Azure
/
Azure-Sentinel
зеркало из
1
0
Форкнуть 0
Код Задачи Пакеты Проекты Релизы Вики Активность

Merge pull request #5170 from Azure/cefchanges/individualContent-1 

Updating to include new CEF Changes
This commit is contained in:
Anki Narravula 2022-06-09 11:57:19 +05:30 коммит произвёл GitHub
Родитель 829d5d9dc5 12d99481a8
Коммит 762fbe74df
Не найден ключ, соответствующий данной подписи
Идентификатор ключа GPG: 4AEE18F83AFDEB23
9 изменённых файлов: 49 добавлений и 98 удалений
Показать статистику Скачать Patch файл Скачать Diff файл Показать все файлы Свернуть все файлы

8
DataConnectors/Logstash-VMSS/logstash.conf
Просмотреть файл

@ -64,10 +64,13 @@ output {
"deviceCustomFloatingPoint4",
"deviceCustomFloatingPoint4Label",
"deviceCustomNumber1",
"fieldDeviceCustomNumber1",
"deviceCustomNumber1Label",
"deviceCustomNumber2",
"fieldDeviceCustomNumber2",
"deviceCustomNumber2Label",
"deviceCustomNumber3",
"fieldDeviceCustomNumber3",
"deviceCustomNumber3Label",
"baseEventCount",
"deviceCustomString1",
@ -131,8 +134,9 @@ output {
"destinationLatitude",
"categoryDeviceType",
"managerReceiptTime",
"agentMacAddress"
"agentMacAddress",
"reason"
]
}
}
}
}

8
DataConnectors/UniFiSG/ui-logstash.conf
Просмотреть файл

@ -381,10 +381,13 @@ output {
"deviceCustomFloatingPoint4",
"deviceCustomFloatingPoint4Label",
"deviceCustomNumber1",
"fieldDeviceCustomNumber1",
"deviceCustomNumber1Label",
"deviceCustomNumber2",
"fieldDeviceCustomNumber2",
"deviceCustomNumber2Label",
"deviceCustomNumber3",
"fieldDeviceCustomNumber3"
"deviceCustomNumber3Label",
"baseEventCount",
"deviceCustomString1",
@ -501,7 +504,8 @@ output {
"destinationGeoCountryCode3",
"destinationASNsOrg",
"destinationASN",
"destinationDnsDomain"
"destinationDnsDomain",
"reason"
]
}
}
@ -513,4 +517,4 @@ output {
# }
# }
}
}
}

20
Detections/CommonSecurityLog/PaloAlto-PortScanning.yaml
Просмотреть файл

@ -21,7 +21,7 @@ relevantTechniques:
- T1046
query: |
CommonSecurityLog
CommonSecurityLog
| where isnotempty(DestinationPort) and DeviceAction !in ("reset-both", "deny")
// filter out common usage ports. Add ports that are legitimate for your environment
| where DestinationPort !in ("443", "53", "389", "80", "0", "880", "8888", "8080")
@ -30,20 +30,26 @@ query: |
| where DestinationPort !between (toint(49512) .. toint(65535))
| where Computer != ""
| where DestinationIP !startswith "10."
| extend Reason = coalesce(
column_ifexists("Reason", ""),
extract("reason=(.+?)(;|$)", 1, AdditionalExtensions),
""
)
// Filter out any graceful reset reasons of AGED OUT which occurs when a TCP session closes with a FIN due to aging out.
| where AdditionalExtensions !has "reason=aged-out"
| where Reason !has "aged-out"
// Filter out any TCP FIN which occurs when a TCP FIN is used to gracefully close half or both sides of a connection.
| where AdditionalExtensions !has "reason=tcp-fin"
| where Reason !has "tcp-fin"
// Uncomment one of the following where clauses to trigger on specific TCP reset reasons
// See Palo Alto article for details - https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClUvCAK
// TCP RST-server - Occurs when the server sends a TCP reset to the client
// | where AdditionalExtensions has "reason=tcp-rst-from-server"
// TCP RST-client - Occurs when the client sends a TCP reset to the server
// | where AdditionalExtensions has "reason=tcp-rst-from-client"
| extend reason = tostring(split(AdditionalExtensions, ";")[3])
| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated), count() by DeviceName, SourceUserID, SourceIP, ApplicationProtocol, reason, DestinationPort, Protocol, DeviceVendor, DeviceProduct, DeviceAction, DestinationIP
// Already performed
//| extend reason = tostring(split(AdditionalExtensions, ";")[3])
| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated), count() by DeviceName, SourceUserID, SourceIP, ApplicationProtocol, Reason, DestinationPort, Protocol, DeviceVendor, DeviceProduct, DeviceAction, DestinationIP
| where count_ >= 10
| summarize StartTimeUtc = min(StartTimeUtc), EndTimeUtc = max(EndTimeUtc), makeset(DestinationIP), totalcount = sum(count_) by DeviceName, SourceUserID, SourceIP, ApplicationProtocol, reason, DestinationPort, Protocol, DeviceVendor, DeviceProduct, DeviceAction
| summarize StartTimeUtc = min(StartTimeUtc), EndTimeUtc = max(EndTimeUtc), makeset(DestinationIP), totalcount = sum(count_) by DeviceName, SourceUserID, SourceIP, ApplicationProtocol, Reason, DestinationPort, Protocol, DeviceVendor, DeviceProduct, DeviceAction
| extend timestamp = StartTimeUtc, IPCustomEntity = SourceIP, AccountCustomEntity = SourceUserID, HostCustomEntity = DeviceName
entityMappings:
- entityType: Account
@ -58,5 +64,5 @@ entityMappings:
fieldMappings:
- identifier: Address
columnName: IPCustomEntity
version: 1.0.0
version: 1.0.1
kind: Scheduled

