Azure-Sentinel/Solutions/PaloAlto-PAN-OS/Package/mainTemplate.json


{
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"metadata": {
"author": "Microsoft - support@microsoft.com",
"comments": "Solution template for PaloAlto-PAN-OS"
},
"parameters": {
"location": {
"type": "string",
"minLength": 1,
"defaultValue": "[resourceGroup().location]",
"metadata": {
"description": "Not used, but needed to pass arm-ttk test `Location-Should-Not-Be-Hardcoded`. We instead use the `workspace-location` which is derived from the LA workspace"
}
},
"workspace-location": {
"type": "string",
"defaultValue": "",
"metadata": {
"description": "[concat('Region to deploy solution resources -- separate from location selection',parameters('location'))]"
}
},
"workspace": {
"defaultValue": "",
"type": "string",
"metadata": {
"description": "Workspace name for Log Analytics where Microsoft Sentinel is setup"
}
},
"workbook1-name": {
"type": "string",
"defaultValue": "Palo Alto overview",
"minLength": 1,
"metadata": {
"description": "Name for the workbook"
}
},
"workbook2-name": {
"type": "string",
"defaultValue": "Palo Alto Network Threat",
"minLength": 1,
"metadata": {
"description": "Name for the workbook"
}
}
},
"variables": {
"email": "support@microsoft.com",
"_email": "[variables('email')]",
"_solutionName": "PaloAlto-PAN-OS",
"_solutionVersion": "3.0.1",
"solutionId": "azuresentinel.azure-sentinel-solution-paloaltopanos",
"_solutionId": "[variables('solutionId')]",
"uiConfigId1": "PaloAltoNetworks",
"_uiConfigId1": "[variables('uiConfigId1')]",
"dataConnectorContentId1": "PaloAltoNetworks",
"_dataConnectorContentId1": "[variables('dataConnectorContentId1')]",
"dataConnectorId1": "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/dataConnectors', variables('_dataConnectorContentId1'))]",
"_dataConnectorId1": "[variables('dataConnectorId1')]",
"dataConnectorTemplateSpecName1": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-dc-',uniquestring(variables('_dataConnectorContentId1'))))]",
"dataConnectorVersion1": "1.0.0",
"_dataConnectorcontentProductId1": "[concat(take(variables('_solutionId'),50),'-','dc','-', uniqueString(concat(variables('_solutionId'),'-','DataConnector','-',variables('_dataConnectorContentId1'),'-', variables('dataConnectorVersion1'))))]",
"huntingQueryObject1": {
"huntingQueryVersion1": "1.0.0",
"_huntingQuerycontentId1": "0a57accf-3548-4e38-a861-99687c958f59",
"huntingQueryTemplateSpecName1": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-hq-',uniquestring('0a57accf-3548-4e38-a861-99687c958f59')))]"
},
"huntingQueryObject2": {
"huntingQueryVersion2": "1.0.2",
"_huntingQuerycontentId2": "2f8522fc-7807-4f0a-b53d-458296edab8d",
"huntingQueryTemplateSpecName2": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-hq-',uniquestring('2f8522fc-7807-4f0a-b53d-458296edab8d')))]"
},
"workbookVersion1": "1.2.0",
"workbookContentId1": "PaloAltoOverviewWorkbook",
"workbookId1": "[resourceId('Microsoft.Insights/workbooks', variables('workbookContentId1'))]",
"workbookTemplateSpecName1": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-wb-',uniquestring(variables('_workbookContentId1'))))]",
"_workbookContentId1": "[variables('workbookContentId1')]",
"workspaceResourceId": "[resourceId('microsoft.OperationalInsights/Workspaces', parameters('workspace'))]",
"_workbookcontentProductId1": "[concat(take(variables('_solutionId'),50),'-','wb','-', uniqueString(concat(variables('_solutionId'),'-','Workbook','-',variables('_workbookContentId1'),'-', variables('workbookVersion1'))))]",
"workbookVersion2": "1.1.0",
"workbookContentId2": "PaloAltoNetworkThreatWorkbook",
"workbookId2": "[resourceId('Microsoft.Insights/workbooks', variables('workbookContentId2'))]",
"workbookTemplateSpecName2": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-wb-',uniquestring(variables('_workbookContentId2'))))]",
"_workbookContentId2": "[variables('workbookContentId2')]",
"_workbookcontentProductId2": "[concat(take(variables('_solutionId'),50),'-','wb','-', uniqueString(concat(variables('_solutionId'),'-','Workbook','-',variables('_workbookContentId2'),'-', variables('workbookVersion2'))))]",
"analyticRuleObject1": {
"analyticRuleVersion1": "1.0.0",
"_analyticRulecontentId1": "89a86f70-615f-4a79-9621-6f68c50f365f",
"analyticRuleId1": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', '89a86f70-615f-4a79-9621-6f68c50f365f')]",
"analyticRuleTemplateSpecName1": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('89a86f70-615f-4a79-9621-6f68c50f365f')))]",
"_analyticRulecontentProductId1": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','89a86f70-615f-4a79-9621-6f68c50f365f','-', '1.0.0')))]"
},
"analyticRuleObject2": {
"analyticRuleVersion2": "1.3.1",
"_analyticRulecontentId2": "2be4ef67-a93f-4d8a-981a-88158cb73abd",
"analyticRuleId2": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', '2be4ef67-a93f-4d8a-981a-88158cb73abd')]",
"analyticRuleTemplateSpecName2": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('2be4ef67-a93f-4d8a-981a-88158cb73abd')))]",
"_analyticRulecontentProductId2": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','2be4ef67-a93f-4d8a-981a-88158cb73abd','-', '1.3.1')))]"
},
"analyticRuleObject3": {
"analyticRuleVersion3": "1.0.2",
"_analyticRulecontentId3": "f0be259a-34ac-4946-aa15-ca2b115d5feb",
"analyticRuleId3": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', 'f0be259a-34ac-4946-aa15-ca2b115d5feb')]",
"analyticRuleTemplateSpecName3": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('f0be259a-34ac-4946-aa15-ca2b115d5feb')))]",
"_analyticRulecontentProductId3": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','f0be259a-34ac-4946-aa15-ca2b115d5feb','-', '1.0.2')))]"
},
"analyticRuleObject4": {
"analyticRuleVersion4": "1.0.2",
"_analyticRulecontentId4": "5b72f527-e3f6-4a00-9908-8e4fee14da9f",
"analyticRuleId4": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', '5b72f527-e3f6-4a00-9908-8e4fee14da9f')]",
"analyticRuleTemplateSpecName4": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('5b72f527-e3f6-4a00-9908-8e4fee14da9f')))]",
"_analyticRulecontentProductId4": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','5b72f527-e3f6-4a00-9908-8e4fee14da9f','-', '1.0.2')))]"
},
"PaloAlto_PAN-OS_Rest_API_CustomConnector": "PaloAlto_PAN-OS_Rest_API_CustomConnector",
"_PaloAlto_PAN-OS_Rest_API_CustomConnector": "[variables('PaloAlto_PAN-OS_Rest_API_CustomConnector')]",
"TemplateEmptyArray": "[json('[]')]",
"playbookVersion1": "1.0",
"playbookContentId1": "PaloAlto_PAN-OS_Rest_API_CustomConnector",
"_playbookContentId1": "[variables('playbookContentId1')]",
"playbookTemplateSpecName1": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-lc-',uniquestring(variables('_playbookContentId1'))))]",
"_playbookcontentProductId1": "[concat(take(variables('_solutionId'),50),'-','lc','-', uniqueString(concat(variables('_solutionId'),'-','LogicAppsCustomConnector','-',variables('_playbookContentId1'),'-', variables('playbookVersion1'))))]",
"PaloAlto_PAN-OS_XML_API_CustomConnector": "PaloAlto_PAN-OS_XML_API_CustomConnector",
"_PaloAlto_PAN-OS_XML_API_CustomConnector": "[variables('PaloAlto_PAN-OS_XML_API_CustomConnector')]",
"playbookVersion2": "1.0",
"playbookContentId2": "PaloAlto_PAN-OS_XML_API_CustomConnector",
"_playbookContentId2": "[variables('playbookContentId2')]",
"playbookTemplateSpecName2": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-lc-',uniquestring(variables('_playbookContentId2'))))]",
"_playbookcontentProductId2": "[concat(take(variables('_solutionId'),50),'-','lc','-', uniqueString(concat(variables('_solutionId'),'-','LogicAppsCustomConnector','-',variables('_playbookContentId2'),'-', variables('playbookVersion2'))))]",
"PaloAlto-PAN-OS-GetSystemInfo": "PaloAlto-PAN-OS-GetSystemInfo",
"_PaloAlto-PAN-OS-GetSystemInfo": "[variables('PaloAlto-PAN-OS-GetSystemInfo')]",
"playbookVersion3": "1.0",
"playbookContentId3": "PaloAlto-PAN-OS-GetSystemInfo",
"_playbookContentId3": "[variables('playbookContentId3')]",
"playbookId3": "[resourceId('Microsoft.Logic/workflows', variables('playbookContentId3'))]",
"playbookTemplateSpecName3": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-pl-',uniquestring(variables('_playbookContentId3'))))]",
"_playbookcontentProductId3": "[concat(take(variables('_solutionId'),50),'-','pl','-', uniqueString(concat(variables('_solutionId'),'-','Playbook','-',variables('_playbookContentId3'),'-', variables('playbookVersion3'))))]",
"blanks": "[replace('b', 'b', '')]",
"PaloAlto-PAN-OS-GetThreatPCAP": "PaloAlto-PAN-OS-GetThreatPCAP",
"_PaloAlto-PAN-OS-GetThreatPCAP": "[variables('PaloAlto-PAN-OS-GetThreatPCAP')]",
"playbookVersion4": "1.0",
"playbookContentId4": "PaloAlto-PAN-OS-GetThreatPCAP",
"_playbookContentId4": "[variables('playbookContentId4')]",
"playbookId4": "[resourceId('Microsoft.Logic/workflows', variables('playbookContentId4'))]",
"playbookTemplateSpecName4": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-pl-',uniquestring(variables('_playbookContentId4'))))]",
"_playbookcontentProductId4": "[concat(take(variables('_solutionId'),50),'-','pl','-', uniqueString(concat(variables('_solutionId'),'-','Playbook','-',variables('_playbookContentId4'),'-', variables('playbookVersion4'))))]",
"PaloAlto-PAN-OS-GetURLCategoryInfo": "PaloAlto-PAN-OS-GetURLCategoryInfo",
"_PaloAlto-PAN-OS-GetURLCategoryInfo": "[variables('PaloAlto-PAN-OS-GetURLCategoryInfo')]",
"playbookVersion5": "1.0",
"playbookContentId5": "PaloAlto-PAN-OS-GetURLCategoryInfo",
"_playbookContentId5": "[variables('playbookContentId5')]",
"playbookId5": "[resourceId('Microsoft.Logic/workflows', variables('playbookContentId5'))]",
"playbookTemplateSpecName5": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-pl-',uniquestring(variables('_playbookContentId5'))))]",
"_playbookcontentProductId5": "[concat(take(variables('_solutionId'),50),'-','pl','-', uniqueString(concat(variables('_solutionId'),'-','Playbook','-',variables('_playbookContentId5'),'-', variables('playbookVersion5'))))]",
"PaloAlto-PAN-OS-BlockIP": "PaloAlto-PAN-OS-BlockIP",
"_PaloAlto-PAN-OS-BlockIP": "[variables('PaloAlto-PAN-OS-BlockIP')]",
"TemplateEmptyObject": "[json('{}')]",
"playbookVersion6": "1.0",
"playbookContentId6": "PaloAlto-PAN-OS-BlockIP",
"_playbookContentId6": "[variables('playbookContentId6')]",
"playbookId6": "[resourceId('Microsoft.Logic/workflows', variables('playbookContentId6'))]",
"playbookTemplateSpecName6": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-pl-',uniquestring(variables('_playbookContentId6'))))]",
"_playbookcontentProductId6": "[concat(take(variables('_solutionId'),50),'-','pl','-', uniqueString(concat(variables('_solutionId'),'-','Playbook','-',variables('_playbookContentId6'),'-', variables('playbookVersion6'))))]",
"PaloAlto-PAN-OS-BlockURL": "PaloAlto-PAN-OS-BlockURL",
"_PaloAlto-PAN-OS-BlockURL": "[variables('PaloAlto-PAN-OS-BlockURL')]",
"playbookVersion7": "1.0",
"playbookContentId7": "PaloAlto-PAN-OS-BlockURL",
"_playbookContentId7": "[variables('playbookContentId7')]",
"playbookId7": "[resourceId('Microsoft.Logic/workflows', variables('playbookContentId7'))]",
"playbookTemplateSpecName7": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-pl-',uniquestring(variables('_playbookContentId7'))))]",
"_playbookcontentProductId7": "[concat(take(variables('_solutionId'),50),'-','pl','-', uniqueString(concat(variables('_solutionId'),'-','Playbook','-',variables('_playbookContentId7'),'-', variables('playbookVersion7'))))]",
"PaloAlto-PAN-OS-BlockURL-EntityTrigger": "PaloAlto-PAN-OS-BlockURL-EntityTrigger",
"_PaloAlto-PAN-OS-BlockURL-EntityTrigger": "[variables('PaloAlto-PAN-OS-BlockURL-EntityTrigger')]",
"playbookVersion8": "1.0",
"playbookContentId8": "PaloAlto-PAN-OS-BlockURL-EntityTrigger",
"_playbookContentId8": "[variables('playbookContentId8')]",
"playbookId8": "[resourceId('Microsoft.Logic/workflows', variables('playbookContentId8'))]",
"playbookTemplateSpecName8": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-pl-',uniquestring(variables('_playbookContentId8'))))]",
"_playbookcontentProductId8": "[concat(take(variables('_solutionId'),50),'-','pl','-', uniqueString(concat(variables('_solutionId'),'-','Playbook','-',variables('_playbookContentId8'),'-', variables('playbookVersion8'))))]",
"PaloAlto-PAN-OS-BlockIP-EntityTrigger": "PaloAlto-PAN-OS-BlockIP-EntityTrigger",
"_PaloAlto-PAN-OS-BlockIP-EntityTrigger": "[variables('PaloAlto-PAN-OS-BlockIP-EntityTrigger')]",
"playbookVersion9": "1.0",
"playbookContentId9": "PaloAlto-PAN-OS-BlockIP-EntityTrigger",
"_playbookContentId9": "[variables('playbookContentId9')]",
"playbookId9": "[resourceId('Microsoft.Logic/workflows', variables('playbookContentId9'))]",
"playbookTemplateSpecName9": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-pl-',uniquestring(variables('_playbookContentId9'))))]",
"_playbookcontentProductId9": "[concat(take(variables('_solutionId'),50),'-','pl','-', uniqueString(concat(variables('_solutionId'),'-','Playbook','-',variables('_playbookContentId9'),'-', variables('playbookVersion9'))))]",
"_solutioncontentProductId": "[concat(take(variables('_solutionId'),50),'-','sl','-', uniqueString(concat(variables('_solutionId'),'-','Solution','-',variables('_solutionId'),'-', variables('_solutionVersion'))))]"
},
"resources": [
{
"type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates",
"apiVersion": "2023-04-01-preview",
"name": "[variables('dataConnectorTemplateSpecName1')]",
"location": "[parameters('workspace-location')]",
"dependsOn": [
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
"description": "PaloAlto-PAN-OS data connector with template version 3.0.1",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('dataConnectorVersion1')]",
"parameters": {},
"variables": {},
"resources": [
{
"name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',variables('_dataConnectorContentId1'))]",
"apiVersion": "2021-03-01-preview",
"type": "Microsoft.OperationalInsights/workspaces/providers/dataConnectors",
"location": "[parameters('workspace-location')]",
"kind": "GenericUI",
"properties": {
"connectorUiConfig": {
"id": "[variables('_uiConfigId1')]",
"title": "Palo Alto Networks (Firewall)",
"publisher": "Palo Alto Networks",
"descriptionMarkdown": "The Palo Alto Networks firewall connector allows you to easily connect your Palo Alto Networks logs with Microsoft Sentinel, to view dashboards, create custom alerts, and improve investigation. This gives you more insight into your organization's network and improves your security operation capabilities.",
"graphQueries": [
{
"metricName": "Total data received",
"legend": "Palo Alto Networks",
"baseQuery": "\nCommonSecurityLog\n| where DeviceVendor == \"Palo Alto Networks\"\n| where DeviceProduct has \"PAN-OS\"\n"
}
],
"sampleQueries": [
{
"description": "All logs",
"query": "\nCommonSecurityLog\n| where DeviceVendor == \"Palo Alto Networks\"\n| where DeviceProduct has \"PAN-OS\"\n\n | sort by TimeGenerated"
},
{
"description": "THREAT activity",
"query": "\nCommonSecurityLog\n| where DeviceVendor == \"Palo Alto Networks\"\n| where DeviceProduct has \"PAN-OS\"\n\n | where Activity == \"THREAT\"\n | sort by TimeGenerated"
}
],
"connectivityCriterias": [
{
"type": "IsConnectedQuery",
"value": [
"\nCommonSecurityLog\n| where DeviceVendor == \"Palo Alto Networks\"\n| where DeviceProduct has \"PAN-OS\"\n\n | summarize LastLogReceived = max(TimeGenerated)\n | project IsConnected = LastLogReceived > ago(30d)"
]
}
],
"dataTypes": [
{
"name": "CommonSecurityLog (PaloAlto)",
"lastDataReceivedQuery": "\nCommonSecurityLog\n| where DeviceVendor == \"Palo Alto Networks\"\n| where DeviceProduct has \"PAN-OS\"\n\n | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)"
}
],
"availability": {
"status": 1,
"isPreview": false
},
"permissions": {
"resourceProvider": [
{
"provider": "Microsoft.OperationalInsights/workspaces",
"permissionsDisplayText": "read and write permissions are required.",
"providerDisplayName": "Workspace",
"scope": "Workspace",
"requiredPermissions": {
"read": true,
"write": true,
"delete": true
}
},
{
"provider": "Microsoft.OperationalInsights/workspaces/sharedKeys",
"permissionsDisplayText": "read permissions to shared keys for the workspace are required. [See the documentation to learn more about workspace keys](https://docs.microsoft.com/azure/azure-monitor/platform/agent-windows#obtain-workspace-id-and-key).",
"providerDisplayName": "Keys",
"scope": "Workspace",
"requiredPermissions": {
"action": true
}
}
]
},
"instructionSteps": [
{
"description": "Install and configure the Linux agent to collect your Common Event Format (CEF) Syslog messages and forward them to Microsoft Sentinel.\n\n> Notice that the data from all regions will be stored in the selected workspace",
"innerSteps": [
{
"title": "1.1 Select or create a Linux machine",
"description": "Select or create a Linux machine that Microsoft Sentinel will use as the proxy between your security solution and Microsoft Sentinel. This machine can be on your on-prem environment, Azure or other clouds."
},
{
"title": "1.2 Install the CEF collector on the Linux machine",
"description": "Install the Microsoft Monitoring Agent on your Linux machine and configure the machine to listen on the necessary port and forward messages to your Microsoft Sentinel workspace. The CEF collector collects CEF messages on port 514 TCP.\n\n> 1. Make sure that you have Python on your machine using the following command: python -version.\n\n> 2. You must have elevated permissions (sudo) on your machine.",
"instructions": [
{
"parameters": {
"fillWith": [
"WorkspaceId",
"PrimaryKey"
],
"label": "Run the following command to install and apply the CEF collector:",
"value": "sudo wget -O cef_installer.py https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/DataConnectors/CEF/cef_installer.py&&sudo python cef_installer.py {0} {1}"
},
"type": "CopyableLabel"
}
]
}
],
"title": "1. Linux Syslog agent configuration"
},
{
"description": "Configure Palo Alto Networks to forward Syslog messages in CEF format to your Microsoft Sentinel workspace via the Syslog agent.\n\nGo to [configure Palo Alto Networks NGFW for sending CEF events.](https://aka.ms/sentinel-paloaltonetworks-readme)\n\nGo to [Palo Alto CEF Configuration](https://aka.ms/asi-syslog-paloalto-forwarding) and Palo Alto [Configure Syslog Monitoring](https://aka.ms/asi-syslog-paloalto-configure) steps 2, 3, choose your version, and follow the instructions using the following guidelines:\n\n1. Set the Syslog server format to **BSD**.\n\n2. The copy/paste operations from the PDF might change the text and insert random characters. To avoid this, copy the text to an editor and remove any characters that might break the log format before pasting it.\n\n[Learn more >](https://aka.ms/CEFPaloAlto)",
"title": "2. Forward Palo Alto Networks logs to Syslog agent"
},
{
"description": "Follow the instructions to validate your connectivity:\n\nOpen Log Analytics to check if the logs are received using the CommonSecurityLog schema.\n\n> It may take about 20 minutes until the connection streams data to your workspace.\n\nIf the logs are not received, run the following connectivity validation script:\n\n> 1. Make sure that you have Python on your machine using the following command: python -version\n\n> 2. You must have elevated permissions (sudo) on your machine",
"instructions": [
{
"parameters": {
"fillWith": [
"WorkspaceId"
],
"label": "Run the following command to validate your connectivity:",
"value": "sudo wget -O cef_troubleshoot.py https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/DataConnectors/CEF/cef_troubleshoot.py&&sudo python cef_troubleshoot.py {0}"
},
"type": "CopyableLabel"
}
],
"title": "3. Validate connection"
},
{
"description": "Make sure to configure the machine's security according to your organization's security policy\n\n\n[Learn more >](https://aka.ms/SecureCEF)",
"title": "4. Secure your machine "
}
],
"metadata": {
"id": "ef80260c-3aec-43bc-a1e5-c2f2372c9adc",
"version": "1.0.0",
"kind": "dataConnector",
"source": {
"kind": "community"
},
"author": {
"name": "Palo Alto Networks"
},
"support": {
"name": "Palo Alto Networks",
"link": "https://www.paloaltonetworks.com/company/contact-support",
"tier": "developer"
}
}
}
}
},
{
"type": "Microsoft.OperationalInsights/workspaces/providers/metadata",
"apiVersion": "2023-04-01-preview",
"name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('DataConnector-', last(split(variables('_dataConnectorId1'),'/'))))]",
"properties": {
"parentId": "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/dataConnectors', variables('_dataConnectorContentId1'))]",
"contentId": "[variables('_dataConnectorContentId1')]",
"kind": "DataConnector",
"version": "[variables('dataConnectorVersion1')]",
"source": {
"kind": "Solution",
"name": "PaloAlto-PAN-OS",
"sourceId": "[variables('_solutionId')]"
},
"author": {
"name": "Microsoft",
"email": "[variables('_email')]"
},
"support": {
"name": "Microsoft Corporation",
"email": "support@microsoft.com",
"tier": "Microsoft",
"link": "https://support.microsoft.com"
}
}
}
]
},
"packageKind": "Solution",
"packageVersion": "[variables('_solutionVersion')]",
"packageName": "[variables('_solutionName')]",
"packageId": "[variables('_solutionId')]",
"contentSchemaVersion": "3.0.0",
"contentId": "[variables('_dataConnectorContentId1')]",
"contentKind": "DataConnector",
"displayName": "Palo Alto Networks (Firewall)",
"contentProductId": "[variables('_dataConnectorcontentProductId1')]",
"id": "[variables('_dataConnectorcontentProductId1')]",
"version": "[variables('dataConnectorVersion1')]"
}
},
{
"type": "Microsoft.OperationalInsights/workspaces/providers/metadata",
"apiVersion": "2023-04-01-preview",
"name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('DataConnector-', last(split(variables('_dataConnectorId1'),'/'))))]",
"dependsOn": [
"[variables('_dataConnectorId1')]"
],
"location": "[parameters('workspace-location')]",
"properties": {
"parentId": "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/dataConnectors', variables('_dataConnectorContentId1'))]",
"contentId": "[variables('_dataConnectorContentId1')]",
"kind": "DataConnector",
"version": "[variables('dataConnectorVersion1')]",
"source": {
"kind": "Solution",
"name": "PaloAlto-PAN-OS",
"sourceId": "[variables('_solutionId')]"
},
"author": {
"name": "Microsoft",
"email": "[variables('_email')]"
},
"support": {
"name": "Microsoft Corporation",
"email": "support@microsoft.com",
"tier": "Microsoft",
"link": "https://support.microsoft.com"
}
}
},
{
"name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',variables('_dataConnectorContentId1'))]",
"apiVersion": "2021-03-01-preview",
"type": "Microsoft.OperationalInsights/workspaces/providers/dataConnectors",
"location": "[parameters('workspace-location')]",
"kind": "GenericUI",
"properties": {
"connectorUiConfig": {
"title": "Palo Alto Networks (Firewall)",
"publisher": "Palo Alto Networks",
"descriptionMarkdown": "The Palo Alto Networks firewall connector allows you to easily connect your Palo Alto Networks logs with Microsoft Sentinel, to view dashboards, create custom alerts, and improve investigation. This gives you more insight into your organization's network and improves your security operation capabilities.",
"graphQueries": [
{
"metricName": "Total data received",
"legend": "Palo Alto Networks",
"baseQuery": "\nCommonSecurityLog\n| where DeviceVendor == \"Palo Alto Networks\"\n| where DeviceProduct has \"PAN-OS\"\n"
}
],
"dataTypes": [
{
"name": "CommonSecurityLog (PaloAlto)",
"lastDataReceivedQuery": "\nCommonSecurityLog\n| where DeviceVendor == \"Palo Alto Networks\"\n| where DeviceProduct has \"PAN-OS\"\n\n | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)"
}
],
"connectivityCriterias": [
{
"type": "IsConnectedQuery",
"value": [
"\nCommonSecurityLog\n| where DeviceVendor == \"Palo Alto Networks\"\n| where DeviceProduct has \"PAN-OS\"\n\n | summarize LastLogReceived = max(TimeGenerated)\n | project IsConnected = LastLogReceived > ago(30d)"
]
}
],
"sampleQueries": [
{
"description": "All logs",
"query": "\nCommonSecurityLog\n| where DeviceVendor == \"Palo Alto Networks\"\n| where DeviceProduct has \"PAN-OS\"\n\n | sort by TimeGenerated"
},
{
"description": "THREAT activity",
"query": "\nCommonSecurityLog\n| where DeviceVendor == \"Palo Alto Networks\"\n| where DeviceProduct has \"PAN-OS\"\n\n | where Activity == \"THREAT\"\n | sort by TimeGenerated"
}
],
"availability": {
"status": 1,
"isPreview": false
},
"permissions": {
"resourceProvider": [
{
"provider": "Microsoft.OperationalInsights/workspaces",
"permissionsDisplayText": "read and write permissions are required.",
"providerDisplayName": "Workspace",
"scope": "Workspace",
"requiredPermissions": {
"read": true,
"write": true,
"delete": true
}
},
{
"provider": "Microsoft.OperationalInsights/workspaces/sharedKeys",
"permissionsDisplayText": "read permissions to shared keys for the workspace are required. [See the documentation to learn more about workspace keys](https://docs.microsoft.com/azure/azure-monitor/platform/agent-windows#obtain-workspace-id-and-key).",
"providerDisplayName": "Keys",
"scope": "Workspace",
"requiredPermissions": {
"action": true
}
}
]
},
"instructionSteps": [
{
"description": "Install and configure the Linux agent to collect your Common Event Format (CEF) Syslog messages and forward them to Microsoft Sentinel.\n\n> Notice that the data from all regions will be stored in the selected workspace",
"innerSteps": [
{
"title": "1.1 Select or create a Linux machine",
"description": "Select or create a Linux machine that Microsoft Sentinel will use as the proxy between your security solution and Microsoft Sentinel. This machine can be on your on-prem environment, Azure or other clouds."
},
{
"title": "1.2 Install the CEF collector on the Linux machine",
"description": "Install the Microsoft Monitoring Agent on your Linux machine and configure the machine to listen on the necessary port and forward messages to your Microsoft Sentinel workspace. The CEF collector collects CEF messages on port 514 TCP.\n\n> 1. Make sure that you have Python on your machine using the following command: python -version.\n\n> 2. You must have elevated permissions (sudo) on your machine.",
"instructions": [
{
"parameters": {
"fillWith": [
"WorkspaceId",
"PrimaryKey"
],
"label": "Run the following command to install and apply the CEF collector:",
"value": "sudo wget -O cef_installer.py https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/DataConnectors/CEF/cef_installer.py&&sudo python cef_installer.py {0} {1}"
},
"type": "CopyableLabel"
}
]
}
],
"title": "1. Linux Syslog agent configuration"
},
{
"description": "Configure Palo Alto Networks to forward Syslog messages in CEF format to your Microsoft Sentinel workspace via the Syslog agent.\n\nGo to [configure Palo Alto Networks NGFW for sending CEF events.](https://aka.ms/sentinel-paloaltonetworks-readme)\n\nGo to [Palo Alto CEF Configuration](https://aka.ms/asi-syslog-paloalto-forwarding) and Palo Alto [Configure Syslog Monitoring](https://aka.ms/asi-syslog-paloalto-configure) steps 2, 3, choose your version, and follow the instructions using the following guidelines:\n\n1. Set the Syslog server format to **BSD**.\n\n2. The copy/paste operations from the PDF might change the text and insert random characters. To avoid this, copy the text to an editor and remove any characters that might break the log format before pasting it.\n\n[Learn more >](https://aka.ms/CEFPaloAlto)",
"title": "2. Forward Palo Alto Networks logs to Syslog agent"
},
{
"description": "Follow the instructions to validate your connectivity:\n\nOpen Log Analytics to check if the logs are received using the CommonSecurityLog schema.\n\n> It may take about 20 minutes until the connection streams data to your workspace.\n\nIf the logs are not received, run the following connectivity validation script:\n\n> 1. Make sure that you have Python on your machine using the following command: python -version\n\n> 2. You must have elevated permissions (sudo) on your machine",
"instructions": [
{
"parameters": {
"fillWith": [
"WorkspaceId"
],
"label": "Run the following command to validate your connectivity:",
"value": "sudo wget -O cef_troubleshoot.py https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/DataConnectors/CEF/cef_troubleshoot.py&&sudo python cef_troubleshoot.py {0}"
},
"type": "CopyableLabel"
}
],
"title": "3. Validate connection"
},
{
"description": "Make sure to configure the machine's security according to your organization's security policy\n\n\n[Learn more >](https://aka.ms/SecureCEF)",
"title": "4. Secure your machine "
}
],
"id": "[variables('_uiConfigId1')]"
}
}
},
{
"type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates",
"apiVersion": "2023-04-01-preview",
"name": "[variables('huntingQueryObject1').huntingQueryTemplateSpecName1]",
"location": "[parameters('workspace-location')]",
"dependsOn": [
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
"description": "PaloAlto-HighRiskPorts_HuntingQueries Hunting Query with template version 3.0.1",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('huntingQueryObject1').huntingQueryVersion1]",
"parameters": {},
"variables": {},
"resources": [
{
"type": "Microsoft.OperationalInsights/savedSearches",
"apiVersion": "2022-10-01",
"name": "PaloAlto-PAN-OS_Hunting_Query_1",
"location": "[parameters('workspace-location')]",
"properties": {
"eTag": "*",
"displayName": "Palo Alto - high-risk ports",
"category": "Hunting Queries",
"query": "\nlet HighRiskPorts = datatable (Port:int, Protocol:string, RiskType:string, RiskDescription:string)[\n13,\"udp\",\"3rd Party Attacks\",\"Daytime protocol used in reflection/amplification attacks\",\n17,\"udp\",\"3rd Party Attacks\",\"QOTD protocol, reflection/amplification attacks\",\n19,\"udp\",\"3rd Party Attacks\",\"Chargen protocol, reflection/amplification attacks\",\n20,\"tcp\",\"Unencrypted\",\"Unencrypted FTP Traffic\",\n21,\"tcp\",\"Unencrypted\",\"Unencrypted FTP Traffic\",\n22,\"tcp\",\"Management\",\"SSH, brute force attacks common\",\n23,\"tcp\",\"Management\",\"Telnet, allows unauthenticated and/or unencrypted\",\n53,\"udp\",\"3rd Party Attacks\",\"DNS, reflection/amplification attacks\",\n69,\"udp\",\"Management\",\"TFTP, allows unauthenticated and/or unencrypted\",\n111,\"udp\",\"Management\",\"RPC, unencrypted authentication allowed\",\n111,\"tcp\",\"Management\",\"RPC, unencrypted authentication allowed\",\n119,\"tcp\",\"Unsecure\",\"NNTP, unencrypted authentication\",\n123,\"udp\",\"3rd Party Attacks\",\"Network Time Protocol, reflection/amplification attacks\",\n135,\"tcp\",\"Management\",\"End Point Mapper, multiple remote management srvcs\",\n135,\"udp\",\"Management\",\"End Point Mapper, multiple remote management srvcs\",\n137,\"tcp\",\"Hacker Recon\",\"Netbios Name Service\",\n137,\"udp\",\"Hacker Recon\",\"Netbios Name Service\",\n138,\"tcp\",\"Hacker Recon\",\"Netbios Datagram Service\",\n138,\"udp\",\"Hacker Recon\",\"Netbios Datagram Service\",\n139,\"tcp\",\"Hacker Recon\",\"Netbios Session Service\",\n161,\"tcp\",\"Unsecure/3rd Party Attacks\",\"SNMP, unsecure / no authentication UDP Reflection attacks\",\n161,\"udp\",\"Unsecure/3rd Party Attacks\",\"SNMP, unsecure / no authentication UDP Reflection attacks\",\n162,\"tcp\",\"Unsecure\",\"SNMP Trap, unsecure / no authentication\",\n162,\"udp\",\"Unsecure\",\"SNMP Trap, unsecure / no authentication\",\n389,\"tcp\",\"Hacker Recon/3rd Party 
Attacks\",\"LDAP/CLDAP\",\n389,\"udp\",\"Hacker Recon/3rd Party Attacks\",\"LDAP/CLDAP\",\n443,\"udp\",\"3rd Party Attacks\",\"UDP Reflection / Amplification attacks\",\n445,\"tcp\",\"Unsecure\",\"SMB - well known attack vector\",\n512,\"tcp\",\"Management\",\"Rexec on Linux, remote commands w/o encrypt auth\",\n514,\"tcp\",\"Management\",\"Remote Shell, remote commands w/o auth or encrypt\",\n593,\"tcp\",\"Management\",\"HTTP RPC EPMAP, unencrypted remote procedure call\",\n593,\"udp\",\"Management\",\"HTTP RPC EPMAP, unencrypted remote procedure call\",\n636,\"tcp\",\"Hacker Recon\",\"Lightweight Directory Access Protocol\",\n873,\"tcp\",\"Management\",\"Rsync, unencrypted file transfer\",\n1433,\"tcp\",\"Data Access/Mgmt\",\"MS SQL Management & Data Access\",\n1434,\"udp\",\"Data Access/Mgmt\",\"MS SQL Monitor Port\",\n1900,\"udp\",\"Hacker Recon/3rd Party Attacks\",\"Simple Service Discovery Protocol, unencrypted\",\n2049,\"tcp\",\"Unsecure\",\"Network File System\",\n2049,\"udp\",\"Unsecure\",\"Network File System\",\n2301,\"tcp\",\"Hacker Recon\",\"Compaq Management Service, no recent incidents\",\n2381,\"tcp\",\"Management\",\"Compaq Management Service, no recent incidents\",\n3268,\"tcp\",\"Hacker Recon\",\"Microsoft Global Catalog LDAP\",\n3306,\"tcp\",\"Data Access/Mgmt\",\"MySQL Database Management Port\",\n3389,\"tcp\",\"Management/3rd Party Attacks\",\"RDP, Common brute force attack port\",\n3389,\"udp\",\"Management/3rd Party Attacks\",\"RDP, Common brute force attack port\",\n4333,\"tcp\",\"Data Access/Mgmt\",\"MSql\",\n5353,\"udp\",\"3rd Party Attacks\",\"mDNS\",\n5432,\"tcp\",\"Data Access/Mgmt\",\"PostgresSQL Database Management\",\n5800,\"tcp\",\"Management\",\"VNC Remote Frame Buffer over HTTP\",\n5900,\"tcp\",\"Management\",\"VNC Remote Frame Buffer over HTTP\",\n5985,\"tcp\",\"Management\",\"Windows Powershell\",\n5986,\"tcp\",\"Management\",\"Windows Powershell\",\n6379,\"tcp\",\"Data Access/Mgmt\",\"Redis\",\n7000,\"tcp\",\"Data 
Access/Mgmt\",\"Cassandra\",\n7001,\"tcp\",\"Data Access/Mgmt\",\"Cassandra\",\n7199,\"tcp\",\"Data Access/Mgmt\",\"Cassandra\",\n9042,\"tcp\",\"Data Access/Mgmt\",\"Cassandra\",\n9160,\"tcp\",\"Data Access/Mgmt\",\"Cassandra\",\n9200,\"tcp\",\"Data Access/Mgmt\",\"Elastic Search\",\n9300,\"tcp\",\"Data Access/Mgmt\",\"Elastic Search\",\n9987,\"udp\",\"3rd Party Attack\",\"DSM/SCM Target Interface\",\n11211,\"udp\",\"Unencrypted\",\"Memcached\",\n16379,\"tcp\",\"Data Access/Mgmt\",\"Redis\",\n26379,\"tcp\",\"Data Access/Mgmt\",\"Redis\",\n27017,\"tcp\",\"Data Access/Mgmt\",\"MongoDB\",\n];\nHighRiskPorts\n| join kind=inner (\n CommonSecurityLog\n | where DeviceVendor == \"Palo Alto Networks\" and Activity == \"TRAFFIC\" and DeviceAction != \"deny\"\n | where SentBytes > 0 and ReceivedBytes > 0\n //Remove private IP communation from DestinationIP\n | extend result = ipv4_is_private(DestinationIP) \n | where result == 0\n | summarize\n Count = count(),\n StartTime = min(TimeGenerated),\n EndTime = max(TimeGenerated)\n by \n DeviceName,\n SourceIP,\n DestinationIP,\n DestinationPort,\n Protocol\n) on $left.Port == $right.DestinationPort and $left.Protocol == $right.Protocol\n| project-away Protocol1, Port\n| order by DeviceName asc, SourceIP asc, DestinationIP asc, DestinationPort asc\n| extend timestamp = StartTime, IPCustomEntity = SourceIP\n",
"version": 2,
"tags": [
{
"name": "description",
"value": "Identifies network connections whose ports are frequent targets of attacks and should not cross network boundaries or reach untrusted public networks.\nConsider updating the firewall policies to block the connections."
