContentId2')]",
"playbookId2": "[resourceId('Microsoft.Logic/workflows', variables('playbookContentId2'))]",
- "playbookTemplateSpecName2": "[concat(parameters('workspace'),'-pl-',uniquestring(variables('_playbookContentId2')))]"
+ "playbookTemplateSpecName2": "[concat(parameters('workspace'),'-pl-',uniquestring(variables('_playbookContentId2')))]",
+ "PaloAlto-PAN-OS-GetThreatPCAP": "PaloAlto-PAN-OS-GetThreatPCAP",
+ "_PaloAlto-PAN-OS-GetThreatPCAP": "[variables('PaloAlto-PAN-OS-GetThreatPCAP')]",
+ "playbookVersion3": "1.0",
+ "playbookContentId3": "PaloAlto-PAN-OS-GetThreatPCAP",
+ "_playbookContentId3": "[variables('playbookContentId3')]",
+ "playbookId3": "[resourceId('Microsoft.Logic/workflows', variables('playbookContentId3'))]",
+ "playbookTemplateSpecName3": "[concat(parameters('workspace'),'-pl-',uniquestring(variables('_playbookContentId3')))]",
+ "PaloAlto-PAN-OS-GetURLCategoryInfo": "PaloAlto-PAN-OS-GetURLCategoryInfo",
+ "_PaloAlto-PAN-OS-GetURLCategoryInfo": "[variables('PaloAlto-PAN-OS-GetURLCategoryInfo')]",
+ "playbookVersion4": "1.0",
+ "playbookContentId4": "PaloAlto-PAN-OS-GetURLCategoryInfo",
+ "_playbookContentId4": "[variables('playbookContentId4')]",
+ "playbookId4": "[resourceId('Microsoft.Logic/workflows', variables('playbookContentId4'))]",
+ "playbookTemplateSpecName4": "[concat(parameters('workspace'),'-pl-',uniquestring(variables('_playbookContentId4')))]",
+ "PaloAlto-PAN-OS-BlockIP": "PaloAlto-PAN-OS-BlockIP",
+ "_PaloAlto-PAN-OS-BlockIP": "[variables('PaloAlto-PAN-OS-BlockIP')]",
+ "playbookVersion5": "1.0",
+ "playbookContentId5": "PaloAlto-PAN-OS-BlockIP",
+ "_playbookContentId5": "[variables('playbookContentId5')]",
+ "playbookId5": "[resourceId('Microsoft.Logic/workflows', variables('playbookContentId5'))]",
+ "playbookTemplateSpecName5": "[concat(parameters('workspace'),'-pl-',uniquestring(variables('_playbookContentId5')))]",
+ "PaloAlto-PAN-OS-BlockURL": "PaloAlto-PAN-OS-BlockURL",
+ "_PaloAlto-PAN-OS-BlockURL": "[variables('PaloAlto-PAN-OS-BlockURL')]",
+ "playbookVersion6": "1.0",
+ "playbookContentId6": "PaloAlto-PAN-OS-BlockURL",
+ "_playbookContentId6": "[variables('playbookContentId6')]",
+ "playbookId6": "[resourceId('Microsoft.Logic/workflows', variables('playbookContentId6'))]",
+ "playbookTemplateSpecName6": "[concat(parameters('workspace'),'-pl-',uniquestring(variables('_playbookContentId6')))]"
},
"resources": [
+ {
+ "type": "Microsoft.Resources/templateSpecs",
+ "apiVersion": "2021-05-01",
+ "name": "[variables('dataConnectorTemplateSpecName1')]",
+ "location": "[parameters('workspace-location')]",
+ "tags": {
+ "hidden-sentinelWorkspaceId": "[variables('workspaceResourceId')]",
+ "hidden-sentinelContentType": "DataConnector"
+ },
+ "properties": {
+ "description": "PaloAlto-PAN-OS data connector with template",
+ "displayName": "PaloAlto-PAN-OS template"
+ }
+ },
+ {
+ "type": "Microsoft.Resources/templateSpecs/versions",
+ "apiVersion": "2021-05-01",
+ "name": "[concat(variables('dataConnectorTemplateSpecName1'),'/',variables('dataConnectorVersion1'))]",
+ "location": "[parameters('workspace-location')]",
+ "tags": {
+ "hidden-sentinelWorkspaceId": "[variables('workspaceResourceId')]",
+ "hidden-sentinelContentType": "DataConnector"
+ },
+ "dependsOn": [
+ "[resourceId('Microsoft.Resources/templateSpecs', variables('dataConnectorTemplateSpecName1'))]"
+ ],
+ "properties": {
+ "description": "PaloAlto-PAN-OS data connector with template version 2.0.0",
+ "mainTemplate": {
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "[variables('dataConnectorVersion1')]",
+ "parameters": {},
+ "variables": {},
+ "resources": [
+ {
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',variables('_dataConnectorContentId1'))]",
+ "apiVersion": "2021-03-01-preview",
+ "type": "Microsoft.OperationalInsights/workspaces/providers/dataConnectors",
+ "location": "[parameters('workspace-location')]",
+ "kind": "GenericUI",
+ "properties": {
+ "connectorUiConfig": {
+ "id": "[variables('_uiConfigId1')]",
+ "title": "Palo Alto Networks (Firewall)",
+ "publisher": "Palo Alto Networks",
+ "descriptionMarkdown": "The Palo Alto Networks firewall connector allows you to easily connect your Palo Alto Networks logs with Microsoft Sentinel, to view dashboards, create custom alerts, and improve investigation. This gives you more insight into your organization's network and improves your security operation capabilities.",
+ "graphQueries": [
+ {
+ "metricName": "Total data received",
+ "legend": "Palo Alto Networks",
+ "baseQuery": "\nCommonSecurityLog\n| where DeviceVendor == \"Palo Alto Networks\"\n| where DeviceProduct has \"PAN-OS\"\n"
+ }
+ ],
+ "sampleQueries": [
+ {
+ "description": "All logs",
+ "query": "\nCommonSecurityLog\n| where DeviceVendor == \"Palo Alto Networks\"\n| where DeviceProduct has \"PAN-OS\"\n\n | sort by TimeGenerated"
+ },
+ {
+ "description": "THREAT activity",
+ "query": "\nCommonSecurityLog\n| where DeviceVendor == \"Palo Alto Networks\"\n| where DeviceProduct has \"PAN-OS\"\n\n | where Activity == \"THREAT\"\n | sort by TimeGenerated"
+ }
+ ],
+ "connectivityCriterias": [
+ {
+ "type": "IsConnectedQuery",
+ "value": [
+ "\nCommonSecurityLog\n| where DeviceVendor == \"Palo Alto Networks\"\n| where DeviceProduct has \"PAN-OS\"\n\n | summarize LastLogReceived = max(TimeGenerated)\n | project IsConnected = LastLogReceived > ago(30d)"
+ ]
+ }
+ ],
+ "dataTypes": [
+ {
+ "name": "CommonSecurityLog (PaloAlto)",
+ "lastDataReceivedQuery": "\nCommonSecurityLog\n| where DeviceVendor == \"Palo Alto Networks\"\n| where DeviceProduct has \"PAN-OS\"\n\n | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)"
+ }
+ ],
+ "availability": {
+ "status": 1,
+ "isPreview": false
+ },
+ "permissions": {
+ "resourceProvider": [
+ {
+ "provider": "Microsoft.OperationalInsights/workspaces",
+ "permissionsDisplayText": "read and write permissions are required.",
+ "providerDisplayName": "Workspace",
+ "scope": "Workspace",
+ "requiredPermissions": {
+ "read": true,
+ "write": true,
+ "delete": true
+ }
+ },
+ {
+ "provider": "Microsoft.OperationalInsights/workspaces/sharedKeys",
+ "permissionsDisplayText": "read permissions to shared keys for the workspace are required. [See the documentation to learn more about workspace keys](https://docs.microsoft.com/azure/azure-monitor/platform/agent-windows#obtain-workspace-id-and-key).",
+ "providerDisplayName": "Keys",
+ "scope": "Workspace",
+ "requiredPermissions": {
+ "action": true
+ }
+ }
+ ]
+ },
+ "instructionSteps": [
+ {
+ "description": "Install and configure the Linux agent to collect your Common Event Format (CEF) Syslog messages and forward them to Microsoft Sentinel.\n\n> Notice that the data from all regions will be stored in the selected workspace",
+ "innerSteps": [
+ {
+ "title": "1.1 Select or create a Linux machine",
+ "description": "Select or create a Linux machine that Microsoft Sentinel will use as the proxy between your security solution and Microsoft Sentinel this machine can be on your on-prem environment, Azure or other clouds."
+ },
+ {
+ "title": "1.2 Install the CEF collector on the Linux machine",
+ "description": "Install the Microsoft Monitoring Agent on your Linux machine and configure the machine to listen on the necessary port and forward messages to your Microsoft Sentinel workspace. The CEF collector collects CEF messages on port 514 TCP.\n\n> 1. Make sure that you have Python on your machine using the following command: python -version.\n\n> 2. You must have elevated permissions (sudo) on your machine.",
+ "instructions": [
+ {
+ "parameters": {
+ "fillWith": [
+ "WorkspaceId",
+ "PrimaryKey"
+ ],
+ "label": "Run the following command to install and apply the CEF collector:",
+ "value": "sudo wget -O cef_installer.py https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/DataConnectors/CEF/cef_installer.py&&sudo python cef_installer.py {0} {1}"
+ },
+ "type": "CopyableLabel"
+ }
+ ]
+ }
+ ],
+ "title": "1. Linux Syslog agent configuration"
+ },
+ {
+ "description": "Configure Palo Alto Networks to forward Syslog messages in CEF format to your Microsoft Sentinel workspace via the Syslog agent.\n\nGo to [configure Palo Alto Networks NGFW for sending CEF events.](https://aka.ms/sentinel-paloaltonetworks-readme)\n\nGo to [Palo Alto CEF Configuration](https://aka.ms/asi-syslog-paloalto-forwarding) and Palo Alto [Configure Syslog Monitoring](https://aka.ms/asi-syslog-paloalto-configure) steps 2, 3, choose your version, and follow the instructions using the following guidelines:\n\n1. Set the Syslog server format to **BSD**.\n\n2. The copy/paste operations from the PDF might change the text and insert random characters. To avoid this, copy the text to an editor and remove any characters that might break the log format before pasting it.\n\n[Learn more >](https://aka.ms/CEFPaloAlto)",
+ "title": "2. Forward Palo Alto Networks logs to Syslog agent"
+ },
+ {
+ "description": "Follow the instructions to validate your connectivity:\n\nOpen Log Analytics to check if the logs are received using the CommonSecurityLog schema.\n\n>It may take about 20 minutes until the connection streams data to your workspace.\n\nIf the logs are not received, run the following connectivity validation script:\n\n> 1. Make sure that you have Python on your machine using the following command: python -version\n\n>2. You must have elevated permissions (sudo) on your machine",
+ "instructions": [
+ {
+ "parameters": {
+ "fillWith": [
+ "WorkspaceId"
+ ],
+ "label": "Run the following command to validate your connectivity:",
+ "value": "sudo wget -O cef_troubleshoot.py https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/DataConnectors/CEF/cef_troubleshoot.py&&sudo python cef_troubleshoot.py {0}"
+ },
+ "type": "CopyableLabel"
+ }
+ ],
+ "title": "3. Validate connection"
+ },
+ {
+ "description": "Make sure to configure the machine's security according to your organization's security policy\n\n\n[Learn more >](https://aka.ms/SecureCEF)",
+ "title": "4. Secure your machine "
+ }
+ ],
+ "metadata": {
+ "id": "ef80260c-3aec-43bc-a1e5-c2f2372c9adc",
+ "version": "1.0.0",
+ "kind": "dataConnector",
+ "source": {
+ "kind": "community"
+ },
+ "author": {
+ "name": "Palo Alto Networks"
+ },
+ "support": {
+ "name": "Palo Alto Networks",
+ "link": "https://www.paloaltonetworks.com/company/contact-support",
+ "tier": "developer"
+ }
+ }
+ }
+ }
+ },
+ {
+ "type": "Microsoft.OperationalInsights/workspaces/providers/metadata",
+ "apiVersion": "2022-01-01-preview",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('DataConnector-', last(split(variables('_dataConnectorId1'),'/'))))]",
+ "properties": {
+ "parentId": "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/dataConnectors', variables('_dataConnectorContentId1'))]",
+ "contentId": "[variables('_dataConnectorContentId1')]",
+ "kind": "DataConnector",
+ "version": "[variables('dataConnectorVersion1')]",
+ "source": {
+ "kind": "Solution",
+ "name": "PaloAlto-PAN-OS",
+ "sourceId": "[variables('_solutionId')]"
+ },
+ "author": {
+ "name": "Microsoft",
+ "email": "[variables('_email')]"
+ },
+ "support": {
+ "name": "Microsoft Corporation",
+ "email": "support@microsoft.com",
+ "tier": "Microsoft",
+ "link": "https://support.microsoft.com"
+ }
+ }
+ }
+ ]
+ }
+ }
+ },
+ {
+ "type": "Microsoft.OperationalInsights/workspaces/providers/metadata",
+ "apiVersion": "2022-01-01-preview",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('DataConnector-', last(split(variables('_dataConnectorId1'),'/'))))]",
+ "dependsOn": [
+ "[variables('_dataConnectorId1')]"
+ ],
+ "location": "[parameters('workspace-location')]",
+ "properties": {
+ "parentId": "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/dataConnectors', variables('_dataConnectorContentId1'))]",
+ "contentId": "[variables('_dataConnectorContentId1')]",
+ "kind": "DataConnector",
+ "version": "[variables('dataConnectorVersion1')]",
+ "source": {
+ "kind": "Solution",
+ "name": "PaloAlto-PAN-OS",
+ "sourceId": "[variables('_solutionId')]"
+ },
+ "author": {
+ "name": "Microsoft",
+ "email": "[variables('_email')]"
+ },
+ "support": {
+ "name": "Microsoft Corporation",
+ "email": "support@microsoft.com",
+ "tier": "Microsoft",
+ "link": "https://support.microsoft.com"
+ }
+ }
+ },
+ {
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',variables('_dataConnectorContentId1'))]",
+ "apiVersion": "2021-03-01-preview",
+ "type": "Microsoft.OperationalInsights/workspaces/providers/dataConnectors",
+ "location": "[parameters('workspace-location')]",
+ "kind": "GenericUI",
+ "properties": {
+ "connectorUiConfig": {
+ "title": "Palo Alto Networks (Firewall)",
+ "publisher": "Palo Alto Networks",
+ "descriptionMarkdown": "The Palo Alto Networks firewall connector allows you to easily connect your Palo Alto Networks logs with Microsoft Sentinel, to view dashboards, create custom alerts, and improve investigation. This gives you more insight into your organization's network and improves your security operation capabilities.",
+ "graphQueries": [
+ {
+ "metricName": "Total data received",
+ "legend": "Palo Alto Networks",
+ "baseQuery": "\nCommonSecurityLog\n| where DeviceVendor == \"Palo Alto Networks\"\n| where DeviceProduct has \"PAN-OS\"\n"
+ }
+ ],
+ "dataTypes": [
+ {
+ "name": "CommonSecurityLog (PaloAlto)",
+ "lastDataReceivedQuery": "\nCommonSecurityLog\n| where DeviceVendor == \"Palo Alto Networks\"\n| where DeviceProduct has \"PAN-OS\"\n\n | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)"
+ }
+ ],
+ "connectivityCriterias": [
+ {
+ "type": "IsConnectedQuery",
+ "value": [
+ "\nCommonSecurityLog\n| where DeviceVendor == \"Palo Alto Networks\"\n| where DeviceProduct has \"PAN-OS\"\n\n | summarize LastLogReceived = max(TimeGenerated)\n | project IsConnected = LastLogReceived > ago(30d)"
+ ]
+ }
+ ],
+ "sampleQueries": [
+ {
+ "description": "All logs",
+ "query": "\nCommonSecurityLog\n| where DeviceVendor == \"Palo Alto Networks\"\n| where DeviceProduct has \"PAN-OS\"\n\n | sort by TimeGenerated"
+ },
+ {
+ "description": "THREAT activity",
+ "query": "\nCommonSecurityLog\n| where DeviceVendor == \"Palo Alto Networks\"\n| where DeviceProduct has \"PAN-OS\"\n\n | where Activity == \"THREAT\"\n | sort by TimeGenerated"
+ }
+ ],
+ "availability": {
+ "status": 1,
+ "isPreview": false
+ },
+ "permissions": {
+ "resourceProvider": [
+ {
+ "provider": "Microsoft.OperationalInsights/workspaces",
+ "permissionsDisplayText": "read and write permissions are required.",
+ "providerDisplayName": "Workspace",
+ "scope": "Workspace",
+ "requiredPermissions": {
+ "read": true,
+ "write": true,
+ "delete": true
+ }
+ },
+ {
+ "provider": "Microsoft.OperationalInsights/workspaces/sharedKeys",
+ "permissionsDisplayText": "read permissions to shared keys for the workspace are required. [See the documentation to learn more about workspace keys](https://docs.microsoft.com/azure/azure-monitor/platform/agent-windows#obtain-workspace-id-and-key).",
+ "providerDisplayName": "Keys",
+ "scope": "Workspace",
+ "requiredPermissions": {
+ "action": true
+ }
+ }
+ ]
+ },
+ "instructionSteps": [
+ {
+ "description": "Install and configure the Linux agent to collect your Common Event Format (CEF) Syslog messages and forward them to Microsoft Sentinel.\n\n> Notice that the data from all regions will be stored in the selected workspace",
+ "innerSteps": [
+ {
+ "title": "1.1 Select or create a Linux machine",
+ "description": "Select or create a Linux machine that Microsoft Sentinel will use as the proxy between your security solution and Microsoft Sentinel this machine can be on your on-prem environment, Azure or other clouds."
+ },
+ {
+ "title": "1.2 Install the CEF collector on the Linux machine",
+ "description": "Install the Microsoft Monitoring Agent on your Linux machine and configure the machine to listen on the necessary port and forward messages to your Microsoft Sentinel workspace. The CEF collector collects CEF messages on port 514 TCP.\n\n> 1. Make sure that you have Python on your machine using the following command: python -version.\n\n> 2. You must have elevated permissions (sudo) on your machine.",
+ "instructions": [
+ {
+ "parameters": {
+ "fillWith": [
+ "WorkspaceId",
+ "PrimaryKey"
+ ],
+ "label": "Run the following command to install and apply the CEF collector:",
+ "value": "sudo wget -O cef_installer.py https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/DataConnectors/CEF/cef_installer.py&&sudo python cef_installer.py {0} {1}"
+ },
+ "type": "CopyableLabel"
+ }
+ ]
+ }
+ ],
+ "title": "1. Linux Syslog agent configuration"
+ },
+ {
+ "description": "Configure Palo Alto Networks to forward Syslog messages in CEF format to your Microsoft Sentinel workspace via the Syslog agent.\n\nGo to [configure Palo Alto Networks NGFW for sending CEF events.](https://aka.ms/sentinel-paloaltonetworks-readme)\n\nGo to [Palo Alto CEF Configuration](https://aka.ms/asi-syslog-paloalto-forwarding) and Palo Alto [Configure Syslog Monitoring](https://aka.ms/asi-syslog-paloalto-configure) steps 2, 3, choose your version, and follow the instructions using the following guidelines:\n\n1. Set the Syslog server format to **BSD**.\n\n2. The copy/paste operations from the PDF might change the text and insert random characters. To avoid this, copy the text to an editor and remove any characters that might break the log format before pasting it.\n\n[Learn more >](https://aka.ms/CEFPaloAlto)",
+ "title": "2. Forward Palo Alto Networks logs to Syslog agent"
+ },
+ {
+ "description": "Follow the instructions to validate your connectivity:\n\nOpen Log Analytics to check if the logs are received using the CommonSecurityLog schema.\n\n>It may take about 20 minutes until the connection streams data to your workspace.\n\nIf the logs are not received, run the following connectivity validation script:\n\n> 1. Make sure that you have Python on your machine using the following command: python -version\n\n>2. You must have elevated permissions (sudo) on your machine",
+ "instructions": [
+ {
+ "parameters": {
+ "fillWith": [
+ "WorkspaceId"
+ ],
+ "label": "Run the following command to validate your connectivity:",
+ "value": "sudo wget -O cef_troubleshoot.py https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/DataConnectors/CEF/cef_troubleshoot.py&&sudo python cef_troubleshoot.py {0}"
+ },
+ "type": "CopyableLabel"
+ }
+ ],
+ "title": "3. Validate connection"
+ },
+ {
+ "description": "Make sure to configure the machine's security according to your organization's security policy\n\n\n[Learn more >](https://aka.ms/SecureCEF)",
+ "title": "4. Secure your machine "
+ }
+ ],
+ "id": "[variables('_uiConfigId1')]"
+ }
+ }
+ },
+ {
+ "type": "Microsoft.Resources/templateSpecs",
+ "apiVersion": "2021-05-01",
+ "name": "[variables('huntingQueryTemplateSpecName1')]",
+ "location": "[parameters('workspace-location')]",
+ "tags": {
+ "hidden-sentinelWorkspaceId": "[variables('workspaceResourceId')]",
+ "hidden-sentinelContentType": "HuntingQuery"
+ },
+ "properties": {
+ "description": "PaloAlto-PAN-OS Hunting Query 1 with template",
+ "displayName": "PaloAlto-PAN-OS Hunting Query template"
+ }
+ },
+ {
+ "type": "Microsoft.Resources/templateSpecs/versions",
+ "apiVersion": "2021-05-01",
+ "name": "[concat(variables('huntingQueryTemplateSpecName1'),'/',variables('huntingQueryVersion1'))]",
+ "location": "[parameters('workspace-location')]",
+ "tags": {
+ "hidden-sentinelWorkspaceId": "[variables('workspaceResourceId')]",
+ "hidden-sentinelContentType": "HuntingQuery"
+ },
+ "dependsOn": [
+ "[resourceId('Microsoft.Resources/templateSpecs', variables('huntingQueryTemplateSpecName1'))]"
+ ],
+ "properties": {
+ "description": "PaloAlto-HighRiskPorts_HuntingQueries Hunting Query with template version 2.0.0",
+ "mainTemplate": {
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "[variables('huntingQueryVersion1')]",
+ "parameters": {},
+ "variables": {},
+ "resources": [
+ {
+ "type": "Microsoft.OperationalInsights/savedSearches",
+ "apiVersion": "2020-08-01",
+ "name": "PaloAlto-PAN-OS_Hunting_Query_1",
+ "location": "[parameters('workspace-location')]",
+ "properties": {
+ "eTag": "*",
+ "displayName": "Palo Alto - high-risk ports",
+ "category": "Hunting Queries",
+ "query": "\nlet HighRiskPorts = datatable (Port:int, Protocol:string, RiskType:string, RiskDescription:string)[\n13,\"udp\",\"3rd Party Attacks\",\"Daytime protocol used in reflection/amplification attacks\",\n17,\"udp\",\"3rd Party Attacks\",\"QOTD protocol, reflection/amplification attacks\",\n19,\"udp\",\"3rd Party Attacks\",\"Chargen protocol, reflection/amplification attacks\",\n20,\"tcp\",\"Unencrypted\",\"Unencrypted FTP Traffic\",\n21,\"tcp\",\"Unencrypted\",\"Unencrypted FTP Traffic\",\n22,\"tcp\",\"Management\",\"SSH, brute force attacks common\",\n23,\"tcp\",\"Management\",\"Telnet, allows unauthenticated and/or unencrypted\",\n53,\"udp\",\"3rd Party Attacks\",\"DNS, reflection/amplification attacks\",\n69,\"udp\",\"Management\",\"TFTP, allows unauthenticated and/or unencrypted\",\n111,\"udp\",\"Management\",\"RPC, unencrypted authentication allowed\",\n111,\"tcp\",\"Management\",\"RPC, unencrypted authentication allowed\",\n119,\"tcp\",\"Unsecure\",\"NNTP, unencrypted authentication\",\n123,\"udp\",\"3rd Party Attacks\",\"Network Time Protocol, reflection/amplification attacks\",\n135,\"tcp\",\"Management\",\"End Point Mapper, multiple remote management srvcs\",\n135,\"udp\",\"Management\",\"End Point Mapper, multiple remote management srvcs\",\n137,\"tcp\",\"Hacker Recon\",\"Netbios Name Service\",\n137,\"udp\",\"Hacker Recon\",\"Netbios Name Service\",\n138,\"tcp\",\"Hacker Recon\",\"Netbios Datagram Service\",\n138,\"udp\",\"Hacker Recon\",\"Netbios Datagram Service\",\n139,\"tcp\",\"Hacker Recon\",\"Netbios Session Service\",\n161,\"tcp\",\"Unsecure/3rd Party Attacks\",\"SNMP, unsecure / no authentication UDP Reflection attacks\",\n161,\"udp\",\"Unsecure/3rd Party Attacks\",\"SNMP, unsecure / no authentication UDP Reflection attacks\",\n162,\"tcp\",\"Unsecure\",\"SNMP Trap, unsecure / no authentication\",\n162,\"udp\",\"Unsecure\",\"SNMP Trap, unsecure / no authentication\",\n389,\"tcp\",\"Hacker Recon/3rd Party 
Attacks\",\"LDAP/CLDAP\",\n389,\"udp\",\"Hacker Recon/3rd Party Attacks\",\"LDAP/CLDAP\",\n443,\"udp\",\"3rd Party Attacks\",\"UDP Reflection / Amplification attacks\",\n445,\"tcp\",\"Unsecure\",\"SMB - well known attack vector\",\n512,\"tcp\",\"Management\",\"Rexec on Linux, remote commands w/o encrypt auth\",\n514,\"tcp\",\"Management\",\"Remote Shell, remote commands w/o auth or encrypt\",\n593,\"tcp\",\"Management\",\"HTTP RPC EPMAP, unencrypted remote procedure call\",\n593,\"udp\",\"Management\",\"HTTP RPC EPMAP, unencrypted remote procedure call\",\n636,\"tcp\",\"Hacker Recon\",\"Lightweight Directory Access Protocol\",\n873,\"tcp\",\"Management\",\"Rsync, unencrypted file transfer\",\n1433,\"tcp\",\"Data Access/Mgmt\",\"MS SQL Management & Data Access\",\n1434,\"udp\",\"Data Access/Mgmt\",\"MS SQL Monitor Port\",\n1900,\"udp\",\"Hacker Recon/3rd Party Attacks\",\"Simple Service Discovery Protocol, unencrypted\",\n2049,\"tcp\",\"Unsecure\",\"Network File System\",\n2049,\"udp\",\"Unsecure\",\"Network File System\",\n2301,\"tcp\",\"Hacker Recon\",\"Compaq Management Service, no recent incidents\",\n2381,\"tcp\",\"Management\",\"Compaq Management Service, no recent incidents\",\n3268,\"tcp\",\"Hacker Recon\",\"Microsoft Global Catalog LDAP\",\n3306,\"tcp\",\"Data Access/Mgmt\",\"MySQL Database Management Port\",\n3389,\"tcp\",\"Management/3rd Party Attacks\",\"RDP, Common brute force attack port\",\n3389,\"udp\",\"Management/3rd Party Attacks\",\"RDP, Common brute force attack port\",\n4333,\"tcp\",\"Data Access/Mgmt\",\"MSql\",\n5353,\"udp\",\"3rd Party Attacks\",\"mDNS\",\n5432,\"tcp\",\"Data Access/Mgmt\",\"PostgresSQL Database Management\",\n5800,\"tcp\",\"Management\",\"VNC Remote Frame Buffer over HTTP\",\n5900,\"tcp\",\"Management\",\"VNC Remote Frame Buffer over HTTP\",\n5985,\"tcp\",\"Management\",\"Windows Powershell\",\n5986,\"tcp\",\"Management\",\"Windows Powershell\",\n6379,\"tcp\",\"Data Access/Mgmt\",\"Redis\",\n7000,\"tcp\",\"Data 
Access/Mgmt\",\"Cassandra\",\n7001,\"tcp\",\"Data Access/Mgmt\",\"Cassandra\",\n7199,\"tcp\",\"Data Access/Mgmt\",\"Cassandra\",\n9042,\"tcp\",\"Data Access/Mgmt\",\"Cassandra\",\n9160,\"tcp\",\"Data Access/Mgmt\",\"Cassandra\",\n9200,\"tcp\",\"Data Access/Mgmt\",\"Elastic Search\",\n9300,\"tcp\",\"Data Access/Mgmt\",\"Elastic Search\",\n9987,\"udp\",\"3rd Party Attack\",\"DSM/SCM Target Interface\",\n11211,\"udp\",\"Unencrypted\",\"Memcached\",\n16379,\"tcp\",\"Data Access/Mgmt\",\"Redis\",\n26379,\"tcp\",\"Data Access/Mgmt\",\"Redis\",\n27017,\"tcp\",\"Data Access/Mgmt\",\"MongoDB\",\n];\nHighRiskPorts\n| join kind=inner (\n CommonSecurityLog\n | where DeviceVendor == \"Palo Alto Networks\" and Activity == \"TRAFFIC\" and DeviceAction != \"deny\"\n | where SentBytes > 0 and ReceivedBytes > 0\n //Remove private IP communation from DestinationIP\n | extend result = ipv4_is_private(DestinationIP) \n | where result == 0\n | summarize\n Count = count(),\n StartTime = min(TimeGenerated),\n EndTime = max(TimeGenerated)\n by \n DeviceName,\n SourceIP,\n DestinationIP,\n DestinationPort,\n Protocol\n) on $left.Port == $right.DestinationPort and $left.Protocol == $right.Protocol\n| project-away Protocol1, Port\n| order by DeviceName asc, SourceIP asc, DestinationIP asc, DestinationPort asc\n| extend timestamp = StartTime, IPCustomEntity = SourceIP\n",
+ "version": 2,
+ "tags": [
+ {
+ "name": "description",
+ "value": "Identifies network connections whose ports are frequent targets of attacks and should not cross network boundaries or reach untrusted public networks.\nConsider updating the firewall policies to block the connections."
+ },
+ {
+ "name": "tactics",
+ "value": "InitialAccess,Discovery"
+ }
+ ]
+ }
+ },
+ {
+ "type": "Microsoft.OperationalInsights/workspaces/providers/metadata",
+ "apiVersion": "2022-01-01-preview",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('HuntingQuery-', last(split(variables('huntingQueryId1'),'/'))))]",
+ "properties": {
+ "description": "PaloAlto-PAN-OS Hunting Query 1",
+ "parentId": "[variables('huntingQueryId1')]",
+ "contentId": "[variables('_huntingQuerycontentId1')]",
+ "kind": "HuntingQuery",
+ "version": "[variables('huntingQueryVersion1')]",
+ "source": {
+ "kind": "Solution",
+ "name": "PaloAlto-PAN-OS",
+ "sourceId": "[variables('_solutionId')]"
+ },
+ "author": {
+ "name": "Microsoft",
+ "email": "[variables('_email')]"
+ },
+ "support": {
+ "name": "Microsoft Corporation",
+ "email": "support@microsoft.com",
+ "tier": "Microsoft",
+ "link": "https://support.microsoft.com"
+ }
+ }
+ }
+ ]
+ }
+ }
+ },
+ {
+ "type": "Microsoft.Resources/templateSpecs",
+ "apiVersion": "2021-05-01",
+ "name": "[variables('workbookTemplateSpecName1')]",
+ "location": "[parameters('workspace-location')]",
+ "tags": {
+ "hidden-sentinelWorkspaceId": "[variables('workspaceResourceId')]",
+ "hidden-sentinelContentType": "Workbook"
+ },
+ "properties": {
+ "description": "PaloAlto-PAN-OS Workbook with template",
+ "displayName": "PaloAlto-PAN-OS workbook template"
+ }
+ },
+ {
+ "type": "Microsoft.Resources/templateSpecs/versions",
+ "apiVersion": "2021-05-01",
+ "name": "[concat(variables('workbookTemplateSpecName1'),'/',variables('workbookVersion1'))]",
+ "location": "[parameters('workspace-location')]",
+ "tags": {
+ "hidden-sentinelWorkspaceId": "[variables('workspaceResourceId')]",
+ "hidden-sentinelContentType": "Workbook"
+ },
+ "dependsOn": [
+ "[resourceId('Microsoft.Resources/templateSpecs', variables('workbookTemplateSpecName1'))]"
+ ],
+ "properties": {
+ "description": "PaloAltoOverviewWorkbook Workbook with template version 2.0.0",
+ "mainTemplate": {
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "[variables('workbookVersion1')]",
+ "parameters": {},
+ "variables": {},
+ "resources": [
+ {
+ "type": "Microsoft.Insights/workbooks",
+ "name": "[variables('workbookContentId1')]",
+ "location": "[parameters('workspace-location')]",
+ "kind": "shared",
+ "apiVersion": "2021-08-01",
+ "metadata": {
+ "description": "Gain insights and comprehensive monitoring into Palo Alto firewalls by analyzing traffic and activities.\nThis workbook correlates all Palo Alto data with threat events to identify suspicious entities and relationships.\nYou can learn about trends across user and data traffic, and drill down into Palo Alto Wildfire and filter results."
+ },
+ "properties": {
+ "displayName": "[parameters('workbook1-name')]",
+ "serializedData": "{\"version\":\"Notebook/1.0\",\"items\":[{\"type\":1,\"content\":{\"json\":\"
Palo Alto Networks overview
\"},\"name\":\"text - 0\"},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"query\":\"\",\"parameters\":[{\"id\":\"a5c18655-3e2d-4d12-8ba4-82e57b296581\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"TimeRange\",\"type\":4,\"isRequired\":true,\"value\":{\"durationMs\":2592000000},\"typeSettings\":{\"selectableValues\":[{\"durationMs\":300000},{\"durationMs\":900000},{\"durationMs\":1800000},{\"durationMs\":3600000},{\"durationMs\":14400000},{\"durationMs\":43200000},{\"durationMs\":86400000},{\"durationMs\":172800000},{\"durationMs\":259200000},{\"durationMs\":604800000},{\"durationMs\":1209600000},{\"durationMs\":2419200000},{\"durationMs\":2592000000},{\"durationMs\":5184000000},{\"durationMs\":7776000000}],\"allowCustom\":true}},{\"id\":\"32f5a8aa-9c54-4fd1-a2b9-8461b2c57f55\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"Source_IP\",\"label\":\"Source IP\",\"type\":2,\"isRequired\":true,\"multiSelect\":true,\"quote\":\"'\",\"delimiter\":\",\",\"query\":\"CommonSecurityLog\\r\\n| summarize Count = count()/1000 by SourceIP\\r\\n| where SourceIP != \\\"\\\"\\r\\n| order by Count desc, SourceIP asc\\r\\n| project Value = SourceIP, Label = strcat(SourceIP, \\\" - \\\", Count, \\\"k\\\"), Selected = false\\r\\n\",\"value\":[\"value::all\"],\"typeSettings\":{\"additionalResourceOptions\":[\"value::all\"],\"selectAllValue\":\"All\"},\"timeContext\":{\"durationMs\":1800000},\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},{\"id\":\"b937ca33-bc62-4183-bc0f-9ad8306dc36a\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"Destination_IP\",\"label\":\"Destination IP\",\"type\":2,\"isRequired\":true,\"multiSelect\":true,\"quote\":\"'\",\"delimiter\":\",\",\"query\":\"CommonSecurityLog\\r\\n| summarize Count = count()/1000 by DestinationIP\\r\\n| where DestinationIP != \\\"\\\"\\r\\n| order by Count desc, DestinationIP asc\\r\\n| project Value = DestinationIP, Label = strcat(DestinationIP, \\\" - \\\", Count, \\\"k\\\"), Selected 
= false\",\"value\":[\"value::all\"],\"typeSettings\":{\"limitSelectTo\":10,\"additionalResourceOptions\":[\"value::all\"],\"selectAllValue\":\"All\"},\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"parameters - 5\"},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"query\":\"\",\"parameters\":[{\"id\":\"7f28bae3-a11f-408a-832f-77a0f3e633d7\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"EventClass\",\"type\":2,\"isRequired\":true,\"multiSelect\":true,\"quote\":\"'\",\"delimiter\":\",\",\"query\":\"CommonSecurityLog\\r\\n| where DeviceProduct has 'PAN-OS'\\r\\n| where DeviceVendor =~ 'Palo Alto Networks'\\r\\n| distinct DeviceEventClassID\",\"value\":[\"value::all\"],\"typeSettings\":{\"additionalResourceOptions\":[\"value::all\"],\"selectAllValue\":\"All\"},\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"parameters - 35\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let data = CommonSecurityLog\\r\\n| where DeviceProduct has 'PAN-OS'\\r\\n| where DeviceVendor =~ 'Palo Alto Networks'\\r\\n| where \\\"{Destination_IP:lable}\\\"==\\\"All\\\" or DestinationIP in ({Destination_IP})\\r\\n| where \\\"{Source_IP:lable}\\\" == \\\"All\\\" or SourceIP in ({Source_IP})\\r\\n| where \\\"{EventClass:lable}\\\" == \\\"All\\\" or \\\"{EventClass:lable}\\\" == \\\"All\\\" or DeviceEventClassID in ({EventClass});\\r\\ndata\\r\\n| summarize Count = count() by Activity\\r\\n| join kind = inner (data\\r\\n | make-series Trend = count() default = 0 on TimeGenerated from {TimeRange:start} to {TimeRange:end} step 
{TimeRange:grain} by Activity)\\r\\n on Activity\\r\\n| project-away Activity1, TimeGenerated\\r\\n| extend Activitys = Activity\\r\\n| union (\\r\\n data \\r\\n | summarize Count = count() \\r\\n | extend jkey = 1\\r\\n | join kind=inner (data\\r\\n | make-series Trend = count() default = 0 on TimeGenerated from {TimeRange:start} to {TimeRange:end} step {TimeRange:grain}\\r\\n | extend jkey = 1) on jkey\\r\\n | extend Activity = 'All', Activitys = '*' \\r\\n)\\r\\n| order by Count desc\\r\\n| take 10\",\"size\":4,\"exportFieldName\":\"Activity\",\"exportParameterName\":\"activities\",\"exportDefaultValue\":\"All\",\"exportToExcelOptions\":\"visible\",\"title\":\"Activities, by volume\",\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"tiles\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"Activity\",\"formatter\":0,\"formatOptions\":{\"showIcon\":true}},{\"columnMatch\":\"Count\",\"formatter\":8,\"formatOptions\":{\"palette\":\"blueDark\",\"showIcon\":true}},{\"columnMatch\":\"Trend\",\"formatter\":9,\"formatOptions\":{\"palette\":\"lightBlue\",\"showIcon\":true}},{\"columnMatch\":\"Activitys\",\"formatter\":5,\"formatOptions\":{\"showIcon\":true}},{\"columnMatch\":\"jkey\",\"formatter\":5,\"formatOptions\":{\"showIcon\":true}},{\"columnMatch\":\"TimeGenerated\",\"formatter\":5,\"formatOptions\":{\"showIcon\":true}},{\"columnMatch\":\"jkey1\",\"formatter\":5,\"formatOptions\":{\"showIcon\":true}}]},\"tileSettings\":{\"titleContent\":{\"columnMatch\":\"Activity\",\"formatter\":1,\"formatOptions\":{\"showIcon\":true}},\"leftContent\":{\"columnMatch\":\"Count\",\"formatter\":12,\"formatOptions\":{\"palette\":\"auto\",\"showIcon\":true},\"numberFormat\":{\"unit\":17,\"options\":{\"maximumSignificantDigits\":3,\"maximumFractionDigits\":2}}},\"secondaryContent\":{\"columnMatch\":\"Trend\",\"formatter\":9,\"formatOptions\":{\"showIcon\":true}
},\"showBorder\":false}},\"name\":\"all activities\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"CommonSecurityLog\\r\\n| where DeviceProduct has 'PAN-OS'\\r\\n| where DeviceVendor =~ 'Palo Alto Networks'\\r\\n| where \\\"{Destination_IP:lable}\\\"==\\\"All\\\" or DestinationIP in ({Destination_IP})\\r\\n| where \\\"{Source_IP:lable}\\\" == \\\"All\\\" or SourceIP in ({Source_IP})\\r\\n| where \\\"{EventClass:lable}\\\" == \\\"All\\\" or DeviceEventClassID in ({EventClass})\\r\\n| where '{activities}' == \\\"All\\\" or Activity == '{activities}'\\r\\n| summarize LogVolume=count() by DeviceEventClassID, bin_at(TimeGenerated, {TimeRange:grain}, {TimeRange:start})\",\"size\":0,\"aggregation\":3,\"exportToExcelOptions\":\"visible\",\"title\":\"Event trend, by time\",\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"barchart\",\"tileSettings\":{\"showBorder\":false,\"titleContent\":{\"columnMatch\":\"DeviceEventClassID\",\"formatter\":1},\"leftContent\":{\"columnMatch\":\"LogVolume\",\"formatter\":12,\"formatOptions\":{\"palette\":\"auto\"},\"numberFormat\":{\"unit\":17,\"options\":{\"maximumSignificantDigits\":3,\"maximumFractionDigits\":2}}}}},\"customWidth\":\"50\",\"name\":\"Event trend by time\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"//trend by sevearity\\r\\nCommonSecurityLog\\r\\n| where DeviceProduct has 'PAN-OS'\\r\\n| where DeviceVendor =~ 'Palo Alto Networks'\\r\\n| where \\\"{Destination_IP:lable}\\\"==\\\"All\\\" or DestinationIP in ({Destination_IP}) \\r\\n| where \\\"{Source_IP:lable}\\\" == \\\"All\\\" or SourceIP in ({Source_IP})\\r\\n| where \\\"{EventClass:lable}\\\" == \\\"All\\\" or DeviceEventClassID in ({EventClass})\\r\\n| where '{activities}' == \\\"All\\\" or Activity == '{activities}'\\r\\n| summarize count() by bin_at(TimeGenerated, {TimeRange:grain},{TimeRange:start}), 
LogSeverity\\r\\n\",\"size\":0,\"exportToExcelOptions\":\"visible\",\"title\":\"Events severity, by time\",\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"barchart\",\"tileSettings\":{\"showBorder\":false,\"titleContent\":{\"columnMatch\":\"LogSeverity\",\"formatter\":1},\"leftContent\":{\"columnMatch\":\"count_\",\"formatter\":12,\"formatOptions\":{\"palette\":\"auto\"},\"numberFormat\":{\"unit\":17,\"options\":{\"maximumSignificantDigits\":3,\"maximumFractionDigits\":2}}}},\"graphSettings\":{\"type\":0,\"topContent\":{\"columnMatch\":\"LogSeverity\",\"formatter\":1},\"centerContent\":{\"columnMatch\":\"count_\",\"formatter\":1,\"numberFormat\":{\"unit\":17,\"options\":{\"maximumSignificantDigits\":3,\"maximumFractionDigits\":2}}}}},\"customWidth\":\"50\",\"name\":\"Events severity over time\"},{\"type\":1,\"content\":{\"json\":\"---\\r\\n### Traffic events summary\"},\"name\":\"text - 11\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let data = CommonSecurityLog\\r\\n| where DeviceProduct has 'PAN-OS'\\r\\n| where DeviceVendor =~ 'Palo Alto Networks'\\r\\n| where \\\"{Destination_IP:lable}\\\"==\\\"All\\\" or DestinationIP in ({Destination_IP}) \\r\\n| where \\\"{Source_IP:lable}\\\" == \\\"All\\\" or SourceIP in ({Source_IP})\\r\\n| where Activity =~ \\\"Traffic\\\";\\r\\ndata\\r\\n| summarize Count = count() by DeviceEventClassID\\r\\n| join kind = inner (data\\r\\n | make-series Trend = count() default = 0 on TimeGenerated from {TimeRange:start} to {TimeRange:end} step {TimeRange:grain} by DeviceEventClassID)\\r\\n on DeviceEventClassID\\r\\n| project-away DeviceEventClassID1, TimeGenerated\\r\\n| extend DeviceEventClassIDs = DeviceEventClassID\\r\\n| union (\\r\\n data \\r\\n | summarize Count = count() \\r\\n | extend jkey = 1\\r\\n | join kind=inner (data\\r\\n | make-series Trend = count() default = 0 on 
TimeGenerated from {TimeRange:start} to {TimeRange:end} step {TimeRange:grain}\\r\\n | extend jkey = 1) on jkey\\r\\n | extend DeviceEventClassID = 'All', DeviceEventClassIDs = '*' \\r\\n)\\r\\n| order by Count desc\\r\\n| take 10\",\"size\":4,\"exportFieldName\":\"DeviceEventClassID\",\"exportParameterName\":\"EventClass\",\"exportDefaultValue\":\"All\",\"exportToExcelOptions\":\"visible\",\"title\":\"Device events Id summary - click to filter the graph below\",\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"tiles\",\"tileSettings\":{\"titleContent\":{\"columnMatch\":\"DeviceEventClassID\",\"formatter\":1,\"formatOptions\":{\"showIcon\":true}},\"leftContent\":{\"columnMatch\":\"Count\",\"formatter\":12,\"formatOptions\":{\"palette\":\"auto\",\"showIcon\":true},\"numberFormat\":{\"unit\":17,\"options\":{\"style\":\"decimal\",\"maximumFractionDigits\":2,\"maximumSignificantDigits\":3}}},\"secondaryContent\":{\"columnMatch\":\"Trend\",\"formatter\":9,\"formatOptions\":{\"showIcon\":true}},\"showBorder\":false}},\"customWidth\":\"50\",\"name\":\"Traffic event summary\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let data = CommonSecurityLog\\r\\n| where DeviceProduct has 'PAN-OS'\\r\\n| where DeviceVendor =~ 'Palo Alto Networks'\\r\\n| where \\\"{Destination_IP:lable}\\\"==\\\"All\\\" or DestinationIP in ({Destination_IP}) \\r\\n| where \\\"{Source_IP:lable}\\\" == \\\"All\\\" or SourceIP in ({Source_IP})\\r\\n| where Activity =~ \\\"Traffic\\\";\\r\\ndata\\r\\n| summarize Count = count() by DeviceAction\\r\\n| join kind = inner (data\\r\\n | make-series Trend = count() default = 0 on TimeGenerated from {TimeRange:start} to {TimeRange:end} step {TimeRange:grain} by DeviceAction)\\r\\n on DeviceAction\\r\\n| project-away DeviceAction1, TimeGenerated\\r\\n| extend DeviceAction = DeviceAction\\r\\n| union (\\r\\n data 
\\r\\n | summarize Count = count() \\r\\n | extend jkey = 1\\r\\n | join kind=inner (data\\r\\n | make-series Trend = count() default = 0 on TimeGenerated from {TimeRange:start} to {TimeRange:end} step {TimeRange:grain}\\r\\n | extend jkey = 1) on jkey\\r\\n | extend DeviceAction = 'All', DeviceActions = '*' \\r\\n)\\r\\n| order by Count desc\\r\\n| take 10\",\"size\":4,\"exportFieldName\":\"DeviceAction\",\"exportParameterName\":\"DeviceAction\",\"exportDefaultValue\":\"All\",\"exportToExcelOptions\":\"visible\",\"title\":\"Device action summary - click to filter the graph below\",\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"tiles\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"DeviceAction\",\"formatter\":0,\"formatOptions\":{\"showIcon\":true}},{\"columnMatch\":\"Count\",\"formatter\":3,\"formatOptions\":{\"palette\":\"blueDark\",\"showIcon\":true}},{\"columnMatch\":\"Trend\",\"formatter\":9,\"formatOptions\":{\"palette\":\"blueDark\",\"showIcon\":true}},{\"columnMatch\":\"jkey\",\"formatter\":5,\"formatOptions\":{\"showIcon\":true}},{\"columnMatch\":\"TimeGenerated\",\"formatter\":5,\"formatOptions\":{\"showIcon\":true}},{\"columnMatch\":\"jkey1\",\"formatter\":5,\"formatOptions\":{\"showIcon\":true}},{\"columnMatch\":\"DeviceActions\",\"formatter\":5,\"formatOptions\":{\"showIcon\":true}}]},\"tileSettings\":{\"titleContent\":{\"columnMatch\":\"DeviceAction\",\"formatter\":1,\"formatOptions\":{\"showIcon\":true}},\"leftContent\":{\"columnMatch\":\"Count\",\"formatter\":12,\"formatOptions\":{\"palette\":\"auto\",\"showIcon\":true},\"numberFormat\":{\"unit\":17,\"options\":{\"maximumSignificantDigits\":3,\"maximumFractionDigits\":2}}},\"secondaryContent\":{\"columnMatch\":\"Trend\",\"formatter\":9,\"formatOptions\":{\"showIcon\":true}},\"showBorder\":false}},\"customWidth\":\"33\",\"name\":\"Traffic activity 
summary\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"CommonSecurityLog\\r\\n| where DeviceProduct has 'PAN-OS'\\r\\n| where DeviceVendor =~ 'Palo Alto Networks'\\r\\n| where \\\"{Destination_IP:lable}\\\"==\\\"All\\\" or DestinationIP in ({Destination_IP}) \\r\\n| where \\\"{Source_IP:lable}\\\" == \\\"All\\\" or SourceIP in ({Source_IP})\\r\\n| where Activity =~ 'TRAFFIC'\\r\\n| where '{EventClass}' == \\\"All\\\" or DeviceEventClassID=='{EventClass}'\\r\\n| summarize EventCount= count() by DeviceAction, bin_at(TimeGenerated, {TimeRange:grain}, {TimeRange:start})\",\"size\":0,\"exportToExcelOptions\":\"visible\",\"title\":\"Device action, by time\",\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"barchart\"},\"customWidth\":\"50\",\"name\":\"Traffic activity by time\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"CommonSecurityLog\\r\\n| where DeviceProduct has 'PAN-OS'\\r\\n| where DeviceVendor =~ 'Palo Alto Networks'\\r\\n| where \\\"{Destination_IP:lable}\\\"==\\\"All\\\" or DestinationIP in ({Destination_IP}) \\r\\n| where \\\"{Source_IP:lable}\\\" == \\\"All\\\" or SourceIP in ({Source_IP})\\r\\n| where '{DeviceAction}' == \\\"All\\\" or DeviceAction=='{DeviceAction}'\\r\\n| where Activity =~ \\\"Traffic\\\"\\r\\n| summarize EventCount= count() by DeviceEventClassID, bin_at(TimeGenerated, {TimeRange:grain}, {TimeRange:start})\",\"size\":0,\"exportToExcelOptions\":\"visible\",\"title\":\"Device events Id, by time\",\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"barchart\"},\"customWidth\":\"50\",\"name\":\"Traffic class ID by time\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"CommonSecurityLog\\r\\n| where DeviceProduct has 'PAN-OS' \\r\\n| 
where DeviceVendor =~ 'Palo Alto Networks' \\r\\n| where \\\"{Destination_IP:lable}\\\"==\\\"All\\\" or DestinationIP in ({Destination_IP}) \\r\\n| where \\\"{Source_IP:lable}\\\" == \\\"All\\\" or SourceIP in ({Source_IP})\\r\\n| where Activity =~ 'TRAFFIC' \\r\\n| where DeviceEventClassID =~ 'end' \\r\\n| extend Reason = coalesce(\\r\\n column_ifexists(\\\"Reason\\\", \\\"\\\"),\\r\\n extract(';reason=(.*?);',1,AdditionalExtensions),\\r\\n \\\"\\\"\\r\\n )\\r\\n| summarize ReasonCount= count() by Reason, TimeGenerated \\r\\n\",\"size\":0,\"exportToExcelOptions\":\"visible\",\"title\":\"Reasons for session ending, by time\",\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"timechart\"},\"customWidth\":\"50\",\"name\":\"Reasons for session ending\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"// Data sent outbound vs inbound\\r\\nCommonSecurityLog\\r\\n| where DeviceProduct has 'PAN-OS'\\r\\n| where DeviceVendor =~ 'Palo Alto Networks'\\r\\n| where \\\"{Destination_IP:lable}\\\"==\\\"All\\\" or DestinationIP in ({Destination_IP}) \\r\\n| where \\\"{Source_IP:lable}\\\" == \\\"All\\\" or SourceIP in ({Source_IP})\\r\\n| where Activity =~ 'TRAFFIC'\\r\\n| extend Direction=iff(DeviceCustomString4=~'Trust','Outbound' ,'Inbound' )\\r\\n| summarize DataSentOutBoundMB=sumif(SentBytes, Direction=~'Outbound')/1048576, DataRecievedInboundMB=sumif(ReceivedBytes, Direction=~'Inbound')/1048576 by TimeGenerated\\r\\n\",\"size\":0,\"exportToExcelOptions\":\"visible\",\"title\":\"Sent and received data, by volume\",\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"timechart\"},\"customWidth\":\"50\",\"name\":\"Sent and received data by volume\"},{\"type\":1,\"content\":{\"json\":\"---\\r\\n## Web 
filter\"},\"name\":\"text - 12\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"CommonSecurityLog\\r\\n| where DeviceProduct has 'PAN-OS'\\r\\n| where DeviceVendor =~ 'Palo Alto Networks'\\r\\n| where \\\"{Destination_IP:lable}\\\"==\\\"All\\\" or DestinationIP in ({Destination_IP}) \\r\\n| where \\\"{Source_IP:lable}\\\" == \\\"All\\\" or SourceIP in ({Source_IP})\\r\\n| where Activity =~ 'THREAT'\\r\\n| where DeviceEventClassID =~ 'url'\\r\\n| where DeviceAction contains 'block'\\r\\n| summarize ProtocolCount=count() by ApplicationProtocol\\r\\n| top 5 by ProtocolCount desc\\r\\n\",\"size\":0,\"exportToExcelOptions\":\"visible\",\"title\":\"Top 5 blocked URLs, by application protocol\",\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"ApplicationProtocol\",\"formatter\":0,\"formatOptions\":{\"showIcon\":true}},{\"columnMatch\":\"ProtocolCount\",\"formatter\":4,\"formatOptions\":{\"min\":0,\"palette\":\"purple\",\"showIcon\":true}}]}},\"customWidth\":\"25\",\"name\":\"Top 5 blocked URLs by application protocol\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"CommonSecurityLog\\r\\n| where DeviceProduct has 'PAN-OS'\\r\\n| where DeviceVendor =~ 'Palo Alto Networks'\\r\\n| where \\\"{Destination_IP:lable}\\\"==\\\"All\\\" or DestinationIP in ({Destination_IP}) \\r\\n| where \\\"{Source_IP:lable}\\\" == \\\"All\\\" or SourceIP in ({Source_IP})\\r\\n| where Activity =~ 'THREAT'\\r\\n| where DeviceEventClassID =~ 'url'\\r\\n| where DeviceAction in ('block-url', 'block-continue')\\r\\n| summarize CategoryCount=count() by DeviceCustomString2\\r\\n| project-rename CategoryName= DeviceCustomString2\\r\\n| top 5 by CategoryCount\\r\\n\",\"size\":0,\"exportToExcelOptions\":\"visible\",\"title\":\"Top 5 URL blocked, by 
category\",\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"CategoryName\",\"formatter\":0,\"formatOptions\":{\"showIcon\":true}},{\"columnMatch\":\"CategoryCount\",\"formatter\":4,\"formatOptions\":{\"palette\":\"coldHot\",\"showIcon\":true}}]}},\"customWidth\":\"25\",\"name\":\"op 5 URL blocked by category\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"CommonSecurityLog\\r\\n| where DeviceProduct has 'PAN-OS'\\r\\n| where DeviceVendor =~ 'Palo Alto Networks'\\r\\n| where \\\"{Destination_IP:lable}\\\"==\\\"All\\\" or DestinationIP in ({Destination_IP}) \\r\\n| where \\\"{Source_IP:lable}\\\" == \\\"All\\\" or SourceIP in ({Source_IP})\\r\\n| where Activity =~ 'THREAT'\\r\\n| where DeviceEventClassID =~ 'url'\\r\\n| where DeviceAction in ('block-url', 'block-continue')\\r\\n| summarize URLCount=count() by RequestURL\\r\\n| top 5 by URLCount desc\\r\\n\",\"size\":0,\"exportToExcelOptions\":\"visible\",\"title\":\"Top 5 blocked URLs\",\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"customWidth\":\"25\",\"name\":\"Top 5 blocked URLs\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"CommonSecurityLog\\r\\n| where DeviceProduct has 'PAN-OS'\\r\\n| where DeviceVendor =~ 'Palo Alto Networks'\\r\\n| where \\\"{Destination_IP:lable}\\\"==\\\"All\\\" or DestinationIP in ({Destination_IP}) \\r\\n| where \\\"{Source_IP:lable}\\\" == \\\"All\\\" or SourceIP in ({Source_IP})\\r\\n| where Activity =~ 'THREAT'\\r\\n| where DeviceEventClassID =~ 'url'\\r\\n| summarize ProtocolCount=count() by ApplicationProtocol\\r\\n| top 5 by ProtocolCount desc\",\"size\":0,\"exportToExcelOptions\":\"visible\",\"title\":\"Top 5 URLs, by application 
protocols\",\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"ApplicationProtocol\",\"formatter\":0,\"formatOptions\":{\"showIcon\":true}},{\"columnMatch\":\"ProtocolCount\",\"formatter\":4,\"formatOptions\":{\"palette\":\"coldHot\",\"showIcon\":true}}]}},\"customWidth\":\"25\",\"name\":\"Top 5 URLs by application protocols\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"CommonSecurityLog\\r\\n| where DeviceProduct has 'PAN-OS'\\r\\n| where DeviceVendor =~ 'Palo Alto Networks'\\r\\n| where \\\"{Destination_IP:lable}\\\"==\\\"All\\\" or DestinationIP in ({Destination_IP}) \\r\\n| where \\\"{Source_IP:lable}\\\" == \\\"All\\\" or SourceIP in ({Source_IP})\\r\\n| where Activity =~ 'THREAT'\\r\\n| where DeviceEventClassID =~ 'url'\\r\\n| where DeviceAction in ('alert', 'continue')\\r\\n| summarize URLCount=count() by RequestURL\\r\\n| top 5 by URLCount desc\\r\\n\",\"size\":0,\"exportToExcelOptions\":\"visible\",\"title\":\"Top 5 allowed URLs\",\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"RequestURL\",\"formatter\":0,\"formatOptions\":{\"showIcon\":true}},{\"columnMatch\":\"URLCount\",\"formatter\":4,\"formatOptions\":{\"palette\":\"coldHot\",\"showIcon\":true}}]}},\"customWidth\":\"25\",\"name\":\"Top 5 allowed URLs\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"CommonSecurityLog\\r\\n| where DeviceProduct has 'PAN-OS'\\r\\n| where DeviceVendor =~ 'Palo Alto Networks'\\r\\n| where \\\"{Destination_IP:lable}\\\"==\\\"All\\\" or DestinationIP in ({Destination_IP}) \\r\\n| where \\\"{Source_IP:lable}\\\" == \\\"All\\\" or SourceIP in ({Source_IP})\\r\\n| where Activity =~ 'THREAT'\\r\\n| where DeviceEventClassID 
=~ 'url'\\r\\n| summarize ActionCount=count() by DeviceAction\\r\\n\",\"size\":0,\"exportToExcelOptions\":\"visible\",\"title\":\"URL threat event summary\",\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"DeviceAction\",\"formatter\":0,\"formatOptions\":{\"showIcon\":true}},{\"columnMatch\":\"ActionCount\",\"formatter\":4,\"formatOptions\":{\"palette\":\"coldHot\",\"showIcon\":true}}]}},\"customWidth\":\"25\",\"name\":\"URL threat event summary\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"CommonSecurityLog\\r\\n| where DeviceProduct has 'PAN-OS'\\r\\n| where DeviceVendor =~ 'Palo Alto Networks'\\r\\n| where Activity =~ 'THREAT'\\r\\n| where DeviceEventClassID =~ 'url'\\r\\n| where DeviceAction contains 'block'\\r\\n| extend PAReferer= extract(';PanOSReferer=(.*?);',1,AdditionalExtensions)\\r\\n| where PAReferer !=''\\r\\n| summarize RefererCount= count() by PAReferer\\r\\n| top 5 by RefererCount desc\\r\\n\",\"size\":0,\"exportToExcelOptions\":\"visible\",\"title\":\"Top 5 referrers for blocked URLs\",\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"customWidth\":\"25\",\"name\":\"Top 5 referrers for blocked URLs\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"CommonSecurityLog\\r\\n| where DeviceProduct has 'PAN-OS'\\r\\n| where DeviceVendor =~ 'Palo Alto Networks'\\r\\n| where \\\"{Destination_IP:lable}\\\"==\\\"All\\\" or DestinationIP in ({Destination_IP}) \\r\\n| where \\\"{Source_IP:lable}\\\" == \\\"All\\\" or SourceIP in ({Source_IP})\\r\\n| where Activity =~ 'THREAT'\\r\\n| where DeviceEventClassID =~ 'url'\\r\\n| where DeviceAction in ('alert', 'continue')\\r\\n| summarize CategoryCount=count() by DeviceCustomString2\\r\\n| project-rename 
CategoryName= DeviceCustomString2\\r\\n| top 5 by CategoryCount desc\\r\\n\",\"size\":0,\"exportToExcelOptions\":\"visible\",\"title\":\"Top 5 allowed URLs, by category\",\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"CategoryName\",\"formatter\":0,\"formatOptions\":{\"showIcon\":true}},{\"columnMatch\":\"CategoryCount\",\"formatter\":4,\"formatOptions\":{\"palette\":\"coldHot\",\"showIcon\":true}}]}},\"customWidth\":\"25\",\"name\":\"Top 5 allowed URLs, by category\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"CommonSecurityLog\\r\\n| where DeviceProduct has 'PAN-OS'\\r\\n| where DeviceVendor =~ 'Palo Alto Networks'\\r\\n| where \\\"{Destination_IP:lable}\\\"==\\\"All\\\" or DestinationIP in ({Destination_IP}) \\r\\n| where \\\"{Source_IP:lable}\\\" == \\\"All\\\" or SourceIP in ({Source_IP})\\r\\n| where Activity =~ 'THREAT'\\r\\n| where DeviceEventClassID =~ 'url'\\r\\n| where DeviceAction !contains 'block'\\r\\n| summarize ProtocolCount=count() by ApplicationProtocol\\r\\n| top 5 by ProtocolCount desc\",\"size\":0,\"exportToExcelOptions\":\"visible\",\"title\":\"Top 5 allowed URLs, by application protocol\",\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"table\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"ApplicationProtocol\",\"formatter\":0,\"formatOptions\":{\"showIcon\":true}},{\"columnMatch\":\"ProtocolCount\",\"formatter\":4,\"formatOptions\":{\"palette\":\"coldHot\",\"showIcon\":true}}]}},\"customWidth\":\"33\",\"name\":\"Top 5 allowed URLs by application protocol\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"CommonSecurityLog\\r\\n| where DeviceProduct has 'PAN-OS'\\r\\n| where DeviceVendor =~ 'Palo Alto 
Networks'\\r\\n| where \\\"{Destination_IP:lable}\\\"==\\\"All\\\" or DestinationIP in ({Destination_IP}) \\r\\n| where \\\"{Source_IP:lable}\\\" == \\\"All\\\" or SourceIP in ({Source_IP})\\r\\n| where Activity =~ 'THREAT'\\r\\n| where DeviceEventClassID =~ 'url'\\r\\n| summarize ActionCount=count() by DeviceAction, TimeGenerated\\r\\n\",\"size\":0,\"exportToExcelOptions\":\"visible\",\"title\":\"Web filter ativity, by time\",\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"DeviceAction\",\"formatter\":0,\"formatOptions\":{\"showIcon\":true}},{\"columnMatch\":\"TimeGenerated\",\"formatter\":0,\"formatOptions\":{\"showIcon\":true}},{\"columnMatch\":\"ActionCount\",\"formatter\":4,\"formatOptions\":{\"palette\":\"coldHot\",\"showIcon\":true}}]}},\"customWidth\":\"33\",\"name\":\"Web filter ativity by time\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"CommonSecurityLog\\r\\n| where DeviceProduct has 'PAN-OS'\\r\\n| where DeviceVendor =~ 'Palo Alto Networks'\\r\\n| where Activity =~ 'THREAT'\\r\\n| where \\\"{Destination_IP:lable}\\\"==\\\"All\\\" or DestinationIP in ({Destination_IP}) \\r\\n| where \\\"{Source_IP:lable}\\\" == \\\"All\\\" or SourceIP in ({Source_IP})\\r\\n| where DeviceEventClassID =~ 'url'\\r\\n| where DeviceAction in ('alert', 'continue')\\r\\n| summarize IPCount=count() by SourceIP\\r\\n| top 5 by IPCount desc\\r\\n\",\"size\":0,\"exportToExcelOptions\":\"visible\",\"title\":\"Top 5 allowed web traffic source IP 
addresses\",\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"SourceIP\",\"formatter\":0,\"formatOptions\":{\"showIcon\":true}},{\"columnMatch\":\"IPCount\",\"formatter\":4,\"formatOptions\":{\"palette\":\"coldHot\",\"showIcon\":true}}]}},\"customWidth\":\"33\",\"name\":\"Top 5 allowed web traffic source IP addresses\"},{\"type\":1,\"content\":{\"json\":\"---\\r\\n## Wildfire\"},\"name\":\"text - 24\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"CommonSecurityLog\\r\\n| where DeviceProduct has 'PAN-OS'\\r\\n| where DeviceVendor =~ 'Palo Alto Networks'\\r\\n| where Activity =~ 'THREAT'\\r\\n| where DeviceEventClassID =~ 'wildfire'\\r\\n| summarize ActionCount=count() by DeviceAction, TimeGenerated\\r\\n\",\"size\":0,\"exportToExcelOptions\":\"visible\",\"title\":\"Wildfire events, by time\",\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"timechart\"},\"customWidth\":\"50\",\"name\":\"Wildfire events, by time\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let data = CommonSecurityLog\\r\\n| where DeviceProduct has 'PAN-OS'\\r\\n| where DeviceVendor =~ 'Palo Alto Networks'\\r\\n| where Activity =~ 'THREAT'\\r\\n| where DeviceEventClassID =~'wildfire'\\r\\n| where \\\"{Destination_IP:lable}\\\"==\\\"All\\\" or DestinationIP in ({Destination_IP}) \\r\\n| where \\\"{Source_IP:lable}\\\" == \\\"All\\\" or SourceIP in ({Source_IP});\\r\\ndata\\r\\n| summarize Count = count() by DeviceAction\\r\\n| join kind = inner (data\\r\\n | make-series Trend = count() default = 0 on TimeGenerated from {TimeRange:start} to {TimeRange:end} step {TimeRange:grain} by DeviceAction)\\r\\n on DeviceAction\\r\\n| project-away DeviceAction1, TimeGenerated\\r\\n| extend 
DeviceActions = DeviceAction\\r\\n| union (\\r\\n data \\r\\n | summarize Count = count() \\r\\n | extend jkey = 1\\r\\n | join kind=inner (data\\r\\n | make-series Trend = count() default = 0 on TimeGenerated from {TimeRange:start} to {TimeRange:end} step {TimeRange:grain}\\r\\n | extend jkey = 1) on jkey\\r\\n | extend DeviceAction = 'All', DeviceActions = '*' \\r\\n)\\r\\n| project DeviceAction, Count, Trend\\r\\n| order by Count desc\\r\\n| take 10\",\"size\":4,\"exportFieldName\":\"DeviceAction\",\"exportParameterName\":\"DeviceAction\",\"exportDefaultValue\":\"All\",\"exportToExcelOptions\":\"visible\",\"title\":\"Top 5 Wildfire activities\",\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"tiles\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"DeviceAction\",\"formatter\":0,\"formatOptions\":{\"showIcon\":true}},{\"columnMatch\":\"Count\",\"formatter\":3,\"formatOptions\":{\"showIcon\":true}},{\"columnMatch\":\"Trend\",\"formatter\":9,\"formatOptions\":{\"palette\":\"grayBlue\",\"showIcon\":true}},{\"columnMatch\":\"DeviceActions\",\"formatter\":0,\"formatOptions\":{\"showIcon\":true}},{\"columnMatch\":\"jkey\",\"formatter\":0,\"formatOptions\":{\"showIcon\":true}},{\"columnMatch\":\"TimeGenerated\",\"formatter\":0,\"formatOptions\":{\"showIcon\":true}},{\"columnMatch\":\"jkey1\",\"formatter\":0,\"formatOptions\":{\"showIcon\":true}}],\"sortBy\":[{\"itemKey\":\"DeviceAction\",\"sortOrder\":1}]},\"tileSettings\":{\"titleContent\":{\"columnMatch\":\"DeviceAction\",\"formatter\":1,\"formatOptions\":{\"showIcon\":true}},\"leftContent\":{\"columnMatch\":\"Count\",\"formatter\":12,\"formatOptions\":{\"palette\":\"auto\",\"showIcon\":true},\"numberFormat\":{\"unit\":17,\"options\":{\"maximumSignificantDigits\":3,\"maximumFractionDigits\":2}}},\"secondaryContent\":{\"columnMatch\":\"Trend\",\"formatter\":9,\"formatOptions\":{\"showIcon\"
:true}},\"showBorder\":false}},\"customWidth\":\"25\",\"name\":\"Top 5 Wildfire activities\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let data = CommonSecurityLog\\r\\n| where DeviceProduct has 'PAN-OS'\\r\\n| where DeviceVendor =~ 'Palo Alto Networks'\\r\\n| where Activity =~ 'THREAT'\\r\\n| where DeviceEventClassID =~'wildfire'\\r\\n| where \\\"{Destination_IP:lable}\\\"==\\\"All\\\" or DestinationIP in ({Destination_IP}) \\r\\n| where \\\"{Source_IP:lable}\\\" == \\\"All\\\" or SourceIP in ({Source_IP});\\r\\ndata\\r\\n| summarize Count = count() by DeviceCustomString2\\r\\n| join kind = inner (data\\r\\n | make-series Trend = count() default = 0 on TimeGenerated from {TimeRange:start} to {TimeRange:end} step {TimeRange:grain} by DeviceCustomString2)\\r\\n on DeviceCustomString2\\r\\n| project-away DeviceCustomString21, TimeGenerated\\r\\n| extend DeviceCustomString2s = DeviceCustomString2\\r\\n| union (\\r\\n data \\r\\n | summarize Count = count() \\r\\n | extend jkey = 1\\r\\n | join kind=inner (data\\r\\n | make-series Trend = count() default = 0 on TimeGenerated from {TimeRange:start} to {TimeRange:end} step {TimeRange:grain}\\r\\n | extend jkey = 1) on jkey\\r\\n | extend DeviceCustomString2 = 'All', DeviceCustomString2s = '*' \\r\\n)\\r\\n| project DeviceCustomString2, Count, Trend\\r\\n| order by Count desc\\r\\n| take 10\",\"size\":4,\"exportFieldName\":\"DeviceCustomString2\",\"exportParameterName\":\"DeviceString\",\"exportDefaultValue\":\"All\",\"exportToExcelOptions\":\"visible\",\"title\":\"Top 5 Wildfire 
verdicts\",\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"tiles\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"DeviceAction\",\"formatter\":0,\"formatOptions\":{\"showIcon\":true}},{\"columnMatch\":\"Count\",\"formatter\":3,\"formatOptions\":{\"showIcon\":true}},{\"columnMatch\":\"Trend\",\"formatter\":9,\"formatOptions\":{\"palette\":\"grayBlue\",\"showIcon\":true}},{\"columnMatch\":\"DeviceActions\",\"formatter\":0,\"formatOptions\":{\"showIcon\":true}},{\"columnMatch\":\"jkey\",\"formatter\":0,\"formatOptions\":{\"showIcon\":true}},{\"columnMatch\":\"TimeGenerated\",\"formatter\":0,\"formatOptions\":{\"showIcon\":true}},{\"columnMatch\":\"jkey1\",\"formatter\":0,\"formatOptions\":{\"showIcon\":true}}],\"sortBy\":[{\"itemKey\":\"DeviceAction\",\"sortOrder\":1}]},\"tileSettings\":{\"titleContent\":{\"columnMatch\":\"DeviceCustomString2\",\"formatter\":1,\"formatOptions\":{\"showIcon\":true}},\"leftContent\":{\"columnMatch\":\"Count\",\"formatter\":12,\"formatOptions\":{\"palette\":\"auto\",\"showIcon\":true},\"numberFormat\":{\"unit\":17,\"options\":{\"maximumSignificantDigits\":3,\"maximumFractionDigits\":2}}},\"secondaryContent\":{\"columnMatch\":\"Trend\",\"formatter\":9,\"formatOptions\":{\"showIcon\":true}},\"showBorder\":false}},\"customWidth\":\"25\",\"name\":\"Top 5 Wildfire verdicts\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"CommonSecurityLog\\r\\n| where DeviceProduct has 'PAN-OS'\\r\\n| where DeviceVendor =~ 'Palo Alto Networks'\\r\\n| where Activity =~ 'THREAT'\\r\\n| where DeviceEventClassID =~ 'wildfire'\\r\\n| where '{DeviceAction}' == \\\"All\\\" or DeviceAction=='{DeviceAction}'\\r\\n| where '{DeviceString}' == \\\"All\\\" or DeviceCustomString2=='{DeviceString}'\\r\\n| project TimeGenerated, ReceiptTime, LogSeverity, DeviceAction, ['URL Category'] =DeviceCustomString2, DestinationPort, 
DestinationIP, Message, SourcePort, SourceIP, DestinationUserID, RequestURL\",\"size\":0,\"exportToExcelOptions\":\"visible\",\"title\":\"Wildfire events\",\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"gridSettings\":{\"filter\":true}},\"name\":\"Wildfire events\"},{\"type\":1,\"content\":{\"json\":\"---\\r\\n## General statistics\"},\"name\":\"text - 30\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"CommonSecurityLog\\r\\n| where DeviceProduct has 'PAN-OS'\\r\\n| where DeviceVendor =~ 'Palo Alto Networks'\\r\\n| where Activity =~ 'THREAT'\\r\\n| where \\\"{Destination_IP:lable}\\\"==\\\"All\\\" or DestinationIP in ({Destination_IP}) \\r\\n| where \\\"{Source_IP:lable}\\\" == \\\"All\\\" or SourceIP in ({Source_IP})\\r\\n| where DeviceEventClassID =~ 'file'\\r\\n| where DeviceAction contains 'deny'\\r\\n| summarize ProtocolCount=count() by ApplicationProtocol\\r\\n| top 5 by ProtocolCount desc\\r\\n\",\"size\":0,\"exportToExcelOptions\":\"visible\",\"title\":\"Top 5 denied files, by application protocol\",\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"ApplicationProtocol\",\"formatter\":0,\"formatOptions\":{\"showIcon\":true}},{\"columnMatch\":\"ProtocolCount\",\"formatter\":4,\"formatOptions\":{\"palette\":\"coldHot\",\"showIcon\":true}}]}},\"customWidth\":\"33\",\"name\":\"Top 5 denied files by application protocol\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"CommonSecurityLog\\r\\n| where DeviceProduct has 'PAN-OS'\\r\\n| where DeviceVendor =~ 'Palo Alto Networks'\\r\\n| where Activity =~ 'THREAT'\\r\\n| where \\\"{Destination_IP:lable}\\\"==\\\"All\\\" or DestinationIP in ({Destination_IP}) \\r\\n| where \\\"{Source_IP:lable}\\\" == \\\"All\\\" or 
SourceIP in ({Source_IP})\\r\\n| where DeviceEventClassID =~ 'file'\\r\\n| where DeviceAction !contains 'deny'\\r\\n| summarize ProtocolCount=count() by ApplicationProtocol\\r\\n| top 5 by ProtocolCount desc\\r\\n\",\"size\":0,\"exportToExcelOptions\":\"visible\",\"title\":\"Top 5 allowed files, by application protocol\",\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"ApplicationProtocol\",\"formatter\":0,\"formatOptions\":{\"showIcon\":true}},{\"columnMatch\":\"ProtocolCount\",\"formatter\":4,\"formatOptions\":{\"palette\":\"coldHot\",\"showIcon\":true}}]}},\"customWidth\":\"33\",\"name\":\"Top 5 allowed files by application protocol\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"//Palo Alto File Category By Action Summary\\r\\nCommonSecurityLog\\r\\n| where DeviceProduct has 'PAN-OS' \\r\\n| where DeviceVendor =~ 'Palo Alto Networks' \\r\\n| where Activity =~ 'THREAT'\\r\\n| where \\\"{Destination_IP:lable}\\\"==\\\"All\\\" or DestinationIP in ({Destination_IP}) \\r\\n| where \\\"{Source_IP:lable}\\\" == \\\"All\\\" or SourceIP in ({Source_IP})\\r\\n| where DeviceEventClassID =~ 'file' \\r\\n| extend PACategory= coalesce(\\r\\n column_ifexists(\\\"DeviceEventCategory\\\", \\\"\\\"),\\r\\n extract(';cat=(.*?)($|;)',1,AdditionalExtensions),\\r\\n \\\"\\\"\\r\\n )\\r\\n| summarize CategoryCount=count() by PACategory\\r\\n| sort by CategoryCount\",\"size\":0,\"exportToExcelOptions\":\"visible\",\"title\":\"Summary of Palo Alto file categories, by 
activity\",\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"PACategory\",\"formatter\":0,\"formatOptions\":{\"showIcon\":true}},{\"columnMatch\":\"CategoryCount\",\"formatter\":4,\"formatOptions\":{\"palette\":\"coldHot\",\"showIcon\":true},\"numberFormat\":{\"unit\":17,\"options\":{\"style\":\"decimal\"}}}]}},\"customWidth\":\"33\",\"name\":\"Summary of Palo Alto file categories by activity\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let data = CommonSecurityLog\\r\\n| where DeviceProduct has 'PAN-OS'\\r\\n| where DeviceVendor =~ 'Palo Alto Networks'\\r\\n| where Activity =~ 'THREAT'\\r\\n| where DeviceEventClassID =~'file'\\r\\n| where \\\"{Destination_IP:lable}\\\"==\\\"All\\\" or DestinationIP in ({Destination_IP}) \\r\\n| where \\\"{Source_IP:lable}\\\" == \\\"All\\\" or SourceIP in ({Source_IP});\\r\\ndata\\r\\n| summarize Count = count() by DeviceAction\\r\\n| join kind = inner (data\\r\\n | make-series Trend = count() default = 0 on TimeGenerated from {TimeRange:start} to {TimeRange:end} step {TimeRange:grain} by DeviceAction)\\r\\n on DeviceAction\\r\\n| project-away DeviceAction1, TimeGenerated\\r\\n| extend DeviceActions = DeviceAction\\r\\n| union (\\r\\n data \\r\\n | summarize Count = count() \\r\\n | extend jkey = 1\\r\\n | join kind=inner (data\\r\\n | make-series Trend = count() default = 0 on TimeGenerated from {TimeRange:start} to {TimeRange:end} step {TimeRange:grain}\\r\\n | extend jkey = 1) on jkey\\r\\n | extend DeviceAction = 'All', DeviceActions = '*' \\r\\n)\\r\\n| project DeviceAction, Count, Trend\\r\\n| order by Count desc\\r\\n| take 10\\r\\n\",\"size\":4,\"exportFieldName\":\"DeviceAction\",\"exportParameterName\":\"SelectedDA\",\"exportDefaultValue\":\"All\",\"exportToExcelOptions\":\"visible\",\"title\":\"Summary of file type 
activities\",\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"tiles\",\"tileSettings\":{\"titleContent\":{\"columnMatch\":\"DeviceAction\",\"formatter\":1,\"formatOptions\":{\"showIcon\":true}},\"leftContent\":{\"columnMatch\":\"Count\",\"formatter\":12,\"formatOptions\":{\"palette\":\"auto\",\"showIcon\":true},\"numberFormat\":{\"unit\":17,\"options\":{\"maximumSignificantDigits\":3,\"maximumFractionDigits\":2}}},\"secondaryContent\":{\"columnMatch\":\"Trend\",\"formatter\":9,\"formatOptions\":{\"showIcon\":true}},\"showBorder\":false}},\"customWidth\":\"25\",\"name\":\"Summary of file type activities\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"CommonSecurityLog\\r\\n| where DeviceProduct has 'PAN-OS'\\r\\n| where DeviceVendor =~ 'Palo Alto Networks'\\r\\n| where Activity =~ 'THREAT'\\r\\n| where DeviceEventClassID =~ 'file'\\r\\n| where \\\"{Destination_IP:lable}\\\"==\\\"All\\\" or DestinationIP in ({Destination_IP}) \\r\\n| where \\\"{Source_IP:lable}\\\" == \\\"All\\\" or SourceIP in ({Source_IP})\\r\\n| where '{SelectedDA}' == \\\"All\\\" or DeviceAction == '{SelectedDA}'\\r\\n| summarize ActionCount=count() by DeviceAction, bin(TimeGenerated, {TimeRange:grain})\\r\\n\",\"size\":0,\"exportToExcelOptions\":\"visible\",\"title\":\"Compare allowed and denied files, by time\",\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"timechart\"},\"name\":\"Compare allowed and denied files by time\"}],\"fromTemplateId\":\"sentinel-PaloAltoOverview\",\"$schema\":\"https://github.com/Microsoft/Application-Insights-Workbooks/blob/master/schema/workbook.json\"}\r\n",
+ "version": "1.0",
+ "sourceId": "[variables('workspaceResourceId')]",
+ "category": "sentinel"
+ }
+ },
+ {
+ "type": "Microsoft.OperationalInsights/workspaces/providers/metadata",
+ "apiVersion": "2022-01-01-preview",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('Workbook-', last(split(variables('workbookId1'),'/'))))]",
+ "properties": {
+ "description": "@{workbookKey=PaloAltoOverviewWorkbook; logoFileName=paloalto_logo.svg; description=Gain insights and comprehensive monitoring into Palo Alto firewalls by analyzing traffic and activities.\nThis workbook correlates all Palo Alto data with threat events to identify suspicious entities and relationships.\nYou can learn about trends across user and data traffic, and drill down into Palo Alto Wildfire and filter results.; dataTypesDependencies=System.Object[]; dataConnectorsDependencies=System.Object[]; previewImagesFileNames=System.Object[]; version=1.2.0; title=Palo Alto overview; templateRelativePath=PaloAltoOverview.json; subtitle=; provider=Microsoft}.description",
+ "parentId": "[variables('workbookId1')]",
+ "contentId": "[variables('_workbookContentId1')]",
+ "kind": "Workbook",
+ "version": "[variables('workbookVersion1')]",
+ "source": {
+ "kind": "Solution",
+ "name": "PaloAlto-PAN-OS",
+ "sourceId": "[variables('_solutionId')]"
+ },
+ "author": {
+ "name": "Microsoft",
+ "email": "[variables('_email')]"
+ },
+ "support": {
+ "name": "Microsoft Corporation",
+ "email": "support@microsoft.com",
+ "tier": "Microsoft",
+ "link": "https://support.microsoft.com"
+ }
+ }
+ }
+ ]
+ }
+ }
+ },
+ {
+ "type": "Microsoft.Resources/templateSpecs",
+ "apiVersion": "2021-05-01",
+ "name": "[variables('workbookTemplateSpecName2')]",
+ "location": "[parameters('workspace-location')]",
+ "tags": {
+ "hidden-sentinelWorkspaceId": "[variables('workspaceResourceId')]",
+ "hidden-sentinelContentType": "Workbook"
+ },
+ "properties": {
+ "description": "PaloAlto-PAN-OS Workbook with template",
+ "displayName": "PaloAlto-PAN-OS workbook template"
+ }
+ },
+ {
+ "type": "Microsoft.Resources/templateSpecs/versions",
+ "apiVersion": "2021-05-01",
+ "name": "[concat(variables('workbookTemplateSpecName2'),'/',variables('workbookVersion2'))]",
+ "location": "[parameters('workspace-location')]",
+ "tags": {
+ "hidden-sentinelWorkspaceId": "[variables('workspaceResourceId')]",
+ "hidden-sentinelContentType": "Workbook"
+ },
+ "dependsOn": [
+ "[resourceId('Microsoft.Resources/templateSpecs', variables('workbookTemplateSpecName2'))]"
+ ],
+ "properties": {
+ "description": "PaloAltoNetworkThreatWorkbook Workbook with template version 2.0.0",
+ "mainTemplate": {
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "[variables('workbookVersion2')]",
+ "parameters": {},
+ "variables": {},
+ "resources": [
+ {
+ "type": "Microsoft.Insights/workbooks",
+ "name": "[variables('workbookContentId2')]",
+ "location": "[parameters('workspace-location')]",
+ "kind": "shared",
+ "apiVersion": "2021-08-01",
+ "metadata": {
+ "description": "Gain insights into Palo Alto network activities by analyzing threat events.\nYou can extract meaningful security information by correlating data between threats, applications, and time.\nThis workbook makes it easy to track malware, vulnerability, and virus log events."
+ },
+ "properties": {
+ "displayName": "[parameters('workbook2-name')]",
+ "serializedData": "{\"version\":\"Notebook/1.0\",\"items\":[{\"type\":1,\"content\":{\"json\":\"## Palo Alto network threat\\n\"},\"name\":\"text - 2\"},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"query\":\"\",\"parameters\":[{\"id\":\"d0ccb5c6-8a07-4b7e-9abf-38fa4dcc0baf\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"TimeRange\",\"type\":4,\"isRequired\":true,\"value\":{\"durationMs\":43200000},\"typeSettings\":{\"selectableValues\":[{\"durationMs\":300000},{\"durationMs\":900000},{\"durationMs\":1800000},{\"durationMs\":3600000},{\"durationMs\":14400000},{\"durationMs\":43200000},{\"durationMs\":86400000},{\"durationMs\":172800000},{\"durationMs\":259200000},{\"durationMs\":604800000},{\"durationMs\":1209600000},{\"durationMs\":2419200000},{\"durationMs\":2592000000},{\"durationMs\":5184000000},{\"durationMs\":7776000000}],\"allowCustom\":true}}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"parameters - 1\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let data = CommonSecurityLog\\r\\n| where DeviceProduct has 'PAN-OS'\\r\\n| where DeviceVendor =~ 'Palo Alto Networks'\\r\\n| where Activity =~ 'THREAT' and DeviceEventClassID != 'url' and DeviceEventClassID != 'file';\\r\\ndata\\r\\n| summarize Count = count() by DeviceEventClassID\\r\\n| join kind = inner (data\\r\\n | make-series Trend = count() default = 0 on TimeGenerated from {TimeRange:start} to {TimeRange:end} step {TimeRange:grain} by DeviceEventClassID)\\r\\n on DeviceEventClassID\\r\\n| project-away DeviceEventClassID1, TimeGenerated\\r\\n| extend DeviceEventClassIDs = DeviceEventClassID\\r\\n| union (\\r\\n data \\r\\n | summarize Count = count() \\r\\n | extend jkey = 1\\r\\n | join kind=inner (data\\r\\n | make-series Trend = count() default = 0 on TimeGenerated from {TimeRange:start} to {TimeRange:end} step {TimeRange:grain}\\r\\n | extend jkey = 1) on jkey\\r\\n | extend DeviceEventClassID = 
'All', DeviceEventClassIDs = '*' \\r\\n)\\r\\n| project DeviceEventClassID, Count, Trend\\r\\n| order by Count desc\\r\\n| take 10\",\"size\":3,\"exportFieldName\":\"DeviceEventClassID\",\"exportParameterName\":\"SelectedSubtype\",\"exportDefaultValue\":\"All\",\"exportToExcelOptions\":\"visible\",\"title\":\"Threats, by subtypes\",\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"tiles\",\"tileSettings\":{\"titleContent\":{\"columnMatch\":\"DeviceEventClassID\",\"formatter\":1,\"formatOptions\":{\"showIcon\":true}},\"leftContent\":{\"columnMatch\":\"Count\",\"formatter\":12,\"formatOptions\":{\"palette\":\"auto\",\"showIcon\":true},\"numberFormat\":{\"unit\":17,\"options\":{\"maximumSignificantDigits\":3,\"maximumFractionDigits\":2}}},\"secondaryContent\":{\"columnMatch\":\"Trend\",\"formatter\":9,\"formatOptions\":{\"palette\":\"blueDark\",\"showIcon\":true}},\"showBorder\":false}},\"customWidth\":\"33\",\"name\":\"Threats by subtypes\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let data = CommonSecurityLog\\r\\n| where DeviceProduct has 'PAN-OS'\\r\\n| where DeviceVendor =~ 'Palo Alto Networks'\\r\\n| where Activity =~ 'THREAT'\\r\\n| where DeviceEventClassID =~'wildfire';\\r\\ndata\\r\\n| summarize Count = count() by DeviceCustomString2\\r\\n| join kind = inner (data\\r\\n | make-series Trend = count() default = 0 on TimeGenerated from {TimeRange:start} to {TimeRange:end} step {TimeRange:grain} by DeviceCustomString2)\\r\\n on DeviceCustomString2\\r\\n| project-away DeviceCustomString21, TimeGenerated\\r\\n| extend DeviceCustomString2s = DeviceCustomString2\\r\\n| union (\\r\\n data \\r\\n | summarize Count = count() \\r\\n | extend jkey = 1\\r\\n | join kind=inner (data\\r\\n | make-series Trend = count() default = 0 on TimeGenerated from {TimeRange:start} to {TimeRange:end} step {TimeRange:grain}\\r\\n | extend 
jkey = 1) on jkey\\r\\n | extend DeviceCustomString2 = 'All', DeviceCustomString2s = '*' \\r\\n)\\r\\n| project DeviceCustomString2, Count, Trend\\r\\n| order by Count desc\\r\\n| take 10\",\"size\":3,\"exportFieldName\":\"DeviceCustomString2\",\"exportParameterName\":\"SelectedWildfire\",\"exportDefaultValue\":\"All\",\"exportToExcelOptions\":\"visible\",\"title\":\"WildFire verdicts\",\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"tiles\",\"tileSettings\":{\"titleContent\":{\"columnMatch\":\"DeviceCustomString2\",\"formatter\":1,\"formatOptions\":{\"showIcon\":true}},\"leftContent\":{\"columnMatch\":\"Count\",\"formatter\":12,\"formatOptions\":{\"palette\":\"auto\",\"showIcon\":true},\"numberFormat\":{\"unit\":17,\"options\":{\"style\":\"decimal\",\"maximumFractionDigits\":2,\"maximumSignificantDigits\":3}}},\"secondaryContent\":{\"columnMatch\":\"Trend\",\"formatter\":9,\"formatOptions\":{\"palette\":\"blueDark\",\"showIcon\":true}},\"showBorder\":false}},\"customWidth\":\"33\",\"name\":\"WildFire verdicts\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let data = CommonSecurityLog\\r\\n| where DeviceProduct has 'PAN-OS'\\r\\n| where DeviceVendor =~ 'Palo Alto Networks'\\r\\n| where Activity =~ 'THREAT' and LogSeverity != 'url' and LogSeverity != 'file';\\r\\ndata\\r\\n| summarize Count = count() by LogSeverity\\r\\n| join kind = inner (data\\r\\n | make-series Trend = count() default = 0 on TimeGenerated from {TimeRange:start} to {TimeRange:end} step {TimeRange:grain} by LogSeverity)\\r\\n on LogSeverity\\r\\n| project-away LogSeverity1, TimeGenerated\\r\\n| extend LogSeveritys = LogSeverity\\r\\n| union (\\r\\n data \\r\\n | summarize Count = count() \\r\\n | extend jkey = 1\\r\\n | join kind=inner (data\\r\\n | make-series Trend = count() default = 0 on TimeGenerated from {TimeRange:start} to {TimeRange:end} step 
{TimeRange:grain}\\r\\n | extend jkey = 1) on jkey\\r\\n | extend LogSeverity = 'All', LogSeveritys = '*' \\r\\n)\\r\\n| project LogSeverity, Count, Trend\\r\\n| order by Count desc\\r\\n| take 10\",\"size\":3,\"exportFieldName\":\"LogSeverity\",\"exportParameterName\":\"SelectedSeverity\",\"exportDefaultValue\":\"All\",\"exportToExcelOptions\":\"visible\",\"title\":\"Threats severity\",\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"tiles\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"LogSeverity\",\"formatter\":0,\"formatOptions\":{\"showIcon\":true}},{\"columnMatch\":\"Count\",\"formatter\":0,\"formatOptions\":{\"showIcon\":true}},{\"columnMatch\":\"Trend\",\"formatter\":9,\"formatOptions\":{\"palette\":\"lightBlue\",\"showIcon\":true}}]},\"tileSettings\":{\"titleContent\":{\"columnMatch\":\"LogSeverity\",\"formatter\":1,\"formatOptions\":{\"showIcon\":true}},\"leftContent\":{\"columnMatch\":\"Count\",\"formatter\":12,\"formatOptions\":{\"palette\":\"auto\",\"showIcon\":true},\"numberFormat\":{\"unit\":17,\"options\":{\"maximumSignificantDigits\":3,\"maximumFractionDigits\":2}}},\"secondaryContent\":{\"columnMatch\":\"Trend\",\"formatter\":9,\"formatOptions\":{\"palette\":\"blueDark\",\"showIcon\":true}},\"showBorder\":false}},\"customWidth\":\"33\",\"name\":\"Threats severity\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"CommonSecurityLog\\r\\n| where DeviceProduct has 'PAN-OS'\\r\\n| where DeviceVendor =~ 'Palo Alto Networks'\\r\\n| where Activity =~ 'THREAT' and DeviceEventClassID != 'url' and DeviceEventClassID != 'file'\\r\\n| where '{SelectedSubtype}' == \\\"All\\\" or '{SelectedSubtype}'==DeviceEventClassID\\r\\n| where '{SelectedWildfire}' == \\\"All\\\" or '{SelectedWildfire}'==DeviceCustomString2\\r\\n| where '{SelectedSeverity}' == \\\"All\\\" or '{SelectedSeverity}'==LogSeverity\\r\\n| summarize 
count() by bin(TimeGenerated, 1h), DeviceEventClassID\\r\\n| render timechart\\r\\n\",\"size\":0,\"exportToExcelOptions\":\"visible\",\"title\":\"Threat subtypes over time\",\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"customWidth\":\"37.5\",\"name\":\"Threat subtypes over time\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"CommonSecurityLog\\r\\n| where DeviceProduct has 'PAN-OS'\\r\\n| where DeviceVendor =~ 'Palo Alto Networks'\\r\\n| where Activity =~ 'THREAT' and DeviceEventClassID != 'url' and DeviceEventClassID != 'file'\\r\\n| where '{SelectedSubtype}' == \\\"All\\\" or '{SelectedSubtype}'==DeviceEventClassID\\r\\n| where '{SelectedWildfire}' == \\\"All\\\" or '{SelectedWildfire}'==DeviceCustomString2\\r\\n| where '{SelectedSeverity}' == \\\"All\\\" or '{SelectedSeverity}'==LogSeverity\\r\\n| summarize count() by bin(TimeGenerated, 1h), LogSeverity\\r\\n| render timechart\\r\\n\",\"size\":0,\"exportToExcelOptions\":\"visible\",\"title\":\"Threat severity over time\",\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"customWidth\":\"37.5\",\"name\":\"Threat severity over time\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let data = CommonSecurityLog\\r\\n| where DeviceProduct has 'PAN-OS'\\r\\n| where DeviceVendor =~ 'Palo Alto Networks'\\r\\n| where Activity =~ 'THREAT' and DeviceEventClassID != 'url' and DeviceEventClassID != 'file'\\r\\n| where '{SelectedSubtype}' == \\\"All\\\" or '{SelectedSubtype}'==DeviceEventClassID\\r\\n| where '{SelectedWildfire}' == \\\"All\\\" or '{SelectedWildfire}'==DeviceCustomString2\\r\\n| where '{SelectedSeverity}' == \\\"All\\\" or '{SelectedSeverity}'==LogSeverity;\\r\\ndata\\r\\n| summarize Count = count() by ApplicationProtocol\\r\\n| join kind = inner 
(data\\r\\n | make-series Trend = count() default = 0 on TimeGenerated from {TimeRange:start} to {TimeRange:end} step {TimeRange:grain} by ApplicationProtocol)\\r\\n on ApplicationProtocol\\r\\n| project-away ApplicationProtocol1, TimeGenerated\\r\\n| extend ApplicationProtocols = ApplicationProtocol\\r\\n| union (\\r\\n data \\r\\n | summarize Count = count() \\r\\n | extend jkey = 1\\r\\n | join kind=inner (data\\r\\n | make-series Trend = count() default = 0 on TimeGenerated from {TimeRange:start} to {TimeRange:end} step {TimeRange:grain}\\r\\n | extend jkey = 1) on jkey\\r\\n | extend ApplicationProtocol = 'All', ApplicationProtocols = '*' \\r\\n)\\r\\n| project ApplicationProtocol, Count, Trend\\r\\n| order by Count desc\\r\\n| take 10\",\"size\":0,\"exportToExcelOptions\":\"visible\",\"title\":\"Threats, by application\",\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"table\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"ApplicationProtocol\",\"formatter\":0,\"formatOptions\":{\"showIcon\":true}},{\"columnMatch\":\"Count\",\"formatter\":4,\"formatOptions\":{\"palette\":\"coldHot\",\"showIcon\":true}},{\"columnMatch\":\"Trend\",\"formatter\":9,\"formatOptions\":{\"showIcon\":true}}]},\"tileSettings\":{\"titleContent\":{\"columnMatch\":\"ApplicationProtocol\",\"formatter\":1,\"formatOptions\":{\"showIcon\":true}},\"leftContent\":{\"columnMatch\":\"Count\",\"formatter\":12,\"formatOptions\":{\"palette\":\"auto\",\"showIcon\":true},\"numberFormat\":{\"unit\":17,\"options\":{\"maximumSignificantDigits\":3,\"maximumFractionDigits\":2}}},\"secondaryContent\":{\"columnMatch\":\"Trend\",\"formatter\":9,\"formatOptions\":{\"palette\":\"blueDark\",\"showIcon\":true}},\"showBorder\":false}},\"customWidth\":\"25\",\"name\":\"Threats by application\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"CommonSecurityLog\\r\\n| 
where DeviceProduct has 'PAN-OS'\\r\\n| where DeviceVendor =~ 'Palo Alto Networks'\\r\\n| where Activity =~ 'THREAT'\\r\\n| where '{SelectedSubtype}' == \\\"All\\\" or '{SelectedSubtype}'==DeviceEventClassID\\r\\n| where '{SelectedWildfire}' == \\\"All\\\" or '{SelectedWildfire}'==DeviceCustomString2\\r\\n| where '{SelectedSeverity}' == \\\"All\\\" or '{SelectedSeverity}'==LogSeverity\\r\\n| project TimeGenerated, ReceiptTime, LogSeverity, DeviceAction, ['URL Category'] =DeviceCustomString2, DestinationPort, DestinationIP, Message, SourcePort, SourceIP, DestinationUserID, RequestURL\",\"size\":0,\"exportToExcelOptions\":\"visible\",\"title\":\"Threat events\",\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"gridSettings\":{\"filter\":true}},\"name\":\"All Threat Events\"},{\"type\":1,\"content\":{\"json\":\"---\"},\"name\":\"text - 11\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"CommonSecurityLog\\r\\n| where DeviceProduct has 'PAN-OS'\\r\\n| where DeviceVendor =~ 'Palo Alto Networks'\\r\\n| where DeviceEventClassID =~ 'vulnerability' \\r\\n| extend ThreatId = coalesce(\\r\\n column_ifexists(\\\"DeviceEventCategory\\\", \\\"\\\"),\\r\\n extract('cat=([^;]+)',1,AdditionalExtensions),\\r\\n \\\"\\\"\\r\\n )\\r\\n| summarize Amount=count() by ThreatId, LogSeverity\\r\\n| top 20 by Amount\",\"size\":0,\"exportToExcelOptions\":\"visible\",\"title\":\"Top vulnerability 
events\",\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"ThreatId\",\"formatter\":0,\"formatOptions\":{\"showIcon\":true}},{\"columnMatch\":\"LogSeverity\",\"formatter\":0,\"formatOptions\":{\"showIcon\":true}},{\"columnMatch\":\"Amount\",\"formatter\":4,\"formatOptions\":{\"palette\":\"coldHot\",\"showIcon\":true}},{\"columnMatch\":\"count_\",\"formatter\":4,\"formatOptions\":{\"palette\":\"coldHot\",\"showIcon\":true}}],\"filter\":true}},\"customWidth\":\"50\",\"name\":\"Top vulnerability events\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"CommonSecurityLog\\r\\n| where DeviceProduct has 'PAN-OS'\\r\\n| where DeviceVendor =~ 'Palo Alto Networks'\\r\\n| search DeviceEventClassID:'*virus*'\\r\\n| summarize Amount=count() by RequestURL, DeviceEventClassID, DestinationIP, SourceIP, ApplicationProtocol\\r\\n| top 20 by Amount\",\"size\":0,\"exportToExcelOptions\":\"visible\",\"title\":\"Virus and malware 
events\",\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"RequestURL\",\"formatter\":0,\"formatOptions\":{\"showIcon\":true}},{\"columnMatch\":\"DeviceEventClassID\",\"formatter\":0,\"formatOptions\":{\"showIcon\":true}},{\"columnMatch\":\"DestinationIP\",\"formatter\":0,\"formatOptions\":{\"showIcon\":true}},{\"columnMatch\":\"SourceIP\",\"formatter\":0,\"formatOptions\":{\"showIcon\":true}},{\"columnMatch\":\"ApplicationProtocol\",\"formatter\":0,\"formatOptions\":{\"showIcon\":true}},{\"columnMatch\":\"Amount\",\"formatter\":4,\"formatOptions\":{\"palette\":\"coldHot\",\"showIcon\":true}},{\"columnMatch\":\"SourceUserID\",\"formatter\":0,\"formatOptions\":{\"showIcon\":true}},{\"columnMatch\":\"count_\",\"formatter\":4,\"formatOptions\":{\"palette\":\"coldHot\",\"showIcon\":true}}],\"filter\":true}},\"customWidth\":\"50\",\"name\":\"Virus and malware events\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"CommonSecurityLog\\r\\n| where DeviceProduct has 'PAN-OS'\\r\\n| where DeviceVendor =~ 'Palo Alto Networks'\\r\\n//| where DeviceEventClassID =~ 'correlation' \\r\\n| extend ThreatId = coalesce(\\r\\n column_ifexists(\\\"DeviceEventCategory\\\", \\\"\\\"),\\r\\n extract('cat=([^;]+)',1,AdditionalExtensions),\\r\\n \\\"\\\"\\r\\n )\\r\\n| extend ThreatCategory = extract('PanOSThreatCategory=([^;]+)',1, AdditionalExtensions)\\r\\n| summarize Amount=count() by ThreatId, ThreatCategory, LogSeverity\\r\\n| top 20 by Amount\",\"size\":0,\"exportToExcelOptions\":\"visible\",\"title\":\"Top correlation 
events\",\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"table\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"ThreatId\",\"formatter\":0,\"formatOptions\":{\"showIcon\":true}},{\"columnMatch\":\"ThreatCategory\",\"formatter\":0,\"formatOptions\":{\"showIcon\":true}},{\"columnMatch\":\"LogSeverity\",\"formatter\":0,\"formatOptions\":{\"showIcon\":true}},{\"columnMatch\":\"Amount\",\"formatter\":4,\"formatOptions\":{\"palette\":\"coldHot\",\"showIcon\":true}},{\"columnMatch\":\"count_\",\"formatter\":4,\"formatOptions\":{\"palette\":\"coldHot\",\"showIcon\":true}}]}},\"name\":\"Top correlation events\"}],\"fromTemplateId\":\"sentinel-PaloAltoNetworkThreat\",\"$schema\":\"https://github.com/Microsoft/Application-Insights-Workbooks/blob/master/schema/workbook.json\"}\r\n",
+ "version": "1.0",
+ "sourceId": "[variables('workspaceResourceId')]",
+ "category": "sentinel"
+ }
+ },
+ {
+ "type": "Microsoft.OperationalInsights/workspaces/providers/metadata",
+ "apiVersion": "2022-01-01-preview",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('Workbook-', last(split(variables('workbookId2'),'/'))))]",
+ "properties": {
+ "description": "@{workbookKey=PaloAltoNetworkThreatWorkbook; logoFileName=paloalto_logo.svg; description=Gain insights into Palo Alto network activities by analyzing threat events.\nYou can extract meaningful security information by correlating data between threats, applications, and time.\nThis workbook makes it easy to track malware, vulnerability, and virus log events.; dataTypesDependencies=System.Object[]; dataConnectorsDependencies=System.Object[]; previewImagesFileNames=System.Object[]; version=1.1.0; title=Palo Alto Network Threat; templateRelativePath=PaloAltoNetworkThreat.json; subtitle=; provider=Palo Alto Networks}.description",
+ "parentId": "[variables('workbookId2')]",
+ "contentId": "[variables('_workbookContentId2')]",
+ "kind": "Workbook",
+ "version": "[variables('workbookVersion2')]",
+ "source": {
+ "kind": "Solution",
+ "name": "PaloAlto-PAN-OS",
+ "sourceId": "[variables('_solutionId')]"
+ },
+ "author": {
+ "name": "Microsoft",
+ "email": "[variables('_email')]"
+ },
+ "support": {
+ "name": "Microsoft Corporation",
+ "email": "support@microsoft.com",
+ "tier": "Microsoft",
+ "link": "https://support.microsoft.com"
+ }
+ }
+ }
+ ]
+ }
+ }
+ },
+ {
+ "type": "Microsoft.Resources/templateSpecs",
+ "apiVersion": "2021-05-01",
+ "name": "[variables('analyticRuleTemplateSpecName1')]",
+ "location": "[parameters('workspace-location')]",
+ "tags": {
+ "hidden-sentinelWorkspaceId": "[variables('workspaceResourceId')]",
+ "hidden-sentinelContentType": "AnalyticsRule"
+ },
+ "properties": {
+ "description": "PaloAlto-PAN-OS Analytics Rule 1 with template",
+ "displayName": "PaloAlto-PAN-OS Analytics Rule template"
+ }
+ },
+ {
+ "type": "Microsoft.Resources/templateSpecs/versions",
+ "apiVersion": "2021-05-01",
+ "name": "[concat(variables('analyticRuleTemplateSpecName1'),'/',variables('analyticRuleVersion1'))]",
+ "location": "[parameters('workspace-location')]",
+ "tags": {
+ "hidden-sentinelWorkspaceId": "[variables('workspaceResourceId')]",
+ "hidden-sentinelContentType": "AnalyticsRule"
+ },
+ "dependsOn": [
+ "[resourceId('Microsoft.Resources/templateSpecs', variables('analyticRuleTemplateSpecName1'))]"
+ ],
+ "properties": {
+ "description": "PaloAlto-UnusualThreatSignatures_AnalyticalRules Analytics Rule with template version 2.0.0",
+ "mainTemplate": {
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "[variables('analyticRuleVersion1')]",
+ "parameters": {},
+ "variables": {},
+ "resources": [
+ {
+ "type": "Microsoft.SecurityInsights/AlertRuleTemplates",
+ "name": "[variables('AnalyticRulecontentId1')]",
+ "apiVersion": "2022-04-01-preview",
+ "kind": "Scheduled",
+ "location": "[parameters('workspace-location')]",
+ "properties": {
+ "description": "Identifies Palo Alto Threat signatures from unusual IP addresses which are not historically seen. \nThis detection is also leveraged and required for MDE and PAN Fusion scenario\nhttps://docs.microsoft.com/Azure/sentinel/fusion-scenario-reference#network-request-to-tor-anonymization-service-followed-by-anomalous-traffic-flagged-by-palo-alto-networks-firewall",
+ "displayName": "Palo Alto Threat signatures from Unusual IP addresses",
+ "enabled": false,
+ "query": "let starttime = 7d;\nlet endtime = 1d;\nlet timeframe = 1h;\nlet HistThreshold = 25; \nlet CurrThreshold = 10; \nlet HistoricalThreats = CommonSecurityLog\n| where isnotempty(SourceIP)\n| where TimeGenerated between (startofday(ago(starttime))..startofday(ago(endtime)))\n| where DeviceVendor =~ \"Palo Alto Networks\"\n| where Activity =~ \"THREAT\" and SimplifiedDeviceAction =~ \"alert\" \n| where DeviceEventClassID in ('spyware', 'scan', 'file', 'vulnerability', 'flood', 'packet', 'virus','wildfire', 'wildfire-virus')\n| summarize TotalEvents = count(), ThreatTypes = make_set(DeviceEventClassID), DestinationIpList = make_set(DestinationIP), FirstSeen = min(TimeGenerated) , LastSeen = max(TimeGenerated) by SourceIP, DeviceAction, DeviceVendor;\nlet CurrentHourThreats = CommonSecurityLog\n| where isnotempty(SourceIP)\n| where TimeGenerated > ago(timeframe)\n| where DeviceVendor =~ \"Palo Alto Networks\"\n| where Activity =~ \"THREAT\" and SimplifiedDeviceAction =~ \"alert\" \n| where DeviceEventClassID in ('spyware', 'scan', 'file', 'vulnerability', 'flood', 'packet', 'virus','wildfire', 'wildfire-virus')\n| summarize TotalEvents = count(), ThreatTypes = make_set(DeviceEventClassID), DestinationIpList = make_set(DestinationIP), FirstSeen = min(TimeGenerated) , LastSeen = max(TimeGenerated) by SourceIP, DeviceAction, DeviceProduct, DeviceVendor;\nCurrentHourThreats \n| where TotalEvents < CurrThreshold\n| join kind = leftanti (HistoricalThreats \n| where TotalEvents > HistThreshold) on SourceIP\n",
+ "queryFrequency": "PT1H",
+ "queryPeriod": "P7D",
+ "severity": "Medium",
+ "suppressionDuration": "PT1H",
+ "suppressionEnabled": false,
+ "triggerOperator": "GreaterThan",
+ "triggerThreshold": 0,
+ "status": "Available",
+ "requiredDataConnectors": [
+ {
+ "dataTypes": [
+ "CommonSecurityLog"
+ ],
+ "connectorId": "PaloAltoNetworks"
+ }
+ ],
+ "tactics": [
+ "Discovery",
+ "Exfiltration",
+ "CommandAndControl"
+ ],
+ "entityMappings": [
+ {
+ "fieldMappings": [
+ {
+ "columnName": "SourceIP",
+ "identifier": "Address"
+ }
+ ],
+ "entityType": "IP"
+ }
+ ]
+ }
+ },
+ {
+ "type": "Microsoft.OperationalInsights/workspaces/providers/metadata",
+ "apiVersion": "2022-01-01-preview",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleId1'),'/'))))]",
+ "properties": {
+ "description": "PaloAlto-PAN-OS Analytics Rule 1",
+ "parentId": "[variables('analyticRuleId1')]",
+ "contentId": "[variables('_analyticRulecontentId1')]",
+ "kind": "AnalyticsRule",
+ "version": "[variables('analyticRuleVersion1')]",
+ "source": {
+ "kind": "Solution",
+ "name": "PaloAlto-PAN-OS",
+ "sourceId": "[variables('_solutionId')]"
+ },
+ "author": {
+ "name": "Microsoft",
+ "email": "[variables('_email')]"
+ },
+ "support": {
+ "name": "Microsoft Corporation",
+ "email": "support@microsoft.com",
+ "tier": "Microsoft",
+ "link": "https://support.microsoft.com"
+ }
+ }
+ }
+ ]
+ }
+ }
+ },
+ {
+ "type": "Microsoft.Resources/templateSpecs",
+ "apiVersion": "2021-05-01",
+ "name": "[variables('analyticRuleTemplateSpecName2')]",
+ "location": "[parameters('workspace-location')]",
+ "tags": {
+ "hidden-sentinelWorkspaceId": "[variables('workspaceResourceId')]",
+ "hidden-sentinelContentType": "AnalyticsRule"
+ },
+ "properties": {
+ "description": "PaloAlto-PAN-OS Analytics Rule 2 with template",
+ "displayName": "PaloAlto-PAN-OS Analytics Rule template"
+ }
+ },
+ {
+ "type": "Microsoft.Resources/templateSpecs/versions",
+ "apiVersion": "2021-05-01",
+ "name": "[concat(variables('analyticRuleTemplateSpecName2'),'/',variables('analyticRuleVersion2'))]",
+ "location": "[parameters('workspace-location')]",
+ "tags": {
+ "hidden-sentinelWorkspaceId": "[variables('workspaceResourceId')]",
+ "hidden-sentinelContentType": "AnalyticsRule"
+ },
+ "dependsOn": [
+ "[resourceId('Microsoft.Resources/templateSpecs', variables('analyticRuleTemplateSpecName2'))]"
+ ],
+ "properties": {
+ "description": "FileHashEntity_Covid19_CommonSecurityLog_AnalyticalRules Analytics Rule with template version 2.0.0",
+ "mainTemplate": {
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "[variables('analyticRuleVersion2')]",
+ "parameters": {},
+ "variables": {},
+ "resources": [
+ {
+ "type": "Microsoft.SecurityInsights/AlertRuleTemplates",
+ "name": "[variables('AnalyticRulecontentId2')]",
+ "apiVersion": "2022-04-01-preview",
+ "kind": "Scheduled",
+ "location": "[parameters('workspace-location')]",
+ "properties": {
+ "description": "Identifies a match in CommonSecurityLog Event data from any FileHash published in the Microsoft COVID-19 Threat Intel Feed - as described at https://www.microsoft.com/security/blog/2020/05/14/open-sourcing-covid-threat-intelligence/",
+ "displayName": "Microsoft COVID-19 file hash indicator matches",
+ "enabled": false,
+ "query": "\nlet dt_lookBack = 1h;\nlet covidIndicators = (externaldata(TimeGenerated:datetime, FileHashValue:string, FileHashType: string, TlpLevel: string, Product: string, ThreatType: string, Description: string )\n[@\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Sample%20Data/Feeds/Microsoft.Covid19.Indicators.csv\"] with (format=\"csv\"));\nlet fileHashIndicators = covidIndicators\n| where isnotempty(FileHashValue);\n// Handle matches against both lower case and uppercase versions of the hash:\n(fileHashIndicators | extend FileHashValue = tolower(FileHashValue)\n| union (fileHashIndicators | extend FileHashValue = toupper(FileHashValue)))\n// using innerunique to keep perf fast and result set low, we only need one match to indicate potential malicious activity that needs to be investigated\n| join kind=innerunique (\n CommonSecurityLog | where TimeGenerated >= ago(dt_lookBack) \n | where isnotempty(FileHash)\n | extend CommonSecurityLog_TimeGenerated = TimeGenerated\n )\non $left.FileHashValue == $right.FileHash\n| summarize CommonSecurityLog_TimeGenerated = arg_max(CommonSecurityLog_TimeGenerated, *) by FileHashValue\n| project CommonSecurityLog_TimeGenerated, FileHashValue, FileHashType, Description, ThreatType, \nSourceIP, SourcePort, DestinationIP, DestinationPort, SourceUserID, SourceUserName, DeviceName, DeviceAction, \nRequestURL, DestinationUserName, DestinationUserID, ApplicationProtocol, Activity\n| extend timestamp = CommonSecurityLog_TimeGenerated, IPCustomEntity = SourceIP, HostCustomEntity = DeviceName, AccountCustomEntity = SourceUserName\n",
+ "queryFrequency": "PT1H",
+ "queryPeriod": "P14D",
+ "severity": "Medium",
+ "suppressionDuration": "PT1H",
+ "suppressionEnabled": false,
+ "triggerOperator": "GreaterThan",
+ "triggerThreshold": 0,
+ "status": "Available",
+ "requiredDataConnectors": [
+ {
+ "dataTypes": [
+ "CommonSecurityLog"
+ ],
+ "connectorId": "PaloAltoNetworks"
+ }
+ ],
+ "tactics": [
+ "Impact"
+ ],
+ "entityMappings": [
+ {
+ "fieldMappings": [
+ {
+ "columnName": "AccountCustomEntity",
+ "identifier": "FullName"
+ }
+ ],
+ "entityType": "Account"
+ },
+ {
+ "fieldMappings": [
+ {
+ "columnName": "HostCustomEntity",
+ "identifier": "FullName"
+ }
+ ],
+ "entityType": "Host"
+ },
+ {
+ "fieldMappings": [
+ {
+ "columnName": "IPCustomEntity",
+ "identifier": "Address"
+ }
+ ],
+ "entityType": "IP"
+ },
+ {
+ "fieldMappings": [
+ {
+ "columnName": "FileHashValue",
+ "identifier": "Value"
+ },
+ {
+ "columnName": "FileHashType",
+ "identifier": "Algorithm"
+ }
+ ],
+ "entityType": "FileHash"
+ }
+ ]
+ }
+ },
+ {
+ "type": "Microsoft.OperationalInsights/workspaces/providers/metadata",
+ "apiVersion": "2022-01-01-preview",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleId2'),'/'))))]",
+ "properties": {
+ "description": "PaloAlto-PAN-OS Analytics Rule 2",
+ "parentId": "[variables('analyticRuleId2')]",
+ "contentId": "[variables('_analyticRulecontentId2')]",
+ "kind": "AnalyticsRule",
+ "version": "[variables('analyticRuleVersion2')]",
+ "source": {
+ "kind": "Solution",
+ "name": "PaloAlto-PAN-OS",
+ "sourceId": "[variables('_solutionId')]"
+ },
+ "author": {
+ "name": "Microsoft",
+ "email": "[variables('_email')]"
+ },
+ "support": {
+ "name": "Microsoft Corporation",
+ "email": "support@microsoft.com",
+ "tier": "Microsoft",
+ "link": "https://support.microsoft.com"
+ }
+ }
+ }
+ ]
+ }
+ }
+ },
+ {
+ "type": "Microsoft.Resources/templateSpecs",
+ "apiVersion": "2021-05-01",
+ "name": "[variables('analyticRuleTemplateSpecName3')]",
+ "location": "[parameters('workspace-location')]",
+ "tags": {
+ "hidden-sentinelWorkspaceId": "[variables('workspaceResourceId')]",
+ "hidden-sentinelContentType": "AnalyticsRule"
+ },
+ "properties": {
+ "description": "PaloAlto-PAN-OS Analytics Rule 3 with template",
+ "displayName": "PaloAlto-PAN-OS Analytics Rule template"
+ }
+ },
+ {
+ "type": "Microsoft.Resources/templateSpecs/versions",
+ "apiVersion": "2021-05-01",
+ "name": "[concat(variables('analyticRuleTemplateSpecName3'),'/',variables('analyticRuleVersion3'))]",
+ "location": "[parameters('workspace-location')]",
+ "tags": {
+ "hidden-sentinelWorkspaceId": "[variables('workspaceResourceId')]",
+ "hidden-sentinelContentType": "AnalyticsRule"
+ },
+ "dependsOn": [
+ "[resourceId('Microsoft.Resources/templateSpecs', variables('analyticRuleTemplateSpecName3'))]"
+ ],
+ "properties": {
+ "description": "PaloAlto-NetworkBeaconing_AnalyticalRules Analytics Rule with template version 2.0.0",
+ "mainTemplate": {
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "[variables('analyticRuleVersion3')]",
+ "parameters": {},
+ "variables": {},
+ "resources": [
+ {
+ "type": "Microsoft.SecurityInsights/AlertRuleTemplates",
+ "name": "[variables('AnalyticRulecontentId3')]",
+ "apiVersion": "2022-04-01-preview",
+ "kind": "Scheduled",
+ "location": "[parameters('workspace-location')]",
+ "properties": {
+ "description": "Identifies beaconing patterns from Palo Alto Network traffic logs based on recurrent timedelta patterns. \nThe query leverages various KQL functions to calculate time deltas and then compares it with total events observed in a day to find percentage of beaconing. \nThis outbound beaconing pattern to untrusted public networks should be investigated for any malware callbacks or data exfiltration attempts.\nReference Blog:\nhttp://www.austintaylor.io/detect/beaconing/intrusion/detection/system/command/control/flare/elastic/stack/2017/06/10/detect-beaconing-with-flare-elasticsearch-and-intrusion-detection-systems/\nhttps://techcommunity.microsoft.com/t5/microsoft-sentinel-blog/detect-network-beaconing-via-intra-request-time-delta-patterns/ba-p/779586",
+ "displayName": "Palo Alto - potential beaconing detected",
+ "enabled": false,
+ "query": "\nlet starttime = 2d;\nlet endtime = 1d;\nlet TimeDeltaThreshold = 25;\nlet TotalEventsThreshold = 30;\nlet MostFrequentTimeDeltaThreshold = 25;\nlet PercentBeaconThreshold = 80;\nCommonSecurityLog\n| where DeviceVendor == \"Palo Alto Networks\" and Activity == \"TRAFFIC\"\n| where TimeGenerated between (startofday(ago(starttime))..startofday(ago(endtime)))\n| where ipv4_is_private(DestinationIP)== false\n| project TimeGenerated, DeviceName, SourceUserID, SourceIP, SourcePort, DestinationIP, DestinationPort, ReceivedBytes, SentBytes\n| sort by SourceIP asc,TimeGenerated asc, DestinationIP asc, DestinationPort asc\n| serialize\n| extend nextTimeGenerated = next(TimeGenerated, 1), nextSourceIP = next(SourceIP, 1)\n| extend TimeDeltainSeconds = datetime_diff('second',nextTimeGenerated,TimeGenerated)\n| where SourceIP == nextSourceIP\n//Whitelisting criteria/ threshold criteria\n| where TimeDeltainSeconds > TimeDeltaThreshold \n| summarize count(), sum(ReceivedBytes), sum(SentBytes)\nby TimeDeltainSeconds, bin(TimeGenerated, 1h), DeviceName, SourceUserID, SourceIP, DestinationIP, DestinationPort\n| summarize (MostFrequentTimeDeltaCount, MostFrequentTimeDeltainSeconds) = arg_max(count_, TimeDeltainSeconds), TotalEvents=sum(count_), TotalSentBytes = sum(sum_SentBytes), TotalReceivedBytes = sum(sum_ReceivedBytes) \nby bin(TimeGenerated, 1h), DeviceName, SourceUserID, SourceIP, DestinationIP, DestinationPort\n| where TotalEvents > TotalEventsThreshold and MostFrequentTimeDeltaCount > MostFrequentTimeDeltaThreshold\n| extend BeaconPercent = MostFrequentTimeDeltaCount/toreal(TotalEvents) * 100\n| where BeaconPercent > PercentBeaconThreshold\n| extend timestamp = TimeGenerated, IPCustomEntity = DestinationIP, AccountCustomEntity = SourceUserID, HostCustomEntity = DeviceName \n",
+ "queryFrequency": "P1D",
+ "queryPeriod": "P2D",
+ "severity": "Low",
+ "suppressionDuration": "PT1H",
+ "suppressionEnabled": false,
+ "triggerOperator": "GreaterThan",
+ "triggerThreshold": 0,
+ "status": "Available",
+ "requiredDataConnectors": [
+ {
+ "dataTypes": [
+ "CommonSecurityLog"
+ ],
+ "connectorId": "PaloAltoNetworks"
+ }
+ ],
+ "tactics": [
+ "CommandAndControl"
+ ],
+ "entityMappings": [
+ {
+ "fieldMappings": [
+ {
+ "columnName": "AccountCustomEntity",
+ "identifier": "FullName"
+ }
+ ],
+ "entityType": "Account"
+ },
+ {
+ "fieldMappings": [
+ {
+ "columnName": "HostCustomEntity",
+ "identifier": "FullName"
+ }
+ ],
+ "entityType": "Host"
+ },
+ {
+ "fieldMappings": [
+ {
+ "columnName": "IPCustomEntity",
+ "identifier": "Address"
+ }
+ ],
+ "entityType": "IP"
+ }
+ ]
+ }
+ },
+ {
+ "type": "Microsoft.OperationalInsights/workspaces/providers/metadata",
+ "apiVersion": "2022-01-01-preview",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleId3'),'/'))))]",
+ "properties": {
+ "description": "PaloAlto-PAN-OS Analytics Rule 3",
+ "parentId": "[variables('analyticRuleId3')]",
+ "contentId": "[variables('_analyticRulecontentId3')]",
+ "kind": "AnalyticsRule",
+ "version": "[variables('analyticRuleVersion3')]",
+ "source": {
+ "kind": "Solution",
+ "name": "PaloAlto-PAN-OS",
+ "sourceId": "[variables('_solutionId')]"
+ },
+ "author": {
+ "name": "Microsoft",
+ "email": "[variables('_email')]"
+ },
+ "support": {
+ "name": "Microsoft Corporation",
+ "email": "support@microsoft.com",
+ "tier": "Microsoft",
+ "link": "https://support.microsoft.com"
+ }
+ }
+ }
+ ]
+ }
+ }
+ },
+ {
+ "type": "Microsoft.Resources/templateSpecs",
+ "apiVersion": "2021-05-01",
+ "name": "[variables('analyticRuleTemplateSpecName4')]",
+ "location": "[parameters('workspace-location')]",
+ "tags": {
+ "hidden-sentinelWorkspaceId": "[variables('workspaceResourceId')]",
+ "hidden-sentinelContentType": "AnalyticsRule"
+ },
+ "properties": {
+ "description": "PaloAlto-PAN-OS Analytics Rule 4 with template",
+ "displayName": "PaloAlto-PAN-OS Analytics Rule template"
+ }
+ },
+ {
+ "type": "Microsoft.Resources/templateSpecs/versions",
+ "apiVersion": "2021-05-01",
+ "name": "[concat(variables('analyticRuleTemplateSpecName4'),'/',variables('analyticRuleVersion4'))]",
+ "location": "[parameters('workspace-location')]",
+ "tags": {
+ "hidden-sentinelWorkspaceId": "[variables('workspaceResourceId')]",
+ "hidden-sentinelContentType": "AnalyticsRule"
+ },
+ "dependsOn": [
+ "[resourceId('Microsoft.Resources/templateSpecs', variables('analyticRuleTemplateSpecName4'))]"
+ ],
+ "properties": {
+ "description": "PaloAlto-PortScanning_AnalyticalRules Analytics Rule with template version 2.0.0",
+ "mainTemplate": {
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "[variables('analyticRuleVersion4')]",
+ "parameters": {},
+ "variables": {},
+ "resources": [
+ {
+ "type": "Microsoft.SecurityInsights/AlertRuleTemplates",
+ "name": "[variables('AnalyticRulecontentId4')]",
+ "apiVersion": "2022-04-01-preview",
+ "kind": "Scheduled",
+ "location": "[parameters('workspace-location')]",
+ "properties": {
+ "description": "Identifies a list of internal Source IPs (10.x.x.x Hosts) that have triggered 10 or more non-graceful tcp server resets from one or more Destination IPs which \nresults in an \"ApplicationProtocol = incomplete\" designation. The server resets coupled with an \"Incomplete\" ApplicationProtocol designation can be an indication \nof internal to external port scanning or probing attack. \nReferences: https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClUvCAK and\nhttps://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClTaCAK",
+ "displayName": "Palo Alto - possible internal to external port scanning",
+ "enabled": false,
+ "query": "\nCommonSecurityLog\n| where isnotempty(DestinationPort) and DeviceAction !in (\"reset-both\", \"deny\") \n// filter out common usage ports. Add ports that are legitimate for your environment\n| where DestinationPort !in (\"443\", \"53\", \"389\", \"80\", \"0\", \"880\", \"8888\", \"8080\")\n| where ApplicationProtocol == \"incomplete\" \n// filter out IANA ephemeral or negotiated ports as per https://en.wikipedia.org/wiki/Ephemeral_port\n| where DestinationPort !between (toint(49512) .. toint(65535)) \n| where Computer != \"\" \n| where DestinationIP !startswith \"10.\"\n| extend Reason = coalesce(\n column_ifexists(\"Reason\", \"\"), \n extract(\"reason=(.+?)(;|$)\", 1, AdditionalExtensions),\n \"\"\n )\n// Filter out any graceful reset reasons of AGED OUT which occurs when a TCP session closes with a FIN due to aging out. \n| where Reason !has \"aged-out\" \n// Filter out any TCP FIN which occurs when a TCP FIN is used to gracefully close half or both sides of a connection.\n| where Reason !has \"tcp-fin\" \n// Uncomment one of the following where clauses to trigger on specific TCP reset reasons\n// See Palo Alto article for details - https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClUvCAK\n// TCP RST-server - Occurs when the server sends a TCP reset to the client\n// | where AdditionalExtensions has \"reason=tcp-rst-from-server\" \n// TCP RST-client - Occurs when the client sends a TCP reset to the server\n// | where AdditionalExtensions has \"reason=tcp-rst-from-client\" \n// Already performed\n//| extend reason = tostring(split(AdditionalExtensions, \";\")[3])\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated), count() by DeviceName, SourceUserID, SourceIP, ApplicationProtocol, Reason, DestinationPort, Protocol, DeviceVendor, DeviceProduct, DeviceAction, DestinationIP\n| where count_ >= 10\n| summarize StartTimeUtc = min(StartTimeUtc), EndTimeUtc = max(EndTimeUtc), makeset(DestinationIP), 
totalcount = sum(count_) by DeviceName, SourceUserID, SourceIP, ApplicationProtocol, Reason, DestinationPort, Protocol, DeviceVendor, DeviceProduct, DeviceAction\n| extend timestamp = StartTimeUtc, IPCustomEntity = SourceIP, AccountCustomEntity = SourceUserID, HostCustomEntity = DeviceName \n",
+ "queryFrequency": "PT1H",
+ "queryPeriod": "PT1H",
+ "severity": "Low",
+ "suppressionDuration": "PT1H",
+ "suppressionEnabled": false,
+ "triggerOperator": "GreaterThan",
+ "triggerThreshold": 0,
+ "status": "Available",
+ "requiredDataConnectors": [
+ {
+ "dataTypes": [
+ "CommonSecurityLog"
+ ],
+ "connectorId": "PaloAltoNetworks"
+ }
+ ],
+ "tactics": [
+ "Discovery"
+ ],
+ "entityMappings": [
+ {
+ "fieldMappings": [
+ {
+ "columnName": "AccountCustomEntity",
+ "identifier": "FullName"
+ }
+ ],
+ "entityType": "Account"
+ },
+ {
+ "fieldMappings": [
+ {
+ "columnName": "HostCustomEntity",
+ "identifier": "FullName"
+ }
+ ],
+ "entityType": "Host"
+ },
+ {
+ "fieldMappings": [
+ {
+ "columnName": "IPCustomEntity",
+ "identifier": "Address"
+ }
+ ],
+ "entityType": "IP"
+ }
+ ]
+ }
+ },
+ {
+ "type": "Microsoft.OperationalInsights/workspaces/providers/metadata",
+ "apiVersion": "2022-01-01-preview",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleId4'),'/'))))]",
+ "properties": {
+ "description": "PaloAlto-PAN-OS Analytics Rule 4",
+ "parentId": "[variables('analyticRuleId4')]",
+ "contentId": "[variables('_analyticRulecontentId4')]",
+ "kind": "AnalyticsRule",
+ "version": "[variables('analyticRuleVersion4')]",
+ "source": {
+ "kind": "Solution",
+ "name": "PaloAlto-PAN-OS",
+ "sourceId": "[variables('_solutionId')]"
+ },
+ "author": {
+ "name": "Microsoft",
+ "email": "[variables('_email')]"
+ },
+ "support": {
+ "name": "Microsoft Corporation",
+ "email": "support@microsoft.com",
+ "tier": "Microsoft",
+ "link": "https://support.microsoft.com"
+ }
+ }
+ }
+ ]
+ }
+ }
+ },
{
"type": "Microsoft.Resources/templateSpecs",
"apiVersion": "2021-05-01",
@@ -2409,7 +3613,7 @@
],
"metadata": {
"comments": "This PaloAlto custom connector uses PAN-OS API to perform different actions on the PAN-OS VM",
- "lastUpdateTime": "2022-07-29T17:29:38.367Z",
+ "lastUpdateTime": "2022-08-29T14:44:14.274Z",
"releaseNotes": {
"version": "1.0",
"title": "[variables('blanks')]",
@@ -2431,8 +3635,8 @@
"hidden-sentinelContentType": "Playbook"
},
"properties": {
- "description": "PaloAlto-PAN-OS-BlockIP playbook",
- "displayName": "PaloAlto-PAN-OS-BlockIP playbook"
+ "description": "PaloAlto-PAN-OS-GetSystemInfo playbook",
+ "displayName": "PaloAlto-PAN-OS-GetSystemInfo playbook"
}
},
{
@@ -2448,10 +3652,1145 @@
"[resourceId('Microsoft.Resources/templateSpecs', variables('playbookTemplateSpecName2'))]"
],
"properties": {
- "description": "PaloAlto-PAN-OS-BlockIP Playbook with template version 2.0.0",
+ "description": "PaloAlto-PAN-OS-GetSystemInfo Playbook with template version 2.0.0",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('playbookVersion2')]",
+ "parameters": {
+ "PlaybookName": {
+ "defaultValue": "PaloAlto-PAN-OS-GetSystemInfo",
+ "type": "String",
+ "metadata": {
+ "description": "Name of the Logic App/Playbook"
+ }
+ },
+ "CustomConnectorName": {
+ "defaultValue": "PAN-OSXmlApiCustomConnector",
+ "type": "String",
+ "metadata": {
+ "description": "Name of the custom connector which interacts with PAN-OS"
+ }
+ },
+ "LogAnalyticsResourceGroup": {
+ "type": "string",
+ "metadata": {
+ "description": "Name of the cLog Analytics Resource group for logging"
+ }
+ },
+ "LogAnalyticsResourceName": {
+ "type": "string",
+ "metadata": {
+ "description": "Name of the Log Analytics instance for logging"
+ }
+ }
+ },
+ "variables": {
+ "subscriptionId": "[[subscription().subscriptionId]",
+ "AzureMonitorConnectionName": "[[concat('azuremonitor-', parameters('PlaybookName'))]",
+ "AzureSentinelConnectionName": "[[concat('azuresentinel-', parameters('PlaybookName'))]",
+ "PaloAltoConnectorConnectionName": "[[concat('PaloAltoConnector-', parameters('PlaybookName'))]",
+ "connection-1": "[[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', variables('workspace-location-inline'), '/managedApis/azuresentinel')]",
+ "_connection-1": "[[variables('connection-1')]",
+ "connection-2": "[[concat('/subscriptions/', subscription().subscriptionId, '/resourceGroups/', resourceGroup().name, '/providers/Microsoft.Web/customApis/', parameters('CustomConnectorName'))]",
+ "_connection-2": "[[variables('connection-2')]",
+ "connection-3": "[[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', variables('workspace-location-inline'), '/managedApis/azuremonitorlogs')]",
+ "_connection-3": "[[variables('connection-3')]",
+ "workspace-location-inline": "[concat('[resourceGroup().locatio', 'n]')]",
+ "workspace-name": "[parameters('workspace')]",
+ "workspaceResourceId": "[[resourceId('microsoft.OperationalInsights/Workspaces', variables('workspace-name'))]"
+ },
+ "resources": [
+ {
+ "type": "Microsoft.Web/connections",
+ "apiVersion": "2016-06-01",
+ "name": "[[variables('AzureSentinelConnectionName')]",
+ "location": "[[variables('workspace-location-inline')]",
+ "kind": "V1",
+ "properties": {
+ "displayName": "[[parameters('PlaybookName')]",
+ "parameterValueType": "Alternative",
+ "api": {
+ "id": "[[variables('_connection-1')]"
+ }
+ }
+ },
+ {
+ "type": "Microsoft.Web/connections",
+ "apiVersion": "2016-06-01",
+ "name": "[[variables('PaloAltoConnectorConnectionName')]",
+ "location": "[[variables('workspace-location-inline')]",
+ "properties": {
+ "api": {
+ "id": "[[variables('_connection-2')]"
+ }
+ }
+ },
+ {
+ "type": "Microsoft.Web/connections",
+ "apiVersion": "2016-06-01",
+ "name": "[[variables('AzureMonitorConnectionName')]",
+ "location": "[[variables('workspace-location-inline')]",
+ "properties": {
+ "api": {
+ "id": "[[variables('_connection-3')]"
+ }
+ }
+ },
+ {
+ "type": "Microsoft.Logic/workflows",
+ "apiVersion": "2017-07-01",
+ "name": "[[parameters('PlaybookName')]",
+ "location": "[[variables('workspace-location-inline')]",
+ "identity": {
+ "type": "SystemAssigned"
+ },
+ "properties": {
+ "state": "Enabled",
+ "definition": {
+ "$schema": "https://schema.management.azure.com/providers/Microsoft.Logic/schemas/2016-06-01/workflowdefinition.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "$connections": {
+ "type": "Object"
+ }
+ },
+ "triggers": {
+ "Microsoft_Sentinel_incident": {
+ "type": "ApiConnectionWebhook",
+ "inputs": {
+ "body": {
+ "callback_url": "@{listCallbackUrl()}"
+ },
+ "host": {
+ "connection": {
+ "name": "@parameters('$connections')['azuresentinel']['connectionId']"
+ }
+ },
+ "path": "/subscribe"
+ }
+ }
+ },
+ "actions": {
+ "For_each": {
+ "foreach": "@body('Run_query_and_list_results')?['value']",
+ "actions": {
+ "If_incident_is_a_Palo_Alto_incident": {
+ "actions": {
+ "Add_comment_to_incident_(V3)": {
+ "runAfter": {
+ "Query_Palo_Alto_XML_API": [
+ "Succeeded"
+ ]
+ },
+ "type": "ApiConnection",
+ "inputs": {
+ "body": {
+ "incidentArmId": "@triggerBody()?['object']?['id']",
+ "message": "@{body('Query_Palo_Alto_XML_API')}
"
+ },
+ "host": {
+ "connection": {
+ "name": "@parameters('$connections')['azuresentinel']['connectionId']"
+ }
+ },
+ "method": "post",
+ "path": "/Incidents/Comment"
+ }
+ },
+ "Query_Palo_Alto_XML_API": {
+ "type": "ApiConnection",
+ "inputs": {
+ "host": {
+ "connection": {
+ "name": "@parameters('$connections')['paloaltoconnector']['connectionId']"
+ }
+ },
+ "method": "get",
+ "path": "/api/",
+ "queries": {
+ "cmd": "",
+ "device_name": "@{items('For_each')['MonitoringDeviceName']}",
+ "type": "op"
+ }
+ }
+ }
+ },
+ "expression": {
+ "and": [
+ {
+ "contains": [
+ "@items('For_each')['AlertSource']",
+ "@string('PaloAlto')"
+ ]
+ }
+ ]
+ },
+ "type": "If"
+ }
+ },
+ "runAfter": {
+ "Run_query_and_list_results": [
+ "Succeeded"
+ ]
+ },
+ "type": "Foreach"
+ },
+ "Run_query_and_list_results": {
+ "type": "ApiConnection",
+ "inputs": {
+ "body": "@{triggerBody()?['ExtendedProperties']?['Query']}\n| limit 10",
+ "host": {
+ "connection": {
+ "name": "@parameters('$connections')['azuremonitorlogs']['connectionId']"
+ }
+ },
+ "method": "post",
+ "path": "/queryData",
+ "queries": {
+ "resourcegroups": "[[parameters('LogAnalyticsResourceGroup')]",
+ "resourcename": "[[parameters('LogAnalyticsResourceName')]",
+ "resourcetype": "Log Analytics Workspace",
+ "subscriptions": "[[variables('subscriptionId')]",
+ "timerange": "Set in query"
+ }
+ }
+ }
+ }
+ },
+ "parameters": {
+ "$connections": {
+ "value": {
+ "azuremonitorlogs": {
+ "connectionId": "[[resourceId('Microsoft.Web/connections', variables('AzureMonitorConnectionName'))]",
+ "connectionName": "azuremonitorlogs",
+ "id": "[[concat('/subscriptions/', subscription().subscriptionId,'/providers/Microsoft.Web/locations/', variables('workspace-location-inline'), '/managedApis/azuremonitorlogs')]"
+ },
+ "azuresentinel": {
+ "connectionId": "[[resourceId('Microsoft.Web/connections', variables('AzureSentinelConnectionName'))]",
+ "connectionName": "azuresentinel",
+ "id": "[[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', variables('workspace-location-inline'), '/managedApis/azuresentinel')]",
+ "connectionProperties": {
+ "authentication": {
+ "type": "ManagedServiceIdentity"
+ }
+ }
+ },
+ "paloaltoconnector": {
+ "connectionId": "[[resourceId('Microsoft.Web/connections', variables('PaloAltoConnectorConnectionName'))]",
+ "connectionName": "paloaltoconnector",
+ "id": "[[concat('/subscriptions/', subscription().subscriptionId,'/resourceGroups/', resourceGroup().name, '/providers/Microsoft.Web/customApis/', parameters('CustomConnectorName'))]"
+ }
+ }
+ }
+ }
+ },
+ "tags": {
+ "hidden-SentinelWorkspaceId": "[[variables('workspaceResourceId')]"
+ }
+ },
+ {
+ "type": "Microsoft.OperationalInsights/workspaces/providers/metadata",
+ "apiVersion": "2022-01-01-preview",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('Playbook-', last(split(variables('playbookId2'),'/'))))]",
+ "properties": {
+ "parentId": "[variables('playbookId2')]",
+ "contentId": "[variables('_playbookContentId2')]",
+ "kind": "Playbook",
+ "version": "[variables('playbookVersion2')]",
+ "source": {
+ "kind": "Solution",
+ "name": "PaloAlto-PAN-OS",
+ "sourceId": "[variables('_solutionId')]"
+ },
+ "author": {
+ "name": "Microsoft",
+ "email": "[variables('_email')]"
+ },
+ "support": {
+ "name": "Microsoft Corporation",
+ "email": "support@microsoft.com",
+ "tier": "Microsoft",
+ "link": "https://support.microsoft.com"
+ },
+ "dependencies": {
+ "criteria": [
+ {
+ "kind": "LogicAppsCustomConnector",
+ "contentId": "[variables('_PaloAltoCustomConnector')]",
+ "version": "[variables('playbookVersion1')]"
+ }
+ ]
+ }
+ }
+ }
+ ],
+ "metadata": {
+ "title": "Get System Info - Palo Alto PAN-OS XML API",
+ "description": "This playbook allows us to get System Info of a Palo Alto device for a Sentinel alert.",
+ "mainSteps": [
+ "When a new Sentinel incident is created, this playbook gets triggered and performs below actions: \n\n 1. Gets the various parameters from the alert \n\n 2. Gets the System Info for the device in the alert. \n\n 3. Creates a Sentinel Incident and updates it with the system info."
+ ],
+ "prerequisites": [
+ "1. PaloAlto connector needs to be deployed prior to the deployment of this playbook under the same subscription. Relevant instructions can be found in the connector doc page. \n\n 2. Generate an API key.[Refer this link on how to generate the API Key](https://paloaltolactest.trafficmanager.net/restapi-doc/#tag/key-generation) \n\n 3. This playbook only works for Palo Alto incidents."
+ ],
+ "lastUpdateTime": "2022-07-25T00:00:00Z",
+ "entities": [
+ "Ip"
+ ],
+ "tags": [
+ "Remediation",
+ "Response from teams"
+ ],
+ "postDeployment": ["** a. Authorize connections ** Once deployment is complete, you will need to authorize each connection. \n\n 1. Click the Microsoft Sentinel connection resource \n\n 2. Click edit API connection \n\n 3. Click Authorize \n\n 4. Sign in \n\n 5. Click Save \n\n 6. Repeat steps for other connections such as Blob Store connection and PAN-OS API connection (For authorizing the PAN-OS API connection, API Key needs to be provided) \n\n ** b. Configurations in Sentinel ** 1. In Microsoft sentinel analytical rules should be configured to trigger an incident with risky IP \n\n 2. Configure the automation rules to trigger this playbook"],
+ "releaseNotes": [
+ {
+ "version": "1.0.0",
+ "title": "Get System Info - Palo Alto PAN-OS XML API",
+ "notes": [
+ "Initial version"
+ ]
+ }
+ ]
+ }
+ }
+ }
+ },
+ {
+ "type": "Microsoft.Resources/templateSpecs",
+ "apiVersion": "2021-05-01",
+ "name": "[variables('playbookTemplateSpecName3')]",
+ "location": "[parameters('workspace-location')]",
+ "tags": {
+ "hidden-sentinelWorkspaceId": "[variables('workspaceResourceId')]",
+ "hidden-sentinelContentType": "Playbook"
+ },
+ "properties": {
+ "description": "PaloAlto-PAN-OS-GetThreatPcap playbook",
+ "displayName": "PaloAlto-PAN-OS-GetThreatPcap playbook"
+ }
+ },
+ {
+ "type": "Microsoft.Resources/templateSpecs/versions",
+ "apiVersion": "2021-05-01",
+ "name": "[concat(variables('playbookTemplateSpecName3'),'/',variables('playbookVersion3'))]",
+ "location": "[parameters('workspace-location')]",
+ "tags": {
+ "hidden-sentinelWorkspaceId": "[variables('workspaceResourceId')]",
+ "hidden-sentinelContentType": "Playbook"
+ },
+ "dependsOn": [
+ "[resourceId('Microsoft.Resources/templateSpecs', variables('playbookTemplateSpecName3'))]"
+ ],
+ "properties": {
+ "description": "PaloAlto-PAN-OS-GetThreatPcap Playbook with template version 2.0.0",
+ "mainTemplate": {
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "[variables('playbookVersion3')]",
+ "parameters": {
+ "PlaybookName": {
+ "defaultValue": "PaloAlto-PAN-OS-GetThreatPcap",
+ "type": "String",
+ "metadata": {
+ "description": "Name of the Logic App/Playbook"
+ }
+ },
+ "CustomConnectorName": {
+ "defaultValue": "PAN-OSXmlApiCustomConnector",
+ "type": "String",
+ "metadata": {
+ "description": "Name of the custom connector which interacts with PAN-OS"
+ }
+ },
+ "LogAnalyticsResourceGroup": {
+ "type": "string",
+ "metadata": {
+ "description": "Name of the cLog Analytics Resource group for logging"
+ }
+ },
+ "LogAnalyticsResourceName": {
+ "type": "string",
+ "metadata": {
+ "description": "Name of the log analytics instance for logging"
+ }
+ }
+ },
+ "variables": {
+ "AzureBlobConnectionName": "[[concat('azureblob-', parameters('PlaybookName'))]",
+ "AzureStorageName": "panosthreatpcapssa",
+ "subscriptionId": "[[subscription().subscriptionId]",
+ "AzureMonitorConnectionName": "[[concat('azuremonitor-', parameters('PlaybookName'))]",
+ "AzureSentinelConnectionName": "[[concat('azuresentinel-', parameters('PlaybookName'))]",
+ "ContainerName": "panosthreatpcaps",
+ "PaloAltoConnectorConnectionName": "[[concat('PaloAltoConnector-', parameters('PlaybookName'))]",
+ "connection-4": "[[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', variables('workspace-location-inline'), '/managedApis/azureblob')]",
+ "_connection-4": "[[variables('connection-4')]",
+ "connection-5": "[[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', variables('workspace-location-inline'), '/managedApis/azuresentinel')]",
+ "_connection-5": "[[variables('connection-5')]",
+ "connection-6": "[[concat('/subscriptions/', subscription().subscriptionId, '/resourceGroups/', resourceGroup().name, '/providers/Microsoft.Web/customApis/', parameters('CustomConnectorName'))]",
+ "_connection-6": "[[variables('connection-6')]",
+ "connection-7": "[[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', variables('workspace-location-inline'), '/managedApis/azuremonitorlogs')]",
+ "_connection-7": "[[variables('connection-7')]",
+ "workspace-location-inline": "[concat('[resourceGroup().locatio', 'n]')]",
+ "workspace-name": "[parameters('workspace')]",
+ "workspaceResourceId": "[[resourceId('microsoft.OperationalInsights/Workspaces', variables('workspace-name'))]"
+ },
+ "resources": [
+ {
+ "type": "Microsoft.Storage/storageAccounts",
+ "apiVersion": "2021-04-01",
+ "name": "[[variables('AzureStorageName')]",
+ "location": "[[variables('workspace-location-inline')]",
+ "sku": {
+ "name": "Standard_LRS",
+ "tier": "Standard"
+ },
+ "kind": "StorageV2",
+ "properties": {
+ "accessTier": "Hot",
+ "minimumTlsVersion": "TLS1_2",
+ "supportsHttpsTrafficOnly": "true",
+ "allowBlobPublicAccess": "false",
+ "allowSharedKeyAccess": "true",
+ "networkAcls": {
+ "bypass": "AzureServices",
+ "defaultAction": "Allow"
+ }
+ }
+ },
+ {
+ "name": "[[concat(variables('AzureStorageName'), '/default')]",
+ "type": "Microsoft.Storage/storageAccounts/blobServices",
+ "apiVersion": "2021-02-01",
+ "dependsOn": [
+ "[[concat('Microsoft.Storage/storageAccounts/', variables('AzureStorageName'))]"
+ ],
+ "properties": {
+ "deleteRetentionPolicy": {
+ "enabled": "false"
+ }
+ }
+ },
+ {
+ "type": "Microsoft.Storage/storageAccounts/blobServices/containers",
+ "apiVersion": "2019-06-01",
+ "name": "[[concat(variables('AzureStorageName'), '/default/', variables('ContainerName'))]",
+ "dependsOn": [
+ "[[resourceId('Microsoft.Storage/storageAccounts/blobServices', variables('AzureStorageName'), 'default')]",
+ "[[resourceId('Microsoft.Storage/storageAccounts', variables('AzureStorageName'))]"
+ ],
+ "properties": {
+ "publicAccess": "None"
+ }
+ },
+ {
+ "type": "Microsoft.Web/connections",
+ "apiVersion": "2016-06-01",
+ "name": "[[variables('AzureBlobConnectionName')]",
+ "location": "[[variables('workspace-location-inline')]",
+ "dependsOn": [
+ "[[resourceId('Microsoft.Storage/storageAccounts/', variables('AzureStorageName'))]"
+ ],
+ "properties": {
+ "displayName": "[[variables('AzureBlobConnectionName')]",
+ "api": {
+ "id": "[[variables('_connection-4')]"
+ },
+ "parameterValues": {
+ "accountName": "[[variables('AzureStorageName')]",
+ "accessKey": "[[listKeys(resourceId('Microsoft.Storage/storageAccounts', variables('AzureStorageName')), '2021-09-01').keys[0].value]"
+ }
+ }
+ },
+ {
+ "type": "Microsoft.Web/connections",
+ "apiVersion": "2016-06-01",
+ "name": "[[variables('AzureSentinelConnectionName')]",
+ "location": "[[variables('workspace-location-inline')]",
+ "kind": "V1",
+ "properties": {
+ "displayName": "[[parameters('PlaybookName')]",
+ "parameterValueType": "Alternative",
+ "api": {
+ "id": "[[variables('_connection-5')]"
+ }
+ }
+ },
+ {
+ "type": "Microsoft.Web/connections",
+ "apiVersion": "2016-06-01",
+ "name": "[[variables('PaloAltoConnectorConnectionName')]",
+ "location": "[[variables('workspace-location-inline')]",
+ "properties": {
+ "api": {
+ "id": "[[variables('_connection-6')]"
+ }
+ }
+ },
+ {
+ "type": "Microsoft.Web/connections",
+ "apiVersion": "2016-06-01",
+ "name": "[[variables('AzureMonitorConnectionName')]",
+ "location": "[[variables('workspace-location-inline')]",
+ "properties": {
+ "api": {
+ "id": "[[variables('_connection-7')]"
+ }
+ }
+ },
+ {
+ "type": "Microsoft.Logic/workflows",
+ "apiVersion": "2017-07-01",
+ "name": "[[parameters('PlaybookName')]",
+ "location": "[[variables('workspace-location-inline')]",
+ "dependsOn": [
+ "[[resourceId('Microsoft.Web/connections', variables('AzureBlobConnectionName'))]",
+ "[[resourceId('Microsoft.Web/connections', variables('PaloAltoConnectorConnectionName'))]",
+ "[[resourceId('Microsoft.Web/connections', variables('AzureSentinelConnectionName'))]"
+ ],
+ "identity": {
+ "type": "SystemAssigned"
+ },
+ "properties": {
+ "state": "Enabled",
+ "definition": {
+ "$schema": "https://schema.management.azure.com/providers/Microsoft.Logic/schemas/2016-06-01/workflowdefinition.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "$connections": {
+ "type": "Object"
+ }
+ },
+ "triggers": {
+ "incident": {
+ "type": "ApiConnectionWebhook",
+ "inputs": {
+ "body": {
+ "callback_url": "@{listCallbackUrl()}"
+ },
+ "host": {
+ "connection": {
+ "name": "@parameters('$connections')['azuresentinel']['connectionId']"
+ }
+ },
+ "path": "/incident-creation"
+ }
+ }
+ },
+ "actions": {
+ "For_each": {
+ "foreach": "@body('Run_query_and_list_results')?['value']",
+ "actions": {
+ "If_incident_is_a_Palo_Alto_incident": {
+ "actions": {
+ "If_PCAP_ID_Exists": {
+ "actions": {
+ "Add_comment_to_incident_(V3)": {
+ "runAfter": {
+ "Create_blob_(V2)": [
+ "Succeeded"
+ ]
+ },
+ "type": "ApiConnection",
+ "inputs": {
+ "body": {
+ "incidentArmId": "@triggerBody()?['object']?['id']",
+ "message": "@{body('Create_blob_(V2)')?['Path']}
"
+ },
+ "host": {
+ "connection": {
+ "name": "@parameters('$connections')['azuresentinel']['connectionId']"
+ }
+ },
+ "method": "post",
+ "path": "/Incidents/Comment"
+ }
+ },
+ "Create_blob_(V2)": {
+ "runAfter": {
+ "Query_Palo_Alto_XML_API": [
+ "Succeeded"
+ ]
+ },
+ "type": "ApiConnection",
+ "inputs": {
+ "body": "@body('Query_Palo_Alto_XML_API')",
+ "headers": {
+ "ReadFileMetadataFromServer": true
+ },
+ "host": {
+ "connection": {
+ "name": "@parameters('$connections')['azureblob']['connectionId']"
+ }
+ },
+ "method": "post",
+ "path": "/v2/datasets/@{encodeURIComponent(encodeURIComponent('defendpaloaltopcapsdev'))}/files",
+ "queries": {
+ "folderPath": "pcapblobs-palo-alto",
+ "name": "@{concat(string('paloalto',items('For_each')['PcapID']), string(items('For_each')['TimeGenerated']), '.pcap')}",
+ "queryParametersSingleEncoded": true
+ }
+ },
+ "runtimeConfiguration": {
+ "contentTransfer": {
+ "transferMode": "Chunked"
+ }
+ }
+ },
+ "Query_Palo_Alto_XML_API": {
+ "type": "ApiConnection",
+ "inputs": {
+ "host": {
+ "connection": {
+ "name": "@parameters('$connections')['paloaltoconnector']['connectionId']"
+ }
+ },
+ "method": "get",
+ "path": "/api/",
+ "queries": {
+ "category": "threat-pcap",
+ "device_name": "@items('For_each')['MonitoringDeviceName']",
+ "pcap-id": "@items('For_each')['PcapID']",
+ "search-time": "@{items('For_each')['TimeGenerated']}",
+ "sessionId": "@items('For_each')['SessionID']",
+ "type": "export"
+ }
+ }
+ }
+ },
+ "expression": {
+ "and": [
+ {
+ "not": {
+ "equals": [
+ "@items('For_each')['PcapID']",
+ "@null"
+ ]
+ }
+ },
+ {
+ "not": {
+ "equals": [
+ "@items('For_each')['PcapID']",
+ 0
+ ]
+ }
+ }
+ ]
+ },
+ "type": "If"
+ }
+ },
+ "expression": {
+ "and": [
+ {
+ "contains": [
+ "@items('For_each')['AlertSource']",
+ "@string('PaloAlto')"
+ ]
+ }
+ ]
+ },
+ "type": "If"
+ }
+ },
+ "runAfter": {
+ "Run_query_and_list_results": [
+ "Succeeded"
+ ]
+ },
+ "type": "Foreach"
+ },
+ "Run_query_and_list_results": {
+ "type": "ApiConnection",
+ "inputs": {
+ "body": "@{triggerBody()?['ExtendedProperties']?['Query']}\n| limit 10",
+ "host": {
+ "connection": {
+ "name": "@parameters('$connections')['azuremonitorlogs']['connectionId']"
+ }
+ },
+ "method": "post",
+ "path": "/queryData",
+ "queries": {
+ "resourcegroups": "[[parameters('LogAnalyticsResourceGroup')]",
+ "resourcename": "[[parameters('LogAnalyticsResourceName')]",
+ "resourcetype": "Log Analytics Workspace",
+ "subscriptions": "[[variables('subscriptionId')]",
+ "timerange": "Set in query"
+ }
+ }
+ }
+ }
+ },
+ "parameters": {
+ "$connections": {
+ "value": {
+ "azureblob": {
+ "connectionId": "[[resourceId('Microsoft.Web/connections', variables('AzureBlobConnectionName'))]",
+ "connectionName": "[[variables('AzureBlobConnectionName')]",
+ "id": "[[concat('/subscriptions/', subscription().subscriptionId,'/providers/Microsoft.Web/locations/', variables('workspace-location-inline'), '/managedApis/azureblob')]"
+ },
+ "azuremonitorlogs": {
+ "connectionId": "[[resourceId('Microsoft.Web/connections', variables('AzureMonitorConnectionName'))]",
+ "connectionName": "[[variables('AzureMonitorConnectionName')]",
+ "id": "[[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', variables('workspace-location-inline'), '/managedApis/azuremonitorlogs')]"
+ },
+ "azuresentinel": {
+ "connectionId": "[[resourceId('Microsoft.Web/connections', variables('AzureSentinelConnectionName'))]",
+ "connectionName": "[[variables('AzureSentinelConnectionName')]",
+ "id": "[[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', variables('workspace-location-inline'), '/managedApis/azuresentinel')]",
+ "connectionProperties": {
+ "authentication": {
+ "type": "ManagedServiceIdentity"
+ }
+ }
+ },
+ "paloaltoconnector": {
+ "connectionId": "[[resourceId('Microsoft.Web/connections', variables('PaloAltoConnectorConnectionName'))]",
+ "connectionName": "[[variables('PaloAltoConnectorConnectionName')]",
+ "id": "[[concat('/subscriptions/', subscription().subscriptionId,'/resourceGroups/', resourceGroup().name, '/providers/Microsoft.Web/customApis/', parameters('CustomConnectorName'))]"
+ }
+ }
+ }
+ }
+ },
+ "tags": {
+ "hidden-SentinelWorkspaceId": "[[variables('workspaceResourceId')]"
+ }
+ },
+ {
+ "type": "Microsoft.OperationalInsights/workspaces/providers/metadata",
+ "apiVersion": "2022-01-01-preview",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('Playbook-', last(split(variables('playbookId3'),'/'))))]",
+ "properties": {
+ "parentId": "[variables('playbookId3')]",
+ "contentId": "[variables('_playbookContentId3')]",
+ "kind": "Playbook",
+ "version": "[variables('playbookVersion3')]",
+ "source": {
+ "kind": "Solution",
+ "name": "PaloAlto-PAN-OS",
+ "sourceId": "[variables('_solutionId')]"
+ },
+ "author": {
+ "name": "Microsoft",
+ "email": "[variables('_email')]"
+ },
+ "support": {
+ "name": "Microsoft Corporation",
+ "email": "support@microsoft.com",
+ "tier": "Microsoft",
+ "link": "https://support.microsoft.com"
+ },
+ "dependencies": {
+ "criteria": [
+ {
+ "kind": "LogicAppsCustomConnector",
+ "contentId": "[variables('_PaloAltoCustomConnector')]",
+ "version": "[variables('playbookVersion1')]"
+ }
+ ]
+ }
+ }
+ }
+ ],
+ "metadata": {
+ "title": "Get Threat PCAP - Palo Alto PAN-OS XML API",
+ "description": "This playbook allows us to get a threat PCAP for a given PCAP ID.",
+ "mainSteps": [
+ "When a new Sentinel incident is created, this playbook gets triggered and performs below actions: \n\n 1. Gets the various parameters from the alert \n\n 2. Gets the PCAP from the device. \n\n 3. Puts the PCAP in Blob Storage \n\n 4. Creates a Sentinel Incident and updates it with a link to the blob."
+ ],
+ "prerequisites": [
+ "1. PaloAlto connector needs to be deployed prior to the deployment of this playbook under the same subscription. Relevant instructions can be found in the connector doc page. \n\n 2. Generate an API key.[Refer this link on how to generate the API Key](https://paloaltolactest.trafficmanager.net/restapi-doc/#tag/key-generation) \n\n 3. This playbook only works for Palo Alto incidents with a threat PCAP where the PCAP ID is not null or zero."
+ ],
+ "lastUpdateTime": "2022-07-25T00:00:00Z",
+ "entities": [
+ "Ip"
+ ],
+ "tags": [
+ "Remediation",
+ "Response from teams"
+ ],
+ "postDeployment": ["** a. Authorize connections ** Once deployment is complete, you will need to authorize each connection. \n\n 1. Click the Microsoft Sentinel connection resource \n\n 2. Click edit API connection \n\n 3. Click Authorize \n\n 4. Sign in \n\n 5. Click Save \n\n 6. Repeat steps for other connections such as Blob Store connection and PAN-OS API connection (For authorizing the PAN-OS API connection, API Key needs to be provided) \n\n ** b. Configurations in Sentinel ** 1. In Microsoft sentinel analytical rules should be configured to trigger an incident with risky IP \n\n 2. Configure the automation rules to trigger this playbook"],
+ "releaseNotes": [
+ {
+ "version": "1.0.0",
+ "title": "Get Threat PCAP - Palo Alto PAN-OS XML API",
+ "notes": [
+ "Initial version"
+ ]
+ }
+ ]
+ }
+ }
+ }
+ },
+ {
+ "type": "Microsoft.Resources/templateSpecs",
+ "apiVersion": "2021-05-01",
+ "name": "[variables('playbookTemplateSpecName4')]",
+ "location": "[parameters('workspace-location')]",
+ "tags": {
+ "hidden-sentinelWorkspaceId": "[variables('workspaceResourceId')]",
+ "hidden-sentinelContentType": "Playbook"
+ },
+ "properties": {
+ "description": "PaloAlto-PAN-OS-GetURLCategoryInfo playbook",
+ "displayName": "PaloAlto-PAN-OS-GetURLCategoryInfo playbook"
+ }
+ },
+ {
+ "type": "Microsoft.Resources/templateSpecs/versions",
+ "apiVersion": "2021-05-01",
+ "name": "[concat(variables('playbookTemplateSpecName4'),'/',variables('playbookVersion4'))]",
+ "location": "[parameters('workspace-location')]",
+ "tags": {
+ "hidden-sentinelWorkspaceId": "[variables('workspaceResourceId')]",
+ "hidden-sentinelContentType": "Playbook"
+ },
+ "dependsOn": [
+ "[resourceId('Microsoft.Resources/templateSpecs', variables('playbookTemplateSpecName4'))]"
+ ],
+ "properties": {
+ "description": "PaloAlto-PAN-OS-GetURLCategoryInfo Playbook with template version 2.0.0",
+ "mainTemplate": {
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "[variables('playbookVersion4')]",
+ "parameters": {
+ "PlaybookName": {
+ "defaultValue": "PaloAlto-PAN-OS-GetURLCategoryInfo",
+ "type": "String",
+ "metadata": {
+ "description": "Name of the Logic App/Playbook"
+ }
+ },
+ "CustomConnectorName": {
+ "defaultValue": "PAN-OSRestApiCustomConnector",
+ "type": "string"
+ }
+ },
+ "variables": {
+ "AzureSentinelConnectionName": "[[concat('azuresentinel-', parameters('PlaybookName'))]",
+ "PaloAltoConnectorConnectionName": "[[concat('PaloAltoConnector-', parameters('PlaybookName'))]",
+ "connection-1": "[[concat('/subscriptions/', subscription().subscriptionId, '/resourceGroups/', resourceGroup().name, '/providers/Microsoft.Web/customApis/', parameters('CustomConnectorName'))]",
+ "_connection-1": "[[variables('connection-1')]",
+ "connection-2": "[[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', variables('workspace-location-inline'), '/managedApis/azuresentinel')]",
+ "_connection-2": "[[variables('connection-2')]",
+ "workspace-location-inline": "[concat('[resourceGroup().locatio', 'n]')]",
+ "workspace-name": "[parameters('workspace')]",
+ "workspaceResourceId": "[[resourceId('microsoft.OperationalInsights/Workspaces', variables('workspace-name'))]"
+ },
+ "resources": [
+ {
+ "type": "Microsoft.Web/connections",
+ "apiVersion": "2016-06-01",
+ "name": "[[variables('PaloAltoConnectorConnectionName')]",
+ "location": "[[variables('workspace-location-inline')]",
+ "properties": {
+ "api": {
+ "id": "[[variables('_connection-1')]"
+ }
+ }
+ },
+ {
+ "type": "Microsoft.Web/connections",
+ "apiVersion": "2016-06-01",
+ "name": "[[variables('AzureSentinelConnectionName')]",
+ "location": "[[variables('workspace-location-inline')]",
+ "properties": {
+ "api": {
+ "id": "[[variables('_connection-2')]"
+ }
+ }
+ },
+ {
+ "type": "Microsoft.Logic/workflows",
+ "apiVersion": "2017-07-01",
+ "name": "[[parameters('PlaybookName')]",
+ "location": "[[variables('workspace-location-inline')]",
+ "dependsOn": [
+ "[[resourceId('Microsoft.Web/connections', variables('PaloAltoConnectorConnectionName'))]",
+ "[[resourceId('Microsoft.Web/connections', variables('AzureSentinelConnectionName'))]"
+ ],
+ "properties": {
+ "state": "Enabled",
+ "definition": {
+ "$schema": "https://schema.management.azure.com/providers/Microsoft.Logic/schemas/2016-06-01/workflowdefinition.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "$connections": {
+ "type": "Object"
+ }
+ },
+ "triggers": {
+ "When_Azure_Sentinel_incident_creation_rule_was_triggered_(Private_Preview_only)": {
+ "type": "ApiConnectionWebhook",
+ "inputs": {
+ "body": {
+ "callback_url": "@{listCallbackUrl()}"
+ },
+ "host": {
+ "connection": {
+ "name": "@parameters('$connections')['azuresentinel']['connectionId']"
+ }
+ },
+ "path": "/incident-creation"
+ }
+ }
+ },
+ "actions": {
+ "Entities_-_Get_URLs": {
+ "type": "ApiConnection",
+ "inputs": {
+ "body": "@triggerBody()?['object']?['properties']?['relatedEntities']",
+ "host": {
+ "connection": {
+ "name": "@parameters('$connections')['azuresentinel']['connectionId']"
+ }
+ },
+ "method": "post",
+ "path": "/entities/url"
+ }
+ },
+ "For_each_malicious_URL": {
+ "foreach": "@triggerBody()?['object']?['properties']?['relatedEntities']",
+ "actions": {
+ "Add_comment_to_incident_(V3)": {
+ "runAfter": {
+ "Create_HTML_table_for_URL_category_information": [
+ "Succeeded"
+ ]
+ },
+ "type": "ApiConnection",
+ "inputs": {
+ "body": {
+ "incidentArmId": "@triggerBody()?['object']?['id']",
+ "message": "PAN-OS Playbook has collected the following information :
\n
\nGot List of address objects and also got URL filtering category Information:
\n
\nDetails of address objects:
\n
\nname : @{outputs('Compose_body_of_address_object')?['@name']}
\nlocation : @{outputs('Compose_body_of_address_object')?['@location']}
\nvsys : @{outputs('Compose_body_of_address_object')?['@vsys']}
\ndescription : @{outputs('Compose_body_of_address_object')?['description']}
\nfqdn : @{outputs('Compose_body_of_address_object')?['fqdn']}
\n
\nDetails of URL filtering category information:
\n
\n@{body('Create_HTML_table_for_URL_category_information')}
\n
"
+ },
+ "host": {
+ "connection": {
+ "name": "@parameters('$connections')['azuresentinel']['connectionId']"
+ }
+ },
+ "method": "post",
+ "path": "/Incidents/Comment"
+ }
+ },
+ "Compose_body_of_address_object": {
+ "runAfter": {
+ "Filter_URL_from_list_of_address_objects": [
+ "Succeeded"
+ ]
+ },
+ "type": "Compose",
+ "inputs": "@body('Filter_URL_from_list_of_address_objects')?[0]",
+ "description": "This composes the body of address object where URL is a member"
+ },
+ "Create_HTML_table_for_URL_category_information": {
+ "runAfter": {
+ "Compose_body_of_address_object": [
+ "Succeeded"
+ ]
+ },
+ "type": "Table",
+ "inputs": {
+ "columns": [
+ {
+ "header": "name",
+ "value": "@item()?['@name']"
+ },
+ {
+ "header": "location",
+ "value": "@item()?['@location']"
+ },
+ {
+ "header": "vsys",
+ "value": "@item()?['@vsys']"
+ },
+ {
+ "header": "description",
+ "value": "@item()?['description']"
+ }
+ ],
+ "format": "HTML",
+ "from": "@body('List_custom_url_categories')?['result']?['entry']"
+ },
+ "description": "This creates HTML table for the URL filtering category information"
+ },
+ "Filter_URL_from_list_of_address_objects": {
+ "type": "Query",
+ "inputs": {
+ "from": "@body('List_address_objects')?['result']?['entry']",
+ "where": "@contains(item()?['fqdn'], items('For_each_malicious_URL')?['Url'])"
+ },
+ "description": "This filters the URL from the list of address objects"
+ }
+ },
+ "runAfter": {
+ "List_custom_url_categories": [
+ "Succeeded"
+ ]
+ },
+ "type": "Foreach"
+ },
+ "List_address_objects": {
+ "runAfter": {
+ "Entities_-_Get_URLs": [
+ "Succeeded"
+ ]
+ },
+ "type": "ApiConnection",
+ "inputs": {
+ "host": {
+ "connection": {
+ "name": "@parameters('$connections')['PaloAltoConnector']['connectionId']"
+ }
+ },
+ "method": "get",
+ "path": "/restapi/v10.0/Objects/Addresses",
+ "queries": {
+ "location": "vsys",
+ "vsys": "vsys1"
+ }
+ },
+ "description": "This Lists all the address objects present in the PAN-OS"
+ },
+ "List_custom_url_categories": {
+ "runAfter": {
+ "List_address_objects": [
+ "Succeeded"
+ ]
+ },
+ "type": "ApiConnection",
+ "inputs": {
+ "host": {
+ "connection": {
+ "name": "@parameters('$connections')['PaloAltoConnector']['connectionId']"
+ }
+ },
+ "method": "get",
+ "path": "/restapi/v10.0/Objects/CustomURLCategories",
+ "queries": {
+ "location": "vsys",
+ "vsys": "vsys1"
+ }
+ }
+ }
+ }
+ },
+ "parameters": {
+ "$connections": {
+ "value": {
+ "PaloAltoConnector": {
+ "connectionId": "[[resourceId('Microsoft.Web/connections', variables('PaloAltoConnectorConnectionName'))]",
+ "connectionName": "[[variables('PaloAltoConnectorConnectionName')]",
+ "id": "[[concat('/subscriptions/', subscription().subscriptionId, '/resourceGroups/', resourceGroup().name, parameters('CustomConnectorName'))]"
+ },
+ "azuresentinel": {
+ "connectionId": "[[resourceId('Microsoft.Web/connections', variables('AzureSentinelConnectionName'))]",
+ "connectionName": "[[variables('AzureSentinelConnectionName')]",
+ "id": "[[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', variables('workspace-location-inline'), '/managedApis/azuresentinel')]"
+ }
+ }
+ }
+ }
+ },
+ "tags": {
+ "hidden-SentinelWorkspaceId": "[[variables('workspaceResourceId')]"
+ }
+ },
+ {
+ "type": "Microsoft.OperationalInsights/workspaces/providers/metadata",
+ "apiVersion": "2022-01-01-preview",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('Playbook-', last(split(variables('playbookId4'),'/'))))]",
+ "properties": {
+ "parentId": "[variables('playbookId4')]",
+ "contentId": "[variables('_playbookContentId4')]",
+ "kind": "Playbook",
+ "version": "[variables('playbookVersion4')]",
+ "source": {
+ "kind": "Solution",
+ "name": "PaloAlto-PAN-OS",
+ "sourceId": "[variables('_solutionId')]"
+ },
+ "author": {
+ "name": "Microsoft",
+ "email": "[variables('_email')]"
+ },
+ "support": {
+ "name": "Microsoft Corporation",
+ "email": "support@microsoft.com",
+ "tier": "Microsoft",
+ "link": "https://support.microsoft.com"
+ },
+ "dependencies": {
+ "criteria": [
+ {
+ "kind": "LogicAppsCustomConnector",
+ "contentId": "[variables('_PaloAltoCustomConnector')]",
+ "version": "[variables('playbookVersion1')]"
+ }
+ ]
+ }
+ }
+ }
+ ],
+ "metadata": {
+ "comments": "This playbook uses the PaloAlto connector to automatically enrich incidents generated by Sentinel for address object details and URL filtering category information from PAN-OS",
+ "title": "PaloAlto-PAN-OS-GetURLCategoryInfo",
+ "description": " When a new sentinal incident is created, this playbook gets triggered and performs below actions:",
+ "mainSteps": [
+ "1. Fetches the address group details and URL filtering category information from PAN-OS \n\n 2. Updates all the collected information in incident \n\n ![PaloAlto-PAN-OS-GetURLCategoryInfo](https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/PaloAlto-PAN-OS/Playbooks/PaloAlto-PAN-OS-GetURLCategoryInfo/designerscreenshot.PNG?raw=true)"
+ ],
+ "prerequisites": [
+ "1. PAN-OS Custom Connector needs to be deployed prior to the deployment of this playbook under the same subscription. \n\n 2. Generate an API key. [Refer this link on how to generate the API Key](https://paloaltolactest.trafficmanager.net/restapi-doc/#tag/key-generation)"
+ ],
+ "lastUpdateTime": "2022-07-25T00:00:00Z",
+ "postDeployment": ["** a. Authorize connections ** Once deployment is complete, you will need to authorize each connection. \n\n 1. Click the Microsoft Sentinel connection resource \n\n 2. Click edit API connection \n\n 3. Click Authorize \n\n 4. Sign in \n\n 5. Click Save \n\n 6. Repeat steps for PAN-OS API Connection (For authorizing the PAN-OS API connection, API Key needs to be provided) \n\n ** b. Configurations in Sentinel ** 1. In Microsoft sentinel analytical rules should be configured to trigger an incident with risky user account \n\n 2. Configure the automation rules to trigger this playbook"],
+ "releaseNotes": [
+ {
+ "version": "1.0.0",
+ "title": "PaloAlto-PAN-OS-GetURLCategoryInfo",
+ "notes": [
+ "Initial version"
+ ]
+ }
+ ]
+ }
+ }
+ }
+ },
+ {
+ "type": "Microsoft.Resources/templateSpecs",
+ "apiVersion": "2021-05-01",
+ "name": "[variables('playbookTemplateSpecName5')]",
+ "location": "[parameters('workspace-location')]",
+ "tags": {
+ "hidden-sentinelWorkspaceId": "[variables('workspaceResourceId')]",
+ "hidden-sentinelContentType": "Playbook"
+ },
+ "properties": {
+ "description": "PaloAlto-PAN-OS-BlockIP playbook",
+ "displayName": "PaloAlto-PAN-OS-BlockIP playbook"
+ }
+ },
+ {
+ "type": "Microsoft.Resources/templateSpecs/versions",
+ "apiVersion": "2021-05-01",
+ "name": "[concat(variables('playbookTemplateSpecName5'),'/',variables('playbookVersion5'))]",
+ "location": "[parameters('workspace-location')]",
+ "tags": {
+ "hidden-sentinelWorkspaceId": "[variables('workspaceResourceId')]",
+ "hidden-sentinelContentType": "Playbook"
+ },
+ "dependsOn": [
+ "[resourceId('Microsoft.Resources/templateSpecs', variables('playbookTemplateSpecName5'))]"
+ ],
+ "properties": {
+ "description": "PaloAlto-PAN-OS-BlockIP Playbook with template version 2.0.0",
+ "mainTemplate": {
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "[variables('playbookVersion5')]",
"parameters": {
"PlaybookName": {
"defaultValue": "PaloAlto-PAN-OS-BlockIP",
@@ -2480,13 +4819,17 @@
"metadata": {
"description": "Address Group"
}
+ },
+ "CustomConnectorName": {
+ "defaultValue": "PAN-OSRestApiCustomConnector",
+ "type": "string"
}
},
"variables": {
"AzureSentinelConnectionName": "[[concat('azuresentinel-', parameters('PlaybookName'))]",
"TeamsConnectionName": "[[concat('teamsconnector-', parameters('PlaybookName'))]",
"PaloAltoConnectorConnectionName": "[[concat('PaloAltoConnector-', parameters('PlaybookName'))]",
- "connection-1": "[[concat('/subscriptions/', subscription().subscriptionId, '/resourceGroups/', resourceGroup().name, '/providers/Microsoft.Web/customApis/PaloAltoConnector')]",
+ "connection-1": "[[concat('/subscriptions/', subscription().subscriptionId, '/resourceGroups/', resourceGroup().name, '/providers/Microsoft.Web/customApis/', parameters('CustomConnectorName'))]",
"_connection-1": "[[variables('connection-1')]",
"connection-2": "[[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', variables('workspace-location-inline'), '/managedApis/azuresentinel')]",
"_connection-2": "[[variables('connection-2')]",
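Review bot: The new `CustomConnectorName` parameter has no `metadata.description`, unlike every neighbouring parameter, and its default `PAN-OSRestApiCustomConnector` must equal the name of the `Microsoft.Web/customApis` resource already present in the resource group for `connection-1` to resolve, which nothing tells the deployer. Suggest adding `"metadata": { "description": "Name of the PAN-OS custom connector (Microsoft.Web/customApis) already deployed in this resource group; the playbook's API connection is created against that resource" }` after the `type` line. The `"type": "string"` casing also differs from the `"String"` used by the other parameters; harmless to ARM, but worth aligning. The same parameter block recurs in the BlockURL template later in this diff.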
@@ -3068,7 +5411,8 @@
},
"type": "AppendToArrayVariable",
"inputs": {
- "name": "AdaptiveCardBody"
+ "name": "AdaptiveCardBody",
+ "value": {}
},
"description": "append security policies which the IP address is exist"
}
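Review bot: Appending `"value": {}` to `AdaptiveCardBody` inserts an element with no `type` into the Adaptive Card body array, which the Adaptive Card schema requires, while the action's description (`append security policies which the IP address is exist`) says it should carry the policy list, so the action now appends something the card cannot use. If the empty value was added only because `AppendToArrayVariable` requires a `value` input, the cleaner fix is to drop this action from its branch or append a real `TextBlock`, rather than send an empty element to Teams. The enclosing condition starts and ends outside the hunk, so which branch this sits in cannot be confirmed here. The same pattern appears in the new BlockURL template at `Append_security_policies_to_adaptive_card_body_variable`.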
@@ -3199,7 +5543,7 @@
"value": [
{
"size": "Large",
- "text": "Suspicious IP - Azure Sentinel",
+ "text": "Suspicious IP - Microsoft Sentinel",
"type": "TextBlock",
"weight": "Bolder",
"wrap": true
@@ -3401,7 +5745,7 @@
"inputs": {
"body": {
"body": {
- "messageBody": "{\n \"type\": \"AdaptiveCard\",\n \"body\": [\n {\n \"type\": \"TextBlock\",\n \n \"weight\": \"Bolder\",\n \"text\": \"Below is the summary of actions taken on IP's by SOC\",\n \"wrap\": true\n },\n {\n \"columns\": [\n {\n \"items\":@{body('Set_variable_actions_on_IP_to_be_displayed_on_adaptive_card')} ,\n \"type\": \"Column\",\n \"wrap\": true\n }\n ],\n \"separator\": \"true\",\n \"type\": \"ColumnSet\",\n \"width\": \"stretch\"\n},\n {\n \"text\": \" Incident No : @{triggerBody()?['object']?['properties']?['incidentNumber']} \",\n \"type\": \"TextBlock\",\n \"weight\": \"Bolder\",\n \"wrap\": true\n },\n {\n \"type\": \"TextBlock\",\n \"text\": \"[Click here to view the Incident](@{triggerBody()?['object']?['properties']?['incidentUrl']})\",\n \"wrap\": true\n },\n\n {\n \"type\": \"ColumnSet\",\n \"columns\": [\n {\n \"type\": \"Column\",\n \"items\": [\n {\n \"type\": \"TextBlock\",\n \"size\": \"Medium\",\n \"weight\": \"Bolder\",\n \"text\": \"Incident configuration :\",\n \"wrap\": true\n }\n ],\n \"width\": \"auto\"\n }\n ]\n },\n {\n \"type\": \"ColumnSet\",\n \"columns\": [\n {\n \"type\": \"Column\",\n \"items\": [\n {\n \"type\": \"Image\",\n \"style\": \"Person\",\n \"url\": \"https://connectoricons-prod.azureedge.net/releases/v1.0.1391/1.0.1391.2130/azuresentinel/icon.png\",\n \"size\": \"Small\"\n }\n ],\n \"width\": \"auto\"\n }\n ]\n },\n {\n \"type\": \"TextBlock\",\n \"text\": \"Close Azure Sentinal incident?\"\n },\n {\n \"choices\": [\n {\n \"isSelected\": true,\n \"title\": \"False Positive - Inaccurate Data\",\n \"value\": \"False Positive - Inaccurate Data\"\n },\n {\n \"isSelected\": true,\n \"title\": \"False Positive - Incorrect Alert Logic\",\n \"value\": \"False Positive - Incorrect Alert Logic\"\n },\n {\n \"title\": \"True Positive - Suspicious Activity\",\n \"value\": \"True Positive - Suspicious Activity\"\n },\n {\n \"title\": \"Benign Positive - Suspicious But Expected\",\n \"value\": \"Benign Positive - 
Suspicious But Expected\"\n },\n {\n \"title\": \"Undetermined\",\n \"value\": \"Undetermined\"\n }\n ],\n \"id\": \"incidentStatus\",\n \"style\": \"compact\",\n \"type\": \"Input.ChoiceSet\",\n \"value\": \"Benign Positive - Suspicious But Expected\"\n },\n {\n \"type\": \"TextBlock\",\n \"text\": \"Change Azure Sentinel Incident Severity?\"\n },\n {\n \"choices\": [\n {\n \n \"title\": \"High\",\n \"value\": \"High\"\n },\n {\n \"title\": \"Medium\",\n \"value\": \"Medium\"\n },\n {\n \"title\": \"Low\",\n \"value\": \"Low\"\n },\n {\n \"title\": \"Don't change\",\n \"value\": \"same\"\n }\n ],\n \"id\": \"incidentSeverity\",\n \"style\": \"compact\",\n \"type\": \"Input.ChoiceSet\",\n \"value\": \"@{triggerBody()?['object']?['properties']?['severity']}\"\n }\n \n \n \n ],\n\"width\":\"auto\",\n \"actions\": [\n {\n \"type\": \"Action.Submit\",\n \"title\": \"Change incident configuration\"\n },\n{\n \"type\": \"Action.Submit\",\n \"title\": \"Ignore\"\n }\n ],\n \"$schema\": \"http://adaptivecards.io/schemas/adaptive-card.json\",\n \"version\": \"1.2\"\n}",
+ "messageBody": "{\n \"type\": \"AdaptiveCard\",\n \"body\": [\n {\n \"type\": \"TextBlock\",\n \n \"weight\": \"Bolder\",\n \"text\": \"Below is the summary of actions taken on IP's by SOC\",\n \"wrap\": true\n },\n {\n \"columns\": [\n {\n \"items\":@{body('Set_variable_actions_on_IP_to_be_displayed_on_adaptive_card')} ,\n \"type\": \"Column\",\n \"wrap\": true\n }\n ],\n \"separator\": \"true\",\n \"type\": \"ColumnSet\",\n \"width\": \"stretch\"\n},\n {\n \"text\": \" Incident No : @{triggerBody()?['object']?['properties']?['incidentNumber']} \",\n \"type\": \"TextBlock\",\n \"weight\": \"Bolder\",\n \"wrap\": true\n },\n {\n \"type\": \"TextBlock\",\n \"text\": \"[Click here to view the Incident](@{triggerBody()?['object']?['properties']?['incidentUrl']})\",\n \"wrap\": true\n },\n\n {\n \"type\": \"ColumnSet\",\n \"columns\": [\n {\n \"type\": \"Column\",\n \"items\": [\n {\n \"type\": \"TextBlock\",\n \"size\": \"Medium\",\n \"weight\": \"Bolder\",\n \"text\": \"Incident configuration :\",\n \"wrap\": true\n }\n ],\n \"width\": \"auto\"\n }\n ]\n },\n {\n \"type\": \"ColumnSet\",\n \"columns\": [\n {\n \"type\": \"Column\",\n \"items\": [\n {\n \"type\": \"Image\",\n \"style\": \"Person\",\n \"url\": \"https://connectoricons-prod.azureedge.net/releases/v1.0.1391/1.0.1391.2130/azuresentinel/icon.png\",\n \"size\": \"Small\"\n }\n ],\n \"width\": \"auto\"\n }\n ]\n },\n {\n \"type\": \"TextBlock\",\n \"text\": \"Close Azure Sentinal incident?\"\n },\n {\n \"choices\": [\n {\n \"isSelected\": true,\n \"title\": \"False Positive - Inaccurate Data\",\n \"value\": \"False Positive - Inaccurate Data\"\n },\n {\n \"isSelected\": true,\n \"title\": \"False Positive - Incorrect Alert Logic\",\n \"value\": \"False Positive - Incorrect Alert Logic\"\n },\n {\n \"title\": \"True Positive - Suspicious Activity\",\n \"value\": \"True Positive - Suspicious Activity\"\n },\n {\n \"title\": \"Benign Positive - Suspicious But Expected\",\n \"value\": \"Benign Positive - 
Suspicious But Expected\"\n },\n {\n \"title\": \"Undetermined\",\n \"value\": \"Undetermined\"\n }\n ],\n \"id\": \"incidentStatus\",\n \"style\": \"compact\",\n \"type\": \"Input.ChoiceSet\",\n \"value\": \"Benign Positive - Suspicious But Expected\"\n },\n {\n \"type\": \"TextBlock\",\n \"text\": \"Change Microsoft Sentinel Incident Severity?\"\n },\n {\n \"choices\": [\n {\n \n \"title\": \"High\",\n \"value\": \"High\"\n },\n {\n \"title\": \"Medium\",\n \"value\": \"Medium\"\n },\n {\n \"title\": \"Low\",\n \"value\": \"Low\"\n },\n {\n \"title\": \"Don't change\",\n \"value\": \"same\"\n }\n ],\n \"id\": \"incidentSeverity\",\n \"style\": \"compact\",\n \"type\": \"Input.ChoiceSet\",\n \"value\": \"@{triggerBody()?['object']?['properties']?['severity']}\"\n }\n \n \n \n ],\n\"width\":\"auto\",\n \"actions\": [\n {\n \"type\": \"Action.Submit\",\n \"title\": \"Change incident configuration\"\n },\n{\n \"type\": \"Action.Submit\",\n \"title\": \"Ignore\"\n }\n ],\n \"$schema\": \"http://adaptivecards.io/schemas/adaptive-card.json\",\n \"version\": \"1.2\"\n}",
"recipient": {
"channelId": "[[parameters('Teams ChannelId')]"
},
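Review bot: The rewritten `messageBody` still contains `Close Azure Sentinal incident?` a few elements before the text this hunk rebrands, so the card now mixes the old, misspelled name with the new one; change it to `\"text\": \"Close Microsoft Sentinel incident?\"`. Also on the new side, the `incidentStatus` ChoiceSet marks both False Positive choices `\"isSelected\": true` while its `value` is `Benign Positive - Suspicious But Expected`; in a `compact` single-select ChoiceSet only one default is meaningful, so either the two `isSelected` flags or the `value` should go. Both are pre-existing text carried into the new line rather than introduced here, but this line is the place to clean them up.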
@@ -3459,17 +5803,17 @@
"PaloAltoConnector": {
"connectionId": "[[resourceId('Microsoft.Web/connections', variables('PaloAltoConnectorConnectionName'))]",
"connectionName": "[[variables('PaloAltoConnectorConnectionName')]",
- "id": "[[concat('/subscriptions/', subscription().subscriptionId, '/resourceGroups/', resourceGroup().name, '/providers/Microsoft.Web/customApis/PaloAltoConnector')]"
+ "id": "[[concat('/subscriptions/', subscription().subscriptionId, '/resourceGroups/', resourceGroup().name, '/providers/Microsoft.Web/customApis/', parameters('CustomConnectorName'))]"
},
"azuresentinel": {
"connectionId": "[[resourceId('Microsoft.Web/connections', variables('AzureSentinelConnectionName'))]",
"connectionName": "[[variables('AzureSentinelConnectionName')]",
- "id": "[[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', [parameters('location')], '/managedApis/azuresentinel')]"
+ "id": "[[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', variables('workspace-location-inline'), '/managedApis/azuresentinel')]"
},
"teams": {
"connectionId": "[[resourceId('Microsoft.Web/connections', variables('TeamsConnectionName'))]",
"connectionName": "[[variables('TeamsConnectionName')]",
- "id": "[[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', [parameters('location')], '/managedApis/teams')]"
+ "id": "[[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', variables('workspace-location-inline'), '/managedApis/teams')]"
}
}
}
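Review bot: The three `id` expressions in `$connections` repeat the `concat(...)` already computed in the template's `variables` block (`connection-1` and `connection-2` are visible earlier in this diff), which is exactly the duplication this hunk had to patch twice. Referencing the variables instead keeps the `Microsoft.Web/connections` resources and the workflow bindings in sync: `"id": "[[variables('_connection-1')]"` for the custom connector, `"id": "[[variables('_connection-2')]"` for azuresentinel, and, assuming a `connection-3` variable for teams exists here as it does in the BlockURL template below, `"id": "[[variables('_connection-3')]"`. The variables block of this template is only partly visible in the chunk, so the teams variable is inferred.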
@@ -3482,12 +5826,12 @@
{
"type": "Microsoft.OperationalInsights/workspaces/providers/metadata",
"apiVersion": "2022-01-01-preview",
- "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('Playbook-', last(split(variables('playbookId2'),'/'))))]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('Playbook-', last(split(variables('playbookId5'),'/'))))]",
"properties": {
- "parentId": "[variables('playbookId2')]",
- "contentId": "[variables('_playbookContentId2')]",
+ "parentId": "[variables('playbookId5')]",
+ "contentId": "[variables('_playbookContentId5')]",
"kind": "Playbook",
- "version": "[variables('playbookVersion2')]",
+ "version": "[variables('playbookVersion5')]",
"source": {
"kind": "Solution",
"name": "PaloAlto-PAN-OS",
@@ -3502,6 +5846,15 @@
"email": "support@microsoft.com",
"tier": "Microsoft",
"link": "https://support.microsoft.com"
+ },
+ "dependencies": {
+ "criteria": [
+ {
+ "kind": "LogicAppsCustomConnector",
+ "contentId": "[variables('_PaloAltoCustomConnector')]",
+ "version": "[variables('playbookVersion1')]"
+ }
+ ]
}
}
}
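Review bot: The new `dependencies.criteria` entry pins the custom connector to `variables('playbookVersion1')`, the version variable of the first packaged item rather than one named for the connector; if the connector and playbook 1 are ever versioned separately this dependency will silently point at the wrong version. If the packaging tool guarantees the connector is item 1, a dedicated variable (a constructed name such as `_PaloAltoCustomConnectorVersion`, or whatever variable the connector's own `templateSpecs/versions` resource uses) would make that coupling explicit. The connector's resource definition is outside this chunk, so this is inferred from the variable naming.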
@@ -3511,7 +5864,7 @@
"title": "PaloAlto-PAN-OS-BlockIP",
"description": "This playbook allows blocking/unblocking IPs in PaloAlto, using **Address Object Groups**. This allows to make changes on predefined address group, which is attached to predefined security policy rule.",
"mainSteps": [
- "When a new Sentinel incident is created, this playbook gets triggered and performs below actions: \n\n 1. An adaptive card is sent to the SOC channel providing Incident information, IP address, list of existing security policy rules in which IP is a member of and provides an option to Block/Unblock IP Address to predefined address group or Ignore. \n\n 2. The SOC can take action on risky IP based on the information provided in the adaptive card. \n\n ![PaloAlto-PAN-OS-BlockIP](./designerscreenshot.PNG) \n\n **This is the adaptive card SOC will receive when playbook is triggered for each risky IP for taking actions like block/unblock/ignore:** \n\n ![Adaptive Card example](./AdaptiveCardtoBlockorUnblock.PNG) \n\n **This is the consolidate adaptive card about the summary of actions taken on IP and the incident configuration:** \n\n ![Consolidated Adaptive Card example](./SummarizedAdaptiveCard.PNG)"
+ "When a new Sentinel incident is created, this playbook gets triggered and performs below actions: \n\n 1. An adaptive card is sent to the SOC channel providing Incident information, IP address, list of existing security policy rules in which IP is a member of and provides an option to Block/Unblock IP Address to predefined address group or Ignore. \n\n 2. The SOC can take action on risky IP based on the information provided in the adaptive card. \n\n ![PaloAlto-PAN-OS-BlockIP](https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/PaloAlto-PAN-OS/Playbooks/PaloAlto-PAN-OS-BlockIP/designerscreenshot.PNG?raw=true) \n\n **This is the adaptive card SOC will receive when playbook is triggered for each risky IP for taking actions like block/unblock/ignore:** \n\n ![Adaptive Card example](https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/PaloAlto-PAN-OS/Playbooks/PaloAlto-PAN-OS-BlockIP/AdaptiveCardtoBlockorUnblock.PNG?raw=true) \n\n **This is the consolidate adaptive card about the summary of actions taken on IP and the incident configuration:** \n\n ![Consolidated Adaptive Card example](https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/PaloAlto-PAN-OS/Playbooks/PaloAlto-PAN-OS-BlockIP/SummarizedAdaptiveCard.PNG?raw=true)"
],
"prerequisites": [
"1. PaloAlto connector needs to be deployed prior to the deployment of this playbook under the same subscription. Relevant instructions can be found in the connector doc page. \n\n 2. Generate an API key. [Refer this link on how to generate the API Key](https://docs.paloaltonetworks.com/pan-os/10-1/pan-os-panorama-api/get-started-with-the-pan-os-xml-api/get-your-api-key) \n\n 3. Address group should be created for PAN-OS and this should be used while creating playbooks."
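Review bot: The rewritten `mainSteps` text keeps two wording slips that appear in the Content Hub listing: `This is the consolidate adaptive card` should read `This is the consolidated adaptive card`, and `security policy rules in which IP is a member of` drops the article and doubles the preposition (`security policy rules of which the IP is a member`). The new image links also point at the mutable `master` branch, so moving or renaming the PNGs under `Solutions/PaloAlto-PAN-OS/Playbooks/PaloAlto-PAN-OS-BlockIP/` will break the rendered description without any deployment-time error; pinning to a tag or commit would avoid that, if the repository's packaging allows it.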
@@ -3540,6 +5893,1141 @@
}
}
},
+ {
+ "type": "Microsoft.Resources/templateSpecs",
+ "apiVersion": "2021-05-01",
+ "name": "[variables('playbookTemplateSpecName6')]",
+ "location": "[parameters('workspace-location')]",
+ "tags": {
+ "hidden-sentinelWorkspaceId": "[variables('workspaceResourceId')]",
+ "hidden-sentinelContentType": "Playbook"
+ },
+ "properties": {
+ "description": "PaloAlto-PAN-OS-BlockURL playbook",
+ "displayName": "PaloAlto-PAN-OS-BlockURL playbook"
+ }
+ },
+ {
+ "type": "Microsoft.Resources/templateSpecs/versions",
+ "apiVersion": "2021-05-01",
+ "name": "[concat(variables('playbookTemplateSpecName6'),'/',variables('playbookVersion6'))]",
+ "location": "[parameters('workspace-location')]",
+ "tags": {
+ "hidden-sentinelWorkspaceId": "[variables('workspaceResourceId')]",
+ "hidden-sentinelContentType": "Playbook"
+ },
+ "dependsOn": [
+ "[resourceId('Microsoft.Resources/templateSpecs', variables('playbookTemplateSpecName6'))]"
+ ],
+ "properties": {
+ "description": "PaloAlto-PAN-OS-BlockURL Playbook with template version 2.0.0",
+ "mainTemplate": {
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "[variables('playbookVersion6')]",
+ "parameters": {
+ "PlaybookName": {
+ "defaultValue": "PaloAlto-PAN-OS-BlockURL",
+ "type": "String",
+ "metadata": {
+ "description": "Name of the Logic App/Playbook"
+ }
+ },
+ "CustomConnectorName": {
+ "defaultValue": "PAN-OSRestApiCustomConnector",
+ "type": "string"
+ },
+ "Teams GroupId": {
+ "defaultValue": "TeamgroupId",
+ "type": "String",
+ "metadata": {
+ "description": "GroupId of the Team channel"
+ }
+ },
+ "Teams ChannelId": {
+ "defaultValue": "TeamChannelId",
+ "type": "String",
+ "metadata": {
+ "description": "Team ChannelId"
+ }
+ },
+ "Address Group": {
+ "defaultValue": "AddressGroup",
+ "type": "String",
+ "metadata": {
+ "description": "Address Group"
+ }
+ }
+ },
+ "variables": {
+ "AzureSentinelConnectionName": "[[concat('azuresentinel-', parameters('PlaybookName'))]",
+ "TeamsConnectionName": "[[concat('teamsconnector-', parameters('PlaybookName'))]",
+ "PaloAltoConnectorConnectionName": "[[concat('PaloAltoConnector-', parameters('PlaybookName'))]",
+ "connection-1": "[[concat('/subscriptions/', subscription().subscriptionId, '/resourceGroups/', resourceGroup().name, '/providers/Microsoft.Web/customApis/', parameters('CustomConnectorName'))]",
+ "_connection-1": "[[variables('connection-1')]",
+ "connection-2": "[[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', variables('workspace-location-inline'), '/managedApis/azuresentinel')]",
+ "_connection-2": "[[variables('connection-2')]",
+ "connection-3": "[[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', variables('workspace-location-inline'), '/managedApis/teams')]",
+ "_connection-3": "[[variables('connection-3')]",
+ "workspace-location-inline": "[concat('[resourceGroup().locatio', 'n]')]",
+ "workspace-name": "[parameters('workspace')]",
+ "workspaceResourceId": "[[resourceId('microsoft.OperationalInsights/Workspaces', variables('workspace-name'))]"
+ },
+ "resources": [
+ {
+ "type": "Microsoft.Web/connections",
+ "apiVersion": "2016-06-01",
+ "name": "[[variables('PaloAltoConnectorConnectionName')]",
+ "location": "[[variables('workspace-location-inline')]",
+ "properties": {
+ "api": {
+ "id": "[[variables('_connection-1')]"
+ }
+ }
+ },
+ {
+ "type": "Microsoft.Web/connections",
+ "apiVersion": "2016-06-01",
+ "name": "[[variables('AzureSentinelConnectionName')]",
+ "location": "[[variables('workspace-location-inline')]",
+ "properties": {
+ "api": {
+ "id": "[[variables('_connection-2')]"
+ }
+ }
+ },
+ {
+ "type": "Microsoft.Web/connections",
+ "apiVersion": "2016-06-01",
+ "name": "[[variables('TeamsConnectionName')]",
+ "location": "[[variables('workspace-location-inline')]",
+ "properties": {
+ "api": {
+ "id": "[[variables('_connection-3')]"
+ }
+ }
+ },
+ {
+ "type": "Microsoft.Logic/workflows",
+ "apiVersion": "2017-07-01",
+ "name": "[[parameters('PlaybookName')]",
+ "location": "[[variables('workspace-location-inline')]",
+ "dependsOn": [
+ "[[resourceId('Microsoft.Web/connections', variables('PaloAltoConnectorConnectionName'))]",
+ "[[resourceId('Microsoft.Web/connections', variables('AzureSentinelConnectionName'))]",
+ "[[resourceId('Microsoft.Web/connections', variables('TeamsConnectionName'))]"
+ ],
+ "properties": {
+ "state": "Enabled",
+ "definition": {
+ "$schema": "https://schema.management.azure.com/providers/Microsoft.Logic/schemas/2016-06-01/workflowdefinition.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "$connections": {
+ "type": "Object"
+ }
+ },
+ "triggers": {
+ "When_Azure_Sentinel_incident_creation_rule_was_triggered_(Private_Preview_only)": {
+ "type": "ApiConnectionWebhook",
+ "inputs": {
+ "body": {
+ "callback_url": "@{listCallbackUrl()}"
+ },
+ "host": {
+ "connection": {
+ "name": "@parameters('$connections')['azuresentinel']['connectionId']"
+ }
+ },
+ "path": "/incident-creation"
+ }
+ }
+ },
+ "actions": {
+ "Compose_product_name": {
+ "runAfter": {
+ "Select_alert_product_names": [
+ "Succeeded"
+ ]
+ },
+ "type": "Compose",
+ "inputs": "@body('Select_alert_product_names')?[0]?['text']",
+ "description": "compose to select the incident alert product name"
+ },
+ "Condition_based_on_the_incident_configuration_from_adaptive_card": {
+ "actions": {
+ "Add_comment_to_incident_(V3)": {
+ "type": "ApiConnection",
+ "inputs": {
+ "body": {
+ "incidentArmId": "@triggerBody()?['object']?['id']",
+ "message": "PAN-OS Playbook ran and performed the following actions:
\n@{variables('URLAddressAction')}
\n
\n
\n
\nActions taken on Sentinel : Add comment to incident and closure with classification reason @{body('Post_an_Adaptive_Card_to_a_Teams_channel_and_wait_for_a_response')['data']?['incidentStatus']}
"
+ },
+ "host": {
+ "connection": {
+ "name": "@parameters('$connections')['azuresentinel']['connectionId']"
+ }
+ },
+ "method": "post",
+ "path": "/Incidents/Comment"
+ }
+ },
+ "Update_incident": {
+ "runAfter": {
+ "Add_comment_to_incident_(V3)": [
+ "Succeeded"
+ ]
+ },
+ "type": "ApiConnection",
+ "inputs": {
+ "body": {
+ "classification": {
+ "ClassificationAndReason": "@{body('Post_an_Adaptive_Card_to_a_Teams_channel_and_wait_for_a_response')['data']?['incidentStatus']}"
+ },
+ "incidentArmId": "@triggerBody()?['object']?['id']",
+ "severity": "@{body('Post_an_Adaptive_Card_to_a_Teams_channel_and_wait_for_a_response')['data']?['incidentSeverity']}",
+ "status": "Closed"
+ },
+ "host": {
+ "connection": {
+ "name": "@parameters('$connections')['azuresentinel']['connectionId']"
+ }
+ },
+ "method": "put",
+ "path": "/Incidents"
+ }
+ }
+ },
+ "runAfter": {
+ "Post_an_Adaptive_Card_to_a_Teams_channel_and_wait_for_a_response": [
+ "Succeeded"
+ ]
+ },
+ "expression": {
+ "and": [
+ {
+ "equals": [
+ "@body('Post_an_Adaptive_Card_to_a_Teams_channel_and_wait_for_a_response')['submitActionId']",
+ "Change incident configuration"
+ ]
+ }
+ ]
+ },
+ "type": "If",
+ "description": "This decides the action taken on the summarized adaptive card"
+ },
+ "Entities_-_Get_URLs": {
+ "type": "ApiConnection",
+ "inputs": {
+ "body": "@triggerBody()?['object']?['properties']?['relatedEntities']",
+ "host": {
+ "connection": {
+ "name": "@parameters('$connections')['azuresentinel']['connectionId']"
+ }
+ },
+ "method": "post",
+ "path": "/entities/url"
+ }
+ },
+ "For_each_malicious_URL": {
+ "foreach": "@body('Entities_-_Get_URLs')?['URLs']",
+ "actions": {
+ "Condition_based_on_user_inputs_from_the_adaptive_card": {
+ "actions": {
+ "Condition__to_check_if_user_chosen_Block": {
+ "actions": {
+ "Create_an_address_object": {
+ "type": "ApiConnection",
+ "inputs": {
+ "body": {
+ "entry": [
+ {
+ "@@name": "@items('For_each_malicious_URL')?['Url']",
+ "description": "@items('For_each_malicious_URL')?['Url']",
+ "fqdn": "@items('For_each_malicious_URL')?['Url']"
+ }
+ ]
+ },
+ "host": {
+ "connection": {
+ "name": "@parameters('$connections')['PaloAltoConnector']['connectionId']"
+ }
+ },
+ "method": "post",
+ "path": "/restapi/v10.0/Objects/Addresses",
+ "queries": {
+ "address type": "[variables('blanks')]",
+ "location": "vsys",
+ "name": "@items('For_each_malicious_URL')?['Url']",
+ "vsys": "vsys1"
+ }
+ },
+ "description": "This creates a new address object for the malicious URL"
+ }
+ },
+ "expression": {
+ "and": [
+ {
+ "equals": [
+ "@body('Post_an_Adaptive_Card_to_a_Teams_channel_and_wait_for_a_response_3')['submitActionId']",
+ "Block URL ( add to @{outputs('Configured_address_group')} address group )"
+ ]
+ },
+ {
+ "equals": [
+ "@length(body('Filter_array_of_URL_address_from_list_of_address_objects'))",
+ 0
+ ]
+ }
+ ]
+ },
+ "type": "If",
+ "description": "This check if user chooses Block URL"
+ },
+ "Condition_to_check_the_edit_an_address_object_group_status": {
+ "actions": {
+ "Condition_to_check_the_action_of_adaptive_card_to_set_the_action_summary": {
+ "actions": {
+ "Append_success_status_Blocked_URL_status_to_summary_card": {
+ "type": "AppendToArrayVariable",
+ "inputs": {
+ "name": "URLAddressAction",
+ "value": "URL Address : @{items('For_each_malicious_URL')?['Url']} , Action Taken : Blocked by \n adding to @{outputs('Configured_address_group')} , Status : Success"
+ },
+ "description": "append action taken to summarize on the adaptive card"
+ }
+ },
+ "else": {
+ "actions": {
+ "Append_success_status_UnBlocked_URL_status_to_summary_card": {
+ "type": "AppendToArrayVariable",
+ "inputs": {
+ "name": "URLAddressAction",
+ "value": "URL Address : @{items('For_each_malicious_URL')?['Url']} , Action Taken : UnBlocked by \n adding to @{outputs('Configured_address_group')} , Status : Success"
+ },
+ "description": "append action taken to summarize on the adaptive card"
+ }
+ }
+ },
+ "expression": {
+ "and": [
+ {
+ "equals": [
+ "@body('Post_an_Adaptive_Card_to_a_Teams_channel_and_wait_for_a_response_3')['submitActionId']",
+ "Block URL ( add to @{outputs('Configured_address_group')} address group )"
+ ]
+ }
+ ]
+ },
+ "type": "If"
+ }
+ },
+ "runAfter": {
+ "Update_an_address_object_group": [
+ "Succeeded"
+ ]
+ },
+ "else": {
+ "actions": {
+ "Append_failure_status_to_summary_card": {
+ "type": "AppendToArrayVariable",
+ "inputs": {
+ "name": "URLAddressAction",
+ "value": "URL Address : @{items('For_each_malicious_URL')?['Url']} , Action Taken : @{body('Post_an_Adaptive_Card_to_a_Teams_channel_and_wait_for_a_response_3')['submitActionId']} , Status : Failure"
+ },
+ "description": "append action taken to summarize on the adaptive card"
+ }
+ }
+ },
+ "expression": {
+ "and": [
+ {
+ "equals": [
+ "@body('Update_an_address_object_group')?['@status']",
+ "success"
+ ]
+ }
+ ]
+ },
+ "type": "If"
+ },
+ "Update_an_address_object_group": {
+ "runAfter": {
+ "Condition__to_check_if_user_chosen_Block": [
+ "Succeeded"
+ ]
+ },
+ "type": "ApiConnection",
+ "inputs": {
+ "body": {
+ "entry": {
+ "@@name": "[[parameters('Address Group')]",
+ "static": {
+ "member": "@{variables('AddressGroupMembers')}"
+ }
+ }
+ },
+ "host": {
+ "connection": {
+ "name": "@parameters('$connections')['PaloAltoConnector']['connectionId']"
+ }
+ },
+ "method": "put",
+ "path": "/restapi/v10.0/Objects/AddressGroups",
+ "queries": {
+ "location": "vsys",
+ "name": "[[parameters('Address Group')]",
+ "vsys": "vsys1"
+ }
+ }
+ }
+ },
+ "runAfter": {
+ "Post_an_Adaptive_Card_to_a_Teams_channel_and_wait_for_a_response_3": [
+ "Succeeded"
+ ]
+ },
+ "else": {
+ "actions": {
+ "Append_to_array_variable_URL_address_action_chosen": {
+ "type": "AppendToArrayVariable",
+ "inputs": {
+ "name": "URLAddressAction",
+ "value": "URL Address : @{items('For_each_malicious_URL')?['Url']}, Action Taken : @{body('Post_an_Adaptive_Card_to_a_Teams_channel_and_wait_for_a_response_3')['submitActionId']} , Status : Success "
+ },
+ "description": "This appends the action taken on URL to the list of existing actions"
+ }
+ }
+ },
+ "expression": {
+ "and": [
+ {
+ "not": {
+ "equals": [
+ "@body('Post_an_Adaptive_Card_to_a_Teams_channel_and_wait_for_a_response_3')['submitActionId']",
+ "Ignore"
+ ]
+ }
+ }
+ ]
+ },
+ "type": "If",
+ "description": "condition to check the submit action is block / unblock or Ignore"
+ },
+ "Condition_to_check_if_URL_address_already_present_in_list_of_address_objects": {
+ "actions": {
+ "Condition_to_check_if_URL_already_present_in_predefined_address_group": {
+ "actions": {
+ "Append_address_group_text": {
+ "type": "AppendToArrayVariable",
+ "inputs": {
+ "name": "AdaptiveCardBody",
+ "value": {
+ "text": "The URL @{items('For_each_malicious_URL')?['Url']} is already a member of the blocked address group @{outputs('Configured_address_group')}",
+ "type": "TextBlock",
+ "wrap": true
+ }
+ },
+ "description": "append address group text to adaptive card dynamically"
+ },
+ "Filter_array_URL_address_from_the_list_of_address_objects_to_unreference": {
+ "runAfter": {
+ "Set_dynamic_action_name": [
+ "Succeeded"
+ ]
+ },
+ "type": "Query",
+ "inputs": {
+ "from": "@variables('AddressGroupMembers')",
+ "where": "@not(equals(item(), items('For_each_malicious_URL')?['Url']))"
+ },
+ "description": "This filters the URL address from predefined address group to unreference/unblock URL"
+ },
+ "Set_dynamic_action_name": {
+ "runAfter": {
+ "Append_address_group_text": [
+ "Succeeded"
+ ]
+ },
+ "type": "SetVariable",
+ "inputs": {
+ "name": "ActionName",
+ "value": "UnBlock URL"
+ },
+ "description": "variable to set action name dynamically"
+ },
+ "unreference_URL_address_from_the_existing_group_members": {
+ "runAfter": {
+ "Filter_array_URL_address_from_the_list_of_address_objects_to_unreference": [
+ "Succeeded"
+ ]
+ },
+ "type": "SetVariable",
+ "inputs": {
+ "name": "AddressGroupMembers",
+ "value": "@body('Filter_array_URL_address_from_the_list_of_address_objects_to_unreference')"
+ },
+ "description": "unreference URL address from the group members and update"
+ }
+ },
+ "else": {
+ "actions": {
+ "Append_URL_address_to_the_address_group_members": {
+ "runAfter": {
+ "Append_address_group_text_to_adaptive_card_body": [
+ "Succeeded"
+ ]
+ },
+ "type": "AppendToArrayVariable",
+ "inputs": {
+ "name": "AddressGroupMembers",
+ "value": "@items('For_each_malicious_URL')?['Url']"
+ },
+ "description": "append URL address to the address group members"
+ },
+ "Append_address_group_text_to_adaptive_card_body": {
+ "type": "AppendToArrayVariable",
+ "inputs": {
+ "name": "AdaptiveCardBody",
+ "value": {
+ "text": "The URL @{items('For_each_malicious_URL')?['Url']} is not a member of the blocked address group @{outputs('Configured_address_group')}",
+ "type": "TextBlock",
+ "wrap": true
+ }
+ },
+ "description": "append address group text to adaptive card dynamically"
+ },
+ "Set_dynamic_action_name_to_variable_Action_name": {
+ "runAfter": {
+ "Append_URL_address_to_the_address_group_members": [
+ "Succeeded"
+ ]
+ },
+ "type": "SetVariable",
+ "inputs": {
+ "name": "ActionName",
+ "value": "Block URL"
+ },
+ "description": "set action name dynamically"
+ }
+ }
+ },
+ "expression": {
+ "and": [
+ {
+ "contains": [
+ "@variables('AddressGroupMembers')",
+ "@items('For_each_malicious_URL')?['Url']"
+ ]
+ }
+ ]
+ },
+ "type": "If",
+ "description": "condition to check the malicious URL address is present in the predefined address group and the URL is part of static member"
+ }
+ },
+ "runAfter": {
+ "Condition_to_check_if_the_URL_is_a_part_of_security_policy_rules": [
+ "Succeeded"
+ ]
+ },
+ "else": {
+ "actions": {
+ "Append_URL_to_array_of_address_group_members": {
+ "runAfter": {
+ "Append_to_array_variable_text_if_URL_is_not_a_member_of_blocked_address_group": [
+ "Succeeded"
+ ]
+ },
+ "type": "AppendToArrayVariable",
+ "inputs": {
+ "name": "AddressGroupMembers",
+ "value": "@items('For_each_malicious_URL')?['Url']"
+ },
+ "description": "append the Malicious URL address to the existing group members to block / unblock from the predefined address group"
+ },
+ "Append_to_array_variable_text_if_URL_is_not_a_member_of_blocked_address_group": {
+ "type": "AppendToArrayVariable",
+ "inputs": {
+ "name": "AdaptiveCardBody",
+ "value": {
+ "text": "The URL @{items('For_each_malicious_URL')?['Url']} is not a member of the blocked address group @{outputs('Configured_address_group')}",
+ "type": "TextBlock",
+ "wrap": true
+ }
+ },
+ "description": "This appends the text to display If URL is not a member of security policy rules"
+ },
+ "Set_variable_to_Block_URL": {
+ "runAfter": {
+ "Append_URL_to_array_of_address_group_members": [
+ "Succeeded"
+ ]
+ },
+ "type": "SetVariable",
+ "inputs": {
+ "name": "ActionName",
+ "value": "Block URL"
+ },
+ "description": "This sets the variable block URL"
+ }
+ }
+ },
+ "expression": {
+ "and": [
+ {
+ "greater": [
+ "@length(body('Filter_array_of_URL_address_from_list_of_address_objects'))",
+ 0
+ ]
+ }
+ ]
+ },
+ "type": "If",
+ "description": "This checks if URL is a member of any of the list of address objects"
+ },
+ "Condition_to_check_if_the_URL_is_a_part_of_security_policy_rules": {
+ "actions": {
+ "Append_policy_text": {
+ "type": "AppendToArrayVariable",
+ "inputs": {
+ "name": "AdaptiveCardBody",
+ "value": {
+ "text": "It is also member of the following security policy rules",
+ "type": "TextBlock"
+ }
+ },
+ "description": "dynamic policy text based on security policies"
+ },
+ "Append_security_policies": {
+ "runAfter": {
+ "Append_policy_text": [
+ "Succeeded"
+ ]
+ },
+ "type": "AppendToArrayVariable",
+ "inputs": {
+ "name": "AdaptiveCardBody",
+ "value": {
+ "columns": [
+ {
+ "items": "@body('Select_security_policy_rules')",
+ "type": "Column"
+ }
+ ],
+ "type": "ColumnSet"
+ }
+ },
+ "description": "append security policies which the URL address is exist"
+ }
+ },
+ "runAfter": {
+ "Select_security_policy_rules": [
+ "Succeeded"
+ ]
+ },
+ "else": {
+ "actions": {
+ "Append_policy_text_to_adaptive_card_body_variable": {
+ "type": "AppendToArrayVariable",
+ "inputs": {
+ "name": "AdaptiveCardBody",
+ "value": {
+ "text": "It is not a member of any other Policy Rules",
+ "type": "TextBlock"
+ }
+ },
+ "description": "dynamic policy text based on security policies"
+ },
+ "Append_security_policies_to_adaptive_card_body_variable": {
+ "runAfter": {
+ "Append_policy_text_to_adaptive_card_body_variable": [
+ "Succeeded"
+ ]
+ },
+ "type": "AppendToArrayVariable",
+ "inputs": {
+ "name": "AdaptiveCardBody",
+ "value": {}
+ },
+ "description": "append security policies which the URL address is exist"
+ }
+ }
+ },
+ "expression": {
+ "and": [
+ {
+ "greater": [
+ "@length(body('Select_security_policy_rules'))",
+ 0
+ ]
+ }
+ ]
+ },
+ "type": "If",
+ "description": "condition to check if the URL address is present in the existing security policy rules to conditionally apply the policy text and security policy rules"
+ },
+ "Configured_address_group": {
+ "runAfter": {
+ "Set_variable_address_group_members": [
+ "Succeeded"
+ ]
+ },
+ "type": "Compose",
+ "inputs": "@body('List_address_groups')?['result']?['entry']?[0]?['@name']",
+ "description": "compose predefined address group"
+ },
+ "Filter_array_URL_from_list_of_security_rules": {
+ "runAfter": {
+ "Configured_address_group": [
+ "Succeeded"
+ ]
+ },
+ "type": "Query",
+ "inputs": {
+ "from": "@body('List_security_rules')?['result']?['entry']",
+ "where": "@contains(item()?['destination']?['member'], items('For_each_malicious_URL')?['Url'])"
+ },
+ "description": "This filters all the security rules in which this URL is a member"
+ },
+ "Filter_array_of_URL_address_from_list_of_address_objects": {
+ "runAfter": {
+ "Set_variable_adaptive_card_body": [
+ "Succeeded"
+ ]
+ },
+ "type": "Query",
+ "inputs": {
+ "from": "@body('List_address_objects')?['result']?['entry']",
+ "where": "@equals(item()?['fqdn'], items('For_each_malicious_URL')?['Url'])"
+ },
+ "description": "This filters the list of address objects in which this URL is a member "
+ },
+ "List_address_groups": {
+ "runAfter": {
+ "Filter_array_of_URL_address_from_list_of_address_objects": [
+ "Succeeded"
+ ]
+ },
+ "type": "ApiConnection",
+ "inputs": {
+ "host": {
+ "connection": {
+ "name": "@parameters('$connections')['PaloAltoConnector']['connectionId']"
+ }
+ },
+ "method": "get",
+ "path": "/restapi/v10.0/Objects/AddressGroups",
+ "queries": {
+ "location": "vsys",
+ "name": "[[parameters('Address Group')]",
+ "vsys": "vsys1"
+ }
+ },
+ "description": "This gets complete list of address object groups present in the PAN-OS"
+ },
+ "Post_an_Adaptive_Card_to_a_Teams_channel_and_wait_for_a_response_3": {
+ "runAfter": {
+ "Condition_to_check_if_URL_address_already_present_in_list_of_address_objects": [
+ "Succeeded"
+ ]
+ },
+ "type": "ApiConnectionWebhook",
+ "inputs": {
+ "body": {
+ "body": {
+ "messageBody": "{\n \"type\": \"AdaptiveCard\",\n \"body\":@{variables('AdaptiveCardBody')} ,\n \"actions\": [\n {\n \"title\": \"@{variables('ActionName')} ( add to @{outputs('Configured_address_group')} address group )\",\n \"type\": \"Action.Submit\"\n },\n {\n \"title\": \"Ignore\",\n \"type\": \"Action.Submit\"\n }\n],\n \"$schema\": \"http://adaptivecards.io/schemas/adaptive-card.json\",\n \"version\": \"1.2\"\n}",
+ "recipient": {
+ "channelId": "[[parameters('Teams ChannelId')]"
+ },
+ "shouldUpdateCard": true
+ },
+ "notificationUrl": "@{listCallbackUrl()}"
+ },
+ "host": {
+ "connection": {
+ "name": "@parameters('$connections')['teams']['connectionId']"
+ }
+ },
+ "path": "/flowbot/actions/flowcontinuation/recipienttypes/channel/$subscriptions",
+ "queries": {
+ "groupId": "[[parameters('Teams GroupId')]"
+ }
+ }
+ },
+ "Select_security_policy_rules": {
+ "runAfter": {
+ "Filter_array_URL_from_list_of_security_rules": [
+ "Succeeded"
+ ]
+ },
+ "type": "Select",
+ "inputs": {
+ "from": "@body('Filter_array_URL_from_list_of_security_rules')",
+ "select": {
+ "text": " @{item()?['@name']}, action : @{item()?['action']}",
+ "type": "TextBlock",
+ "weight": "bolder"
+ }
+ },
+ "description": "prepare columns list to show the security policy rules in the adaptive card if URL address is present"
+ },
+ "Set_variable_adaptive_card_body": {
+ "type": "SetVariable",
+ "inputs": {
+ "name": "AdaptiveCardBody",
+ "value": [
+ {
+ "size": "Large",
+ "text": "Suspicious URL - Microsoft Sentinel",
+ "type": "TextBlock",
+ "weight": "Bolder",
+ "wrap": true
+ },
+ {
+ "text": "Possible Comprised URL @{items('For_each_malicious_URL')?['Url']} detected by the provider : @{outputs('Compose_product_name')}",
+ "type": "TextBlock",
+ "wrap": true
+ },
+ {
+ "text": "@{triggerBody()?['object']?['properties']?['severity']} Incident @{triggerBody()?['object']?['properties']?['title']}",
+ "type": "TextBlock",
+ "weight": "Bolder",
+ "wrap": true
+ },
+ {
+ "text": " Incident No : @{triggerBody()?['object']?['properties']?['incidentNumber']} ",
+ "type": "TextBlock",
+ "weight": "Bolder",
+ "wrap": true
+ },
+ {
+ "text": "Incident description",
+ "type": "TextBlock",
+ "weight": "Bolder",
+ "wrap": true
+ },
+ {
+ "text": "@{triggerBody()?['object']?['properties']?['description']}",
+ "type": "TextBlock",
+ "wrap": true
+ },
+ {
+ "text": "[[[[Click here to view the Incident](@{triggerBody()?['object']?['properties']?['incidentUrl']})",
+ "type": "TextBlock",
+ "wrap": true
+ },
+ {
+ "size": "Medium",
+ "text": "Response in PAN-OS",
+ "type": "TextBlock",
+ "weight": "Bolder"
+ },
+ {
+ "size": "Small",
+ "style": "Person",
+ "type": "Image",
+ "url": "https://avatars2.githubusercontent.com/u/4855743?s=280&v=4"
+ }
+ ]
+ },
+ "description": "variable to hold adaptive card body"
+ },
+ "Set_variable_address_group_members": {
+ "runAfter": {
+ "List_address_groups": [
+ "Succeeded"
+ ]
+ },
+ "type": "SetVariable",
+ "inputs": {
+ "name": "AddressGroupMembers",
+ "value": "@body('List_address_groups')?['result']?['entry']?[0]?['static']?['member']"
+ },
+ "description": "assign list of address group members"
+ }
+ },
+ "runAfter": {
+ "List_security_rules": [
+ "Succeeded"
+ ]
+ },
+ "type": "Foreach",
+ "runtimeConfiguration": {
+ "concurrency": {
+ "repetitions": 1
+ }
+ }
+ },
+ "Initialize_variable_URL_address_action": {
+ "runAfter": {
+ "Initialize_variable_address_group_members": [
+ "Succeeded"
+ ]
+ },
+ "type": "InitializeVariable",
+ "inputs": {
+ "variables": [
+ {
+ "name": "URLAddressAction",
+ "type": "array"
+ }
+ ]
+ },
+ "description": "This holds the action taken on each URL "
+ },
+ "Initialize_variable_action_name": {
+ "runAfter": {
+ "Entities_-_Get_URLs": [
+ "Succeeded"
+ ]
+ },
+ "type": "InitializeVariable",
+ "inputs": {
+ "variables": [
+ {
+ "name": "ActionName",
+ "type": "string"
+ }
+ ]
+ },
+ "description": "variable to store action name to be displayed on adaptive card"
+ },
+ "Initialize_variable_adaptive_card_body": {
+ "runAfter": {
+ "Initialize_variable_action_name": [
+ "Succeeded"
+ ]
+ },
+ "type": "InitializeVariable",
+ "inputs": {
+ "variables": [
+ {
+ "name": "AdaptiveCardBody",
+ "type": "array"
+ }
+ ]
+ },
+ "description": "variable to store adaptive card body json"
+ },
+ "Initialize_variable_address_group_members": {
+ "runAfter": {
+ "Initialize_variable_adaptive_card_body": [
+ "Succeeded"
+ ]
+ },
+ "type": "InitializeVariable",
+ "inputs": {
+ "variables": [
+ {
+ "name": "AddressGroupMembers",
+ "type": "array"
+ }
+ ]
+ },
+ "description": "variable to store the list of address group members"
+ },
+ "List_address_objects": {
+ "runAfter": {
+ "Compose_product_name": [
+ "Succeeded"
+ ]
+ },
+ "type": "ApiConnection",
+ "inputs": {
+ "host": {
+ "connection": {
+ "name": "@parameters('$connections')['PaloAltoConnector']['connectionId']"
+ }
+ },
+ "method": "get",
+ "path": "/restapi/v10.0/Objects/Addresses",
+ "queries": {
+ "location": "vsys",
+ "vsys": "vsys1"
+ }
+ },
+ "description": "This gets complete list of address object present in the PAN-OS"
+ },
+ "List_security_rules": {
+ "runAfter": {
+ "List_address_objects": [
+ "Succeeded"
+ ]
+ },
+ "type": "ApiConnection",
+ "inputs": {
+ "host": {
+ "connection": {
+ "name": "@parameters('$connections')['PaloAltoConnector']['connectionId']"
+ }
+ },
+ "method": "get",
+ "path": "/restapi/v10.0/Policies/SecurityRules",
+ "queries": {
+ "location": "vsys",
+ "vsys": "vsys1"
+ }
+ },
+ "description": "This gets complete list of security policy rules present in the PAN-OS"
+ },
+ "Post_an_Adaptive_Card_to_a_Teams_channel_and_wait_for_a_response": {
+ "runAfter": {
+ "Set_variable_actions_on_URL_to_be_displayed_on_adaptive_card": [
+ "Succeeded"
+ ]
+ },
+ "type": "ApiConnectionWebhook",
+ "inputs": {
+ "body": {
+ "body": {
+ "messageBody": "{\n \"type\": \"AdaptiveCard\",\n \"body\": [\n {\n \"type\": \"TextBlock\",\n \n \"weight\": \"Bolder\",\n \"text\": \"Below is the summary of actions taken on URL's by SOC\",\n \"wrap\": true\n },\n {\n \"columns\": [\n {\n \"items\":@{body('Set_variable_actions_on_URL_to_be_displayed_on_adaptive_card')} ,\n \"type\": \"Column\",\n \"wrap\": true\n }\n ],\n \"separator\": \"true\",\n \"type\": \"ColumnSet\",\n \"width\": \"stretch\"\n},\n {\n \"text\": \" Incident No : @{triggerBody()?['object']?['properties']?['incidentNumber']} \",\n \"type\": \"TextBlock\",\n \"weight\": \"Bolder\",\n \"wrap\": true\n },\n {\n \"type\": \"TextBlock\",\n \"text\": \"[Click here to view the Incident](@{triggerBody()?['object']?['properties']?['incidentUrl']})\",\n \"wrap\": true\n },\n\n {\n \"type\": \"ColumnSet\",\n \"columns\": [\n {\n \"type\": \"Column\",\n \"items\": [\n {\n \"type\": \"TextBlock\",\n \"size\": \"Medium\",\n \"weight\": \"Bolder\",\n \"text\": \"Incident configuration :\",\n \"wrap\": true\n }\n ],\n \"width\": \"auto\"\n }\n ]\n },\n {\n \"type\": \"ColumnSet\",\n \"columns\": [\n {\n \"type\": \"Column\",\n \"items\": [\n {\n \"type\": \"Image\",\n \"style\": \"Person\",\n \"url\": \"https://connectoricons-prod.azureedge.net/releases/v1.0.1391/1.0.1391.2130/azuresentinel/icon.png\",\n \"size\": \"Small\"\n }\n ],\n \"width\": \"auto\"\n }\n ]\n },\n {\n \"type\": \"TextBlock\",\n \"text\": \"Close Azure Sentinal incident?\"\n },\n {\n \"choices\": [\n {\n \"isSelected\": true,\n \"title\": \"False Positive - Inaccurate Data\",\n \"value\": \"False Positive - Inaccurate Data\"\n },\n {\n \"isSelected\": true,\n \"title\": \"False Positive - Incorrect Alert Logic\",\n \"value\": \"False Positive - Incorrect Alert Logic\"\n },\n {\n \"title\": \"True Positive - Suspicious Activity\",\n \"value\": \"True Positive - Suspicious Activity\"\n },\n {\n \"title\": \"Benign Positive - Suspicious But Expected\",\n \"value\": \"Benign Positive - 
Suspicious But Expected\"\n },\n {\n \"title\": \"Undetermined\",\n \"value\": \"Undetermined\"\n }\n ],\n \"id\": \"incidentStatus\",\n \"style\": \"compact\",\n \"type\": \"Input.ChoiceSet\",\n \"value\": \"Benign Positive - Suspicious But Expected\"\n },\n {\n \"type\": \"TextBlock\",\n \"text\": \"Change Microsoft Sentinel Incident Severity?\"\n },\n {\n \"choices\": [\n {\n \n \"title\": \"High\",\n \"value\": \"High\"\n },\n {\n \"title\": \"Medium\",\n \"value\": \"Medium\"\n },\n {\n \"title\": \"Low\",\n \"value\": \"Low\"\n },\n {\n \"title\": \"Don't change\",\n \"value\": \"same\"\n }\n ],\n \"id\": \"incidentSeverity\",\n \"style\": \"compact\",\n \"type\": \"Input.ChoiceSet\",\n \"value\": \"@{triggerBody()?['object']?['properties']?['severity']}\"\n }\n \n \n \n ],\n\"width\":\"auto\",\n \"actions\": [\n {\n \"type\": \"Action.Submit\",\n \"title\": \"Change incident configuration\"\n },\n {\n \"type\": \"Action.Submit\",\n \"title\": \"Ignore\"\n }\n ],\n \"$schema\": \"http://adaptivecards.io/schemas/adaptive-card.json\",\n \"version\": \"1.2\"\n}",
+ "recipient": {
+ "channelId": "[[parameters('Teams ChannelId')]"
+ },
+ "shouldUpdateCard": true
+ },
+ "notificationUrl": "@{listCallbackUrl()}"
+ },
+ "host": {
+ "connection": {
+ "name": "@parameters('$connections')['teams']['connectionId']"
+ }
+ },
+ "path": "/flowbot/actions/flowcontinuation/recipienttypes/channel/$subscriptions",
+ "queries": {
+ "groupId": "[[parameters('Teams GroupId')]"
+ }
+ }
+ },
+ "Select_alert_product_names": {
+ "runAfter": {
+ "Initialize_variable_URL_address_action": [
+ "Succeeded"
+ ]
+ },
+ "type": "Select",
+ "inputs": {
+ "from": "@triggerBody()?['object']?['properties']?['additionalData']?['alertProductNames']",
+ "select": {
+ "text": "@item()"
+ }
+ },
+ "description": "data operator to select the alert product name"
+ },
+ "Set_variable_actions_on_URL_to_be_displayed_on_adaptive_card": {
+ "runAfter": {
+ "For_each_malicious_URL": [
+ "Succeeded"
+ ]
+ },
+ "type": "Select",
+ "inputs": {
+ "from": "@variables('URLAddressAction')",
+ "select": {
+ "text": "@item()",
+ "type": "TextBlock"
+ }
+ },
+ "description": "This is used to compose the list of actions taken by SOC on respective URL addresses"
+ }
+ }
+ },
+ "parameters": {
+ "$connections": {
+ "value": {
+ "PaloAltoConnector": {
+ "connectionId": "[[resourceId('Microsoft.Web/connections', variables('PaloAltoConnectorConnectionName'))]",
+ "connectionName": "[[variables('PaloAltoConnectorConnectionName')]",
+ "id": "[[concat('/subscriptions/', subscription().subscriptionId, '/resourceGroups/', resourceGroup().name, '/providers/Microsoft.Web/customApis/', parameters('CustomConnectorName'))]"
+ },
+ "azuresentinel": {
+ "connectionId": "[[resourceId('Microsoft.Web/connections', variables('AzureSentinelConnectionName'))]",
+ "connectionName": "[[variables('AzureSentinelConnectionName')]",
+ "id": "[[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', variables('workspace-location-inline'), '/managedApis/azuresentinel')]"
+ },
+ "teams": {
+ "connectionId": "[[resourceId('Microsoft.Web/connections', variables('TeamsConnectionName'))]",
+ "connectionName": "[[variables('TeamsConnectionName')]",
+ "id": "[[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', variables('workspace-location-inline'), '/managedApis/teams')]"
+ }
+ }
+ }
+ }
+ },
+ "tags": {
+ "hidden-SentinelWorkspaceId": "[[variables('workspaceResourceId')]"
+ }
+ },
+ {
+ "type": "Microsoft.OperationalInsights/workspaces/providers/metadata",
+ "apiVersion": "2022-01-01-preview",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('Playbook-', last(split(variables('playbookId6'),'/'))))]",
+ "properties": {
+ "parentId": "[variables('playbookId6')]",
+ "contentId": "[variables('_playbookContentId6')]",
+ "kind": "Playbook",
+ "version": "[variables('playbookVersion6')]",
+ "source": {
+ "kind": "Solution",
+ "name": "PaloAlto-PAN-OS",
+ "sourceId": "[variables('_solutionId')]"
+ },
+ "author": {
+ "name": "Microsoft",
+ "email": "[variables('_email')]"
+ },
+ "support": {
+ "name": "Microsoft Corporation",
+ "email": "support@microsoft.com",
+ "tier": "Microsoft",
+ "link": "https://support.microsoft.com"
+ },
+ "dependencies": {
+ "criteria": [
+ {
+ "kind": "LogicAppsCustomConnector",
+ "contentId": "[variables('_PaloAltoCustomConnector')]",
+ "version": "[variables('playbookVersion1')]"
+ }
+ ]
+ }
+ }
+ }
+ ],
+ "metadata": {
+ "comments": "This playbook uses the PaloAlto connector to take necessary actions on URL address like Block URL/Unblock URL from predefined address group and also gives an option to close the incident.",
+ "title": "PaloAlto-PAN-OS-BlockURL",
+ "description": "This playbook allows blocking/unblocking URLs in PaloAlto, using **predefined address group**. This allows to make changes on predefined address group, which is attached to security policy rule.",
+ "prerequisites": [
+ "1. PaloAlto connector needs to be deployed prior to the deployment of this playbook under the same subscription. Relevant instructions can be found in the connector doc page. \n\n 2. Generate an API key.[Refer this link on how to generate the API Key](https://paloaltolactest.trafficmanager.net/restapi-doc/#tag/key-generation) \n\n 3. Address group should be created for PAN-OS and this should be used while creating playbooks."
+ ],
+ "mainSteps": [
+ "When a new Sentinel incident is created, this playbook gets triggered and performs below actions: \n\n 1. An adaptive card is sent to the SOC channel providing Incident information, URL address, list of existing security policy rules in which URL is a member of and provides an option to Block/Unblock URL Address by adding/removing it to/from the predefined address group. \n\n 2. The SOC can act on risky URL based on the information provided in the adaptive card, or ignore. \n\n ![PaloAlto-PAN-OS-BlockURL](https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/PaloAlto-PAN-OS/Playbooks/PaloAlto-PAN-OS-BlockURL/designerscreenshot.PNG?raw=true) \n\n **This is the adaptive card SOC will receive when playbook is triggered for each risky URL for taking actions like block/unblock/ignore ::** \n\n ![Adaptive Card example](https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/PaloAlto-PAN-OS/Playbooks/PaloAlto-PAN-OS-BlockURL/AdaptiveCardtoBlockorUnblock.PNG?raw=true) \n\n **This is the consolidate adaptive card about the summary of actions taken on URL and the incident configuration ::** \n\n ![Consolidated Adaptive Card example](https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/PaloAlto-PAN-OS/Playbooks/PaloAlto-PAN-OS-BlockURL/SummarizedAdaptiveCard.PNG?raw=true)"
+ ],
+ "lastUpdateTime": "2022-07-22T00:00:00Z",
+ "entities": [
+ "Url"
+ ],
+ "tags": [
+ "Remediation",
+ "Response from teams"
+ ],
+ "postDeployment": [
+ "**a. Authorize connections** \n\n Once deployment is complete, you will need to authorize each connection. \n\n 1. Click the Microsoft Sentinel connection resource \n\n 2. Click edit API connection \n\n 3. Click Authorize \n\n 4. Sign in \n\n 5. Click Save \n\n 6. Repeat steps for other connection such as Teams connection and PAN-OS API connection (For authorizing the PAN-OS API connection, API Key needs to be provided) \n\n **b. Configurations in Sentinel** \n\n 1. In Microsoft sentinel analytical rules should be configured to trigger an incident with risky URL \n\n 2. Configure the automation rules to trigger this playbook"
+ ],
+ "releaseNotes": [
+ {
+ "version": "1.0.0",
+ "title": "PaloAlto-PAN-OS-BlockURL",
+ "notes": [
+ "Initial version"
+ ]
+ }
+ ]
+ }
+ }
+ }
+ },
{
"type": "Microsoft.OperationalInsights/workspaces/providers/metadata",
"apiVersion": "2022-01-01-preview",
@@ -3568,6 +7056,46 @@
"dependencies": {
"operator": "AND",
"criteria": [
+ {
+ "kind": "DataConnector",
+ "contentId": "[variables('_dataConnectorContentId1')]",
+ "version": "[variables('dataConnectorVersion1')]"
+ },
+ {
+ "kind": "HuntingQuery",
+ "contentId": "[variables('_huntingQuerycontentId1')]",
+ "version": "[variables('huntingQueryVersion1')]"
+ },
+ {
+ "kind": "Workbook",
+ "contentId": "[variables('_workbookContentId1')]",
+ "version": "[variables('workbookVersion1')]"
+ },
+ {
+ "kind": "Workbook",
+ "contentId": "[variables('_workbookContentId2')]",
+ "version": "[variables('workbookVersion2')]"
+ },
+ {
+ "kind": "AnalyticsRule",
+ "contentId": "[variables('analyticRulecontentId1')]",
+ "version": "[variables('analyticRuleVersion1')]"
+ },
+ {
+ "kind": "AnalyticsRule",
+ "contentId": "[variables('analyticRulecontentId2')]",
+ "version": "[variables('analyticRuleVersion2')]"
+ },
+ {
+ "kind": "AnalyticsRule",
+ "contentId": "[variables('analyticRulecontentId3')]",
+ "version": "[variables('analyticRuleVersion3')]"
+ },
+ {
+ "kind": "AnalyticsRule",
+ "contentId": "[variables('analyticRulecontentId4')]",
+ "version": "[variables('analyticRuleVersion4')]"
+ },
{
"kind": "LogicAppsCustomConnector",
"contentId": "[variables('_PaloAltoCustomConnector')]",
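Review bot: The four AnalyticsRule entries added here reference `variables('analyticRulecontentId1')` through `analyticRulecontentId4` without a leading underscore, while the DataConnector, HuntingQuery and Workbook entries in the same criteria list use the underscore form (`_dataConnectorContentId1`, `_huntingQuerycontentId1`, `_workbookContentId1`). If this template is emitted by the solution packaging tool and both variable forms are declared, this is only a consistency point; if only one form exists, the un-prefixed names fail at deployment with an undefined-variable error. Using whichever form the variables section declares consistently across the criteria list makes the dependency block easier to audit; the variables section is outside this hunk.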
@@ -3575,8 +7103,28 @@
},
{
"kind": "Playbook",
- "contentId": "[variables('_PaloAlto-PAN-OS-BlockIP')]",
+ "contentId": "[variables('_PaloAlto-PAN-OS-GetSystemInfo')]",
"version": "[variables('playbookVersion2')]"
+ },
+ {
+ "kind": "Playbook",
+ "contentId": "[variables('_PaloAlto-PAN-OS-GetThreatPCAP')]",
+ "version": "[variables('playbookVersion3')]"
+ },
+ {
+ "kind": "Playbook",
+ "contentId": "[variables('_PaloAlto-PAN-OS-GetURLCategoryInfo')]",
+ "version": "[variables('playbookVersion4')]"
+ },
+ {
+ "kind": "Playbook",
+ "contentId": "[variables('_PaloAlto-PAN-OS-BlockIP')]",
+ "version": "[variables('playbookVersion5')]"
+ },
+ {
+ "kind": "Playbook",
+ "contentId": "[variables('_PaloAlto-PAN-OS-BlockURL')]",
+ "version": "[variables('playbookVersion6')]"
}
]
},
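Review bot: The BlockIP dependency is re-bound from `playbookVersion2` to `playbookVersion5`, and `playbookVersion2` now pins GetSystemInfo. The BlockURL metadata resource earlier in this file pairs `playbookId6` with `playbookVersion6` and `_playbookContentId6`, which suggests the numeric suffix is a per-playbook index; if so, each criteria entry must use the version variable whose index matches the playbook its contentId names, otherwise the dependency silently pins another playbook's version. Worth confirming that `_PaloAlto-PAN-OS-BlockIP` and `playbookVersion5` (and the other four pairs added here) refer to the same playbook in the variables section, which is outside this hunk.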
diff --git a/Solutions/PaloAlto-PAN-OS/Playbooks/PaloAlto-PAN-OS-BlockIP/azuredeploy.json b/Solutions/PaloAlto-PAN-OS/Playbooks/PaloAlto-PAN-OS-BlockIP/azuredeploy.json
index e0ca31da49..d2784a46aa 100644
--- a/Solutions/PaloAlto-PAN-OS/Playbooks/PaloAlto-PAN-OS-BlockIP/azuredeploy.json
+++ b/Solutions/PaloAlto-PAN-OS/Playbooks/PaloAlto-PAN-OS-BlockIP/azuredeploy.json
@@ -5,7 +5,7 @@
"comments": "This playbook uses the PaloAlto connector to take necessary actions on IP address like Block IP/Unblock IP from predefined address group and also gives an option to close the incident.",
"title": "PaloAlto-PAN-OS-BlockIP",
"description": "This playbook allows blocking/unblocking IPs in PaloAlto, using **Address Object Groups**. This allows to make changes on predefined address group, which is attached to predefined security policy rule.",
- "mainSteps": ["When a new Sentinel incident is created, this playbook gets triggered and performs below actions: \n\n 1. An adaptive card is sent to the SOC channel providing Incident information, IP address, list of existing security policy rules in which IP is a member of and provides an option to Block/Unblock IP Address to predefined address group or Ignore. \n\n 2. The SOC can take action on risky IP based on the information provided in the adaptive card. \n\n ![PaloAlto-PAN-OS-BlockIP](./designerscreenshot.PNG) \n\n **This is the adaptive card SOC will receive when playbook is triggered for each risky IP for taking actions like block/unblock/ignore:** \n\n ![Adaptive Card example](./AdaptiveCardtoBlockorUnblock.PNG) \n\n **This is the consolidate adaptive card about the summary of actions taken on IP and the incident configuration:** \n\n ![Consolidated Adaptive Card example](./SummarizedAdaptiveCard.PNG)"],
+ "mainSteps": ["When a new Sentinel incident is created, this playbook gets triggered and performs below actions: \n\n 1. An adaptive card is sent to the SOC channel providing Incident information, IP address, list of existing security policy rules in which IP is a member of and provides an option to Block/Unblock IP Address to predefined address group or Ignore. \n\n 2. The SOC can take action on risky IP based on the information provided in the adaptive card. \n\n ![PaloAlto-PAN-OS-BlockIP](https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/PaloAlto-PAN-OS/Playbooks/PaloAlto-PAN-OS-BlockIP/designerscreenshot.PNG?raw=true) \n\n **This is the adaptive card SOC will receive when playbook is triggered for each risky IP for taking actions like block/unblock/ignore:** \n\n ![Adaptive Card example](https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/PaloAlto-PAN-OS/Playbooks/PaloAlto-PAN-OS-BlockIP/AdaptiveCardtoBlockorUnblock.PNG?raw=true) \n\n **This is the consolidate adaptive card about the summary of actions taken on IP and the incident configuration:** \n\n ![Consolidated Adaptive Card example](https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/PaloAlto-PAN-OS/Playbooks/PaloAlto-PAN-OS-BlockIP/SummarizedAdaptiveCard.PNG?raw=true)"],
"prerequisites": ["1. PaloAlto connector needs to be deployed prior to the deployment of this playbook under the same subscription. Relevant instructions can be found in the connector doc page. \n\n 2. Generate an API key. [Refer this link on how to generate the API Key](https://docs.paloaltonetworks.com/pan-os/10-1/pan-os-panorama-api/get-started-with-the-pan-os-xml-api/get-your-api-key) \n\n 3. Address group should be created for PAN-OS and this should be used while creating playbooks."],
"lastUpdateTime": "2022-07-22T00:00:00.000Z",
"entities": ["Ip"],
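Review bot: `lastUpdateTime` on the line after the edited `mainSteps` stays at `2022-07-22T00:00:00.000Z` although the metadata text changed; if consumers use this field to detect content updates, it should be bumped in the same change. The same applies to the BlockURL and GetURLCategoryInfo hunks below, which also edit `mainSteps` and leave `lastUpdateTime` untouched. Replacing the relative `./…PNG` paths with absolute `?raw=true` GitHub URLs is reasonable because this metadata is rendered outside the repository, but it pins the text to the `master` branch path, so moving or renaming the screenshots later breaks the images without any deployment error.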
@@ -790,7 +790,7 @@
"value": [
{
"size": "Large",
- "text": "Suspicious IP - Azure Sentinel",
+ "text": "Suspicious IP - Microsoft Sentinel",
"type": "TextBlock",
"weight": "Bolder",
"wrap": true
diff --git a/Solutions/PaloAlto-PAN-OS/Playbooks/PaloAlto-PAN-OS-BlockURL/azuredeploy.json b/Solutions/PaloAlto-PAN-OS/Playbooks/PaloAlto-PAN-OS-BlockURL/azuredeploy.json
index 8371007f0a..3cb72ee516 100644
--- a/Solutions/PaloAlto-PAN-OS/Playbooks/PaloAlto-PAN-OS-BlockURL/azuredeploy.json
+++ b/Solutions/PaloAlto-PAN-OS/Playbooks/PaloAlto-PAN-OS-BlockURL/azuredeploy.json
@@ -6,7 +6,7 @@
"title": "PaloAlto-PAN-OS-BlockURL",
"description": "This playbook allows blocking/unblocking URLs in PaloAlto, using **predefined address group**. This allows to make changes on predefined address group, which is attached to security policy rule.",
"prerequisites": ["1. PaloAlto connector needs to be deployed prior to the deployment of this playbook under the same subscription. Relevant instructions can be found in the connector doc page. \n\n 2. Generate an API key.[Refer this link on how to generate the API Key](https://paloaltolactest.trafficmanager.net/restapi-doc/#tag/key-generation) \n\n 3. Address group should be created for PAN-OS and this should be used while creating playbooks."],
- "mainSteps": ["When a new Sentinel incident is created, this playbook gets triggered and performs below actions: \n\n 1. An adaptive card is sent to the SOC channel providing Incident information, URL address, list of existing security policy rules in which URL is a member of and provides an option to Block/Unblock URL Address by adding/removing it to/from the predefined address group. \n\n 2. The SOC can act on risky URL based on the information provided in the adaptive card, or ignore. \n\n ![PaloAlto-PAN-OS-BlockURL](./designerScreenshot.PNG) \n\n **This is the adaptive card SOC will receive when playbook is triggered for each risky URL for taking actions like block/unblock/ignore ::** \n\n ![Adaptive Card example](./AdaptiveCardtoBlockorUnblock.PNG) \n\n **This is the consolidate adaptive card about the summary of actions taken on URL and the incident configuration ::** \n\n ![Consolidated Adaptive Card example](./SummarizedAdaptiveCard.PNG)"],
+ "mainSteps": ["When a new Sentinel incident is created, this playbook gets triggered and performs below actions: \n\n 1. An adaptive card is sent to the SOC channel providing Incident information, URL address, list of existing security policy rules in which URL is a member of and provides an option to Block/Unblock URL Address by adding/removing it to/from the predefined address group. \n\n 2. The SOC can act on risky URL based on the information provided in the adaptive card, or ignore. \n\n ![PaloAlto-PAN-OS-BlockURL](https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/PaloAlto-PAN-OS/Playbooks/PaloAlto-PAN-OS-BlockURL/designerscreenshot.PNG?raw=true) \n\n **This is the adaptive card SOC will receive when playbook is triggered for each risky URL for taking actions like block/unblock/ignore ::** \n\n ![Adaptive Card example](https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/PaloAlto-PAN-OS/Playbooks/PaloAlto-PAN-OS-BlockURL/AdaptiveCardtoBlockorUnblock.PNG?raw=true) \n\n **This is the consolidate adaptive card about the summary of actions taken on URL and the incident configuration ::** \n\n ![Consolidated Adaptive Card example](https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/PaloAlto-PAN-OS/Playbooks/PaloAlto-PAN-OS-BlockURL/SummarizedAdaptiveCard.PNG?raw=true)"],
"lastUpdateTime": "2022-07-22T00:00:00.000Z",
"entities": ["Url"],
"tags": ["Remediation", "Response from teams"],
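Review bot: The new designer-screenshot URL ends in `designerscreenshot.PNG`, while the relative path it replaces was `./designerScreenshot.PNG`; GitHub paths are case-sensitive, so confirm the committed filename before merging or the image will not resolve. Separately, the `prerequisites` entry two lines above still sends operators to `https://paloaltolactest.trafficmanager.net/restapi-doc/#tag/key-generation` for API-key generation, which looks like a lab/test host; the BlockIP metadata in this same commit links the official `https://docs.paloaltonetworks.com/pan-os/10-1/pan-os-panorama-api/get-started-with-the-pan-os-xml-api/get-your-api-key` page, and the GetURLCategoryInfo prerequisites carry the same test-host link. Since this is the step where an operator obtains a firewall API key, the instructions should point only at the vendor's official documentation.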
diff --git a/Solutions/PaloAlto-PAN-OS/Playbooks/PaloAlto-PAN-OS-GetSystemInfo/azuredeploy.json b/Solutions/PaloAlto-PAN-OS/Playbooks/PaloAlto-PAN-OS-GetSystemInfo/azuredeploy.json
index 5915ea06d1..c46e398364 100644
--- a/Solutions/PaloAlto-PAN-OS/Playbooks/PaloAlto-PAN-OS-GetSystemInfo/azuredeploy.json
+++ b/Solutions/PaloAlto-PAN-OS/Playbooks/PaloAlto-PAN-OS-GetSystemInfo/azuredeploy.json
@@ -15,7 +15,7 @@
"author": {
"name": "Smitha Sundareswaran"
},
- "postDeployment": "** a. Authorize connections ** Once deployment is complete, you will need to authorize each connection. \n\n 1. Click the Microsoft Sentinel connection resource \n\n 2. Click edit API connection \n\n 3. Click Authorize \n\n 4. Sign in \n\n 5. Click Save \n\n 6. Repeat steps for other connections such as Blob Store connection and PAN-OS API connection (For authorizing the PAN-OS API connection, API Key needs to be provided) \n\n ** b. Configurations in Sentinel ** 1. In Microsoft sentinel analytical rules should be configured to trigger an incident with risky IP \n\n 2. Configure the automation rules to trigger this playbook",
+ "postDeployment": ["** a. Authorize connections ** Once deployment is complete, you will need to authorize each connection. \n\n 1. Click the Microsoft Sentinel connection resource \n\n 2. Click edit API connection \n\n 3. Click Authorize \n\n 4. Sign in \n\n 5. Click Save \n\n 6. Repeat steps for other connections such as Blob Store connection and PAN-OS API connection (For authorizing the PAN-OS API connection, API Key needs to be provided) \n\n ** b. Configurations in Sentinel ** 1. In Microsoft sentinel analytical rules should be configured to trigger an incident with risky IP \n\n 2. Configure the automation rules to trigger this playbook"],
"releaseNotes": [
{
"version": "1.0.0",
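Review bot: Wrapping `postDeployment` in an array brings it in line with the other playbooks' metadata, but the text itself still uses `** a. Authorize connections **` and `** b. Configurations in Sentinel ** 1.`; with spaces inside the `**` delimiters most Markdown renderers will not bold the headings, and the `b.` heading runs straight into step 1 without a `\n\n` break. The BlockURL metadata in this commit uses `**a. Authorize connections** \n\n` and `**b. Configurations in Sentinel** \n\n 1.`, which renders as intended; the identical strings in the GetThreatPCAP and GetURLCategoryInfo hunks below need the same adjustment. That the field is rendered as Markdown is inferred from the `**` and `\n\n` markup, not visible here.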
diff --git a/Solutions/PaloAlto-PAN-OS/Playbooks/PaloAlto-PAN-OS-GetThreatPCAP/azuredeploy.json b/Solutions/PaloAlto-PAN-OS/Playbooks/PaloAlto-PAN-OS-GetThreatPCAP/azuredeploy.json
index 63fd91a82c..7bb27ae7a3 100644
--- a/Solutions/PaloAlto-PAN-OS/Playbooks/PaloAlto-PAN-OS-GetThreatPCAP/azuredeploy.json
+++ b/Solutions/PaloAlto-PAN-OS/Playbooks/PaloAlto-PAN-OS-GetThreatPCAP/azuredeploy.json
@@ -15,7 +15,7 @@
"author": {
"name": "Smitha Sundareswaran"
},
- "postDeployment": "** a. Authorize connections ** Once deployment is complete, you will need to authorize each connection. \n\n 1. Click the Microsoft Sentinel connection resource \n\n 2. Click edit API connection \n\n 3. Click Authorize \n\n 4. Sign in \n\n 5. Click Save \n\n 6. Repeat steps for other connections such as Blob Store connection and PAN-OS API connection (For authorizing the PAN-OS API connection, API Key needs to be provided) \n\n ** b. Configurations in Sentinel ** 1. In Microsoft sentinel analytical rules should be configured to trigger an incident with risky IP \n\n 2. Configure the automation rules to trigger this playbook",
+ "postDeployment": ["** a. Authorize connections ** Once deployment is complete, you will need to authorize each connection. \n\n 1. Click the Microsoft Sentinel connection resource \n\n 2. Click edit API connection \n\n 3. Click Authorize \n\n 4. Sign in \n\n 5. Click Save \n\n 6. Repeat steps for other connections such as Blob Store connection and PAN-OS API connection (For authorizing the PAN-OS API connection, API Key needs to be provided) \n\n ** b. Configurations in Sentinel ** 1. In Microsoft sentinel analytical rules should be configured to trigger an incident with risky IP \n\n 2. Configure the automation rules to trigger this playbook"],
"releaseNotes": [
{
"version": "1.0.0",
diff --git a/Solutions/PaloAlto-PAN-OS/Playbooks/PaloAlto-PAN-OS-GetURLCategoryInfo/azuredeploy.json b/Solutions/PaloAlto-PAN-OS/Playbooks/PaloAlto-PAN-OS-GetURLCategoryInfo/azuredeploy.json
index 54ab4ecf48..6d08e019ec 100644
--- a/Solutions/PaloAlto-PAN-OS/Playbooks/PaloAlto-PAN-OS-GetURLCategoryInfo/azuredeploy.json
+++ b/Solutions/PaloAlto-PAN-OS/Playbooks/PaloAlto-PAN-OS-GetURLCategoryInfo/azuredeploy.json
@@ -5,7 +5,7 @@
"comments": "This playbook uses the PaloAlto connector to automatically enrich incidents generated by Sentinel for address object details and URL filtering category information from PAN-OS",
"title": "PaloAlto-PAN-OS-GetURLCategoryInfo",
"description": " When a new sentinal incident is created, this playbook gets triggered and performs below actions:",
- "mainSteps": ["1. Fetches the address group details and URL filtering category information from PAN-OS \n\n 2. Updates all the collected information in incident \n\n ![PaloAlto-PAN-OS-GetURLCategoryInfo](./designerscreenshot.PNG)"],
+ "mainSteps": ["1. Fetches the address group details and URL filtering category information from PAN-OS \n\n 2. Updates all the collected information in incident \n\n ![PaloAlto-PAN-OS-GetURLCategoryInfo](https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/PaloAlto-PAN-OS/Playbooks/PaloAlto-PAN-OS-GetURLCategoryInfo/designerscreenshot.PNG?raw=true)"],
"prerequisites": ["1. PAN-OS Custom Connector needs to be deployed prior to the deployment of this playbook under the same subscription. \n\n 2. Generate an API key. [Refer this link on how to generate the API Key](https://paloaltolactest.trafficmanager.net/restapi-doc/#tag/key-generation)"],
"lastUpdateTime": "2022-07-25T00:00:00.000Z",
"entities": [],
@@ -16,7 +16,7 @@
"author": {
"name": "Sindhu Talluri, PAN-OS"
},
- "postDeployment": "** a. Authorize connections ** Once deployment is complete, you will need to authorize each connection. \n\n 1. Click the Microsoft Sentinel connection resource \n\n 2. Click edit API connection \n\n 3. Click Authorize \n\n 4. Sign in \n\n 5. Click Save \n\n 6. Repeat steps for PAN-OS API Connection (For authorizing the PAN-OS API connection, API Key needs to be provided) \n\n ** b. Configurations in Sentinel ** 1. In Microsoft sentinel analytical rules should be configured to trigger an incident with risky user account \n\n 2. Configure the automation rules to trigger this playbook",
+ "postDeployment": ["** a. Authorize connections ** Once deployment is complete, you will need to authorize each connection. \n\n 1. Click the Microsoft Sentinel connection resource \n\n 2. Click edit API connection \n\n 3. Click Authorize \n\n 4. Sign in \n\n 5. Click Save \n\n 6. Repeat steps for PAN-OS API Connection (For authorizing the PAN-OS API connection, API Key needs to be provided) \n\n ** b. Configurations in Sentinel ** 1. In Microsoft sentinel analytical rules should be configured to trigger an incident with risky user account \n\n 2. Configure the automation rules to trigger this playbook"],
"releaseNotes": [
{
"version": "1.0.0",
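Review bot: The `postDeployment` text on the new line still tells the operator that analytics rules "should be configured to trigger an incident with risky user account", which does not match this playbook's own `comments` a few lines above (enriching incidents with address object details and URL filtering category information); it looks copy-pasted from another playbook's metadata, since the sibling block earlier in this diff says "risky IP" for a different playbook. The array wrapping is fine; only the wording needs to follow: something like `1. In Microsoft Sentinel, analytics rules should be configured to trigger incidents that contain the entities this playbook enriches (address/URL) \n\n 2. Configure the automation rules to trigger this playbook`. Also "sentinel analytical rules" should read "Sentinel analytics rules" to match the product terminology used elsewhere in the solution.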
diff --git a/Solutions/PaloAlto-PAN-OS/Workbooks/PaloAltoNetworkThreat.json b/Solutions/PaloAlto-PAN-OS/Workbooks/PaloAltoNetworkThreat.json
new file mode 100644
index 0000000000..87cd06dd9d
--- /dev/null
+++ b/Solutions/PaloAlto-PAN-OS/Workbooks/PaloAltoNetworkThreat.json
@@ -0,0 +1,621 @@
+{
+ "version": "Notebook/1.0",
+ "items": [
+ {
+ "type": 1,
+ "content": {
+ "json": "## Palo Alto network threat\n"
+ },
+ "name": "text - 2"
+ },
+ {
+ "type": 9,
+ "content": {
+ "version": "KqlParameterItem/1.0",
+ "query": "",
+ "crossComponentResources": [],
+ "parameters": [
+ {
+ "id": "d0ccb5c6-8a07-4b7e-9abf-38fa4dcc0baf",
+ "version": "KqlParameterItem/1.0",
+ "name": "TimeRange",
+ "type": 4,
+ "isRequired": true,
+ "value": {
+ "durationMs": 43200000
+ },
+ "typeSettings": {
+ "selectableValues": [
+ {
+ "durationMs": 300000
+ },
+ {
+ "durationMs": 900000
+ },
+ {
+ "durationMs": 1800000
+ },
+ {
+ "durationMs": 3600000
+ },
+ {
+ "durationMs": 14400000
+ },
+ {
+ "durationMs": 43200000
+ },
+ {
+ "durationMs": 86400000
+ },
+ {
+ "durationMs": 172800000
+ },
+ {
+ "durationMs": 259200000
+ },
+ {
+ "durationMs": 604800000
+ },
+ {
+ "durationMs": 1209600000
+ },
+ {
+ "durationMs": 2419200000
+ },
+ {
+ "durationMs": 2592000000
+ },
+ {
+ "durationMs": 5184000000
+ },
+ {
+ "durationMs": 7776000000
+ }
+ ],
+ "allowCustom": true
+ }
+ }
+ ],
+ "style": "pills",
+ "queryType": 0,
+ "resourceType": "microsoft.operationalinsights/workspaces"
+ },
+ "name": "parameters - 1"
+ },
+ {
+ "type": 3,
+ "content": {
+ "version": "KqlItem/1.0",
+ "query": "let data = CommonSecurityLog\r\n| where DeviceProduct has 'PAN-OS'\r\n| where DeviceVendor =~ 'Palo Alto Networks'\r\n| where Activity =~ 'THREAT' and DeviceEventClassID != 'url' and DeviceEventClassID != 'file';\r\ndata\r\n| summarize Count = count() by DeviceEventClassID\r\n| join kind = inner (data\r\n | make-series Trend = count() default = 0 on TimeGenerated from {TimeRange:start} to {TimeRange:end} step {TimeRange:grain} by DeviceEventClassID)\r\n on DeviceEventClassID\r\n| project-away DeviceEventClassID1, TimeGenerated\r\n| extend DeviceEventClassIDs = DeviceEventClassID\r\n| union (\r\n data \r\n | summarize Count = count() \r\n | extend jkey = 1\r\n | join kind=inner (data\r\n | make-series Trend = count() default = 0 on TimeGenerated from {TimeRange:start} to {TimeRange:end} step {TimeRange:grain}\r\n | extend jkey = 1) on jkey\r\n | extend DeviceEventClassID = 'All', DeviceEventClassIDs = '*' \r\n)\r\n| project DeviceEventClassID, Count, Trend\r\n| order by Count desc\r\n| take 10",
+ "size": 3,
+ "exportFieldName": "DeviceEventClassID",
+ "exportParameterName": "SelectedSubtype",
+ "exportDefaultValue": "All",
+ "exportToExcelOptions": "visible",
+ "title": "Threats, by subtypes",
+ "timeContext": {
+ "durationMs": 0
+ },
+ "timeContextFromParameter": "TimeRange",
+ "queryType": 0,
+ "resourceType": "microsoft.operationalinsights/workspaces",
+ "visualization": "tiles",
+ "tileSettings": {
+ "titleContent": {
+ "columnMatch": "DeviceEventClassID",
+ "formatter": 1,
+ "formatOptions": {
+ "showIcon": true
+ }
+ },
+ "leftContent": {
+ "columnMatch": "Count",
+ "formatter": 12,
+ "formatOptions": {
+ "palette": "auto",
+ "showIcon": true
+ },
+ "numberFormat": {
+ "unit": 17,
+ "options": {
+ "maximumSignificantDigits": 3,
+ "maximumFractionDigits": 2
+ }
+ }
+ },
+ "secondaryContent": {
+ "columnMatch": "Trend",
+ "formatter": 9,
+ "formatOptions": {
+ "palette": "blueDark",
+ "showIcon": true
+ }
+ },
+ "showBorder": false
+ }
+ },
+ "customWidth": "33",
+ "name": "Threats by subtypes"
+ },
+ {
+ "type": 3,
+ "content": {
+ "version": "KqlItem/1.0",
+ "query": "let data = CommonSecurityLog\r\n| where DeviceProduct has 'PAN-OS'\r\n| where DeviceVendor =~ 'Palo Alto Networks'\r\n| where Activity =~ 'THREAT'\r\n| where DeviceEventClassID =~'wildfire';\r\ndata\r\n| summarize Count = count() by DeviceCustomString2\r\n| join kind = inner (data\r\n | make-series Trend = count() default = 0 on TimeGenerated from {TimeRange:start} to {TimeRange:end} step {TimeRange:grain} by DeviceCustomString2)\r\n on DeviceCustomString2\r\n| project-away DeviceCustomString21, TimeGenerated\r\n| extend DeviceCustomString2s = DeviceCustomString2\r\n| union (\r\n data \r\n | summarize Count = count() \r\n | extend jkey = 1\r\n | join kind=inner (data\r\n | make-series Trend = count() default = 0 on TimeGenerated from {TimeRange:start} to {TimeRange:end} step {TimeRange:grain}\r\n | extend jkey = 1) on jkey\r\n | extend DeviceCustomString2 = 'All', DeviceCustomString2s = '*' \r\n)\r\n| project DeviceCustomString2, Count, Trend\r\n| order by Count desc\r\n| take 10",
+ "size": 3,
+ "exportFieldName": "DeviceCustomString2",
+ "exportParameterName": "SelectedWildfire",
+ "exportDefaultValue": "All",
+ "exportToExcelOptions": "visible",
+ "title": "WildFire verdicts",
+ "timeContext": {
+ "durationMs": 0
+ },
+ "timeContextFromParameter": "TimeRange",
+ "queryType": 0,
+ "resourceType": "microsoft.operationalinsights/workspaces",
+ "visualization": "tiles",
+ "tileSettings": {
+ "titleContent": {
+ "columnMatch": "DeviceCustomString2",
+ "formatter": 1,
+ "formatOptions": {
+ "showIcon": true
+ }
+ },
+ "leftContent": {
+ "columnMatch": "Count",
+ "formatter": 12,
+ "formatOptions": {
+ "palette": "auto",
+ "showIcon": true
+ },
+ "numberFormat": {
+ "unit": 17,
+ "options": {
+ "style": "decimal",
+ "maximumFractionDigits": 2,
+ "maximumSignificantDigits": 3
+ }
+ }
+ },
+ "secondaryContent": {
+ "columnMatch": "Trend",
+ "formatter": 9,
+ "formatOptions": {
+ "palette": "blueDark",
+ "showIcon": true
+ }
+ },
+ "showBorder": false
+ }
+ },
+ "customWidth": "33",
+ "name": "WildFire verdicts"
+ },
+ {
+ "type": 3,
+ "content": {
+ "version": "KqlItem/1.0",
+ "query": "let data = CommonSecurityLog\r\n| where DeviceProduct has 'PAN-OS'\r\n| where DeviceVendor =~ 'Palo Alto Networks'\r\n| where Activity =~ 'THREAT' and LogSeverity != 'url' and LogSeverity != 'file';\r\ndata\r\n| summarize Count = count() by LogSeverity\r\n| join kind = inner (data\r\n | make-series Trend = count() default = 0 on TimeGenerated from {TimeRange:start} to {TimeRange:end} step {TimeRange:grain} by LogSeverity)\r\n on LogSeverity\r\n| project-away LogSeverity1, TimeGenerated\r\n| extend LogSeveritys = LogSeverity\r\n| union (\r\n data \r\n | summarize Count = count() \r\n | extend jkey = 1\r\n | join kind=inner (data\r\n | make-series Trend = count() default = 0 on TimeGenerated from {TimeRange:start} to {TimeRange:end} step {TimeRange:grain}\r\n | extend jkey = 1) on jkey\r\n | extend LogSeverity = 'All', LogSeveritys = '*' \r\n)\r\n| project LogSeverity, Count, Trend\r\n| order by Count desc\r\n| take 10",
+ "size": 3,
+ "exportFieldName": "LogSeverity",
+ "exportParameterName": "SelectedSeverity",
+ "exportDefaultValue": "All",
+ "exportToExcelOptions": "visible",
+ "title": "Threats severity",
+ "timeContext": {
+ "durationMs": 0
+ },
+ "timeContextFromParameter": "TimeRange",
+ "queryType": 0,
+ "resourceType": "microsoft.operationalinsights/workspaces",
+ "visualization": "tiles",
+ "gridSettings": {
+ "formatters": [
+ {
+ "columnMatch": "LogSeverity",
+ "formatter": 0,
+ "formatOptions": {
+ "showIcon": true
+ }
+ },
+ {
+ "columnMatch": "Count",
+ "formatter": 0,
+ "formatOptions": {
+ "showIcon": true
+ }
+ },
+ {
+ "columnMatch": "Trend",
+ "formatter": 9,
+ "formatOptions": {
+ "palette": "lightBlue",
+ "showIcon": true
+ }
+ }
+ ],
+ "labelSettings": []
+ },
+ "tileSettings": {
+ "titleContent": {
+ "columnMatch": "LogSeverity",
+ "formatter": 1,
+ "formatOptions": {
+ "showIcon": true
+ }
+ },
+ "leftContent": {
+ "columnMatch": "Count",
+ "formatter": 12,
+ "formatOptions": {
+ "palette": "auto",
+ "showIcon": true
+ },
+ "numberFormat": {
+ "unit": 17,
+ "options": {
+ "maximumSignificantDigits": 3,
+ "maximumFractionDigits": 2
+ }
+ }
+ },
+ "secondaryContent": {
+ "columnMatch": "Trend",
+ "formatter": 9,
+ "formatOptions": {
+ "palette": "blueDark",
+ "showIcon": true
+ }
+ },
+ "showBorder": false
+ }
+ },
+ "customWidth": "33",
+ "name": "Threats severity"
+ },
+ {
+ "type": 3,
+ "content": {
+ "version": "KqlItem/1.0",
+ "query": "CommonSecurityLog\r\n| where DeviceProduct has 'PAN-OS'\r\n| where DeviceVendor =~ 'Palo Alto Networks'\r\n| where Activity =~ 'THREAT' and DeviceEventClassID != 'url' and DeviceEventClassID != 'file'\r\n| where '{SelectedSubtype}' == \"All\" or '{SelectedSubtype}'==DeviceEventClassID\r\n| where '{SelectedWildfire}' == \"All\" or '{SelectedWildfire}'==DeviceCustomString2\r\n| where '{SelectedSeverity}' == \"All\" or '{SelectedSeverity}'==LogSeverity\r\n| summarize count() by bin(TimeGenerated, 1h), DeviceEventClassID\r\n| render timechart\r\n",
+ "size": 0,
+ "exportToExcelOptions": "visible",
+ "title": "Threat subtypes over time",
+ "timeContext": {
+ "durationMs": 0
+ },
+ "timeContextFromParameter": "TimeRange",
+ "queryType": 0,
+ "resourceType": "microsoft.operationalinsights/workspaces"
+ },
+ "customWidth": "37.5",
+ "name": "Threat subtypes over time"
+ },
+ {
+ "type": 3,
+ "content": {
+ "version": "KqlItem/1.0",
+ "query": "CommonSecurityLog\r\n| where DeviceProduct has 'PAN-OS'\r\n| where DeviceVendor =~ 'Palo Alto Networks'\r\n| where Activity =~ 'THREAT' and DeviceEventClassID != 'url' and DeviceEventClassID != 'file'\r\n| where '{SelectedSubtype}' == \"All\" or '{SelectedSubtype}'==DeviceEventClassID\r\n| where '{SelectedWildfire}' == \"All\" or '{SelectedWildfire}'==DeviceCustomString2\r\n| where '{SelectedSeverity}' == \"All\" or '{SelectedSeverity}'==LogSeverity\r\n| summarize count() by bin(TimeGenerated, 1h), LogSeverity\r\n| render timechart\r\n",
+ "size": 0,
+ "exportToExcelOptions": "visible",
+ "title": "Threat severity over time",
+ "timeContext": {
+ "durationMs": 0
+ },
+ "timeContextFromParameter": "TimeRange",
+ "queryType": 0,
+ "resourceType": "microsoft.operationalinsights/workspaces"
+ },
+ "customWidth": "37.5",
+ "name": "Threat severity over time"
+ },
+ {
+ "type": 3,
+ "content": {
+ "version": "KqlItem/1.0",
+ "query": "let data = CommonSecurityLog\r\n| where DeviceProduct has 'PAN-OS'\r\n| where DeviceVendor =~ 'Palo Alto Networks'\r\n| where Activity =~ 'THREAT' and DeviceEventClassID != 'url' and DeviceEventClassID != 'file'\r\n| where '{SelectedSubtype}' == \"All\" or '{SelectedSubtype}'==DeviceEventClassID\r\n| where '{SelectedWildfire}' == \"All\" or '{SelectedWildfire}'==DeviceCustomString2\r\n| where '{SelectedSeverity}' == \"All\" or '{SelectedSeverity}'==LogSeverity;\r\ndata\r\n| summarize Count = count() by ApplicationProtocol\r\n| join kind = inner (data\r\n | make-series Trend = count() default = 0 on TimeGenerated from {TimeRange:start} to {TimeRange:end} step {TimeRange:grain} by ApplicationProtocol)\r\n on ApplicationProtocol\r\n| project-away ApplicationProtocol1, TimeGenerated\r\n| extend ApplicationProtocols = ApplicationProtocol\r\n| union (\r\n data \r\n | summarize Count = count() \r\n | extend jkey = 1\r\n | join kind=inner (data\r\n | make-series Trend = count() default = 0 on TimeGenerated from {TimeRange:start} to {TimeRange:end} step {TimeRange:grain}\r\n | extend jkey = 1) on jkey\r\n | extend ApplicationProtocol = 'All', ApplicationProtocols = '*' \r\n)\r\n| project ApplicationProtocol, Count, Trend\r\n| order by Count desc\r\n| take 10",
+ "size": 0,
+ "exportToExcelOptions": "visible",
+ "title": "Threats, by application",
+ "timeContext": {
+ "durationMs": 0
+ },
+ "timeContextFromParameter": "TimeRange",
+ "queryType": 0,
+ "resourceType": "microsoft.operationalinsights/workspaces",
+ "visualization": "table",
+ "gridSettings": {
+ "formatters": [
+ {
+ "columnMatch": "ApplicationProtocol",
+ "formatter": 0,
+ "formatOptions": {
+ "showIcon": true
+ }
+ },
+ {
+ "columnMatch": "Count",
+ "formatter": 4,
+ "formatOptions": {
+ "palette": "coldHot",
+ "showIcon": true
+ }
+ },
+ {
+ "columnMatch": "Trend",
+ "formatter": 9,
+ "formatOptions": {
+ "showIcon": true
+ }
+ }
+ ],
+ "labelSettings": []
+ },
+ "tileSettings": {
+ "titleContent": {
+ "columnMatch": "ApplicationProtocol",
+ "formatter": 1,
+ "formatOptions": {
+ "showIcon": true
+ }
+ },
+ "leftContent": {
+ "columnMatch": "Count",
+ "formatter": 12,
+ "formatOptions": {
+ "palette": "auto",
+ "showIcon": true
+ },
+ "numberFormat": {
+ "unit": 17,
+ "options": {
+ "maximumSignificantDigits": 3,
+ "maximumFractionDigits": 2
+ }
+ }
+ },
+ "secondaryContent": {
+ "columnMatch": "Trend",
+ "formatter": 9,
+ "formatOptions": {
+ "palette": "blueDark",
+ "showIcon": true
+ }
+ },
+ "showBorder": false
+ }
+ },
+ "customWidth": "25",
+ "name": "Threats by application"
+ },
+ {
+ "type": 3,
+ "content": {
+ "version": "KqlItem/1.0",
+ "query": "CommonSecurityLog\r\n| where DeviceProduct has 'PAN-OS'\r\n| where DeviceVendor =~ 'Palo Alto Networks'\r\n| where Activity =~ 'THREAT'\r\n| where '{SelectedSubtype}' == \"All\" or '{SelectedSubtype}'==DeviceEventClassID\r\n| where '{SelectedWildfire}' == \"All\" or '{SelectedWildfire}'==DeviceCustomString2\r\n| where '{SelectedSeverity}' == \"All\" or '{SelectedSeverity}'==LogSeverity\r\n| project TimeGenerated, ReceiptTime, LogSeverity, DeviceAction, ['URL Category'] =DeviceCustomString2, DestinationPort, DestinationIP, Message, SourcePort, SourceIP, DestinationUserID, RequestURL",
+ "size": 0,
+ "exportToExcelOptions": "visible",
+ "title": "Threat events",
+ "timeContext": {
+ "durationMs": 0
+ },
+ "timeContextFromParameter": "TimeRange",
+ "queryType": 0,
+ "resourceType": "microsoft.operationalinsights/workspaces",
+ "gridSettings": {
+ "filter": true,
+ "labelSettings": []
+ }
+ },
+ "name": "All Threat Events"
+ },
+ {
+ "type": 1,
+ "content": {
+ "json": "---"
+ },
+ "name": "text - 11"
+ },
+ {
+ "type": 3,
+ "content": {
+ "version": "KqlItem/1.0",
+ "query": "CommonSecurityLog\r\n| where DeviceProduct has 'PAN-OS'\r\n| where DeviceVendor =~ 'Palo Alto Networks'\r\n| where DeviceEventClassID =~ 'vulnerability' \r\n| extend ThreatId = coalesce(\r\n column_ifexists(\"DeviceEventCategory\", \"\"),\r\n extract('cat=([^;]+)',1,AdditionalExtensions),\r\n \"\"\r\n )\r\n| summarize Amount=count() by ThreatId, LogSeverity\r\n| top 20 by Amount",
+ "size": 0,
+ "exportToExcelOptions": "visible",
+ "title": "Top vulnerability events",
+ "timeContext": {
+ "durationMs": 0
+ },
+ "timeContextFromParameter": "TimeRange",
+ "queryType": 0,
+ "resourceType": "microsoft.operationalinsights/workspaces",
+ "gridSettings": {
+ "formatters": [
+ {
+ "columnMatch": "ThreatId",
+ "formatter": 0,
+ "formatOptions": {
+ "showIcon": true
+ }
+ },
+ {
+ "columnMatch": "LogSeverity",
+ "formatter": 0,
+ "formatOptions": {
+ "showIcon": true
+ }
+ },
+ {
+ "columnMatch": "Amount",
+ "formatter": 4,
+ "formatOptions": {
+ "palette": "coldHot",
+ "showIcon": true
+ }
+ },
+ {
+ "columnMatch": "count_",
+ "formatter": 4,
+ "formatOptions": {
+ "palette": "coldHot",
+ "showIcon": true
+ }
+ }
+ ],
+ "filter": true,
+ "labelSettings": []
+ }
+ },
+ "customWidth": "50",
+ "name": "Top vulnerability events"
+ },
+ {
+ "type": 3,
+ "content": {
+ "version": "KqlItem/1.0",
+ "query": "CommonSecurityLog\r\n| where DeviceProduct has 'PAN-OS'\r\n| where DeviceVendor =~ 'Palo Alto Networks'\r\n| search DeviceEventClassID:'*virus*'\r\n| summarize Amount=count() by RequestURL, DeviceEventClassID, DestinationIP, SourceIP, ApplicationProtocol\r\n| top 20 by Amount",
+ "size": 0,
+ "exportToExcelOptions": "visible",
+ "title": "Virus and malware events",
+ "timeContext": {
+ "durationMs": 0
+ },
+ "timeContextFromParameter": "TimeRange",
+ "queryType": 0,
+ "resourceType": "microsoft.operationalinsights/workspaces",
+ "gridSettings": {
+ "formatters": [
+ {
+ "columnMatch": "RequestURL",
+ "formatter": 0,
+ "formatOptions": {
+ "showIcon": true
+ }
+ },
+ {
+ "columnMatch": "DeviceEventClassID",
+ "formatter": 0,
+ "formatOptions": {
+ "showIcon": true
+ }
+ },
+ {
+ "columnMatch": "DestinationIP",
+ "formatter": 0,
+ "formatOptions": {
+ "showIcon": true
+ }
+ },
+ {
+ "columnMatch": "SourceIP",
+ "formatter": 0,
+ "formatOptions": {
+ "showIcon": true
+ }
+ },
+ {
+ "columnMatch": "ApplicationProtocol",
+ "formatter": 0,
+ "formatOptions": {
+ "showIcon": true
+ }
+ },
+ {
+ "columnMatch": "Amount",
+ "formatter": 4,
+ "formatOptions": {
+ "palette": "coldHot",
+ "showIcon": true
+ }
+ },
+ {
+ "columnMatch": "SourceUserID",
+ "formatter": 0,
+ "formatOptions": {
+ "showIcon": true
+ }
+ },
+ {
+ "columnMatch": "count_",
+ "formatter": 4,
+ "formatOptions": {
+ "palette": "coldHot",
+ "showIcon": true
+ }
+ }
+ ],
+ "filter": true,
+ "labelSettings": []
+ }
+ },
+ "customWidth": "50",
+ "name": "Virus and malware events"
+ },
+ {
+ "type": 3,
+ "content": {
+ "version": "KqlItem/1.0",
+ "query": "CommonSecurityLog\r\n| where DeviceProduct has 'PAN-OS'\r\n| where DeviceVendor =~ 'Palo Alto Networks'\r\n//| where DeviceEventClassID =~ 'correlation' \r\n| extend ThreatId = coalesce(\r\n column_ifexists(\"DeviceEventCategory\", \"\"),\r\n extract('cat=([^;]+)',1,AdditionalExtensions),\r\n \"\"\r\n )\r\n| extend ThreatCategory = extract('PanOSThreatCategory=([^;]+)',1, AdditionalExtensions)\r\n| summarize Amount=count() by ThreatId, ThreatCategory, LogSeverity\r\n| top 20 by Amount",
+ "size": 0,
+ "exportToExcelOptions": "visible",
+ "title": "Top correlation events",
+ "timeContext": {
+ "durationMs": 0
+ },
+ "timeContextFromParameter": "TimeRange",
+ "queryType": 0,
+ "resourceType": "microsoft.operationalinsights/workspaces",
+ "visualization": "table",
+ "gridSettings": {
+ "formatters": [
+ {
+ "columnMatch": "ThreatId",
+ "formatter": 0,
+ "formatOptions": {
+ "showIcon": true
+ }
+ },
+ {
+ "columnMatch": "ThreatCategory",
+ "formatter": 0,
+ "formatOptions": {
+ "showIcon": true
+ }
+ },
+ {
+ "columnMatch": "LogSeverity",
+ "formatter": 0,
+ "formatOptions": {
+ "showIcon": true
+ }
+ },
+ {
+ "columnMatch": "Amount",
+ "formatter": 4,
+ "formatOptions": {
+ "palette": "coldHot",
+ "showIcon": true
+ }
+ },
+ {
+ "columnMatch": "count_",
+ "formatter": 4,
+ "formatOptions": {
+ "palette": "coldHot",
+ "showIcon": true
+ }
+ }
+ ],
+ "labelSettings": []
+ }
+ },
+ "name": "Top correlation events"
+ }
+ ],
+ "styleSettings": {},
+ "fromTemplateId": "sentinel-PaloAltoNetworkThreat",
+ "$schema": "https://github.com/Microsoft/Application-Insights-Workbooks/blob/master/schema/workbook.json"
+}
\ No newline at end of file
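Review bot: The "Threats severity" tile query filters `LogSeverity != 'url' and LogSeverity != 'file'`, but `url` and `file` are `DeviceEventClassID` values (as the "Threats, by subtypes" tile and both time charts use them), so these two conditions are no-ops and the severity tile counts url/file threat events that every other visual in this workbook excludes; its "All" count will not agree with the subtype tile. The fix is a one-line change in that query: `| where Activity =~ 'THREAT' and DeviceEventClassID != 'url' and DeviceEventClassID != 'file';`. Separately, in "Top correlation events" the only filter that scopes the query to correlation events is commented out (`//| where DeviceEventClassID =~ 'correlation'`), so the grid summarises all PAN-OS events under a misleading title — either restore the filter or retitle the item; if it was disabled because the field value differs for this feed, a short note in the item `title` or the query would save the next maintainer the same investigation. Finally, `DeviceCustomString2` is presented as a WildFire verdict in one tile and as `['URL Category']` in the "Threat events" grid; one of the two labels is presumably wrong for this CEF mapping and should be confirmed against the PAN-OS field documentation.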
diff --git a/Solutions/PaloAlto-PAN-OS/Workbooks/PaloAltoOverview.json b/Solutions/PaloAlto-PAN-OS/Workbooks/PaloAltoOverview.json
new file mode 100644
index 0000000000..8f5113518f
--- /dev/null
+++ b/Solutions/PaloAlto-PAN-OS/Workbooks/PaloAltoOverview.json
@@ -0,0 +1,1509 @@
+{
+ "version": "Notebook/1.0",
+ "items": [
+ {
+ "type": 1,
+ "content": {
+ "json": "Palo Alto Networks overview
"
+ },
+ "name": "text - 0"
+ },
+ {
+ "type": 9,
+ "content": {
+ "version": "KqlParameterItem/1.0",
+ "query": "",
+ "crossComponentResources": [],
+ "parameters": [
+ {
+ "id": "a5c18655-3e2d-4d12-8ba4-82e57b296581",
+ "version": "KqlParameterItem/1.0",
+ "name": "TimeRange",
+ "type": 4,
+ "isRequired": true,
+ "value": {
+ "durationMs": 2592000000
+ },
+ "typeSettings": {
+ "selectableValues": [
+ {
+ "durationMs": 300000
+ },
+ {
+ "durationMs": 900000
+ },
+ {
+ "durationMs": 1800000
+ },
+ {
+ "durationMs": 3600000
+ },
+ {
+ "durationMs": 14400000
+ },
+ {
+ "durationMs": 43200000
+ },
+ {
+ "durationMs": 86400000
+ },
+ {
+ "durationMs": 172800000
+ },
+ {
+ "durationMs": 259200000
+ },
+ {
+ "durationMs": 604800000
+ },
+ {
+ "durationMs": 1209600000
+ },
+ {
+ "durationMs": 2419200000
+ },
+ {
+ "durationMs": 2592000000
+ },
+ {
+ "durationMs": 5184000000
+ },
+ {
+ "durationMs": 7776000000
+ }
+ ],
+ "allowCustom": true
+ }
+ },
+ {
+ "id": "32f5a8aa-9c54-4fd1-a2b9-8461b2c57f55",
+ "version": "KqlParameterItem/1.0",
+ "name": "Source_IP",
+ "label": "Source IP",
+ "type": 2,
+ "isRequired": true,
+ "multiSelect": true,
+ "quote": "'",
+ "delimiter": ",",
+ "query": "CommonSecurityLog\r\n| summarize Count = count()/1000 by SourceIP\r\n| where SourceIP != \"\"\r\n| order by Count desc, SourceIP asc\r\n| project Value = SourceIP, Label = strcat(SourceIP, \" - \", Count, \"k\"), Selected = false\r\n",
+ "value": [
+ "value::all"
+ ],
+ "typeSettings": {
+ "additionalResourceOptions": [
+ "value::all"
+ ],
+ "selectAllValue": "All"
+ },
+ "timeContext": {
+ "durationMs": 1800000
+ },
+ "queryType": 0,
+ "resourceType": "microsoft.operationalinsights/workspaces"
+ },
+ {
+ "id": "b937ca33-bc62-4183-bc0f-9ad8306dc36a",
+ "version": "KqlParameterItem/1.0",
+ "name": "Destination_IP",
+ "label": "Destination IP",
+ "type": 2,
+ "isRequired": true,
+ "multiSelect": true,
+ "quote": "'",
+ "delimiter": ",",
+ "query": "CommonSecurityLog\r\n| summarize Count = count()/1000 by DestinationIP\r\n| where DestinationIP != \"\"\r\n| order by Count desc, DestinationIP asc\r\n| project Value = DestinationIP, Label = strcat(DestinationIP, \" - \", Count, \"k\"), Selected = false",
+ "value": [
+ "value::all"
+ ],
+ "typeSettings": {
+ "limitSelectTo": 10,
+ "additionalResourceOptions": [
+ "value::all"
+ ],
+ "selectAllValue": "All"
+ },
+ "timeContext": {
+ "durationMs": 0
+ },
+ "timeContextFromParameter": "TimeRange",
+ "queryType": 0,
+ "resourceType": "microsoft.operationalinsights/workspaces"
+ }
+ ],
+ "style": "pills",
+ "queryType": 0,
+ "resourceType": "microsoft.operationalinsights/workspaces"
+ },
+ "name": "parameters - 5"
+ },
+ {
+ "type": 9,
+ "content": {
+ "version": "KqlParameterItem/1.0",
+ "query": "",
+ "crossComponentResources": [],
+ "parameters": [
+ {
+ "id": "7f28bae3-a11f-408a-832f-77a0f3e633d7",
+ "version": "KqlParameterItem/1.0",
+ "name": "EventClass",
+ "type": 2,
+ "isRequired": true,
+ "multiSelect": true,
+ "quote": "'",
+ "delimiter": ",",
+ "query": "CommonSecurityLog\r\n| where DeviceProduct has 'PAN-OS'\r\n| where DeviceVendor =~ 'Palo Alto Networks'\r\n| distinct DeviceEventClassID",
+ "value": [
+ "value::all"
+ ],
+ "typeSettings": {
+ "additionalResourceOptions": [
+ "value::all"
+ ],
+ "selectAllValue": "All"
+ },
+ "timeContext": {
+ "durationMs": 0
+ },
+ "timeContextFromParameter": "TimeRange",
+ "queryType": 0,
+ "resourceType": "microsoft.operationalinsights/workspaces"
+ }
+ ],
+ "style": "pills",
+ "queryType": 0,
+ "resourceType": "microsoft.operationalinsights/workspaces"
+ },
+ "name": "parameters - 35"
+ },
+ {
+ "type": 3,
+ "content": {
+ "version": "KqlItem/1.0",
+ "query": "let data = CommonSecurityLog\r\n| where DeviceProduct has 'PAN-OS'\r\n| where DeviceVendor =~ 'Palo Alto Networks'\r\n| where \"{Destination_IP:lable}\"==\"All\" or DestinationIP in ({Destination_IP})\r\n| where \"{Source_IP:lable}\" == \"All\" or SourceIP in ({Source_IP})\r\n| where \"{EventClass:lable}\" == \"All\" or \"{EventClass:lable}\" == \"All\" or DeviceEventClassID in ({EventClass});\r\ndata\r\n| summarize Count = count() by Activity\r\n| join kind = inner (data\r\n | make-series Trend = count() default = 0 on TimeGenerated from {TimeRange:start} to {TimeRange:end} step {TimeRange:grain} by Activity)\r\n on Activity\r\n| project-away Activity1, TimeGenerated\r\n| extend Activitys = Activity\r\n| union (\r\n data \r\n | summarize Count = count() \r\n | extend jkey = 1\r\n | join kind=inner (data\r\n | make-series Trend = count() default = 0 on TimeGenerated from {TimeRange:start} to {TimeRange:end} step {TimeRange:grain}\r\n | extend jkey = 1) on jkey\r\n | extend Activity = 'All', Activitys = '*' \r\n)\r\n| order by Count desc\r\n| take 10",
+ "size": 4,
+ "exportFieldName": "Activity",
+ "exportParameterName": "activities",
+ "exportDefaultValue": "All",
+ "exportToExcelOptions": "visible",
+ "title": "Activities, by volume",
+ "timeContext": {
+ "durationMs": 0
+ },
+ "timeContextFromParameter": "TimeRange",
+ "queryType": 0,
+ "resourceType": "microsoft.operationalinsights/workspaces",
+ "visualization": "tiles",
+ "gridSettings": {
+ "formatters": [
+ {
+ "columnMatch": "Activity",
+ "formatter": 0,
+ "formatOptions": {
+ "showIcon": true
+ }
+ },
+ {
+ "columnMatch": "Count",
+ "formatter": 8,
+ "formatOptions": {
+ "palette": "blueDark",
+ "showIcon": true
+ }
+ },
+ {
+ "columnMatch": "Trend",
+ "formatter": 9,
+ "formatOptions": {
+ "palette": "lightBlue",
+ "showIcon": true
+ }
+ },
+ {
+ "columnMatch": "Activitys",
+ "formatter": 5,
+ "formatOptions": {
+ "showIcon": true
+ }
+ },
+ {
+ "columnMatch": "jkey",
+ "formatter": 5,
+ "formatOptions": {
+ "showIcon": true
+ }
+ },
+ {
+ "columnMatch": "TimeGenerated",
+ "formatter": 5,
+ "formatOptions": {
+ "showIcon": true
+ }
+ },
+ {
+ "columnMatch": "jkey1",
+ "formatter": 5,
+ "formatOptions": {
+ "showIcon": true
+ }
+ }
+ ],
+ "labelSettings": []
+ },
+ "tileSettings": {
+ "titleContent": {
+ "columnMatch": "Activity",
+ "formatter": 1,
+ "formatOptions": {
+ "showIcon": true
+ }
+ },
+ "leftContent": {
+ "columnMatch": "Count",
+ "formatter": 12,
+ "formatOptions": {
+ "palette": "auto",
+ "showIcon": true
+ },
+ "numberFormat": {
+ "unit": 17,
+ "options": {
+ "maximumSignificantDigits": 3,
+ "maximumFractionDigits": 2
+ }
+ }
+ },
+ "secondaryContent": {
+ "columnMatch": "Trend",
+ "formatter": 9,
+ "formatOptions": {
+ "showIcon": true
+ }
+ },
+ "showBorder": false
+ }
+ },
+ "name": "all activities"
+ },
+ {
+ "type": 3,
+ "content": {
+ "version": "KqlItem/1.0",
+ "query": "CommonSecurityLog\r\n| where DeviceProduct has 'PAN-OS'\r\n| where DeviceVendor =~ 'Palo Alto Networks'\r\n| where \"{Destination_IP:lable}\"==\"All\" or DestinationIP in ({Destination_IP})\r\n| where \"{Source_IP:lable}\" == \"All\" or SourceIP in ({Source_IP})\r\n| where \"{EventClass:lable}\" == \"All\" or DeviceEventClassID in ({EventClass})\r\n| where '{activities}' == \"All\" or Activity == '{activities}'\r\n| summarize LogVolume=count() by DeviceEventClassID, bin_at(TimeGenerated, {TimeRange:grain}, {TimeRange:start})",
+ "size": 0,
+ "aggregation": 3,
+ "exportToExcelOptions": "visible",
+ "title": "Event trend, by time",
+ "timeContext": {
+ "durationMs": 0
+ },
+ "timeContextFromParameter": "TimeRange",
+ "queryType": 0,
+ "resourceType": "microsoft.operationalinsights/workspaces",
+ "visualization": "barchart",
+ "tileSettings": {
+ "showBorder": false,
+ "titleContent": {
+ "columnMatch": "DeviceEventClassID",
+ "formatter": 1
+ },
+ "leftContent": {
+ "columnMatch": "LogVolume",
+ "formatter": 12,
+ "formatOptions": {
+ "palette": "auto"
+ },
+ "numberFormat": {
+ "unit": 17,
+ "options": {
+ "maximumSignificantDigits": 3,
+ "maximumFractionDigits": 2
+ }
+ }
+ }
+ }
+ },
+ "customWidth": "50",
+ "name": "Event trend by time"
+ },
+ {
+ "type": 3,
+ "content": {
+ "version": "KqlItem/1.0",
+ "query": "//trend by sevearity\r\nCommonSecurityLog\r\n| where DeviceProduct has 'PAN-OS'\r\n| where DeviceVendor =~ 'Palo Alto Networks'\r\n| where \"{Destination_IP:lable}\"==\"All\" or DestinationIP in ({Destination_IP}) \r\n| where \"{Source_IP:lable}\" == \"All\" or SourceIP in ({Source_IP})\r\n| where \"{EventClass:lable}\" == \"All\" or DeviceEventClassID in ({EventClass})\r\n| where '{activities}' == \"All\" or Activity == '{activities}'\r\n| summarize count() by bin_at(TimeGenerated, {TimeRange:grain},{TimeRange:start}), LogSeverity\r\n",
+ "size": 0,
+ "exportToExcelOptions": "visible",
+ "title": "Events severity, by time",
+ "timeContext": {
+ "durationMs": 0
+ },
+ "timeContextFromParameter": "TimeRange",
+ "queryType": 0,
+ "resourceType": "microsoft.operationalinsights/workspaces",
+ "visualization": "barchart",
+ "tileSettings": {
+ "showBorder": false,
+ "titleContent": {
+ "columnMatch": "LogSeverity",
+ "formatter": 1
+ },
+ "leftContent": {
+ "columnMatch": "count_",
+ "formatter": 12,
+ "formatOptions": {
+ "palette": "auto"
+ },
+ "numberFormat": {
+ "unit": 17,
+ "options": {
+ "maximumSignificantDigits": 3,
+ "maximumFractionDigits": 2
+ }
+ }
+ }
+ },
+ "graphSettings": {
+ "type": 0,
+ "topContent": {
+ "columnMatch": "LogSeverity",
+ "formatter": 1
+ },
+ "centerContent": {
+ "columnMatch": "count_",
+ "formatter": 1,
+ "numberFormat": {
+ "unit": 17,
+ "options": {
+ "maximumSignificantDigits": 3,
+ "maximumFractionDigits": 2
+ }
+ }
+ }
+ }
+ },
+ "customWidth": "50",
+ "name": "Events severity over time"
+ },
+ {
+ "type": 1,
+ "content": {
+ "json": "---\r\n### Traffic events summary"
+ },
+ "name": "text - 11"
+ },
+ {
+ "type": 3,
+ "content": {
+ "version": "KqlItem/1.0",
+ "query": "let data = CommonSecurityLog\r\n| where DeviceProduct has 'PAN-OS'\r\n| where DeviceVendor =~ 'Palo Alto Networks'\r\n| where \"{Destination_IP:lable}\"==\"All\" or DestinationIP in ({Destination_IP}) \r\n| where \"{Source_IP:lable}\" == \"All\" or SourceIP in ({Source_IP})\r\n| where Activity =~ \"Traffic\";\r\ndata\r\n| summarize Count = count() by DeviceEventClassID\r\n| join kind = inner (data\r\n | make-series Trend = count() default = 0 on TimeGenerated from {TimeRange:start} to {TimeRange:end} step {TimeRange:grain} by DeviceEventClassID)\r\n on DeviceEventClassID\r\n| project-away DeviceEventClassID1, TimeGenerated\r\n| extend DeviceEventClassIDs = DeviceEventClassID\r\n| union (\r\n data \r\n | summarize Count = count() \r\n | extend jkey = 1\r\n | join kind=inner (data\r\n | make-series Trend = count() default = 0 on TimeGenerated from {TimeRange:start} to {TimeRange:end} step {TimeRange:grain}\r\n | extend jkey = 1) on jkey\r\n | extend DeviceEventClassID = 'All', DeviceEventClassIDs = '*' \r\n)\r\n| order by Count desc\r\n| take 10",
+ "size": 4,
+ "exportFieldName": "DeviceEventClassID",
+ "exportParameterName": "EventClass",
+ "exportDefaultValue": "All",
+ "exportToExcelOptions": "visible",
+ "title": "Device events Id summary - click to filter the graph below",
+ "timeContext": {
+ "durationMs": 0
+ },
+ "timeContextFromParameter": "TimeRange",
+ "queryType": 0,
+ "resourceType": "microsoft.operationalinsights/workspaces",
+ "visualization": "tiles",
+ "tileSettings": {
+ "titleContent": {
+ "columnMatch": "DeviceEventClassID",
+ "formatter": 1,
+ "formatOptions": {
+ "showIcon": true
+ }
+ },
+ "leftContent": {
+ "columnMatch": "Count",
+ "formatter": 12,
+ "formatOptions": {
+ "palette": "auto",
+ "showIcon": true
+ },
+ "numberFormat": {
+ "unit": 17,
+ "options": {
+ "style": "decimal",
+ "maximumFractionDigits": 2,
+ "maximumSignificantDigits": 3
+ }
+ }
+ },
+ "secondaryContent": {
+ "columnMatch": "Trend",
+ "formatter": 9,
+ "formatOptions": {
+ "showIcon": true
+ }
+ },
+ "showBorder": false
+ }
+ },
+ "customWidth": "50",
+ "name": "Traffic event summary"
+ },
+ {
+ "type": 3,
+ "content": {
+ "version": "KqlItem/1.0",
+ "query": "let data = CommonSecurityLog\r\n| where DeviceProduct has 'PAN-OS'\r\n| where DeviceVendor =~ 'Palo Alto Networks'\r\n| where \"{Destination_IP:lable}\"==\"All\" or DestinationIP in ({Destination_IP}) \r\n| where \"{Source_IP:lable}\" == \"All\" or SourceIP in ({Source_IP})\r\n| where Activity =~ \"Traffic\";\r\ndata\r\n| summarize Count = count() by DeviceAction\r\n| join kind = inner (data\r\n | make-series Trend = count() default = 0 on TimeGenerated from {TimeRange:start} to {TimeRange:end} step {TimeRange:grain} by DeviceAction)\r\n on DeviceAction\r\n| project-away DeviceAction1, TimeGenerated\r\n| extend DeviceAction = DeviceAction\r\n| union (\r\n data \r\n | summarize Count = count() \r\n | extend jkey = 1\r\n | join kind=inner (data\r\n | make-series Trend = count() default = 0 on TimeGenerated from {TimeRange:start} to {TimeRange:end} step {TimeRange:grain}\r\n | extend jkey = 1) on jkey\r\n | extend DeviceAction = 'All', DeviceActions = '*' \r\n)\r\n| order by Count desc\r\n| take 10",
+ "size": 4,
+ "exportFieldName": "DeviceAction",
+ "exportParameterName": "DeviceAction",
+ "exportDefaultValue": "All",
+ "exportToExcelOptions": "visible",
+ "title": "Device action summary - click to filter the graph below",
+ "timeContext": {
+ "durationMs": 0
+ },
+ "timeContextFromParameter": "TimeRange",
+ "queryType": 0,
+ "resourceType": "microsoft.operationalinsights/workspaces",
+ "visualization": "tiles",
+ "gridSettings": {
+ "formatters": [
+ {
+ "columnMatch": "DeviceAction",
+ "formatter": 0,
+ "formatOptions": {
+ "showIcon": true
+ }
+ },
+ {
+ "columnMatch": "Count",
+ "formatter": 3,
+ "formatOptions": {
+ "palette": "blueDark",
+ "showIcon": true
+ }
+ },
+ {
+ "columnMatch": "Trend",
+ "formatter": 9,
+ "formatOptions": {
+ "palette": "blueDark",
+ "showIcon": true
+ }
+ },
+ {
+ "columnMatch": "jkey",
+ "formatter": 5,
+ "formatOptions": {
+ "showIcon": true
+ }
+ },
+ {
+ "columnMatch": "TimeGenerated",
+ "formatter": 5,
+ "formatOptions": {
+ "showIcon": true
+ }
+ },
+ {
+ "columnMatch": "jkey1",
+ "formatter": 5,
+ "formatOptions": {
+ "showIcon": true
+ }
+ },
+ {
+ "columnMatch": "DeviceActions",
+ "formatter": 5,
+ "formatOptions": {
+ "showIcon": true
+ }
+ }
+ ],
+ "labelSettings": []
+ },
+ "tileSettings": {
+ "titleContent": {
+ "columnMatch": "DeviceAction",
+ "formatter": 1,
+ "formatOptions": {
+ "showIcon": true
+ }
+ },
+ "leftContent": {
+ "columnMatch": "Count",
+ "formatter": 12,
+ "formatOptions": {
+ "palette": "auto",
+ "showIcon": true
+ },
+ "numberFormat": {
+ "unit": 17,
+ "options": {
+ "maximumSignificantDigits": 3,
+ "maximumFractionDigits": 2
+ }
+ }
+ },
+ "secondaryContent": {
+ "columnMatch": "Trend",
+ "formatter": 9,
+ "formatOptions": {
+ "showIcon": true
+ }
+ },
+ "showBorder": false
+ }
+ },
+ "customWidth": "33",
+ "name": "Traffic activity summary"
+ },
+ {
+ "type": 3,
+ "content": {
+ "version": "KqlItem/1.0",
+ "query": "CommonSecurityLog\r\n| where DeviceProduct has 'PAN-OS'\r\n| where DeviceVendor =~ 'Palo Alto Networks'\r\n| where \"{Destination_IP:lable}\"==\"All\" or DestinationIP in ({Destination_IP}) \r\n| where \"{Source_IP:lable}\" == \"All\" or SourceIP in ({Source_IP})\r\n| where Activity =~ 'TRAFFIC'\r\n| where '{EventClass}' == \"All\" or DeviceEventClassID=='{EventClass}'\r\n| summarize EventCount= count() by DeviceAction, bin_at(TimeGenerated, {TimeRange:grain}, {TimeRange:start})",
+ "size": 0,
+ "exportToExcelOptions": "visible",
+ "title": "Device action, by time",
+ "timeContext": {
+ "durationMs": 0
+ },
+ "timeContextFromParameter": "TimeRange",
+ "queryType": 0,
+ "resourceType": "microsoft.operationalinsights/workspaces",
+ "visualization": "barchart"
+ },
+ "customWidth": "50",
+ "name": "Traffic activity by time"
+ },
+ {
+ "type": 3,
+ "content": {
+ "version": "KqlItem/1.0",
+ "query": "CommonSecurityLog\r\n| where DeviceProduct has 'PAN-OS'\r\n| where DeviceVendor =~ 'Palo Alto Networks'\r\n| where \"{Destination_IP:lable}\"==\"All\" or DestinationIP in ({Destination_IP}) \r\n| where \"{Source_IP:lable}\" == \"All\" or SourceIP in ({Source_IP})\r\n| where '{DeviceAction}' == \"All\" or DeviceAction=='{DeviceAction}'\r\n| where Activity =~ \"Traffic\"\r\n| summarize EventCount= count() by DeviceEventClassID, bin_at(TimeGenerated, {TimeRange:grain}, {TimeRange:start})",
+ "size": 0,
+ "exportToExcelOptions": "visible",
+ "title": "Device events Id, by time",
+ "timeContext": {
+ "durationMs": 0
+ },
+ "timeContextFromParameter": "TimeRange",
+ "queryType": 0,
+ "resourceType": "microsoft.operationalinsights/workspaces",
+ "visualization": "barchart"
+ },
+ "customWidth": "50",
+ "name": "Traffic class ID by time"
+ },
+ {
+ "type": 3,
+ "content": {
+ "version": "KqlItem/1.0",
+ "query": "CommonSecurityLog\r\n| where DeviceProduct has 'PAN-OS' \r\n| where DeviceVendor =~ 'Palo Alto Networks' \r\n| where \"{Destination_IP:lable}\"==\"All\" or DestinationIP in ({Destination_IP}) \r\n| where \"{Source_IP:lable}\" == \"All\" or SourceIP in ({Source_IP})\r\n| where Activity =~ 'TRAFFIC' \r\n| where DeviceEventClassID =~ 'end' \r\n| extend Reason = coalesce(\r\n column_ifexists(\"Reason\", \"\"),\r\n extract(';reason=(.*?);',1,AdditionalExtensions),\r\n \"\"\r\n )\r\n| summarize ReasonCount= count() by Reason, TimeGenerated \r\n",
+ "size": 0,
+ "exportToExcelOptions": "visible",
+ "title": "Reasons for session ending, by time",
+ "timeContext": {
+ "durationMs": 0
+ },
+ "timeContextFromParameter": "TimeRange",
+ "queryType": 0,
+ "resourceType": "microsoft.operationalinsights/workspaces",
+ "visualization": "timechart"
+ },
+ "customWidth": "50",
+ "name": "Reasons for session ending"
+ },
+ {
+ "type": 3,
+ "content": {
+ "version": "KqlItem/1.0",
+ "query": "// Data sent outbound vs inbound\r\nCommonSecurityLog\r\n| where DeviceProduct has 'PAN-OS'\r\n| where DeviceVendor =~ 'Palo Alto Networks'\r\n| where \"{Destination_IP:lable}\"==\"All\" or DestinationIP in ({Destination_IP}) \r\n| where \"{Source_IP:lable}\" == \"All\" or SourceIP in ({Source_IP})\r\n| where Activity =~ 'TRAFFIC'\r\n| extend Direction=iff(DeviceCustomString4=~'Trust','Outbound' ,'Inbound' )\r\n| summarize DataSentOutBoundMB=sumif(SentBytes, Direction=~'Outbound')/1048576, DataRecievedInboundMB=sumif(ReceivedBytes, Direction=~'Inbound')/1048576 by TimeGenerated\r\n",
+ "size": 0,
+ "exportToExcelOptions": "visible",
+ "title": "Sent and received data, by volume",
+ "timeContext": {
+ "durationMs": 0
+ },
+ "timeContextFromParameter": "TimeRange",
+ "queryType": 0,
+ "resourceType": "microsoft.operationalinsights/workspaces",
+ "visualization": "timechart"
+ },
+ "customWidth": "50",
+ "name": "Sent and received data by volume"
+ },
+ {
+ "type": 1,
+ "content": {
+ "json": "---\r\n## Web filter"
+ },
+ "name": "text - 12"
+ },
+ {
+ "type": 3,
+ "content": {
+ "version": "KqlItem/1.0",
+ "query": "CommonSecurityLog\r\n| where DeviceProduct has 'PAN-OS'\r\n| where DeviceVendor =~ 'Palo Alto Networks'\r\n| where \"{Destination_IP:lable}\"==\"All\" or DestinationIP in ({Destination_IP}) \r\n| where \"{Source_IP:lable}\" == \"All\" or SourceIP in ({Source_IP})\r\n| where Activity =~ 'THREAT'\r\n| where DeviceEventClassID =~ 'url'\r\n| where DeviceAction contains 'block'\r\n| summarize ProtocolCount=count() by ApplicationProtocol\r\n| top 5 by ProtocolCount desc\r\n",
+ "size": 0,
+ "exportToExcelOptions": "visible",
+ "title": "Top 5 blocked URLs, by application protocol",
+ "timeContext": {
+ "durationMs": 0
+ },
+ "timeContextFromParameter": "TimeRange",
+ "queryType": 0,
+ "resourceType": "microsoft.operationalinsights/workspaces",
+ "gridSettings": {
+ "formatters": [
+ {
+ "columnMatch": "ApplicationProtocol",
+ "formatter": 0,
+ "formatOptions": {
+ "showIcon": true
+ }
+ },
+ {
+ "columnMatch": "ProtocolCount",
+ "formatter": 4,
+ "formatOptions": {
+ "min": 0,
+ "palette": "purple",
+ "showIcon": true
+ }
+ }
+ ],
+ "labelSettings": []
+ }
+ },
+ "customWidth": "25",
+ "name": "Top 5 blocked URLs by application protocol"
+ },
+ {
+ "type": 3,
+ "content": {
+ "version": "KqlItem/1.0",
+ "query": "CommonSecurityLog\r\n| where DeviceProduct has 'PAN-OS'\r\n| where DeviceVendor =~ 'Palo Alto Networks'\r\n| where \"{Destination_IP:lable}\"==\"All\" or DestinationIP in ({Destination_IP}) \r\n| where \"{Source_IP:lable}\" == \"All\" or SourceIP in ({Source_IP})\r\n| where Activity =~ 'THREAT'\r\n| where DeviceEventClassID =~ 'url'\r\n| where DeviceAction in ('block-url', 'block-continue')\r\n| summarize CategoryCount=count() by DeviceCustomString2\r\n| project-rename CategoryName= DeviceCustomString2\r\n| top 5 by CategoryCount\r\n",
+ "size": 0,
+ "exportToExcelOptions": "visible",
+ "title": "Top 5 URL blocked, by category",
+ "timeContext": {
+ "durationMs": 0
+ },
+ "timeContextFromParameter": "TimeRange",
+ "queryType": 0,
+ "resourceType": "microsoft.operationalinsights/workspaces",
+ "gridSettings": {
+ "formatters": [
+ {
+ "columnMatch": "CategoryName",
+ "formatter": 0,
+ "formatOptions": {
+ "showIcon": true
+ }
+ },
+ {
+ "columnMatch": "CategoryCount",
+ "formatter": 4,
+ "formatOptions": {
+ "palette": "coldHot",
+ "showIcon": true
+ }
+ }
+ ],
+ "labelSettings": []
+ }
+ },
+ "customWidth": "25",
+ "name": "op 5 URL blocked by category"
+ },
+ {
+ "type": 3,
+ "content": {
+ "version": "KqlItem/1.0",
+ "query": "CommonSecurityLog\r\n| where DeviceProduct has 'PAN-OS'\r\n| where DeviceVendor =~ 'Palo Alto Networks'\r\n| where \"{Destination_IP:lable}\"==\"All\" or DestinationIP in ({Destination_IP}) \r\n| where \"{Source_IP:lable}\" == \"All\" or SourceIP in ({Source_IP})\r\n| where Activity =~ 'THREAT'\r\n| where DeviceEventClassID =~ 'url'\r\n| where DeviceAction in ('block-url', 'block-continue')\r\n| summarize URLCount=count() by RequestURL\r\n| top 5 by URLCount desc\r\n",
+ "size": 0,
+ "exportToExcelOptions": "visible",
+ "title": "Top 5 blocked URLs",
+ "timeContext": {
+ "durationMs": 0
+ },
+ "timeContextFromParameter": "TimeRange",
+ "queryType": 0,
+ "resourceType": "microsoft.operationalinsights/workspaces"
+ },
+ "customWidth": "25",
+ "name": "Top 5 blocked URLs"
+ },
+ {
+ "type": 3,
+ "content": {
+ "version": "KqlItem/1.0",
+ "query": "CommonSecurityLog\r\n| where DeviceProduct has 'PAN-OS'\r\n| where DeviceVendor =~ 'Palo Alto Networks'\r\n| where \"{Destination_IP:lable}\"==\"All\" or DestinationIP in ({Destination_IP}) \r\n| where \"{Source_IP:lable}\" == \"All\" or SourceIP in ({Source_IP})\r\n| where Activity =~ 'THREAT'\r\n| where DeviceEventClassID =~ 'url'\r\n| summarize ProtocolCount=count() by ApplicationProtocol\r\n| top 5 by ProtocolCount desc",
+ "size": 0,
+ "exportToExcelOptions": "visible",
+ "title": "Top 5 URLs, by application protocols",
+ "timeContext": {
+ "durationMs": 0
+ },
+ "timeContextFromParameter": "TimeRange",
+ "queryType": 0,
+ "resourceType": "microsoft.operationalinsights/workspaces",
+ "gridSettings": {
+ "formatters": [
+ {
+ "columnMatch": "ApplicationProtocol",
+ "formatter": 0,
+ "formatOptions": {
+ "showIcon": true
+ }
+ },
+ {
+ "columnMatch": "ProtocolCount",
+ "formatter": 4,
+ "formatOptions": {
+ "palette": "coldHot",
+ "showIcon": true
+ }
+ }
+ ],
+ "labelSettings": []
+ }
+ },
+ "customWidth": "25",
+ "name": "Top 5 URLs by application protocols"
+ },
+ {
+ "type": 3,
+ "content": {
+ "version": "KqlItem/1.0",
+ "query": "CommonSecurityLog\r\n| where DeviceProduct has 'PAN-OS'\r\n| where DeviceVendor =~ 'Palo Alto Networks'\r\n| where \"{Destination_IP:lable}\"==\"All\" or DestinationIP in ({Destination_IP}) \r\n| where \"{Source_IP:lable}\" == \"All\" or SourceIP in ({Source_IP})\r\n| where Activity =~ 'THREAT'\r\n| where DeviceEventClassID =~ 'url'\r\n| where DeviceAction in ('alert', 'continue')\r\n| summarize URLCount=count() by RequestURL\r\n| top 5 by URLCount desc\r\n",
+ "size": 0,
+ "exportToExcelOptions": "visible",
+ "title": "Top 5 allowed URLs",
+ "timeContext": {
+ "durationMs": 0
+ },
+ "timeContextFromParameter": "TimeRange",
+ "queryType": 0,
+ "resourceType": "microsoft.operationalinsights/workspaces",
+ "gridSettings": {
+ "formatters": [
+ {
+ "columnMatch": "RequestURL",
+ "formatter": 0,
+ "formatOptions": {
+ "showIcon": true
+ }
+ },
+ {
+ "columnMatch": "URLCount",
+ "formatter": 4,
+ "formatOptions": {
+ "palette": "coldHot",
+ "showIcon": true
+ }
+ }
+ ],
+ "labelSettings": []
+ }
+ },
+ "customWidth": "25",
+ "name": "Top 5 allowed URLs"
+ },
+ {
+ "type": 3,
+ "content": {
+ "version": "KqlItem/1.0",
+ "query": "CommonSecurityLog\r\n| where DeviceProduct has 'PAN-OS'\r\n| where DeviceVendor =~ 'Palo Alto Networks'\r\n| where \"{Destination_IP:lable}\"==\"All\" or DestinationIP in ({Destination_IP}) \r\n| where \"{Source_IP:lable}\" == \"All\" or SourceIP in ({Source_IP})\r\n| where Activity =~ 'THREAT'\r\n| where DeviceEventClassID =~ 'url'\r\n| summarize ActionCount=count() by DeviceAction\r\n",
+ "size": 0,
+ "exportToExcelOptions": "visible",
+ "title": "URL threat event summary",
+ "timeContext": {
+ "durationMs": 0
+ },
+ "timeContextFromParameter": "TimeRange",
+ "queryType": 0,
+ "resourceType": "microsoft.operationalinsights/workspaces",
+ "gridSettings": {
+ "formatters": [
+ {
+ "columnMatch": "DeviceAction",
+ "formatter": 0,
+ "formatOptions": {
+ "showIcon": true
+ }
+ },
+ {
+ "columnMatch": "ActionCount",
+ "formatter": 4,
+ "formatOptions": {
+ "palette": "coldHot",
+ "showIcon": true
+ }
+ }
+ ],
+ "labelSettings": []
+ }
+ },
+ "customWidth": "25",
+ "name": "URL threat event summary"
+ },
+ {
+ "type": 3,
+ "content": {
+ "version": "KqlItem/1.0",
+ "query": "CommonSecurityLog\r\n| where DeviceProduct has 'PAN-OS'\r\n| where DeviceVendor =~ 'Palo Alto Networks'\r\n| where Activity =~ 'THREAT'\r\n| where DeviceEventClassID =~ 'url'\r\n| where DeviceAction contains 'block'\r\n| extend PAReferer= extract(';PanOSReferer=(.*?);',1,AdditionalExtensions)\r\n| where PAReferer !=''\r\n| summarize RefererCount= count() by PAReferer\r\n| top 5 by RefererCount desc\r\n",
+ "size": 0,
+ "exportToExcelOptions": "visible",
+ "title": "Top 5 referrers for blocked URLs",
+ "timeContext": {
+ "durationMs": 0
+ },
+ "timeContextFromParameter": "TimeRange",
+ "queryType": 0,
+ "resourceType": "microsoft.operationalinsights/workspaces"
+ },
+ "customWidth": "25",
+ "name": "Top 5 referrers for blocked URLs"
+ },
+ {
+ "type": 3,
+ "content": {
+ "version": "KqlItem/1.0",
+ "query": "CommonSecurityLog\r\n| where DeviceProduct has 'PAN-OS'\r\n| where DeviceVendor =~ 'Palo Alto Networks'\r\n| where \"{Destination_IP:lable}\"==\"All\" or DestinationIP in ({Destination_IP}) \r\n| where \"{Source_IP:lable}\" == \"All\" or SourceIP in ({Source_IP})\r\n| where Activity =~ 'THREAT'\r\n| where DeviceEventClassID =~ 'url'\r\n| where DeviceAction in ('alert', 'continue')\r\n| summarize CategoryCount=count() by DeviceCustomString2\r\n| project-rename CategoryName= DeviceCustomString2\r\n| top 5 by CategoryCount desc\r\n",
+ "size": 0,
+ "exportToExcelOptions": "visible",
+ "title": "Top 5 allowed URLs, by category",
+ "timeContext": {
+ "durationMs": 0
+ },
+ "timeContextFromParameter": "TimeRange",
+ "queryType": 0,
+ "resourceType": "microsoft.operationalinsights/workspaces",
+ "gridSettings": {
+ "formatters": [
+ {
+ "columnMatch": "CategoryName",
+ "formatter": 0,
+ "formatOptions": {
+ "showIcon": true
+ }
+ },
+ {
+ "columnMatch": "CategoryCount",
+ "formatter": 4,
+ "formatOptions": {
+ "palette": "coldHot",
+ "showIcon": true
+ }
+ }
+ ],
+ "labelSettings": []
+ }
+ },
+ "customWidth": "25",
+ "name": "Top 5 allowed URLs, by category"
+ },
+ {
+ "type": 3,
+ "content": {
+ "version": "KqlItem/1.0",
+ "query": "CommonSecurityLog\r\n| where DeviceProduct has 'PAN-OS'\r\n| where DeviceVendor =~ 'Palo Alto Networks'\r\n| where \"{Destination_IP:lable}\"==\"All\" or DestinationIP in ({Destination_IP}) \r\n| where \"{Source_IP:lable}\" == \"All\" or SourceIP in ({Source_IP})\r\n| where Activity =~ 'THREAT'\r\n| where DeviceEventClassID =~ 'url'\r\n| where DeviceAction !contains 'block'\r\n| summarize ProtocolCount=count() by ApplicationProtocol\r\n| top 5 by ProtocolCount desc",
+ "size": 0,
+ "exportToExcelOptions": "visible",
+ "title": "Top 5 allowed URLs, by application protocol",
+ "timeContext": {
+ "durationMs": 0
+ },
+ "timeContextFromParameter": "TimeRange",
+ "queryType": 0,
+ "resourceType": "microsoft.operationalinsights/workspaces",
+ "visualization": "table",
+ "gridSettings": {
+ "formatters": [
+ {
+ "columnMatch": "ApplicationProtocol",
+ "formatter": 0,
+ "formatOptions": {
+ "showIcon": true
+ }
+ },
+ {
+ "columnMatch": "ProtocolCount",
+ "formatter": 4,
+ "formatOptions": {
+ "palette": "coldHot",
+ "showIcon": true
+ }
+ }
+ ],
+ "labelSettings": []
+ }
+ },
+ "customWidth": "33",
+ "name": "Top 5 allowed URLs by application protocol"
+ },
+ {
+ "type": 3,
+ "content": {
+ "version": "KqlItem/1.0",
+ "query": "CommonSecurityLog\r\n| where DeviceProduct has 'PAN-OS'\r\n| where DeviceVendor =~ 'Palo Alto Networks'\r\n| where \"{Destination_IP:lable}\"==\"All\" or DestinationIP in ({Destination_IP}) \r\n| where \"{Source_IP:lable}\" == \"All\" or SourceIP in ({Source_IP})\r\n| where Activity =~ 'THREAT'\r\n| where DeviceEventClassID =~ 'url'\r\n| summarize ActionCount=count() by DeviceAction, TimeGenerated\r\n",
+ "size": 0,
+ "exportToExcelOptions": "visible",
+ "title": "Web filter ativity, by time",
+ "timeContext": {
+ "durationMs": 0
+ },
+ "timeContextFromParameter": "TimeRange",
+ "queryType": 0,
+ "resourceType": "microsoft.operationalinsights/workspaces",
+ "gridSettings": {
+ "formatters": [
+ {
+ "columnMatch": "DeviceAction",
+ "formatter": 0,
+ "formatOptions": {
+ "showIcon": true
+ }
+ },
+ {
+ "columnMatch": "TimeGenerated",
+ "formatter": 0,
+ "formatOptions": {
+ "showIcon": true
+ }
+ },
+ {
+ "columnMatch": "ActionCount",
+ "formatter": 4,
+ "formatOptions": {
+ "palette": "coldHot",
+ "showIcon": true
+ }
+ }
+ ],
+ "labelSettings": []
+ }
+ },
+ "customWidth": "33",
+ "name": "Web filter ativity by time"
+ },
+ {
+ "type": 3,
+ "content": {
+ "version": "KqlItem/1.0",
+ "query": "CommonSecurityLog\r\n| where DeviceProduct has 'PAN-OS'\r\n| where DeviceVendor =~ 'Palo Alto Networks'\r\n| where Activity =~ 'THREAT'\r\n| where \"{Destination_IP:lable}\"==\"All\" or DestinationIP in ({Destination_IP}) \r\n| where \"{Source_IP:lable}\" == \"All\" or SourceIP in ({Source_IP})\r\n| where DeviceEventClassID =~ 'url'\r\n| where DeviceAction in ('alert', 'continue')\r\n| summarize IPCount=count() by SourceIP\r\n| top 5 by IPCount desc\r\n",
+ "size": 0,
+ "exportToExcelOptions": "visible",
+ "title": "Top 5 allowed web traffic source IP addresses",
+ "timeContext": {
+ "durationMs": 0
+ },
+ "timeContextFromParameter": "TimeRange",
+ "queryType": 0,
+ "resourceType": "microsoft.operationalinsights/workspaces",
+ "gridSettings": {
+ "formatters": [
+ {
+ "columnMatch": "SourceIP",
+ "formatter": 0,
+ "formatOptions": {
+ "showIcon": true
+ }
+ },
+ {
+ "columnMatch": "IPCount",
+ "formatter": 4,
+ "formatOptions": {
+ "palette": "coldHot",
+ "showIcon": true
+ }
+ }
+ ],
+ "labelSettings": []
+ }
+ },
+ "customWidth": "33",
+ "name": "Top 5 allowed web traffic source IP addresses"
+ },
+ {
+ "type": 1,
+ "content": {
+ "json": "---\r\n## Wildfire"
+ },
+ "name": "text - 24"
+ },
+ {
+ "type": 3,
+ "content": {
+ "version": "KqlItem/1.0",
+ "query": "CommonSecurityLog\r\n| where DeviceProduct has 'PAN-OS'\r\n| where DeviceVendor =~ 'Palo Alto Networks'\r\n| where Activity =~ 'THREAT'\r\n| where DeviceEventClassID =~ 'wildfire'\r\n| summarize ActionCount=count() by DeviceAction, TimeGenerated\r\n",
+ "size": 0,
+ "exportToExcelOptions": "visible",
+ "title": "Wildfire events, by time",
+ "timeContext": {
+ "durationMs": 0
+ },
+ "timeContextFromParameter": "TimeRange",
+ "queryType": 0,
+ "resourceType": "microsoft.operationalinsights/workspaces",
+ "visualization": "timechart"
+ },
+ "customWidth": "50",
+ "name": "Wildfire events, by time"
+ },
+ {
+ "type": 3,
+ "content": {
+ "version": "KqlItem/1.0",
+ "query": "let data = CommonSecurityLog\r\n| where DeviceProduct has 'PAN-OS'\r\n| where DeviceVendor =~ 'Palo Alto Networks'\r\n| where Activity =~ 'THREAT'\r\n| where DeviceEventClassID =~'wildfire'\r\n| where \"{Destination_IP:lable}\"==\"All\" or DestinationIP in ({Destination_IP}) \r\n| where \"{Source_IP:lable}\" == \"All\" or SourceIP in ({Source_IP});\r\ndata\r\n| summarize Count = count() by DeviceAction\r\n| join kind = inner (data\r\n | make-series Trend = count() default = 0 on TimeGenerated from {TimeRange:start} to {TimeRange:end} step {TimeRange:grain} by DeviceAction)\r\n on DeviceAction\r\n| project-away DeviceAction1, TimeGenerated\r\n| extend DeviceActions = DeviceAction\r\n| union (\r\n data \r\n | summarize Count = count() \r\n | extend jkey = 1\r\n | join kind=inner (data\r\n | make-series Trend = count() default = 0 on TimeGenerated from {TimeRange:start} to {TimeRange:end} step {TimeRange:grain}\r\n | extend jkey = 1) on jkey\r\n | extend DeviceAction = 'All', DeviceActions = '*' \r\n)\r\n| project DeviceAction, Count, Trend\r\n| order by Count desc\r\n| take 10",
+ "size": 4,
+ "exportFieldName": "DeviceAction",
+ "exportParameterName": "DeviceAction",
+ "exportDefaultValue": "All",
+ "exportToExcelOptions": "visible",
+ "title": "Top 5 Wildfire activities",
+ "timeContext": {
+ "durationMs": 0
+ },
+ "timeContextFromParameter": "TimeRange",
+ "queryType": 0,
+ "resourceType": "microsoft.operationalinsights/workspaces",
+ "visualization": "tiles",
+ "gridSettings": {
+ "formatters": [
+ {
+ "columnMatch": "DeviceAction",
+ "formatter": 0,
+ "formatOptions": {
+ "showIcon": true
+ }
+ },
+ {
+ "columnMatch": "Count",
+ "formatter": 3,
+ "formatOptions": {
+ "showIcon": true
+ }
+ },
+ {
+ "columnMatch": "Trend",
+ "formatter": 9,
+ "formatOptions": {
+ "palette": "grayBlue",
+ "showIcon": true
+ }
+ },
+ {
+ "columnMatch": "DeviceActions",
+ "formatter": 0,
+ "formatOptions": {
+ "showIcon": true
+ }
+ },
+ {
+ "columnMatch": "jkey",
+ "formatter": 0,
+ "formatOptions": {
+ "showIcon": true
+ }
+ },
+ {
+ "columnMatch": "TimeGenerated",
+ "formatter": 0,
+ "formatOptions": {
+ "showIcon": true
+ }
+ },
+ {
+ "columnMatch": "jkey1",
+ "formatter": 0,
+ "formatOptions": {
+ "showIcon": true
+ }
+ }
+ ],
+ "sortBy": [
+ {
+ "itemKey": "DeviceAction",
+ "sortOrder": 1
+ }
+ ],
+ "labelSettings": []
+ },
+ "tileSettings": {
+ "titleContent": {
+ "columnMatch": "DeviceAction",
+ "formatter": 1,
+ "formatOptions": {
+ "showIcon": true
+ }
+ },
+ "leftContent": {
+ "columnMatch": "Count",
+ "formatter": 12,
+ "formatOptions": {
+ "palette": "auto",
+ "showIcon": true
+ },
+ "numberFormat": {
+ "unit": 17,
+ "options": {
+ "maximumSignificantDigits": 3,
+ "maximumFractionDigits": 2
+ }
+ }
+ },
+ "secondaryContent": {
+ "columnMatch": "Trend",
+ "formatter": 9,
+ "formatOptions": {
+ "showIcon": true
+ }
+ },
+ "showBorder": false
+ }
+ },
+ "customWidth": "25",
+ "name": "Top 5 Wildfire activities"
+ },
+ {
+ "type": 3,
+ "content": {
+ "version": "KqlItem/1.0",
+ "query": "let data = CommonSecurityLog\r\n| where DeviceProduct has 'PAN-OS'\r\n| where DeviceVendor =~ 'Palo Alto Networks'\r\n| where Activity =~ 'THREAT'\r\n| where DeviceEventClassID =~'wildfire'\r\n| where \"{Destination_IP:lable}\"==\"All\" or DestinationIP in ({Destination_IP}) \r\n| where \"{Source_IP:lable}\" == \"All\" or SourceIP in ({Source_IP});\r\ndata\r\n| summarize Count = count() by DeviceCustomString2\r\n| join kind = inner (data\r\n | make-series Trend = count() default = 0 on TimeGenerated from {TimeRange:start} to {TimeRange:end} step {TimeRange:grain} by DeviceCustomString2)\r\n on DeviceCustomString2\r\n| project-away DeviceCustomString21, TimeGenerated\r\n| extend DeviceCustomString2s = DeviceCustomString2\r\n| union (\r\n data \r\n | summarize Count = count() \r\n | extend jkey = 1\r\n | join kind=inner (data\r\n | make-series Trend = count() default = 0 on TimeGenerated from {TimeRange:start} to {TimeRange:end} step {TimeRange:grain}\r\n | extend jkey = 1) on jkey\r\n | extend DeviceCustomString2 = 'All', DeviceCustomString2s = '*' \r\n)\r\n| project DeviceCustomString2, Count, Trend\r\n| order by Count desc\r\n| take 10",
+ "size": 4,
+ "exportFieldName": "DeviceCustomString2",
+ "exportParameterName": "DeviceString",
+ "exportDefaultValue": "All",
+ "exportToExcelOptions": "visible",
+ "title": "Top 5 Wildfire verdicts",
+ "timeContext": {
+ "durationMs": 0
+ },
+ "timeContextFromParameter": "TimeRange",
+ "queryType": 0,
+ "resourceType": "microsoft.operationalinsights/workspaces",
+ "visualization": "tiles",
+ "gridSettings": {
+ "formatters": [
+ {
+ "columnMatch": "DeviceAction",
+ "formatter": 0,
+ "formatOptions": {
+ "showIcon": true
+ }
+ },
+ {
+ "columnMatch": "Count",
+ "formatter": 3,
+ "formatOptions": {
+ "showIcon": true
+ }
+ },
+ {
+ "columnMatch": "Trend",
+ "formatter": 9,
+ "formatOptions": {
+ "palette": "grayBlue",
+ "showIcon": true
+ }
+ },
+ {
+ "columnMatch": "DeviceActions",
+ "formatter": 0,
+ "formatOptions": {
+ "showIcon": true
+ }
+ },
+ {
+ "columnMatch": "jkey",
+ "formatter": 0,
+ "formatOptions": {
+ "showIcon": true
+ }
+ },
+ {
+ "columnMatch": "TimeGenerated",
+ "formatter": 0,
+ "formatOptions": {
+ "showIcon": true
+ }
+ },
+ {
+ "columnMatch": "jkey1",
+ "formatter": 0,
+ "formatOptions": {
+ "showIcon": true
+ }
+ }
+ ],
+ "sortBy": [
+ {
+ "itemKey": "DeviceAction",
+ "sortOrder": 1
+ }
+ ],
+ "labelSettings": []
+ },
+ "tileSettings": {
+ "titleContent": {
+ "columnMatch": "DeviceCustomString2",
+ "formatter": 1,
+ "formatOptions": {
+ "showIcon": true
+ }
+ },
+ "leftContent": {
+ "columnMatch": "Count",
+ "formatter": 12,
+ "formatOptions": {
+ "palette": "auto",
+ "showIcon": true
+ },
+ "numberFormat": {
+ "unit": 17,
+ "options": {
+ "maximumSignificantDigits": 3,
+ "maximumFractionDigits": 2
+ }
+ }
+ },
+ "secondaryContent": {
+ "columnMatch": "Trend",
+ "formatter": 9,
+ "formatOptions": {
+ "showIcon": true
+ }
+ },
+ "showBorder": false
+ }
+ },
+ "customWidth": "25",
+ "name": "Top 5 Wildfire verdicts"
+ },
+ {
+ "type": 3,
+ "content": {
+ "version": "KqlItem/1.0",
+ "query": "CommonSecurityLog\r\n| where DeviceProduct has 'PAN-OS'\r\n| where DeviceVendor =~ 'Palo Alto Networks'\r\n| where Activity =~ 'THREAT'\r\n| where DeviceEventClassID =~ 'wildfire'\r\n| where '{DeviceAction}' == \"All\" or DeviceAction=='{DeviceAction}'\r\n| where '{DeviceString}' == \"All\" or DeviceCustomString2=='{DeviceString}'\r\n| project TimeGenerated, ReceiptTime, LogSeverity, DeviceAction, ['URL Category'] =DeviceCustomString2, DestinationPort, DestinationIP, Message, SourcePort, SourceIP, DestinationUserID, RequestURL",
+ "size": 0,
+ "exportToExcelOptions": "visible",
+ "title": "Wildfire events",
+ "timeContext": {
+ "durationMs": 0
+ },
+ "timeContextFromParameter": "TimeRange",
+ "queryType": 0,
+ "resourceType": "microsoft.operationalinsights/workspaces",
+ "gridSettings": {
+ "filter": true,
+ "labelSettings": []
+ }
+ },
+ "name": "Wildfire events"
+ },
+ {
+ "type": 1,
+ "content": {
+ "json": "---\r\n## General statistics"
+ },
+ "name": "text - 30"
+ },
+ {
+ "type": 3,
+ "content": {
+ "version": "KqlItem/1.0",
+ "query": "CommonSecurityLog\r\n| where DeviceProduct has 'PAN-OS'\r\n| where DeviceVendor =~ 'Palo Alto Networks'\r\n| where Activity =~ 'THREAT'\r\n| where \"{Destination_IP:lable}\"==\"All\" or DestinationIP in ({Destination_IP}) \r\n| where \"{Source_IP:lable}\" == \"All\" or SourceIP in ({Source_IP})\r\n| where DeviceEventClassID =~ 'file'\r\n| where DeviceAction contains 'deny'\r\n| summarize ProtocolCount=count() by ApplicationProtocol\r\n| top 5 by ProtocolCount desc\r\n",
+ "size": 0,
+ "exportToExcelOptions": "visible",
+ "title": "Top 5 denied files, by application protocol",
+ "timeContext": {
+ "durationMs": 0
+ },
+ "timeContextFromParameter": "TimeRange",
+ "queryType": 0,
+ "resourceType": "microsoft.operationalinsights/workspaces",
+ "gridSettings": {
+ "formatters": [
+ {
+ "columnMatch": "ApplicationProtocol",
+ "formatter": 0,
+ "formatOptions": {
+ "showIcon": true
+ }
+ },
+ {
+ "columnMatch": "ProtocolCount",
+ "formatter": 4,
+ "formatOptions": {
+ "palette": "coldHot",
+ "showIcon": true
+ }
+ }
+ ],
+ "labelSettings": []
+ }
+ },
+ "customWidth": "33",
+ "name": "Top 5 denied files by application protocol"
+ },
+ {
+ "type": 3,
+ "content": {
+ "version": "KqlItem/1.0",
+ "query": "CommonSecurityLog\r\n| where DeviceProduct has 'PAN-OS'\r\n| where DeviceVendor =~ 'Palo Alto Networks'\r\n| where Activity =~ 'THREAT'\r\n| where \"{Destination_IP:lable}\"==\"All\" or DestinationIP in ({Destination_IP}) \r\n| where \"{Source_IP:lable}\" == \"All\" or SourceIP in ({Source_IP})\r\n| where DeviceEventClassID =~ 'file'\r\n| where DeviceAction !contains 'deny'\r\n| summarize ProtocolCount=count() by ApplicationProtocol\r\n| top 5 by ProtocolCount desc\r\n",
+ "size": 0,
+ "exportToExcelOptions": "visible",
+ "title": "Top 5 allowed files, by application protocol",
+ "timeContext": {
+ "durationMs": 0
+ },
+ "timeContextFromParameter": "TimeRange",
+ "queryType": 0,
+ "resourceType": "microsoft.operationalinsights/workspaces",
+ "gridSettings": {
+ "formatters": [
+ {
+ "columnMatch": "ApplicationProtocol",
+ "formatter": 0,
+ "formatOptions": {
+ "showIcon": true
+ }
+ },
+ {
+ "columnMatch": "ProtocolCount",
+ "formatter": 4,
+ "formatOptions": {
+ "palette": "coldHot",
+ "showIcon": true
+ }
+ }
+ ],
+ "labelSettings": []
+ }
+ },
+ "customWidth": "33",
+ "name": "Top 5 allowed files by application protocol"
+ },
+ {
+ "type": 3,
+ "content": {
+ "version": "KqlItem/1.0",
+ "query": "//Palo Alto File Category By Action Summary\r\nCommonSecurityLog\r\n| where DeviceProduct has 'PAN-OS' \r\n| where DeviceVendor =~ 'Palo Alto Networks' \r\n| where Activity =~ 'THREAT'\r\n| where \"{Destination_IP:lable}\"==\"All\" or DestinationIP in ({Destination_IP}) \r\n| where \"{Source_IP:lable}\" == \"All\" or SourceIP in ({Source_IP})\r\n| where DeviceEventClassID =~ 'file' \r\n| extend PACategory= coalesce(\r\n column_ifexists(\"DeviceEventCategory\", \"\"),\r\n extract(';cat=(.*?)($|;)',1,AdditionalExtensions),\r\n \"\"\r\n )\r\n| summarize CategoryCount=count() by PACategory\r\n| sort by CategoryCount",
+ "size": 0,
+ "exportToExcelOptions": "visible",
+ "title": "Summary of Palo Alto file categories, by activity",
+ "timeContext": {
+ "durationMs": 0
+ },
+ "timeContextFromParameter": "TimeRange",
+ "queryType": 0,
+ "resourceType": "microsoft.operationalinsights/workspaces",
+ "gridSettings": {
+ "formatters": [
+ {
+ "columnMatch": "PACategory",
+ "formatter": 0,
+ "formatOptions": {
+ "showIcon": true
+ }
+ },
+ {
+ "columnMatch": "CategoryCount",
+ "formatter": 4,
+ "formatOptions": {
+ "palette": "coldHot",
+ "showIcon": true
+ },
+ "numberFormat": {
+ "unit": 17,
+ "options": {
+ "style": "decimal"
+ }
+ }
+ }
+ ],
+ "labelSettings": []
+ }
+ },
+ "customWidth": "33",
+ "name": "Summary of Palo Alto file categories by activity"
+ },
+ {
+ "type": 3,
+ "content": {
+ "version": "KqlItem/1.0",
+ "query": "let data = CommonSecurityLog\r\n| where DeviceProduct has 'PAN-OS'\r\n| where DeviceVendor =~ 'Palo Alto Networks'\r\n| where Activity =~ 'THREAT'\r\n| where DeviceEventClassID =~'file'\r\n| where \"{Destination_IP:lable}\"==\"All\" or DestinationIP in ({Destination_IP}) \r\n| where \"{Source_IP:lable}\" == \"All\" or SourceIP in ({Source_IP});\r\ndata\r\n| summarize Count = count() by DeviceAction\r\n| join kind = inner (data\r\n | make-series Trend = count() default = 0 on TimeGenerated from {TimeRange:start} to {TimeRange:end} step {TimeRange:grain} by DeviceAction)\r\n on DeviceAction\r\n| project-away DeviceAction1, TimeGenerated\r\n| extend DeviceActions = DeviceAction\r\n| union (\r\n data \r\n | summarize Count = count() \r\n | extend jkey = 1\r\n | join kind=inner (data\r\n | make-series Trend = count() default = 0 on TimeGenerated from {TimeRange:start} to {TimeRange:end} step {TimeRange:grain}\r\n | extend jkey = 1) on jkey\r\n | extend DeviceAction = 'All', DeviceActions = '*' \r\n)\r\n| project DeviceAction, Count, Trend\r\n| order by Count desc\r\n| take 10\r\n",
+ "size": 4,
+ "exportFieldName": "DeviceAction",
+ "exportParameterName": "SelectedDA",
+ "exportDefaultValue": "All",
+ "exportToExcelOptions": "visible",
+ "title": "Summary of file type activities",
+ "timeContext": {
+ "durationMs": 0
+ },
+ "timeContextFromParameter": "TimeRange",
+ "queryType": 0,
+ "resourceType": "microsoft.operationalinsights/workspaces",
+ "visualization": "tiles",
+ "tileSettings": {
+ "titleContent": {
+ "columnMatch": "DeviceAction",
+ "formatter": 1,
+ "formatOptions": {
+ "showIcon": true
+ }
+ },
+ "leftContent": {
+ "columnMatch": "Count",
+ "formatter": 12,
+ "formatOptions": {
+ "palette": "auto",
+ "showIcon": true
+ },
+ "numberFormat": {
+ "unit": 17,
+ "options": {
+ "maximumSignificantDigits": 3,
+ "maximumFractionDigits": 2
+ }
+ }
+ },
+ "secondaryContent": {
+ "columnMatch": "Trend",
+ "formatter": 9,
+ "formatOptions": {
+ "showIcon": true
+ }
+ },
+ "showBorder": false
+ }
+ },
+ "customWidth": "25",
+ "name": "Summary of file type activities"
+ },
+ {
+ "type": 3,
+ "content": {
+ "version": "KqlItem/1.0",
+ "query": "CommonSecurityLog\r\n| where DeviceProduct has 'PAN-OS'\r\n| where DeviceVendor =~ 'Palo Alto Networks'\r\n| where Activity =~ 'THREAT'\r\n| where DeviceEventClassID =~ 'file'\r\n| where \"{Destination_IP:lable}\"==\"All\" or DestinationIP in ({Destination_IP}) \r\n| where \"{Source_IP:lable}\" == \"All\" or SourceIP in ({Source_IP})\r\n| where '{SelectedDA}' == \"All\" or DeviceAction == '{SelectedDA}'\r\n| summarize ActionCount=count() by DeviceAction, bin(TimeGenerated, {TimeRange:grain})\r\n",
+ "size": 0,
+ "exportToExcelOptions": "visible",
+ "title": "Compare allowed and denied files, by time",
+ "timeContext": {
+ "durationMs": 0
+ },
+ "timeContextFromParameter": "TimeRange",
+ "queryType": 0,
+ "resourceType": "microsoft.operationalinsights/workspaces",
+ "visualization": "timechart"
+ },
+ "name": "Compare allowed and denied files by time"
+ }
+ ],
+ "styleSettings": {},
+ "fromTemplateId": "sentinel-PaloAltoOverview",
+ "$schema": "https://github.com/Microsoft/Application-Insights-Workbooks/blob/master/schema/workbook.json"
+}
\ No newline at end of file
diff --git a/Solutions/PaloAlto-PAN-OS/data/Solution_PaloAlto-PAN-OS.json b/Solutions/PaloAlto-PAN-OS/data/Solution_PaloAlto-PAN-OS.json
index 8e2075e026..086f9a66bf 100644
--- a/Solutions/PaloAlto-PAN-OS/data/Solution_PaloAlto-PAN-OS.json
+++ b/Solutions/PaloAlto-PAN-OS/data/Solution_PaloAlto-PAN-OS.json
@@ -2,7 +2,23 @@
"Name": "PaloAlto-PAN-OS",
"Author": "Microsoft - support@microsoft.com",
"Logo": "",
- "Description": "[PAN-OS](https://docs.paloaltonetworks.com/pan-os) is the software that runs all Palo Alto Networks next-generation firewalls. By leveraging the key technologies that are built into PAN-OS natively -- App-ID, Content-ID, Device-ID, and User-ID -- you can have complete visibility and control of the applications in use across all users and devices in all locations all the time.",
+ "Description": "The [Palo Alto Networks (Firewall)](https://www.paloaltonetworks.com/network-security/next-generation-firewall) Solution for Microsoft Sentinel allows you to easily connect your Palo Alto Networks Firewall logs with Microsoft Sentinel, to view dashboards, create custom alerts, and improve investigation. This gives you more insight into your organization's network and improves your security operation capabilities. This solution also contains playbooks to help in automated remediation. . **Underlying Microsoft Technologies used:**\n\nThis solution takes a dependency on the following technologies, and some of these dependencies either may be in [Preview](https://azure.microsoft.com/support/legal/preview-supplemental-terms/) state or might result in additional ingestion or operational costs: a. [Agent-based log collection (CEF over Syslog)](https://docs.microsoft.com/azure/sentinel/connect-common-event-format)",
+ "Data Connectors": [
+ "Solutions/PaloAlto-PAN-OS/Data Connectors/PaloAltoNetworks.json"
+ ],
+ "Hunting Queries": [
+ "Solutions/PaloAlto-PAN-OS/Hunting Queries/PaloAlto-HighRiskPorts.yaml"
+ ],
+ "Workbooks": [
+ "Solutions/PaloAlto-PAN-OS/Workbooks/PaloAltoOverview.json",
+ "Solutions/PaloAlto-PAN-OS/Workbooks/PaloAltoNetworkThreat.json"
+ ],
+ "Analytic Rules": [
+ "Solutions/PaloAlto-PAN-OS/Analytic Rules/PaloAlto-UnusualThreatSignatures.yaml",
+ "Solutions/PaloAlto-PAN-OS/Analytic Rules/FileHashEntity_Covid19_CommonSecurityLog.yaml",
+ "Solutions/PaloAlto-PAN-OS/Analytic Rules/PaloAlto-NetworkBeaconing.yaml",
+ "Solutions/PaloAlto-PAN-OS/Analytic Rules/PaloAlto-PortScanning.yaml"
+ ],
"Playbooks": [
"Solutions/PaloAlto-PAN-OS/Playbooks/PaloAltoCustomConnector/azuredeploy.json",
"Solutions/PaloAlto-PAN-OS/Playbooks/PaloAlto-PAN-OS-GetSystemInfo/azuredeploy.json",
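Review bot: The new "Description" string on the `+ "Description": "The [Palo Alto Networks (Firewall)]` line carries a stray sentence terminator, `remediation. . **Underlying`, which renders as an empty sentence in the content-hub listing; change it to `remediation.\n\n**Underlying Microsoft Technologies used:**` so the heading is separated by the same escaped-newline style the rest of the string already uses. This is user-facing text inside a JSON manifest, so the fix is wording only and does not touch any referenced path. Separately, the new "Analytic Rules" list registers `FileHashEntity_Covid19_CommonSecurityLog.yaml`, whose description ties it to the external Microsoft COVID-19 threat-intel feed; it is worth confirming that feed is still published before shipping the rule as part of the solution, since a hash-match rule keyed on an indicator set that is no longer delivered never fires and gives a false sense of coverage.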