7
Parsers/Epic_Parser.csl
Просмотреть файл

@ -21,7 +21,10 @@ CommonSecurityLog
SourceUserName = replace(@'\^', @'/', SourceUserName)
| extend AdditionalExtensions = replace(@"$", @";", AdditionalExtensions),
workstationID = extract("workstationID=(.*?);", 1, AdditionalExtensions),
end = extract("end=(.*?);", 1, AdditionalExtensions),
end = coalesce(
extract("end=(.*?);", 1, AdditionalExtensions),
tostring(column_ifexists("EndTime", ""))
),
flag = extract("flag=(.*?);", 1, AdditionalExtensions),
AUDITSESSION = extract("AUDITSESSION=(.*?);", 1, AdditionalExtensions),
BTGREASON = extract("BTGREASON=(.*?);", 1, AdditionalExtensions),
@ -87,4 +90,4 @@ SIGNUPMETHOD = extract("SIGNUPMETHOD=(.*?);", 1, AdditionalExtensions),
PWDATTEMPTCNT = extract("PWDATTEMPTCNT=(.*?);", 1, AdditionalExtensions)
| extend AllIPs = extract_all(@"(?P<ecIP>.*?)/(?P<wsIP>.*)", dynamic(['ecIP','wsIP']), src_dest_IPs)
| extend ecIP = tostring(AllIPs[0][0])
| extend wsIP = tostring(AllIPs[0][1])
| extend wsIP = tostring(AllIPs[0][1])

10
Parsers/PAN_Parser.csl
Просмотреть файл

@ -12,9 +12,12 @@
// Functions usually takes 10-15 minutes to activate. You can then use function alias from any other queries (e.g. PAN_CL | take 10).
//
//
CommonSecurityLog
| where DeviceVendor == "Palo Alto Networks"
| extend DeviceCustomNumber1 = coalesce(column_ifexists("FieldDeviceCustomNumber1", int(null)),DeviceCustomNumber1),
DeviceCustomNumber2 = coalesce(column_ifexists("FieldDeviceCustomNumber2", int(null)),DeviceCustomNumber2),
DeviceCustomNumber3 = coalesce(column_ifexists("FieldDeviceCustomNumber3", int(null)),DeviceCustomNumber3),
ExternalID = coalesce(column_ifexists("ExtID", ""),tostring(ExternalID))
| extend AdditionalExtensions = replace(@"$", @";", AdditionalExtensions)
| extend PanOSPacketsReceived = extract(@"PanOSPacketsReceived=(.*?);", 1, AdditionalExtensions),
PanOSPacketsSent = extract(@"PanOSPacketsSent=(.*?);", 1, AdditionalExtensions),
@ -47,6 +50,9 @@ CommonSecurityLog
LogProfile = DeviceCustomString6,
TotalBytes = FlexNumber1,
Flags = FlexString1
| extend start = coalesce(tostring(column_ifexists("StartTime",datetime(null))),start),
reason = coalesce(column_ifexists("Reason",""),reason),
cat = coalesce(column_ifexists("DeviceEventCategory",""),cat)
| project-away FlexString1Label,
FlexString1,
FlexNumber1Label,
@ -69,4 +75,4 @@ CommonSecurityLog
DeviceCustomNumber1,
DeviceCustomNumber2,
DeviceCustomNumber3,
AdditionalExtensions
AdditionalExtensions