},
{
"name": "tactics",
"value": "InitialAccess,Discovery"
}
]
}
},
{
"type": "Microsoft.OperationalInsights/workspaces/providers/metadata",
"apiVersion": "2022-01-01-preview",
"name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('HuntingQuery-', last(split(resourceId('Microsoft.OperationalInsights/savedSearches', variables('huntingQueryObject1')._huntingQuerycontentId1),'/'))))]",
"properties": {
"description": "PaloAlto-PAN-OS Hunting Query 1",
"parentId": "[resourceId('Microsoft.OperationalInsights/savedSearches', variables('huntingQueryObject1')._huntingQuerycontentId1)]",
"contentId": "[variables('huntingQueryObject1')._huntingQuerycontentId1]",
"kind": "HuntingQuery",
"version": "[variables('huntingQueryObject1').huntingQueryVersion1]",
"source": {
"kind": "Solution",
"name": "PaloAlto-PAN-OS",
"sourceId": "[variables('_solutionId')]"
},
"author": {
"name": "Microsoft",
"email": "[variables('_email')]"
},
"support": {
"name": "Microsoft Corporation",
"email": "support@microsoft.com",
"tier": "Microsoft",
"link": "https://support.microsoft.com"
}
}
}
]
},
"packageKind": "Solution",
"packageVersion": "[variables('_solutionVersion')]",
"packageName": "[variables('_solutionName')]",
"packageId": "[variables('_solutionId')]",
"contentSchemaVersion": "3.0.0",
"contentId": "[variables('huntingQueryObject1')._huntingQuerycontentId1]",
"contentKind": "HuntingQuery",
"displayName": "Palo Alto - high-risk ports",
"contentProductId": "[concat(take(variables('_solutionId'),50),'-','hq','-', uniqueString(concat(variables('_solutionId'),'-','HuntingQuery','-',variables('huntingQueryObject1')._huntingQuerycontentId1,'-', '1.0.0')))]",
"id": "[concat(take(variables('_solutionId'),50),'-','hq','-', uniqueString(concat(variables('_solutionId'),'-','HuntingQuery','-',variables('huntingQueryObject1')._huntingQuerycontentId1,'-', '1.0.0')))]",
"version": "1.0.0"
}
},
{
"type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates",
"apiVersion": "2023-04-01-preview",
"name": "[variables('huntingQueryObject2').huntingQueryTemplateSpecName2]",
"location": "[parameters('workspace-location')]",
"dependsOn": [
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
"description": "Palo Alto - potential beaconing detected_HuntingQueries Hunting Query with template version 3.0.1",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('huntingQueryObject2').huntingQueryVersion2]",
"parameters": {},
"variables": {},
"resources": [
{
"type": "Microsoft.OperationalInsights/savedSearches",
"apiVersion": "2022-10-01",
"name": "PaloAlto-PAN-OS_Hunting_Query_2",
"location": "[parameters('workspace-location')]",
"properties": {
"eTag": "*",
"displayName": "Palo Alto - potential beaconing detected",
"category": "Hunting Queries",
"query": "let starttime = 2d;\nlet endtime = 1d;\nlet TimeDeltaThreshold = 25;\nlet TotalEventsThreshold = 30;\nlet MostFrequentTimeDeltaThreshold = 25;\nlet PercentBeaconThreshold = 80;\nCommonSecurityLog\n| where DeviceVendor == \"Palo Alto Networks\" and Activity == \"TRAFFIC\"\n| where TimeGenerated between (startofday(ago(starttime))..startofday(ago(endtime)))\n| where ipv4_is_private(DestinationIP)== false\n| project TimeGenerated, DeviceName, SourceUserID, SourceIP, SourcePort, DestinationIP, DestinationPort, ReceivedBytes, SentBytes\n| sort by SourceIP asc,TimeGenerated asc, DestinationIP asc, DestinationPort asc\n| serialize\n| extend nextTimeGenerated = next(TimeGenerated, 1), nextSourceIP = next(SourceIP, 1)\n| extend TimeDeltainSeconds = datetime_diff('second',nextTimeGenerated,TimeGenerated)\n| where SourceIP == nextSourceIP\n//Whitelisting criteria/ threshold criteria\n| where TimeDeltainSeconds > TimeDeltaThreshold\n| summarize count(), sum(ReceivedBytes), sum(SentBytes)\nby TimeDeltainSeconds, bin(TimeGenerated, 1h), DeviceName, SourceUserID, SourceIP, DestinationIP, DestinationPort\n| summarize (MostFrequentTimeDeltaCount, MostFrequentTimeDeltainSeconds) = arg_max(count_, TimeDeltainSeconds), TotalEvents=sum(count_), TotalSentBytes = sum(sum_SentBytes), TotalReceivedBytes = sum(sum_ReceivedBytes)\nby bin(TimeGenerated, 1h), DeviceName, SourceUserID, SourceIP, DestinationIP, DestinationPort\n| where TotalEvents > TotalEventsThreshold and MostFrequentTimeDeltaCount > MostFrequentTimeDeltaThreshold\n| extend BeaconPercent = MostFrequentTimeDeltaCount/toreal(TotalEvents) * 100\n| where BeaconPercent > PercentBeaconThreshold\n| extend timestamp = TimeGenerated, IPCustomEntity = DestinationIP, AccountCustomEntity = SourceUserID, HostCustomEntity = DeviceName\n",
"version": 2,
"tags": [
{
"name": "description",
"value": "Identifies beaconing patterns in PAN traffic logs based on recurring time-delta patterns between requests.\nReference blog: https://techcommunity.microsoft.com/t5/microsoft-sentinel-blog/detect-network-beaconing-via-intra-request-time-delta-patterns/ba-p/779586"
},
{
"name": "tactics",
"value": "CommandAndControl"
},
{
"name": "techniques",
"value": "T1071,T1571"
}
]
}
},
{
"type": "Microsoft.OperationalInsights/workspaces/providers/metadata",
"apiVersion": "2022-01-01-preview",
"name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('HuntingQuery-', last(split(resourceId('Microsoft.OperationalInsights/savedSearches', variables('huntingQueryObject2')._huntingQuerycontentId2),'/'))))]",
"properties": {
"description": "PaloAlto-PAN-OS Hunting Query 2",
"parentId": "[resourceId('Microsoft.OperationalInsights/savedSearches', variables('huntingQueryObject2')._huntingQuerycontentId2)]",
"contentId": "[variables('huntingQueryObject2')._huntingQuerycontentId2]",
"kind": "HuntingQuery",
"version": "[variables('huntingQueryObject2').huntingQueryVersion2]",
"source": {
"kind": "Solution",
"name": "PaloAlto-PAN-OS",
"sourceId": "[variables('_solutionId')]"
},
"author": {
"name": "Microsoft",
"email": "[variables('_email')]"
},
"support": {
"name": "Microsoft Corporation",
"email": "support@microsoft.com",
"tier": "Microsoft",
"link": "https://support.microsoft.com"
}
}
}
]
},
"packageKind": "Solution",
"packageVersion": "[variables('_solutionVersion')]",
"packageName": "[variables('_solutionName')]",
"packageId": "[variables('_solutionId')]",
"contentSchemaVersion": "3.0.0",
"contentId": "[variables('huntingQueryObject2')._huntingQuerycontentId2]",
"contentKind": "HuntingQuery",
"displayName": "Palo Alto - potential beaconing detected",
"contentProductId": "[concat(take(variables('_solutionId'),50),'-','hq','-', uniqueString(concat(variables('_solutionId'),'-','HuntingQuery','-',variables('huntingQueryObject2')._huntingQuerycontentId2,'-', '1.0.2')))]",
"id": "[concat(take(variables('_solutionId'),50),'-','hq','-', uniqueString(concat(variables('_solutionId'),'-','HuntingQuery','-',variables('huntingQueryObject2')._huntingQuerycontentId2,'-', '1.0.2')))]",
"version": "1.0.2"
}
},
{
"type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates",
"apiVersion": "2023-04-01-preview",
"name": "[variables('workbookTemplateSpecName1')]",
"location": "[parameters('workspace-location')]",
"dependsOn": [
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
"description": "PaloAltoOverview Workbook with template version 3.0.1",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('workbookVersion1')]",
"parameters": {},
"variables": {},
"resources": [
{
"type": "Microsoft.Insights/workbooks",
"name": "[variables('workbookContentId1')]",
"location": "[parameters('workspace-location')]",
"kind": "shared",
"apiVersion": "2021-08-01",
"metadata": {
"description": "Gain insights into, and comprehensive monitoring of, Palo Alto firewalls by analyzing traffic and activities.\nThis workbook correlates all Palo Alto data with threat events to identify suspicious entities and relationships.\nYou can learn about trends across user and data traffic, drill down into Palo Alto WildFire events, and filter the results."
},
"properties": {
"displayName": "[parameters('workbook1-name')]",
"serializedData": "{\"version\":\"Notebook/1.0\",\"items\":[{\"type\":1,\"content\":{\"json\":\"<div style=\\\"font-size: 200%;\\\">Palo Alto Networks overview</div>\"},\"name\":\"text - 0\"},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"query\":\"\",\"parameters\":[{\"id\":\"a5c18655-3e2d-4d12-8ba4-82e57b296581\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"TimeRange\",\"type\":4,\"isRequired\":true,\"value\":{\"durationMs\":2592000000},\"typeSettings\":{\"selectableValues\":[{\"durationMs\":300000},{\"durationMs\":900000},{\"durationMs\":1800000},{\"durationMs\":3600000},{\"durationMs\":14400000},{\"durationMs\":43200000},{\"durationMs\":86400000},{\"durationMs\":172800000},{\"durationMs\":259200000},{\"durationMs\":604800000},{\"durationMs\":1209600000},{\"durationMs\":2419200000},{\"durationMs\":2592000000},{\"durationMs\":5184000000},{\"durationMs\":7776000000}],\"allowCustom\":true}},{\"id\":\"32f5a8aa-9c54-4fd1-a2b9-8461b2c57f55\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"Source_IP\",\"label\":\"Source IP\",\"type\":2,\"isRequired\":true,\"multiSelect\":true,\"quote\":\"'\",\"delimiter\":\",\",\"query\":\"CommonSecurityLog\\r\\n| summarize Count = count()/1000 by SourceIP\\r\\n| where SourceIP != \\\"\\\"\\r\\n| order by Count desc, SourceIP asc\\r\\n| project Value = SourceIP, Label = strcat(SourceIP, \\\" - \\\", Count, \\\"k\\\"), Selected = false\\r\\n\",\"value\":[\"value::all\"],\"typeSettings\":{\"additionalResourceOptions\":[\"value::all\"],\"selectAllValue\":\"All\"},\"timeContext\":{\"durationMs\":1800000},\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},{\"id\":\"b937ca33-bc62-4183-bc0f-9ad8306dc36a\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"Destination_IP\",\"label\":\"Destination IP\",\"type\":2,\"isRequired\":true,\"multiSelect\":true,\"quote\":\"'\",\"delimiter\":\",\",\"query\":\"CommonSecurityLog\\r\\n| summarize Count = count()/1000 by DestinationIP\\r\\n| where DestinationIP 
!= \\\"\\\"\\r\\n| order by Count desc, DestinationIP asc\\r\\n| project Value = DestinationIP, Label = strcat(DestinationIP, \\\" - \\\", Count, \\\"k\\\"), Selected = false\",\"value\":[\"value::all\"],\"typeSettings\":{\"limitSelectTo\":10,\"additionalResourceOptions\":[\"value::all\"],\"selectAllValue\":\"All\"},\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"parameters - 5\"},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"query\":\"\",\"parameters\":[{\"id\":\"7f28bae3-a11f-408a-832f-77a0f3e633d7\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"EventClass\",\"type\":2,\"isRequired\":true,\"multiSelect\":true,\"quote\":\"'\",\"delimiter\":\",\",\"query\":\"CommonSecurityLog\\r\\n| where DeviceProduct has 'PAN-OS'\\r\\n| where DeviceVendor =~ 'Palo Alto Networks'\\r\\n| distinct DeviceEventClassID\",\"value\":[\"value::all\"],\"typeSettings\":{\"additionalResourceOptions\":[\"value::all\"],\"selectAllValue\":\"All\"},\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"parameters - 35\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let data = CommonSecurityLog\\r\\n| where DeviceProduct has 'PAN-OS'\\r\\n| where DeviceVendor =~ 'Palo Alto Networks'\\r\\n| where \\\"{Destination_IP:lable}\\\"==\\\"All\\\" or DestinationIP in ({Destination_IP})\\r\\n| where \\\"{Source_IP:lable}\\\" == \\\"All\\\" or SourceIP in ({Source_IP})\\r\\n| where \\\"{EventClass:lable}\\\" == \\\"All\\\" or \\\"{EventClass:lable}\\\" == \\\"All\\\" or DeviceEventClassID in ({EventClass});\\r\\ndata\\r\\n| summarize Count = 
count() by Activity\\r\\n| join kind = inner (data\\r\\n | make-series Trend = count() default = 0 on TimeGenerated from {TimeRange:start} to {TimeRange:end} step {TimeRange:grain} by Activity)\\r\\n on Activity\\r\\n| project-away Activity1, TimeGenerated\\r\\n| extend Activitys = Activity\\r\\n| union (\\r\\n data \\r\\n | summarize Count = count() \\r\\n | extend jkey = 1\\r\\n | join kind=inner (data\\r\\n | make-series Trend = count() default = 0 on TimeGenerated from {TimeRange:start} to {TimeRange:end} step {TimeRange:grain}\\r\\n | extend jkey = 1) on jkey\\r\\n | extend Activity = 'All', Activitys = '*' \\r\\n)\\r\\n| order by Count desc\\r\\n| take 10\",\"size\":4,\"exportFieldName\":\"Activity\",\"exportParameterName\":\"activities\",\"exportDefaultValue\":\"All\",\"exportToExcelOptions\":\"visible\",\"title\":\"Activities, by volume\",\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"tiles\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"Activity\",\"formatter\":0,\"formatOptions\":{\"showIcon\":true}},{\"columnMatch\":\"Count\",\"formatter\":8,\"formatOptions\":{\"palette\":\"blueDark\",\"showIcon\":true}},{\"columnMatch\":\"Trend\",\"formatter\":9,\"formatOptions\":{\"palette\":\"lightBlue\",\"showIcon\":true}},{\"columnMatch\":\"Activitys\",\"formatter\":5,\"formatOptions\":{\"showIcon\":true}},{\"columnMatch\":\"jkey\",\"formatter\":5,\"formatOptions\":{\"showIcon\":true}},{\"columnMatch\":\"TimeGenerated\",\"formatter\":5,\"formatOptions\":{\"showIcon\":true}},{\"columnMatch\":\"jkey1\",\"formatter\":5,\"formatOptions\":{\"showIcon\":true}}]},\"tileSettings\":{\"titleContent\":{\"columnMatch\":\"Activity\",\"formatter\":1,\"formatOptions\":{\"showIcon\":true}},\"leftContent\":{\"columnMatch\":\"Count\",\"formatter\":12,\"formatOptions\":{\"palette\":\"auto\",\"showIcon\":true},\"numberFormat\":{\"unit\":17,\"options\":{
\"maximumSignificantDigits\":3,\"maximumFractionDigits\":2}}},\"secondaryContent\":{\"columnMatch\":\"Trend\",\"formatter\":9,\"formatOptions\":{\"showIcon\":true}},\"showBorder\":false}},\"name\":\"all activities\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"CommonSecurityLog\\r\\n| where DeviceProduct has 'PAN-OS'\\r\\n| where DeviceVendor =~ 'Palo Alto Networks'\\r\\n| where \\\"{Destination_IP:lable}\\\"==\\\"All\\\" or DestinationIP in ({Destination_IP})\\r\\n| where \\\"{Source_IP:lable}\\\" == \\\"All\\\" or SourceIP in ({Source_IP})\\r\\n| where \\\"{EventClass:lable}\\\" == \\\"All\\\" or DeviceEventClassID in ({EventClass})\\r\\n| where '{activities}' == \\\"All\\\" or Activity == '{activities}'\\r\\n| summarize LogVolume=count() by DeviceEventClassID, bin_at(TimeGenerated, {TimeRange:grain}, {TimeRange:start})\",\"size\":0,\"aggregation\":3,\"exportToExcelOptions\":\"visible\",\"title\":\"Event trend, by time\",\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"barchart\",\"tileSettings\":{\"showBorder\":false,\"titleContent\":{\"columnMatch\":\"DeviceEventClassID\",\"formatter\":1},\"leftContent\":{\"columnMatch\":\"LogVolume\",\"formatter\":12,\"formatOptions\":{\"palette\":\"auto\"},\"numberFormat\":{\"unit\":17,\"options\":{\"maximumSignificantDigits\":3,\"maximumFractionDigits\":2}}}}},\"customWidth\":\"50\",\"name\":\"Event trend by time\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"//trend by sevearity\\r\\nCommonSecurityLog\\r\\n| where DeviceProduct has 'PAN-OS'\\r\\n| where DeviceVendor =~ 'Palo Alto Networks'\\r\\n| where \\\"{Destination_IP:lable}\\\"==\\\"All\\\" or DestinationIP in ({Destination_IP}) \\r\\n| where \\\"{Source_IP:lable}\\\" == \\\"All\\\" or SourceIP in ({Source_IP})\\r\\n| where \\\"{EventClass:lable}\\\" == \\\"All\\\" or DeviceEventClassID in 
({EventClass})\\r\\n| where '{activities}' == \\\"All\\\" or Activity == '{activities}'\\r\\n| summarize count() by bin_at(TimeGenerated, {TimeRange:grain},{TimeRange:start}), LogSeverity\\r\\n\",\"size\":0,\"exportToExcelOptions\":\"visible\",\"title\":\"Events severity, by time\",\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"barchart\",\"tileSettings\":{\"showBorder\":false,\"titleContent\":{\"columnMatch\":\"LogSeverity\",\"formatter\":1},\"leftContent\":{\"columnMatch\":\"count_\",\"formatter\":12,\"formatOptions\":{\"palette\":\"auto\"},\"numberFormat\":{\"unit\":17,\"options\":{\"maximumSignificantDigits\":3,\"maximumFractionDigits\":2}}}},\"graphSettings\":{\"type\":0,\"topContent\":{\"columnMatch\":\"LogSeverity\",\"formatter\":1},\"centerContent\":{\"columnMatch\":\"count_\",\"formatter\":1,\"numberFormat\":{\"unit\":17,\"options\":{\"maximumSignificantDigits\":3,\"maximumFractionDigits\":2}}}}},\"customWidth\":\"50\",\"name\":\"Events severity over time\"},{\"type\":1,\"content\":{\"json\":\"---\\r\\n### Traffic events summary\"},\"name\":\"text - 11\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let data = CommonSecurityLog\\r\\n| where DeviceProduct has 'PAN-OS'\\r\\n| where DeviceVendor =~ 'Palo Alto Networks'\\r\\n| where \\\"{Destination_IP:lable}\\\"==\\\"All\\\" or DestinationIP in ({Destination_IP}) \\r\\n| where \\\"{Source_IP:lable}\\\" == \\\"All\\\" or SourceIP in ({Source_IP})\\r\\n| where Activity =~ \\\"Traffic\\\";\\r\\ndata\\r\\n| summarize Count = count() by DeviceEventClassID\\r\\n| join kind = inner (data\\r\\n | make-series Trend = count() default = 0 on TimeGenerated from {TimeRange:start} to {TimeRange:end} step {TimeRange:grain} by DeviceEventClassID)\\r\\n on DeviceEventClassID\\r\\n| project-away DeviceEventClassID1, TimeGenerated\\r\\n| extend DeviceEventClassIDs = 
DeviceEventClassID\\r\\n| union (\\r\\n data \\r\\n | summarize Count = count() \\r\\n | extend jkey = 1\\r\\n | join kind=inner (data\\r\\n | make-series Trend = count() default = 0 on TimeGenerated from {TimeRange:start} to {TimeRange:end} step {TimeRange:grain}\\r\\n | extend jkey = 1) on jkey\\r\\n | extend DeviceEventClassID = 'All', DeviceEventClassIDs = '*' \\r\\n)\\r\\n| order by Count desc\\r\\n| take 10\",\"size\":4,\"exportFieldName\":\"DeviceEventClassID\",\"exportParameterName\":\"EventClass\",\"exportDefaultValue\":\"All\",\"exportToExcelOptions\":\"visible\",\"title\":\"Device events Id summary - click to filter the graph below\",\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"tiles\",\"tileSettings\":{\"titleContent\":{\"columnMatch\":\"DeviceEventClassID\",\"formatter\":1,\"formatOptions\":{\"showIcon\":true}},\"leftContent\":{\"columnMatch\":\"Count\",\"formatter\":12,\"formatOptions\":{\"palette\":\"auto\",\"showIcon\":true},\"numberFormat\":{\"unit\":17,\"options\":{\"style\":\"decimal\",\"maximumFractionDigits\":2,\"maximumSignificantDigits\":3}}},\"secondaryContent\":{\"columnMatch\":\"Trend\",\"formatter\":9,\"formatOptions\":{\"showIcon\":true}},\"showBorder\":false}},\"customWidth\":\"50\",\"name\":\"Traffic event summary\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let data = CommonSecurityLog\\r\\n| where DeviceProduct has 'PAN-OS'\\r\\n| where DeviceVendor =~ 'Palo Alto Networks'\\r\\n| where \\\"{Destination_IP:lable}\\\"==\\\"All\\\" or DestinationIP in ({Destination_IP}) \\r\\n| where \\\"{Source_IP:lable}\\\" == \\\"All\\\" or SourceIP in ({Source_IP})\\r\\n| where Activity =~ \\\"Traffic\\\";\\r\\ndata\\r\\n| summarize Count = count() by DeviceAction\\r\\n| join kind = inner (data\\r\\n | make-series Trend = count() default = 0 on TimeGenerated from {TimeRange:start} to 
{TimeRange:end} step {TimeRange:grain} by DeviceAction)\\r\\n on DeviceAction\\r\\n| project-away DeviceAction1, TimeGenerated\\r\\n| extend DeviceAction = DeviceAction\\r\\n| union (\\r\\n data \\r\\n | summarize Count = count() \\r\\n | extend jkey = 1\\r\\n | join kind=inner (data\\r\\n | make-series Trend = count() default = 0 on TimeGenerated from {TimeRange:start} to {TimeRange:end} step {TimeRange:grain}\\r\\n | extend jkey = 1) on jkey\\r\\n | extend DeviceAction = 'All', DeviceActions = '*' \\r\\n)\\r\\n| order by Count desc\\r\\n| take 10\",\"size\":4,\"exportFieldName\":\"DeviceAction\",\"exportParameterName\":\"DeviceAction\",\"exportDefaultValue\":\"All\",\"exportToExcelOptions\":\"visible\",\"title\":\"Device action summary - click to filter the graph below\",\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"tiles\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"DeviceAction\",\"formatter\":0,\"formatOptions\":{\"showIcon\":true}},{\"columnMatch\":\"Count\",\"formatter\":3,\"formatOptions\":{\"palette\":\"blueDark\",\"showIcon\":true}},{\"columnMatch\":\"Trend\",\"formatter\":9,\"formatOptions\":{\"palette\":\"blueDark\",\"showIcon\":true}},{\"columnMatch\":\"jkey\",\"formatter\":5,\"formatOptions\":{\"showIcon\":true}},{\"columnMatch\":\"TimeGenerated\",\"formatter\":5,\"formatOptions\":{\"showIcon\":true}},{\"columnMatch\":\"jkey1\",\"formatter\":5,\"formatOptions\":{\"showIcon\":true}},{\"columnMatch\":\"DeviceActions\",\"formatter\":5,\"formatOptions\":{\"showIcon\":true}}]},\"tileSettings\":{\"titleContent\":{\"columnMatch\":\"DeviceAction\",\"formatter\":1,\"formatOptions\":{\"showIcon\":true}},\"leftContent\":{\"columnMatch\":\"Count\",\"formatter\":12,\"formatOptions\":{\"palette\":\"auto\",\"showIcon\":true},\"numberFormat\":{\"unit\":17,\"options\":{\"maximumSignificantDigits\":3,\"maximumFractionDigits\":2}}},\"
secondaryContent\":{\"columnMatch\":\"Trend\",\"formatter\":9,\"formatOptions\":{\"showIcon\":true}},\"showBorder\":false}},\"customWidth\":\"33\",\"name\":\"Traffic activity summary\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"CommonSecurityLog\\r\\n| where DeviceProduct has 'PAN-OS'\\r\\n| where DeviceVendor =~ 'Palo Alto Networks'\\r\\n| where \\\"{Destination_IP:lable}\\\"==\\\"All\\\" or DestinationIP in ({Destination_IP}) \\r\\n| where \\\"{Source_IP:lable}\\\" == \\\"All\\\" or SourceIP in ({Source_IP})\\r\\n| where Activity =~ 'TRAFFIC'\\r\\n| where '{EventClass}' == \\\"All\\\" or DeviceEventClassID=='{EventClass}'\\r\\n| summarize EventCount= count() by DeviceAction, bin_at(TimeGenerated, {TimeRange:grain}, {TimeRange:start})\",\"size\":0,\"exportToExcelOptions\":\"visible\",\"title\":\"Device action, by time\",\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"barchart\"},\"customWidth\":\"50\",\"name\":\"Traffic activity by time\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"CommonSecurityLog\\r\\n| where DeviceProduct has 'PAN-OS'\\r\\n| where DeviceVendor =~ 'Palo Alto Networks'\\r\\n| where \\\"{Destination_IP:lable}\\\"==\\\"All\\\" or DestinationIP in ({Destination_IP}) \\r\\n| where \\\"{Source_IP:lable}\\\" == \\\"All\\\" or SourceIP in ({Source_IP})\\r\\n| where '{DeviceAction}' == \\\"All\\\" or DeviceAction=='{DeviceAction}'\\r\\n| where Activity =~ \\\"Traffic\\\"\\r\\n| summarize EventCount= count() by DeviceEventClassID, bin_at(TimeGenerated, {TimeRange:grain}, {TimeRange:start})\",\"size\":0,\"exportToExcelOptions\":\"visible\",\"title\":\"Device events Id, by 
time\",\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"barchart\"},\"customWidth\":\"50\",\"name\":\"Traffic class ID by time\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"CommonSecurityLog\\r\\n| where DeviceProduct has 'PAN-OS' \\r\\n| where DeviceVendor =~ 'Palo Alto Networks' \\r\\n| where \\\"{Destination_IP:lable}\\\"==\\\"All\\\" or DestinationIP in ({Destination_IP}) \\r\\n| where \\\"{Source_IP:lable}\\\" == \\\"All\\\" or SourceIP in ({Source_IP})\\r\\n| where Activity =~ 'TRAFFIC' \\r\\n| where DeviceEventClassID =~ 'end' \\r\\n| extend Reason = coalesce(\\r\\n column_ifexists(\\\"Reason\\\", \\\"\\\"),\\r\\n extract(';reason=(.*?);',1,AdditionalExtensions),\\r\\n \\\"\\\"\\r\\n )\\r\\n| summarize ReasonCount= count() by Reason, TimeGenerated \\r\\n\",\"size\":0,\"exportToExcelOptions\":\"visible\",\"title\":\"Reasons for session ending, by time\",\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"timechart\"},\"customWidth\":\"50\",\"name\":\"Reasons for session ending\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"// Data sent outbound vs inbound\\r\\nCommonSecurityLog\\r\\n| where DeviceProduct has 'PAN-OS'\\r\\n| where DeviceVendor =~ 'Palo Alto Networks'\\r\\n| where \\\"{Destination_IP:lable}\\\"==\\\"All\\\" or DestinationIP in ({Destination_IP}) \\r\\n| where \\\"{Source_IP:lable}\\\" == \\\"All\\\" or SourceIP in ({Source_IP})\\r\\n| where Activity =~ 'TRAFFIC'\\r\\n| extend Direction=iff(DeviceCustomString4=~'Trust','Outbound' ,'Inbound' )\\r\\n| summarize DataSentOutBoundMB=sumif(SentBytes, Direction=~'Outbound')/1048576, DataRecievedInboundMB=sumif(ReceivedBytes, Direction=~'Inbound')/1048576 by 
TimeGenerated\\r\\n\",\"size\":0,\"exportToExcelOptions\":\"visible\",\"title\":\"Sent and received data, by volume\",\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"timechart\"},\"customWidth\":\"50\",\"name\":\"Sent and received data by volume\"},{\"type\":1,\"content\":{\"json\":\"---\\r\\n## Web filter\"},\"name\":\"text - 12\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"CommonSecurityLog\\r\\n| where DeviceProduct has 'PAN-OS'\\r\\n| where DeviceVendor =~ 'Palo Alto Networks'\\r\\n| where \\\"{Destination_IP:lable}\\\"==\\\"All\\\" or DestinationIP in ({Destination_IP}) \\r\\n| where \\\"{Source_IP:lable}\\\" == \\\"All\\\" or SourceIP in ({Source_IP})\\r\\n| where Activity =~ 'THREAT'\\r\\n| where DeviceEventClassID =~ 'url'\\r\\n| where DeviceAction contains 'block'\\r\\n| summarize ProtocolCount=count() by ApplicationProtocol\\r\\n| top 5 by ProtocolCount desc\\r\\n\",\"size\":0,\"exportToExcelOptions\":\"visible\",\"title\":\"Top 5 blocked URLs, by application protocol\",\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"ApplicationProtocol\",\"formatter\":0,\"formatOptions\":{\"showIcon\":true}},{\"columnMatch\":\"ProtocolCount\",\"formatter\":4,\"formatOptions\":{\"min\":0,\"palette\":\"purple\",\"showIcon\":true}}]}},\"customWidth\":\"25\",\"name\":\"Top 5 blocked URLs by application protocol\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"CommonSecurityLog\\r\\n| where DeviceProduct has 'PAN-OS'\\r\\n| where DeviceVendor =~ 'Palo Alto Networks'\\r\\n| where \\\"{Destination_IP:lable}\\\"==\\\"All\\\" or DestinationIP in ({Destination_IP}) \\r\\n| where \\\"{Source_IP:lable}\\\" == \\\"All\\\" or SourceIP in ({Source_IP})\\r\\n| 
where Activity =~ 'THREAT'\\r\\n| where DeviceEventClassID =~ 'url'\\r\\n| where DeviceAction in ('block-url', 'block-continue')\\r\\n| summarize CategoryCount=count() by DeviceCustomString2\\r\\n| project-rename CategoryName= DeviceCustomString2\\r\\n| top 5 by CategoryCount\\r\\n\",\"size\":0,\"exportToExcelOptions\":\"visible\",\"title\":\"Top 5 URL blocked, by category\",\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"CategoryName\",\"formatter\":0,\"formatOptions\":{\"showIcon\":true}},{\"columnMatch\":\"CategoryCount\",\"formatter\":4,\"formatOptions\":{\"palette\":\"coldHot\",\"showIcon\":true}}]}},\"customWidth\":\"25\",\"name\":\"op 5 URL blocked by category\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"CommonSecurityLog\\r\\n| where DeviceProduct has 'PAN-OS'\\r\\n| where DeviceVendor =~ 'Palo Alto Networks'\\r\\n| where \\\"{Destination_IP:lable}\\\"==\\\"All\\\" or DestinationIP in ({Destination_IP}) \\r\\n| where \\\"{Source_IP:lable}\\\" == \\\"All\\\" or SourceIP in ({Source_IP})\\r\\n| where Activity =~ 'THREAT'\\r\\n| where DeviceEventClassID =~ 'url'\\r\\n| where DeviceAction in ('block-url', 'block-continue')\\r\\n| summarize URLCount=count() by RequestURL\\r\\n| top 5 by URLCount desc\\r\\n\",\"size\":0,\"exportToExcelOptions\":\"visible\",\"title\":\"Top 5 blocked URLs\",\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"customWidth\":\"25\",\"name\":\"Top 5 blocked URLs\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"CommonSecurityLog\\r\\n| where DeviceProduct has 'PAN-OS'\\r\\n| where DeviceVendor =~ 'Palo Alto Networks'\\r\\n| where \\\"{Destination_IP:lable}\\\"==\\\"All\\\" or DestinationIP in ({Destination_IP}) \\r\\n| where 
\\\"{Source_IP:lable}\\\" == \\\"All\\\" or SourceIP in ({Source_IP})\\r\\n| where Activity =~ 'THREAT'\\r\\n| where DeviceEventClassID =~ 'url'\\r\\n| summarize ProtocolCount=count() by ApplicationProtocol\\r\\n| top 5 by ProtocolCount desc\",\"size\":0,\"exportToExcelOptions\":\"visible\",\"title\":\"Top 5 URLs, by application protocols\",\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"ApplicationProtocol\",\"formatter\":0,\"formatOptions\":{\"showIcon\":true}},{\"columnMatch\":\"ProtocolCount\",\"formatter\":4,\"formatOptions\":{\"palette\":\"coldHot\",\"showIcon\":true}}]}},\"customWidth\":\"25\",\"name\":\"Top 5 URLs by application protocols\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"CommonSecurityLog\\r\\n| where DeviceProduct has 'PAN-OS'\\r\\n| where DeviceVendor =~ 'Palo Alto Networks'\\r\\n| where \\\"{Destination_IP:lable}\\\"==\\\"All\\\" or DestinationIP in ({Destination_IP}) \\r\\n| where \\\"{Source_IP:lable}\\\" == \\\"All\\\" or SourceIP in ({Source_IP})\\r\\n| where Activity =~ 'THREAT'\\r\\n| where DeviceEventClassID =~ 'url'\\r\\n| where DeviceAction in ('alert', 'continue')\\r\\n| summarize URLCount=count() by RequestURL\\r\\n| top 5 by URLCount desc\\r\\n\",\"size\":0,\"exportToExcelOptions\":\"visible\",\"title\":\"Top 5 allowed URLs\",\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"RequestURL\",\"formatter\":0,\"formatOptions\":{\"showIcon\":true}},{\"columnMatch\":\"URLCount\",\"formatter\":4,\"formatOptions\":{\"palette\":\"coldHot\",\"showIcon\":true}}]}},\"customWidth\":\"25\",\"name\":\"Top 5 allowed URLs\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"CommonSecurityLog\\r\\n| 
where DeviceProduct has 'PAN-OS'\\r\\n| where DeviceVendor =~ 'Palo Alto Networks'\\r\\n| where \\\"{Destination_IP:lable}\\\"==\\\"All\\\" or DestinationIP in ({Destination_IP}) \\r\\n| where \\\"{Source_IP:lable}\\\" == \\\"All\\\" or SourceIP in ({Source_IP})\\r\\n| where Activity =~ 'THREAT'\\r\\n| where DeviceEventClassID =~ 'url'\\r\\n| summarize ActionCount=count() by DeviceAction\\r\\n\",\"size\":0,\"exportToExcelOptions\":\"visible\",\"title\":\"URL threat event summary\",\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"DeviceAction\",\"formatter\":0,\"formatOptions\":{\"showIcon\":true}},{\"columnMatch\":\"ActionCount\",\"formatter\":4,\"formatOptions\":{\"palette\":\"coldHot\",\"showIcon\":true}}]}},\"customWidth\":\"25\",\"name\":\"URL threat event summary\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"CommonSecurityLog\\r\\n| where DeviceProduct has 'PAN-OS'\\r\\n| where DeviceVendor =~ 'Palo Alto Networks'\\r\\n| where Activity =~ 'THREAT'\\r\\n| where DeviceEventClassID =~ 'url'\\r\\n| where DeviceAction contains 'block'\\r\\n| extend PAReferer= extract(';PanOSReferer=(.*?);',1,AdditionalExtensions)\\r\\n| where PAReferer !=''\\r\\n| summarize RefererCount= count() by PAReferer\\r\\n| top 5 by RefererCount desc\\r\\n\",\"size\":0,\"exportToExcelOptions\":\"visible\",\"title\":\"Top 5 referrers for blocked URLs\",\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"customWidth\":\"25\",\"name\":\"Top 5 referrers for blocked URLs\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"CommonSecurityLog\\r\\n| where DeviceProduct has 'PAN-OS'\\r\\n| where DeviceVendor =~ 'Palo Alto Networks'\\r\\n| where \\\"{Destination_IP:lable}\\\"==\\\"All\\\" or 
DestinationIP in ({Destination_IP}) \\r\\n| where \\\"{Source_IP:lable}\\\" == \\\"All\\\" or SourceIP in ({Source_IP})\\r\\n| where Activity =~ 'THREAT'\\r\\n| where DeviceEventClassID =~ 'url'\\r\\n| where DeviceAction in ('alert', 'continue')\\r\\n| summarize CategoryCount=count() by DeviceCustomString2\\r\\n| project-rename CategoryName= DeviceCustomString2\\r\\n| top 5 by CategoryCount desc\\r\\n\",\"size\":0,\"exportToExcelOptions\":\"visible\",\"title\":\"Top 5 allowed URLs, by category\",\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"CategoryName\",\"formatter\":0,\"formatOptions\":{\"showIcon\":true}},{\"columnMatch\":\"CategoryCount\",\"formatter\":4,\"formatOptions\":{\"palette\":\"coldHot\",\"showIcon\":true}}]}},\"customWidth\":\"25\",\"name\":\"Top 5 allowed URLs, by category\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"CommonSecurityLog\\r\\n| where DeviceProduct has 'PAN-OS'\\r\\n| where DeviceVendor =~ 'Palo Alto Networks'\\r\\n| where \\\"{Destination_IP:lable}\\\"==\\\"All\\\" or DestinationIP in ({Destination_IP}) \\r\\n| where \\\"{Source_IP:lable}\\\" == \\\"All\\\" or SourceIP in ({Source_IP})\\r\\n| where Activity =~ 'THREAT'\\r\\n| where DeviceEventClassID =~ 'url'\\r\\n| where DeviceAction !contains 'block'\\r\\n| summarize ProtocolCount=count() by ApplicationProtocol\\r\\n| top 5 by ProtocolCount desc\",\"size\":0,\"exportToExcelOptions\":\"visible\",\"title\":\"Top 5 allowed URLs, by application 
protocol\",\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"table\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"ApplicationProtocol\",\"formatter\":0,\"formatOptions\":{\"showIcon\":true}},{\"columnMatch\":\"ProtocolCount\",\"formatter\":4,\"formatOptions\":{\"palette\":\"coldHot\",\"showIcon\":true}}]}},\"customWidth\":\"33\",\"name\":\"Top 5 allowed URLs by application protocol\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"CommonSecurityLog\\r\\n| where DeviceProduct has 'PAN-OS'\\r\\n| where DeviceVendor =~ 'Palo Alto Networks'\\r\\n| where \\\"{Destination_IP:lable}\\\"==\\\"All\\\" or DestinationIP in ({Destination_IP}) \\r\\n| where \\\"{Source_IP:lable}\\\" == \\\"All\\\" or SourceIP in ({Source_IP})\\r\\n| where Activity =~ 'THREAT'\\r\\n| where DeviceEventClassID =~ 'url'\\r\\n| summarize ActionCount=count() by DeviceAction, TimeGenerated\\r\\n\",\"size\":0,\"exportToExcelOptions\":\"visible\",\"title\":\"Web filter activity, by time\",\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"DeviceAction\",\"formatter\":0,\"formatOptions\":{\"showIcon\":true}},{\"columnMatch\":\"TimeGenerated\",\"formatter\":0,\"formatOptions\":{\"showIcon\":true}},{\"columnMatch\":\"ActionCount\",\"formatter\":4,\"formatOptions\":{\"palette\":\"coldHot\",\"showIcon\":true}}]}},\"customWidth\":\"33\",\"name\":\"Web filter activity by time\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"CommonSecurityLog\\r\\n| where DeviceProduct has 'PAN-OS'\\r\\n| where DeviceVendor =~ 'Palo Alto Networks'\\r\\n| where Activity =~ 'THREAT'\\r\\n| where \\\"{Destination_IP:lable}\\\"==\\\"All\\\" or DestinationIP in ({Destination_IP}) \\r\\n| where 
\\\"{Source_IP:lable}\\\" == \\\"All\\\" or SourceIP in ({Source_IP})\\r\\n| where DeviceEventClassID =~ 'url'\\r\\n| where DeviceAction in ('alert', 'continue')\\r\\n| summarize IPCount=count() by SourceIP\\r\\n| top 5 by IPCount desc\\r\\n\",\"size\":0,\"exportToExcelOptions\":\"visible\",\"title\":\"Top 5 allowed web traffic source IP addresses\",\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"SourceIP\",\"formatter\":0,\"formatOptions\":{\"showIcon\":true}},{\"columnMatch\":\"IPCount\",\"formatter\":4,\"formatOptions\":{\"palette\":\"coldHot\",\"showIcon\":true}}]}},\"customWidth\":\"33\",\"name\":\"Top 5 allowed web traffic source IP addresses\"},{\"type\":1,\"content\":{\"json\":\"---\\r\\n## Wildfire\"},\"name\":\"text - 24\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"CommonSecurityLog\\r\\n| where DeviceProduct has 'PAN-OS'\\r\\n| where DeviceVendor =~ 'Palo Alto Networks'\\r\\n| where Activity =~ 'THREAT'\\r\\n| where DeviceEventClassID =~ 'wildfire'\\r\\n| summarize ActionCount=count() by DeviceAction, TimeGenerated\\r\\n\",\"size\":0,\"exportToExcelOptions\":\"visible\",\"title\":\"Wildfire events, by time\",\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"timechart\"},\"customWidth\":\"50\",\"name\":\"Wildfire events, by time\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let data = CommonSecurityLog\\r\\n| where DeviceProduct has 'PAN-OS'\\r\\n| where DeviceVendor =~ 'Palo Alto Networks'\\r\\n| where Activity =~ 'THREAT'\\r\\n| where DeviceEventClassID =~'wildfire'\\r\\n| where \\\"{Destination_IP:lable}\\\"==\\\"All\\\" or DestinationIP in ({Destination_IP}) \\r\\n| where \\\"{Source_IP:lable}\\\" == \\\"All\\\" or SourceIP 
in ({Source_IP});\\r\\ndata\\r\\n| summarize Count = count() by DeviceAction\\r\\n| join kind = inner (data\\r\\n | make-series Trend = count() default = 0 on TimeGenerated from {TimeRange:start} to {TimeRange:end} step {TimeRange:grain} by DeviceAction)\\r\\n on DeviceAction\\r\\n| project-away DeviceAction1, TimeGenerated\\r\\n| extend DeviceActions = DeviceAction\\r\\n| union (\\r\\n data \\r\\n | summarize Count = count() \\r\\n | extend jkey = 1\\r\\n | join kind=inner (data\\r\\n | make-series Trend = count() default = 0 on TimeGenerated from {TimeRange:start} to {TimeRange:end} step {TimeRange:grain}\\r\\n | extend jkey = 1) on jkey\\r\\n | extend DeviceAction = 'All', DeviceActions = '*' \\r\\n)\\r\\n| project DeviceAction, Count, Trend\\r\\n| order by Count desc\\r\\n| take 10\",\"size\":4,\"exportFieldName\":\"DeviceAction\",\"exportParameterName\":\"DeviceAction\",\"exportDefaultValue\":\"All\",\"exportToExcelOptions\":\"visible\",\"title\":\"Top 5 Wildfire activities\",\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"tiles\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"DeviceAction\",\"formatter\":0,\"formatOptions\":{\"showIcon\":true}},{\"columnMatch\":\"Count\",\"formatter\":3,\"formatOptions\":{\"showIcon\":true}},{\"columnMatch\":\"Trend\",\"formatter\":9,\"formatOptions\":{\"palette\":\"grayBlue\",\"showIcon\":true}},{\"columnMatch\":\"DeviceActions\",\"formatter\":0,\"formatOptions\":{\"showIcon\":true}},{\"columnMatch\":\"jkey\",\"formatter\":0,\"formatOptions\":{\"showIcon\":true}},{\"columnMatch\":\"TimeGenerated\",\"formatter\":0,\"formatOptions\":{\"showIcon\":true}},{\"columnMatch\":\"jkey1\",\"formatter\":0,\"formatOptions\":{\"showIcon\":true}}],\"sortBy\":[{\"itemKey\":\"DeviceAction\",\"sortOrder\":1}]},\"tileSettings\":{\"titleContent\":{\"columnMatch\":\"DeviceAction\",\"formatter\":1,\"formatOptions\":
