Merge pull request #2060 from socprime/prisma_cloud_data_conn

Palo Alto Prisma Cloud Data Connector
This commit is contained in:
v-jayakal 2021-04-09 00:03:59 -07:00 коммит произвёл GitHub
Родитель 5c968074b1 c3b140be74
Коммит e40a87e692
39 изменённых файлов: 2637 добавлений и 0 удалений


@ -0,0 +1,293 @@
{
"Name": "PaloAltoPrismaCloud",
"Properties": [
{
"Name": "TimeGenerated",
"Type": "DateTime"
},
{
"Name": "Reason",
"Type": "String"
},
{
"Name": "AlertMessage",
"Type": "String"
},
{
"Name": "AlertDescription",
"Type": "String"
},
{
"Name": "AlertSeverity",
"Type": "String"
},
{
"Name": "PolicyRecommendation",
"Type": "String"
},
{
"Name": "PolicyLabels",
"Type": "String"
},
{
"Name": "PolicyLastModifiedOn",
"Type": "Double"
},
{
"Name": "PolicyLastModifiedBy",
"Type": "String"
},
{
"Name": "PolicyDeleted",
"Type": "Bool"
},
{
"Name": "PolicyRemediationDescription",
"Type": "String"
},
{
"Name": "PolicyRemediationImpact",
"Type": "String"
},
{
"Name": "PolicyRemediationCliScriptTemplate",
"Type": "String"
},
{
"Name": "History",
"Type": "String"
},
{
"Name": "ResourceDataMfaActive",
"Type": "Bool"
},
{
"Name": "ResourceDataCert1Active",
"Type": "Bool"
},
{
"Name": "ResourceDataCert2Active",
"Type": "Bool"
},
{
"Name": "ResourceDataPasswordEnabled",
"Type": "String"
},
{
"Name": "ResourceDataPasswordLastUsed",
"Type": "String"
},
{
"Name": "ResourceDataUserCreationTime",
"Type": "DateTime"
},
{
"Name": "ResourceDataAccessKey1Active",
"Type": "Bool"
},
{
"Name": "ResourceDataAccessKey2Active",
"Type": "Bool"
},
{
"Name": "ResourceDataCert1LastRotated",
"Type": "String"
},
{
"Name": "ResourceDataCert2LastRotated",
"Type": "String"
},
{
"Name": "ResourceDataPasswordLastChanged",
"Type": "String"
},
{
"Name": "ResourceDataPasswordNextRotation",
"Type": "String"
},
{
"Name": "ResourceDataAccessKey1LastRotated",
"Type": "DateTime"
},
{
"Name": "ResourceDataAccessKey2LastRotated",
"Type": "String"
},
{
"Name": "ResourceDataAccessKey1LastUsedDate",
"Type": "DateTime"
},
{
"Name": "ResourceDataAccessKey2LastUsedDate",
"Type": "String"
},
{
"Name": "ResourceDataAccessKey1LastUsedRegion",
"Type": "String"
},
{
"Name": "ResourceDataAccessKey2LastUsedRegion",
"Type": "String"
},
{
"Name": "ResourceDataAccessKey1LastUsedService",
"Type": "String"
},
{
"Name": "ResourceDataAccessKey2LastUsedService",
"Type": "String"
},
{
"Name": "ResourceRrn",
"Type": "String"
},
{
"Name": "ResourceName",
"Type": "String"
},
{
"Name": "ResourceAccount",
"Type": "String"
},
{
"Name": "ResourceAccountId",
"Type": "String"
},
{
"Name": "ResourceCloudAccountGroups",
"Type": "String"
},
{
"Name": "ResourceRegion",
"Type": "String"
},
{
"Name": "ResourceRegionId",
"Type": "String"
},
{
"Name": "ResourceResourceType",
"Type": "String"
},
{
"Name": "ResourceResourceApiName",
"Type": "String"
},
{
"Name": "ResourceUrl",
"Type": "String"
},
{
"Name": "ResourceDataArn",
"Type": "String"
},
{
"Name": "ResourceDataUser",
"Type": "String"
},
{
"Name": "ResourceAdditionalInfoAccessKeyAge",
"Type": "String"
},
{
"Name": "ResourceAdditionalInfoInactiveSinceTs",
"Type": "String"
},
{
"Name": "ResourceCloudType",
"Type": "String"
},
{
"Name": "ResourceResourceTs",
"Type": "Double"
},
{
"Name": "AlertId",
"Type": "String"
},
{
"Name": "PolicyPolicyId",
"Type": "String"
},
{
"Name": "PolicyPolicyType",
"Type": "String"
},
{
"Name": "PolicySystemDefault",
"Type": "Bool"
},
{
"Name": "PolicyRemediable",
"Type": "Bool"
},
{
"Name": "AlertRules",
"Type": "String"
},
{
"Name": "RiskDetailRiskScoreScore",
"Type": "Double"
},
{
"Name": "RiskDetailRiskScoreMaxScore",
"Type": "Double"
},
{
"Name": "RiskDetailRating",
"Type": "String"
},
{
"Name": "RiskDetailScore",
"Type": "String"
},
{
"Name": "Status",
"Type": "String"
},
{
"Name": "FirstSeen",
"Type": "Double"
},
{
"Name": "LastSeen",
"Type": "Double"
},
{
"Name": "AlertTime",
"Type": "Double"
},
{
"Name": "EventType",
"Type": "String"
},
{
"Name": "ResourceId",
"Type": "String"
},
{
"Name": "EventEndTime",
"Type": "DateTime"
},
{
"Name": "SrcIpAddr",
"Type": "String"
},
{
"Name": "ResourceType",
"Type": "String"
},
{
"Name": "EventMessage",
"Type": "String"
},
{
"Name": "EventResult",
"Type": "String"
},
{
"Name": "UserName",
"Type": "String"
}
]
}
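Review bot: The access-key columns are typed asymmetrically: `ResourceDataAccessKey1LastRotated` and `ResourceDataAccessKey1LastUsedDate` are `DateTime` while their `AccessKey2` counterparts are `String`, and `ResourceDataPasswordEnabled` is `String` where the sibling `*Active` flags are `Bool`. Any query that unions or compares the key-1 and key-2 columns will need per-column casts, and the sample records in this commit leave all of these empty, so the types cannot be checked against data. Unless the connector really emits key-1 values in a different format, make both key columns the same type, `{ "Name": "ResourceDataAccessKey2LastRotated", "Type": "DateTime" }` and likewise for `ResourceDataAccessKey2LastUsedDate`. The epoch-millisecond fields (`PolicyLastModifiedOn`, `ResourceResourceTs`, `FirstSeen`, `LastSeen`, `AlertTime`) are declared `Double` although the sample data in this commit carries them as strings; the connector documentation should state which side performs the conversion.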


@ -0,0 +1,464 @@
[
{
"reason": "NEW_ALERT",
"policy_name": "test",
"policy_description": "test",
"policy_severity": "low",
"policy_recommendation": "test",
"policy_labels": "[]",
"policy_lastModifiedOn": "1616422497101",
"policy_lastModifiedBy": "test@example.com",
"policy_deleted": "false",
"policy_remediation_description": "",
"policy_remediation_impact": "",
"policy_remediation_cliScriptTemplate": "",
"history": "",
"resource_data_mfa_active": "",
"resource_data_cert_1_active": "",
"resource_data_cert_2_active": "",
"resource_data_password_enabled": "",
"resource_data_password_last_used": "",
"resource_data_user_creation_time": "",
"resource_data_access_key_1_active": "",
"resource_data_access_key_2_active": "",
"resource_data_cert_1_last_rotated": "",
"resource_data_cert_2_last_rotated": "",
"resource_data_password_last_changed": "",
"resource_data_password_next_rotation": "",
"resource_data_access_key_1_last_rotated": "",
"resource_data_access_key_2_last_rotated": "",
"resource_data_access_key_1_last_used_date": "",
"resource_data_access_key_2_last_used_date": "",
"resource_data_access_key_1_last_used_region": "",
"resource_data_access_key_2_last_used_region": "",
"resource_data_access_key_1_last_used_service": "",
"resource_data_access_key_2_last_used_service": "",
"resource_rrn": "rrn::other:eu-central-1:999999999999:aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa:arn%3Aaws%3Alambda%3Aeu-central-1%3A999999999999%3Afunction%3ALambdaUploadFile",
"resource_id": "arn:aws:lambda:eu-central-1:999999999999:function:LambdaUploadFile",
"resource_name": "LambdaUploadFile",
"resource_account": "AWS Account",
"resource_accountId": "999999999999",
"resource_cloudAccountGroups": "[\n \"Default Account Group\"\n]",
"resource_region": "AWS Frankfurt",
"resource_regionId": "eu-central-1",
"resource_resourceType": "OTHER",
"resource_resourceApiName": "aws-lambda-list-functions",
"resource_url": "",
"resource_data_arn": "",
"resource_data_user": "",
"resource_additionalInfo_accessKeyAge": "",
"resource_additionalInfo_inactiveSinceTs": "",
"resource_cloudType": "aws",
"resource_resourceTs": "1616423871430",
"id": "P-64",
"policy_policyId": "00000000-0000-0000-0000-00000000000",
"policy_policyType": "config",
"policy_systemDefault": "true",
"policy_remediable": "false",
"alertRules": "[]",
"riskDetail_riskScore_score": "11",
"riskDetail_riskScore_maxScore": "21",
"riskDetail_rating": "B",
"riskDetail_score": "11/21",
"status": "open",
"firstSeen": "1616424563915",
"lastSeen": "1616424563915",
"alertTime": "1616424563915"
},
{
"reason": "NEW_ALERT",
"policy_name": "test",
"policy_description": "test",
"policy_severity": "low",
"policy_recommendation": "test",
"policy_labels": "[]",
"policy_lastModifiedOn": "1616422497101",
"policy_lastModifiedBy": "test@example.com",
"policy_deleted": "false",
"policy_remediation_description": "",
"policy_remediation_impact": "",
"policy_remediation_cliScriptTemplate": "",
"history": "",
"resource_data_mfa_active": "",
"resource_data_cert_1_active": "",
"resource_data_cert_2_active": "",
"resource_data_password_enabled": "",
"resource_data_password_last_used": "",
"resource_data_user_creation_time": "",
"resource_data_access_key_1_active": "",
"resource_data_access_key_2_active": "",
"resource_data_cert_1_last_rotated": "",
"resource_data_cert_2_last_rotated": "",
"resource_data_password_last_changed": "",
"resource_data_password_next_rotation": "",
"resource_data_access_key_1_last_rotated": "",
"resource_data_access_key_2_last_rotated": "",
"resource_data_access_key_1_last_used_date": "",
"resource_data_access_key_2_last_used_date": "",
"resource_data_access_key_1_last_used_region": "",
"resource_data_access_key_2_last_used_region": "",
"resource_data_access_key_1_last_used_service": "",
"resource_data_access_key_2_last_used_service": "",
"resource_rrn": "",
"resource_id": "999999999999",
"resource_name": "AWS Account",
"resource_account": "AWS Account",
"resource_accountId": "999999999999",
"resource_cloudAccountGroups": "[\n \"Default Account Group\"\n]",
"resource_region": "global",
"resource_regionId": "",
"resource_resourceType": "PSEUDO_RESOURCE",
"resource_resourceApiName": "account-agg-entity",
"resource_url": "",
"resource_data_arn": "",
"resource_data_user": "",
"resource_additionalInfo_accessKeyAge": "",
"resource_additionalInfo_inactiveSinceTs": "",
"resource_cloudType": "aws",
"resource_resourceTs": "1616423577101",
"id": "P-66",
"policy_policyId": "00000000-0000-0000-0000-00000000000",
"policy_policyType": "config",
"policy_systemDefault": "true",
"policy_remediable": "false",
"alertRules": "[]",
"riskDetail_riskScore_score": "4",
"riskDetail_riskScore_maxScore": "44",
"riskDetail_rating": "B",
"riskDetail_score": "4/44",
"status": "open",
"firstSeen": "1616424563957",
"lastSeen": "1616424563957",
"alertTime": "1616424563957"
},
{
"reason": "NEW_ALERT",
"policy_name": "test",
"policy_description": "test",
"policy_severity": "low",
"policy_recommendation": "test",
"policy_labels": "[]",
"policy_lastModifiedOn": "1616422497101",
"policy_lastModifiedBy": "test@example.com",
"policy_deleted": "false",
"policy_remediation_description": "",
"policy_remediation_impact": "",
"policy_remediation_cliScriptTemplate": "",
"history": "",
"resource_data_mfa_active": "",
"resource_data_cert_1_active": "",
"resource_data_cert_2_active": "",
"resource_data_password_enabled": "",
"resource_data_password_last_used": "",
"resource_data_user_creation_time": "",
"resource_data_access_key_1_active": "",
"resource_data_access_key_2_active": "",
"resource_data_cert_1_last_rotated": "",
"resource_data_cert_2_last_rotated": "",
"resource_data_password_last_changed": "",
"resource_data_password_next_rotation": "",
"resource_data_access_key_1_last_rotated": "",
"resource_data_access_key_2_last_rotated": "",
"resource_data_access_key_1_last_used_date": "",
"resource_data_access_key_2_last_used_date": "",
"resource_data_access_key_1_last_used_region": "",
"resource_data_access_key_2_last_used_region": "",
"resource_data_access_key_1_last_used_service": "",
"resource_data_access_key_2_last_used_service": "",
"resource_rrn": "rrn::other:eu-central-1:999999999999:test:arn%3Aaws%3Aacm%3Aeu-central-1%3A999999999999%3Acertificate%2Ftest",
"resource_id": "arn:aws:acm:eu-central-1:999999999999:certificate/test",
"resource_name": "*.tf.aws.cloud.test.name",
"resource_account": "AWS Account",
"resource_accountId": "999999999999",
"resource_cloudAccountGroups": "[\n \"Default Account Group\"\n]",
"resource_region": "AWS Frankfurt",
"resource_regionId": "eu-central-1",
"resource_resourceType": "OTHER",
"resource_resourceApiName": "aws-acm-describe-certificate",
"resource_url": "",
"resource_data_arn": "",
"resource_data_user": "",
"resource_additionalInfo_accessKeyAge": "",
"resource_additionalInfo_inactiveSinceTs": "",
"resource_cloudType": "aws",
"resource_resourceTs": "1616423890898",
"id": "P-67",
"policy_policyId": "test",
"policy_policyType": "config",
"policy_systemDefault": "true",
"policy_remediable": "false",
"alertRules": "[]",
"riskDetail_riskScore_score": "11",
"riskDetail_riskScore_maxScore": "34",
"riskDetail_rating": "B",
"riskDetail_score": "11/34",
"status": "open",
"firstSeen": "1616424563979",
"lastSeen": "1616424563979",
"alertTime": "1616424563979"
},
{
"reason": "NEW_ALERT",
"policy_name": "test",
"policy_description": "test",
"policy_severity": "medium",
"policy_recommendation": "test",
"policy_labels": "[]",
"policy_lastModifiedOn": "1616422497101",
"policy_lastModifiedBy": "test@example.com",
"policy_deleted": "false",
"policy_remediation_description": "",
"policy_remediation_impact": "",
"policy_remediation_cliScriptTemplate": "",
"history": "",
"resource_data_mfa_active": "",
"resource_data_cert_1_active": "",
"resource_data_cert_2_active": "",
"resource_data_password_enabled": "",
"resource_data_password_last_used": "",
"resource_data_user_creation_time": "",
"resource_data_access_key_1_active": "",
"resource_data_access_key_2_active": "",
"resource_data_cert_1_last_rotated": "",
"resource_data_cert_2_last_rotated": "",
"resource_data_password_last_changed": "",
"resource_data_password_next_rotation": "",
"resource_data_access_key_1_last_rotated": "",
"resource_data_access_key_2_last_rotated": "",
"resource_data_access_key_1_last_used_date": "",
"resource_data_access_key_2_last_used_date": "",
"resource_data_access_key_1_last_used_region": "",
"resource_data_access_key_2_last_used_region": "",
"resource_data_access_key_1_last_used_service": "",
"resource_data_access_key_2_last_used_service": "",
"resource_rrn": "rrn::other:eu-central-1:999999999999:test:arn%3Aaws%3Alambda%3Aeu-central-1%3A999999999999%3Afunction%3ALambdaDeleteByName",
"resource_id": "arn:aws:lambda:eu-central-1:999999999999:function:LambdaDeleteByName",
"resource_name": "LambdaDeleteByName",
"resource_account": "AWS Account",
"resource_accountId": "999999999999",
"resource_cloudAccountGroups": "[\n \"Default Account Group\"\n]",
"resource_region": "AWS Frankfurt",
"resource_regionId": "eu-central-1",
"resource_resourceType": "OTHER",
"resource_resourceApiName": "aws-lambda-list-functions",
"resource_url": "",
"resource_data_arn": "",
"resource_data_user": "",
"resource_additionalInfo_accessKeyAge": "",
"resource_additionalInfo_inactiveSinceTs": "",
"resource_cloudType": "aws",
"resource_resourceTs": "1616423871430",
"id": "P-68",
"policy_policyId": "test",
"policy_policyType": "config",
"policy_systemDefault": "true",
"policy_remediable": "false",
"alertRules": "[]",
"riskDetail_riskScore_score": "10",
"riskDetail_riskScore_maxScore": "21",
"riskDetail_rating": "B",
"riskDetail_score": "10/21",
"status": "open",
"firstSeen": "1616424563997",
"lastSeen": "1616424563997",
"alertTime": "1616424563997"
},
{
"reason": "NEW_ALERT",
"policy_name": "test",
"policy_description": "test",
"policy_severity": "medium",
"policy_recommendation": "test",
"policy_labels": "[]",
"policy_lastModifiedOn": "1616422497101",
"policy_lastModifiedBy": "test@example.com",
"policy_deleted": "false",
"policy_remediation_description": "",
"policy_remediation_impact": "",
"policy_remediation_cliScriptTemplate": "",
"history": "",
"resource_data_mfa_active": "",
"resource_data_cert_1_active": "",
"resource_data_cert_2_active": "",
"resource_data_password_enabled": "",
"resource_data_password_last_used": "",
"resource_data_user_creation_time": "",
"resource_data_access_key_1_active": "",
"resource_data_access_key_2_active": "",
"resource_data_cert_1_last_rotated": "",
"resource_data_cert_2_last_rotated": "",
"resource_data_password_last_changed": "",
"resource_data_password_next_rotation": "",
"resource_data_access_key_1_last_rotated": "",
"resource_data_access_key_2_last_rotated": "",
"resource_data_access_key_1_last_used_date": "",
"resource_data_access_key_2_last_used_date": "",
"resource_data_access_key_1_last_used_region": "",
"resource_data_access_key_2_last_used_region": "",
"resource_data_access_key_1_last_used_service": "",
"resource_data_access_key_2_last_used_service": "",
"resource_rrn": "rrn::other:eu-central-1:999999999999:test:arn%3Aaws%3Alambda%3Aeu-central-1%3A999999999999%3Afunction%3ALambdaGetAllUpdates",
"resource_id": "arn:aws:lambda:eu-central-1:999999999999:function:LambdaGetAllUpdates",
"resource_name": "LambdaGetAllUpdates",
"resource_account": "AWS Account",
"resource_accountId": "999999999999",
"resource_cloudAccountGroups": "[\n \"Default Account Group\"\n]",
"resource_region": "AWS Frankfurt",
"resource_regionId": "eu-central-1",
"resource_resourceType": "OTHER",
"resource_resourceApiName": "aws-lambda-list-functions",
"resource_url": "",
"resource_data_arn": "",
"resource_data_user": "",
"resource_additionalInfo_accessKeyAge": "",
"resource_additionalInfo_inactiveSinceTs": "",
"resource_cloudType": "aws",
"resource_resourceTs": "1616423871430",
"id": "P-69",
"policy_policyId": "test",
"policy_policyType": "config",
"policy_systemDefault": "true",
"policy_remediable": "false",
"alertRules": "[]",
"riskDetail_riskScore_score": "11",
"riskDetail_riskScore_maxScore": "21",
"riskDetail_rating": "B",
"riskDetail_score": "11/21",
"status": "open",
"firstSeen": "1616424564018",
"lastSeen": "1616424564018",
"alertTime": "1616424564018"
},
{
"reason": "NEW_ALERT",
"policy_name": "test",
"policy_description": "test",
"policy_severity": "medium",
"policy_recommendation": "test",
"policy_labels": "[]",
"policy_lastModifiedOn": "1616422497101",
"policy_lastModifiedBy": "test@example.com",
"policy_deleted": "false",
"policy_remediation_description": "",
"policy_remediation_impact": "",
"policy_remediation_cliScriptTemplate": "",
"history": "",
"resource_data_mfa_active": "",
"resource_data_cert_1_active": "",
"resource_data_cert_2_active": "",
"resource_data_password_enabled": "",
"resource_data_password_last_used": "",
"resource_data_user_creation_time": "",
"resource_data_access_key_1_active": "",
"resource_data_access_key_2_active": "",
"resource_data_cert_1_last_rotated": "",
"resource_data_cert_2_last_rotated": "",
"resource_data_password_last_changed": "",
"resource_data_password_next_rotation": "",
"resource_data_access_key_1_last_rotated": "",
"resource_data_access_key_2_last_rotated": "",
"resource_data_access_key_1_last_used_date": "",
"resource_data_access_key_2_last_used_date": "",
"resource_data_access_key_1_last_used_region": "",
"resource_data_access_key_2_last_used_region": "",
"resource_data_access_key_1_last_used_service": "",
"resource_data_access_key_2_last_used_service": "",
"resource_rrn": "rrn::other:eu-west-3:999999999999:test:arn%3Aaws%3Alambda%3Aeu-west-3%3A999999999999%3Afunction%3AVirusTotal",
"resource_id": "arn:aws:lambda:eu-west-3:999999999999:function:VirusTotal",
"resource_name": "VirusTotal",
"resource_account": "AWS Account",
"resource_accountId": "999999999999",
"resource_cloudAccountGroups": "[\n \"Default Account Group\"\n]",
"resource_region": "AWS Paris",
"resource_regionId": "eu-west-3",
"resource_resourceType": "OTHER",
"resource_resourceApiName": "aws-lambda-list-functions",
"resource_url": "",
"resource_data_arn": "",
"resource_data_user": "",
"resource_additionalInfo_accessKeyAge": "",
"resource_additionalInfo_inactiveSinceTs": "",
"resource_cloudType": "aws",
"resource_resourceTs": "1616424157777",
"id": "P-70",
"policy_policyId": "test",
"policy_policyType": "config",
"policy_systemDefault": "true",
"policy_remediable": "false",
"alertRules": "[]",
"riskDetail_riskScore_score": "20",
"riskDetail_riskScore_maxScore": "21",
"riskDetail_rating": "C",
"riskDetail_score": "20/21",
"status": "open",
"firstSeen": "1616424564051",
"lastSeen": "1616424564051",
"alertTime": "1616424564051"
},
{
"reason": "NEW_ALERT",
"policy_name": "test",
"policy_description": "test",
"policy_severity": "medium",
"policy_recommendation": "test",
"policy_labels": "test",
"policy_lastModifiedOn": "1595561593000",
"policy_lastModifiedBy": "test@example.com",
"policy_deleted": "false",
"policy_remediation_description": "test",
"policy_remediation_impact": "test",
"policy_remediation_cliScriptTemplate": "test",
"resource_id": "f1a71111-1111-1111-1111-ee8ba53c1725",
"history": "",
"resource_data_mfa_active": "",
"resource_data_cert_1_active": "",
"resource_data_cert_2_active": "",
"resource_data_password_enabled": "",
"resource_data_password_last_used": "",
"resource_data_user_creation_time": "",
"resource_data_access_key_1_active": "",
"resource_data_access_key_2_active": "",
"resource_data_cert_1_last_rotated": "",
"resource_data_cert_2_last_rotated": "",
"resource_data_password_last_changed": "",
"resource_data_password_next_rotation": "",
"resource_data_access_key_1_last_rotated": "",
"resource_data_access_key_2_last_rotated": "",
"resource_data_access_key_1_last_used_date": "",
"resource_data_access_key_2_last_used_date": "",
"resource_data_access_key_1_last_used_region": "",
"resource_data_access_key_2_last_used_region": "",
"resource_data_access_key_1_last_used_service": "",
"resource_data_access_key_2_last_used_service": "",
"resource_rrn": "rrn::kmsKeyRotation:eu-central-1:99999999999:xxxxxxxxxxxxxxxxxxxxxxxxxx:xxxxxxxxxxxxxxxxxxxxxxxx",
"resource_name": "Test",
"resource_account": "AWS Account",
"resource_accountId": "99999999999",
"resource_cloudAccountGroups": "[\n \"Default Account Group\"\n]",
"resource_region": "AWS Frankfurt",
"resource_regionId": "eu-central-1",
"resource_resourceType": "KMS_KEY_ROTATION",
"resource_resourceApiName": "aws-kms-get-key-rotation-status",
"resource_url": "https://console.aws.amazon.com/iam/home?region=eu-central-1#/encryptionKeys/eu-central-1/xxxxxxxxxxxxxxxxxxxxxxxxxxx",
"resource_data_arn": "",
"resource_data_user": "",
"resource_additionalInfo_accessKeyAge": "",
"resource_additionalInfo_inactiveSinceTs": "",
"resource_cloudType": "aws",
"resource_resourceTs": "1616423855088",
"id": "P-79",
"policy_policyId": "497f7e2c-xxxx-xxxx-xxxx-f0f6404ac896",
"policy_policyType": "config",
"policy_systemDefault": "true",
"policy_remediable": "true",
"alertRules": "[]",
"riskDetail_riskScore_score": "20",
"riskDetail_riskScore_maxScore": "80",
"riskDetail_rating": "C",
"riskDetail_score": "20/80",
"status": "open",
"firstSeen": "1616424564314",
"lastSeen": "1616424564314",
"alertTime": "1616424564314"
}
]
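Review bot: Every value in these sample alerts is a string, `"policy_deleted": "false"`, `"policy_remediable": "true"`, `"riskDetail_riskScore_score": "11"`, `"alertTime": "1616424563915"`, while the table definition in this commit declares the corresponding columns `Bool` and `Double`; the audit sample has the same issue with `timestamp`. If these files mirror what the function posts, the ingested columns will not match the declared types and comparisons such as `PolicyDeleted == true` will not behave as expected; if the function converts before posting, the samples should show the converted shape so the two files agree. `policy_labels`, `alertRules` and `resource_cloudAccountGroups` also carry JSON documents inside strings (`"[\n \"Default Account Group\"\n]"`), which every consumer will need `parse_json()` on; emitting them as real arrays would be cleaner if the connector controls the shape.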


@ -0,0 +1,92 @@
[
{
"timestamp": "1616422607498",
"user": "00000000-0000-0000-0000-000000000000",
"IPAddress": "10.10.10.10",
"ResourceType": "Login",
"resourceName": "test@example.com",
"action": "'test@example.com'(with role 'System Admin':'System Admin') logged in via SSO-SAML.",
"result": "Successful"
},
{
"timestamp": "1616423855485",
"user": "00000000-0000-0000-0000-000000000000",
"IPAddress": "10.10.10.10",
"ResourceType": "Login",
"resourceName": "test@example.com",
"action": "'test@example.com'(with role 'System Admin':'System Admin') logged in via SSO-SAML.",
"result": "Successful"
},
{
"timestamp": "1616423870400",
"user": "test@example.com",
"IPAddress": "10.10.10.10",
"ResourceType": "Login",
"resourceName": "00000000-0000-0000-0000-000000000000",
"action": "'test@example.com'(with role 'System Admin':'System Admin') logged in via SSO-SAML.",
"result": "Successful"
},
{
"timestamp": "1616423978545",
"user": "test@example.com",
"IPAddress": "10.10.10.10",
"ResourceType": "User Management",
"resourceName": "00000000-0000-0000-0000-000000000000",
"action": "'test@example.com'(with role 'System Admin':'System Admin') created access key 'testapi'",
"result": "Successful"
},
{
"timestamp": "1616424686681",
"user": "test@example.com",
"IPAddress": "10.10.10.10",
"ResourceType": "Login",
"resourceName": "test@example.com",
"action": "'test@example.com'(with role 'System Admin':'System Admin') logged in via SSO-SAML.",
"result": "Successful"
},
{
"timestamp": "1616425756546",
"user": "test@example.com",
"IPAddress": "10.10.10.10",
"ResourceType": "Login",
"resourceName": "test@example.com",
"action": "'test@example.com'(with role 'System Admin':'System Admin') logged in via access key.",
"result": "Successful"
},
{
"timestamp": "1616581253243",
"user": "test@example.com",
"IPAddress": "10.10.10.10",
"ResourceType": "Login",
"resourceName": "test@example.com",
"action": "'test@example.com'(with role 'System Admin':'System Admin') logged in via access key.",
"result": "Successful"
},
{
"timestamp": "1616581319342",
"user": "test@example.com",
"IPAddress": "10.10.10.10",
"ResourceType": "Login",
"resourceName": "test@example.com",
"action": "'test@example.com'(with role 'System Admin':'System Admin') logged in via access key.",
"result": "Successful"
},
{
"timestamp": "1616581390055",
"user": "test@example.com",
"IPAddress": "10.10.10.10",
"ResourceType": "Login",
"resourceName": "test@example.com",
"action": "'test@example.com'(with role 'System Admin':'System Admin') logged in via access key.",
"result": "Successful"
},
{
"timestamp": "1616581454638",
"user": "test@example.com",
"IPAddress": "10.10.10.10",
"ResourceType": "Login",
"resourceName": "test@example.com",
"action": "'test@example.com'(with role 'System Admin':'System Admin') logged in via access key.",
"result": "Successful"
}
]
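Review bot: The `user` and `resourceName` values are not consistently assigned across records: the first two SSO logins carry the account UUID in `user` and the e-mail in `resourceName`, the third carries the e-mail in `user` and the UUID in `resourceName`, and the remaining records carry the e-mail in both. If this reflects real Prisma Cloud audit output rather than sanitisation, the `UserName` column that the failed-login rules in this commit group on will hold a UUID for some SSO events and the e-mail for others, splitting one principal across two entities. Worth confirming against the field mapping in the function and normalising there if the API really varies. Key naming also mixes `IPAddress`/`ResourceType` with `resourceName`/`timestamp`; acceptable if these are the upstream names, but the mapping should say so.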


@ -0,0 +1,28 @@
id: 777d4993-31bb-4d45-b949-84f58e09fa2f
name: Palo Alto Prisma Cloud - Access keys are not rotated for 90 days
description: |
'Detects access keys which were not rotated for 90 days.'
severity: Medium
requiredDataConnectors:
- connectorId: PaloAltoPrismaCloud
dataTypes:
- PaloAltoPrismaCloud
queryFrequency: 1d
queryPeriod: 1d
triggerOperator: gt
triggerThreshold: 0
tactics:
- InitialAccess
relevantTechniques:
- T1078
query: |
PaloAltoPrismaCloud
| where Reason =~ 'NEW_ALERT'
| where Status =~ 'open'
| where AlertMessage has 'access keys are not rotated for 90 days'
| extend AccountCustomEntity = UserName
entityMappings:
- entityType: Account
fieldMappings:
- identifier: Name
columnName: AccountCustomEntity
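Review bot: `| extend AccountCustomEntity = UserName` maps the Account entity to a column that, judging by the samples in this commit, is only populated for audit-log records; the alert records this rule selects with `Reason =~ 'NEW_ALERT'` carry no user field, so the entity will be empty on every incident it raises. The inactive-user rule in this commit already uses `| extend AccountCustomEntity = ResourceId`, which at least identifies the affected principal, and the same change applies to the other alert-based rules here (network ACL outbound, inbound and administration-port rules, IAM group with administrator access, both maximum-risk-score rules and the high-severity-open rule). Where the resource is not an account, mapping `ResourceId` to a different entity type would be more accurate than forcing it into Account. I cannot see the function's field mapping from this page, so confirm that `UserName` is indeed audit-only before changing all of them.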


@ -0,0 +1,28 @@
id: 4264e133-eec2-438f-af85-05e869308f94
name: Palo Alto Prisma Cloud - Network ACL allow all outbound traffic
description: |
'Detects network ACLs with outbound rule to allow all traffic.'
severity: Medium
requiredDataConnectors:
- connectorId: PaloAltoPrismaCloud
dataTypes:
- PaloAltoPrismaCloud
queryFrequency: 1h
queryPeriod: 1h
triggerOperator: gt
triggerThreshold: 0
tactics:
- InitialAccess
relevantTechniques:
- T1133
query: |
PaloAltoPrismaCloud
| where Reason =~ 'NEW_ALERT'
| where Status =~ 'open'
| where AlertMessage has 'Network ACLs with Outbound rule to allow All Traffic'
| extend AccountCustomEntity = UserName
entityMappings:
- entityType: Account
fieldMappings:
- identifier: Name
columnName: AccountCustomEntity


@ -0,0 +1,28 @@
id: df89f4bf-720e-41c5-a209-15e41e400d35
name: Palo Alto Prisma Cloud - Network ACL allow ingress traffic to server administration ports
description: |
'Detects Network ACLs allow ingress traffic to server administration ports.'
severity: Medium
requiredDataConnectors:
- connectorId: PaloAltoPrismaCloud
dataTypes:
- PaloAltoPrismaCloud
queryFrequency: 1h
queryPeriod: 1h
triggerOperator: gt
triggerThreshold: 0
tactics:
- InitialAccess
relevantTechniques:
- T1133
query: |
PaloAltoPrismaCloud
| where Reason =~ 'NEW_ALERT'
| where Status =~ 'open'
| where AlertMessage has 'Network ACLs allow ingress traffic to server administration ports'
| extend AccountCustomEntity = UserName
entityMappings:
- entityType: Account
fieldMappings:
- identifier: Name
columnName: AccountCustomEntity


@ -0,0 +1,28 @@
id: 6098b34a-1e6b-440a-9e3b-fb4d5944ade1
name: Palo Alto Prisma Cloud - Network ACLs Inbound rule to allow All Traffic
description: |
'Detects Network ACLs with Inbound rule to allow All Traffic.'
severity: Medium
requiredDataConnectors:
- connectorId: PaloAltoPrismaCloud
dataTypes:
- PaloAltoPrismaCloud
queryFrequency: 1h
queryPeriod: 1h
triggerOperator: gt
triggerThreshold: 0
tactics:
- InitialAccess
relevantTechniques:
- T1133
query: |
PaloAltoPrismaCloud
| where Reason =~ 'NEW_ALERT'
| where Status =~ 'open'
| where AlertMessage has 'Network ACLs with Inbound rule to allow All Traffic'
| extend AccountCustomEntity = UserName
entityMappings:
- entityType: Account
fieldMappings:
- identifier: Name
columnName: AccountCustomEntity


@ -0,0 +1,31 @@
id: bd602b90-f7f9-4ae9-bf8c-3672a24deb39
name: Palo Alto Prisma Cloud - Anomalous access key usage
description: |
'Detects anomalous API key usage activity.'
severity: Medium
requiredDataConnectors:
- connectorId: PaloAltoPrismaCloud
dataTypes:
- PaloAltoPrismaCloud
queryFrequency: 1h
queryPeriod: 1h
triggerOperator: gt
triggerThreshold: 0
tactics:
- InitialAccess
relevantTechniques:
- T1078
query: |
let threashold = 10;
PaloAltoPrismaCloud
| where ResourceType =~ 'Login'
| where EventResult =~ 'Failed'
| where EventMessage has 'access key'
| summarize count() by UserName, bin(TimeGenerated, 5m)
| where count_ > threashold
| extend AccountCustomEntity = UserName
entityMappings:
- entityType: Account
fieldMappings:
- identifier: Name
columnName: AccountCustomEntity
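Review bot: `let threashold = 10;` is misspelled, and the same misspelled name is repeated in the multiple-failed-logins rule added in this commit; it is a local KQL variable, so the rename is free: `let threshold = 10;` and `| where count_ > threshold`. The threshold is also applied per `bin(TimeGenerated, 5m)` rather than per `queryPeriod: 1h`, so the number means "more than 10 in any five-minute window"; a one-line comment above the `let` stating that, and why 10 was chosen, would let operators tune it deliberately. The sample audit data in this commit only contains `"result": "Successful"` records, so `EventResult =~ 'Failed'` is untested against a real value; confirm the literal matches what the API emits.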


@ -0,0 +1,30 @@
id: 617b02d8-0f47-4f3c-afed-1926a45e7b28
name: Palo Alto Prisma Cloud - Maximum risk score alert
description: |
'Detects alerts with maximum risk score value.'
severity: Medium
requiredDataConnectors:
- connectorId: PaloAltoPrismaCloud
dataTypes:
- PaloAltoPrismaCloud
queryFrequency: 1h
queryPeriod: 1h
triggerOperator: gt
triggerThreshold: 0
tactics:
- InitialAccess
relevantTechniques:
- T1133
query: |
PaloAltoPrismaCloud
| where Reason =~ 'NEW_ALERT'
| where Status =~ 'open'
| extend r_score = 0.85 * toint(RiskDetailRiskScoreMaxScore)
| extend i_RiskDetailRiskScoreScore = toint(RiskDetailRiskScoreScore)
| where i_RiskDetailRiskScoreScore > r_score
| extend AccountCustomEntity = UserName
entityMappings:
- entityType: Account
fieldMappings:
- identifier: Name
columnName: AccountCustomEntity
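Review bot: This rule's `name` is identical to the other rule added in this commit (`Palo Alto Prisma Cloud - Maximum risk score alert`, id `119a574d-f37a-403a-a67a-4d6f5083d9cf`) although the logic differs: this one fires when the score exceeds 85% of the maximum, the other when it equals it. Two rules with the same display name are indistinguishable in the rule list and in incident titles, so rename this one, e.g. `name: Palo Alto Prisma Cloud - Risk score above 85% of maximum`, and describe the ratio in `description`. `0.85 * toint(RiskDetailRiskScoreMaxScore)` also hard-codes the ratio inline; a `let ratio = 0.85;` at the top of the query would make it tunable in the same way as the thresholds in the login rules. The `toint()` calls suggest the score columns arrive as strings, which contradicts the `Double` type declared for them in this commit's table definition.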


@ -0,0 +1,32 @@
id: c5bf680f-fa37-47c3-9f38-e839a9b99c05
name: Palo Alto Prisma Cloud - High severity alert opened for several days
description: |
'Detects high severity alert which is opened for several days.'
severity: Medium
requiredDataConnectors:
- connectorId: PaloAltoPrismaCloud
dataTypes:
- PaloAltoPrismaCloud
queryFrequency: 1h
queryPeriod: 1h
triggerOperator: gt
triggerThreshold: 0
tactics:
- InitialAccess
relevantTechniques:
- T1133
query: |
PaloAltoPrismaCloud
| where Reason =~ 'NEW_ALERT'
| where AlertSeverity =~ 'high'
| where Status =~ 'open'
| extend alert_time = now() - TimeGenerated
| where alert_time > 1d
| extend ['Opened Days'] = strcat('Alert opened for ', strcat(toint(alert_time / 1d), ' days'))
| project AlertMessage, AlertSeverity, ['Opened Days'], ResourceId, UserName
| extend AccountCustomEntity = UserName
entityMappings:
- entityType: Account
fieldMappings:
- identifier: Name
columnName: AccountCustomEntity
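Review bot: `| extend alert_time = now() - TimeGenerated` followed by `| where alert_time > 1d` cannot match inside this rule's `queryPeriod: 1h`: the lookback only admits rows whose `TimeGenerated` falls within the last hour, so the age filter always fails and the rule never fires (unless the connector sets `TimeGenerated` from the source timestamp and backfills old alerts, which I cannot see from this page). The age should come from the alert's own timestamp, e.g. `| extend alert_time = now() - unixtime_milliseconds_todatetime(FirstSeen)`, with the lookback widened to cover when an open alert was ingested, or the rule should key on the alert's `Status` transitions instead. The `strcat` nesting on the `['Opened Days']` line can be flattened to a single `strcat('Alert opened for ', toint(alert_time / 1d), ' days')`.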


@ -0,0 +1,28 @@
id: ac76d9c0-17a3-4aaa-a341-48f4c0b1c882
name: Palo Alto Prisma Cloud - IAM Group with Administrator Access Permissions
description: |
'Detects IAM Groups with Administrator Access Permissions.'
severity: Medium
requiredDataConnectors:
- connectorId: PaloAltoPrismaCloud
dataTypes:
- PaloAltoPrismaCloud
queryFrequency: 1h
queryPeriod: 1h
triggerOperator: gt
triggerThreshold: 0
tactics:
- InitialAccess
relevantTechniques:
- T1078
query: |
PaloAltoPrismaCloud
| where Reason =~ 'NEW_ALERT'
| where Status =~ 'open'
| where AlertMessage has 'IAM Groups with Administrator Access Permissions'
| extend AccountCustomEntity = UserName
entityMappings:
- entityType: Account
fieldMappings:
- identifier: Name
columnName: AccountCustomEntity


@ -0,0 +1,27 @@
id: 7f78fa52-9833-41de-b5c5-76e61b8af9c1
name: Palo Alto Prisma Cloud - Inactive user
description: |
'Detects users inactive for 30 days.'
severity: Low
requiredDataConnectors:
- connectorId: PaloAltoPrismaCloud
dataTypes:
- PaloAltoPrismaCloud
queryFrequency: 1d
queryPeriod: 1d
triggerOperator: gt
triggerThreshold: 0
tactics:
- InitialAccess
relevantTechniques:
- T1078
query: |
PaloAltoPrismaCloud
| where Status =~ 'open'
| where AlertMessage has 'Inactive users for more than 30 days'
| extend AccountCustomEntity = ResourceId
entityMappings:
- entityType: Account
fieldMappings:
- identifier: Name
columnName: AccountCustomEntity


@ -0,0 +1,28 @@
id: 119a574d-f37a-403a-a67a-4d6f5083d9cf
name: Palo Alto Prisma Cloud - Maximum risk score alert
description: |
'Detects alerts with maximum risk score value.'
severity: Medium
requiredDataConnectors:
- connectorId: PaloAltoPrismaCloud
dataTypes:
- PaloAltoPrismaCloud
queryFrequency: 1h
queryPeriod: 1h
triggerOperator: gt
triggerThreshold: 0
tactics:
- InitialAccess
relevantTechniques:
- T1133
query: |
PaloAltoPrismaCloud
| where Reason =~ 'NEW_ALERT'
| where Status =~ 'open'
| where RiskDetailRiskScoreScore == RiskDetailRiskScoreMaxScore
| extend AccountCustomEntity = UserName
entityMappings:
- entityType: Account
fieldMappings:
- identifier: Name
columnName: AccountCustomEntity
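Review bot: `| where RiskDetailRiskScoreScore == RiskDetailRiskScoreMaxScore` compares the two columns in whatever type the parser gives them; the high-risk-score hunting query in this same PR casts both with `toint()`, which suggests they arrive as strings, and if so two empty strings on an alert with no risk detail compare equal and every such alert fires, while `10` vs `10.0` silently fails to match. `| where toint(RiskDetailRiskScoreScore) == toint(RiskDetailRiskScoreMaxScore)` removes both problems, since a null on either side drops the row. Whether the parser emits empty strings for missing risk detail cannot be confirmed from here.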


@ -0,0 +1,31 @@
id: 4f688252-bf9b-4136-87bf-d540b5be1050
name: Palo Alto Prisma Cloud - Multiple failed logins for user
description: |
'Detects multiple failed logins for the same user account.'
severity: Medium
requiredDataConnectors:
- connectorId: PaloAltoPrismaCloud
dataTypes:
- PaloAltoPrismaCloud
queryFrequency: 1h
queryPeriod: 1h
triggerOperator: gt
triggerThreshold: 0
tactics:
- CredentialAccess
relevantTechniques:
- T1110
query: |
let threashold = 10;
PaloAltoPrismaCloud
| where ResourceType =~ 'Login'
| where EventResult =~ 'Failed'
| where EventMessage !has 'access key'
| summarize count() by UserName, bin(TimeGenerated, 5m)
| where count_ > threashold
| extend AccountCustomEntity = UserName
entityMappings:
- entityType: Account
fieldMappings:
- identifier: Name
columnName: AccountCustomEntity
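Review bot: `threashold` is misspelled on the `let` line and on the `where` line that uses it; rename both to `threshold`. The summarize also discards the source addresses, so the incident gives the analyst no IP to pivot on: `| summarize count(), SrcIps = make_set(SrcIpAddr) by UserName, bin(TimeGenerated, 5m)` keeps them (the hunting queries in this PR read `SrcIpAddr` from the same Login records) and an IP entity mapping can then be added. Note that fixed 5m bins split a burst straddling a bin boundary into two sub-threshold halves; if that matters, a sliding window over the 1h period is stricter.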


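--- /dev/null
+++ b/function.json
@@ -0,0 +1,11 @@
+{
+"scriptFile": "main.py",
+"bindings": [
+{
+"name": "mytimer",
+"type": "timerTrigger",
+"direction": "in",
+"schedule": "0 */2 * * * *"
+}
+]
+}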


@ -0,0 +1,224 @@
import asyncio
import aiohttp
import json
import time
import os
import re
import logging
import azure.functions as func
from .state_manager_async import StateManagerAsync
from .sentinel_connector_async import AzureSentinelMultiConnectorAsync
logging.getLogger('azure.core.pipeline.policies.http_logging_policy').setLevel(logging.ERROR)
WORKSPACE_ID = os.environ['AzureSentinelWorkspaceId']
SHARED_KEY = os.environ['AzureSentinelSharedKey']
API_URL = os.environ['PrismaCloudAPIUrl']
USER = os.environ['PrismaCloudAccessKeyID']
PASSWORD = os.environ['PrismaCloudSecretKey']
FILE_SHARE_CONN_STRING = os.environ['AzureWebJobsStorage']
ALERT_LOG_TYPE = 'PaloAltoPrismaCloudAlert'
AUDIT_LOG_TYPE = 'PaloAltoPrismaCloudAudit'
# if ts of last event is older than now - MAX_PERIOD_MINUTES -> script will get events from now - MAX_PERIOD_MINUTES
MAX_PERIOD_MINUTES = 60 * 24 * 7
LOG_ANALYTICS_URI = os.environ.get('logAnalyticsUri')
if not LOG_ANALYTICS_URI or str(LOG_ANALYTICS_URI).isspace():
LOG_ANALYTICS_URI = 'https://' + WORKSPACE_ID + '.ods.opinsights.azure.com'
pattern = r'https:\/\/([\w\-]+)\.ods\.opinsights\.azure.([a-zA-Z\.]+)$'
match = re.match(pattern, str(LOG_ANALYTICS_URI))
if not match:
raise Exception("Invalid Log Analytics Uri.")
async def main(mytimer: func.TimerRequest):
logging.info('Script started.')
prisma = PrismaCloudConnector(API_URL, USER, PASSWORD)
tasks = [
prisma.process_alerts(),
prisma.process_audit_logs()
]
await asyncio.gather(*tasks)
logging.info('Program finished. {} events have been sent.'.format(prisma.sentinel.successfull_sent_events_number))
class PrismaCloudConnector:
def __init__(self, api_url, username, password):
self.api_url = api_url
self.__username = username
self.__password = password
self._token = None
self._auth_lock = asyncio.Lock()
self.alerts_state_manager = StateManagerAsync(FILE_SHARE_CONN_STRING, share_name='prismacloudcheckpoint', file_path='prismacloudlastalert')
self.auditlogs_state_manager = StateManagerAsync(FILE_SHARE_CONN_STRING, share_name='prismacloudcheckpoint', file_path='prismacloudlastauditlog')
self.sentinel = AzureSentinelMultiConnectorAsync(LOG_ANALYTICS_URI, WORKSPACE_ID, SHARED_KEY, queue_size=10000)
self.sent_alerts = 0
self.sent_audit_logs = 0
self.last_alert_ts = None
self.last_audit_ts = None
async def process_alerts(self):
last_alert_ts_ms = await self.alerts_state_manager.get()
max_period = (int(time.time()) - MAX_PERIOD_MINUTES * 60) * 1000
if not last_alert_ts_ms or int(last_alert_ts_ms) < max_period:
alert_start_ts_ms = max_period
logging.info('Last alert was too long ago or there is no info about last alert timestamp.')
else:
alert_start_ts_ms = int(last_alert_ts_ms) + 1
logging.info('Starting searching alerts from {}'.format(alert_start_ts_ms))
async for alert in self.get_alerts(start_time=alert_start_ts_ms):
last_alert_ts_ms = alert['alertTime']
alert = self.clear_alert(alert)
await self.sentinel.send(alert, log_type=ALERT_LOG_TYPE)
self.sent_alerts += 1
self.last_alert_ts = last_alert_ts_ms
conn = self.sentinel.get_log_type_connector(ALERT_LOG_TYPE)
if conn:
await conn.flush()
logging.info('{} alerts have been sent'.format(self.sent_alerts))
await self.save_alert_checkpoint()
async def process_audit_logs(self):
last_log_ts_ms = await self.auditlogs_state_manager.get()
max_period = (int(time.time()) - MAX_PERIOD_MINUTES * 60) * 1000
if not last_log_ts_ms or int(last_log_ts_ms) < max_period:
log_start_ts_ms = max_period
logging.info('Last audit log was too long ago or there is no info about last log timestamp.')
else:
log_start_ts_ms = int(last_log_ts_ms) + 1
logging.info('Starting searching audit logs from {}'.format(log_start_ts_ms))
async for event in self.get_audit_logs(start_time=log_start_ts_ms):
if not last_log_ts_ms:
last_log_ts_ms = event['timestamp']
elif event['timestamp'] > int(last_log_ts_ms):
last_log_ts_ms = event['timestamp']
await self.sentinel.send(event, log_type=AUDIT_LOG_TYPE)
self.sent_audit_logs += 1
self.last_audit_ts = last_log_ts_ms
conn = self.sentinel.get_log_type_connector(AUDIT_LOG_TYPE)
if conn:
await conn.flush()
logging.info('{} audit logs have been sent'.format(self.sent_audit_logs))
await self.save_audit_checkpoint()
async def _authorize(self):
async with self._auth_lock:
if not self._token:
uri = self.api_url + '/login'
headers = {
"Accept": "application/json; charset=UTF-8",
"Content-Type": "application/json; charset=UTF-8"
}
data = {
'username': self.__username,
'password': self.__password
}
data = json.dumps(data)
async with aiohttp.ClientSession() as session:
async with session.post(uri, data=data, headers=headers) as response:
if response.status != 200:
raise Exception('Error while getting Prisma Cloud auth token. HTTP status code: {}'.format(response.status))
res = await response.text()
res = json.loads(res)
self._token = res['token']
logging.info('Auth token for Prisma Cloud was obtained.')
async def get_alerts(self, start_time):
await self._authorize()
uri = self.api_url + '/v2/alert'
headers = {
'x-redlock-auth': self._token,
"Accept": "application/json; charset=UTF-8",
"Content-Type": "application/json; charset=UTF-8"
}
async with aiohttp.ClientSession() as session:
unix_ts_now = (int(time.time()) - 10) * 1000
data = {
"timeRange": {
"type": "absolute",
"value": {
"startTime": start_time,
"endTime": unix_ts_now
}
},
"sortBy": ["alertTime:asc"],
"detailed": True
}
data = json.dumps(data)
async with session.post(uri, headers=headers, data=data) as response:
if response.status != 200:
raise Exception('Error while getting alerts. HTTP status code: {}'.format(response.status))
res = await response.text()
res = json.loads(res)
for item in res['items']:
yield item
while 'nextPageToken' in res:
data = {
'pageToken': res['nextPageToken']
}
data = json.dumps(data)
async with session.post(uri, headers=headers, data=data) as response:
if response.status != 200:
raise Exception('Error while getting alerts. HTTP status code: {}'.format(response.status))
res = await response.text()
res = json.loads(res)
for item in res['items']:
yield item
@staticmethod
def clear_alert(alert):
if 'resource' in alert and 'data' in alert['resource']:
del alert['resource']['data']
return alert
async def get_audit_logs(self, start_time):
await self._authorize()
uri = self.api_url + '/audit/redlock'
headers = {
'x-redlock-auth': self._token,
"Accept": "*/*",
"Content-Type": "application/json"
}
async with aiohttp.ClientSession() as session:
unix_ts_now = (int(time.time()) - 10) * 1000
params = {
'timeType': 'absolute',
'startTime': start_time,
'endTime': unix_ts_now
}
async with session.get(uri, headers=headers, params=params) as response:
if response.status != 200:
raise Exception('Error while getting audit logs. HTTP status code: {}'.format(response.status))
res = await response.text()
res = json.loads(res)
for item in res:
yield item
async def save_alert_checkpoint(self):
if self.last_alert_ts:
await self.alerts_state_manager.post(str(self.last_alert_ts))
logging.info('Last alert ts saved - {}'.format(self.last_alert_ts))
async def save_audit_checkpoint(self):
if self.last_audit_ts:
await self.auditlogs_state_manager.post(str(self.last_audit_ts))
logging.info('Last audit ts saved - {}'.format(self.last_audit_ts))
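Review bot: `_authorize` POSTs the Prisma secret key to `self.api_url + '/login'` with no check on the scheme of `PrismaCloudAPIUrl`, so a value entered as `http://…` ships the credential in clear text; add a guard beside the Log Analytics URI check, e.g. `if not API_URL.startswith('https://'): raise Exception('PrismaCloudAPIUrl must be an https:// URL')`. The Log Analytics pattern itself has an unescaped dot before the TLD group (`azure.([a-zA-Z\.]+)`), so `\.azure\.` is what is meant. Separately, a non-200 from `/v2/alert` or `/audit/redlock` is raised as a bare exception and `self._token` is never refreshed, so a rejected token fails the whole run rather than re-authenticating once; whether Prisma tokens can expire within a single run cannot be confirmed from here.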


@ -0,0 +1,117 @@
import datetime
import logging
import json
import hashlib
import hmac
import base64
import aiohttp
import asyncio
from collections import deque
class AzureSentinelConnectorAsync:
def __init__(self, log_analytics_uri, workspace_id, shared_key, log_type, queue_size=1000, queue_size_bytes=25 * (2**20)):
self.log_analytics_uri = log_analytics_uri
self.workspace_id = workspace_id
self.shared_key = shared_key
self.log_type = log_type
self.queue_size = queue_size
self.queue_size_bytes = queue_size_bytes
self._queue = deque()
self.successfull_sent_events_number = 0
self.lock = asyncio.Lock()
async def send(self, event):
events = None
async with self.lock:
self._queue.append(event)
if len(self._queue) >= self.queue_size:
events = list(self._queue)
self._queue.clear()
if events:
await self._flush(events)
async def flush(self):
await self._flush(list(self._queue))
async def _flush(self, data: list):
if data:
data = self._split_big_request(data)
async with aiohttp.ClientSession() as session:
tasks = [self._post_data(session, self.workspace_id, self.shared_key, d, self.log_type) for d in data]
await asyncio.gather(*tasks)
def _build_signature(self, workspace_id, shared_key, date, content_length, method, content_type, resource):
x_headers = 'x-ms-date:' + date
string_to_hash = method + "\n" + str(content_length) + "\n" + content_type + "\n" + x_headers + "\n" + resource
bytes_to_hash = bytes(string_to_hash, encoding="utf-8")
decoded_key = base64.b64decode(shared_key)
encoded_hash = base64.b64encode(hmac.new(decoded_key, bytes_to_hash, digestmod=hashlib.sha256).digest()).decode()
authorization = "SharedKey {}:{}".format(workspace_id, encoded_hash)
return authorization
async def _post_data(self, session: aiohttp.ClientSession, workspace_id, shared_key, body, log_type):
logging.info('Start sending data to sentinel')
events_number = len(body)
body = json.dumps(body)
method = 'POST'
content_type = 'application/json'
resource = '/api/logs'
rfc1123date = datetime.datetime.utcnow().strftime('%a, %d %b %Y %H:%M:%S GMT')
content_length = len(body)
signature = self._build_signature(workspace_id, shared_key, rfc1123date, content_length, method, content_type, resource)
uri = self.log_analytics_uri + resource + '?api-version=2016-04-01'
headers = {
'content-type': content_type,
'Authorization': signature,
'Log-Type': log_type,
'x-ms-date': rfc1123date
}
async with session.post(uri, data=body, headers=headers) as response:
if (response.status >= 200 and response.status <= 299):
logging.info('{} events have been successfully sent to Azure Sentinel'.format(events_number))
self.successfull_sent_events_number += events_number
else:
raise Exception("Error during sending events to Azure Sentinel. Response code: {}".format(response.status))
def _check_size(self, queue):
data_bytes_len = len(json.dumps(queue).encode())
return data_bytes_len < self.queue_size_bytes
def _split_big_request(self, queue):
if self._check_size(queue):
return [queue]
else:
middle = int(len(queue) / 2)
queues_list = [queue[:middle], queue[middle:]]
return self._split_big_request(queues_list[0]) + self._split_big_request(queues_list[1])
class AzureSentinelMultiConnectorAsync:
def __init__(self, log_analytics_uri, workspace_id, shared_key, queue_size=1000, queue_size_bytes=25 * (2**20)):
self.log_analytics_uri = log_analytics_uri
self.workspace_id = workspace_id
self.shared_key = shared_key
self.queue_size = queue_size
self.queue_size_bytes = queue_size_bytes
self.connectors = dict()
async def send(self, event, log_type):
if log_type not in self.connectors:
self.connectors[log_type] = AzureSentinelConnectorAsync(self.log_analytics_uri, self.workspace_id, self.shared_key, log_type, self.queue_size, self.queue_size_bytes)
conn = self.connectors[log_type]
await conn.send(event)
async def flush(self):
if self.connectors:
tasks = [conn.flush() for conn in self.connectors.values()]
await asyncio.gather(*tasks)
@property
def successfull_sent_events_number(self):
return sum([conn.successfull_sent_events_number for conn in self.connectors.values()])
def get_log_type_connector(self, log_type):
return self.connectors.get(log_type)
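Review bot: `flush()` sends `list(self._queue)` but never empties the queue, so a second flush on the same connector — `AzureSentinelMultiConnectorAsync.flush()` followed by `get_log_type_connector(...).flush()`, or any retry — re-posts the same events to the workspace and double-counts `successfull_sent_events_number`; take the lock and drain the way `send()` does: `async with self.lock:` / `events = list(self._queue); self._queue.clear()` / `await self._flush(events)`. `_split_big_request` also recurses without end on a single event larger than `queue_size_bytes`, because `middle` is 0 and the `[0:]` half is the same one-element list; a `len(queue) == 1` guard that raises (or logs and drops) is needed before the split.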


@ -0,0 +1,40 @@
from azure.storage.fileshare.aio import ShareClient
from azure.storage.fileshare.aio import ShareFileClient
from azure.core.exceptions import ResourceNotFoundError, ResourceExistsError
class StateManagerAsync:
def __init__(self, connection_string, share_name='funcstatemarkershare', file_path='funcstatemarkerfile'):
self.connection_string = connection_string
self.share_name = share_name
self.file_path = file_path
def _get_file_cli(self):
return ShareFileClient.from_connection_string(conn_str=self.connection_string, share_name=self.share_name, file_path=self.file_path)
def _get_share_cli(self):
return ShareClient.from_connection_string(conn_str=self.connection_string, share_name=self.share_name)
async def post(self, marker_text: str):
file_cli = self._get_file_cli()
async with file_cli:
try:
await file_cli.upload_file(marker_text)
except ResourceNotFoundError:
share_cli = self._get_share_cli()
async with share_cli:
try:
await share_cli.create_share()
except ResourceExistsError:
pass
await file_cli.upload_file(marker_text)
async def get(self):
file_cli = self._get_file_cli()
async with file_cli:
try:
cor = await file_cli.download_file()
f = await cor.readall()
return f.decode()
except ResourceNotFoundError:
return None

Solutions/PaloAltoPrismaCloud/Data Connectors/PrismaCloudConn.zip Normal file



@ -0,0 +1,144 @@
{
"id": "PaloAltoPrismaCloud",
"title": "Palo Alto Prisma Cloud",
"publisher": "Palo Alto",
"descriptionMarkdown": "The Palo Alto Prisma Cloud data connector provides the capability to ingest [Prisma Cloud alerts](https://docs.paloaltonetworks.com/prisma/prisma-cloud/prisma-cloud-admin/manage-prisma-cloud-alerts/prisma-cloud-alert-notifications.html) and audit logs into Azure Sentinel using the Prisma Cloud API. Refer to [Prisma Cloud documentation](https://api.docs.prismacloud.io/reference) for more information.",
"additionalRequirementBanner": "This data connector depends on a parser based on a Kusto Function to work as expected [**PaloAltoPrismaCloud**](https://aka.ms/sentinel-PaloAltoPrismaCloud-parser) which is deployed with the Azure Sentinel Solution.",
"graphQueries": [
{
"metricName": "Prisma Cloud alerts",
"legend": "PaloAltoPrismaCloudAlert_CL",
"baseQuery": "PaloAltoPrismaCloudAlert_CL"
},
{
"metricName": "Prisma Cloud audit logs",
"legend": "PaloAltoPrismaCloudAudit_CL",
"baseQuery": "PaloAltoPrismaCloudAudit_CL"
}
],
"sampleQueries": [
{
"description" : "All Prisma Cloud alerts",
"query": "PaloAltoPrismaCloudAlert_CL\n| sort by TimeGenerated desc"
},
{
"description" : "All Prisma Cloud audit logs",
"query": "PaloAltoPrismaCloudAudit_CL\n| sort by TimeGenerated desc"
}
],
"dataTypes": [
{
"name": "PaloAltoPrismaCloudAlert_CL",
"lastDataReceivedQuery": "PaloAltoPrismaCloudAlert_CL\n | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)"
},
{
"name": "PaloAltoPrismaCloudAudit_CL",
"lastDataReceivedQuery": "PaloAltoPrismaCloudAudit_CL\n | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)"
}
],
"connectivityCriterias": [
{
"type": "IsConnectedQuery",
"value": [
"PaloAltoPrismaCloudAlert_CL\n | summarize LastLogReceived = max(TimeGenerated)\n | project IsConnected = LastLogReceived > ago(3d)",
"PaloAltoPrismaCloudAudit_CL\n | summarize LastLogReceived = max(TimeGenerated)\n | project IsConnected = LastLogReceived > ago(3d)"
]
}
],
"availability": {
"status": 1,
"isPreview": true
},
"permissions": {
"resourceProvider": [
{
"provider": "Microsoft.OperationalInsights/workspaces",
"permissionsDisplayText": "read and write permissions on the workspace are required.",
"providerDisplayName": "Workspace",
"scope": "Workspace",
"requiredPermissions": {
"write": true,
"read": true,
"delete": true
}
},
{
"provider": "Microsoft.OperationalInsights/workspaces/sharedKeys",
"permissionsDisplayText": "read permissions to shared keys for the workspace are required. [See the documentation to learn more about workspace keys](https://docs.microsoft.com/azure/azure-monitor/platform/agent-windows#obtain-workspace-id-and-key).",
"providerDisplayName": "Keys",
"scope": "Workspace",
"requiredPermissions": {
"action": true
}
}
],
"customs": [
{
"name": "Microsoft.Web/sites permissions",
"description": "Read and write permissions to Azure Functions to create a Function App is required. [See the documentation to learn more about Azure Functions](https://docs.microsoft.com/azure/azure-functions/)."
},
{
"name": "Palo Alto Prisma Cloud API Credentials",
"description": "**Prisma Cloud API Url**, **Prisma Cloud Access Key ID**, **Prisma Cloud Secret Key** are required for Prisma Cloud API connection. See the documentation to learn more about [creating Prisma Cloud Access Key](https://docs.paloaltonetworks.com/prisma/prisma-cloud/prisma-cloud-admin/manage-prisma-cloud-administrators/create-access-keys.html) and about [obtaining Prisma Cloud API Url](https://api.docs.prismacloud.io/reference)"
}
]
},
"instructionSteps": [
{
"title": "",
"description": ">**NOTE:** This connector uses Azure Functions to connect to the Palo Alto Prisma Cloud REST API to pull logs into Azure Sentinel. This might result in additional data ingestion costs. Check the [Azure Functions pricing page](https://azure.microsoft.com/pricing/details/functions/) for details."
},
{
"title": "",
"description": ">**(Optional Step)** Securely store workspace and API authorization key(s) or token(s) in Azure Key Vault. Azure Key Vault provides a secure mechanism to store and retrieve key values. [Follow these instructions](https://docs.microsoft.com/azure/app-service/app-service-key-vault-references) to use Azure Key Vault with an Azure Function App."
},
{
"title": "",
"description": ">**NOTE:** This data connector depends on a parser based on a Kusto Function to work as expected [**PaloAltoPrismaCloud**](https://aka.ms/sentinel-PaloAltoPrismaCloud-parser) which is deployed with the Azure Sentinel Solution."
},
{
"title": "",
"description": "**STEP 1 - Configuration of the Prisma Cloud**\n\nFollow the documentation to [create Prisma Cloud Access Key](https://docs.paloaltonetworks.com/prisma/prisma-cloud/prisma-cloud-admin/manage-prisma-cloud-administrators/create-access-keys.html) and [obtain Prisma Cloud API Url](https://api.docs.prismacloud.io/reference)"
},
{
"title": "",
"description": "**STEP 2 - Choose ONE from the following two deployment options to deploy the connector and the associated Azure Function**\n\n>**IMPORTANT:** Before deploying the Prisma Cloud data connector, have the Workspace ID and Workspace Primary Key (can be copied from the following), as well as Prisma Cloud API credentials, readily available.",
"instructions":[
{
"parameters": {
"fillWith": [
"WorkspaceId"
],
"label": "Workspace ID"
},
"type": "CopyableLabel"
},
{
"parameters": {
"fillWith": [
"PrimaryKey"
],
"label": "Primary Key"
},
"type": "CopyableLabel"
}
]
},
{
"title": "Option 1 - Azure Resource Manager (ARM) Template",
"description": "Use this method for automated deployment of the Prisma Cloud data connector using an ARM Tempate.\n\n1. Click the **Deploy to Azure** button below. \n\n\t[![Deploy To Azure](https://aka.ms/deploytoazurebutton)](https://aka.ms/sentinel-PaloAltoPrismaCloud-azuredeploy)\n2. Select the preferred **Subscription**, **Resource Group** and **Location**. \n3. Enter the **Prisma Cloud API Url**, **Prisma Cloud Access Key ID**, **Prisma Cloud Secret Key**, **Azure Sentinel Workspace Id**, **Azure Sentinel Shared Key**\n4. Mark the checkbox labeled **I agree to the terms and conditions stated above**.\n5. Click **Purchase** to deploy."
},
{
"title": "Option 2 - Manual Deployment of Azure Functions",
"description": "Use the following step-by-step instructions to deploy the Prisma Cloud data connector manually with Azure Functions (Deployment via Visual Studio Code)."
},
{
"title": "",
"description": "**1. Deploy a Function App**\n\n> **NOTE:** You will need to [prepare VS code](https://docs.microsoft.com/azure/azure-functions/create-first-function-vs-code-python) for Azure function development.\n\n1. Download the [Azure Function App](https://aka.ms/sentinel-PaloAltoPrismaCloud-functionapp) file. Extract archive to your local development computer.\n2. Start VS Code. Choose File in the main menu and select Open Folder.\n3. Select the top level folder from extracted files.\n4. Choose the Azure icon in the Activity bar, then in the **Azure: Functions** area, choose the **Deploy to function app** button.\nIf you aren't already signed in, choose the Azure icon in the Activity bar, then in the **Azure: Functions** area, choose **Sign in to Azure**\nIf you're already signed in, go to the next step.\n5. Provide the following information at the prompts:\n\n\ta. **Select folder:** Choose a folder from your workspace or browse to one that contains your function app.\n\n\tb. **Select Subscription:** Choose the subscription to use.\n\n\tc. Select **Create new Function App in Azure** (Don't choose the Advanced option)\n\n\td. **Enter a globally unique name for the function app:** Type a name that is valid in a URL path. The name you type is validated to make sure that it's unique in Azure Functions. (e.g. PrismaCloud).\n\n\te. **Select a runtime:** Choose Python 3.8.\n\n\tf. Select a location for new resources. For better performance and lower costs choose the same [region](https://azure.microsoft.com/regions/) where Azure Sentinel is located.\n\n6. Deployment will begin. A notification is displayed after your function app is created and the deployment package is applied.\n7. Go to Azure Portal for the Function App configuration."
},
{
"title": "",
"description": "**2. Configure the Function App**\n\n1. In the Function App, select the Function App Name and select **Configuration**.\n2. In the **Application settings** tab, select **+ New application setting**.\n3. Add each of the following application settings individually, with their respective string values (case-sensitive): \n\t\tPrismaCloudAPIUrl\n\t\tPrismaCloudAccessKeyID\n\t\tPrismaCloudSecretKey\n\t\tAzureSentinelWorkspaceId\n\t\tAzureSentinelSharedKey\n\t\tlogAnalyticsUri (Optional)\n - Use logAnalyticsUri to override the log analytics API endpoint for dedicated cloud. For example, for public cloud, leave the value empty; for Azure GovUS cloud environment, specify the value in the following format: `https://WORKSPACE_ID.ods.opinsights.azure.us`. \n4. Once all application settings have been entered, click **Save**."
}
]
}
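Review bot: `requiredPermissions` for the `Microsoft.OperationalInsights/workspaces` entry sets `"delete": true` while its `permissionsDisplayText` promises only "read and write"; the function ingests through the Data Collector API with the shared key and nothing in this PR deletes workspace resources, so `"delete": false` keeps the prompt honest and least-privileged unless the solution deployment itself needs it. The Key Vault step is marked optional, yet the ARM option in this PR writes `PrismaCloudSecretKey` and `AzureSentinelSharedKey` into plain application settings, so that step should at least state that the values are readable by anyone with configuration access on the Function App.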


@ -0,0 +1,205 @@
{
"$schema": "http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"parameters": {
"FunctionName": {
"defaultValue": "PrismaCloud",
"type": "string",
"minLength": 1,
"maxLength": 11
},
"PrismaCloudAPIUrl": {
"type": "string",
"defaultValue": ""
},
"PrismaCloudAccessKeyID": {
"type": "string",
"defaultValue": ""
},
"PrismaCloudSecretKey": {
"type": "securestring",
"defaultValue": ""
},
"AzureSentinelWorkspaceId": {
"type": "string",
"defaultValue": ""
},
"AzureSentinelSharedKey": {
"type": "securestring",
"defaultValue": ""
}
},
"variables": {
"FunctionName": "[concat(toLower(parameters('FunctionName')), uniqueString(resourceGroup().id))]",
"StorageSuffix": "[environment().suffixes.storage]",
"LogAnaltyicsUri": "[replace(environment().portal, 'https://portal', concat('https://', toLower(parameters('AzureSentinelWorkspaceId')), '.ods.opinsights'))]"
},
"resources": [
{
"type": "Microsoft.Insights/components",
"apiVersion": "2015-05-01",
"name": "[variables('FunctionName')]",
"location": "[resourceGroup().location]",
"kind": "web",
"properties": {
"Application_Type": "web",
"ApplicationId": "[variables('FunctionName')]"
}
},
{
"type": "Microsoft.Storage/storageAccounts",
"apiVersion": "2019-06-01",
"name": "[tolower(variables('FunctionName'))]",
"location": "[resourceGroup().location]",
"sku": {
"name": "Standard_LRS",
"tier": "Standard"
},
"kind": "StorageV2",
"properties": {
"networkAcls": {
"bypass": "AzureServices",
"virtualNetworkRules": [],
"ipRules": [],
"defaultAction": "Allow"
},
"supportsHttpsTrafficOnly": true,
"encryption": {
"services": {
"file": {
"keyType": "Account",
"enabled": true
},
"blob": {
"keyType": "Account",
"enabled": true
}
},
"keySource": "Microsoft.Storage"
}
}
},
{
"type": "Microsoft.Storage/storageAccounts/blobServices",
"apiVersion": "2019-06-01",
"name": "[concat(variables('FunctionName'), '/default')]",
"dependsOn": [
"[resourceId('Microsoft.Storage/storageAccounts', tolower(variables('FunctionName')))]"
],
"sku": {
"name": "Standard_LRS",
"tier": "Standard"
},
"properties": {
"cors": {
"corsRules": []
},
"deleteRetentionPolicy": {
"enabled": false
}
}
},
{
"type": "Microsoft.Storage/storageAccounts/fileServices",
"apiVersion": "2019-06-01",
"name": "[concat(variables('FunctionName'), '/default')]",
"dependsOn": [
"[resourceId('Microsoft.Storage/storageAccounts', tolower(variables('FunctionName')))]"
],
"sku": {
"name": "Standard_LRS",
"tier": "Standard"
},
"properties": {
"cors": {
"corsRules": []
}
}
},
{
"type": "Microsoft.Web/sites",
"apiVersion": "2018-11-01",
"name": "[variables('FunctionName')]",
"location": "[resourceGroup().location]",
"dependsOn": [
"[resourceId('Microsoft.Storage/storageAccounts', tolower(variables('FunctionName')))]",
"[resourceId('Microsoft.Insights/components', variables('FunctionName'))]"
],
"kind": "functionapp,linux",
"identity": {
"type": "SystemAssigned"
},
"properties": {
"name": "[variables('FunctionName')]",
"httpsOnly": true,
"clientAffinityEnabled": true,
"alwaysOn": true,
"reserved": true,
"siteConfig": {
"linuxFxVersion": "python|3.8"
}
},
"resources": [
{
"apiVersion": "2018-11-01",
"type": "config",
"name": "appsettings",
"dependsOn": [
"[concat('Microsoft.Web/sites/', variables('FunctionName'))]"
],
"properties": {
"FUNCTIONS_EXTENSION_VERSION": "~3",
"FUNCTIONS_WORKER_RUNTIME": "python",
"APPINSIGHTS_INSTRUMENTATIONKEY": "[reference(resourceId('Microsoft.insights/components', variables('FunctionName')), '2015-05-01').InstrumentationKey]",
"APPLICATIONINSIGHTS_CONNECTION_STRING": "[reference(resourceId('microsoft.insights/components', variables('FunctionName')), '2015-05-01').ConnectionString]",
"AzureWebJobsStorage": "[concat('DefaultEndpointsProtocol=https;AccountName=', toLower(variables('FunctionName')),';AccountKey=',listKeys(resourceId('Microsoft.Storage/storageAccounts', toLower(variables('FunctionName'))), '2019-06-01').keys[0].value, ';EndpointSuffix=',toLower(variables('StorageSuffix')))]",
"PrismaCloudAPIUrl": "[parameters('PrismaCloudAPIUrl')]",
"PrismaCloudSecretKey": "[parameters('PrismaCloudSecretKey')]",
"PrismaCloudAccessKeyID": "[parameters('PrismaCloudAccessKeyID')]",
"AzureSentinelWorkspaceId": "[parameters('AzureSentinelWorkspaceId')]",
"AzureSentinelSharedKey": "[parameters('AzureSentinelSharedKey')]",
"logAnalyticsUri": "[variables('LogAnaltyicsUri')]",
"WEBSITE_RUN_FROM_PACKAGE": "https://aka.ms/sentinel-PaloAltoPrismaCloud-functionapp"
}
}
]
},
{
"type": "Microsoft.Storage/storageAccounts/blobServices/containers",
"apiVersion": "2019-06-01",
"name": "[concat(variables('FunctionName'), '/default/azure-webjobs-hosts')]",
"dependsOn": [
"[resourceId('Microsoft.Storage/storageAccounts/blobServices', variables('FunctionName'), 'default')]",
"[resourceId('Microsoft.Storage/storageAccounts', variables('FunctionName'))]"
],
"properties": {
"publicAccess": "None"
}
},
{
"type": "Microsoft.Storage/storageAccounts/blobServices/containers",
"apiVersion": "2019-06-01",
"name": "[concat(variables('FunctionName'), '/default/azure-webjobs-secrets')]",
"dependsOn": [
"[resourceId('Microsoft.Storage/storageAccounts/blobServices', variables('FunctionName'), 'default')]",
"[resourceId('Microsoft.Storage/storageAccounts', variables('FunctionName'))]"
],
"properties": {
"publicAccess": "None"
}
},
{
"type": "Microsoft.Storage/storageAccounts/fileServices/shares",
"apiVersion": "2019-06-01",
"name": "[concat(variables('FunctionName'), '/default/', tolower(variables('FunctionName')))]",
"dependsOn": [
"[resourceId('Microsoft.Storage/storageAccounts/fileServices', variables('FunctionName'), 'default')]",
"[resourceId('Microsoft.Storage/storageAccounts', variables('FunctionName'))]"
],
"properties": {
"shareQuota": 5120
}
}
]
}
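Review bot: The site gets `"identity": {"type": "SystemAssigned"}` but nothing uses it, and `PrismaCloudSecretKey` and `AzureSentinelSharedKey` are written straight into `appsettings`, where anyone with configuration read on the Function App can view them; a Key Vault with an access policy for that identity and `@Microsoft.KeyVault(...)` references for the two secrets would put the identity the template already creates to work. `WEBSITE_RUN_FROM_PACKAGE` points at a mutable `aka.ms` redirect with no digest pinning, so whoever can change that redirect or the backing blob controls the code that runs with these credentials; a versioned, immutable package URL (or deploying the zip into the template's own storage account) narrows that. The storage account and site also leave hardening defaults open: add `"minimumTlsVersion": "TLS1_2"` and `"allowBlobPublicAccess": false` to the storage `properties`, and `"ftpsState": "Disabled"` to `siteConfig`.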


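--- /dev/null
+++ b/host.json
@@ -0,0 +1,15 @@
+{
+"version": "2.0",
+"logging": {
+"applicationInsights": {
+"samplingSettings": {
+"isEnabled": true,
+"excludedTypes": "Request"
+}
+}
+},
+"extensionBundle": {
+"id": "Microsoft.Azure.Functions.ExtensionBundle",
+"version": "[1.*, 2.0.0)"
+}
+}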


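--- /dev/null
+++ b/proxies.json
@@ -0,0 +1,4 @@
+{
+"$schema": "http://json.schemastore.org/proxies",
+"proxies": {}
+}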


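--- /dev/null
+++ b/requirements.txt
@@ -0,0 +1,3 @@
+azure-functions
+aiohttp==3.7.4.post0
+azure-storage-file-share==12.4.1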
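Review bot: `azure-functions` is the only unpinned entry, so the package a deployment builds with is whatever PyPI serves that day while `aiohttp` and `azure-storage-file-share` are frozen; pin it to the version the connector was tested against. Generating the file with hashes (`pip-compile --generate-hashes`) would additionally let the build verify what it installs, which matters for code that holds the Prisma secret key and the workspace shared key.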


@ -0,0 +1,30 @@
id: f2e509e5-6eda-4626-a167-2875eb9c48af
name: Palo Alto Prisma Cloud - Access keys used
description: |
'Query searches for access keys used for programmatic access.'
severity: Medium
requiredDataConnectors:
- connectorId: PaloAltoPrismaCloud
dataTypes:
- PaloAltoPrismaCloud
tactics:
- InitialAccess
relevantTechniques:
- T1133
query: |
PaloAltoPrismaCloud
| where TimeGenerated > ago(30d)
| where ResourceType =~ 'Login'
| where EventMessage has 'access key'
| summarize by UserName, SrcIpAddr
| extend IPCustomEntity = SrcIpAddr
| extend AccountCustomEntity = UserName
entityMappings:
- entityType: IP
fieldMappings:
- identifier: Address
columnName: IPCustomEntity
- entityType: Account
fieldMappings:
- identifier: Name
columnName: AccountCustomEntity
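Review bot: `| summarize by UserName, SrcIpAddr` collapses each pair to a single row with no count or time, so a hunter cannot tell one key use from thousands; `| summarize Count = count(), FirstSeen = min(TimeGenerated), LastSeen = max(TimeGenerated) by UserName, SrcIpAddr` keeps that without changing the entity columns. The 30-day window is hard-coded in the query while the other hunting queries in this set use 24h; either is fine, but the description should say which period the query covers. T1133 (External Remote Services) is arguably a loose fit for programmatic cloud access keys; T1078.004 (Valid Accounts: Cloud Accounts) describes this activity more closely.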


@ -0,0 +1,26 @@
id: 21b4c55b-3a86-40a4-81c4-31945e8f7562
name: Palo Alto Prisma Cloud - Top sources of failed logins
description: |
'Query searches for top source IP addresses of failed logins.'
severity: Medium
requiredDataConnectors:
- connectorId: PaloAltoPrismaCloud
dataTypes:
- PaloAltoPrismaCloud
tactics:
- InitialAccess
relevantTechniques:
- T1078
query: |
PaloAltoPrismaCloud
| where TimeGenerated > ago(24h)
| where ResourceType =~ 'Login'
| where EventMessage !has 'access key'
| summarize count() by SrcIpAddr
| order by count_ desc
| extend IPCustomEntity = SrcIpAddr
entityMappings:
- entityType: IP
fieldMappings:
- identifier: Address
columnName: IPCustomEntity
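Review bot: Nothing in the query restricts to failed attempts — there is no `EventResult =~ 'Failed'` filter, which the multiple-failed-logins rule in this PR applies to the same Login records — so the result is really the top sources of all console logins, successful ones included; add `| where EventResult =~ 'Failed'` after the `ResourceType` line. `summarize count() by SrcIpAddr` also lists every address with a single failure; `| top 20 by count_ desc` in place of the `order by` keeps the output to the sources worth looking at.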


@ -0,0 +1,26 @@
id: 4c17ad45-fe78-4639-98cc-3b2fd173b053
name: Palo Alto Prisma Cloud - Top users by failed logins
description: |
'Query searches for users who have large number of failed logins.'
severity: Medium
requiredDataConnectors:
- connectorId: PaloAltoPrismaCloud
dataTypes:
- PaloAltoPrismaCloud
tactics:
- InitialAccess
relevantTechniques:
- T1078
query: |
PaloAltoPrismaCloud
| where TimeGenerated > ago(24h)
| where ResourceType =~ 'Login'
| where EventMessage !has 'access key'
| summarize count() by UserName
| order by count_ desc
| extend AccountCustomEntity = UserName
entityMappings:
- entityType: Account
fieldMappings:
- identifier: Name
columnName: AccountCustomEntity
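Review bot: As written the query counts every console login per user, not failed ones: it has no `EventResult =~ 'Failed'` filter, which the multiple-failed-logins rule in this PR applies to the same Login records; add `| where EventResult =~ 'Failed'` after the `ResourceType` line so the name and description hold. The description's "large number" has no threshold in the query either; `| where count_ > 5` (or a `let threshold = 5;` at the top) makes it explicit and tunable.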


@ -0,0 +1,27 @@
id: 23a0867f-a522-4b34-acf4-0eadf75fc1e7
name: Palo Alto Prisma Cloud - High risk score opened alerts
description: |
'Query searches for alerts with high risk score value.'
severity: Medium
requiredDataConnectors:
- connectorId: PaloAltoPrismaCloud
dataTypes:
- PaloAltoPrismaCloud
tactics:
- InitialAccess
relevantTechniques:
- T1078
query: |
PaloAltoPrismaCloud
| where TimeGenerated > ago(24h)
| where Reason =~ 'NEW_ALERT'
| where Status =~ 'open'
| extend r_score = 0.85 * toint(RiskDetailRiskScoreMaxScore)
| extend i_RiskDetailRiskScoreScore = toint(RiskDetailRiskScoreScore)
| where i_RiskDetailRiskScoreScore > r_score
| extend AccountCustomEntity = UserName
entityMappings:
- entityType: Account
fieldMappings:
- identifier: Name
columnName: AccountCustomEntity
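Review bot: `AccountCustomEntity = UserName` maps an account that alert rows do not carry: in the parser `UserName` is produced only by the audit view (`project-rename UserName=user`), while `NEW_ALERT` rows come from the alert view, whose user-like columns are `ResourceDataUser` and `PolicyLastModifiedBy`. Under `union isfuzzy=true` the column exists but is empty for alert rows, so the Account entity of this query — and of `High severity alerts`, `Opened alerts` and `Updated resources` — is never populated. Either map one of the alert-side columns (e.g. `| extend AccountCustomEntity = ResourceDataUser`, if that is the identity the alert is about) or drop the Account mapping and map the resource instead. Whether Prisma Cloud fills `resource_data_user_s` for every alert type is not visible here, so confirm before choosing.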


@ -0,0 +1,24 @@
id: dde04bfe-7237-4205-a447-258201e369e4
name: Palo Alto Prisma Cloud - High severity alerts
description: |
'Query searches for high severity alerts.'
severity: Medium
requiredDataConnectors:
- connectorId: PaloAltoPrismaCloud
dataTypes:
- PaloAltoPrismaCloud
tactics:
- InitialAccess
relevantTechniques:
- T1078
query: |
PaloAltoPrismaCloud
| where TimeGenerated > ago(24h)
| where Reason =~ 'NEW_ALERT'
| where AlertSeverity =~ 'high'
| extend AccountCustomEntity = UserName
entityMappings:
- entityType: Account
fieldMappings:
- identifier: Name
columnName: AccountCustomEntity


@ -0,0 +1,31 @@
id: fd92609a-71bd-4da7-8388-e80147757e63
name: Palo Alto Prisma Cloud - New users
description: |
'Query searches for new users.'
severity: Low
requiredDataConnectors:
- connectorId: PaloAltoPrismaCloud
dataTypes:
- PaloAltoPrismaCloud
tactics:
- InitialAccess
relevantTechniques:
- T1078
query: |
let known_users =
PaloAltoPrismaCloud
| where TimeGenerated between (ago(30d) .. (1d))
| where ResourceType =~ 'Login'
| where EventMessage !has 'access key'
| summarize makeset(UserName);
PaloAltoPrismaCloud
| where TimeGenerated > ago(24h)
| where ResourceType =~ 'Login'
| where EventMessage !has 'access key'
| where UserName !in (known_users)
| extend AccountCustomEntity = UserName
entityMappings:
- entityType: Account
fieldMappings:
- identifier: Name
columnName: AccountCustomEntity
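Review bot: The `known_users` window is wrong: in KQL `between (ago(30d) .. 1d)` denotes the one-day span starting 30 days ago, not the 29 days before yesterday, so the baseline covers a single day and almost every user will look new; the intended bound is `| where TimeGenerated between (ago(30d) .. ago(1d))`. `summarize makeset(UserName)` also yields a single dynamic-array row, which `UserName !in (known_users)` compares against as a whole value rather than element by element, so the exclusion will likely never match; `| distinct UserName;` gives the one-column scalar table the `in` operator expects. `makeset` is additionally the deprecated spelling of `make_set`.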


@ -0,0 +1,24 @@
id: 4a09caf2-08a2-4c1d-981d-bb734de12a29
name: Palo Alto Prisma Cloud - Opened alerts
description: |
'Query searches opened alerts.'
severity: Medium
requiredDataConnectors:
- connectorId: PaloAltoPrismaCloud
dataTypes:
- PaloAltoPrismaCloud
tactics:
- InitialAccess
relevantTechniques:
- T1078
query: |
PaloAltoPrismaCloud
| where TimeGenerated > ago(24h)
| where Reason =~ 'NEW_ALERT'
| where Status =~ 'open'
| extend AccountCustomEntity = UserName
entityMappings:
- entityType: Account
fieldMappings:
- identifier: Name
columnName: AccountCustomEntity


@ -0,0 +1,25 @@
id: 08ab5107-5c4e-4baf-b0f4-bf75c044f8b1
name: Palo Alto Prisma Cloud - Top recources with alerts
description: |
'Query searches for resources which appeared in different alerts.'
severity: Medium
requiredDataConnectors:
- connectorId: PaloAltoPrismaCloud
dataTypes:
- PaloAltoPrismaCloud
tactics:
- InitialAccess
relevantTechniques:
- T1133
query: |
PaloAltoPrismaCloud
| where TimeGenerated > ago(24h)
| where Reason =~ 'NEW_ALERT'
| summarize count() by ResourceName
| order by count_ desc
| extend AccountCustomEntity = UserName
entityMappings:
- entityType: Account
fieldMappings:
- identifier: Name
columnName: AccountCustomEntity
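Review bot: The `| extend AccountCustomEntity = UserName` line fails at query time, because after `summarize count() by ResourceName` only `ResourceName` and `count_` remain and `UserName` no longer exists; the query is rejected with a semantic error rather than returning results. Since the description is about resources, the entity should be the resource: keep `ResourceName` (and `ResourceId`, which the parser provides) in the summarize key and map that column instead of an Account, or, if an account mapping is wanted, add the account column to the `by` clause. The name also misspells `recources`.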


@ -0,0 +1,23 @@
id: d0a145c5-546d-48df-a5d7-8866f3bbe24f
name: Palo Alto Prisma Cloud - Updated resources
description: |
'Query searches recently updated resources.'
severity: Medium
requiredDataConnectors:
- connectorId: PaloAltoPrismaCloud
dataTypes:
- PaloAltoPrismaCloud
tactics:
- InitialAccess
relevantTechniques:
- T1133
query: |
PaloAltoPrismaCloud
| where TimeGenerated > ago(24h)
| Reason =~ 'RESOURCE_UPDATED'
| extend AccountCustomEntity = UserName
entityMappings:
- entityType: Account
fieldMappings:
- identifier: Name
columnName: AccountCustomEntity
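Review bot: `| Reason =~ 'RESOURCE_UPDATED'` is missing its operator and is a syntax error, so the whole query fails to run; it should read `| where Reason =~ 'RESOURCE_UPDATED'`. This is the only filter that distinguishes the query from a dump of the last 24 hours, so the mistake will not be caught by an empty result once it is corrected the wrong way.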


@ -0,0 +1,167 @@
// Usage Instruction :
// Paste below query in log analytics, click on Save button and select as Function from drop down by specifying function name and alias as PaloAltoPrismaCloud.
// Function usually takes 10-15 minutes to activate. You can then use function alias from any other queries (e.g. PaloAltoPrismaCloud | take 10).
// Reference : Using functions in Azure monitor log queries : https://docs.microsoft.com/azure/azure-monitor/log-query/functions
let Audit_view = view () {
PaloAltoPrismaCloudAudit_CL
| where isnotempty(user_g)
| extend
EventType='PaloAltoPrismaCloudAudit',
user=iff(isnotempty(column_ifexists('user_s', '')), column_ifexists('user_s', ''), column_ifexists('user_g', '')),
resourceName=iff(isnotempty(column_ifexists('resourceName_s', '')), column_ifexists('resourceName_s', ''), column_ifexists('resourceName_g', '')),
timestamp_d=column_ifexists('timestamp_d', ''),
IPAddress=column_ifexists('IPAddress', ''),
ResourceType=column_ifexists('ResourceType', ''),
action_s=column_ifexists('action_s', ''),
result_s=column_ifexists('result_s', '')
| project-rename
UserName=user,
ResourceName=resourceName,
EventEndTime=timestamp_d,
SrcIpAddr=IPAddress,
EventMessage=action_s,
EventResult=result_s
| project-away
user_g,
user_s,
resourceName_s,
resourceName_g
};
let Alert_view = view () {
PaloAltoPrismaCloudAlert_CL
| extend
EventType='PaloAltoPrismaCloudAlert',
reason_s=column_ifexists('reason_s', ''),
policy_name_s=column_ifexists('policy_name_s', ''),
policy_description_s=column_ifexists('policy_description_s', ''),
policy_severity_s=column_ifexists('policy_severity_s', ''),
policy_recommendation_s=column_ifexists('policy_recommendation_s', ''),
policy_labels_s=column_ifexists('policy_labels_s', ''),
policy_lastModifiedOn_d=column_ifexists('policy_lastModifiedOn_d', ''),
policy_lastModifiedBy_s=column_ifexists('policy_lastModifiedBy_s', ''),
policy_deleted_b=column_ifexists('policy_deleted_b', ''),
policy_remediation_description_s=column_ifexists('policy_remediation_description_s', ''),
policy_remediation_impact_s=column_ifexists('policy_remediation_impact_s', ''),
policy_remediation_cliScriptTemplate_s=column_ifexists('policy_remediation_cliScriptTemplate_s', ''),
history_s=column_ifexists('history_s', ''),
resource_data_mfa_active_b=column_ifexists('resource_data_mfa_active_b', ''),
resource_data_cert_1_active_b=column_ifexists('resource_data_cert_1_active_b', ''),
resource_data_cert_2_active_b=column_ifexists('resource_data_cert_2_active_b', ''),
resource_data_password_enabled_s=column_ifexists('resource_data_password_enabled_s', ''),
resource_data_password_last_used_s=column_ifexists('resource_data_password_last_used_s', ''),
resource_data_user_creation_time_t=column_ifexists('resource_data_user_creation_time_t', ''),
resource_data_access_key_1_active_b=column_ifexists('resource_data_access_key_1_active_b', ''),
resource_data_access_key_2_active_b=column_ifexists('resource_data_access_key_2_active_b', ''),
resource_data_cert_1_last_rotated_s=column_ifexists('resource_data_cert_1_last_rotated_s', ''),
resource_data_cert_2_last_rotated_s=column_ifexists('resource_data_cert_2_last_rotated_s', ''),
resource_data_password_last_changed_s=column_ifexists('resource_data_password_last_changed_s', ''),
resource_data_password_next_rotation_s=column_ifexists('resource_data_password_next_rotation_s', ''),
resource_data_access_key_1_last_rotated_t=column_ifexists('resource_data_access_key_1_last_rotated_t', ''),
resource_data_access_key_2_last_rotated_s=column_ifexists('resource_data_access_key_2_last_rotated_s', ''),
resource_data_access_key_1_last_used_date_t=column_ifexists('resource_data_access_key_1_last_used_date_t', ''),
resource_data_access_key_2_last_used_date_s=column_ifexists('resource_data_access_key_2_last_used_date_s', ''),
resource_data_access_key_1_last_used_region_s=column_ifexists('resource_data_access_key_1_last_used_region_s', ''),
resource_data_access_key_2_last_used_region_s=column_ifexists('resource_data_access_key_2_last_used_region_s', ''),
resource_data_access_key_1_last_used_service_s=column_ifexists('resource_data_access_key_1_last_used_service_s', ''),
resource_data_access_key_2_last_used_service_s=column_ifexists('resource_data_access_key_2_last_used_service_s', ''),
resource_rrn_s=column_ifexists('resource_rrn_s', ''),
resource_name_s=column_ifexists('resource_name_s', ''),
resource_account_s=column_ifexists('resource_account_s', ''),
resource_accountId_s=column_ifexists('resource_accountId_s', ''),
resource_cloudAccountGroups_s=column_ifexists('resource_cloudAccountGroups_s', ''),
resource_region_s=column_ifexists('resource_region_s', ''),
resource_regionId_s=column_ifexists('resource_regionId_s', ''),
resource_resourceType_s=column_ifexists('resource_resourceType_s', ''),
resource_resourceApiName_s=column_ifexists('resource_resourceApiName_s', ''),
resource_url_s=column_ifexists('resource_url_s', ''),
resource_data_arn_s=column_ifexists('resource_data_arn_s', ''),
resource_data_user_s=column_ifexists('resource_data_user_s', ''),
resource_additionalInfo_accessKeyAge_s=column_ifexists('resource_additionalInfo_accessKeyAge_s', ''),
resource_additionalInfo_inactiveSinceTs_s=column_ifexists('resource_additionalInfo_inactiveSinceTs_s', ''),
resource_cloudType_s=column_ifexists('resource_cloudType_s', ''),
resource_resourceTs_d=column_ifexists('resource_resourceTs_d', ''),
id_s=column_ifexists('id_s', ''),
policy_policyId_g=column_ifexists('policy_policyId_g', ''),
policy_policyType_s=column_ifexists('policy_policyType_s', ''),
policy_systemDefault_b=column_ifexists('policy_systemDefault_b', ''),
policy_remediable_b=column_ifexists('policy_remediable_b', ''),
alertRules_s=column_ifexists('alertRules_s', ''),
riskDetail_riskScore_score_d=column_ifexists('riskDetail_riskScore_score_d', ''),
riskDetail_riskScore_maxScore_d=column_ifexists('riskDetail_riskScore_maxScore_d', ''),
riskDetail_rating_s=column_ifexists('riskDetail_rating_s', ''),
riskDetail_score_s=column_ifexists('riskDetail_score_s', ''),
status_s=column_ifexists('status_s', ''),
firstSeen_d=column_ifexists('firstSeen_d', ''),
lastSeen_d=column_ifexists('lastSeen_d', ''),
alertTime_d=column_ifexists('alertTime_d', ''),
resource_id=iff(isnotempty(column_ifexists('resource_id_s', '')), column_ifexists('resource_id_s', ''), column_ifexists('resource_id_g', ''))
| project-rename
Reason=reason_s,
AlertMessage=policy_name_s,
AlertDescription=policy_description_s,
AlertSeverity=policy_severity_s,
PolicyRecommendation=policy_recommendation_s,
PolicyLabels=policy_labels_s,
PolicyLastModifiedOn=policy_lastModifiedOn_d,
PolicyLastModifiedBy=policy_lastModifiedBy_s,
PolicyDeleted=policy_deleted_b,
PolicyRemediationDescription=policy_remediation_description_s,
PolicyRemediationImpact=policy_remediation_impact_s,
PolicyRemediationCliScriptTemplate=policy_remediation_cliScriptTemplate_s,
ResourceId=resource_id,
History=history_s,
ResourceDataMfaActive=resource_data_mfa_active_b,
ResourceDataCert1Active=resource_data_cert_1_active_b,
ResourceDataCert2Active=resource_data_cert_2_active_b,
ResourceDataPasswordEnabled=resource_data_password_enabled_s,
ResourceDataPasswordLastUsed=resource_data_password_last_used_s,
ResourceDataUserCreationTime=resource_data_user_creation_time_t,
ResourceDataAccessKey1Active=resource_data_access_key_1_active_b,
ResourceDataAccessKey2Active=resource_data_access_key_2_active_b,
ResourceDataCert1LastRotated=resource_data_cert_1_last_rotated_s,
ResourceDataCert2LastRotated=resource_data_cert_2_last_rotated_s,
ResourceDataPasswordLastChanged=resource_data_password_last_changed_s,
ResourceDataPasswordNextRotation=resource_data_password_next_rotation_s,
ResourceDataAccessKey1LastRotated=resource_data_access_key_1_last_rotated_t,
ResourceDataAccessKey2LastRotated=resource_data_access_key_2_last_rotated_s,
ResourceDataAccessKey1LastUsedDate=resource_data_access_key_1_last_used_date_t,
ResourceDataAccessKey2LastUsedDate=resource_data_access_key_2_last_used_date_s,
ResourceDataAccessKey1LastUsedRegion=resource_data_access_key_1_last_used_region_s,
ResourceDataAccessKey2LastUsedRegion=resource_data_access_key_2_last_used_region_s,
ResourceDataAccessKey1LastUsedService=resource_data_access_key_1_last_used_service_s,
ResourceDataAccessKey2LastUsedService=resource_data_access_key_2_last_used_service_s,
ResourceRrn=resource_rrn_s,
ResourceName=resource_name_s,
ResourceAccount=resource_account_s,
ResourceAccountId=resource_accountId_s,
ResourceCloudAccountGroups=resource_cloudAccountGroups_s,
ResourceRegion=resource_region_s,
ResourceRegionId=resource_regionId_s,
ResourceResourceType=resource_resourceType_s,
ResourceResourceApiName=resource_resourceApiName_s,
ResourceUrl=resource_url_s,
ResourceDataArn=resource_data_arn_s,
ResourceDataUser=resource_data_user_s,
ResourceAdditionalInfoAccessKeyAge=resource_additionalInfo_accessKeyAge_s,
ResourceAdditionalInfoInactiveSinceTs=resource_additionalInfo_inactiveSinceTs_s,
ResourceCloudType=resource_cloudType_s,
ResourceResourceTs=resource_resourceTs_d,
AlertId=id_s,
PolicyPolicyId=policy_policyId_g,
PolicyPolicyType=policy_policyType_s,
PolicySystemDefault=policy_systemDefault_b,
PolicyRemediable=policy_remediable_b,
AlertRules=alertRules_s,
RiskDetailRiskScoreScore=riskDetail_riskScore_score_d,
RiskDetailRiskScoreMaxScore=riskDetail_riskScore_maxScore_d,
RiskDetailRating=riskDetail_rating_s,
RiskDetailScore=riskDetail_score_s,
Status=status_s,
FirstSeen=firstSeen_d,
LastSeen=lastSeen_d,
AlertTime=alertTime_d
| project-away
resource_id_s,
resource_id_g
};
union isfuzzy=true Alert_view, Audit_view
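Review bot: The audit view's first filter contradicts the line after it: `| where isnotempty(user_g)` drops every row whose user arrived in `user_s`, yet the following `iff(...)` explicitly prefers `user_s` and only falls back to `user_g`; it also references `user_g` directly, so the view fails if that column was never created, unlike every other field, which goes through `column_ifexists`. A consistent guard is `| where isnotempty(column_ifexists('user_s', '')) or isnotempty(column_ifexists('user_g', ''))`. Separately, `IPAddress` and `ResourceType` are the only columns read without a Log Analytics type suffix; if the custom log stores them under a suffixed name, `column_ifexists` silently yields `''` and every `ResourceType =~ 'Login'` hunting query above matches nothing — confirm against the ingested schema. `PolicyRemediationCliScriptTemplate` carries executable CLI text from the alert feed; any playbook that consumes this column should treat it as data to display, not as something to run.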



@ -0,0 +1,303 @@
{
"version": "Notebook/1.0",
"items": [
{
"type": 1,
"content": {
"json": "## Palo Alto Prisma Cloud Overview\n---\n**NOTE**: This workbook depends on a parser based on a Kusto Function to work as expected [**PaloAltoPrismaCloud**](https://aka.ms/sentinel-PaloAltoPrismaCloud-parser) which is deployed with the Azure Sentinel Solution."
},
"name": "text - 2"
},
{
"type": 9,
"content": {
"version": "KqlParameterItem/1.0",
"parameters": [
{
"id": "600df9d4-1fb8-4255-a77e-27f5d12a5097",
"version": "KqlParameterItem/1.0",
"name": "TimeRange",
"type": 4,
"value": {
"durationMs": 2592000000
},
"typeSettings": {
"selectableValues": [
{
"durationMs": 3600000
},
{
"durationMs": 43200000
},
{
"durationMs": 86400000
},
{
"durationMs": 604800000
},
{
"durationMs": 2592000000
},
{
"durationMs": 7776000000
}
]
},
"timeContext": {
"durationMs": 86400000
}
}
],
"style": "pills",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces"
},
"name": "parameters - 2"
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "PaloAltoPrismaCloud\n| make-series TotalEvents = count() default = 0 on TimeGenerated from {TimeRange:start} to {TimeRange:end} step {TimeRange:grain};",
"size": 0,
"title": "Events over time",
"color": "grayBlue",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
"visualization": "areachart",
"tileSettings": {
"showBorder": false
}
},
"customWidth": "50",
"name": "query - 2"
},
{
"type": 12,
"content": {
"version": "NotebookGroup/1.0",
"groupType": "editable",
"items": [
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "PaloAltoPrismaCloud\r\n| where isnotempty(ResourceRegion)\r\n| summarize count() by ResourceRegion",
"size": 3,
"title": "Events by Region",
"timeContext": {
"durationMs": 0
},
"timeContextFromParameter": "TimeRange",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
"visualization": "piechart"
},
"customWidth": "50",
"name": "query - 0"
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "PaloAltoPrismaCloud\r\n| where isnotempty(ResourceCloudType)\r\n| summarize count() by ResourceCloudType",
"size": 3,
"title": "Events by Cloud type",
"timeContext": {
"durationMs": 0
},
"timeContextFromParameter": "TimeRange",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
"visualization": "piechart"
},
"customWidth": "50",
"name": "query - 1"
}
]
},
"customWidth": "50",
"name": "group - 3"
},
{
"type": 12,
"content": {
"version": "NotebookGroup/1.0",
"groupType": "editable",
"items": [
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "PaloAltoPrismaCloud\r\n| summarize Low = countif(AlertSeverity =~ \"low\"), Medium = countif(AlertSeverity == \"medium\"), High = countif(AlertSeverity == \"high\") by bin_at(TimeGenerated, 1h, now())",
"size": 0,
"title": "Alerts over time",
"timeContext": {
"durationMs": 0
},
"timeContextFromParameter": "TimeRange",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
"visualization": "scatterchart",
"chartSettings": {
"seriesLabelSettings": [
{
"seriesName": "Low",
"color": "yellow"
},
{
"seriesName": "Medium",
"color": "orange"
},
{
"seriesName": "High",
"color": "redBright"
}
]
}
},
"customWidth": "55",
"name": "query - 0"
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "PaloAltoPrismaCloud\r\n| where Status =~ 'open'\r\n| project AlertId, AlertSeverity, AlertMessage",
"size": 0,
"title": "Open Alerts",
"timeContext": {
"durationMs": 0
},
"timeContextFromParameter": "TimeRange",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
"gridSettings": {
"filter": true
}
},
"customWidth": "40",
"name": "query - 2",
"styleSettings": {
"margin": "20px"
}
}
]
},
"name": "group - 4"
},
{
"type": 12,
"content": {
"version": "NotebookGroup/1.0",
"groupType": "editable",
"items": [
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "PaloAltoPrismaCloud\r\n| where isnotempty(SrcIpAddr)\r\n| summarize count() by SrcIpAddr\r\n| top 10 by count_ desc",
"size": 3,
"title": "Top Sources",
"timeContext": {
"durationMs": 0
},
"timeContextFromParameter": "TimeRange",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
"visualization": "piechart"
},
"customWidth": "30",
"name": "query - 0"
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "let u1 = PaloAltoPrismaCloud\r\n| where isnotempty(PolicyLastModifiedBy)\r\n| project User = PolicyLastModifiedBy;\r\nlet u2 = PaloAltoPrismaCloud\r\n| where isnotempty(UserName)\r\n| project User = UserName;\r\nlet users = union u1, u2;\r\nusers\r\n| summarize Actions = count() by User\r\n| top 10 by Actions desc\r\n\r\n",
"size": 3,
"title": "Top Users",
"timeContext": {
"durationMs": 0
},
"timeContextFromParameter": "TimeRange",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
"gridSettings": {
"formatters": [
{
"columnMatch": "Actions",
"formatter": 4,
"formatOptions": {
"palette": "blue"
}
}
]
}
},
"customWidth": "30",
"name": "query - 1"
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "PaloAltoPrismaCloud\r\n| where ResourceType =~ 'Login'\r\n| extend TimeFromNow = now() - TimeGenerated\r\n| extend TimeAgo = strcat(case(TimeFromNow < 2m, strcat(toint(TimeFromNow / 1m), ' seconds'), TimeFromNow < 2h, strcat(toint(TimeFromNow / 1m), ' minutes'), TimeFromNow < 2d, strcat(toint(TimeFromNow / 1h), ' hours'), strcat(toint(TimeFromNow / 1d), ' days')), ' ago')\r\n| project User= UserName, ['Source IP'] = SrcIpAddr, ['Login Result'] = strcat(iff(EventResult == 'Success', '✔️', '❌'), ' ', EventResult), ['Login Time'] = TimeAgo",
"size": 0,
"title": "User Logins",
"timeContext": {
"durationMs": 0
},
"timeContextFromParameter": "TimeRange",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
"gridSettings": {
"filter": true
}
},
"customWidth": "35",
"name": "query - 2"
}
]
},
"name": "group - 5"
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "PaloAltoPrismaCloud\r\n| where isnotempty(AlertMessage)\r\n| top 10 by TimeGenerated desc\r\n| extend NumSeverity = case(AlertSeverity =~ 'low', 1, AlertSeverity =~ 'medium', 2, 3)\r\n| project ['Alert Time'] = TimeGenerated, ['Alert Message'] = AlertMessage, ['Severity'] = NumSeverity, ResourceRegionId, ResourceId",
"size": 0,
"timeContext": {
"durationMs": 0
},
"timeContextFromParameter": "TimeRange",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
"gridSettings": {
"formatters": [
{
"columnMatch": "Severity",
"formatter": 8,
"formatOptions": {
"min": 1,
"max": 3,
"palette": "orangeRed"
},
"numberFormat": {
"unit": 0,
"options": {
"style": "decimal",
"useGrouping": false
}
}
}
]
}
},
"name": "query - 6"
}
],
"fromTemplateId": "sentinel-PaloAltoPrismaCloudWorkbook",
"$schema": "https://github.com/Microsoft/Application-Insights-Workbooks/blob/master/schema/workbook.json"
}
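Review bot: The `User Logins` query's age label is wrong for recent events: the `TimeFromNow < 2m` branch divides by `1m` but labels the result `' seconds'`, so a 90-second-old login is shown as `1 seconds`; the branch should be `strcat(toint(TimeFromNow / 1s), ' seconds')`. In the `Alerts over time` query the three `countif` comparisons mix `=~` for `low` with case-sensitive `==` for `medium` and `high`, while the hunting queries compare `AlertSeverity` case-insensitively; use `=~` for all three so a `High` value is not dropped from the chart. The `Events over time` query uses `\n` line breaks where every other query uses `\r\n`; harmless, but worth normalising.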