80
Workbooks/CiscoFirepower.json
Просмотреть файл

@ -142,9 +142,6 @@
"size": 1,
"title": "📊 Data flow over Time - TimeBrush enabled. You can click within this chart and select a subset of the data. TimeRange selected: {TimeRange:label} with Automatic Time Grain of: {TimeRange:grain}",
"color": "pink",
"timeContext": {
"durationMs": 604800000
},
"timeContextFromParameter": "TimeRange",
"timeBrushParameterName": "TimeRange",
"timeBrushExportOnlyWhenBrushed": true,
@ -221,9 +218,6 @@
"query": "CommonSecurityLog\r\n| where DeviceVendor =~ \"Cisco\"\r\n| where DeviceProduct =~ 'Firepower'\r\n| summarize count() by DeviceAction\r\n| order by count_ desc",
"size": 3,
"title": "Count by Actions ",
"timeContext": {
"durationMs": 604800000
},
"timeContextFromParameter": "TimeRange",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
@ -283,9 +277,6 @@
"query": "CommonSecurityLog\r\n| where DeviceVendor =~ \"Cisco\"\r\n| where DeviceProduct =~ 'Firepower'\r\n| summarize count() by Protocol\r\n| order by Protocol asc, count_ desc",
"size": 3,
"title": "Count by Protocols",
"timeContext": {
"durationMs": 604800000
},
"timeContextFromParameter": "TimeRange",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
@ -357,9 +348,6 @@
"query": "CommonSecurityLog\r\n| where DeviceVendor =~ \"Cisco\"\r\n| where DeviceProduct =~ 'Firepower'\r\n| summarize count() by DeviceName\r\n| order by count_ desc",
"size": 3,
"title": "Count by DeviceName",
"timeContext": {
"durationMs": 604800000
},
"timeContextFromParameter": "TimeRange",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
@ -416,12 +404,9 @@
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "CommonSecurityLog\r\n| where DeviceVendor =~ \"Cisco\"\r\n| where DeviceProduct =~ 'Firepower'\r\n| where isnotempty(DeviceEventClassID) \r\n| extend ThreatId = extract('cat=([^;]+)',1,AdditionalExtensions) \r\n| where isnotempty(ThreatId)\r\n| summarize Amount=count() by ThreatId, LogSeverity\r\n| order by LogSeverity desc",
"query": "CommonSecurityLog\r\n| where DeviceVendor =~ \"Cisco\"\r\n| where DeviceProduct =~ 'Firepower'\r\n| where isnotempty(DeviceEventClassID) \r\n| extend ThreatId = coalesce(\r\n column_ifexists(\"DeviceEventCategory\", \"\"),\r\n extract('cat=([^;]+)',1,AdditionalExtensions),\r\n \"\"\r\n )\r\n| where isnotempty(ThreatId)\r\n| summarize Amount=count() by ThreatId, LogSeverity\r\n| order by LogSeverity desc",
"size": 3,
"title": "Count by Threats",
"timeContext": {
"durationMs": 604800000
},
"timeContextFromParameter": "TimeRange",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
@ -495,9 +480,6 @@
"query": "CommonSecurityLog\r\n| where DeviceVendor =~ \"Cisco\"\r\n| where DeviceProduct =~ 'Firepower'\r\n| summarize count() by ApplicationProtocol\r\n| order by count_ desc",
"size": 0,
"title": "Count by Application Protocol ",
"timeContext": {
"durationMs": 604800000
},
"timeContextFromParameter": "TimeRange",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
@ -571,9 +553,6 @@
"query": "CommonSecurityLog\r\n| where DeviceVendor =~ \"Cisco\"\r\n| where DeviceProduct =~ 'Firepower'\r\n| summarize count() by DeviceEventClassID\r\n| order by count_ desc",
"size": 1,
"title": "Count by EventClass",
"timeContext": {
"durationMs": 604800000
},
"timeContextFromParameter": "TimeRange",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
@ -630,12 +609,9 @@
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "CommonSecurityLog\r\n| where isnotempty(DeviceEventClassID) \r\n| extend ThreatId = extract('cat=([^;]+)',1,AdditionalExtensions) \r\n| where isnotempty(ThreatId)\r\n| where AdditionalExtensions !contains \"Not\"\r\n| summarize arg_max(TimeGenerated,*) by ThreatId\r\n",