{\"showIcon\":true}},\"leftContent\":{\"columnMatch\":\"Count\",\"formatter\":12,\"formatOptions\":{\"palette\":\"auto\",\"showIcon\":true},\"numberFormat\":{\"unit\":17,\"options\":{\"maximumSignificantDigits\":3,\"maximumFractionDigits\":2}}},\"secondaryContent\":{\"columnMatch\":\"Trend\",\"formatter\":9,\"formatOptions\":{\"showIcon\":true}},\"showBorder\":false}},\"customWidth\":\"25\",\"name\":\"Top 5 Wildfire activities\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let data = CommonSecurityLog\\r\\n| where DeviceProduct has 'PAN-OS'\\r\\n| where DeviceVendor =~ 'Palo Alto Networks'\\r\\n| where Activity =~ 'THREAT'\\r\\n| where DeviceEventClassID =~'wildfire'\\r\\n| where \\\"{Destination_IP:lable}\\\"==\\\"All\\\" or DestinationIP in ({Destination_IP}) \\r\\n| where \\\"{Source_IP:lable}\\\" == \\\"All\\\" or SourceIP in ({Source_IP});\\r\\ndata\\r\\n| summarize Count = count() by DeviceCustomString2\\r\\n| join kind = inner (data\\r\\n | make-series Trend = count() default = 0 on TimeGenerated from {TimeRange:start} to {TimeRange:end} step {TimeRange:grain} by DeviceCustomString2)\\r\\n on DeviceCustomString2\\r\\n| project-away DeviceCustomString21, TimeGenerated\\r\\n| extend DeviceCustomString2s = DeviceCustomString2\\r\\n| union (\\r\\n data \\r\\n | summarize Count = count() \\r\\n | extend jkey = 1\\r\\n | join kind=inner (data\\r\\n | make-series Trend = count() default = 0 on TimeGenerated from {TimeRange:start} to {TimeRange:end} step {TimeRange:grain}\\r\\n | extend jkey = 1) on jkey\\r\\n | extend DeviceCustomString2 = 'All', DeviceCustomString2s = '*' \\r\\n)\\r\\n| project DeviceCustomString2, Count, Trend\\r\\n| order by Count desc\\r\\n| take 10\",\"size\":4,\"exportFieldName\":\"DeviceCustomString2\",\"exportParameterName\":\"DeviceString\",\"exportDefaultValue\":\"All\",\"exportToExcelOptions\":\"visible\",\"title\":\"Top 5 Wildfire 
verdicts\",\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"tiles\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"DeviceAction\",\"formatter\":0,\"formatOptions\":{\"showIcon\":true}},{\"columnMatch\":\"Count\",\"formatter\":3,\"formatOptions\":{\"showIcon\":true}},{\"columnMatch\":\"Trend\",\"formatter\":9,\"formatOptions\":{\"palette\":\"grayBlue\",\"showIcon\":true}},{\"columnMatch\":\"DeviceActions\",\"formatter\":0,\"formatOptions\":{\"showIcon\":true}},{\"columnMatch\":\"jkey\",\"formatter\":0,\"formatOptions\":{\"showIcon\":true}},{\"columnMatch\":\"TimeGenerated\",\"formatter\":0,\"formatOptions\":{\"showIcon\":true}},{\"columnMatch\":\"jkey1\",\"formatter\":0,\"formatOptions\":{\"showIcon\":true}}],\"sortBy\":[{\"itemKey\":\"DeviceAction\",\"sortOrder\":1}]},\"tileSettings\":{\"titleContent\":{\"columnMatch\":\"DeviceCustomString2\",\"formatter\":1,\"formatOptions\":{\"showIcon\":true}},\"leftContent\":{\"columnMatch\":\"Count\",\"formatter\":12,\"formatOptions\":{\"palette\":\"auto\",\"showIcon\":true},\"numberFormat\":{\"unit\":17,\"options\":{\"maximumSignificantDigits\":3,\"maximumFractionDigits\":2}}},\"secondaryContent\":{\"columnMatch\":\"Trend\",\"formatter\":9,\"formatOptions\":{\"showIcon\":true}},\"showBorder\":false}},\"customWidth\":\"25\",\"name\":\"Top 5 Wildfire verdicts\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"CommonSecurityLog\\r\\n| where DeviceProduct has 'PAN-OS'\\r\\n| where DeviceVendor =~ 'Palo Alto Networks'\\r\\n| where Activity =~ 'THREAT'\\r\\n| where DeviceEventClassID =~ 'wildfire'\\r\\n| where '{DeviceAction}' == \\\"All\\\" or DeviceAction=='{DeviceAction}'\\r\\n| where '{DeviceString}' == \\\"All\\\" or DeviceCustomString2=='{DeviceString}'\\r\\n| project TimeGenerated, ReceiptTime, LogSeverity, DeviceAction, ['URL Category'] =DeviceCustomString2, DestinationPort, 
DestinationIP, Message, SourcePort, SourceIP, DestinationUserID, RequestURL\",\"size\":0,\"exportToExcelOptions\":\"visible\",\"title\":\"Wildfire events\",\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"gridSettings\":{\"filter\":true}},\"name\":\"Wildfire events\"},{\"type\":1,\"content\":{\"json\":\"---\\r\\n## General statistics\"},\"name\":\"text - 30\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"CommonSecurityLog\\r\\n| where DeviceProduct has 'PAN-OS'\\r\\n| where DeviceVendor =~ 'Palo Alto Networks'\\r\\n| where Activity =~ 'THREAT'\\r\\n| where \\\"{Destination_IP:lable}\\\"==\\\"All\\\" or DestinationIP in ({Destination_IP}) \\r\\n| where \\\"{Source_IP:lable}\\\" == \\\"All\\\" or SourceIP in ({Source_IP})\\r\\n| where DeviceEventClassID =~ 'file'\\r\\n| where DeviceAction contains 'deny'\\r\\n| summarize ProtocolCount=count() by ApplicationProtocol\\r\\n| top 5 by ProtocolCount desc\\r\\n\",\"size\":0,\"exportToExcelOptions\":\"visible\",\"title\":\"Top 5 denied files, by application protocol\",\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"ApplicationProtocol\",\"formatter\":0,\"formatOptions\":{\"showIcon\":true}},{\"columnMatch\":\"ProtocolCount\",\"formatter\":4,\"formatOptions\":{\"palette\":\"coldHot\",\"showIcon\":true}}]}},\"customWidth\":\"33\",\"name\":\"Top 5 denied files by application protocol\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"CommonSecurityLog\\r\\n| where DeviceProduct has 'PAN-OS'\\r\\n| where DeviceVendor =~ 'Palo Alto Networks'\\r\\n| where Activity =~ 'THREAT'\\r\\n| where \\\"{Destination_IP:lable}\\\"==\\\"All\\\" or DestinationIP in ({Destination_IP}) \\r\\n| where \\\"{Source_IP:lable}\\\" == \\\"All\\\" or 
SourceIP in ({Source_IP})\\r\\n| where DeviceEventClassID =~ 'file'\\r\\n| where DeviceAction !contains 'deny'\\r\\n| summarize ProtocolCount=count() by ApplicationProtocol\\r\\n| top 5 by ProtocolCount desc\\r\\n\",\"size\":0,\"exportToExcelOptions\":\"visible\",\"title\":\"Top 5 allowed files, by application protocol\",\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"ApplicationProtocol\",\"formatter\":0,\"formatOptions\":{\"showIcon\":true}},{\"columnMatch\":\"ProtocolCount\",\"formatter\":4,\"formatOptions\":{\"palette\":\"coldHot\",\"showIcon\":true}}]}},\"customWidth\":\"33\",\"name\":\"Top 5 allowed files by application protocol\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"//Palo Alto File Category By Action Summary\\r\\nCommonSecurityLog\\r\\n| where DeviceProduct has 'PAN-OS' \\r\\n| where DeviceVendor =~ 'Palo Alto Networks' \\r\\n| where Activity =~ 'THREAT'\\r\\n| where \\\"{Destination_IP:lable}\\\"==\\\"All\\\" or DestinationIP in ({Destination_IP}) \\r\\n| where \\\"{Source_IP:lable}\\\" == \\\"All\\\" or SourceIP in ({Source_IP})\\r\\n| where DeviceEventClassID =~ 'file' \\r\\n| extend PACategory= coalesce(\\r\\n column_ifexists(\\\"DeviceEventCategory\\\", \\\"\\\"),\\r\\n extract(';cat=(.*?)($|;)',1,AdditionalExtensions),\\r\\n \\\"\\\"\\r\\n )\\r\\n| summarize CategoryCount=count() by PACategory\\r\\n| sort by CategoryCount\",\"size\":0,\"exportToExcelOptions\":\"visible\",\"title\":\"Summary of Palo Alto file categories, by 
activity\",\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"PACategory\",\"formatter\":0,\"formatOptions\":{\"showIcon\":true}},{\"columnMatch\":\"CategoryCount\",\"formatter\":4,\"formatOptions\":{\"palette\":\"coldHot\",\"showIcon\":true},\"numberFormat\":{\"unit\":17,\"options\":{\"style\":\"decimal\"}}}]}},\"customWidth\":\"33\",\"name\":\"Summary of Palo Alto file categories by activity\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let data = CommonSecurityLog\\r\\n| where DeviceProduct has 'PAN-OS'\\r\\n| where DeviceVendor =~ 'Palo Alto Networks'\\r\\n| where Activity =~ 'THREAT'\\r\\n| where DeviceEventClassID =~'file'\\r\\n| where \\\"{Destination_IP:lable}\\\"==\\\"All\\\" or DestinationIP in ({Destination_IP}) \\r\\n| where \\\"{Source_IP:lable}\\\" == \\\"All\\\" or SourceIP in ({Source_IP});\\r\\ndata\\r\\n| summarize Count = count() by DeviceAction\\r\\n| join kind = inner (data\\r\\n | make-series Trend = count() default = 0 on TimeGenerated from {TimeRange:start} to {TimeRange:end} step {TimeRange:grain} by DeviceAction)\\r\\n on DeviceAction\\r\\n| project-away DeviceAction1, TimeGenerated\\r\\n| extend DeviceActions = DeviceAction\\r\\n| union (\\r\\n data \\r\\n | summarize Count = count() \\r\\n | extend jkey = 1\\r\\n | join kind=inner (data\\r\\n | make-series Trend = count() default = 0 on TimeGenerated from {TimeRange:start} to {TimeRange:end} step {TimeRange:grain}\\r\\n | extend jkey = 1) on jkey\\r\\n | extend DeviceAction = 'All', DeviceActions = '*' \\r\\n)\\r\\n| project DeviceAction, Count, Trend\\r\\n| order by Count desc\\r\\n| take 10\\r\\n\",\"size\":4,\"exportFieldName\":\"DeviceAction\",\"exportParameterName\":\"SelectedDA\",\"exportDefaultValue\":\"All\",\"exportToExcelOptions\":\"visible\",\"title\":\"Summary of file type 
activities\",\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"tiles\",\"tileSettings\":{\"titleContent\":{\"columnMatch\":\"DeviceAction\",\"formatter\":1,\"formatOptions\":{\"showIcon\":true}},\"leftContent\":{\"columnMatch\":\"Count\",\"formatter\":12,\"formatOptions\":{\"palette\":\"auto\",\"showIcon\":true},\"numberFormat\":{\"unit\":17,\"options\":{\"maximumSignificantDigits\":3,\"maximumFractionDigits\":2}}},\"secondaryContent\":{\"columnMatch\":\"Trend\",\"formatter\":9,\"formatOptions\":{\"showIcon\":true}},\"showBorder\":false}},\"customWidth\":\"25\",\"name\":\"Summary of file type activities\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"CommonSecurityLog\\r\\n| where DeviceProduct has 'PAN-OS'\\r\\n| where DeviceVendor =~ 'Palo Alto Networks'\\r\\n| where Activity =~ 'THREAT'\\r\\n| where DeviceEventClassID =~ 'file'\\r\\n| where \\\"{Destination_IP:lable}\\\"==\\\"All\\\" or DestinationIP in ({Destination_IP}) \\r\\n| where \\\"{Source_IP:lable}\\\" == \\\"All\\\" or SourceIP in ({Source_IP})\\r\\n| where '{SelectedDA}' == \\\"All\\\" or DeviceAction == '{SelectedDA}'\\r\\n| summarize ActionCount=count() by DeviceAction, bin(TimeGenerated, {TimeRange:grain})\\r\\n\",\"size\":0,\"exportToExcelOptions\":\"visible\",\"title\":\"Compare allowed and denied files, by time\",\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"timechart\"},\"name\":\"Compare allowed and denied files by time\"}],\"fromTemplateId\":\"sentinel-PaloAltoOverview\",\"$schema\":\"https://github.com/Microsoft/Application-Insights-Workbooks/blob/master/schema/workbook.json\"}\r\n",
"version": "1.0",
"sourceId": "[variables('workspaceResourceId')]",
"category": "sentinel"
}
},
{
"type": "Microsoft.OperationalInsights/workspaces/providers/metadata",
"apiVersion": "2022-01-01-preview",
"name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('Workbook-', last(split(variables('workbookId1'),'/'))))]",
"properties": {
"description": "Gain insights and comprehensive monitoring into Palo Alto firewalls by analyzing traffic and activities.\nThis workbook correlates all Palo Alto data with threat events to identify suspicious entities and relationships.\nYou can learn about trends across user and data traffic, and drill down into Palo Alto Wildfire and filter results.",
"parentId": "[variables('workbookId1')]",
"contentId": "[variables('_workbookContentId1')]",
"kind": "Workbook",
"version": "[variables('workbookVersion1')]",
"source": {
"kind": "Solution",
"name": "PaloAlto-PAN-OS",
"sourceId": "[variables('_solutionId')]"
},
"author": {
"name": "Microsoft",
"email": "[variables('_email')]"
},
"support": {
"name": "Microsoft Corporation",
"email": "support@microsoft.com",
"tier": "Microsoft",
"link": "https://support.microsoft.com"
},
"dependencies": {
"operator": "AND",
"criteria": [
{
"contentId": "CommonSecurityLog",
"kind": "DataType"
},
{
"contentId": "PaloAltoNetworks",
"kind": "DataConnector"
}
]
}
}
}
]
},
"packageKind": "Solution",
"packageVersion": "[variables('_solutionVersion')]",
"packageName": "[variables('_solutionName')]",
"packageId": "[variables('_solutionId')]",
"contentSchemaVersion": "3.0.0",
"contentId": "[variables('_workbookContentId1')]",
"contentKind": "Workbook",
"displayName": "[parameters('workbook1-name')]",
"contentProductId": "[variables('_workbookcontentProductId1')]",
"id": "[variables('_workbookcontentProductId1')]",
"version": "[variables('workbookVersion1')]"
}
},
{
"type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates",
"apiVersion": "2023-04-01-preview",
"name": "[variables('workbookTemplateSpecName2')]",
"location": "[parameters('workspace-location')]",
"dependsOn": [
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
"description": "PaloAltoNetworkThreat Workbook with template version 3.0.1",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('workbookVersion2')]",
"parameters": {},
"variables": {},
"resources": [
{
"type": "Microsoft.Insights/workbooks",
"name": "[variables('workbookContentId2')]",
"location": "[parameters('workspace-location')]",
"kind": "shared",
"apiVersion": "2021-08-01",
"metadata": {
"description": "Gain insights into Palo Alto network activities by analyzing threat events.\nYou can extract meaningful security information by correlating data between threats, applications, and time.\nThis workbook makes it easy to track malware, vulnerability, and virus log events."
},
"properties": {
"displayName": "[parameters('workbook2-name')]",
"serializedData": "{\"version\":\"Notebook/1.0\",\"items\":[{\"type\":1,\"content\":{\"json\":\"## Palo Alto network threat\\n\"},\"name\":\"text - 2\"},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"query\":\"\",\"parameters\":[{\"id\":\"d0ccb5c6-8a07-4b7e-9abf-38fa4dcc0baf\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"TimeRange\",\"type\":4,\"isRequired\":true,\"value\":{\"durationMs\":43200000},\"typeSettings\":{\"selectableValues\":[{\"durationMs\":300000},{\"durationMs\":900000},{\"durationMs\":1800000},{\"durationMs\":3600000},{\"durationMs\":14400000},{\"durationMs\":43200000},{\"durationMs\":86400000},{\"durationMs\":172800000},{\"durationMs\":259200000},{\"durationMs\":604800000},{\"durationMs\":1209600000},{\"durationMs\":2419200000},{\"durationMs\":2592000000},{\"durationMs\":5184000000},{\"durationMs\":7776000000}],\"allowCustom\":true}}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"parameters - 1\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let data = CommonSecurityLog\\r\\n| where DeviceProduct has 'PAN-OS'\\r\\n| where DeviceVendor =~ 'Palo Alto Networks'\\r\\n| where Activity =~ 'THREAT' and DeviceEventClassID != 'url' and DeviceEventClassID != 'file';\\r\\ndata\\r\\n| summarize Count = count() by DeviceEventClassID\\r\\n| join kind = inner (data\\r\\n | make-series Trend = count() default = 0 on TimeGenerated from {TimeRange:start} to {TimeRange:end} step {TimeRange:grain} by DeviceEventClassID)\\r\\n on DeviceEventClassID\\r\\n| project-away DeviceEventClassID1, TimeGenerated\\r\\n| extend DeviceEventClassIDs = DeviceEventClassID\\r\\n| union (\\r\\n data \\r\\n | summarize Count = count() \\r\\n | extend jkey = 1\\r\\n | join kind=inner (data\\r\\n | make-series Trend = count() default = 0 on TimeGenerated from {TimeRange:start} to {TimeRange:end} step {TimeRange:grain}\\r\\n | extend jkey = 1) on jkey\\r\\n | extend DeviceEventClassID = 
'All', DeviceEventClassIDs = '*' \\r\\n)\\r\\n| project DeviceEventClassID, Count, Trend\\r\\n| order by Count desc\\r\\n| take 10\",\"size\":3,\"exportFieldName\":\"DeviceEventClassID\",\"exportParameterName\":\"SelectedSubtype\",\"exportDefaultValue\":\"All\",\"exportToExcelOptions\":\"visible\",\"title\":\"Threats, by subtypes\",\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"tiles\",\"tileSettings\":{\"titleContent\":{\"columnMatch\":\"DeviceEventClassID\",\"formatter\":1,\"formatOptions\":{\"showIcon\":true}},\"leftContent\":{\"columnMatch\":\"Count\",\"formatter\":12,\"formatOptions\":{\"palette\":\"auto\",\"showIcon\":true},\"numberFormat\":{\"unit\":17,\"options\":{\"maximumSignificantDigits\":3,\"maximumFractionDigits\":2}}},\"secondaryContent\":{\"columnMatch\":\"Trend\",\"formatter\":9,\"formatOptions\":{\"palette\":\"blueDark\",\"showIcon\":true}},\"showBorder\":false}},\"customWidth\":\"33\",\"name\":\"Threats by subtypes\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let data = CommonSecurityLog\\r\\n| where DeviceProduct has 'PAN-OS'\\r\\n| where DeviceVendor =~ 'Palo Alto Networks'\\r\\n| where Activity =~ 'THREAT'\\r\\n| where DeviceEventClassID =~'wildfire';\\r\\ndata\\r\\n| summarize Count = count() by DeviceCustomString2\\r\\n| join kind = inner (data\\r\\n | make-series Trend = count() default = 0 on TimeGenerated from {TimeRange:start} to {TimeRange:end} step {TimeRange:grain} by DeviceCustomString2)\\r\\n on DeviceCustomString2\\r\\n| project-away DeviceCustomString21, TimeGenerated\\r\\n| extend DeviceCustomString2s = DeviceCustomString2\\r\\n| union (\\r\\n data \\r\\n | summarize Count = count() \\r\\n | extend jkey = 1\\r\\n | join kind=inner (data\\r\\n | make-series Trend = count() default = 0 on TimeGenerated from {TimeRange:start} to {TimeRange:end} step {TimeRange:grain}\\r\\n | extend 
jkey = 1) on jkey\\r\\n | extend DeviceCustomString2 = 'All', DeviceCustomString2s = '*' \\r\\n)\\r\\n| project DeviceCustomString2, Count, Trend\\r\\n| order by Count desc\\r\\n| take 10\",\"size\":3,\"exportFieldName\":\"DeviceCustomString2\",\"exportParameterName\":\"SelectedWildfire\",\"exportDefaultValue\":\"All\",\"exportToExcelOptions\":\"visible\",\"title\":\"WildFire verdicts\",\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"tiles\",\"tileSettings\":{\"titleContent\":{\"columnMatch\":\"DeviceCustomString2\",\"formatter\":1,\"formatOptions\":{\"showIcon\":true}},\"leftContent\":{\"columnMatch\":\"Count\",\"formatter\":12,\"formatOptions\":{\"palette\":\"auto\",\"showIcon\":true},\"numberFormat\":{\"unit\":17,\"options\":{\"style\":\"decimal\",\"maximumFractionDigits\":2,\"maximumSignificantDigits\":3}}},\"secondaryContent\":{\"columnMatch\":\"Trend\",\"formatter\":9,\"formatOptions\":{\"palette\":\"blueDark\",\"showIcon\":true}},\"showBorder\":false}},\"customWidth\":\"33\",\"name\":\"WildFire verdicts\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let data = CommonSecurityLog\\r\\n| where DeviceProduct has 'PAN-OS'\\r\\n| where DeviceVendor =~ 'Palo Alto Networks'\\r\\n| where Activity =~ 'THREAT' and LogSeverity != 'url' and LogSeverity != 'file';\\r\\ndata\\r\\n| summarize Count = count() by LogSeverity\\r\\n| join kind = inner (data\\r\\n | make-series Trend = count() default = 0 on TimeGenerated from {TimeRange:start} to {TimeRange:end} step {TimeRange:grain} by LogSeverity)\\r\\n on LogSeverity\\r\\n| project-away LogSeverity1, TimeGenerated\\r\\n| extend LogSeveritys = LogSeverity\\r\\n| union (\\r\\n data \\r\\n | summarize Count = count() \\r\\n | extend jkey = 1\\r\\n | join kind=inner (data\\r\\n | make-series Trend = count() default = 0 on TimeGenerated from {TimeRange:start} to {TimeRange:end} step 
{TimeRange:grain}\\r\\n | extend jkey = 1) on jkey\\r\\n | extend LogSeverity = 'All', LogSeveritys = '*' \\r\\n)\\r\\n| project LogSeverity, Count, Trend\\r\\n| order by Count desc\\r\\n| take 10\",\"size\":3,\"exportFieldName\":\"LogSeverity\",\"exportParameterName\":\"SelectedSeverity\",\"exportDefaultValue\":\"All\",\"exportToExcelOptions\":\"visible\",\"title\":\"Threats severity\",\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"tiles\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"LogSeverity\",\"formatter\":0,\"formatOptions\":{\"showIcon\":true}},{\"columnMatch\":\"Count\",\"formatter\":0,\"formatOptions\":{\"showIcon\":true}},{\"columnMatch\":\"Trend\",\"formatter\":9,\"formatOptions\":{\"palette\":\"lightBlue\",\"showIcon\":true}}]},\"tileSettings\":{\"titleContent\":{\"columnMatch\":\"LogSeverity\",\"formatter\":1,\"formatOptions\":{\"showIcon\":true}},\"leftContent\":{\"columnMatch\":\"Count\",\"formatter\":12,\"formatOptions\":{\"palette\":\"auto\",\"showIcon\":true},\"numberFormat\":{\"unit\":17,\"options\":{\"maximumSignificantDigits\":3,\"maximumFractionDigits\":2}}},\"secondaryContent\":{\"columnMatch\":\"Trend\",\"formatter\":9,\"formatOptions\":{\"palette\":\"blueDark\",\"showIcon\":true}},\"showBorder\":false}},\"customWidth\":\"33\",\"name\":\"Threats severity\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"CommonSecurityLog\\r\\n| where DeviceProduct has 'PAN-OS'\\r\\n| where DeviceVendor =~ 'Palo Alto Networks'\\r\\n| where Activity =~ 'THREAT' and DeviceEventClassID != 'url' and DeviceEventClassID != 'file'\\r\\n| where '{SelectedSubtype}' == \\\"All\\\" or '{SelectedSubtype}'==DeviceEventClassID\\r\\n| where '{SelectedWildfire}' == \\\"All\\\" or '{SelectedWildfire}'==DeviceCustomString2\\r\\n| where '{SelectedSeverity}' == \\\"All\\\" or '{SelectedSeverity}'==LogSeverity\\r\\n| summarize 
count() by bin(TimeGenerated, 1h), DeviceEventClassID\\r\\n| render timechart\\r\\n\",\"size\":0,\"exportToExcelOptions\":\"visible\",\"title\":\"Threat subtypes over time\",\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"customWidth\":\"37.5\",\"name\":\"Threat subtypes over time\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"CommonSecurityLog\\r\\n| where DeviceProduct has 'PAN-OS'\\r\\n| where DeviceVendor =~ 'Palo Alto Networks'\\r\\n| where Activity =~ 'THREAT' and DeviceEventClassID != 'url' and DeviceEventClassID != 'file'\\r\\n| where '{SelectedSubtype}' == \\\"All\\\" or '{SelectedSubtype}'==DeviceEventClassID\\r\\n| where '{SelectedWildfire}' == \\\"All\\\" or '{SelectedWildfire}'==DeviceCustomString2\\r\\n| where '{SelectedSeverity}' == \\\"All\\\" or '{SelectedSeverity}'==LogSeverity\\r\\n| summarize count() by bin(TimeGenerated, 1h), LogSeverity\\r\\n| render timechart\\r\\n\",\"size\":0,\"exportToExcelOptions\":\"visible\",\"title\":\"Threat severity over time\",\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"customWidth\":\"37.5\",\"name\":\"Threat severity over time\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let data = CommonSecurityLog\\r\\n| where DeviceProduct has 'PAN-OS'\\r\\n| where DeviceVendor =~ 'Palo Alto Networks'\\r\\n| where Activity =~ 'THREAT' and DeviceEventClassID != 'url' and DeviceEventClassID != 'file'\\r\\n| where '{SelectedSubtype}' == \\\"All\\\" or '{SelectedSubtype}'==DeviceEventClassID\\r\\n| where '{SelectedWildfire}' == \\\"All\\\" or '{SelectedWildfire}'==DeviceCustomString2\\r\\n| where '{SelectedSeverity}' == \\\"All\\\" or '{SelectedSeverity}'==LogSeverity;\\r\\ndata\\r\\n| summarize Count = count() by ApplicationProtocol\\r\\n| join kind = inner 
(data\\r\\n | make-series Trend = count() default = 0 on TimeGenerated from {TimeRange:start} to {TimeRange:end} step {TimeRange:grain} by ApplicationProtocol)\\r\\n on ApplicationProtocol\\r\\n| project-away ApplicationProtocol1, TimeGenerated\\r\\n| extend ApplicationProtocols = ApplicationProtocol\\r\\n| union (\\r\\n data \\r\\n | summarize Count = count() \\r\\n | extend jkey = 1\\r\\n | join kind=inner (data\\r\\n | make-series Trend = count() default = 0 on TimeGenerated from {TimeRange:start} to {TimeRange:end} step {TimeRange:grain}\\r\\n | extend jkey = 1) on jkey\\r\\n | extend ApplicationProtocol = 'All', ApplicationProtocols = '*' \\r\\n)\\r\\n| project ApplicationProtocol, Count, Trend\\r\\n| order by Count desc\\r\\n| take 10\",\"size\":0,\"exportToExcelOptions\":\"visible\",\"title\":\"Threats, by application\",\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"table\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"ApplicationProtocol\",\"formatter\":0,\"formatOptions\":{\"showIcon\":true}},{\"columnMatch\":\"Count\",\"formatter\":4,\"formatOptions\":{\"palette\":\"coldHot\",\"showIcon\":true}},{\"columnMatch\":\"Trend\",\"formatter\":9,\"formatOptions\":{\"showIcon\":true}}]},\"tileSettings\":{\"titleContent\":{\"columnMatch\":\"ApplicationProtocol\",\"formatter\":1,\"formatOptions\":{\"showIcon\":true}},\"leftContent\":{\"columnMatch\":\"Count\",\"formatter\":12,\"formatOptions\":{\"palette\":\"auto\",\"showIcon\":true},\"numberFormat\":{\"unit\":17,\"options\":{\"maximumSignificantDigits\":3,\"maximumFractionDigits\":2}}},\"secondaryContent\":{\"columnMatch\":\"Trend\",\"formatter\":9,\"formatOptions\":{\"palette\":\"blueDark\",\"showIcon\":true}},\"showBorder\":false}},\"customWidth\":\"25\",\"name\":\"Threats by application\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"CommonSecurityLog\\r\\n| 
where DeviceProduct has 'PAN-OS'\\r\\n| where DeviceVendor =~ 'Palo Alto Networks'\\r\\n| where Activity =~ 'THREAT'\\r\\n| where '{SelectedSubtype}' == \\\"All\\\" or '{SelectedSubtype}'==DeviceEventClassID\\r\\n| where '{SelectedWildfire}' == \\\"All\\\" or '{SelectedWildfire}'==DeviceCustomString2\\r\\n| where '{SelectedSeverity}' == \\\"All\\\" or '{SelectedSeverity}'==LogSeverity\\r\\n| project TimeGenerated, ReceiptTime, LogSeverity, DeviceAction, ['URL Category'] =DeviceCustomString2, DestinationPort, DestinationIP, Message, SourcePort, SourceIP, DestinationUserID, RequestURL\",\"size\":0,\"exportToExcelOptions\":\"visible\",\"title\":\"Threat events\",\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"gridSettings\":{\"filter\":true}},\"name\":\"All Threat Events\"},{\"type\":1,\"content\":{\"json\":\"---\"},\"name\":\"text - 11\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"CommonSecurityLog\\r\\n| where DeviceProduct has 'PAN-OS'\\r\\n| where DeviceVendor =~ 'Palo Alto Networks'\\r\\n| where DeviceEventClassID =~ 'vulnerability' \\r\\n| extend ThreatId = coalesce(\\r\\n column_ifexists(\\\"DeviceEventCategory\\\", \\\"\\\"),\\r\\n extract('cat=([^;]+)',1,AdditionalExtensions),\\r\\n \\\"\\\"\\r\\n )\\r\\n| summarize Amount=count() by ThreatId, LogSeverity\\r\\n| top 20 by Amount\",\"size\":0,\"exportToExcelOptions\":\"visible\",\"title\":\"Top vulnerability 
events\",\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"ThreatId\",\"formatter\":0,\"formatOptions\":{\"showIcon\":true}},{\"columnMatch\":\"LogSeverity\",\"formatter\":0,\"formatOptions\":{\"showIcon\":true}},{\"columnMatch\":\"Amount\",\"formatter\":4,\"formatOptions\":{\"palette\":\"coldHot\",\"showIcon\":true}},{\"columnMatch\":\"count_\",\"formatter\":4,\"formatOptions\":{\"palette\":\"coldHot\",\"showIcon\":true}}],\"filter\":true}},\"customWidth\":\"50\",\"name\":\"Top vulnerability events\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"CommonSecurityLog\\r\\n| where DeviceProduct has 'PAN-OS'\\r\\n| where DeviceVendor =~ 'Palo Alto Networks'\\r\\n| search DeviceEventClassID:'*virus*'\\r\\n| summarize Amount=count() by RequestURL, DeviceEventClassID, DestinationIP, SourceIP, ApplicationProtocol\\r\\n| top 20 by Amount\",\"size\":0,\"exportToExcelOptions\":\"visible\",\"title\":\"Virus and malware 
events\",\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"RequestURL\",\"formatter\":0,\"formatOptions\":{\"showIcon\":true}},{\"columnMatch\":\"DeviceEventClassID\",\"formatter\":0,\"formatOptions\":{\"showIcon\":true}},{\"columnMatch\":\"DestinationIP\",\"formatter\":0,\"formatOptions\":{\"showIcon\":true}},{\"columnMatch\":\"SourceIP\",\"formatter\":0,\"formatOptions\":{\"showIcon\":true}},{\"columnMatch\":\"ApplicationProtocol\",\"formatter\":0,\"formatOptions\":{\"showIcon\":true}},{\"columnMatch\":\"Amount\",\"formatter\":4,\"formatOptions\":{\"palette\":\"coldHot\",\"showIcon\":true}},{\"columnMatch\":\"SourceUserID\",\"formatter\":0,\"formatOptions\":{\"showIcon\":true}},{\"columnMatch\":\"count_\",\"formatter\":4,\"formatOptions\":{\"palette\":\"coldHot\",\"showIcon\":true}}],\"filter\":true}},\"customWidth\":\"50\",\"name\":\"Virus and malware events\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"CommonSecurityLog\\r\\n| where DeviceProduct has 'PAN-OS'\\r\\n| where DeviceVendor =~ 'Palo Alto Networks'\\r\\n//| where DeviceEventClassID =~ 'correlation' \\r\\n| extend ThreatId = coalesce(\\r\\n column_ifexists(\\\"DeviceEventCategory\\\", \\\"\\\"),\\r\\n extract('cat=([^;]+)',1,AdditionalExtensions),\\r\\n \\\"\\\"\\r\\n )\\r\\n| extend ThreatCategory = extract('PanOSThreatCategory=([^;]+)',1, AdditionalExtensions)\\r\\n| summarize Amount=count() by ThreatId, ThreatCategory, LogSeverity\\r\\n| top 20 by Amount\",\"size\":0,\"exportToExcelOptions\":\"visible\",\"title\":\"Top correlation 
events\",\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"table\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"ThreatId\",\"formatter\":0,\"formatOptions\":{\"showIcon\":true}},{\"columnMatch\":\"ThreatCategory\",\"formatter\":0,\"formatOptions\":{\"showIcon\":true}},{\"columnMatch\":\"LogSeverity\",\"formatter\":0,\"formatOptions\":{\"showIcon\":true}},{\"columnMatch\":\"Amount\",\"formatter\":4,\"formatOptions\":{\"palette\":\"coldHot\",\"showIcon\":true}},{\"columnMatch\":\"count_\",\"formatter\":4,\"formatOptions\":{\"palette\":\"coldHot\",\"showIcon\":true}}]}},\"name\":\"Top correlation events\"}],\"fromTemplateId\":\"sentinel-PaloAltoNetworkThreat\",\"$schema\":\"https://github.com/Microsoft/Application-Insights-Workbooks/blob/master/schema/workbook.json\"}\r\n",
"version": "1.0",
"sourceId": "[variables('workspaceResourceId')]",
"category": "sentinel"
}
},
{
"type": "Microsoft.OperationalInsights/workspaces/providers/metadata",
"apiVersion": "2022-01-01-preview",
"name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('Workbook-', last(split(variables('workbookId2'),'/'))))]",
"properties": {
"description": "Gain insights into Palo Alto network activities by analyzing threat events.\nYou can extract meaningful security information by correlating data between threats, applications, and time.\nThis workbook makes it easy to track malware, vulnerability, and virus log events.",
"parentId": "[variables('workbookId2')]",
"contentId": "[variables('_workbookContentId2')]",
"kind": "Workbook",
"version": "[variables('workbookVersion2')]",
"source": {
"kind": "Solution",
"name": "PaloAlto-PAN-OS",
"sourceId": "[variables('_solutionId')]"
},
"author": {
"name": "Microsoft",
"email": "[variables('_email')]"
},
"support": {
"name": "Microsoft Corporation",
"email": "support@microsoft.com",
"tier": "Microsoft",
"link": "https://support.microsoft.com"
},
"dependencies": {
"operator": "AND",
"criteria": [
{
"contentId": "CommonSecurityLog",
"kind": "DataType"
},
{
"contentId": "PaloAltoNetworks",
"kind": "DataConnector"
}
]
}
}
}
]
},
"packageKind": "Solution",
"packageVersion": "[variables('_solutionVersion')]",
"packageName": "[variables('_solutionName')]",
"packageId": "[variables('_solutionId')]",
"contentSchemaVersion": "3.0.0",
"contentId": "[variables('_workbookContentId2')]",
"contentKind": "Workbook",
"displayName": "[parameters('workbook2-name')]",
"contentProductId": "[variables('_workbookcontentProductId2')]",
"id": "[variables('_workbookcontentProductId2')]",
"version": "[variables('workbookVersion2')]"
}
},
{
"type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates",
"apiVersion": "2023-04-01-preview",
"name": "[variables('analyticRuleObject1').analyticRuleTemplateSpecName1]",
"location": "[parameters('workspace-location')]",
"dependsOn": [
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
"description": "PaloAlto-UnusualThreatSignatures_AnalyticalRules Analytics Rule with template version 3.0.1",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('analyticRuleObject1').analyticRuleVersion1]",
"parameters": {},
"variables": {},
"resources": [
{
"type": "Microsoft.SecurityInsights/AlertRuleTemplates",
"name": "[variables('analyticRuleObject1')._analyticRulecontentId1]",
"apiVersion": "2022-04-01-preview",
"kind": "Scheduled",
"location": "[parameters('workspace-location')]",
"properties": {
"description": "Identifies Palo Alto Threat signatures from unusual IP addresses that have not been seen historically.\nThis detection is also leveraged by, and required for, the MDE and PAN Fusion scenario:\nhttps://docs.microsoft.com/Azure/sentinel/fusion-scenario-reference#network-request-to-tor-anonymization-service-followed-by-anomalous-traffic-flagged-by-palo-alto-networks-firewall",
"displayName": "Palo Alto Threat signatures from Unusual IP addresses",
"enabled": false,
"query": "let starttime = 7d;\nlet endtime = 1d;\nlet timeframe = 1h;\nlet HistThreshold = 25; \nlet CurrThreshold = 10; \nlet HistoricalThreats = CommonSecurityLog\n| where isnotempty(SourceIP)\n| where TimeGenerated between (startofday(ago(starttime))..startofday(ago(endtime)))\n| where DeviceVendor =~ \"Palo Alto Networks\"\n| where Activity =~ \"THREAT\" and SimplifiedDeviceAction =~ \"alert\" \n| where DeviceEventClassID in ('spyware', 'scan', 'file', 'vulnerability', 'flood', 'packet', 'virus','wildfire', 'wildfire-virus')\n| summarize TotalEvents = count(), ThreatTypes = make_set(DeviceEventClassID), DestinationIpList = make_set(DestinationIP), FirstSeen = min(TimeGenerated) , LastSeen = max(TimeGenerated) by SourceIP, DeviceAction, DeviceVendor;\nlet CurrentHourThreats = CommonSecurityLog\n| where isnotempty(SourceIP)\n| where TimeGenerated > ago(timeframe)\n| where DeviceVendor =~ \"Palo Alto Networks\"\n| where Activity =~ \"THREAT\" and SimplifiedDeviceAction =~ \"alert\" \n| where DeviceEventClassID in ('spyware', 'scan', 'file', 'vulnerability', 'flood', 'packet', 'virus','wildfire', 'wildfire-virus')\n| summarize TotalEvents = count(), ThreatTypes = make_set(DeviceEventClassID), DestinationIpList = make_set(DestinationIP), FirstSeen = min(TimeGenerated) , LastSeen = max(TimeGenerated) by SourceIP, DeviceAction, DeviceProduct, DeviceVendor;\nCurrentHourThreats \n| where TotalEvents < CurrThreshold\n| join kind = leftanti (HistoricalThreats \n| where TotalEvents > HistThreshold) on SourceIP\n",
"queryFrequency": "PT1H",
"queryPeriod": "P7D",
"severity": "Medium",
"suppressionDuration": "PT1H",
"suppressionEnabled": false,
"triggerOperator": "GreaterThan",
"triggerThreshold": 0,
"status": "Available",
"requiredDataConnectors": [
{
"connectorId": "PaloAltoNetworks",
"dataTypes": [
"CommonSecurityLog"
]
}
],
"tactics": [
"Discovery",
"Exfiltration",
"CommandAndControl"
],
"subTechniques": [
"T1071.001"
],
"techniques": [
"T1046",
"T1030",
"T1071"
],
"entityMappings": [
{
"fieldMappings": [
{
"identifier": "Address",
"columnName": "SourceIP"
}
],
"entityType": "IP"
}
]
}
},
{
"type": "Microsoft.OperationalInsights/workspaces/providers/metadata",
"apiVersion": "2022-01-01-preview",
"name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleObject1').analyticRuleId1,'/'))))]",
"properties": {
"description": "PaloAlto-PAN-OS Analytics Rule 1",
"parentId": "[variables('analyticRuleObject1').analyticRuleId1]",
"contentId": "[variables('analyticRuleObject1')._analyticRulecontentId1]",
"kind": "AnalyticsRule",
"version": "[variables('analyticRuleObject1').analyticRuleVersion1]",
"source": {
"kind": "Solution",
"name": "PaloAlto-PAN-OS",
"sourceId": "[variables('_solutionId')]"
},
"author": {
"name": "Microsoft",
"email": "[variables('_email')]"
},
"support": {
"name": "Microsoft Corporation",
"email": "support@microsoft.com",
"tier": "Microsoft",
"link": "https://support.microsoft.com"
}
}
}
]
},
"packageKind": "Solution",
"packageVersion": "[variables('_solutionVersion')]",
"packageName": "[variables('_solutionName')]",
"packageId": "[variables('_solutionId')]",
"contentSchemaVersion": "3.0.0",
"contentId": "[variables('analyticRuleObject1')._analyticRulecontentId1]",
"contentKind": "AnalyticsRule",
"displayName": "Palo Alto Threat signatures from Unusual IP addresses",
"contentProductId": "[variables('analyticRuleObject1')._analyticRulecontentProductId1]",
"id": "[variables('analyticRuleObject1')._analyticRulecontentProductId1]",
"version": "[variables('analyticRuleObject1').analyticRuleVersion1]"
}
},
{
"type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates",
"apiVersion": "2023-04-01-preview",
"name": "[variables('analyticRuleObject2').analyticRuleTemplateSpecName2]",
"location": "[parameters('workspace-location')]",
"dependsOn": [
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
"description": "FileHashEntity_Covid19_CommonSecurityLog_AnalyticalRules Analytics Rule with template version 3.0.1",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('analyticRuleObject2').analyticRuleVersion2]",
"parameters": {},
"variables": {},
"resources": [
{
"type": "Microsoft.SecurityInsights/AlertRuleTemplates",
"name": "[variables('analyticRuleObject2')._analyticRulecontentId2]",
"apiVersion": "2022-04-01-preview",
"kind": "Scheduled",
"location": "[parameters('workspace-location')]",
"properties": {
"description": "Identifies a match in CommonSecurityLog Event data from any FileHash published in the Microsoft COVID-19 Threat Intel Feed - as described at https://www.microsoft.com/security/blog/2020/05/14/open-sourcing-covid-threat-intelligence/",
"displayName": "Microsoft COVID-19 file hash indicator matches",
"enabled": false,
"query": "let dt_lookBack = 1h;\nlet covidIndicators = (externaldata(TimeGenerated:datetime, FileHashValue:string, FileHashType: string, TlpLevel: string, Product: string, ThreatType: string, Description: string )\n[@\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Sample%20Data/Feeds/Microsoft.Covid19.Indicators.csv\"] with (format=\"csv\"));\nlet fileHashIndicators = covidIndicators\n| where isnotempty(FileHashValue);\n// Handle matches against both lower case and uppercase versions of the hash:\n(fileHashIndicators | extend FileHashValue = tolower(FileHashValue)\n| union (fileHashIndicators | extend FileHashValue = toupper(FileHashValue)))\n// using innerunique to keep perf fast and result set low, we only need one match to indicate potential malicious activity that needs to be investigated\n| join kind=innerunique (\n CommonSecurityLog | where TimeGenerated >= ago(dt_lookBack)\n | where isnotempty(FileHash)\n | extend CommonSecurityLog_TimeGenerated = TimeGenerated\n )\non $left.FileHashValue == $right.FileHash\n| summarize CommonSecurityLog_TimeGenerated = arg_max(CommonSecurityLog_TimeGenerated, *) by FileHashValue\n| project CommonSecurityLog_TimeGenerated, FileHashValue, FileHashType, Description, ThreatType,\nSourceIP, SourcePort, DestinationIP, DestinationPort, SourceUserID, SourceUserName, DeviceName, DeviceAction,\nRequestURL, DestinationUserName, DestinationUserID, ApplicationProtocol, Activity\n| extend timestamp = CommonSecurityLog_TimeGenerated, IPCustomEntity = SourceIP, HostCustomEntity = DeviceName, AccountCustomEntity = SourceUserName\n",
"queryFrequency": "PT1H",
"queryPeriod": "P14D",
"severity": "Medium",
"suppressionDuration": "PT1H",
"suppressionEnabled": false,
"triggerOperator": "GreaterThan",
"triggerThreshold": 0,
"status": "Available",
"requiredDataConnectors": [
{
"connectorId": "PaloAltoNetworks",
"dataTypes": [
"CommonSecurityLog"
]
}
],
"tactics": [
"Impact"
],
"entityMappings": [
{
"fieldMappings": [
{
"identifier": "FullName",
"columnName": "AccountCustomEntity"
}
],
"entityType": "Account"
},
{
"fieldMappings": [
{
"identifier": "FullName",
"columnName": "HostCustomEntity"
}
],
"entityType": "Host"
},
{
"fieldMappings": [
{
"identifier": "Address",
"columnName": "IPCustomEntity"
}
],
"entityType": "IP"
},
{
"fieldMappings": [
{
"identifier": "Value",
"columnName": "FileHashValue"
},
{
"identifier": "Algorithm",
"columnName": "FileHashType"
}
],
"entityType": "FileHash"
}
]
}
},
{
"type": "Microsoft.OperationalInsights/workspaces/providers/metadata",
"apiVersion": "2022-01-01-preview",
"name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleObject2').analyticRuleId2,'/'))))]",
"properties": {
"description": "PaloAlto-PAN-OS Analytics Rule 2",
"parentId": "[variables('analyticRuleObject2').analyticRuleId2]",
"contentId": "[variables('analyticRuleObject2')._analyticRulecontentId2]",
"kind": "AnalyticsRule",
"version": "[variables('analyticRuleObject2').analyticRuleVersion2]",
"source": {
"kind": "Solution",
"name": "PaloAlto-PAN-OS",
"sourceId": "[variables('_solutionId')]"
},
"author": {
"name": "Microsoft",
"email": "[variables('_email')]"
},
"support": {
"name": "Microsoft Corporation",
"email": "support@microsoft.com",
"tier": "Microsoft",
"link": "https://support.microsoft.com"
}
}
}
]
},
"packageKind": "Solution",
"packageVersion": "[variables('_solutionVersion')]",
"packageName": "[variables('_solutionName')]",
"packageId": "[variables('_solutionId')]",
"contentSchemaVersion": "3.0.0",
"contentId": "[variables('analyticRuleObject2')._analyticRulecontentId2]",
"contentKind": "AnalyticsRule",
"displayName": "Microsoft COVID-19 file hash indicator matches",
"contentProductId": "[variables('analyticRuleObject2')._analyticRulecontentProductId2]",
"id": "[variables('analyticRuleObject2')._analyticRulecontentProductId2]",
"version": "[variables('analyticRuleObject2').analyticRuleVersion2]"
}
},
{
"type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates",
"apiVersion": "2023-04-01-preview",
"name": "[variables('analyticRuleObject3').analyticRuleTemplateSpecName3]",
"location": "[parameters('workspace-location')]",
"dependsOn": [
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
"description": "PaloAlto-NetworkBeaconing_AnalyticalRules Analytics Rule with template version 3.0.1",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('analyticRuleObject3').analyticRuleVersion3]",
"parameters": {},
"variables": {},
"resources": [
{
"type": "Microsoft.SecurityInsights/AlertRuleTemplates",
"name": "[variables('analyticRuleObject3')._analyticRulecontentId3]",
"apiVersion": "2022-04-01-preview",
"kind": "Scheduled",
"location": "[parameters('workspace-location')]",
"properties": {
"description": "Identifies beaconing patterns in Palo Alto Network traffic logs based on recurrent time-delta patterns.\nThe query leverages various KQL functions to calculate time deltas and then compares them with the total events observed in a day to find the percentage of beaconing.\nThis outbound beaconing pattern to untrusted public networks should be investigated for any malware callbacks or data exfiltration attempts.\nReference Blog:\nhttp://www.austintaylor.io/detect/beaconing/intrusion/detection/system/command/control/flare/elastic/stack/2017/06/10/detect-beaconing-with-flare-elasticsearch-and-intrusion-detection-systems/\nhttps://techcommunity.microsoft.com/t5/microsoft-sentinel-blog/detect-network-beaconing-via-intra-request-time-delta-patterns/ba-p/779586",
"displayName": "Palo Alto - potential beaconing detected",
"enabled": false,
"query": "let starttime = 2d;\nlet endtime = 1d;\nlet TimeDeltaThreshold = 25;\nlet TotalEventsThreshold = 30;\nlet MostFrequentTimeDeltaThreshold = 25;\nlet PercentBeaconThreshold = 80;\nCommonSecurityLog\n| where DeviceVendor == \"Palo Alto Networks\" and Activity == \"TRAFFIC\"\n| where TimeGenerated between (startofday(ago(starttime))..startofday(ago(endtime)))\n| where ipv4_is_private(DestinationIP)== false\n| project TimeGenerated, DeviceName, SourceUserID, SourceIP, SourcePort, DestinationIP, DestinationPort, ReceivedBytes, SentBytes\n| sort by SourceIP asc,TimeGenerated asc, DestinationIP asc, DestinationPort asc\n| serialize\n| extend nextTimeGenerated = next(TimeGenerated, 1), nextSourceIP = next(SourceIP, 1)\n| extend TimeDeltainSeconds = datetime_diff('second',nextTimeGenerated,TimeGenerated)\n| where SourceIP == nextSourceIP\n//Whitelisting criteria/ threshold criteria\n| where TimeDeltainSeconds > TimeDeltaThreshold\n| summarize count(), sum(ReceivedBytes), sum(SentBytes)\nby TimeDeltainSeconds, bin(TimeGenerated, 1h), DeviceName, SourceUserID, SourceIP, DestinationIP, DestinationPort\n| summarize (MostFrequentTimeDeltaCount, MostFrequentTimeDeltainSeconds) = arg_max(count_, TimeDeltainSeconds), TotalEvents=sum(count_), TotalSentBytes = sum(sum_SentBytes), TotalReceivedBytes = sum(sum_ReceivedBytes)\nby bin(TimeGenerated, 1h), DeviceName, SourceUserID, SourceIP, DestinationIP, DestinationPort\n| where TotalEvents > TotalEventsThreshold and MostFrequentTimeDeltaCount > MostFrequentTimeDeltaThreshold\n| extend BeaconPercent = MostFrequentTimeDeltaCount/toreal(TotalEvents) * 100\n| where BeaconPercent > PercentBeaconThreshold\n| extend timestamp = TimeGenerated, IPCustomEntity = DestinationIP, AccountCustomEntity = SourceUserID, HostCustomEntity = DeviceName\n",
"queryFrequency": "P1D",
"queryPeriod": "P2D",
"severity": "Low",
"suppressionDuration": "PT1H",
"suppressionEnabled": false,
"triggerOperator": "GreaterThan",
"triggerThreshold": 0,
"status": "Available",
"requiredDataConnectors": [
{
"connectorId": "PaloAltoNetworks",
"dataTypes": [
"CommonSecurityLog"
]
}
],
"tactics": [
"CommandAndControl"
],
"techniques": [
"T1071",
"T1571"
],
"entityMappings": [
{
"fieldMappings": [
{
"identifier": "FullName",
"columnName": "AccountCustomEntity"
}
],
"entityType": "Account"
},
{
"fieldMappings": [
{
"identifier": "FullName",
"columnName": "HostCustomEntity"
}
],
"entityType": "Host"
},
{
"fieldMappings": [
{
"identifier": "Address",
"columnName": "IPCustomEntity"
}
],
"entityType": "IP"
}
]
}
},
{
"type": "Microsoft.OperationalInsights/workspaces/providers/metadata",
"apiVersion": "2022-01-01-preview",
"name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleObject3').analyticRuleId3,'/'))))]",
"properties": {
"description": "PaloAlto-PAN-OS Analytics Rule 3",
"parentId": "[variables('analyticRuleObject3').analyticRuleId3]",
"contentId": "[variables('analyticRuleObject3')._analyticRulecontentId3]",
"kind": "AnalyticsRule",
"version": "[variables('analyticRuleObject3').analyticRuleVersion3]",
"source": {
"kind": "Solution",
"name": "PaloAlto-PAN-OS",
"sourceId": "[variables('_solutionId')]"
},
"author": {
"name": "Microsoft",
"email": "[variables('_email')]"
},
"support": {
"name": "Microsoft Corporation",
"email": "support@microsoft.com",
"tier": "Microsoft",
"link": "https://support.microsoft.com"
}
}
}
]
},
"packageKind": "Solution",
"packageVersion": "[variables('_solutionVersion')]",
"packageName": "[variables('_solutionName')]",
"packageId": "[variables('_solutionId')]",
"contentSchemaVersion": "3.0.0",
"contentId": "[variables('analyticRuleObject3')._analyticRulecontentId3]",
"contentKind": "AnalyticsRule",
"displayName": "Palo Alto - potential beaconing detected",
"contentProductId": "[variables('analyticRuleObject3')._analyticRulecontentProductId3]",
"id": "[variables('analyticRuleObject3')._analyticRulecontentProductId3]",
"version": "[variables('analyticRuleObject3').analyticRuleVersion3]"
}
},
{
"type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates",
"apiVersion": "2023-04-01-preview",
"name": "[variables('analyticRuleObject4').analyticRuleTemplateSpecName4]",
"location": "[parameters('workspace-location')]",
"dependsOn": [
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
"description": "PaloAlto-PortScanning_AnalyticalRules Analytics Rule with template version 3.0.1",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('analyticRuleObject4').analyticRuleVersion4]",
"parameters": {},
"variables": {},
"resources": [
{
"type": "Microsoft.SecurityInsights/AlertRuleTemplates",
"name": "[variables('analyticRuleObject4')._analyticRulecontentId4]",
"apiVersion": "2022-04-01-preview",
"kind": "Scheduled",
"location": "[parameters('workspace-location')]",
"properties": {
"description": "Identifies a list of internal Source IPs (10.x.x.x Hosts) that have triggered 10 or more non-graceful TCP server resets from one or more Destination IPs, which\nresult in an \"ApplicationProtocol = incomplete\" designation. The server resets, coupled with an \"Incomplete\" ApplicationProtocol designation, can be an indication\nof an internal-to-external port scanning or probing attack.\nReferences: https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClUvCAK and\nhttps://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClTaCAK",
"displayName": "Palo Alto - possible internal to external port scanning",
"enabled": false,
"query": "CommonSecurityLog\n| where isnotempty(DestinationPort) and DeviceAction !in (\"reset-both\", \"deny\")\n// filter out common usage ports. Add ports that are legitimate for your environment\n| where DestinationPort !in (\"443\", \"53\", \"389\", \"80\", \"0\", \"880\", \"8888\", \"8080\")\n| where ApplicationProtocol == \"incomplete\"\n// filter out IANA ephemeral or negotiated ports (49152-65535) as per https://en.wikipedia.org/wiki/Ephemeral_port\n| where DestinationPort !between (toint(49152) .. toint(65535))\n| where Computer != \"\"\n// NOTE: only 10.0.0.0/8 is treated as internal here; add 172.16.0.0/12 and 192.168.0.0/16 (or your own internal ranges) if they are in use, otherwise internal-to-internal traffic will also match\n| where DestinationIP !startswith \"10.\"\n| extend Reason = coalesce(\n column_ifexists(\"Reason\", \"\"),\n extract(\"reason=(.+?)(;|$)\", 1, AdditionalExtensions),\n \"\"\n )\n// Filter out sessions that ended by aging out (session timeout), a normal termination rather than a refused connection.\n| where Reason !has \"aged-out\"\n// Filter out any TCP FIN which occurs when a TCP FIN is used to gracefully close half or both sides of a connection.\n| where Reason !has \"tcp-fin\"\n// Uncomment one of the following where clauses to trigger on specific TCP reset reasons\n// See Palo Alto article for details - https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClUvCAK\n// TCP RST-server - Occurs when the server sends a TCP reset to the client\n// | where AdditionalExtensions has \"reason=tcp-rst-from-server\"\n// TCP RST-client - Occurs when the client sends a TCP reset to the server\n// | where AdditionalExtensions has \"reason=tcp-rst-from-client\"\n// Already performed\n//| extend reason = tostring(split(AdditionalExtensions, \";\")[3])\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated), count() by DeviceName, SourceUserID, SourceIP, ApplicationProtocol, Reason, DestinationPort, Protocol, DeviceVendor, DeviceProduct, DeviceAction, DestinationIP\n| where count_ >= 10\n| summarize StartTimeUtc = min(StartTimeUtc), EndTimeUtc = max(EndTimeUtc), makeset(DestinationIP), totalcount = sum(count_) by DeviceName, SourceUserID, SourceIP, ApplicationProtocol, Reason, DestinationPort, Protocol, DeviceVendor, DeviceProduct, DeviceAction\n| extend timestamp = StartTimeUtc, IPCustomEntity = SourceIP, AccountCustomEntity = SourceUserID, HostCustomEntity = DeviceName\n",
"queryFrequency": "PT1H",
"queryPeriod": "PT1H",
"severity": "Low",
"suppressionDuration": "PT1H",
"suppressionEnabled": false,
"triggerOperator": "GreaterThan",
"triggerThreshold": 0,
"status": "Available",
"requiredDataConnectors": [
{
"connectorId": "PaloAltoNetworks",
"dataTypes": [
"CommonSecurityLog"
]
}
],
"tactics": [
"Discovery"
],
"techniques": [
"T1046"
],
"entityMappings": [
{
"fieldMappings": [
{
"identifier": "FullName",
"columnName": "AccountCustomEntity"
}
],
"entityType": "Account"
},
{
"fieldMappings": [
{
"identifier": "FullName",
"columnName": "HostCustomEntity"
}
],
"entityType": "Host"
},
{
"fieldMappings": [
{
"identifier": "Address",
"columnName": "IPCustomEntity"
}
],
"entityType": "IP"
}
]
}
},
{
"type": "Microsoft.OperationalInsights/workspaces/providers/metadata",
"apiVersion": "2022-01-01-preview",
"name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleObject4').analyticRuleId4,'/'))))]",
"properties": {
"description": "PaloAlto-PAN-OS Analytics Rule 4",
"parentId": "[variables('analyticRuleObject4').analyticRuleId4]",
"contentId": "[variables('analyticRuleObject4')._analyticRulecontentId4]",
"kind": "AnalyticsRule",
"version": "[variables('analyticRuleObject4').analyticRuleVersion4]",
"source": {
"kind": "Solution",
"name": "PaloAlto-PAN-OS",
"sourceId": "[variables('_solutionId')]"
},
"author": {
"name": "Microsoft",
"email": "[variables('_email')]"
},
"support": {
"name": "Microsoft Corporation",
"email": "support@microsoft.com",
"tier": "Microsoft",
"link": "https://support.microsoft.com"
}
}
}
]
},
"packageKind": "Solution",
"packageVersion": "[variables('_solutionVersion')]",
"packageName": "[variables('_solutionName')]",
"packageId": "[variables('_solutionId')]",
"contentSchemaVersion": "3.0.0",
"contentId": "[variables('analyticRuleObject4')._analyticRulecontentId4]",
"contentKind": "AnalyticsRule",
"displayName": "Palo Alto - possible internal to external port scanning",
"contentProductId": "[variables('analyticRuleObject4')._analyticRulecontentProductId4]",
"id": "[variables('analyticRuleObject4')._analyticRulecontentProductId4]",
"version": "[variables('analyticRuleObject4').analyticRuleVersion4]"
}
},
{
"type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates",
"apiVersion": "2023-04-01-preview",
"name": "[variables('playbookTemplateSpecName1')]",
"location": "[parameters('workspace-location')]",
"dependsOn": [
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
"description": "PaloAlto_PAN-OS_Rest_API_CustomConnector Playbook with template version 3.0.1",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('playbookVersion1')]",
"parameters": {
"CustomConnectorName": {
"defaultValue": "PAN-OSRestApiCustomConnector",
"type": "String"
},
"PaloAlto Hostname": {
"type": "String",
"metadata": {
"description": "PAN-OS management hostname or IP address (for example firewall.example.com). Do not prefix it with https:// or http://; the connector always connects over HTTPS."
}
}
},
"variables": {
"api_host": "[[replace(replace(parameters('PaloAlto Hostname'),'https://',''),'http://','')]",
"ServiceName": "[[concat('https://', variables('api_host'))]",
"operationId-Listsecurityrules": "Listsecurityrules",
"_operationId-Listsecurityrules": "[[variables('operationId-Listsecurityrules')]",
"operationId-Createsecuritypolicyrule": "Createsecuritypolicyrule",
"_operationId-Createsecuritypolicyrule": "[[variables('operationId-Createsecuritypolicyrule')]",
"operationId-Updatesecuritypolicyrule": "Updatesecuritypolicyrule",
"_operationId-Updatesecuritypolicyrule": "[[variables('operationId-Updatesecuritypolicyrule')]",
"operationId-Listcustomurlcategories": "Listcustomurlcategories",
"_operationId-Listcustomurlcategories": "[[variables('operationId-Listcustomurlcategories')]",
"operationId-Listaddressobjects": "Listaddressobjects",
"_operationId-Listaddressobjects": "[[variables('operationId-Listaddressobjects')]",
"operationId-Createanaddressobject": "Createanaddressobject",
"_operationId-Createanaddressobject": "[[variables('operationId-Createanaddressobject')]",
"operationId-Updateaddressobject": "Updateaddressobject",
"_operationId-Updateaddressobject": "[[variables('operationId-Updateaddressobject')]",
"operationId-Listaddressgroups": "Listaddressgroups",
"_operationId-Listaddressgroups": "[[variables('operationId-Listaddressgroups')]",
"operationId-Createaddressobjectgroup": "Createaddressobjectgroup",
"_operationId-Createaddressobjectgroup": "[[variables('operationId-Createaddressobjectgroup')]",
"operationId-Updateanaddressobjectgroup": "Updateanaddressobjectgroup",
"_operationId-Updateanaddressobjectgroup": "[[variables('operationId-Updateanaddressobjectgroup')]",
"operationId-Listurlfilteringsecurityprofiles": "Listurlfilteringsecurityprofiles",
"_operationId-Listurlfilteringsecurityprofiles": "[[variables('operationId-Listurlfilteringsecurityprofiles')]",
"operationId-Updateanurlfilteringsecurityprofile": "Updateanurlfilteringsecurityprofile",
"_operationId-Updateanurlfilteringsecurityprofile": "[[variables('operationId-Updateanurlfilteringsecurityprofile')]",
"workspace-location-inline": "[concat('[resourceGroup().locatio', 'n]')]",
"playbookContentId1": "PaloAlto_PAN-OS_Rest_API_CustomConnector",
"playbookId1": "[[resourceId('Microsoft.Web/customApis', parameters('CustomConnectorName'))]",
"workspace-name": "[parameters('workspace')]",
"workspaceResourceId": "[[resourceId('microsoft.OperationalInsights/Workspaces', variables('workspace-name'))]"
},
"resources": [
{
"type": "Microsoft.Web/customApis",
"apiVersion": "2016-06-01",
"name": "[[parameters('CustomConnectorName')]",
"location": "[[variables('workspace-location-inline')]",
"properties": {
"connectionParameters": {
"api_key": {
"type": "securestring"
}
},
"capabilities": "[variables('TemplateEmptyArray')]",
"brandColor": "#FFFFFF",
"displayName": "[[parameters('CustomConnectorName')]",
"iconUri": "",
"backendService": {
"serviceUrl": "[[variables('ServiceName')]"
},
"apiType": "Rest",
"swagger": {
"swagger": "2.0",
"info": {
"title": "PAN-OSRestApiCustomConnector",
"description": "This custom connector calls the PAN-OS REST API over HTTPS, authenticated with an API key, to list, create and update security policy rules, address objects, address groups, custom URL categories and URL filtering security profiles, and returns each response as JSON. Because the create/update operations change firewall policy, the API key supplied to the connection should belong to a role restricted to the operations the playbooks actually need.",
"version": "1.0.0"
},
"host": "[[replace(replace(parameters('PaloAlto Hostname'),'https://',''),'http://','')]",
"basePath": "/",
"schemes": [
"https"
],
"consumes": "[variables('TemplateEmptyArray')]",
"produces": "[variables('TemplateEmptyArray')]",
"paths": {
"/restapi/v10.0/Policies/SecurityRules": {
"get": {
"responses": {
"default": {
"description": "default",
"schema": {
"type": "object",
"properties": {
"@status": {
"type": "string",
"description": "defines the status",
"title": "@status"
},
"@code": {
"type": "string",
"description": "defines the status code",
"title": "@code"
},
"result": {
"type": "object",
"properties": {
"@total-count": {
"type": "string",
"description": "the total count of security policy rules in PAN-OS VM",
"title": "@total-count"
},
"@count": {
"type": "string",
"description": "the count of security policy rules in PAN-OS VM",
"title": "@count"
},
"entry": {
"type": "array",
"items": {
"type": "object",
"properties": {
"@name": {
"type": "string",
"description": "the name of the security policy rule",
"title": "@name"
},
"@uuid": {
"type": "string",
"description": "the unique id of the security policy rule",
"title": "@uuid"
},
"@location": {
"type": "string",
"description": "the location type of the security policy rule. default value is \"vsys\"",
"title": "@location"
},
"@vsys": {
"type": "string",
"description": "the vsys name of the location. default value is \"vsys1\"",
"title": "@vsys"
},
"action": {
"type": "string",
"description": "action allowed on security policy rule.",
"title": "action"
},
"application": {
"type": "object",
"properties": {
"member": {
"type": "array",
"items": {
"type": "string"
},
"description": "member"
}
},
"description": "application"
},
"category": {
"type": "object",
"properties": {
"member": {
"type": "array",
"items": {
"type": "string"
},
"description": "member"
}
},
"description": "category"
},
"destination": {
"type": "object",
"properties": {
"member": {
"type": "array",
"items": {
"type": "string"
},
"description": "member"
}
},
"description": "destination"
},
"from": {
"type": "object",
"properties": {
"member": {
"type": "array",
"items": {
"type": "string"
},
"description": "member"
}
},
"description": "from"
},
"hip-profiles": {
"type": "object",
"properties": {
"member": {
"type": "array",
"items": {
"type": "string"
},
"description": "member"
}
},
"description": "hip-profiles"
},
"service": {
"type": "object",
"properties": {
"member": {
"type": "array",
"items": {
"type": "string"
},
"description": "member"
}
},
"description": "service"
},
"source": {
"type": "object",
"properties": {
"member": {
"type": "array",
"items": {
"type": "string"
},
"description": "member"
}
},
"description": "source"
},
"source-user": {
"type": "object",
"properties": {
"member": {
"type": "array",
"items": {
"type": "string"
},
"description": "member"
}
},
"description": "source-user"
},
"to": {
"type": "object",
"properties": {
"member": {
"type": "array",
"items": {
"type": "string"
},
"description": "member"
}
},
"description": "to"
},
"source-hip": {
"type": "object",
"properties": {
"member": {
"type": "array",
"items": {
"type": "string"
},
"description": "member"
}
},
"description": "source-hip"
},
"destination-hip": {
"type": "object",
"properties": {
"member": {
"type": "array",
"items": {
"type": "string"
},
"description": "member"
}
},
"description": "destination-hip"
}
}
},
"description": "entry"
}
},
"description": "result"
}
}
}
}
},
"summary": "List security rules",
"description": "List of all the security rules",
"operationId": "[[variables('_operationId-Listsecurityrules')]",
"x-ms-visibility": "important",
"parameters": [
{
"name": "location",
"in": "query",
"required": true,
"type": "string",
"default": "vsys",
"description": "Enter the location"
},
{
"name": "vsys",
"in": "query",
"required": true,
"type": "string",
"default": "vsys1",
"description": "Enter the vsys location name"
},
{
"name": "name",
"in": "query",
"required": false,
"type": "string",
"description": "filter the security rule by name",
"x-ms-summary": "name"
}
]
},
"post": {
"responses": {
"default": {
"description": "default",
"schema": {
"type": "object",
"properties": {
"@status": {
"type": "string",
"description": "status if success or failure",
"title": "@status"
},
"@code": {
"type": "string",
"description": "statuscode",
"title": "@code"
},
"msg": {
"type": "string",
"description": "status message",
"title": "msg"
}
}
}
}
},
"summary": "Create a security policy rule",
"description": "Creates a new policy rule",
"operationId": "[[variables('_operationId-Createsecuritypolicyrule')]",
"x-ms-visibility": "important",
"parameters": [
{
"name": "location",
"in": "query",
"required": true,
"type": "string",
"default": "vsys",
"description": "Enter the location"
},
{
"name": "vsys",
"in": "query",
"required": true,
"type": "string",
"default": "vsys1",
"description": "Enter the vsys location name"
},
{
"name": "name",
"in": "query",
"required": true,
"type": "string",
"description": "Enter the name of security policy rule"
},
{
"name": "body",
"in": "body",
"required": true,
"schema": {
"type": "object",
"properties": {
"entry": {
"type": "object",
"properties": {
"@name": {
"type": "string",
"description": "Enter the name of security policy rule",
"title": "name"
},
"to": {
"type": "object",
"properties": {
"member": {
"type": "string",
"description": "Enter the to member, Array of strings",
"title": "to member",
"default": "any"
}
},
"description": "to",
"required": [
"member"
]
},
"from": {
"type": "object",
"properties": {
"member": {
"type": "string",
"description": "Enter the from member,Array of strings",
"title": "from member",
"default": "any"
}
},
"description": "from",
"required": [
"member"
]
},
"source-user": {
"type": "object",
"properties": {
"member": {
"type": "string",
"description": "Enter the source-user member, Array of strings",
"title": "source-user member",
"default": "any"
}
},
"description": "source-user"
},
"application": {
"type": "object",
"properties": {
"member": {
"type": "string",
"description": "Enter the application member, Array of strings",
"title": "application member",
"default": "any"
}
},
"description": "application",
"required": [
"member"
]
},
"service": {
"type": "object",
"properties": {
"member": {
"type": "string",
"description": "Enter the service member, Array of strings",
"title": "service member",
"default": "any"
}
},
"description": "service",
"required": [
"member"
]
},
"hip-profiles": {
"type": "object",
"properties": {
"member": {
"type": "string",
"description": "Enter the hip-profiles member, Array of strings",
"title": "hip-profiles member",
"default": "any"
}
},
"description": "hip-profiles"
},
"action": {
"type": "string",
"description": "Rule action: allow, deny, drop, reset-client, reset-server or reset-both. Note that the default is allow and the from/to/source/destination/application/service members all default to any, so a rule created without setting these explicitly permits all traffic; set the action and match criteria deliberately.",
"enum": [
"deny",
"allow",
"drop",
"reset-client",
"reset-server",
"reset-both"
],
"title": "action",
"default": "allow"
},
"category": {
"type": "object",
"properties": {
"member": {
"type": "string",
"description": "Enter the category member, Array of strings",
"title": "category member",
"default": "any"
}
},
"description": "category"
},
"source": {
"type": "object",
"properties": {
"member": {
"type": "string",
"description": "Enter the source member, Array of strings for ex:[\"url.com\",\"panos.com\"]",
"title": "source member",
"default": "any"
}
},
"description": "source",
"required": [
"member"
]
},
"destination": {
"type": "object",
"properties": {
"member": {
"type": "string",
"description": "Enter the destination member, Array of strings for ex:[\"192.0.2.10\",\"192.0.2.20\"]",
"title": "destination member",
"default": "any"
}
},
"description": "destination",
"required": [
"member"
]
}
},
"description": "entry",
"required": [
"@name",
"action",
"application",
"category",
"destination",
"from",
"hip-profiles",
"service",
"source",
"to"
]
}
},
"required": [
"entry"
]
}
}
]
},
"put": {
"responses": {
"default": {
"description": "default",
"schema": {
"type": "object",
"properties": {
"@status": {
"type": "string",
"description": "status if success or failure",
"title": "@status"
},
"@code": {
"type": "string",
"description": "status code",
"title": "@code"
},
"msg": {
"type": "string",
"description": "the status msg if success or failure",
"title": "msg"
}
}
}
}
},
"parameters": [
{
"name": "location",
"in": "query",
"required": true,
"type": "string",
"default": "vsys",
"description": "Enter the location"
},
{
"name": "vsys",
"in": "query",
"required": true,
"type": "string",
"default": "vsys1",
"description": "Enter the vsys location name"
},
{
"name": "name",
"in": "query",
"required": true,
"type": "string",
"description": "Enter the name of security policy rule"
},
{
"name": "body",
"in": "body",
"required": true,
"schema": {
"type": "object",
"properties": {
"entry": {
"type": "object",
"properties": {
"@name": {
"type": "string",
"description": "Enter the name of security policy rule",
"title": "name"
},
"to": {
"type": "object",
"properties": {
"member": {
"type": "string",
"description": "Enter the to member, Array of strings",
"title": "to member",
"default": "any"
}
},
"description": "to",
"required": [
"member"
]
},
"from": {
"type": "object",
"properties": {
"member": {
"type": "string",
"description": "Enter the from member,Array of strings",
"title": "from member",
"default": "any"
}
},
"description": "from",
"required": [
"member"
]
},
"source-user": {
"type": "object",
"properties": {
"member": {
"type": "string",
"description": "Enter the source-user member, Array of strings",
"title": "source-user member",
"default": "any"
}
},
"description": "source-user"
},
"application": {
"type": "object",
"properties": {
"member": {
"type": "string",
"description": "Enter the application member, Array of strings",
"title": "application member",
"default": "any"
}
},
"description": "application",
"required": [
"member"
]
},
"service": {
"type": "object",
"properties": {
"member": {
"type": "string",
"description": "Enter the service member, Array of strings",
"title": "service member",
"default": "any"
}
},
"description": "service",
"required": [
"member"
]
},
"hip-profiles": {
"type": "object",
"properties": {
"member": {
"type": "string",
"description": "Enter the hip-profiles member, Array of strings",
"title": "hip-profiles member",
"default": "any"
}
},
"description": "hip-profiles"
},
"action": {
"type": "string",
"description": "Rule action: allow, deny, drop, reset-client, reset-server or reset-both. Note that the default is allow and the from/to/source/destination/application/service members all default to any, so an update that omits these fields leaves the rule permitting all traffic; set the action and match criteria deliberately.",
"enum": [
"deny",
"allow",
"drop",
"reset-client",
"reset-server",
"reset-both"
],
"title": "action",
"default": "allow"
},
"category": {
"type": "object",
"properties": {
"member": {
"type": "string",
"description": "Enter the category member, Array of strings",
"title": "category member",
"default": "any"
}
},
"description": "category"
},
"source": {
"type": "object",
"properties": {
"member": {
"type": "string",
"description": "Enter the source member, Array of strings for ex:[\"url.com\",\"panos.com\"]",
"title": "source member",
"default": "any"
}
},
"description": "source",
"required": [
"member"
]
},
"destination": {
"type": "object",
"properties": {
"member": {
"type": "string",
"description": "Enter the destination member, Array of strings for ex:[\"192.0.2.10\",\"192.0.2.20\"]",
"title": "destination member",
"default": "any"
}
},
"description": "destination",
"required": [
"member"
]
}
},
"description": "entry",
"required": [
"@name",
"action",
"application",
"category",
"destination",
"from",
"hip-profiles",
"service",
"source",
"to"
]
}
},
"required": [
"entry"
]
}
}
],
"summary": "Update security policy rule",
"description": "Update an existing security policy rule with the supplied entry body; the name query parameter selects the rule to update",
"operationId": "[[variables('_operationId-Updatesecuritypolicyrule')]",
"x-ms-visibility": "important"
}
},
"/restapi/v10.0/Objects/CustomURLCategories": {
"get": {
"responses": {
"default": {
"description": "default",
"schema": {
"type": "object",
"properties": {
"@status": {
"type": "string",
"description": "status if success or failure",
"title": "@status"
},
"@code": {
"type": "string",
"description": "status code",
"title": "@code"
},
"result": {
"type": "object",
"properties": {
"@total-count": {
"type": "string",
"description": "total count of URL filtering category info present in PAN-OS",
"title": "@total-count"
},
"@count": {
"type": "string",
"description": "count of the list of URL filtering category info",
"title": "@count"
},
"entry": {
"type": "array",
"items": {
"type": "object",
"properties": {
"@name": {
"type": "string",
"description": "name of URL filtering category information",
"title": "@name"
},
"@location": {
"type": "string",
"description": "location of the URL filtering category info. default value is vsys",
"title": "@location"
},
"@vsys": {
"type": "string",
"description": "vsys location name of URL filtering category info. default value is vsys1",
"title": "@vsys"
},
"description": {
"type": "string",
"description": "description of URL filtering category information",
"title": "description"
},
"list": {
"type": "object",
"properties": {
"member": {
"type": "array",
"items": {
"type": "string"
},
"description": "member"
}
},
"description": "list"
},
"type": {
"type": "string",
"description": "type of URL filtering category info",
"title": "type"
}
}
},
"description": "entry"
}
},
"description": "result"
}
}
}
}
},
"summary": "List custom url categories",
"description": "List custom url categories",
"operationId": "[[variables('_operationId-Listcustomurlcategories')]",
"x-ms-visibility": "important",
"parameters": [
{
"name": "location",
"in": "query",
"required": true,
"type": "string",
"default": "vsys",
"description": "Enter the location"
},
{
"name": "vsys",
"in": "query",
"required": true,
"type": "string",
"default": "vsys1",
"description": "Enter the vsys location name"
},
{
"name": "name",
"in": "query",
"required": false,
"type": "string",
"description": "filter by custom url category name",
"x-ms-summary": "name"
}
]
}
},
"/restapi/v10.0/Objects/Addresses": {
"get": {
"responses": {
"default": {
"description": "default",
"schema": {
"type": "object",
"properties": {
"@status": {
"type": "string",
"description": "status if success or failure",
"title": "@status"
},
"@code": {
"type": "string",
"description": "status code",
"title": "@code"
},
"result": {
"type": "object",
"properties": {
"@total-count": {
"type": "string",
"description": "total count of address objects present in PAN-OS VM",
"title": "@total-count"
},
"@count": {
"type": "string",
"description": "count of address objects present in PAN-OS",
"title": "@count"
},
"entry": {
"type": "array",
"items": {
"type": "object",
"properties": {
"@name": {
"type": "string",
"description": "Enter the name of the address object",
"title": "@name"
},
"@location": {
"type": "string",
"description": "location of PAN-OS VM. default value is vsys",
"title": "@location"
},
"@vsys": {
"type": "string",
"description": "vsys location name of address object. default value is vsys1",
"title": "@vsys"
},
"description": {
"type": "string",
"description": "description of address object",
"title": "description"
},
"fqdn": {
"type": "string",
"description": "URL address of address object",
"title": "fqdn"
},