"query": "CommonSecurityLog\r\n| where isnotempty(DeviceEventClassID) \r\n| extend ThreatId = coalesce(\r\n column_ifexists(\"DeviceEventCategory\", \"\"),\r\n extract('cat=([^;]+)',1,AdditionalExtensions),\r\n \"\"\r\n )\r\n| where isnotempty(ThreatId)\r\n| where AdditionalExtensions !contains \"Not\"\r\n| summarize arg_max(TimeGenerated,*) by ThreatId\r\n",
"size": 0,
"title": "Lastest Threats by ThreatId, {$rowCount}",
"timeContext": {
"durationMs": 604800000
},
"timeContextFromParameter": "TimeRange",
"showExportToExcel": true,
"queryType": 0,
@ -737,9 +713,6 @@
"query": "CommonSecurityLog\r\n| where DeviceVendor =~ \"Cisco\"\r\n| where DeviceProduct =~ 'Firepower'\r\n| where DeviceAction has \"Block\"\r\n| summarize arg_max(TimeGenerated,*) by DeviceName, SourceIP",
"size": 0,
"title": "Blocks by Device, {$rowCount} - Click to check IOC status",
"timeContext": {
"durationMs": 604800000
},
"timeContextFromParameter": "TimeRange",
"exportFieldName": "SourceIP",
"exportParameterName": "IPAddress",
@ -820,9 +793,6 @@
"query": " let starttime = 14d;\r\n let endtime = 1d;\r\n let timeframe = 1h;\r\n let scorethreshold = 5;\r\n let percentotalthreshold = 50;\r\n let TimeSeriesData = CommonSecurityLog\r\n | where DeviceVendor =~ \"Cisco\"\r\n | where DeviceProduct =~ 'Firepower'\r\n | where isnotempty(DestinationIP) and isnotempty(SourceIP)\r\n | where TimeGenerated between (startofday(ago(starttime))..startofday(ago(endtime)))\r\n | project TimeGenerated,SourceIP, DestinationIP, DeviceVendor\r\n | make-series Total=count() on TimeGenerated from startofday(ago(starttime)) to startofday(ago(endtime)) step timeframe by DeviceVendor;\r\n // Filtering specific records associated with spikes as outliers\r\n let TimeSeriesAlerts=materialize(TimeSeriesData\r\n | extend (anomalies, score, baseline) = series_decompose_anomalies(Total, scorethreshold, -1, 'linefit')\r\n | mv-expand Total to typeof(double), TimeGenerated to typeof(datetime), anomalies to typeof(double),score to typeof(double), baseline to typeof(long)\r\n | where anomalies > 0 | extend score = round(score,2), AnomalyHour = TimeGenerated\r\n | project DeviceVendor,AnomalyHour, TimeGenerated, Total, baseline, anomalies, score);\r\n let AnomalyHours = materialize(TimeSeriesAlerts | where TimeGenerated > ago(2d) | project TimeGenerated);\r\n // Join anomalies with Base Data to popalate associated records for investigation - Results sorted by score in descending order\r\n TimeSeriesAlerts\r\n | where TimeGenerated > ago(2d)\r\n | join (\r\n CommonSecurityLog\r\n | where isnotempty(DestinationIP) and isnotempty(SourceIP)\r\n | where TimeGenerated > ago(2d)\r\n | extend DateHour = bin(TimeGenerated, 1h) // create a new column and round to hour\r\n | where DateHour in ((AnomalyHours)) //filter the dataset to only selected anomaly hours\r\n | summarize HourlyCount = count(), TimeGeneratedMax = arg_max(TimeGenerated, *), DestinationIPlist = make_set(DestinationIP, 100), DestinationPortlist = make_set(DestinationPort, 100) by DeviceVendor, SourceIP, TimeGeneratedHour= bin(TimeGenerated, 1h)\r\n | extend AnomalyHour = TimeGeneratedHour\r\n ) on AnomalyHour, DeviceVendor\r\n | extend PercentTotal = round((HourlyCount / Total) * 100, 3)\r\n | where PercentTotal > percentotalthreshold\r\n | project DeviceVendor , AnomalyHour, TimeGeneratedMax, SourceIP, DestinationIPlist, DestinationPortlist, HourlyCount, PercentTotal, Total, baseline, score, anomalies\r\n | summarize HourlyCount=sum(HourlyCount), StartTimeUtc=min(TimeGeneratedMax), EndTimeUtc=max(TimeGeneratedMax), SourceIPlist = make_set(SourceIP, 100), SourceIPMax= arg_max(SourceIP, *), DestinationIPlist = make_set(DestinationIPlist, 100), DestinationPortlist = make_set(DestinationPortlist, 100) by DeviceVendor , AnomalyHour, Total, baseline, score, anomalies\r\n | project DeviceVendor , AnomalyHour, EndTimeUtc, SourceIPMax ,SourceIPlist, DestinationIPlist, DestinationPortlist, HourlyCount, Total, baseline, score, anomalies\r\n | extend timestamp= EndTimeUtc , IPCustomEntity = SourceIPMax",