"ip-netmask": {
"type": "string",
"description": "Ip address of address object",
"title": "ip-netmask"
}
}
},
"description": "entry"
}
},
"description": "result"
}
}
}
}
},
"summary": "List address objects",
"description": "List address objects",
"operationId": "[[variables('_operationId-Listaddressobjects')]",
"x-ms-visibility": "important",
"parameters": [
{
"name": "location",
"in": "query",
"required": true,
"type": "string",
"default": "vsys",
"description": "Enter the location"
},
{
"name": "vsys",
"in": "query",
"required": true,
"type": "string",
"default": "vsys1",
"description": "Enter the vsys location name"
},
{
"name": "name",
"in": "query",
"required": false,
"type": "string",
"description": "filter by address object name",
"x-ms-summary": "name"
}
]
},
"post": {
"responses": {
"default": {
"description": "default",
"schema": {
"type": "object",
"properties": {
"@status": {
"type": "string",
"description": "status if success or failure",
"title": "@status"
},
"@code": {
"type": "string",
"description": "status code",
"title": "@code"
},
"msg": {
"type": "string",
"description": "success or failure msg",
"title": "msg"
}
}
}
}
},
"summary": "Create an address object",
"description": "creates address object",
"x-ms-visibility": "important",
"operationId": "[[variables('_operationId-Createanaddressobject')]",
"parameters": [
{
"name": "location",
"in": "query",
"required": true,
"type": "string",
"default": "vsys",
"description": "Enter the location"
},
{
"name": "vsys",
"in": "query",
"required": true,
"type": "string",
"default": "vsys1",
"description": "Enter the vsys location name"
},
{
"name": "name",
"in": "query",
"required": true,
"type": "string",
"description": "Enter the name of address object"
},
{
"name": "address type",
"in": "query",
"required": true,
"type": "string",
"enum": [
"ip-netmask",
"fqdn"
]
},
{
"name": "body",
"in": "body",
"required": true,
"schema": {
"type": "object",
"properties": {
"entry": {
"type": "object",
"properties": {
"@name": {
"type": "string",
"description": "Enter the name of address object",
"title": "name"
},
"fqdn": {
"type": "string",
"description": "Enter the FQDN, e.g. host.example.com (used when address type is fqdn)",
"title": "fqdn",
"x-ms-visibility": "advanced"
},
"ip-netmask": {
"type": "string",
"description": "Enter the IP address, e.g. 192.0.2.10 (used when address type is ip-netmask)",
"title": "ip-netmask",
"x-ms-visibility": "advanced"
},
"description": {
"type": "string",
"description": "Enter the description",
"title": "description"
}
},
"description": "entry"
}
}
}
}
]
},
"put": {
"responses": {
"default": {
"description": "default",
"schema": {
"type": "object",
"properties": {
"@status": {
"type": "string",
"description": "status if success or failure",
"title": "@status"
},
"@code": {
"type": "string",
"description": "status code",
"title": "@code"
},
"msg": {
"type": "string",
"description": "status message",
"title": "msg"
}
}
}
}
},
"summary": "Update an address object",
"operationId": "[[variables('_operationId-Updateaddressobject')]",
"x-ms-visibility": "important",
"description": "Updates an address objects parameters.",
"parameters": [
{
"name": "location",
"in": "query",
"required": true,
"type": "string",
"default": "vsys",
"description": "Enter the location"
},
{
"name": "vsys",
"in": "query",
"required": true,
"type": "string",
"default": "vsys1",
"description": "Enter the vsys location name"
},
{
"name": "name",
"in": "query",
"required": true,
"type": "string",
"description": "Enter the name of address object",
"x-ms-summary": "name"
},
{
"name": "address type",
"in": "query",
"required": true,
"type": "string",
"enum": [
"ip-netmask",
"fqdn"
]
},
{
"name": "body",
"in": "body",
"required": true,
"schema": {
"type": "object",
"properties": {
"entry": {
"type": "object",
"properties": {
"@name": {
"type": "string",
"description": "Enter the name of address object",
"title": "name"
},
"fqdn": {
"type": "string",
"description": "Enter the FQDN, e.g. host.example.com (used when address type is fqdn)",
"title": "fqdn",
"x-ms-visibility": "advanced"
},
"ip-netmask": {
"type": "string",
"description": "Enter the IP address, e.g. 192.0.2.10 (used when address type is ip-netmask)",
"title": "ip-netmask",
"x-ms-visibility": "advanced"
},
"description": {
"type": "string",
"description": "Enter the description",
"title": "description"
}
},
"description": "entry",
"required": [
"@name",
"description"
]
}
},
"required": [
"entry"
]
}
}
]
}
},
"/restapi/v10.0/Objects/AddressGroups": {
"get": {
"responses": {
"default": {
"description": "default",
"schema": {
"type": "object",
"properties": {
"@status": {
"type": "string",
"description": "status if success or failure",
"title": "@status"
},
"@code": {
"type": "string",
"description": "status code",
"title": "@code"
},
"result": {
"type": "object",
"properties": {
"@total-count": {
"type": "string",
"description": "total count of address object groups present in PAN-OS VM",
"title": "@total-count"
},
"@count": {
"type": "string",
"description": "count of address object groups present in PAN-OS VM",
"title": "@count"
},
"entry": {
"type": "array",
"items": {
"type": "object",
"properties": {
"@name": {
"type": "string",
"description": "Enter the name of address object group",
"title": "@name"
},
"@location": {
"type": "string",
"description": "location of address object group",
"title": "@location"
},
"@vsys": {
"type": "string",
"description": "vsys location name of address object group",
"title": "@vsys"
},
"static": {
"type": "object",
"properties": {
"member": {
"type": "array",
"items": {
"type": "string"
},
"description": "member"
}
},
"description": "static"
}
}
},
"description": "entry"
}
},
"description": "result"
}
}
}
}
},
"summary": "List address groups",
"operationId": "[[variables('_operationId-Listaddressgroups')]",
"x-ms-visibility": "important",
"description": "List address groups",
"parameters": [
{
"name": "location",
"in": "query",
"required": true,
"type": "string",
"default": "vsys",
"description": "Enter the location"
},
{
"name": "vsys",
"in": "query",
"required": true,
"type": "string",
"default": "vsys1",
"description": "Enter the vsys location name"
},
{
"name": "name",
"in": "query",
"required": false,
"type": "string",
"description": "filter by address group name",
"x-ms-summary": "name"
}
]
},
"post": {
"responses": {
"default": {
"description": "default",
"schema": {
"type": "object",
"properties": {
"@status": {
"type": "string",
"description": "status if success or failure",
"title": "@status"
},
"@code": {
"type": "string",
"description": "statuscode",
"title": "@code"
},
"msg": {
"type": "string",
"description": "status message",
"title": "msg"
}
}
}
}
},
"summary": "Create an address object group",
"description": "Creates an address object group",
"operationId": "[[variables('_operationId-Createaddressobjectgroup')]",
"x-ms-visibility": "important",
"parameters": [
{
"name": "location",
"in": "query",
"required": true,
"type": "string",
"default": "vsys",
"description": "Enter the location"
},
{
"name": "vsys",
"in": "query",
"required": true,
"type": "string",
"default": "vsys1",
"description": "Enter the vsys location name"
},
{
"name": "name",
"in": "query",
"required": true,
"type": "string",
"description": "Enter the name of the address object group"
},
{
"name": "body",
"in": "body",
"required": true,
"schema": {
"type": "object",
"properties": {
"entry": {
"type": "object",
"properties": {
"@name": {
"type": "string",
"description": "Enter the name of address object group",
"title": "name"
},
"static": {
"type": "object",
"properties": {
"member": {
"type": "string",
"description": "Enter the complete member list (existing members plus any new ones); the supplied list becomes the group's membership, so include every existing member you want to keep",
"title": "member"
}
},
"description": "static",
"required": [
"member"
]
}
},
"description": "entry",
"required": [
"@name",
"static"
]
}
},
"required": [
"entry"
]
}
}
]
},
"put": {
"responses": {
"default": {
"description": "default",
"schema": {
"type": "object",
"properties": {
"@status": {
"type": "string",
"description": "status if success or failure",
"title": "@status"
},
"@code": {
"type": "string",
"description": "statuscode",
"title": "@code"
},
"msg": {
"type": "string",
"description": "status message",
"title": "msg"
}
}
}
}
},
"summary": "Update an address object group",
"operationId": "[[variables('_operationId-Updateanaddressobjectgroup')]",
"description": "Update the address object group",
"x-ms-visibility": "important",
"parameters": [
{
"name": "location",
"in": "query",
"required": true,
"type": "string",
"default": "vsys",
"description": "Enter the location"
},
{
"name": "vsys",
"in": "query",
"required": true,
"type": "string",
"default": "vsys1",
"description": "Enter the vsys location name"
},
{
"name": "name",
"in": "query",
"required": true,
"type": "string",
"description": "Enter the name of the address object group"
},
{
"name": "body",
"in": "body",
"required": true,
"schema": {
"type": "object",
"properties": {
"entry": {
"type": "array",
"items": {
"type": "object",
"properties": {
"@name": {
"type": "string",
"description": "Enter the name of address object group",
"title": "name"
},
"static": {
"type": "object",
"properties": {
"member": {
"type": "string",
"description": "Enter the complete member list (existing members plus any new ones); the supplied list becomes the group's membership, so include every existing member you want to keep",
"title": "member"
}
},
"description": "static",
"required": [
"member"
]
}
}
},
"description": "entry",
"required": [
"@name",
"static"
]
}
},
"required": [
"entry"
]
}
}
]
}
},
"/restapi/v10.0/Objects/URLFilteringSecurityProfiles": {
"get": {
"responses": {
"default": {
"description": "default",
"schema": {
"type": "object",
"properties": {
"@status": {
"type": "string",
"description": "status if success or failure",
"title": "@status"
},
"@code": {
"type": "string",
"description": "status code",
"title": "@code"
},
"result": {
"type": "object",
"properties": {
"@total-count": {
"type": "string",
"description": "total count of url filtering security profile information",
"title": "@total-count"
},
"@count": {
"type": "string",
"description": "count of url filtering security profile information",
"title": "@count"
},
"entry": {
"type": "array",
"items": {
"type": "object",
"properties": {
"@name": {
"type": "string",
"description": "Name of the URL filtering security profile",
"title": "@name"
},
"@location": {
"type": "string",
"description": "location of URL filtering security profile",
"title": "@location"
},
"@vsys": {
"type": "string",
"description": "@vsys"
},
"description": {
"type": "string",
"description": "description of url filtering security info",
"title": "description"
},
"credential-enforcement": {
"type": "object",
"properties": {
"mode": {
"type": "object",
"properties": {
"disabled": {
"type": "object",
"description": "disabled"
}
},
"description": "mode"
},
"log-severity": {
"type": "string",
"description": "log-severity of filtering security category info",
"title": "log-severity"
}
},
"description": "credential-enforcement"
},
"log-http-hdr-user-agent": {
"type": "string",
"description": "log-http-hdr-user-agent",
"title": "log-http-hdr-user-agent"
},
"mlav-engine-urlbased-enabled": {
"type": "object",
"properties": {
"entry": {
"type": "array",
"items": {
"type": "object",
"properties": {
"@name": {
"type": "string",
"description": "Name of the URL filtering security profile"
},
"mlav-policy-action": {
"type": "string",
"description": "mlav-policy-action"
}
}
},
"description": "entry"
}
},
"description": "mlav-engine-urlbased-enabled"
}
}
},
"description": "entry"
}
},
"description": "result"
}
}
}
}
},
"summary": "List url filtering security profiles",
"description": "List url filtering security profiles",
"operationId": "[[variables('_operationId-Listurlfilteringsecurityprofiles')]",
"x-ms-visibility": "important",
"parameters": [
{
"name": "location",
"in": "query",
"required": true,
"type": "string",
"default": "vsys",
"description": "Enter the location"
},
{
"name": "vsys",
"in": "query",
"required": true,
"type": "string",
"default": "vsys1",
"description": "Enter the vsys location name"
},
{
"name": "name",
"in": "query",
"required": false,
"type": "string",
"description": "filter by name of URL filtering security profile",
"x-ms-summary": "name"
}
]
},
"put": {
"responses": {
"default": {
"description": "default",
"schema": {
"type": "object",
"properties": {
"@status": {
"type": "string",
"description": "status if success or failure",
"title": "@status"
},
"@code": {
"type": "string",
"description": "status code",
"title": "@code"
},
"msg": {
"type": "string",
"description": "status msg",
"title": "msg"
}
}
}
}
},
"summary": "Update a URL filtering security profile",
"operationId": "[[variables('_operationId-Updateanurlfilteringsecurityprofile')]",
"description": "Update a URL filtering security profile",
"x-ms-visibility": "important",
"parameters": [
{
"name": "location",
"in": "query",
"required": true,
"type": "string",
"default": "vsys"
},
{
"name": "vsys",
"in": "query",
"required": true,
"type": "string",
"default": "vsys1"
},
{
"name": "name",
"in": "query",
"required": true,
"type": "string",
"description": "Enter the name of URL filtering category security profile"
},
{
"name": "body",
"in": "body",
"required": true,
"schema": {
"type": "object",
"properties": {
"entry": {
"type": "object",
"properties": {
"@name": {
"type": "string",
"description": "Enter the name of URL filtering category security profile",
"title": "name"
},
"description": {
"type": "string",
"description": "Enter the description",
"title": "description"
},
"allow": {
"type": "object",
"properties": {
"member": {
"type": "string",
"description": "Categories to allow, Array of strings",
"title": "allow member"
}
},
"description": "allow"
},
"alert": {
"type": "object",
"properties": {
"member": {
"type": "string",
"description": "Categories to alert on, Array of strings",
"title": "alert member"
}
},
"description": "alert"
},
"block": {
"type": "object",
"properties": {
"member": {
"type": "string",
"description": "Categories to block, Array of strings",
"title": "block member"
}
},
"description": "block"
},
"continue": {
"type": "object",
"properties": {
"member": {
"type": "string",
"description": "Categories to continue, Array of strings",
"title": "continue member"
}
},
"description": "continue"
},
"override": {
"type": "object",
"properties": {
"member": {
"type": "string",
"description": "Categories to admin override, Array of strings",
"title": "override member"
}
},
"description": "override"
},
"credential-enforcement": {
"type": "object",
"properties": {
"mode": {
"type": "object",
"properties": {
"disabled": {
"type": "object",
"description": "disabled (object) or ip-user (object) or domain-credentials (object) or group-mapping (object)"
}
},
"description": "mode"
},
"log-severity": {
"type": "string",
"description": "Log severity when credential matched",
"title": "credential-enforcement log severity",
"default": "any"
},
"allow": {
"type": "object",
"properties": {
"member": {
"type": "string",
"description": "Categories to allow and bypass credential enforcement",
"title": "credential-enforcement allow member"
}
},
"description": "allow"
},
"alert": {
"type": "object",
"properties": {
"member": {
"type": "string",
"description": "Categories to alert on credential match",
"title": "credential-enforcement alert member"
}
},
"description": "alert"
},
"block": {
"type": "object",
"properties": {
"member": {
"type": "string",
"description": "Categories to block on credential match",
"title": "credential-enforcement block member"
}
},
"description": "block"
},
"continue": {
"type": "object",
"properties": {
"member": {
"type": "string",
"description": "Categories to block/continue on credential match",
"title": "credential-enforcement continue member"
}
},
"description": "continue"
}
},
"description": "credential-enforcement",
"required": [
"mode",
"log-severity"
]
},
"enable-container-page": {
"type": "string",
"description": "Enter the enable-container-page",
"title": "enable-container-page",
"enum": [
true,
false
],
"default": true
},
"log-container-page-only": {
"type": "string",
"description": "Log container page only",
"title": "log-container-page-only",
"enum": [
true,
false
],
"default": true
},
"safe-search-enforcement": {
"type": "string",
"description": "Safe-Search will be enforced if it is set",
"title": "safe-search-enforcement",
"enum": [
true,
false
],
"default": false
},
"log-http-hdr-xff": {
"type": "string",
"description": "Log HTTP Header X-Forwarded-For field",
"title": "log-http-hdr-xff",
"enum": [
true,
false
]
},
"log-http-hdr-user-agent": {
"type": "string",
"description": "Log HTTP Header User-Agent field",
"title": "log-http-hdr-user-agent",
"enum": [
true,
false
],
"default": false
},
"log-http-hdr-referer": {
"type": "string",
"description": "Log HTTP Header Referer field",
"title": "log-http-hdr-referer",
"enum": [
true,
false
]
},
"http-header-insertion": {
"type": "object",
"properties": {
"entry": {
"type": "object",
"properties": {
"@name": {
"type": "string",
"description": "Enter the http-header-insertion entry name",
"title": "http-header-insertion entry name"
},
"type": {
"type": "object",
"properties": {
"entry": {
"type": "object",
"properties": {
"@name": {
"type": "string",
"description": "Enter the http-header-insertion type entry name",
"title": "http-header-insertion type entry name"
},
"headers": {
"type": "object",
"properties": {
"entry": {
"type": "object",
"properties": {
"@name": {
"type": "string",
"description": "Enter the http-header-insertion entry type entry headers entry name",
"title": "http-header-insertion entry type entry headers entry name"
},
"header": {
"type": "string",
"description": "Enter the http-header-insertion entry type entry headers entry header",
"title": "http-header-insertion entry type entry headers entry header"
},
"value": {
"type": "string",
"description": "Enter the http-header-insertion entry type entry headers entry value",
"title": "http-header-insertion entry type entry headers entry value"
},
"log": {
"type": "string",
"description": "Enter the http-header-insertion entry type entry headers entry log",
"title": "http-header-insertion entry type entry headers entry log",
"default": false,
"enum": [
true,
false
]
}
},
"description": "entry",
"required": [
"name",
"header",
"value",
"log"
]
}
},
"description": "headers",
"required": [
"entry"
]
},
"domains": {
"type": "object",
"properties": {
"member": {
"type": "string",
"description": "Enter the http-header-insertion entry type entry domains member",
"title": "http-header-insertion entry type entry domains member"
}
},
"description": "domains",
"required": [
"member"
]
}
},
"description": "entry"
}
},
"description": "type",
"required": [
"entry"
]
}
},
"description": "entry",
"required": [
"@name",
"type",
"domains"
]
}
},
"description": "http-header-insertion",
"required": [
"entry"
]
},
"mlav-category-exception": {
"type": "object",
"properties": {
"member": {
"type": "string",
"description": "Enter the mlav-category-exception member",
"title": "mlav-category-exception member"
}
},
"description": "mlav-category-exception",
"required": [
"member"
]
},
"mlav-engine-urlbased-enabled": {
"type": "object",
"properties": {
"entry": {
"type": "object",
"properties": {
"@name": {
"type": "string",
"description": "Enter the mlav-engine-urlbased-enabled entry name",
"title": "mlav-engine-urlbased-enabled entry name"
},
"mlav-policy-action": {
"type": "string",
"description": "Enter the mlav-engine-urlbased-enabled mlav-policy-action",
"title": "mlav-engine-urlbased-enabled mlav-policy-action",
"enum": [
"block",
"alert",
"allow"
]
}
},
"description": "entry",
"required": [
"@name",
"mlav-policy-action"
]
}
},
"description": "mlav-engine-urlbased-enabled",
"required": [
"entry"
]
}
},
"description": "entry",
"required": [
"@name",
"allow",
"alert",
"continue",
"block",
"credential-enforcement",
"description",
"enable-container-page",
"http-header-insertion",
"log-container-page-only",
"log-http-hdr-user-agent",
"mlav-category-exception",
"mlav-engine-urlbased-enabled",
"override",
"safe-search-enforcement",
"log-http-hdr-xff",
"log-http-hdr-referer"
]
}
},
"required": [
"entry"
]
}
}
]
}
}
},
"securityDefinitions": {
"API Key": {
"type": "apiKey",
"in": "header",
"name": "X-PAN-KEY"
}
},
"security": [
{
"API Key": "[variables('TemplateEmptyArray')]"
}
],
"tags": "[variables('TemplateEmptyArray')]"
}
}
},
{
"type": "Microsoft.OperationalInsights/workspaces/providers/metadata",
"apiVersion": "2022-01-01-preview",
"name": "[[concat(variables('workspace-name'),'/Microsoft.SecurityInsights/',concat('LogicAppsCustomConnector-', last(split(variables('playbookId1'),'/'))))]",
"properties": {
"parentId": "[[variables('playbookId1')]",
"contentId": "[variables('_playbookContentId1')]",
"kind": "LogicAppsCustomConnector",
"version": "[variables('playbookVersion1')]",
"source": {
"kind": "Solution",
"name": "PaloAlto-PAN-OS",
"sourceId": "[variables('_solutionId')]"
},
"author": {
"name": "Microsoft",
"email": "[variables('_email')]"
},
"support": {
"name": "Microsoft Corporation",
"email": "support@microsoft.com",
"tier": "Microsoft",
"link": "https://support.microsoft.com"
}
}
}
]
},
"packageKind": "Solution",
"packageVersion": "[variables('_solutionVersion')]",
"packageName": "[variables('_solutionName')]",
"packageId": "[variables('_solutionId')]",
"contentSchemaVersion": "3.0.0",
"contentId": "[variables('_playbookContentId1')]",
"contentKind": "LogicAppsCustomConnector",
"displayName": "PaloAlto_PAN-OS_Rest_API_CustomConnector",
"contentProductId": "[variables('_playbookcontentProductId1')]",
"id": "[variables('_playbookcontentProductId1')]",
"version": "[variables('playbookVersion1')]"
}
},
{
"type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates",
"apiVersion": "2023-04-01-preview",
"name": "[variables('playbookTemplateSpecName2')]",
"location": "[parameters('workspace-location')]",
"dependsOn": [
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
"description": "PaloAlto_PAN-OS_XML_API_CustomConnector Playbook with template version 3.0.1",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('playbookVersion2')]",
"parameters": {
"CustomConnectorName": {
"defaultValue": "PAN-OSXmlApiCustomConnector",
"type": "String"
},
"PaloAlto Hostname": {
"type": "String",
"metadata": {
"description": "Provide the PAN-OS hostname. Do not prefix it with https:// or http://."
}
}
},
"variables": {
"api_host": "[[replace(replace(parameters('PaloAlto Hostname'),'https://',''),'http://','')]",
"ServiceName": "[[concat('https://', variables('api_host'))]",
"operationId-Queryxmlapi": "Queryxmlapi",
"_operationId-Queryxmlapi": "[[variables('operationId-Queryxmlapi')]",
"workspace-location-inline": "[concat('[resourceGroup().locatio', 'n]')]",
"playbookContentId2": "PaloAlto_PAN-OS_XML_API_CustomConnector",
"playbookId2": "[[resourceId('Microsoft.Web/customApis', parameters('CustomConnectorName'))]",
"workspace-name": "[parameters('workspace')]",
"workspaceResourceId": "[[resourceId('microsoft.OperationalInsights/Workspaces', variables('workspace-name'))]"
},
"resources": [
{
"type": "Microsoft.Web/customApis",
"apiVersion": "2016-06-01",
"name": "[[parameters('CustomConnectorName')]",
"location": "[[variables('workspace-location-inline')]",
"properties": {
"connectionParameters": {
"api_key": {
"type": "securestring"
}
},
"capabilities": "[variables('TemplateEmptyArray')]",
"brandColor": "#FFFFFF",
"description": "[[concat(parameters('CustomConnectorName'), ' connects to the Palo Alto XML service endpoint to run any Palo Alto-supported API GET/POST calls and returns the response in XML format. \n\nNote: For more details, see https://docs.paloaltonetworks.com/pan-os/9-1/pan-os-panorama-api/get-started-with-the-pan-os-xml-api')]",
"displayName": "[[parameters('CustomConnectorName')]",
"iconUri": "",
"backendService": {
"serviceUrl": "[[variables('ServiceName')]"
},
"apiType": "Rest",
"swagger": {
"swagger": "2.0",
"info": {
"version": "1.0.0",
"title": "PAN-OSXmlApiCustomConnector",
"description": "This custom connector connects to the Palo Alto XML service endpoint to run any Palo Alto-supported API GET/POST calls and returns the response in XML format. \n\nNote: For more details, see https://docs.paloaltonetworks.com/pan-os/9-1/pan-os-panorama-api/get-started-with-the-pan-os-xml-api"
},
"host": "[[replace(replace(parameters('PaloAlto Hostname'),'https://',''),'http://','')]",
"basePath": "/",
"schemes": [
"https"
],
"consumes": "[variables('TemplateEmptyArray')]",
"produces": [
"application/json"
],
"paths": {
"/api/": {
"get": {
"summary": "Query Palo Alto XML API",
"description": "Query XML API for PCAPs and Device Info",
"operationId": "[[variables('_operationId-Queryxmlapi')]",
"parameters": [
{
"name": "type",
"default": "op",
"in": "query",
"type": "string",
"required": true
},
{
"name": "cmd",
"default": "<show><system><info></info></system></show>",
"in": "query",
"type": "string",
"required": false
},
{
"name": "category",
"in": "query",
"type": "string",
"required": false
},
{
"name": "pcap-id",
"in": "query",
"type": "string",
"required": false
},
{
"name": "search-time",
"in": "query",
"type": "string",
"required": false
},
{
"name": "sessionid",
"in": "query",
"type": "string",
"required": false
},
{
"name": "device_name",
"in": "query",
"type": "string",
"required": false
}
],
"responses": {
"default": {
"description": "default"
}
},
"x-ms-visibility": "important"
}
}
},
"securityDefinitions": {
"api_key": {
"type": "apiKey",
"in": "header",
"name": "X-PAN-KEY"
}
},
"security": "[variables('TemplateEmptyArray')]",
"tags": "[variables('TemplateEmptyArray')]"
}
}
},
{
"type": "Microsoft.OperationalInsights/workspaces/providers/metadata",
"apiVersion": "2022-01-01-preview",
"name": "[[concat(variables('workspace-name'),'/Microsoft.SecurityInsights/',concat('LogicAppsCustomConnector-', last(split(variables('playbookId2'),'/'))))]",
"properties": {
"parentId": "[[variables('playbookId2')]",
"contentId": "[variables('_playbookContentId2')]",
"kind": "LogicAppsCustomConnector",
"version": "[variables('playbookVersion2')]",
"source": {
"kind": "Solution",
"name": "PaloAlto-PAN-OS",
"sourceId": "[variables('_solutionId')]"
},
"author": {
"name": "Microsoft",
"email": "[variables('_email')]"
},
"support": {
"name": "Microsoft Corporation",
"email": "support@microsoft.com",
"tier": "Microsoft",
"link": "https://support.microsoft.com"
}
}
}
]
},
"packageKind": "Solution",
"packageVersion": "[variables('_solutionVersion')]",
"packageName": "[variables('_solutionName')]",
"packageId": "[variables('_solutionId')]",
"contentSchemaVersion": "3.0.0",
"contentId": "[variables('_playbookContentId2')]",
"contentKind": "LogicAppsCustomConnector",
"displayName": "PaloAlto_PAN-OS_XML_API_CustomConnector",
"contentProductId": "[variables('_playbookcontentProductId2')]",
"id": "[variables('_playbookcontentProductId2')]",
"version": "[variables('playbookVersion2')]"
}
},
{
"type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates",
"apiVersion": "2023-04-01-preview",
"name": "[variables('playbookTemplateSpecName3')]",
"location": "[parameters('workspace-location')]",
"dependsOn": [
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
"description": "PaloAlto-PAN-OS-GetSystemInfo Playbook with template version 3.0.1",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('playbookVersion3')]",
"parameters": {
"PlaybookName": {
"defaultValue": "PaloAlto-PAN-OS-GetSystemInfo",
"type": "string"
},
"CustomConnectorName": {
"defaultValue": "PAN-OSXmlApiCustomConnector",
"type": "string",
"metadata": {
"description": "Name of the custom connector. If you change the default name, make sure to use the same name in all Palo Alto automation playbooks as well."
}
}
},
"variables": {
"MicrosoftSentinelConnectionName": "[[concat('MicrosoftSentinel-', parameters('PlaybookName'))]",
"PaloaltoconnectorConnectionName": "[[concat('Paloaltoconnector-', parameters('PlaybookName'))]",
"connection-2": "[[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', variables('workspace-location-inline'), '/managedApis/Azuresentinel')]",
"_connection-2": "[[variables('connection-2')]",
"connection-3": "[[concat('/subscriptions/', subscription().subscriptionId, '/resourceGroups/', resourceGroup().name, '/providers/Microsoft.Web/customApis/', parameters('CustomConnectorName'))]",
"_connection-3": "[[variables('connection-3')]",
"workspace-location-inline": "[concat('[resourceGroup().locatio', 'n]')]",
"workspace-name": "[parameters('workspace')]",
"workspaceResourceId": "[[resourceId('microsoft.OperationalInsights/Workspaces', variables('workspace-name'))]"
},
"resources": [
{
"properties": {
"provisioningState": "Succeeded",
"state": "Enabled",
"definition": {
"$schema": "https://schema.management.azure.com/providers/Microsoft.Logic/schemas/2016-06-01/workflowdefinition.json#",
"contentVersion": "1.0.0.0",
"parameters": {
"$connections": {
"type": "Object"
}
},
"triggers": {
"Microsoft_Sentinel_incident": {
"type": "ApiConnectionWebhook",
"inputs": {
"body": {
"callback_url": "@{listCallbackUrl()}"
},
"host": {
"connection": {
"name": "@parameters('$connections')['azuresentinel']['connectionId']"
}
},
"path": "/incident-creation"
}
}
},
"actions": {
"Add_comment_to_incident_(V3)": {
"runAfter": {
"Query_Palo_Alto_XML_API": [
"Succeeded"
]
},
"type": "ApiConnection",
"inputs": {
"body": {
"incidentArmId": "@triggerBody()?['object']?['id']",
"message": "<p><span style=\"font-size: 16px\"><strong>System Info :</strong></span><br>\n<br>\n@{body('Query_Palo_Alto_XML_API')}</p>"
},
"host": {
"connection": {
"name": "@parameters('$connections')['azuresentinel']['connectionId']"
}
},
"method": "post",
"path": "/Incidents/Comment"
}
},
"Query_Palo_Alto_XML_API": {
"type": "ApiConnection",
"inputs": {
"host": {
"connection": {
"name": "@parameters('$connections')['paloaltoconnector']['connectionId']"
}
},
"method": "get",
"path": "/api/",
"queries": {
"cmd": "<show><system><info></info></system></show>",
"type": "op"
}
}
}
}
},
"parameters": {
"$connections": {
"value": {
"azuresentinel": {
"connectionId": "[[resourceId('Microsoft.Web/connections', variables('MicrosoftSentinelConnectionName'))]",
"connectionName": "[[variables('MicrosoftSentinelConnectionName')]",
"id": "[[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', variables('workspace-location-inline'), '/managedApis/Azuresentinel')]",
"connectionProperties": {
"authentication": {
"type": "ManagedServiceIdentity"
}
}
},
"paloaltoconnector": {
"connectionId": "[[resourceId('Microsoft.Web/connections', variables('PaloaltoconnectorConnectionName'))]",
"connectionName": "[[variables('PaloaltoconnectorConnectionName')]",
"id": "[[concat('/subscriptions/', subscription().subscriptionId, '/resourceGroups/', resourceGroup().name, '/providers/Microsoft.Web/customApis/', parameters('CustomConnectorName'))]"
}
}
}
}
},
"name": "[[parameters('PlaybookName')]",
"type": "Microsoft.Logic/workflows",
"location": "[[variables('workspace-location-inline')]",
"identity": {
"type": "SystemAssigned"
},
"tags": {
"hidden-SentinelTemplateName": "PaloAlto-PAN-OS-GetSystemInfo",
"hidden-SentinelTemplateVersion": "1.0",
"hidden-SentinelWorkspaceId": "[[variables('workspaceResourceId')]"
},
"apiVersion": "2017-07-01",
"dependsOn": [
"[[resourceId('Microsoft.Web/connections', variables('MicrosoftSentinelConnectionName'))]",
"[[resourceId('Microsoft.Web/connections', variables('PaloaltoconnectorConnectionName'))]"
]
},
{
"type": "Microsoft.Web/connections",
"apiVersion": "2016-06-01",
"name": "[[variables('MicrosoftSentinelConnectionName')]",
"location": "[[variables('workspace-location-inline')]",
"kind": "V1",
"properties": {
"displayName": "[[variables('MicrosoftSentinelConnectionName')]",
"parameterValueType": "Alternative",
"api": {
"id": "[[variables('_connection-2')]"
}
}
},
{
"type": "Microsoft.Web/connections",
"apiVersion": "2016-06-01",
"name": "[[variables('PaloaltoconnectorConnectionName')]",
"location": "[[variables('workspace-location-inline')]",
"kind": "V1",
"properties": {
"displayName": "[[variables('PaloaltoconnectorConnectionName')]",
"api": {
"id": "[[variables('_connection-3')]"
}
}
},
{
"type": "Microsoft.OperationalInsights/workspaces/providers/metadata",
"apiVersion": "2022-01-01-preview",
"name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('Playbook-', last(split(variables('playbookId3'),'/'))))]",
"properties": {
"parentId": "[variables('playbookId3')]",
"contentId": "[variables('_playbookContentId3')]",
"kind": "Playbook",
"version": "[variables('playbookVersion3')]",
"source": {
"kind": "Solution",
"name": "PaloAlto-PAN-OS",
"sourceId": "[variables('_solutionId')]"
},
"author": {
"name": "Microsoft",
"email": "[variables('_email')]"
},
"support": {
"name": "Microsoft Corporation",
"email": "support@microsoft.com",
"tier": "Microsoft",
"link": "https://support.microsoft.com"
},
"dependencies": {
"criteria": [
{
"kind": "LogicAppsCustomConnector",
"contentId": "[variables('_PaloAlto_PAN-OS_XML_API_CustomConnector')]",
"version": "[variables('playbookVersion2')]"
}
]
}
}
}
],
"metadata": {
"title": "Get System Info - Palo Alto PAN-OS XML API",
"description": "This playbook allows us to get System Info of a Palo Alto device for a Microsoft Sentinel alert.",
"prerequisites": [
"1. The Palo Alto connector needs to be deployed under the same subscription prior to the deployment of this playbook. Relevant instructions can be found in the connector doc page. \n\n 2. Generate an API key. [Refer to this link on how to generate the API key](https://docs.paloaltonetworks.com/pan-os/9-1/pan-os-panorama-api/get-started-with-the-pan-os-xml-api/get-your-api-key) \n\n 3. This playbook only works for Palo Alto incidents."
],
"lastUpdateTime": "2022-07-25T00:00:00Z",
"entities": [
"Ip"
],
"tags": [
"Remediation",
"Response from teams"
],
"postDeployment": [
"** a. Authorize connections ** Once deployment is complete, you will need to authorize each connection. \n\n 1. Click the Microsoft Sentinel connection resource \n\n 2. Click edit API connection \n\n 3. Click Authorize \n\n 4. Sign in \n\n 5. Click Save \n\n 6. Repeat the steps for other connections such as the Blob Store connection and the PAN-OS API connection (to authorize the PAN-OS API connection, the API key needs to be provided) \n\n ** b. Configurations in Sentinel ** 1. In Microsoft Sentinel, analytics rules should be configured to trigger an incident with a risky IP \n\n 2. Configure the automation rules to trigger this playbook"
],
"releaseNotes": {
"version": "1.0",
"title": "[variables('blanks')]",
"notes": [
"Initial version"
]
}
}
},
"packageKind": "Solution",
"packageVersion": "[variables('_solutionVersion')]",
"packageName": "[variables('_solutionName')]",
"packageId": "[variables('_solutionId')]",
"contentSchemaVersion": "3.0.0",
"contentId": "[variables('_playbookContentId3')]",
"contentKind": "Playbook",
"displayName": "PaloAlto-PAN-OS-GetSystemInfo",
"contentProductId": "[variables('_playbookcontentProductId3')]",
"id": "[variables('_playbookcontentProductId3')]",
"version": "[variables('playbookVersion3')]"
}
},
{
"type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates",
"apiVersion": "2023-04-01-preview",
"name": "[variables('playbookTemplateSpecName4')]",
"location": "[parameters('workspace-location')]",
"dependsOn": [
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
"description": "PaloAlto-PAN-OS-GetThreatPcap Playbook with template version 3.0.1",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('playbookVersion4')]",
"parameters": {
"PlaybookName": {
"defaultValue": "PaloAlto-PAN-OS-GetThreatPcap",
"type": "string"
},
"LogAnalyticsResourceGroup": {
"type": "string",
"metadata": {
"description": "Enter value for LogAnalyticsResourceGroup"
}
},
"LogAnalyticsResourceName": {
"type": "string",
"metadata": {
"description": "Enter value for LogAnalyticsResourceName"
}
},
"Storage Name": {
"type": "string",
"metadata": {
"description": "Enter value for Storage Name"
}
},
"Container Name": {
"type": "string",
"metadata": {
"description": "Enter value for Container Name"
}
},
"CustomConnectorName": {
"defaultValue": "PAN-OSXmlApiCustomConnector",
"type": "string",
"metadata": {
"description": "Name of the custom connector. If you change the default name, make sure to use the same name in all Palo Alto automation playbooks as well."
}
}
},
"variables": {
"AzureblobConnectionName": "[[concat('Azureblob-', parameters('PlaybookName'))]",
"AzuremonitorlogsConnectionName": "[[concat('Azuremonitorlogs-', parameters('PlaybookName'))]",
"MicrosoftSentinelConnectionName": "[[concat('MicrosoftSentinel-', parameters('PlaybookName'))]",
"PaloaltoconnectorConnectionName": "[[concat('Paloaltoconnector-', parameters('PlaybookName'))]",
"connection-2": "[[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', variables('workspace-location-inline'), '/managedApis/Azureblob')]",
"_connection-2": "[[variables('connection-2')]",
"connection-3": "[[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', variables('workspace-location-inline'), '/managedApis/Azuremonitorlogs')]",
"_connection-3": "[[variables('connection-3')]",
"connection-4": "[[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', variables('workspace-location-inline'), '/managedApis/Azuresentinel')]",
"_connection-4": "[[variables('connection-4')]",
"connection-5": "[[concat('/subscriptions/', subscription().subscriptionId, '/resourceGroups/', resourceGroup().name, '/providers/Microsoft.Web/customApis/', parameters('CustomConnectorName'))]",
"_connection-5": "[[variables('connection-5')]",
"workspace-location-inline": "[concat('[resourceGroup().locatio', 'n]')]",
"workspace-name": "[parameters('workspace')]",
"workspaceResourceId": "[[resourceId('microsoft.OperationalInsights/Workspaces', variables('workspace-name'))]"
},
"resources": [
{
"properties": {
"provisioningState": "Succeeded",
"state": "Enabled",
"definition": {
"$schema": "https://schema.management.azure.com/providers/Microsoft.Logic/schemas/2016-06-01/workflowdefinition.json#",
"contentVersion": "1.0.0.0",
"parameters": {
"$connections": {
"type": "Object"
},
"Container Name": {
"type": "string",
"defaultValue": "[[parameters('Container Name')]"
},
"LogAnalyticsResourceGroup": {
"type": "string",
"defaultValue": "[[parameters('LogAnalyticsResourceGroup')]"
},
"LogAnalyticsResourceName": {
"type": "string",
"defaultValue": "[[parameters('LogAnalyticsResourceName')]"
},
"Storage Name": {
"type": "string",
"defaultValue": "[[parameters('Storage Name')]"
}
},
"triggers": {
"Microsoft_Sentinel_incident": {
"type": "ApiConnectionWebhook",
"inputs": {
"body": {
"callback_url": "@{listCallbackUrl()}"
},
"host": {
"connection": {
"name": "@parameters('$connections')['azuresentinel']['connectionId']"
}
},
"path": "/incident-creation"
}
}
},
"actions": {
"For_each": {
"foreach": "@body('Parse_JSON_-_Result_of_Run_query')",
"actions": {
"If_PCAP_ID_Exists": {
"actions": {
"Condition": {
"actions": {
"Add_comment_to_incident_(V3)": {
"runAfter": {
"Create_blob_(V2)": [
"Succeeded"
]
},
"type": "ApiConnection",
"inputs": {
"body": {
"incidentArmId": "@triggerBody()?['object']?['id']",
"message": "<p>@{body('Create_blob_(V2)')?['Path']}</p>"
},
"host": {
"connection": {
"name": "@parameters('$connections')['azuresentinel']['connectionId']"
}
},
"method": "post",
"path": "/Incidents/Comment"
}
},
"Create_blob_(V2)": {
"type": "ApiConnection",
"inputs": {
"body": "\"@{body('Query_Palo_Alto_XML_API')}\"",
"headers": {
"ReadFileMetadataFromServer": true
},
"host": {
"connection": {
"name": "@parameters('$connections')['azureblob']['connectionId']"
}
},
"method": "post",
"path": "/v2/datasets/@{encodeURIComponent(encodeURIComponent(parameters('Storage Name')))}/files",
"queries": {
"folderPath": "/@{parameters('Container Name')}",
"name": "@{concat('paloalto',string(items('For_each')['pcap_id']),string(items('For_each')['time_1']), '.pcap')}",
"queryParametersSingleEncoded": true
}
},
"runtimeConfiguration": {
"contentTransfer": {
"transferMode": "Chunked"
}
}
}
},
"runAfter": {
"Query_Palo_Alto_XML_API": [
"Succeeded"
]
},
"else": {
"actions": {
"Add_comment_to_incident_(V3)_3": {
"type": "ApiConnection",
"inputs": {
"body": {
"incidentArmId": "@triggerBody()?['object']?['id']",
"message": "<p>Playbook execution failed with an error.<br>\nFor more details, please check the playbook run history.</p>"
},
"host": {
"connection": {
"name": "@parameters('$connections')['azuresentinel']['connectionId']"
}
},
"method": "post",
"path": "/Incidents/Comment"
}
}
}
},
"expression": {
"and": [
{
"not": {
"contains": [
"@string(body('Query_Palo_Alto_XML_API'))",
"'status'"
]
}
},
{
"not": {
"contains": [
"@string(body('Query_Palo_Alto_XML_API'))",
"error"
]
}
},
{
"not": {
"contains": [
"@string(body('Query_Palo_Alto_XML_API'))",
"invalid"
]
}
}
]
},
"type": "If"
},
"Query_Palo_Alto_XML_API": {
"type": "ApiConnection",
"inputs": {
"host": {
"connection": {
"name": "@parameters('$connections')['paloaltoconnector']['connectionId']"
}
},
"method": "get",
"path": "/api/",
"queries": {
"category": "threat-pcap",
"device_name": "@items('For_each')['Computer']",
"pcap-id": "@items('For_each')['pcap_id']",
"search-time": "@items('For_each')['event_time']",
"sessionid": "@items('For_each')['sessionid']",
"type": "export"
}
}
}
},
"else": {
"actions": {
"Add_comment_to_incident_(V3)_2": {
"type": "ApiConnection",
"inputs": {
"body": {
"incidentArmId": "@triggerBody()?['object']?['id']",
"message": "<p>Kindly provide the properly mapped fields in the query result :<br>\n<br>\nReference :<br>\n\"TimeGenerated\": \"2023-05-29T11:28:42.6809438Z\",<br>\n\"Computer\": \"trustedwindows\",<br>\n\"pcap_id\": \"2343hjh234\",<br>\n\"sessionid\": \"87yujh67\",<br>\n\"event_time\": \"2023/28/29 11:28:42\"<br>\n</p>"
},
"host": {
"connection": {
"name": "@parameters('$connections')['azuresentinel']['connectionId']"
}
},
"method": "post",
"path": "/Incidents/Comment"
}
}
}
},
"expression": {
"and": [
{
"not": {
"equals": [
"@items('For_each')['pcap_id']",
"@null"
]
}
},
{
"not": {
"equals": [
"@items('For_each')['pcap_id']",
0
]
}
}
]
},
"type": "If"
}
},
"runAfter": {
"Parse_JSON_-_Result_of_Run_query": [
"Succeeded"
]
},
"type": "Foreach"
},
"Parse_JSON_-_Result_of_Run_query": {
"runAfter": {
"Run_query_and_list_results": [
"Succeeded"
]
},
"type": "ParseJson",
"inputs": {
"content": "@body('Run_query_and_list_results')?['value']",
"schema": {
"items": {
"properties": {
"Computer": {
"type": "string"
},
"TimeGenerated": {
"type": "string"
},
"event_time": {
"type": "string"
},
"pcap_id": {
"type": "string"
},
"sessionid": {
"type": "string"
}
},
"required": [
"TimeGenerated",
"Computer",
"pcap_id",
"sessionid",
"event_time"
],
"type": "object"
},
"type": "array"
}
}
},
"Run_query_and_list_results": {
"type": "ApiConnection",
"inputs": {
"body": "@{triggerBody()?['object']?['properties']?['alerts']?[0]?['properties']?['additionalData']?['Query']}\n| limit 10",
"host": {
"connection": {
"name": "@parameters('$connections')['azuremonitorlogs']['connectionId']"
}
},
"method": "post",
"path": "/queryData",
"queries": {
"resourcegroups": "@parameters('LogAnalyticsResourceGroup')",
"resourcename": "@parameters('LogAnalyticsResourceName')",
"resourcetype": "Log Analytics Workspace",
"subscriptions": "f70efef4-6505-4727-acd8-9d0b3bc0b80e",
"timerange": "Set in query"
}
}
}
}
},
"parameters": {
"$connections": {
"value": {
"azureblob": {
"connectionId": "[[resourceId('Microsoft.Web/connections', variables('AzureblobConnectionName'))]",
"connectionName": "[[variables('AzureblobConnectionName')]",
"id": "[[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', variables('workspace-location-inline'), '/managedApis/Azureblob')]"
},
"azuremonitorlogs": {
"connectionId": "[[resourceId('Microsoft.Web/connections', variables('AzuremonitorlogsConnectionName'))]",
"connectionName": "[[variables('AzuremonitorlogsConnectionName')]",
"id": "[[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', variables('workspace-location-inline'), '/managedApis/Azuremonitorlogs')]"
},
"azuresentinel": {
"connectionId": "[[resourceId('Microsoft.Web/connections', variables('MicrosoftSentinelConnectionName'))]",
"connectionName": "[[variables('MicrosoftSentinelConnectionName')]",
"id": "[[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', variables('workspace-location-inline'), '/managedApis/Azuresentinel')]",
"connectionProperties": {
"authentication": {
"type": "ManagedServiceIdentity"
}
}
},
"paloaltoconnector": {
"connectionId": "[[resourceId('Microsoft.Web/connections', variables('PaloaltoconnectorConnectionName'))]",
"connectionName": "[[variables('PaloaltoconnectorConnectionName')]",
"id": "[[concat('/subscriptions/', subscription().subscriptionId, '/resourceGroups/', resourceGroup().name, '/providers/Microsoft.Web/customApis/', parameters('CustomConnectorName'))]"
}
}
}
}
},
"name": "[[parameters('PlaybookName')]",
"type": "Microsoft.Logic/workflows",
"location": "[[variables('workspace-location-inline')]",
"identity": {
"type": "SystemAssigned"
},
"tags": {
"hidden-SentinelTemplateName": "PaloAlto-PAN-OS-GetThreatPcap",
"hidden-SentinelTemplateVersion": "1.0",
"hidden-SentinelWorkspaceId": "[[variables('workspaceResourceId')]"
},
"apiVersion": "2017-07-01",
"dependsOn": [
"[[resourceId('Microsoft.Web/connections', variables('AzureblobConnectionName'))]",
"[[resourceId('Microsoft.Web/connections', variables('AzuremonitorlogsConnectionName'))]",
"[[resourceId('Microsoft.Web/connections', variables('MicrosoftSentinelConnectionName'))]",
"[[resourceId('Microsoft.Web/connections', variables('PaloaltoconnectorConnectionName'))]"
]
},
{
"type": "Microsoft.Web/connections",
"apiVersion": "2016-06-01",
"name": "[[variables('AzureblobConnectionName')]",
"location": "[[variables('workspace-location-inline')]",
"kind": "V1",
"properties": {
"displayName": "[[variables('AzureblobConnectionName')]",
"api": {
"id": "[[variables('_connection-2')]"
}
}
},
{
"type": "Microsoft.Web/connections",
"apiVersion": "2016-06-01",
"name": "[[variables('AzuremonitorlogsConnectionName')]",
"location": "[[variables('workspace-location-inline')]",
"kind": "V1",
"properties": {
"displayName": "[[variables('AzuremonitorlogsConnectionName')]",
"api": {
"id": "[[variables('_connection-3')]"
}
}
},
{
"type": "Microsoft.Web/connections",
"apiVersion": "2016-06-01",
"name": "[[variables('MicrosoftSentinelConnectionName')]",
"location": "[[variables('workspace-location-inline')]",
"kind": "V1",
"properties": {
"displayName": "[[variables('MicrosoftSentinelConnectionName')]",
"parameterValueType": "Alternative",
"api": {
"id": "[[variables('_connection-4')]"
}
}
},
{
"type": "Microsoft.Web/connections",
"apiVersion": "2016-06-01",
"name": "[[variables('PaloaltoconnectorConnectionName')]",
"location": "[[variables('workspace-location-inline')]",
"kind": "V1",
"properties": {
"displayName": "[[variables('PaloaltoconnectorConnectionName')]",
"api": {
"id": "[[variables('_connection-5')]"
}
}
},
{
"type": "Microsoft.OperationalInsights/workspaces/providers/metadata",
"apiVersion": "2022-01-01-preview",
"name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('Playbook-', last(split(variables('playbookId4'),'/'))))]",
"properties": {
"parentId": "[variables('playbookId4')]",
"contentId": "[variables('_playbookContentId4')]",
"kind": "Playbook",
"version": "[variables('playbookVersion4')]",
"source": {
"kind": "Solution",
"name": "PaloAlto-PAN-OS",
"sourceId": "[variables('_solutionId')]"
},
"author": {
"name": "Microsoft",
"email": "[variables('_email')]"
},
"support": {
"name": "Microsoft Corporation",
"email": "support@microsoft.com",
"tier": "Microsoft",
"link": "https://support.microsoft.com"
},
"dependencies": {
"criteria": [
{
"kind": "LogicAppsCustomConnector",
"contentId": "[variables('_PaloAlto_PAN-OS_XML_API_CustomConnector')]",
"version": "[variables('playbookVersion2')]"
}
]
}
}
}
],
"metadata": {
"title": "Get Threat PCAP - Palo Alto PAN-OS XML API",
"description": "This playbook allows us to get a threat PCAP for a given PCAP ID.",
"prerequisites": [
"1. PaloAlto connector needs to be deployed prior to the deployment of this playbook under the same subscription. Relevant instructions can be found in the connector doc page. \n\n 2. Generate an API key.[Refer this link on how to generate the API Key](https://docs.paloaltonetworks.com/pan-os/9-1/pan-os-panorama-api/get-started-with-the-pan-os-xml-api/get-your-api-key) \n\n 3. This playbook only works for Palo Alto incidents with a threat PCAP where the PCAP ID is not null or zero."
],
"lastUpdateTime": "2022-07-25T00:00:00Z",
"entities": [
"host"
],
"tags": [
"Enrichment",
"Response from teams"
],
"postDeployment": [
"** a. Authorize connections ** Once deployment is complete, you will need to authorize each connection. \n\n 1. Click the Microsoft Sentinel connection resource \n\n 2. Click edit API connection \n\n 3. Click Authorize \n\n 4. Sign in \n\n 5. Click Save \n\n 6. Repeat these steps for the other connections, such as the Blob Store connection and the PAN-OS API connection (for authorizing the PAN-OS API connection, the API Key needs to be provided) \n\n ** b. Configurations in Sentinel ** 1. In Microsoft Sentinel, analytics rules should be configured to trigger an incident with a risky IP \n\n 2. Configure the automation rules to trigger this playbook"
],
"releaseNotes": {
"version": "1.0",
"title": "[variables('blanks')]",
"notes": [
"Initial version"
]
}
}
},
"packageKind": "Solution",
"packageVersion": "[variables('_solutionVersion')]",
"packageName": "[variables('_solutionName')]",
"packageId": "[variables('_solutionId')]",
"contentSchemaVersion": "3.0.0",
"contentId": "[variables('_playbookContentId4')]",
"contentKind": "Playbook",
"displayName": "PaloAlto-PAN-OS-GetThreatPcap",
"contentProductId": "[variables('_playbookcontentProductId4')]",
"id": "[variables('_playbookcontentProductId4')]",
"version": "[variables('playbookVersion4')]"
}
},
{
"type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates",
"apiVersion": "2023-04-01-preview",
"name": "[variables('playbookTemplateSpecName5')]",
"location": "[parameters('workspace-location')]",
"dependsOn": [
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
"description": "PaloAlto-PAN-OS-GetURLCategoryInfo Playbook with template version 3.0.1",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('playbookVersion5')]",
"parameters": {
"PlaybookName": {
"defaultValue": "PaloAlto-PAN-OS-GetURLCategoryInfo",
"type": "string"
},
"CustomConnectorName": {
"defaultValue": "PAN-OSRestApiCustomConnector",
"type": "string",
"metadata": {
"description": "Name of the custom connector. If you change the default name, make sure to use the same name in all PaloAlto automation playbooks as well"
}
}
},
"variables": {
"PAN-OsrestapicustomconnectorConnectionName": "[[concat('PAN-Osrestapicustomconnector-', parameters('PlaybookName'))]",
"MicrosoftSentinelConnectionName": "[[concat('MicrosoftSentinel-', parameters('PlaybookName'))]",
"connection-2": "[[concat('/subscriptions/', subscription().subscriptionId, '/resourceGroups/', resourceGroup().name, '/providers/Microsoft.Web/customApis/', parameters('CustomConnectorName'))]",
"_connection-2": "[[variables('connection-2')]",
"connection-3": "[[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', variables('workspace-location-inline'), '/managedApis/Azuresentinel')]",
"_connection-3": "[[variables('connection-3')]",
"workspace-location-inline": "[concat('[resourceGroup().locatio', 'n]')]",
"workspace-name": "[parameters('workspace')]",
"workspaceResourceId": "[[resourceId('microsoft.OperationalInsights/Workspaces', variables('workspace-name'))]"
},
"resources": [
{
"properties": {
"provisioningState": "Succeeded",
"state": "Enabled",
"definition": {
"$schema": "https://schema.management.azure.com/providers/Microsoft.Logic/schemas/2016-06-01/workflowdefinition.json#",
"contentVersion": "1.0.0.0",
"parameters": {
"$connections": {
"type": "Object"
}
},
"triggers": {
"When_Azure_Sentinel_incident_creation_rule_was_triggered_(Private_Preview_only)": {
"type": "ApiConnectionWebhook",
"inputs": {
"body": {
"callback_url": "@{listCallbackUrl()}"
},
"host": {
"connection": {
"name": "@parameters('$connections')['azuresentinel']['connectionId']"
}
},
"path": "/incident-creation"
}
}
},
"actions": {
"Add_comment_to_incident_(V3)_2": {
"runAfter": {
"Create_HTML_table_of_matched_custom_URL_category": [
"Succeeded"
]
},
"type": "ApiConnection",
"inputs": {
"body": {
"incidentArmId": "@triggerBody()?['object']?['id']",
"message": "<p>@{body('Create_HTML_table_of_matched_custom_URL_category')}<br>\n<br>\n@{body('Create_HTML_table_of_matched_address_objects')}<br>\n<br>\n<br>\n<br>\n</p>"
},
"host": {
"connection": {
"name": "@parameters('$connections')['azuresentinel']['connectionId']"
}
},
"method": "post",
"path": "/Incidents/Comment"
}
},
"Create_HTML_table_of_matched_address_objects": {
"runAfter": {
"For_each_-_collecting_urls_from_custom_URL_category": [
"Succeeded"
]
},
"type": "Table",
"inputs": {
"format": "HTML",
"from": "@variables('result')"
}
},
"Create_HTML_table_of_matched_custom_URL_category": {
"runAfter": {
"Create_HTML_table_of_matched_address_objects": [
"Succeeded"
]
},
"type": "Table",
"inputs": {
"format": "HTML",
"from": "@variables('result1')"
}
},
"Entities_-_Get_URLs": {
"type": "ApiConnection",
"inputs": {
"body": "@triggerBody()?['object']?['properties']?['relatedEntities']",
"host": {
"connection": {
"name": "@parameters('$connections')['azuresentinel']['connectionId']"
}
},
"method": "post",
"path": "/entities/url"
}
},
"For_each_-_collecting_URL_from_address_objects": {
"foreach": "@body('List_address_objects')?['result']?['entry']",
"actions": {
"Condition_-_to_filter_fqdn_only": {
"actions": {
"For_each": {
"foreach": "@body('Entities_-_Get_URLs')?['URLs']",
"actions": {
"Condition": {
"actions": {
"Append_to_array_variable": {
"type": "AppendToArrayVariable",
"inputs": {
"name": "result",
"value": "@items('For_each_-_collecting_URL_from_address_objects')"
}
}
},
"expression": {
"and": [
{
"equals": [
"@items('For_each_-_collecting_URL_from_address_objects')?['fqdn']",
"@items('For_each')?['Url']"
]
}
]
},
"type": "If"
}
},
"type": "Foreach"
}
},
"expression": {
"and": [
{
"contains": [
"@items('For_each_-_collecting_URL_from_address_objects')",
"fqdn"
]
}
]
},
"type": "If"
}
},
"runAfter": {
"List_custom_url_categories": [
"Succeeded"
]
},
"type": "Foreach"
},
"For_each_-_collecting_urls_from_custom_URL_category": {
"foreach": "@body('List_custom_url_categories')?['result']?['entry']",
"actions": {
"For_each_2": {
"foreach": "@body('Entities_-_Get_URLs')?['URLs']",
"actions": {
"Condition_2": {
"actions": {
"Append_to_array_variable_2": {
"type": "AppendToArrayVariable",
"inputs": {
"name": "result1",
"value": "@items('For_each_-_collecting_urls_from_custom_URL_category')"
}
}
},
"expression": {
"and": [
{
"contains": [
"@items('For_each_-_collecting_urls_from_custom_URL_category')?['list']?['member']",
"@items('For_each_2')?['Url']"
]
}
]
},
"type": "If"
}
},
"type": "Foreach"
}
},
"runAfter": {
"For_each_-_collecting_URL_from_address_objects": [
"Succeeded"
]
},
"type": "Foreach"
},
"List_address_objects": {
"runAfter": {
"Variable_for_storing_results_2": [
"Succeeded"
]
},
"type": "ApiConnection",
"inputs": {
"host": {
"connection": {
"name": "@parameters('$connections')['PAN-OSRestApiCustomConnector']['connectionId']"
}
},
"method": "get",
"path": "/restapi/v10.0/Objects/Addresses",
"queries": {
"location": "vsys",
"vsys": "vsys1"
}
},
"description": "This lists all the address objects present in PAN-OS"
},
"List_custom_url_categories": {
"runAfter": {
"List_address_objects": [
"Succeeded"
]
},
"type": "ApiConnection",
"inputs": {
"host": {
"connection": {
"name": "@parameters('$connections')['PAN-OSRestApiCustomConnector']['connectionId']"
}
},
"method": "get",
"path": "/restapi/v10.0/Objects/CustomURLCategories",
"queries": {
"location": "vsys",
"vsys": "vsys1"
}
}
},
"Variable_for_storing_results": {
"runAfter": {
"Entities_-_Get_URLs": [
"Succeeded"
]
},
"type": "InitializeVariable",
"inputs": {
"variables": [
{
"name": "result",
"type": "array"
}
]
}
},
"Variable_for_storing_results_2": {
"runAfter": {
"Variable_for_storing_results": [
"Succeeded"
]
},
"type": "InitializeVariable",
"inputs": {
"variables": [
{
"name": "result1",
"type": "array"
}
]
}
}
}
},
"parameters": {
"$connections": {
"value": {
"PAN-OSRestApiCustomConnector": {
"connectionId": "[[resourceId('Microsoft.Web/connections', variables('PAN-OsrestapicustomconnectorConnectionName'))]",
"connectionName": "[[variables('PAN-OsrestapicustomconnectorConnectionName')]",
"id": "[[concat('/subscriptions/', subscription().subscriptionId, '/resourceGroups/', resourceGroup().name, '/providers/Microsoft.Web/customApis/', parameters('CustomConnectorName'))]"
},
"azuresentinel": {
"connectionId": "[[resourceId('Microsoft.Web/connections', variables('MicrosoftSentinelConnectionName'))]",
"connectionName": "[[variables('MicrosoftSentinelConnectionName')]",
"id": "[[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', variables('workspace-location-inline'), '/managedApis/Azuresentinel')]",
"connectionProperties": {
"authentication": {
"type": "ManagedServiceIdentity"
}
}
}
}
}
}
},
"name": "[[parameters('PlaybookName')]",
"type": "Microsoft.Logic/workflows",
"location": "[[variables('workspace-location-inline')]",
"tags": {
"hidden-SentinelTemplateName": "PaloAlto-PAN-OS-GetURLCategoryInfo",
"hidden-SentinelTemplateVersion": "1.0",
"hidden-SentinelWorkspaceId": "[[variables('workspaceResourceId')]"
},
"identity": {
"type": "SystemAssigned"
},
"apiVersion": "2017-07-01",
"dependsOn": [
"[[resourceId('Microsoft.Web/connections', variables('PAN-OsrestapicustomconnectorConnectionName'))]",
"[[resourceId('Microsoft.Web/connections', variables('MicrosoftSentinelConnectionName'))]"
]
},
{
"type": "Microsoft.Web/connections",
"apiVersion": "2016-06-01",
"name": "[[variables('PAN-OsrestapicustomconnectorConnectionName')]",
"location": "[[variables('workspace-location-inline')]",
"kind": "V1",
"properties": {
"displayName": "[[variables('PAN-OsrestapicustomconnectorConnectionName')]",
"api": {
"id": "[[variables('_connection-2')]"
}
}
},
{
"type": "Microsoft.Web/connections",
"apiVersion": "2016-06-01",
"name": "[[variables('MicrosoftSentinelConnectionName')]",
"location": "[[variables('workspace-location-inline')]",
"kind": "V1",
"properties": {
"displayName": "[[variables('MicrosoftSentinelConnectionName')]",
"parameterValueType": "Alternative",
"api": {
"id": "[[variables('_connection-3')]"
}
}
},
{
"type": "Microsoft.OperationalInsights/workspaces/providers/metadata",
"apiVersion": "2022-01-01-preview",
"name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('Playbook-', last(split(variables('playbookId5'),'/'))))]",
"properties": {
"parentId": "[variables('playbookId5')]",
"contentId": "[variables('_playbookContentId5')]",
"kind": "Playbook",
"version": "[variables('playbookVersion5')]",
"source": {
"kind": "Solution",
"name": "PaloAlto-PAN-OS",
"sourceId": "[variables('_solutionId')]"
},
"author": {
"name": "Microsoft",
"email": "[variables('_email')]"
},
"support": {
"name": "Microsoft Corporation",
"email": "support@microsoft.com",
"tier": "Microsoft",
"link": "https://support.microsoft.com"
},
"dependencies": {
"criteria": [
{
"kind": "LogicAppsCustomConnector",
"contentId": "[variables('_PaloAlto_PAN-OS_Rest_API_CustomConnector')]",
"version": "[variables('playbookVersion1')]"
}
]
}
}
}
],
"metadata": {
"comments": "This playbook uses the PaloAlto connector to automatically enrich incidents generated by Sentinel for address object details and URL filtering category information from PAN-OS",
"title": "PaloAlto-PAN-OS-GetURLCategoryInfo",
"description": "When a new Sentinel incident is created, this playbook is triggered and performs the following actions:",
"prerequisites": [
"1. PAN-OS Custom Connector needs to be deployed prior to the deployment of this playbook under the same subscription. \n\n 2. Generate an API key. [Refer this link on how to generate the API Key](https://docs.paloaltonetworks.com/pan-os/9-1/pan-os-panorama-api/get-started-with-the-pan-os-xml-api/get-your-api-key)"
],
"lastUpdateTime": "2023-05-30T00:00:00Z",
"entities": [
"url"
],
"tags": [
"Enrichment",
"PaloAlto",
"Pan-os"
],
"postDeployment": [
"** a. Authorize connections ** Once deployment is complete, you will need to authorize each connection. \n\n 1. Click the Microsoft Sentinel connection resource \n\n 2. Click edit API connection \n\n 3. Click Authorize \n\n 4. Sign in \n\n 5. Click Save \n\n 6. Repeat these steps for the PAN-OS API connection (for authorizing the PAN-OS API connection, the API Key needs to be provided) \n\n ** b. Configurations in Sentinel ** 1. In Microsoft Sentinel, analytics rules should be configured to trigger an incident with a risky user account \n\n 2. Configure the automation rules to trigger this playbook"
],
"releaseNotes": {
"version": "1.0",
"title": "[variables('blanks')]",
"notes": [
"Initial version"
]
}
}
},
"packageKind": "Solution",
"packageVersion": "[variables('_solutionVersion')]",
"packageName": "[variables('_solutionName')]",
"packageId": "[variables('_solutionId')]",
"contentSchemaVersion": "3.0.0",
"contentId": "[variables('_playbookContentId5')]",
"contentKind": "Playbook",
"displayName": "PaloAlto-PAN-OS-GetURLCategoryInfo",
"contentProductId": "[variables('_playbookcontentProductId5')]",
"id": "[variables('_playbookcontentProductId5')]",
"version": "[variables('playbookVersion5')]"
}
},
{
"type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates",
"apiVersion": "2023-04-01-preview",
"name": "[variables('playbookTemplateSpecName6')]",
"location": "[parameters('workspace-location')]",
"dependsOn": [
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
"description": "PaloAlto-PAN-OS-BlockIP Playbook with template version 3.0.1",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('playbookVersion6')]",
"parameters": {
"PlaybookName": {
"defaultValue": "PaloAlto-PAN-OS-BlockIP",
"type": "string"
},
"CustomConnectorName": {
"defaultValue": "PAN-OSRestApiCustomConnector",
"type": "string",
"metadata": {
"description": "Name of the custom connector. If you change the default name, make sure to use the same name in all PaloAlto automation playbooks as well"
}
},
"Address Group": {
"type": "string",
"metadata": {
"description": "Enter value for Address Group"
}
},
"Teams Group Id": {
"type": "string",
"metadata": {
"description": "Enter value for Teams Group Id"
}
},
"Teams channel Id": {
"type": "string",
"metadata": {
"description": "Enter value for Teams channel Id"
}
}
},
"variables": {
"PaloaltoconnectorConnectionName": "[[concat('Paloaltoconnector-', parameters('PlaybookName'))]",
"MicrosoftSentinelConnectionName": "[[concat('MicrosoftSentinel-', parameters('PlaybookName'))]",
"TeamsConnectionName": "[[concat('Teams-', parameters('PlaybookName'))]",
"connection-2": "[[concat('/subscriptions/', subscription().subscriptionId, '/resourceGroups/', resourceGroup().name, '/providers/Microsoft.Web/customApis/', parameters('CustomConnectorName'))]",
"_connection-2": "[[variables('connection-2')]",
"connection-3": "[[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', variables('workspace-location-inline'), '/managedApis/Azuresentinel')]",
"_connection-3": "[[variables('connection-3')]",
"connection-4": "[[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', variables('workspace-location-inline'), '/managedApis/Teams')]",
"_connection-4": "[[variables('connection-4')]",
"workspace-location-inline": "[concat('[resourceGroup().locatio', 'n]')]",
"workspace-name": "[parameters('workspace')]",
"workspaceResourceId": "[[resourceId('microsoft.OperationalInsights/Workspaces', variables('workspace-name'))]"
},
"resources": [
{
"properties": {
"provisioningState": "Succeeded",
"state": "Enabled",
"definition": {
"$schema": "https://schema.management.azure.com/providers/Microsoft.Logic/schemas/2016-06-01/workflowdefinition.json#",
"contentVersion": "1.0.0.0",
"parameters": {
"$connections": {
"type": "Object"
},
"Address Group": {
"type": "string",
"defaultValue": "[[parameters('Address Group')]"
},
"Teams Group Id": {
"type": "string",
"defaultValue": "[[parameters('Teams Group Id')]"
},
"Teams channel Id": {
"type": "string",
"defaultValue": "[[parameters('Teams channel Id')]"
}
},
"triggers": {
"When_Azure_Sentinel_incident_creation_rule_was_triggered_(Private_Preview_only)": {
"type": "ApiConnectionWebhook",
"inputs": {
"body": {
"callback_url": "@{listCallbackUrl()}"
},
"host": {
"connection": {
"name": "@parameters('$connections')['azuresentinel']['connectionId']"
}
},
"path": "/incident-creation"
}
}
},
"actions": {
"Compose_product_name": {
"runAfter": {
"Select_alert_product_names": [
"Succeeded"
]
},
"type": "Compose",
"inputs": "@body('Select_alert_product_names')?[0]?['text']",
"description": "compose to select the incident alert product name"
},
"Condition_based_on_the_incident_configuration_from_adaptive_card": {
"actions": {
"Add_comment_to_incident_(V3)": {
"type": "ApiConnection",
"inputs": {
"body": {
"incidentArmId": "@triggerBody()?['object']?['id']",
"message": "<p>PAN-OS Playbook ran and performed the following actions:<br>\n@{variables('IPAddressAction')}<br>\n<br>\n<br>\n<br>\nActions taken on Sentinel : Add comment to incident and closure with classification reason &nbsp;@{body('Post_an_Adaptive_Card_to_a_Teams_channel_and_wait_for_a_response')['data']['incidentStatus']}</p>"
},
"host": {
"connection": {
"name": "@parameters('$connections')['azuresentinel']['connectionId']"
}
},
"method": "post",
"path": "/Incidents/Comment"
}
},
"Update_incident": {
"runAfter": {
"Add_comment_to_incident_(V3)": [
"Succeeded"
]
},
"type": "ApiConnection",
"inputs": {
"body": {
"classification": {
"ClassificationAndReason": "@{body('Post_an_Adaptive_Card_to_a_Teams_channel_and_wait_for_a_response')['data']['incidentStatus']}"
},
"incidentArmId": "@triggerBody()?['object']?['id']",
"severity": "@{body('Post_an_Adaptive_Card_to_a_Teams_channel_and_wait_for_a_response')['data']['incidentSeverity']}",
"status": "Closed"
},
"host": {
"connection": {
"name": "@parameters('$connections')['azuresentinel']['connectionId']"
}
},
"method": "put",
"path": "/Incidents"
}
}
},
"runAfter": {
"Post_an_Adaptive_Card_to_a_Teams_channel_and_wait_for_a_response": [
"Succeeded"
]
},
"expression": {
"and": [
{
"equals": [
"@body('Post_an_Adaptive_Card_to_a_Teams_channel_and_wait_for_a_response')['submitActionId']",
"Change incident configuration"
]
}
]
},
"type": "If",
"description": "This decides the action taken on the summarized adaptive card"
},
"Entities_-_Get_IPs": {
"type": "ApiConnection",
"inputs": {
"body": "@triggerBody()?['object']?['properties']?['relatedEntities']",
"host": {
"connection": {
"name": "@parameters('$connections')['azuresentinel']['connectionId']"
}
},
"method": "post",
"path": "/entities/ip"
}
},
"For_each_malicious_IP": {
"foreach": "@body('Entities_-_Get_IPs')?['IPs']",
"actions": {
"Condition_based_on_user_inputs_from_the_adaptive_card": {
"actions": {
"Condition__to_check_if_user_chosen_Block_IP": {
"actions": {
"Create_an_address_object": {
"type": "ApiConnection",
"inputs": {
"body": {
"entry": {
"@@name": "@items('For_each_malicious_IP')?['Address']",
"description": "@items('For_each_malicious_IP')?['Address']",
"ip-netmask": "@items('For_each_malicious_IP')?['Address']"
}
},
"host": {
"connection": {
"name": "@parameters('$connections')['PaloAltoConnector']['connectionId']"
}
},
"method": "post",
"path": "/restapi/v10.0/Objects/Addresses",
"queries": {
"address type": "ip-netmask",
"location": "vsys",
"name": "@items('For_each_malicious_IP')?['Address']",
"vsys": "vsys1"
}
},
"description": "This creates a new address object for the malicious IP"
}
},
"expression": {
"and": [
{
"equals": [
"@body('Post_an_Adaptive_Card_to_a_Teams_channel_and_wait_for_a_response_3')['submitActionId']",
"Block IP ( add to @{outputs('Configured_address_group')} address group )"
]
},
{
"equals": [
"@length(body('Filter_array_of_Ip_address_from_list_of_address_objects'))",
0
]
}
]
},
"type": "If",
"description": "This checks whether the user chose Block IP"
},
"Condition_to_check_the_edit_an_address_object_group_status": {
"actions": {
"Condition_to_check_the_action_of_adaptive_card_to_set_the_action_summary": {
"actions": {
"Append_success_status_Blocked_IP_status_to_summary_card": {
"type": "AppendToArrayVariable",
"inputs": {
"name": "IPAddressAction",
"value": "IP Address : @{items('For_each_malicious_IP')?['Address']} , Action Taken : Blocked by \n adding to @{outputs('Configured_address_group')} , Status : Success"
},
"description": "append action taken to summarize on the adaptive card"
}
},
"else": {
"actions": {
"Append_success_status_UnBlocked_IP_status_to_summary_card": {
"type": "AppendToArrayVariable",
"inputs": {
"name": "IPAddressAction",
"value": "IP Address : @{items('For_each_malicious_IP')?['Address']} , Action Taken : UnBlocked by \n removing from @{outputs('Configured_address_group')} , Status : Success"
},
"description": "append action taken to summarize on the adaptive card"
}
}
},
"expression": {
"and": [
{
"equals": [
"@body('Post_an_Adaptive_Card_to_a_Teams_channel_and_wait_for_a_response_3')['submitActionId']",
"Block IP ( add to @{outputs('Configured_address_group')} address group )"
]
}
]
},
"type": "If"
}
},
"runAfter": {
"Update_an_address_object_group": [
"Succeeded"
]
},
"else": {
"actions": {
"Append_failure_status_to_summary_card": {
"type": "AppendToArrayVariable",
"inputs": {
"name": "IPAddressAction",
"value": "IP Address : @{items('For_each_malicious_IP')?['Address']} , Action Taken : @{body('Post_an_Adaptive_Card_to_a_Teams_channel_and_wait_for_a_response_3')['submitActionId']} , Status : Failure"
},
"description": "append action taken to summarize on the adaptive card"
}
}
},
"expression": {
"and": [
{
"equals": [
"@body('Update_an_address_object_group')?['@status']",
"success"
]
}
]
},
"type": "If"
},
"Update_an_address_object_group": {
"runAfter": {
"Condition__to_check_if_user_chosen_Block_IP": [
"Succeeded"
]
},
"type": "ApiConnection",
"inputs": {
"body": {
"entry": [
{
"@@name": "@parameters('Address Group')",
"static": {
"member": "@{variables('AddressGroupMembers')}"
}
}
]
},
"host": {
"connection": {
"name": "@parameters('$connections')['PaloAltoConnector']['connectionId']"
}
},
"method": "put",
"path": "/restapi/v10.0/Objects/AddressGroups",
"queries": {
"location": "vsys",
"name": "@parameters('Address Group')",
"vsys": "vsys1"
}
}
}
},
"runAfter": {
"Post_an_Adaptive_Card_to_a_Teams_channel_and_wait_for_a_response_3": [
"Succeeded"
]
},
"else": {
"actions": {
"Append_to_array_variable_Ip_address_action_chosen": {
"type": "AppendToArrayVariable",
"inputs": {
"name": "IPAddressAction",
"value": "IP Address : @{items('For_each_malicious_IP')?['Address']} , Action Taken : @{body('Post_an_Adaptive_Card_to_a_Teams_channel_and_wait_for_a_response_3')['submitActionId']} , Status : Success "
},
"description": "This appends the action taken on IP to the list of existing actions"
}
}
},
"expression": {
"and": [
{
"not": {
"equals": [
"@body('Post_an_Adaptive_Card_to_a_Teams_channel_and_wait_for_a_response_3')['submitActionId']",
"Ignore"
]
}
}
]
},
"type": "If",
"description": "condition to check whether the submit action is Block IP / UnBlock IP or Ignore"
},
"Condition_to_check_if_Ip_address_already_present_in_list_of_address_objects": {
"actions": {
"Condition_to_check_if_Ip_already_present_in_predefined_address_group": {
"actions": {
"Append_address_group_text": {
"type": "AppendToArrayVariable",
"inputs": {
"name": "AdaptiveCardBody",
"value": {
"text": "The IP @{items('For_each_malicious_IP')?['Address']} is already a member of the blocked address group @{outputs('Configured_address_group')}",
"type": "TextBlock",
"wrap": true
}
},
"description": "append address group text to adaptive card dynamically"
},
"Filter_array_IP_address_from_the_list_of_address_objects_to_unreference": {
"runAfter": {
"Set_dynamic_action_name": [
"Succeeded"
]
},
"type": "Query",
"inputs": {
"from": "@variables('AddressGroupMembers')",
"where": "@not(equals(item(), items('For_each_malicious_IP')?['Address']))"
},
"description": "This filters the IP address from predefined address group to unreference/unblock IP"
},
"Set_dynamic_action_name": {
"runAfter": {
"Append_address_group_text": [
"Succeeded"
]
},
"type": "SetVariable",
"inputs": {
"name": "ActionName",
"value": "UnBlock IP"
},
"description": "variable to set action name dynamically"
},
"unreference_IP_address_from_the_existing_group_members": {
"runAfter": {
"Filter_array_IP_address_from_the_list_of_address_objects_to_unreference": [
"Succeeded"
]
},
"type": "SetVariable",
"inputs": {
"name": "AddressGroupMembers",
"value": "@body('Filter_array_IP_address_from_the_list_of_address_objects_to_unreference')"
},
"description": "unreference IP address from the group members and update"
}
},
"else": {
"actions": {
"Append_IP_address_to_the_address_group_members": {
"runAfter": {
"Append_address_group_text_to_adaptive_card_body": [
"Succeeded"
]
},
"type": "AppendToArrayVariable",
"inputs": {
"name": "AddressGroupMembers",
"value": "@items('For_each_malicious_IP')?['Address']"
},
"description": "append IP address to the address group members"
},
"Append_address_group_text_to_adaptive_card_body": {
"type": "AppendToArrayVariable",
"inputs": {
"name": "AdaptiveCardBody",
"value": {
"text": "The IP @{items('For_each_malicious_IP')?['Address']} is not a member of the blocked address group @{outputs('Configured_address_group')}",
"type": "TextBlock",
"wrap": true
}
},
"description": "append address group text to adaptive card dynamically"
},
"Set_dynamic_action_name_to_variable_Action_name": {
"runAfter": {
"Append_IP_address_to_the_address_group_members": [
"Succeeded"
]
},
"type": "SetVariable",
"inputs": {
"name": "ActionName",
"value": "Block IP"
},
"description": "set action name dynamically"
}
}
},
"expression": {
"and": [
{
"contains": [
"@variables('AddressGroupMembers')",
"@items('For_each_malicious_IP')?['Address']"
]
}
]
},
"type": "If",
"description": "condition to check the malicious IP address is present in the predefined address group and the IP is part of static member"
}
},
"runAfter": {
"Condition_to_check_if_the_IP_is_a_part_of_security_policy_rules": [
"Succeeded"
]
},
"else": {
"actions": {
"Append_IP_to_array_of_address_group_members": {
"runAfter": {
"Append_to_array_variable_text_if_IP_is_not_a_member_of_blocked_address_group": [
"Succeeded"
]
},
"type": "AppendToArrayVariable",
"inputs": {
"name": "AddressGroupMembers",
"value": "@items('For_each_malicious_IP')?['Address']"
},
"description": "append the Malicious IP address to the existing group members to block / unblock from the predefined address group"
},
"Append_to_array_variable_text_if_IP_is_not_a_member_of_blocked_address_group": {
"type": "AppendToArrayVariable",
"inputs": {
"name": "AdaptiveCardBody",
"value": {
"text": "The IP @{items('For_each_malicious_IP')?['Address']} is not a member of the blocked address group @{outputs('Configured_address_group')}",
"type": "TextBlock",
"wrap": true
}
},
"description": "This appends the text to display if the IP is not a member of any existing address object (and therefore not a member of the blocked address group)"
},
"Set_variable_to_Block_Ip": {
"runAfter": {
"Append_IP_to_array_of_address_group_members": [
"Succeeded"
]
},
"type": "SetVariable",
"inputs": {
"name": "ActionName",
"value": "Block IP"
},
"description": "This sets the variable block IP"
}
}
},
"expression": {
"and": [
{
"greater": [
"@length(body('Filter_array_of_Ip_address_from_list_of_address_objects'))",
0
]
}
]
},
"type": "If",
"description": "This checks if Ip is a member of any of the list of address objects"
},
"Condition_to_check_if_the_IP_is_a_part_of_security_policy_rules": {
"actions": {
"Append_policy_text": {
"type": "AppendToArrayVariable",
"inputs": {
"name": "AdaptiveCardBody",
"value": {
"text": "It is also a member of the following security policy rules",
"type": "TextBlock"
}
},
"description": "dynamic policy text based on security policies"
},
"Append_security_policies": {
"runAfter": {
"Append_policy_text": [
"Succeeded"
]
},
"type": "AppendToArrayVariable",
"inputs": {
"name": "AdaptiveCardBody",
"value": {
"columns": [
{
"items": "@body('Select_security_policy_rules')",
"type": "Column"
}
],
"type": "ColumnSet"
}
},
"description": "append the security policy rules in which the IP address exists"
}
},
"runAfter": {
"Select_security_policy_rules": [
"Succeeded"
]
},
"else": {
"actions": {
"Append_policy_text_to_adaptive_card_body_variable": {
"type": "AppendToArrayVariable",
"inputs": {
"name": "AdaptiveCardBody",
"value": {
"text": "It is not a member of any other Policy Rules",
"type": "TextBlock"
}
},
"description": "dynamic policy text based on security policies"
},
"Append_security_policies_to_adaptive_card_body_variable": {
"runAfter": {
"Append_policy_text_to_adaptive_card_body_variable": [
"Succeeded"
]
},
"type": "AppendToArrayVariable",
"inputs": {
"name": "AdaptiveCardBody",
"value": "[variables('TemplateEmptyObject')]"
},
"description": "append an empty placeholder object, since the IP address does not exist in any security policy rule"
}
}
},
"expression": {
"and": [
{
"greater": [
"@length(body('Select_security_policy_rules'))",
0
]
}
]
},
"type": "If",
"description": "condition to check if the IP address is present in the existing security policy rules to conditionally apply the policy text and security policy rules"
},
"Configured_address_group": {
"runAfter": {
"Set_variable_address_group_members": [
"Succeeded"
]
},
"type": "Compose",
"inputs": "@body('List_address_groups')?['result']?['entry']?[0]?['@name']",
"description": "compose predefined address group"
},
"Filter_array_Ip_from_list_of_security_rules": {
"runAfter": {
"Configured_address_group": [
"Succeeded"
]
},
"type": "Query",
"inputs": {
"from": "@body('List_security_rules')?['result']?['entry']",
"where": "@contains(item()?['source']?['member'], items('For_each_malicious_IP')?['Address'])"
},
"description": "This filters the security rules whose source member list contains this IP. The match is against source member names, so it only finds rules where the address object is named by the IP itself; rules referencing the IP through a differently named object or a group are not detected."