"size": 0,
"title": "Time series anomaly detection for total volume of traffic, {$rowCount}",
"timeContext": {
"durationMs": 604800000
},
"timeContextFromParameter": "TimeRange",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
@ -872,9 +842,6 @@
"query": "CommonSecurityLog\r\n| where DeviceVendor == \"Cisco\"\r\n| where DeviceProduct == \"Firepower\" \r\n| where Activity == \"File Malware Event\"\r\n| where '{ComputerList}' == DeviceAction or '{ComputerList:label}' == \"<unset>\"\r\n",
"size": 0,
"title": "File Malware Events, {$rowCount}",
"timeContext": {
"durationMs": 604800000
},
"timeContextFromParameter": "TimeRange",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces"
@ -923,9 +890,6 @@
"query": "CommonSecurityLog\r\n| where DeviceVendor == \"Cisco\"\r\n| where DeviceProduct == \"Firepower\" \r\n| where DestinationPort == \"80\"\r\n| where '{DeviceAction}' == DeviceAction or '{DeviceAction:label}' == \"<unset>\"\r\n",
"size": 0,
"title": "Outbound Web Traffic Port 80, {$rowCount}",
"timeContext": {
"durationMs": 604800000
},
"timeContextFromParameter": "TimeRange",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces"
@ -939,9 +903,6 @@
"query": "CommonSecurityLog\r\n| where DeviceVendor == \"Cisco\"\r\n| where DeviceProduct == \"Firepower\"\r\n| extend bytesOut = extract('bytesOut=([^;]+)',1,AdditionalExtensions)\r\n| summarize by bytesOut, Computer, RequestURL, SourceUserName , SourceIP, SourceHostName, DestinationIP, DestinationPort\r\n| top 20 by bytesOut\r\n| order by bytesOut desc",
"size": 0,
"title": "Top 20 sending URLs (bytes Sent Out)",
"timeContext": {
"durationMs": 604800000
},
"timeContextFromParameter": "TimeRange",
"showExportToExcel": true,
"queryType": 0,
@ -987,9 +948,6 @@
"query": "CommonSecurityLog\r\n| where DeviceVendor == \"Cisco\"\r\n| where DeviceProduct == \"Firepower\" \r\n| summarize LastLogReceived = max(TimeGenerated)| project IsConnected = LastLogReceived > ago(30d), LastLogReceived, minsSinceLastLog = datetime_diff('minute',LastLogReceived, now())",
"size": 0,
"title": "IsConnected",
"timeContext": {
"durationMs": 1209600000
},
"timeContextFromParameter": "TimeRange",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
@ -1029,9 +987,6 @@
"query": "CommonSecurityLog\r\n| where DeviceVendor =~ \"Cisco\"\r\n| where DeviceProduct =~ 'Firepower'\r\n| where _IsBillable = true\r\n| make-series billedData = sum(_BilledSize) on TimeGenerated from {TimeRange:start} to now() step 1d by Type",
"size": 1,
"title": "Data Ingested during {TimeRange:label}",
"timeContext": {
"durationMs": 1209600000
},
"timeContextFromParameter": "TimeRange",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
@ -1077,9 +1032,6 @@
"query": "CommonSecurityLog\r\n| where DeviceVendor =~ \"Cisco\"\r\n| where DeviceProduct =~ 'Firepower'\r\n| where isnotempty(MaliciousIP)\r\n| summarize count() by MaliciousIP , MaliciousIPCountry, MaliciousIPLatitude, MaliciousIPLongitude,SourceIP, DestinationIP, DeviceName, IndicatorThreatType, ThreatConfidence, ReportReferenceLink\r\n| order by count_ desc",
"size": 0,
"title": "Count by Malicious IP",
"timeContext": {
"durationMs": 0
},
"timeContextFromParameter": "TimeRange",
"showExportToExcel": true,
"queryType": 0,
@ -1140,9 +1092,6 @@
"query": "CommonSecurityLog\r\n| where DeviceVendor =~ \"Cisco\"\r\n| where DeviceProduct =~ 'Firepower'\r\n| where isnotempty(MaliciousIP)\r\n| summarize count() by MaliciousIP , MaliciousIPCountry, MaliciousIPLatitude, MaliciousIPLongitude\r\n| order by count_ desc",
"size": 0,
"title": "Malicious IP by Country",
"timeContext": {
"durationMs": 0
},
"timeContextFromParameter": "TimeRange",
"showExportToExcel": true,
"queryType": 0,
@ -1210,9 +1159,6 @@