},
"Filter_array_of_Ip_address_from_list_of_address_objects": {
"runAfter": {
"Set_variable_adaptive_card_body": [
"Succeeded"
]
},
"type": "Query",
"inputs": {
"from": "@body('List_address_objects')?['result']?['entry']",
"where": "@equals(item()?['ip-netmask'], items('For_each_malicious_IP')?['Address'])"
},
"description": "This filters the list of address objects in which this Ip is a member "
},
"List_address_groups": {
"runAfter": {
"Filter_array_of_Ip_address_from_list_of_address_objects": [
"Succeeded"
]
},
"type": "ApiConnection",
"inputs": {
"host": {
"connection": {
"name": "@parameters('$connections')['PaloAltoConnector']['connectionId']"
}
},
"method": "get",
"path": "/restapi/v10.0/Objects/AddressGroups",
"queries": {
"location": "vsys",
"name": "@parameters('Address Group')",
"vsys": "vsys1"
}
},
"description": "This gets the configured address group (filtered by the 'Address Group' parameter) from vsys1 of the PAN-OS; it does not return the complete list of address groups"
},
"Post_an_Adaptive_Card_to_a_Teams_channel_and_wait_for_a_response_3": {
"runAfter": {
"Condition_to_check_if_Ip_address_already_present_in_list_of_address_objects": [
"Succeeded"
]
},
"type": "ApiConnectionWebhook",
"inputs": {
"body": {
"body": {
"messageBody": "{\n \"type\": \"AdaptiveCard\",\n \"body\":@{variables('AdaptiveCardBody')} ,\n \"actions\": [\n {\n \"title\": \"@{variables('ActionName')} ( add to @{outputs('Configured_address_group')} address group )\",\n \"type\": \"Action.Submit\"\n },\n {\n \"title\": \"Ignore\",\n \"type\": \"Action.Submit\"\n }\n],\n \"$schema\": \"http://adaptivecards.io/schemas/adaptive-card.json\",\n \"version\": \"1.2\"\n}",
"recipient": {
"channelId": "@parameters('Teams channel Id')"
},
"shouldUpdateCard": true
},
"notificationUrl": "@{listCallbackUrl()}"
},
"host": {
"connection": {
"name": "@parameters('$connections')['teams']['connectionId']"
}
},
"path": "/flowbot/actions/flowcontinuation/recipienttypes/channel/$subscriptions",
"queries": {
"groupId": "@parameters('Teams Group Id')"
}
}
},
"Select_security_policy_rules": {
"runAfter": {
"Filter_array_Ip_from_list_of_security_rules": [
"Succeeded"
]
},
"type": "Select",
"inputs": {
"from": "@body('Filter_array_Ip_from_list_of_security_rules')",
"select": {
"text": " @{item()?['@name']}, action : @{item()?['action']}",
"type": "TextBlock",
"weight": "bolder"
}
},
"description": "prepare columns list to show the security policy rules in the adaptive card if IP address is present"
},
"Set_variable_adaptive_card_body": {
"type": "SetVariable",
"inputs": {
"name": "AdaptiveCardBody",
"value": [
{
"size": "Large",
"text": "Suspicious IP - Microsoft Sentinel",
"type": "TextBlock",
"weight": "Bolder",
"wrap": true
},
{
"text": "Possible Compromised IP @{items('For_each_malicious_IP')?['Address']} detected by the provider : @{outputs('Compose_product_name')}",
"type": "TextBlock",
"wrap": true
},
{
"text": " @{triggerBody()?['object']?['properties']?['severity']} Incident @{triggerBody()?['object']?['properties']?['title']} ",
"type": "TextBlock",
"weight": "Bolder",
"wrap": true
},
{
"text": " Incident No : @{triggerBody()?['object']?['properties']?['incidentNumber']} ",
"type": "TextBlock",
"weight": "Bolder",
"wrap": true
},
{
"text": "Incident description",
"type": "TextBlock",
"weight": "Bolder",
"wrap": true
},
{
"text": "@{triggerBody()?['object']?['properties']?['description']}",
"type": "TextBlock",
"wrap": true
},
{
"text": "[[[[Click here to view the Incident](@{triggerBody()?['object']?['properties']?['incidentUrl']})",
"type": "TextBlock",
"wrap": true
},
{
"size": "Medium",
"text": "Response in PAN-OS",
"type": "TextBlock",
"weight": "Bolder"
},
{
"size": "Small",
"style": "Person",
"type": "Image",
"url": "https://avatars2.githubusercontent.com/u/4855743?s=280&v=4"
}
]
},
"description": "variable to hold adaptive card body"
},
"Set_variable_address_group_members": {
"runAfter": {
"List_address_groups": [
"Succeeded"
]
},
"type": "SetVariable",
"inputs": {
"name": "AddressGroupMembers",
"value": "@body('List_address_groups')?['result']?['entry']?[0]?['static']?['member']"
},
"description": "assign the static member list of the first address group entry returned; the null-safe lookups yield null if the configured group is not found, which later membership checks and the PUT update will operate on"
}
},
"runAfter": {
"List_security_rules": [
"Succeeded"
]
},
"type": "Foreach",
"runtimeConfiguration": {
"concurrency": {
"repetitions": 1
}
}
},
"Initialize_variable_IP_address_action": {
"runAfter": {
"Initialize_variable_address_group_members": [
"Succeeded"
]
},
"type": "InitializeVariable",
"inputs": {
"variables": [
{
"name": "IPAddressAction",
"type": "array"
}
]
},
"description": "This holds the action taken on each IP "
},
"Initialize_variable_action_name": {
"runAfter": {
"Entities_-_Get_IPs": [
"Succeeded"
]
},
"type": "InitializeVariable",
"inputs": {
"variables": [
{
"name": "ActionName",
"type": "string"
}
]
},
"description": "variable to store action name to be displayed on adaptive card"
},
"Initialize_variable_adaptive_card_body": {
"runAfter": {
"Initialize_variable_action_name": [
"Succeeded"
]
},
"type": "InitializeVariable",
"inputs": {
"variables": [
{
"name": "AdaptiveCardBody",
"type": "array"
}
]
},
"description": "variable to store adaptive card body json"
},
"Initialize_variable_address_group_members": {
"runAfter": {
"Initialize_variable_adaptive_card_body": [
"Succeeded"
]
},
"type": "InitializeVariable",
"inputs": {
"variables": [
{
"name": "AddressGroupMembers",
"type": "array"
}
]
},
"description": "variable to store the list of address group members"
},
"List_address_objects": {
"runAfter": {
"Compose_product_name": [
"Succeeded"
]
},
"type": "ApiConnection",
"inputs": {
"host": {
"connection": {
"name": "@parameters('$connections')['PaloAltoConnector']['connectionId']"
}
},
"method": "get",
"path": "/restapi/v10.0/Objects/Addresses",
"queries": {
"location": "vsys",
"vsys": "vsys1"
}
},
"description": "This gets the complete list of address objects present in vsys1 of the PAN-OS"
},
"List_security_rules": {
"runAfter": {
"List_address_objects": [
"Succeeded"
]
},
"type": "ApiConnection",
"inputs": {
"host": {
"connection": {
"name": "@parameters('$connections')['PaloAltoConnector']['connectionId']"
}
},
"method": "get",
"path": "/restapi/v10.0/Policies/SecurityRules",
"queries": {
"location": "vsys",
"vsys": "vsys1"
}
},
"description": "This gets the complete list of security policy rules present in vsys1 of the PAN-OS"
},
"Post_an_Adaptive_Card_to_a_Teams_channel_and_wait_for_a_response": {
"runAfter": {
"Set_variable_actions_on_IP_to_be_displayed_on_adaptive_card": [
"Succeeded"
]
},
"type": "ApiConnectionWebhook",
"inputs": {
"body": {
"body": {
"messageBody": "{\n \"type\": \"AdaptiveCard\",\n \"body\": [\n {\n \"type\": \"TextBlock\",\n \n \"weight\": \"Bolder\",\n \"text\": \"Below is the summary of actions taken on IP's by SOC\",\n \"wrap\": true\n },\n {\n \"columns\": [\n {\n \"items\":@{body('Set_variable_actions_on_IP_to_be_displayed_on_adaptive_card')} ,\n \"type\": \"Column\",\n \"wrap\": true\n }\n ],\n \"separator\": \"true\",\n \"type\": \"ColumnSet\",\n \"width\": \"stretch\"\n},\n {\n \"text\": \" Incident No : @{triggerBody()?['object']?['properties']?['incidentNumber']} \",\n \"type\": \"TextBlock\",\n \"weight\": \"Bolder\",\n \"wrap\": true\n },\n {\n \"type\": \"TextBlock\",\n \"text\": \"[Click here to view the Incident](@{triggerBody()?['object']?['properties']?['incidentUrl']})\",\n \"wrap\": true\n },\n\n {\n \"type\": \"ColumnSet\",\n \"columns\": [\n {\n \"type\": \"Column\",\n \"items\": [\n {\n \"type\": \"TextBlock\",\n \"size\": \"Medium\",\n \"weight\": \"Bolder\",\n \"text\": \"Incident configuration :\",\n \"wrap\": true\n }\n ],\n \"width\": \"auto\"\n }\n ]\n },\n {\n \"type\": \"ColumnSet\",\n \"columns\": [\n {\n \"type\": \"Column\",\n \"items\": [\n {\n \"type\": \"Image\",\n \"style\": \"Person\",\n \"url\": \"https://connectoricons-prod.azureedge.net/releases/v1.0.1391/1.0.1391.2130/azuresentinel/icon.png\",\n \"size\": \"Small\"\n }\n ],\n \"width\": \"auto\"\n }\n ]\n },\n {\n \"type\": \"TextBlock\",\n \"text\": \"Close Microsoft Sentinel incident?\"\n },\n {\n \"choices\": [\n {\n \"isSelected\": true,\n \"title\": \"False Positive - Inaccurate Data\",\n \"value\": \"False Positive - Inaccurate Data\"\n },\n {\n \"isSelected\": true,\n \"title\": \"False Positive - Incorrect Alert Logic\",\n \"value\": \"False Positive - Incorrect Alert Logic\"\n },\n {\n \"title\": \"True Positive - Suspicious Activity\",\n \"value\": \"True Positive - Suspicious Activity\"\n },\n {\n \"title\": \"Benign Positive - Suspicious But Expected\",\n \"value\": \"Benign Positive - 
Suspicious But Expected\"\n },\n {\n \"title\": \"Undetermined\",\n \"value\": \"Undetermined\"\n }\n ],\n \"id\": \"incidentStatus\",\n \"style\": \"compact\",\n \"type\": \"Input.ChoiceSet\",\n \"value\": \"Benign Positive - Suspicious But Expected\"\n },\n {\n \"type\": \"TextBlock\",\n \"text\": \"Change Microsoft Sentinel Incident Severity?\"\n },\n {\n \"choices\": [\n {\n \n \"title\": \"High\",\n \"value\": \"High\"\n },\n {\n \"title\": \"Medium\",\n \"value\": \"Medium\"\n },\n {\n \"title\": \"Low\",\n \"value\": \"Low\"\n },\n {\n \"title\": \"Don't change\",\n \"value\": \"same\"\n }\n ],\n \"id\": \"incidentSeverity\",\n \"style\": \"compact\",\n \"type\": \"Input.ChoiceSet\",\n \"value\": \"@{triggerBody()?['object']?['properties']?['severity']}\"\n }\n \n \n \n ],\n\"width\":\"auto\",\n \"actions\": [\n {\n \"type\": \"Action.Submit\",\n \"title\": \"Change incident configuration\"\n },\n{\n \"type\": \"Action.Submit\",\n \"title\": \"Ignore\"\n }\n ],\n \"$schema\": \"http://adaptivecards.io/schemas/adaptive-card.json\",\n \"version\": \"1.2\"\n}",
"recipient": {
"channelId": "@parameters('Teams channel Id')"
},
"shouldUpdateCard": true
},
"notificationUrl": "@{listCallbackUrl()}"
},
"host": {
"connection": {
"name": "@parameters('$connections')['teams']['connectionId']"
}
},
"path": "/flowbot/actions/flowcontinuation/recipienttypes/channel/$subscriptions",
"queries": {
"groupId": "@parameters('Teams Group Id')"
}
}
},
"Select_alert_product_names": {
"runAfter": {
"Initialize_variable_IP_address_action": [
"Succeeded"
]
},
"type": "Select",
"inputs": {
"from": "@triggerBody()?['object']?['properties']?['additionalData']?['alertProductNames']",
"select": {
"text": "@item()"
}
},
"description": "data operator to select the alert product name"
},
"Set_variable_actions_on_IP_to_be_displayed_on_adaptive_card": {
"runAfter": {
"For_each_malicious_IP": [
"Succeeded"
]
},
"type": "Select",
"inputs": {
"from": "@variables('IPAddressAction')",
"select": {
"text": "@item()",
"type": "TextBlock"
}
},
"description": "This is used to compose the list of actions taken by SOC on respective IP addresses"
}
}
},
"parameters": {
"$connections": {
"value": {
"PaloAltoConnector": {
"connectionId": "[[resourceId('Microsoft.Web/connections', variables('PaloaltoconnectorConnectionName'))]",
"connectionName": "[[variables('PaloaltoconnectorConnectionName')]",
"id": "[[concat('/subscriptions/', subscription().subscriptionId, '/resourceGroups/', resourceGroup().name, '/providers/Microsoft.Web/customApis/', parameters('CustomConnectorName'))]"
},
"azuresentinel": {
"connectionId": "[[resourceId('Microsoft.Web/connections', variables('MicrosoftSentinelConnectionName'))]",
"connectionName": "[[variables('MicrosoftSentinelConnectionName')]",
"id": "[[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', variables('workspace-location-inline'), '/managedApis/Azuresentinel')]",
"connectionProperties": {
"authentication": {
"type": "ManagedServiceIdentity"
}
}
},
"teams": {
"connectionId": "[[resourceId('Microsoft.Web/connections', variables('TeamsConnectionName'))]",
"connectionName": "[[variables('TeamsConnectionName')]",
"id": "[[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', variables('workspace-location-inline'), '/managedApis/Teams')]"
}
}
}
}
},
"name": "[[parameters('PlaybookName')]",
"type": "Microsoft.Logic/workflows",
"location": "[[variables('workspace-location-inline')]",
"tags": {
"hidden-SentinelTemplateName": "PaloAlto-PAN-OS-BlockIP",
"hidden-SentinelTemplateVersion": "1.0",
"hidden-SentinelWorkspaceId": "[[variables('workspaceResourceId')]"
},
"identity": {
"type": "SystemAssigned"
},
"apiVersion": "2017-07-01",
"dependsOn": [
"[[resourceId('Microsoft.Web/connections', variables('PaloaltoconnectorConnectionName'))]",
"[[resourceId('Microsoft.Web/connections', variables('MicrosoftSentinelConnectionName'))]",
"[[resourceId('Microsoft.Web/connections', variables('TeamsConnectionName'))]"
]
},
{
"type": "Microsoft.Web/connections",
"apiVersion": "2016-06-01",
"name": "[[variables('PaloaltoconnectorConnectionName')]",
"location": "[[variables('workspace-location-inline')]",
"kind": "V1",
"properties": {
"displayName": "[[variables('PaloaltoconnectorConnectionName')]",
"api": {
"id": "[[variables('_connection-2')]"
}
}
},
{
"type": "Microsoft.Web/connections",
"apiVersion": "2016-06-01",
"name": "[[variables('MicrosoftSentinelConnectionName')]",
"location": "[[variables('workspace-location-inline')]",
"kind": "V1",
"properties": {
"displayName": "[[variables('MicrosoftSentinelConnectionName')]",
"parameterValueType": "Alternative",
"api": {
"id": "[[variables('_connection-3')]"
}
}
},
{
"type": "Microsoft.Web/connections",
"apiVersion": "2016-06-01",
"name": "[[variables('TeamsConnectionName')]",
"location": "[[variables('workspace-location-inline')]",
"kind": "V1",
"properties": {
"displayName": "[[variables('TeamsConnectionName')]",
"api": {
"id": "[[variables('_connection-4')]"
}
}
},
{
"type": "Microsoft.OperationalInsights/workspaces/providers/metadata",
"apiVersion": "2022-01-01-preview",
"name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('Playbook-', last(split(variables('playbookId6'),'/'))))]",
"properties": {
"parentId": "[variables('playbookId6')]",
"contentId": "[variables('_playbookContentId6')]",
"kind": "Playbook",
"version": "[variables('playbookVersion6')]",
"source": {
"kind": "Solution",
"name": "PaloAlto-PAN-OS",
"sourceId": "[variables('_solutionId')]"
},
"author": {
"name": "Microsoft",
"email": "[variables('_email')]"
},
"support": {
"name": "Microsoft Corporation",
"email": "support@microsoft.com",
"tier": "Microsoft",
"link": "https://support.microsoft.com"
},
"dependencies": {
"criteria": [
{
"kind": "LogicAppsCustomConnector",
"contentId": "[variables('_PaloAlto_PAN-OS_Rest_API_CustomConnector')]",
"version": "[variables('playbookVersion1')]"
}
]
}
}
}
],
"metadata": {
"comments": "This playbook uses the PaloAlto connector to take necessary actions on IP address like Block IP/Unblock IP from predefined address group and also gives an option to close the incident.",
"title": "PaloAlto-PAN-OS-BlockIP",
"description": "This playbook allows blocking/unblocking IPs in PaloAlto, using **Address Object Groups**. It makes changes to a predefined address group (in vsys1), which is expected to be attached to a predefined security policy rule; the playbook does not create that rule.",
"prerequisites": [
"1. PaloAlto connector needs to be deployed prior to the deployment of this playbook under the same subscription. Relevant instructions can be found in the connector doc page. \n\n 2. Generate an API key. [Refer this link on how to generate the API Key](https://docs.paloaltonetworks.com/pan-os/10-1/pan-os-panorama-api/get-started-with-the-pan-os-xml-api/get-your-api-key). Generate the key for a dedicated PAN-OS administrator whose role is limited to the REST API operations this playbook performs (reading address objects and security rules, creating/updating address objects and the address group) rather than a superuser account, and rotate the key according to your policy. \n\n 3. Address group should be created for PAN-OS and this should be used while creating playbooks."
],
"lastUpdateTime": "2023-05-30T00:00:00Z",
"entities": [
"Ip"
],
"tags": [
"Remediation",
"Response from teams",
"Paloalto",
"Pan-os"
],
"postDeployment": [
"**a. Authorize connections** \n\n Once deployment is complete, you will need to authorize each connection. \n\n 1. Click the Microsoft Sentinel connection resource \n\n 2. Click edit API connection \n\n 3. Click Authorize \n\n 4. Sign in \n\n 5. Click Save \n\n 6. Repeat steps for other connections such as the Teams connection and PAN-OS API connection (for authorizing the PAN-OS API connection, the API Key needs to be provided) \n\n **b. Configurations in Sentinel** \n\n 1. In Microsoft Sentinel, analytics rules should be configured to trigger an incident with the risky IP \n\n 2. Configure the automation rules to trigger this playbook"
],
"releaseNotes": {
"version": "1.0",
"title": "[variables('blanks')]",
"notes": [
"Initial version"
]
}
}
},
"packageKind": "Solution",
"packageVersion": "[variables('_solutionVersion')]",
"packageName": "[variables('_solutionName')]",
"packageId": "[variables('_solutionId')]",
"contentSchemaVersion": "3.0.0",
"contentId": "[variables('_playbookContentId6')]",
"contentKind": "Playbook",
"displayName": "PaloAlto-PAN-OS-BlockIP",
"contentProductId": "[variables('_playbookcontentProductId6')]",
"id": "[variables('_playbookcontentProductId6')]",
"version": "[variables('playbookVersion6')]"
}
},
{
"type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates",
"apiVersion": "2023-04-01-preview",
"name": "[variables('playbookTemplateSpecName7')]",
"location": "[parameters('workspace-location')]",
"dependsOn": [
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
"description": "PaloAlto-PAN-OS-BlockURL Playbook with template version 3.0.1",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('playbookVersion7')]",
"parameters": {
"PlaybookName": {
"defaultValue": "PaloAlto-PAN-OS-BlockURL",
"type": "string"
},
"Address Group": {
"type": "string",
"metadata": {
"description": "Name of the pre-existing PAN-OS address group (in vsys1) whose static members this playbook adds blocked URLs to or removes them from"
}
},
"Teams Group Id": {
"type": "string",
"metadata": {
"description": "Enter value for Teams Group Id"
}
},
"Teams channel Id": {
"type": "string",
"metadata": {
"description": "Enter value for Teams channel Id"
}
},
"CustomConnectorName": {
"defaultValue": "PAN-OSRestApiCustomConnector",
"type": "string",
"metadata": {
"description": "Name of the custom connector, if you want to change the default name, make sure to use the same in all Paloalto automation playbooks as well"
}
}
},
"variables": {
"PaloaltoconnectorConnectionName": "[[concat('Paloaltoconnector-', parameters('PlaybookName'))]",
"MicrosoftSentinelConnectionName": "[[concat('MicrosoftSentinel-', parameters('PlaybookName'))]",
"TeamsConnectionName": "[[concat('Teams-', parameters('PlaybookName'))]",
"connection-2": "[[concat('/subscriptions/', subscription().subscriptionId, '/resourceGroups/', resourceGroup().name, '/providers/Microsoft.Web/customApis/', parameters('CustomConnectorName'))]",
"_connection-2": "[[variables('connection-2')]",
"connection-3": "[[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', variables('workspace-location-inline'), '/managedApis/Azuresentinel')]",
"_connection-3": "[[variables('connection-3')]",
"connection-4": "[[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', variables('workspace-location-inline'), '/managedApis/Teams')]",
"_connection-4": "[[variables('connection-4')]",
"workspace-location-inline": "[concat('[resourceGroup().locatio', 'n]')]",
"workspace-name": "[parameters('workspace')]",
"workspaceResourceId": "[[resourceId('microsoft.OperationalInsights/Workspaces', variables('workspace-name'))]"
},
"resources": [
{
"properties": {
"provisioningState": "Succeeded",
"state": "Enabled",
"definition": {
"$schema": "https://schema.management.azure.com/providers/Microsoft.Logic/schemas/2016-06-01/workflowdefinition.json#",
"contentVersion": "1.0.0.0",
"parameters": {
"$connections": {
"type": "Object"
},
"Address Group": {
"type": "string",
"defaultValue": "[[parameters('Address Group')]"
},
"Teams Group Id": {
"type": "string",
"defaultValue": "[[parameters('Teams Group Id')]"
},
"Teams channel Id": {
"type": "string",
"defaultValue": "[[parameters('Teams channel Id')]"
}
},
"triggers": {
"When_Azure_Sentinel_incident_creation_rule_was_triggered_(Private_Preview_only)": {
"type": "ApiConnectionWebhook",
"inputs": {
"body": {
"callback_url": "@{listCallbackUrl()}"
},
"host": {
"connection": {
"name": "@parameters('$connections')['azuresentinel']['connectionId']"
}
},
"path": "/incident-creation"
}
}
},
"actions": {
"Compose_product_name": {
"runAfter": {
"Select_alert_product_names": [
"Succeeded"
]
},
"type": "Compose",
"inputs": "@body('Select_alert_product_names')?[0]?['text']",
"description": "compose to select the incident alert product name"
},
"Condition_based_on_the_incident_configuration_from_adaptive_card": {
"actions": {
"Add_comment_to_incident_(V3)": {
"type": "ApiConnection",
"inputs": {
"body": {
"incidentArmId": "@triggerBody()?['object']?['id']",
"message": "<p>PAN-OS Playbook ran and performed the following actions:<br>\n@{variables('URLAddressAction')}<br>\n<br>\n<br>\n<br>\nActions taken on Sentinel : Add comment to incident and closure with classification reason &nbsp;@{body('Post_an_Adaptive_Card_to_a_Teams_channel_and_wait_for_a_response')['data']?['incidentStatus']}</p>"
},
"host": {
"connection": {
"name": "@parameters('$connections')['azuresentinel']['connectionId']"
}
},
"method": "post",
"path": "/Incidents/Comment"
}
},
"Update_incident": {
"runAfter": {
"Add_comment_to_incident_(V3)": [
"Succeeded"
]
},
"type": "ApiConnection",
"inputs": {
"body": {
"classification": {
"ClassificationAndReason": "@{body('Post_an_Adaptive_Card_to_a_Teams_channel_and_wait_for_a_response')['data']?['incidentStatus']}"
},
"incidentArmId": "@triggerBody()?['object']?['id']",
"severity": "@{body('Post_an_Adaptive_Card_to_a_Teams_channel_and_wait_for_a_response')['data']?['incidentSeverity']}",
"status": "Closed"
},
"host": {
"connection": {
"name": "@parameters('$connections')['azuresentinel']['connectionId']"
}
},
"method": "put",
"path": "/Incidents"
}
}
},
"runAfter": {
"Post_an_Adaptive_Card_to_a_Teams_channel_and_wait_for_a_response": [
"Succeeded"
]
},
"expression": {
"and": [
{
"equals": [
"@body('Post_an_Adaptive_Card_to_a_Teams_channel_and_wait_for_a_response')['submitActionId']",
"Change incident configuration"
]
}
]
},
"type": "If",
"description": "This decides the action taken on the summarized adaptive card"
},
"Entities_-_Get_URLs": {
"type": "ApiConnection",
"inputs": {
"body": "@triggerBody()?['object']?['properties']?['relatedEntities']",
"host": {
"connection": {
"name": "@parameters('$connections')['azuresentinel']['connectionId']"
}
},
"method": "post",
"path": "/entities/url"
}
},
"For_each_malicious_URL": {
"foreach": "@body('Entities_-_Get_URLs')?['URLs']",
"actions": {
"Condition_based_on_user_inputs_from_the_adaptive_card": {
"actions": {
"Condition__to_check_if_user_chosen_Block": {
"actions": {
"Create_an_address_object": {
"type": "ApiConnection",
"inputs": {
"body": {
"entry": [
{
"@@name": "@items('For_each_malicious_URL')?['Url']",
"description": "@items('For_each_malicious_URL')?['Url']",
"fqdn": "@items('For_each_malicious_URL')?['Url']"
}
]
},
"host": {
"connection": {
"name": "@parameters('$connections')['PaloAltoConnector']['connectionId']"
}
},
"method": "post",
"path": "/restapi/v10.0/Objects/Addresses",
"queries": {
"address type": "fqdn",
"location": "vsys",
"name": "@items('For_each_malicious_URL')?['Url']",
"vsys": "vsys1"
}
},
"description": "This creates a new FQDN-type address object for the malicious URL, using the raw URL entity as the object name, description and fqdn value. NOTE(review): an FQDN object expects a hostname, so a URL entity that carries a scheme or path, or exceeds PAN-OS object name limits, may be rejected by the API - confirm against the entity values produced by your analytics rules."