"query": "CommonSecurityLog\r\n| where DeviceVendor =~ \"Cisco\"\r\n| where DeviceProduct =~ 'Firepower'\r\n| where DeviceAction contains \"Block\"\r\n| summarize Total = count() by SourceIP, Computer\r\n| top 10 by Total\r\n//| summarize count() by DeviceAction",
"size": 0,
"title": "Top 10 Blocked inbound IPs",
"timeContext": {
"durationMs": 1209600000
},
"timeContextFromParameter": "TimeRange",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
@ -1239,9 +1185,6 @@
"query": "CommonSecurityLog\r\n| where DeviceVendor =~ \"Cisco\"\r\n| where DeviceProduct =~ 'Firepower'\r\n| where DeviceAction contains \"Block\"\r\n| summarize Total = count() by SourcePort, Computer\r\n| top 10 by Total\r\n//| summarize count() by DeviceAction",
"size": 0,
"title": "Top 10 Blocked inbound Ports",
"timeContext": {
"durationMs": 1209600000
},
"timeContextFromParameter": "TimeRange",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
@ -1268,9 +1211,6 @@
"query": "CommonSecurityLog\r\n| where DeviceVendor =~ \"Cisco\"\r\n| where DeviceProduct =~ 'Firepower'\r\n| where DeviceAction contains \"Block\"\r\n| summarize Total = count() by DestinationIP, Computer\r\n| top 10 by Total\r\n//| summarize count() by DeviceAction",
"size": 0,
"title": "Top 10 Blocked outbound IPs",
"timeContext": {
"durationMs": 1209600000
},
"timeContextFromParameter": "TimeRange",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
@ -1297,9 +1237,6 @@
"query": "CommonSecurityLog\r\n| where DeviceVendor =~ \"Cisco\"\r\n| where DeviceProduct =~ 'Firepower'\r\n| where DeviceAction contains \"Block\"\r\n| summarize Total = count() by DestinationPort, Computer\r\n| top 10 by Total\r\n//| summarize count() by DeviceAction",
"size": 0,
"title": "Top 10 Blocked outbound Ports",
"timeContext": {
"durationMs": 1209600000
},
"timeContextFromParameter": "TimeRange",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
@ -1326,9 +1263,6 @@
"query": "CommonSecurityLog\r\n| where DeviceVendor =~ \"Cisco\"\r\n| where DeviceProduct =~ 'Firepower'\r\n| where DeviceAction contains \"Block\"\r\n| summarize Total = count() by Protocol\r\n| top 10 by Total\r\n//| summarize count() by DeviceAction",
"size": 0,
"title": "Top 10 Blocked Protocols",
"timeContext": {
"durationMs": 1209600000
},
"timeContextFromParameter": "TimeRange",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
@ -1355,9 +1289,6 @@
"query": "CommonSecurityLog\r\n| where DeviceVendor =~ \"Cisco\"\r\n| where DeviceProduct =~ 'Firepower'\r\n| where DeviceAction contains \"Block\"\r\n| summarize Total = count() by Computer, DeviceName\r\n| top 10 by Total\r\n//| summarize count() by DeviceAction",
"size": 0,
"title": "Top 10 Blocked Computer vs. DeviceName",
"timeContext": {
"durationMs": 1209600000
},
"timeContextFromParameter": "TimeRange",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
@ -1415,7 +1346,7 @@
"{Workspace}"
],
"value": [
"Detect"
"value::all"
],
"typeSettings": {
"additionalResourceOptions": [
@ -1565,9 +1496,6 @@
"query": "CommonSecurityLog\r\n| where DeviceVendor =~ \"Cisco\"\r\n| where DeviceProduct =~ 'Firepower'\r\n| where (SourceIP in ({SourceIP}) or '{SourceIP:label}' == \"All\") \r\n and (SourcePort in ({SourcePort}) or '{SourcePort:label}' == \"All\") \r\n and (DestinationIP in ({DestinationIP}) or '{DestinationIP:label}' == \"All\") \r\n and (DestinationPort in ({DestinationPort}) or '{DestinationPort:label}' == \"All\")\r\n and (DeviceAction in ({DeviceAction}) or '{DeviceAction:label}' == \"All\")",
"size": 0,
"title": "Filtered View, count: {$rowCount}",
"timeContext": {
"durationMs": 1209600000
},
"timeContextFromParameter": "TimeRange",
"showExportToExcel": true,
"queryType": 0,
@ -1593,4 +1521,4 @@
],
"fromTemplateId": "sentinel-CiscoFirepowerWorkbook",
"$schema": "https://github.com/Microsoft/Application-Insights-Workbooks/blob/master/schema/workbook.json"
}
}

4
Workbooks/PaloAltoNetworkThreat.json
Просмотреть файл

@ -422,7 +422,7 @@
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "CommonSecurityLog\r\n| where DeviceProduct has 'PAN-OS'\r\n| where DeviceVendor =~ 'Palo Alto Networks'\r\n| where DeviceEventClassID =~ 'vulnerability' \r\n| extend ThreatId = extract('cat=([^;]+)',1,AdditionalExtensions) \r\n| summarize Amount=count() by ThreatId, LogSeverity\r\n| top 20 by Amount",
"query": "CommonSecurityLog\r\n| where DeviceProduct has 'PAN-OS'\r\n| where DeviceVendor =~ 'Palo Alto Networks'\r\n| where DeviceEventClassID =~ 'vulnerability' \r\n| extend ThreatId = coalesce(\r\n column_ifexists(\"DeviceEventCategory\", \"\"),\r\n extract('cat=([^;]+)',1,AdditionalExtensions),\r\n \"\"\r\n )\r\n| summarize Amount=count() by ThreatId, LogSeverity\r\n| top 20 by Amount",
"size": 0,
"exportToExcelOptions": "visible",
"title": "Top vulnerability events",
@ -558,7 +558,7 @@
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "CommonSecurityLog\r\n| where DeviceProduct has 'PAN-OS'\r\n| where DeviceVendor =~ 'Palo Alto Networks'\r\n//| where DeviceEventClassID =~ 'correlation' \r\n| extend ThreatId = extract('cat=([^;]+)',1,AdditionalExtensions)\r\n| extend ThreatCategory = extract('PanOSThreatCategory=([^;]+)',1, AdditionalExtensions)\r\n| summarize Amount=count() by ThreatId, ThreatCategory, LogSeverity\r\n| top 20 by Amount",
"query": "CommonSecurityLog\r\n| where DeviceProduct has 'PAN-OS'\r\n| where DeviceVendor =~ 'Palo Alto Networks'\r\n//| where DeviceEventClassID =~ 'correlation' \r\n| extend ThreatId = coalesce(\r\n column_ifexists(\"DeviceEventCategory\", \"\"),\r\n extract('cat=([^;]+)',1,AdditionalExtensions),\r\n \"\"\r\n )\r\n| extend ThreatCategory = extract('PanOSThreatCategory=([^;]+)',1, AdditionalExtensions)\r\n| summarize Amount=count() by ThreatId, ThreatCategory, LogSeverity\r\n| top 20 by Amount",
"size": 0,
"exportToExcelOptions": "visible",
"title": "Top correlation events",

4
Workbooks/PaloAltoOverview.json
Просмотреть файл

@ -598,7 +598,7 @@
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "CommonSecurityLog\r\n| where DeviceProduct has 'PAN-OS' \r\n| where DeviceVendor =~ 'Palo Alto Networks' \r\n| where \"{Destination_IP:lable}\"==\"All\" or DestinationIP in ({Destination_IP}) \r\n| where \"{Source_IP:lable}\" == \"All\" or SourceIP in ({Source_IP})\r\n| where Activity =~ 'TRAFFIC' \r\n| where DeviceEventClassID =~ 'end' \r\n| extend Reason= extract(';reason=(.*?);',1,AdditionalExtensions)\r\n| summarize ReasonCount= count() by Reason, TimeGenerated \r\n",
"query": "CommonSecurityLog\r\n| where DeviceProduct has 'PAN-OS' \r\n| where DeviceVendor =~ 'Palo Alto Networks' \r\n| where \"{Destination_IP:lable}\"==\"All\" or DestinationIP in ({Destination_IP}) \r\n| where \"{Source_IP:lable}\" == \"All\" or SourceIP in ({Source_IP})\r\n| where Activity =~ 'TRAFFIC' \r\n| where DeviceEventClassID =~ 'end' \r\n| extend Reason = coalesce(\r\n column_ifexists(\"Reason\", \"\"),\r\n extract(';reason=(.*?);',1,AdditionalExtensions),\r\n \"\"\r\n )\r\n| summarize ReasonCount= count() by Reason, TimeGenerated \r\n",
"size": 0,
"exportToExcelOptions": "visible",
"title": "Reasons for session ending, by time",
@ -1390,7 +1390,7 @@
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "//Palo Alto File Category By Action Summary\r\nCommonSecurityLog\r\n| where DeviceProduct has 'PAN-OS' \r\n| where DeviceVendor =~ 'Palo Alto Networks' \r\n| where Activity =~ 'THREAT'\r\n| where \"{Destination_IP:lable}\"==\"All\" or DestinationIP in ({Destination_IP}) \r\n| where \"{Source_IP:lable}\" == \"All\" or SourceIP in ({Source_IP})\r\n| where DeviceEventClassID =~ 'file' \r\n| extend PACategory= extract(';cat=(.*?);',1,AdditionalExtensions) \r\n| summarize CategoryCount=count() by PACategory\r\n| sort by CategoryCount\r\n",
"query": "//Palo Alto File Category By Action Summary\r\nCommonSecurityLog\r\n| where DeviceProduct has 'PAN-OS' \r\n| where DeviceVendor =~ 'Palo Alto Networks' \r\n| where Activity =~ 'THREAT'\r\n| where \"{Destination_IP:lable}\"==\"All\" or DestinationIP in ({Destination_IP}) \r\n| where \"{Source_IP:lable}\" == \"All\" or SourceIP in ({Source_IP})\r\n| where DeviceEventClassID =~ 'file' \r\n| extend PACategory= coalesce(\r\n column_ifexists(\"DeviceEventCategory\", \"\"),\r\n extract(';cat=(.*?)($|;)',1,AdditionalExtensions),\r\n \"\"\r\n )\r\n| summarize CategoryCount=count() by PACategory\r\n| sort by CategoryCount",
"size": 0,
"exportToExcelOptions": "visible",
"title": "Summary of Palo Alto file categories, by activity",

6
Workbooks/WorkbooksMetadata.json
Просмотреть файл

@ -84,7 +84,7 @@
"dataTypesDependencies": [ "CommonSecurityLog" ],
"dataConnectorsDependencies": [ "PaloAltoNetworks" ],
"previewImagesFileNames": [ "PaloAltoOverviewWhite1.png", "PaloAltoOverviewBlack1.png", "PaloAltoOverviewWhite2.png", "PaloAltoOverviewBlack2.png", "PaloAltoOverviewWhite3.png", "PaloAltoOverviewBlack3.png" ],
"version": "1.2.0",
"version": "1.2.2",
"title": "Palo Alto overview",
"templateRelativePath": "PaloAltoOverview.json",
"subtitle": "",
@ -97,7 +97,7 @@
"dataTypesDependencies": [ "CommonSecurityLog" ],
"dataConnectorsDependencies": [ "PaloAltoNetworks" ],
"previewImagesFileNames": [ "PaloAltoNetworkThreatWhite1.png", "PaloAltoNetworkThreatBlack1.png", "PaloAltoNetworkThreatWhite2.png", "PaloAltoNetworkThreatBlack2.png" ],
"version": "1.1.0",
"version": "1.1.1",
"title": "Palo Alto Network Threat",
"templateRelativePath": "PaloAltoNetworkThreat.json",
"subtitle": "",
@ -1542,7 +1542,7 @@
"dataTypesDependencies": [ "CommonSecurityLog"],
"dataConnectorsDependencies": [],
"previewImagesFileNames": [ "CiscoFirepowerBlack.png", "CiscoFirepowerWhite.png" ],
"version": "1.0.0",
"version": "1.0.1",
"title": "Cisco Firepower",
"templateRelativePath": "CiscoFirepower.json",
"subtitle": "",