}
},
"expression": {
"and": [
{
"equals": [
"@body('Post_an_Adaptive_Card_to_a_Teams_channel_and_wait_for_a_response_3')['submitActionId']",
"Block URL ( add to @{outputs('Configured_address_group')} address group )"
]
},
{
"equals": [
"@length(body('Filter_array_of_URL_address_from_list_of_address_objects'))",
0
]
}
]
},
"type": "If",
"description": "This check if user chooses Block URL"
},
"Condition_to_check_the_edit_an_address_object_group_status": {
"actions": {
"Condition_to_check_the_action_of_adaptive_card_to_set_the_action_summary": {
"actions": {
"Append_success_status_Blocked_URL_status_to_summary_card": {
"type": "AppendToArrayVariable",
"inputs": {
"name": "URLAddressAction",
"value": "URL Address : @{items('For_each_malicious_URL')?['Url']} , Action Taken : Blocked by \n adding to @{outputs('Configured_address_group')} , Status : Success"
},
"description": "append action taken to summarize on the adaptive card"
}
},
"else": {
"actions": {
"Append_success_status_UnBlocked_URL_status_to_summary_card": {
"type": "AppendToArrayVariable",
"inputs": {
"name": "URLAddressAction",
"value": "URL Address : @{items('For_each_malicious_URL')?['Url']} , Action Taken : UnBlocked by \n removing from @{outputs('Configured_address_group')} , Status : Success"
},
"description": "append action taken to summarize on the adaptive card"
}
}
},
"expression": {
"and": [
{
"equals": [
"@body('Post_an_Adaptive_Card_to_a_Teams_channel_and_wait_for_a_response_3')['submitActionId']",
"Block URL ( add to @{outputs('Configured_address_group')} address group )"
]
}
]
},
"type": "If"
}
},
"runAfter": {
"Update_an_address_object_group": [
"Succeeded"
]
},
"else": {
"actions": {
"Append_failure_status_to_summary_card": {
"type": "AppendToArrayVariable",
"inputs": {
"name": "URLAddressAction",
"value": "URL Address : @{items('For_each_malicious_URL')?['Url']} , Action Taken : @{body('Post_an_Adaptive_Card_to_a_Teams_channel_and_wait_for_a_response_3')['submitActionId']} , Status : Failure"
},
"description": "append action taken to summarize on the adaptive card"
}
}
},
"expression": {
"and": [
{
"equals": [
"@body('Update_an_address_object_group')?['@status']",
"success"
]
}
]
},
"type": "If"
},
"Update_an_address_object_group": {
"runAfter": {
"Condition__to_check_if_user_chosen_Block": [
"Succeeded"
]
},
"type": "ApiConnection",
"inputs": {
"body": {
"entry": [
{
"@@name": "@parameters('Address Group')",
"static": {
"member": "@{variables('AddressGroupMembers')}"
}
}
]
},
"host": {
"connection": {
"name": "@parameters('$connections')['PaloAltoConnector']['connectionId']"
}
},
"method": "put",
"path": "/restapi/v10.0/Objects/AddressGroups",
"queries": {
"location": "vsys",
"name": "@parameters('Address Group')",
"vsys": "vsys1"
}
}
}
},
"runAfter": {
"Post_an_Adaptive_Card_to_a_Teams_channel_and_wait_for_a_response_3": [
"Succeeded"
]
},
"else": {
"actions": {
"Append_to_array_variable_URL_address_action_chosen": {
"type": "AppendToArrayVariable",
"inputs": {
"name": "URLAddressAction",
"value": "URL Address : @{items('For_each_malicious_URL')?['Url']}, Action Taken : @{body('Post_an_Adaptive_Card_to_a_Teams_channel_and_wait_for_a_response_3')['submitActionId']} , Status : Success "
},
"description": "This appends the action taken on URL to the list of existing actions"
}
}
},
"expression": {
"and": [
{
"not": {
"equals": [
"@body('Post_an_Adaptive_Card_to_a_Teams_channel_and_wait_for_a_response_3')['submitActionId']",
"Ignore"
]
}
}
]
},
"type": "If",
"description": "condition to check the submit action is block / unblock or Ignore"
},
"Condition_to_check_if_URL_address_already_present_in_list_of_address_objects": {
"actions": {
"Condition_to_check_if_URL_already_present_in_predefined_address_group": {
"actions": {
"Append_address_group_text": {
"type": "AppendToArrayVariable",
"inputs": {
"name": "AdaptiveCardBody",
"value": {
"text": "The URL @{items('For_each_malicious_URL')?['Url']} is already a member of the blocked address group @{outputs('Configured_address_group')}",
"type": "TextBlock",
"wrap": true
}
},
"description": "append address group text to adaptive card dynamically"
},
"Filter_array_URL_address_from_the_list_of_address_objects_to_unreference": {
"runAfter": {
"Set_dynamic_action_name": [
"Succeeded"
]
},
"type": "Query",
"inputs": {
"from": "@variables('AddressGroupMembers')",
"where": "@not(equals(item(), items('For_each_malicious_URL')?['Url']))"
},
"description": "This filters the URL address out of the predefined address group members to unreference/unblock the URL"
},
"Set_dynamic_action_name": {
"runAfter": {
"Append_address_group_text": [
"Succeeded"
]
},
"type": "SetVariable",
"inputs": {
"name": "ActionName",
"value": "UnBlock URL"
},
"description": "variable to set action name dynamically"
},
"unreference_URL_address_from_the_existing_group_members": {
"runAfter": {
"Filter_array_URL_address_from_the_list_of_address_objects_to_unreference": [
"Succeeded"
]
},
"type": "SetVariable",
"inputs": {
"name": "AddressGroupMembers",
"value": "@body('Filter_array_URL_address_from_the_list_of_address_objects_to_unreference')"
},
"description": "unreference URL address from the group members and update"
}
},
"else": {
"actions": {
"Append_URL_address_to_the_address_group_members": {
"runAfter": {
"Append_address_group_text_to_adaptive_card_body": [
"Succeeded"
]
},
"type": "AppendToArrayVariable",
"inputs": {
"name": "AddressGroupMembers",
"value": "@items('For_each_malicious_URL')?['Url']"
},
"description": "append URL address to the address group members"
},
"Append_address_group_text_to_adaptive_card_body": {
"type": "AppendToArrayVariable",
"inputs": {
"name": "AdaptiveCardBody",
"value": {
"text": "The URL @{items('For_each_malicious_URL')?['Url']} is not a member of the blocked address group @{outputs('Configured_address_group')}",
"type": "TextBlock",
"wrap": true
}
},
"description": "append address group text to adaptive card dynamically"
},
"Set_dynamic_action_name_to_variable_Action_name": {
"runAfter": {
"Append_URL_address_to_the_address_group_members": [
"Succeeded"
]
},
"type": "SetVariable",
"inputs": {
"name": "ActionName",
"value": "Block URL"
},
"description": "set action name dynamically"
}
}
},
"expression": {
"and": [
{
"contains": [
"@variables('AddressGroupMembers')",
"@items('For_each_malicious_URL')?['Url']"
]
}
]
},
"type": "If",
"description": "condition to check whether the malicious URL address is present in the predefined address group as a static member"
}
},
"runAfter": {
"Condition_to_check_if_the_URL_is_a_part_of_security_policy_rules": [
"Succeeded"
]
},
"else": {
"actions": {
"Append_URL_to_array_of_address_group_members": {
"runAfter": {
"Append_to_array_variable_text_if_URL_is_not_a_member_of_blocked_address_group": [
"Succeeded"
]
},
"type": "AppendToArrayVariable",
"inputs": {
"name": "AddressGroupMembers",
"value": "@items('For_each_malicious_URL')?['Url']"
},
"description": "append the Malicious URL address to the existing group members to block / unblock from the predefined address group"
},
"Append_to_array_variable_text_if_URL_is_not_a_member_of_blocked_address_group": {
"type": "AppendToArrayVariable",
"inputs": {
"name": "AdaptiveCardBody",
"value": {
"text": "The URL @{items('For_each_malicious_URL')?['Url']} is not a member of the blocked address group @{outputs('Configured_address_group')}",
"type": "TextBlock",
"wrap": true
}
},
"description": "This appends the text to display If URL is not a member of security policy rules"
},
"Set_variable_to_Block_URL": {
"runAfter": {
"Append_URL_to_array_of_address_group_members": [
"Succeeded"
]
},
"type": "SetVariable",
"inputs": {
"name": "ActionName",
"value": "Block URL"
},
"description": "This sets the action name variable to Block URL"
}
}
},
"expression": {
"and": [
{
"greater": [
"@length(body('Filter_array_of_URL_address_from_list_of_address_objects'))",
0
]
}
]
},
"type": "If",
"description": "This checks whether the URL is a member of any of the listed address objects"
},
"Condition_to_check_if_the_URL_is_a_part_of_security_policy_rules": {
"actions": {
"Append_policy_text": {
"type": "AppendToArrayVariable",
"inputs": {
"name": "AdaptiveCardBody",
"value": {
"text": "It is also member of the following security policy rules",
"type": "TextBlock"
}
},
"description": "dynamic policy text based on security policies"
},
"Append_security_policies": {
"runAfter": {
"Append_policy_text": [
"Succeeded"
]
},
"type": "AppendToArrayVariable",
"inputs": {
"name": "AdaptiveCardBody",
"value": {
"columns": [
{
"items": "@body('Select_security_policy_rules')",
"type": "Column"
}
],
"type": "ColumnSet"
}
},
"description": "append the security policy rules in which the URL address exists"
}
},
"runAfter": {
"Select_security_policy_rules": [
"Succeeded"
]
},
"else": {
"actions": {
"Append_policy_text_to_adaptive_card_body_variable": {
"type": "AppendToArrayVariable",
"inputs": {
"name": "AdaptiveCardBody",
"value": {
"text": "It is not a member of any other Policy Rules",
"type": "TextBlock"
}
},
"description": "dynamic policy text based on security policies"
},
"Append_security_policies_to_adaptive_card_body_variable": {
"runAfter": {
"Append_policy_text_to_adaptive_card_body_variable": [
"Succeeded"
]
},
"type": "AppendToArrayVariable",
"inputs": {
"name": "AdaptiveCardBody",
"value": "[variables('TemplateEmptyObject')]"
},
"description": "append the security policy rules in which the URL address exists"
}
}
},
"expression": {
"and": [
{
"greater": [
"@length(body('Select_security_policy_rules'))",
0
]
}
]
},
"type": "If",
"description": "condition to check if the URL address is present in the existing security policy rules, so that the policy text and security policy rules are added to the card only when applicable"
},
"Configured_address_group": {
"runAfter": {
"Set_variable_address_group_members": [
"Succeeded"
]
},
"type": "Compose",
"inputs": "@body('List_address_groups')?['result']?['entry']?[0]?['@name']",
"description": "compose the name of the predefined address group"
},
"Filter_array_URL_from_list_of_security_rules": {
"runAfter": {
"Configured_address_group": [
"Succeeded"
]
},
"type": "Query",
"inputs": {
"from": "@body('List_security_rules')?['result']?['entry']",
"where": "@contains(item()?['destination']?['member'], items('For_each_malicious_URL')?['Url'])"
},
"description": "This filters all the security rules in which this URL is a member"
},
"Filter_array_of_URL_address_from_list_of_address_objects": {
"runAfter": {
"Set_variable_adaptive_card_body": [
"Succeeded"
]
},
"type": "Query",
"inputs": {
"from": "@body('List_address_objects')?['result']?['entry']",
"where": "@equals(item()?['fqdn'], items('For_each_malicious_URL')?['Url'])"
},
"description": "This filters the list of address objects for those in which this URL is a member"
},
"List_address_groups": {
"runAfter": {
"Filter_array_of_URL_address_from_list_of_address_objects": [
"Succeeded"
]
},
"type": "ApiConnection",
"inputs": {
"host": {
"connection": {
"name": "@parameters('$connections')['PaloAltoConnector']['connectionId']"
}
},
"method": "get",
"path": "/restapi/v10.0/Objects/AddressGroups",
"queries": {
"location": "vsys",
"name": "@parameters('Address Group')",
"vsys": "vsys1"
}
},
"description": "This gets the complete list of address object groups present in PAN-OS"
},
"Post_an_Adaptive_Card_to_a_Teams_channel_and_wait_for_a_response_3": {
"runAfter": {
"Condition_to_check_if_URL_address_already_present_in_list_of_address_objects": [
"Succeeded"
]
},
"type": "ApiConnectionWebhook",
"inputs": {
"body": {
"body": {
"messageBody": "{\n \"type\": \"AdaptiveCard\",\n \"body\":@{variables('AdaptiveCardBody')} ,\n \"actions\": [\n {\n \"title\": \"@{variables('ActionName')} ( add to @{outputs('Configured_address_group')} address group )\",\n \"type\": \"Action.Submit\"\n },\n {\n \"title\": \"Ignore\",\n \"type\": \"Action.Submit\"\n }\n],\n \"$schema\": \"http://adaptivecards.io/schemas/adaptive-card.json\",\n \"version\": \"1.2\"\n}",
"recipient": {
"channelId": "@parameters('Teams channel Id')"
},
"shouldUpdateCard": true
},
"notificationUrl": "@{listCallbackUrl()}"
},
"host": {
"connection": {
"name": "@parameters('$connections')['teams']['connectionId']"
}
},
"path": "/flowbot/actions/flowcontinuation/recipienttypes/channel/$subscriptions",
"queries": {
"groupId": "@parameters('Teams Group Id')"
}
}
},
"Select_security_policy_rules": {
"runAfter": {
"Filter_array_URL_from_list_of_security_rules": [
"Succeeded"
]
},
"type": "Select",
"inputs": {
"from": "@body('Filter_array_URL_from_list_of_security_rules')",
"select": {
"text": " @{item()?['@name']}, action : @{item()?['action']}",
"type": "TextBlock",
"weight": "bolder"
}
},
"description": "prepare the column list to show the security policy rules in the adaptive card if the URL address is present"
},
"Set_variable_adaptive_card_body": {
"type": "SetVariable",
"inputs": {
"name": "AdaptiveCardBody",
"value": [
{
"size": "Large",
"text": "Suspicious URL - Microsoft Sentinel",
"type": "TextBlock",
"weight": "Bolder",
"wrap": true
},
{
"text": "Possible Compromised URL @{items('For_each_malicious_URL')?['Url']} detected by the provider : @{outputs('Compose_product_name')}",
"type": "TextBlock",
"wrap": true
},
{
"text": "@{triggerBody()?['object']?['properties']?['severity']} Incident @{triggerBody()?['object']?['properties']?['title']}",
"type": "TextBlock",
"weight": "Bolder",
"wrap": true
},
{
"text": " Incident No : @{triggerBody()?['object']?['properties']?['incidentNumber']} ",
"type": "TextBlock",
"weight": "Bolder",
"wrap": true
},
{
"text": "Incident description",
"type": "TextBlock",
"weight": "Bolder",
"wrap": true
},
{
"text": "@{triggerBody()?['object']?['properties']?['description']}",
"type": "TextBlock",
"wrap": true
},
{
"text": "[[[[Click here to view the Incident](@{triggerBody()?['object']?['properties']?['incidentUrl']})",
"type": "TextBlock",
"wrap": true
},
{
"size": "Medium",
"text": "Response in PAN-OS",
"type": "TextBlock",
"weight": "Bolder"
},
{
"size": "Small",
"style": "Person",
"type": "Image",
"url": "https://avatars2.githubusercontent.com/u/4855743?s=280&v=4"
}
]
},
"description": "variable to hold adaptive card body"
},
"Set_variable_address_group_members": {
"runAfter": {
"List_address_groups": [
"Succeeded"
]
},
"type": "SetVariable",
"inputs": {
"name": "AddressGroupMembers",
"value": "@body('List_address_groups')?['result']?['entry']?[0]?['static']?['member']"
},
"description": "assign the list of address group members"
}
},
"runAfter": {
"List_security_rules": [
"Succeeded"
]
},
"type": "Foreach",
"runtimeConfiguration": {
"concurrency": {
"repetitions": 1
}
}
},
"Initialize_variable_URL_address_action": {
"runAfter": {
"Initialize_variable_address_group_members": [
"Succeeded"
]
},
"type": "InitializeVariable",
"inputs": {
"variables": [
{
"name": "URLAddressAction",
"type": "array"
}
]
},
"description": "This holds the action taken on each URL"
},
"Initialize_variable_action_name": {
"runAfter": {
"Entities_-_Get_URLs": [
"Succeeded"
]
},
"type": "InitializeVariable",
"inputs": {
"variables": [
{
"name": "ActionName",
"type": "string"
}
]
},
"description": "variable to store action name to be displayed on adaptive card"
},
"Initialize_variable_adaptive_card_body": {
"runAfter": {
"Initialize_variable_action_name": [
"Succeeded"
]
},
"type": "InitializeVariable",
"inputs": {
"variables": [
{
"name": "AdaptiveCardBody",
"type": "array"
}
]
},
"description": "variable to store adaptive card body json"
},
"Initialize_variable_address_group_members": {
"runAfter": {
"Initialize_variable_adaptive_card_body": [
"Succeeded"
]
},
"type": "InitializeVariable",
"inputs": {
"variables": [
{
"name": "AddressGroupMembers",
"type": "array"
}
]
},
"description": "variable to store the list of address group members"
},
"List_address_objects": {
"runAfter": {
"Compose_product_name": [
"Succeeded"
]
},
"type": "ApiConnection",
"inputs": {
"host": {
"connection": {
"name": "@parameters('$connections')['PaloAltoConnector']['connectionId']"
}
},
"method": "get",
"path": "/restapi/v10.0/Objects/Addresses",
"queries": {
"location": "vsys",
"vsys": "vsys1"
}
},
"description": "This gets the complete list of address objects present in PAN-OS"
},
"List_security_rules": {
"runAfter": {
"List_address_objects": [
"Succeeded"
]
},
"type": "ApiConnection",
"inputs": {
"host": {
"connection": {
"name": "@parameters('$connections')['PaloAltoConnector']['connectionId']"
}
},
"method": "get",
"path": "/restapi/v10.0/Policies/SecurityRules",
"queries": {
"location": "vsys",
"vsys": "vsys1"
}
},
"description": "This gets the complete list of security policy rules present in PAN-OS"
},
"Post_an_Adaptive_Card_to_a_Teams_channel_and_wait_for_a_response": {
"runAfter": {
"Set_variable_actions_on_URL_to_be_displayed_on_adaptive_card": [
"Succeeded"
]
},
"type": "ApiConnectionWebhook",
"inputs": {
"body": {
"body": {
"messageBody": "{\n \"type\": \"AdaptiveCard\",\n \"body\": [\n {\n \"type\": \"TextBlock\",\n \n \"weight\": \"Bolder\",\n \"text\": \"Below is the summary of actions taken on URL's by SOC\",\n \"wrap\": true\n },\n {\n \"columns\": [\n {\n \"items\":@{body('Set_variable_actions_on_URL_to_be_displayed_on_adaptive_card')} ,\n \"type\": \"Column\",\n \"wrap\": true\n }\n ],\n \"separator\": \"true\",\n \"type\": \"ColumnSet\",\n \"width\": \"stretch\"\n},\n {\n \"text\": \" Incident No : @{triggerBody()?['object']?['properties']?['incidentNumber']} \",\n \"type\": \"TextBlock\",\n \"weight\": \"Bolder\",\n \"wrap\": true\n },\n {\n \"type\": \"TextBlock\",\n \"text\": \"[Click here to view the Incident](@{triggerBody()?['object']?['properties']?['incidentUrl']})\",\n \"wrap\": true\n },\n\n {\n \"type\": \"ColumnSet\",\n \"columns\": [\n {\n \"type\": \"Column\",\n \"items\": [\n {\n \"type\": \"TextBlock\",\n \"size\": \"Medium\",\n \"weight\": \"Bolder\",\n \"text\": \"Incident configuration :\",\n \"wrap\": true\n }\n ],\n \"width\": \"auto\"\n }\n ]\n },\n {\n \"type\": \"ColumnSet\",\n \"columns\": [\n {\n \"type\": \"Column\",\n \"items\": [\n {\n \"type\": \"Image\",\n \"style\": \"Person\",\n \"url\": \"https://connectoricons-prod.azureedge.net/releases/v1.0.1391/1.0.1391.2130/azuresentinel/icon.png\",\n \"size\": \"Small\"\n }\n ],\n \"width\": \"auto\"\n }\n ]\n },\n {\n \"type\": \"TextBlock\",\n \"text\": \"Close Microsoft Sentinel incident?\"\n },\n {\n \"choices\": [\n {\n \"isSelected\": true,\n \"title\": \"False Positive - Inaccurate Data\",\n \"value\": \"False Positive - Inaccurate Data\"\n },\n {\n \"isSelected\": true,\n \"title\": \"False Positive - Incorrect Alert Logic\",\n \"value\": \"False Positive - Incorrect Alert Logic\"\n },\n {\n \"title\": \"True Positive - Suspicious Activity\",\n \"value\": \"True Positive - Suspicious Activity\"\n },\n {\n \"title\": \"Benign Positive - Suspicious But Expected\",\n \"value\": \"Benign Positive - 
Suspicious But Expected\"\n },\n {\n \"title\": \"Undetermined\",\n \"value\": \"Undetermined\"\n }\n ],\n \"id\": \"incidentStatus\",\n \"style\": \"compact\",\n \"type\": \"Input.ChoiceSet\",\n \"value\": \"Benign Positive - Suspicious But Expected\"\n },\n {\n \"type\": \"TextBlock\",\n \"text\": \"Change Microsoft Sentinel Incident Severity?\"\n },\n {\n \"choices\": [\n {\n \n \"title\": \"High\",\n \"value\": \"High\"\n },\n {\n \"title\": \"Medium\",\n \"value\": \"Medium\"\n },\n {\n \"title\": \"Low\",\n \"value\": \"Low\"\n },\n {\n \"title\": \"Don't change\",\n \"value\": \"same\"\n }\n ],\n \"id\": \"incidentSeverity\",\n \"style\": \"compact\",\n \"type\": \"Input.ChoiceSet\",\n \"value\": \"@{triggerBody()?['object']?['properties']?['severity']}\"\n }\n \n \n \n ],\n\"width\":\"auto\",\n \"actions\": [\n {\n \"type\": \"Action.Submit\",\n \"title\": \"Change incident configuration\"\n },\n {\n \"type\": \"Action.Submit\",\n \"title\": \"Ignore\"\n }\n ],\n \"$schema\": \"http://adaptivecards.io/schemas/adaptive-card.json\",\n \"version\": \"1.2\"\n}",
"recipient": {
"channelId": "@parameters('Teams channel Id')"
},
"shouldUpdateCard": true
},
"notificationUrl": "@{listCallbackUrl()}"
},
"host": {
"connection": {
"name": "@parameters('$connections')['teams']['connectionId']"
}
},
"path": "/flowbot/actions/flowcontinuation/recipienttypes/channel/$subscriptions",
"queries": {
"groupId": "@parameters('Teams Group Id')"
}
}
},
"Select_alert_product_names": {
"runAfter": {
"Initialize_variable_URL_address_action": [
"Succeeded"
]
},
"type": "Select",
"inputs": {
"from": "@triggerBody()?['object']?['properties']?['additionalData']?['alertProductNames']",
"select": {
"text": "@item()"
}
},
"description": "data operator to select the alert product name"
},
"Set_variable_actions_on_URL_to_be_displayed_on_adaptive_card": {
"runAfter": {
"For_each_malicious_URL": [
"Succeeded"
]
},
"type": "Select",
"inputs": {
"from": "@variables('URLAddressAction')",
"select": {
"text": "@item()",
"type": "TextBlock"
}
},
"description": "This is used to compose the list of actions taken by SOC on respective URL addresses"
}
}
},
"parameters": {
"$connections": {
"value": {
"PaloAltoConnector": {
"connectionId": "[[resourceId('Microsoft.Web/connections', variables('PaloaltoconnectorConnectionName'))]",
"connectionName": "[[variables('PaloaltoconnectorConnectionName')]",
"id": "[[concat('/subscriptions/', subscription().subscriptionId, '/resourceGroups/', resourceGroup().name, '/providers/Microsoft.Web/customApis/', parameters('CustomConnectorName'))]"
},
"azuresentinel": {
"connectionId": "[[resourceId('Microsoft.Web/connections', variables('MicrosoftSentinelConnectionName'))]",
"connectionName": "[[variables('MicrosoftSentinelConnectionName')]",
"id": "[[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', variables('workspace-location-inline'), '/managedApis/Azuresentinel')]",
"connectionProperties": {
"authentication": {
"type": "ManagedServiceIdentity"
}
}
},
"teams": {
"connectionId": "[[resourceId('Microsoft.Web/connections', variables('TeamsConnectionName'))]",
"connectionName": "[[variables('TeamsConnectionName')]",
"id": "[[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', variables('workspace-location-inline'), '/managedApis/Teams')]"
}
}
}
}
},
"name": "[[parameters('PlaybookName')]",
"type": "Microsoft.Logic/workflows",
"location": "[[variables('workspace-location-inline')]",
"identity": {
"type": "SystemAssigned"
},
"tags": {
"hidden-SentinelTemplateName": "PaloAlto-PAN-OS-BlockURL",
"hidden-SentinelTemplateVersion": "1.0",
"hidden-SentinelWorkspaceId": "[[variables('workspaceResourceId')]"
},
"apiVersion": "2017-07-01",
"dependsOn": [
"[[resourceId('Microsoft.Web/connections', variables('PaloaltoconnectorConnectionName'))]",
"[[resourceId('Microsoft.Web/connections', variables('MicrosoftSentinelConnectionName'))]",
"[[resourceId('Microsoft.Web/connections', variables('TeamsConnectionName'))]"
]
},
{
"type": "Microsoft.Web/connections",
"apiVersion": "2016-06-01",
"name": "[[variables('PaloaltoconnectorConnectionName')]",
"location": "[[variables('workspace-location-inline')]",
"kind": "V1",
"properties": {
"displayName": "[[variables('PaloaltoconnectorConnectionName')]",
"api": {
"id": "[[variables('_connection-2')]"
}
}
},
{
"type": "Microsoft.Web/connections",
"apiVersion": "2016-06-01",
"name": "[[variables('MicrosoftSentinelConnectionName')]",
"location": "[[variables('workspace-location-inline')]",
"kind": "V1",
"properties": {
"displayName": "[[variables('MicrosoftSentinelConnectionName')]",
"parameterValueType": "Alternative",
"api": {
"id": "[[variables('_connection-3')]"
}
}
},
{
"type": "Microsoft.Web/connections",
"apiVersion": "2016-06-01",
"name": "[[variables('TeamsConnectionName')]",
"location": "[[variables('workspace-location-inline')]",
"kind": "V1",
"properties": {
"displayName": "[[variables('TeamsConnectionName')]",
"api": {
"id": "[[variables('_connection-4')]"
}
}
},
{
"type": "Microsoft.OperationalInsights/workspaces/providers/metadata",
"apiVersion": "2022-01-01-preview",
"name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('Playbook-', last(split(variables('playbookId7'),'/'))))]",
"properties": {
"parentId": "[variables('playbookId7')]",
"contentId": "[variables('_playbookContentId7')]",
"kind": "Playbook",
"version": "[variables('playbookVersion7')]",
"source": {
"kind": "Solution",
"name": "PaloAlto-PAN-OS",
"sourceId": "[variables('_solutionId')]"
},
"author": {
"name": "Microsoft",
"email": "[variables('_email')]"
},
"support": {
"name": "Microsoft Corporation",
"email": "support@microsoft.com",
"tier": "Microsoft",
"link": "https://support.microsoft.com"
},
"dependencies": {
"criteria": [
{
"kind": "LogicAppsCustomConnector",
"contentId": "[variables('_PaloAlto_PAN-OS_Rest_API_CustomConnector')]",
"version": "[variables('playbookVersion1')]"
}
]
}
}
}
],
"metadata": {
"comments": "This playbook uses the PaloAlto connector to take the necessary actions on a URL address, such as blocking or unblocking the URL via a predefined address group, and also gives an option to close the incident.",
"title": "PaloAlto-PAN-OS-BlockURL",
"description": "This playbook allows blocking/unblocking URLs in PaloAlto, using a **predefined address group**. It makes changes to the predefined address group, which is attached to a security policy rule.",
"prerequisites": [
"1. The PaloAlto connector needs to be deployed prior to the deployment of this playbook under the same subscription. Relevant instructions can be found in the connector doc page. \n\n 2. Generate an API key. [Refer to this link on how to generate the API Key](https://docs.paloaltonetworks.com/pan-os/9-1/pan-os-panorama-api/get-started-with-the-pan-os-xml-api/get-your-api-key) \n\n 3. An address group should be created in PAN-OS and used while creating the playbooks."
],
"lastUpdateTime": "2023-05-30T00:00:00Z",
"entities": [
"Url"
],
"tags": [
"Remediation",
"Response from teams"
],
"postDeployment": [
"**a. Authorize connections** \n\n Once deployment is complete, you will need to authorize each connection. \n\n 1. Click the Microsoft Sentinel connection resource \n\n 2. Click edit API connection \n\n 3. Click Authorize \n\n 4. Sign in \n\n 5. Click Save \n\n 6. Repeat the steps for the other connections, such as the Teams connection and the PAN-OS API connection (for authorizing the PAN-OS API connection, the API Key needs to be provided) \n\n **b. Configurations in Sentinel** \n\n 1. In Microsoft Sentinel, analytics rules should be configured to trigger an incident with a risky URL \n\n 2. Configure the automation rules to trigger this playbook"
],
"releaseNotes": {
"version": "1.0",
"title": "[variables('blanks')]",
"notes": [
"Initial version"
]
}
}
},
"packageKind": "Solution",
"packageVersion": "[variables('_solutionVersion')]",
"packageName": "[variables('_solutionName')]",
"packageId": "[variables('_solutionId')]",
"contentSchemaVersion": "3.0.0",
"contentId": "[variables('_playbookContentId7')]",
"contentKind": "Playbook",
"displayName": "PaloAlto-PAN-OS-BlockURL",
"contentProductId": "[variables('_playbookcontentProductId7')]",
"id": "[variables('_playbookcontentProductId7')]",
"version": "[variables('playbookVersion7')]"
}
},
{
"type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates",
"apiVersion": "2023-04-01-preview",
"name": "[variables('playbookTemplateSpecName8')]",
"location": "[parameters('workspace-location')]",
"dependsOn": [
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
"description": "PaloAlto-PAN-OS-BlockURL-EntityTrigger Playbook with template version 3.0.1",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('playbookVersion8')]",
"parameters": {
"PlaybookName": {
"defaultValue": "PaloAlto-PAN-OS-BlockURL-EntityTrigger",
"type": "string"
},
"Address Group": {
"type": "string",
"metadata": {
"description": "Enter value for Address Group"
}
},
"Teams Group Id": {
"type": "string",
"metadata": {
"description": "Enter value for Teams Group Id"
}
},
"Teams channel Id": {
"type": "string",
"metadata": {
"description": "Enter value for Teams channel Id"
}
},
"CustomConnectorName": {
"defaultValue": "PAN-OSRestApiCustomConnector",
"type": "string",
"metadata": {
"description": "Name of the custom connector. If you change the default name, make sure to use the same name in all PaloAlto automation playbooks as well"
}
}
},
"variables": {
"PaloaltoconnectorConnectionName": "[[concat('Paloaltoconnector-', parameters('PlaybookName'))]",
"MicrosoftSentinelConnectionName": "[[concat('MicrosoftSentinel-', parameters('PlaybookName'))]",
"TeamsConnectionName": "[[concat('Teams-', parameters('PlaybookName'))]",
"connection-2": "[[concat('/subscriptions/', subscription().subscriptionId, '/resourceGroups/', resourceGroup().name, '/providers/Microsoft.Web/customApis/', parameters('CustomConnectorName'))]",
"_connection-2": "[[variables('connection-2')]",
"connection-3": "[[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', variables('workspace-location-inline'), '/managedApis/Azuresentinel')]",
"_connection-3": "[[variables('connection-3')]",
"connection-4": "[[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', variables('workspace-location-inline'), '/managedApis/Teams')]",
"_connection-4": "[[variables('connection-4')]",
"workspace-location-inline": "[concat('[resourceGroup().locatio', 'n]')]",
"workspace-name": "[parameters('workspace')]",
"workspaceResourceId": "[[resourceId('microsoft.OperationalInsights/Workspaces', variables('workspace-name'))]"
},
"resources": [
{
"properties": {
"provisioningState": "Succeeded",
"state": "Enabled",
"definition": {
"$schema": "https://schema.management.azure.com/providers/Microsoft.Logic/schemas/2016-06-01/workflowdefinition.json#",
"contentVersion": "1.0.0.0",
"parameters": {
"$connections": {
"type": "Object"
},
"Address Group": {
"type": "string",
"defaultValue": "[[parameters('Address Group')]"
},
"Teams Group Id": {
"type": "string",
"defaultValue": "[[parameters('Teams Group Id')]"
},
"Teams channel Id": {
"type": "string",
"defaultValue": "[[parameters('Teams channel Id')]"
}
},
"triggers": {
"Microsoft_Sentinel_entity": {
"type": "ApiConnectionWebhook",
"inputs": {
"body": {
"callback_url": "@{listCallbackUrl()}"
},
"host": {
"connection": {
"name": "@parameters('$connections')['azuresentinel']['connectionId']"
}
},
"path": "/entity/@{encodeURIComponent('UrlEntity')}"
}
}
},
"actions": {
"Condition_based_on_the_incident_configuration_from_adaptive_card": {
"actions": {
"Add_comment_to_incident_(V3)": {
"type": "ApiConnection",
"inputs": {
"body": {
"incidentArmId": "@triggerBody()?['IncidentArmID']",
"message": "<p>PAN-OS Playbook ran and performed the following actions:<br>\n@{variables('URLAddressAction')}<br>\n<br>\n<br>\n<br>\nActions taken on Sentinel : Add comment to incident and closure with classification reason &nbsp;@{body('Post_an_Adaptive_Card_to_a_Teams_channel_and_wait_for_a_response')['data']?['incidentStatus']}</p>"
},
"host": {
"connection": {
"name": "@parameters('$connections')['azuresentinel']['connectionId']"
}
},
"method": "post",
"path": "/Incidents/Comment"
}
},
"Update_incident": {
"runAfter": {
"Add_comment_to_incident_(V3)": [
"Succeeded"
]
},
"type": "ApiConnection",
"inputs": {
"body": {
"classification": {
"ClassificationAndReason": "@{body('Post_an_Adaptive_Card_to_a_Teams_channel_and_wait_for_a_response')['data']?['incidentStatus']}"
},
"incidentArmId": "@triggerBody()?['IncidentArmID']",
"severity": "@{body('Post_an_Adaptive_Card_to_a_Teams_channel_and_wait_for_a_response')['data']?['incidentSeverity']}",
"status": "Closed"
},
"host": {
"connection": {
"name": "@parameters('$connections')['azuresentinel']['connectionId']"
}
},
"method": "put",
"path": "/Incidents"
}
}
},
"runAfter": {
"Post_an_Adaptive_Card_to_a_Teams_channel_and_wait_for_a_response": [
"Succeeded"
]
},
"expression": {
"and": [
{
"equals": [
"@body('Post_an_Adaptive_Card_to_a_Teams_channel_and_wait_for_a_response')['submitActionId']",
"Change incident configuration"
]
},
{
"not": {
"equals": [
"@triggerBody()?['IncidentArmID']",
"@null"
]
}
}
]
},
"type": "If",
"description": "This decides the action taken on the summarized adaptive card"
},
"Condition_based_on_user_inputs_from_the_adaptive_card": {
"actions": {
"Condition__to_check_if_user_chosen_Block": {
"actions": {
"Create_an_address_object": {
"type": "ApiConnection",
"inputs": {
"body": {
"entry": {
"@@name": "@triggerBody()?['Entity']?['properties']?['Url']",
"description": "@triggerBody()?['Entity']?['properties']?['Url']",
"fqdn": "@triggerBody()?['Entity']?['properties']?['Url']"
}
},
"host": {
"connection": {
"name": "@parameters('$connections')['PaloAltoConnector']['connectionId']"
}
},
"method": "post",
"path": "/restapi/v10.0/Objects/Addresses",
"queries": {
"address type": "fqdn",
"location": "vsys",
"name": "@triggerBody()?['Entity']?['properties']?['Url']",
"vsys": "vsys1"
}
},
"description": "This creates a new address object for the malicious URL"
}
},
"expression": {
"and": [
{
"equals": [
"@body('Post_an_Adaptive_Card_to_a_Teams_channel_and_wait_for_a_response_3')['submitActionId']",
"Block URL ( add to @{outputs('Configured_address_group')} address group )"
]
},
{
"equals": [
"@length(body('Filter_array_of_URL_address_from_list_of_address_objects'))",
0
]
}
]
},
"type": "If",
"description": "This checks if the user chose Block URL"
},
"Condition_to_check_the_edit_an_address_object_group_status": {
"actions": {
"Condition_to_check_the_action_of_adaptive_card_to_set_the_action_summary": {
"actions": {
"Append_success_status_Blocked_URL_status_to_summary_card": {
"type": "AppendToArrayVariable",
"inputs": {
"name": "URLAddressAction",
"value": "URL Address : @{triggerBody()?['Entity']?['properties']?['Url']} , Action Taken : Blocked by \n adding to @{outputs('Configured_address_group')} , Status : Success"
},
"description": "append the action taken to the summary shown on the adaptive card"
}
},
"else": {
"actions": {
"Append_success_status_UnBlocked_URL_status_to_summary_card": {
"type": "AppendToArrayVariable",
"inputs": {
"name": "URLAddressAction",
"value": "URL Address : @{triggerBody()?['Entity']?['properties']?['Url']} , Action Taken : UnBlocked by \n adding to @{outputs('Configured_address_group')} , Status : Success"
},
"description": "append the action taken to the summary shown on the adaptive card"
}
}
},
"expression": {
"and": [
{
"equals": [
"@body('Post_an_Adaptive_Card_to_a_Teams_channel_and_wait_for_a_response_3')['submitActionId']",
"Block URL ( add to @{outputs('Configured_address_group')} address group )"
]
}
]
},
"type": "If"
}
},
"runAfter": {
"Update_an_address_object_group": [
"Succeeded"
]
},
"else": {
"actions": {
"Append_failure_status_to_summary_card": {
"type": "AppendToArrayVariable",
"inputs": {
"name": "URLAddressAction",
"value": "URL Address : @{triggerBody()?['Entity']?['properties']?['Url']} , Action Taken : @{body('Post_an_Adaptive_Card_to_a_Teams_channel_and_wait_for_a_response_3')['submitActionId']} , Status : Failure"
},
"description": "Appends the action taken to the summary shown on the adaptive card"
}
}
},
"expression": {
"and": [
{
"equals": [
"@body('Update_an_address_object_group')?['@status']",
"success"
]
}
]
},
"type": "If"
},
"Update_an_address_object_group": {
"runAfter": {
"Condition__to_check_if_user_chosen_Block": [
"Succeeded"
]
},
"type": "ApiConnection",
"inputs": {
"body": {
"entry": [
{
"@@name": "@parameters('Address Group')",
"static": {
"member": "@{variables('AddressGroupMembers')}"
}
}
]
},
"host": {
"connection": {
"name": "@parameters('$connections')['PaloAltoConnector']['connectionId']"
}
},
"method": "put",
"path": "/restapi/v10.0/Objects/AddressGroups",
"queries": {
"location": "vsys",
"name": "@parameters('Address Group')",
"vsys": "vsys1"
}
}
}
},
"runAfter": {
"Post_an_Adaptive_Card_to_a_Teams_channel_and_wait_for_a_response_3": [
"Succeeded"
]
},
"else": {
"actions": {
"Append_to_array_variable_URL_address_action_chosen": {
"type": "AppendToArrayVariable",
"inputs": {
"name": "URLAddressAction",
"value": "URL Address : @{triggerBody()?['Entity']?['properties']?['Url']}, Action Taken : @{body('Post_an_Adaptive_Card_to_a_Teams_channel_and_wait_for_a_response_3')['submitActionId']} , Status : Success "
},
"description": "This appends the action taken on the URL to the list of existing actions"
}
}
},
"expression": {
"and": [
{
"not": {
"equals": [
"@body('Post_an_Adaptive_Card_to_a_Teams_channel_and_wait_for_a_response_3')['submitActionId']",
"Ignore"
]
}
}
]
},
"type": "If",
"description": "Condition to check whether the submit action is Block / UnBlock or Ignore"
},
"Condition_to_check_if_URL_address_already_present_in_list_of_address_objects": {
"actions": {
"Condition_to_check_if_URL_already_present_in_predefined_address_group": {
"actions": {
"Append_address_group_text": {
"type": "AppendToArrayVariable",
"inputs": {
"name": "AdaptiveCardBody",
"value": {
"text": "The URL @{triggerBody()?['Entity']?['properties']?['Url']} is already a member of the blocked address group @{outputs('Configured_address_group')}",
"type": "TextBlock",
"wrap": true
}
},
"description": "append address group text to adaptive card dynamically"
},
"Filter_array_URL_address_from_the_list_of_address_objects_to_unreference": {
"runAfter": {
"Set_dynamic_action_name": [
"Succeeded"
]
},
"type": "Query",
"inputs": {
"from": "@variables('AddressGroupMembers')",
"where": "@not(equals(item(), triggerBody()?['Entity']?['properties']?['Url']))"
},
"description": "This filters the URL address out of the predefined address group members in order to unreference/unblock the URL"
},
"Set_dynamic_action_name": {
"runAfter": {
"Append_address_group_text": [
"Succeeded"
]
},
"type": "SetVariable",
"inputs": {
"name": "ActionName",
"value": "UnBlock URL"
},
"description": "Sets the action name variable dynamically"
},
"unreference_URL_address_from_the_existing_group_members": {
"runAfter": {
"Filter_array_URL_address_from_the_list_of_address_objects_to_unreference": [
"Succeeded"
]
},
"type": "SetVariable",
"inputs": {
"name": "AddressGroupMembers",
"value": "@body('Filter_array_URL_address_from_the_list_of_address_objects_to_unreference')"
},
"description": "Removes (unreferences) the URL address from the group members so the group can be updated"
}
},
"else": {
"actions": {
"Append_URL_address_to_the_address_group_members": {
"runAfter": {
"Append_address_group_text_to_adaptive_card_body": [
"Succeeded"
]
},
"type": "AppendToArrayVariable",
"inputs": {
"name": "AddressGroupMembers",
"value": "@triggerBody()?['Entity']?['properties']?['Url']"
},
"description": "Appends the URL address to the address group members"
},
"Append_address_group_text_to_adaptive_card_body": {
"type": "AppendToArrayVariable",
"inputs": {
"name": "AdaptiveCardBody",
"value": {
"text": "The URL @{triggerBody()?['Entity']?['properties']?['Url']} is not a member of the blocked address group @{outputs('Configured_address_group')}",
"type": "TextBlock",
"wrap": true
}
},
"description": "append address group text to adaptive card dynamically"
},
"Set_dynamic_action_name_to_variable_Action_name": {
"runAfter": {
"Append_URL_address_to_the_address_group_members": [
"Succeeded"
]
},
"type": "SetVariable",
"inputs": {
"name": "ActionName",
"value": "Block URL"
},
"description": "set action name dynamically"
}
}
},
"expression": {
"and": [
{
"contains": [
"@variables('AddressGroupMembers')",
"@triggerBody()?['Entity']?['properties']?['Url']"
]
}
]
},
"type": "If",
"description": "Condition to check whether the malicious URL address is present in the predefined address group as a static member"
}
},
"runAfter": {
"Condition_to_check_if_the_URL_is_a_part_of_security_policy_rules": [
"Succeeded"
]
},
"else": {
"actions": {
"Append_URL_to_array_of_address_group_members": {
"runAfter": {
"Append_to_array_variable_text_if_URL_is_not_a_member_of_blocked_address_group": [
"Succeeded"
]
},
"type": "AppendToArrayVariable",
"inputs": {
"name": "AddressGroupMembers",
"value": "@triggerBody()?['Entity']?['properties']?['Url']"
},
"description": "Appends the malicious URL address to the existing group members so it can be blocked / unblocked via the predefined address group"
},
"Append_to_array_variable_text_if_URL_is_not_a_member_of_blocked_address_group": {
"type": "AppendToArrayVariable",
"inputs": {
"name": "AdaptiveCardBody",
"value": {
"text": "The URL @{triggerBody()?['Entity']?['properties']?['Url']} is not a member of the blocked address group @{outputs('Configured_address_group')}",
"type": "TextBlock",
"wrap": true
}
},
"description": "This appends the text to display If URL is not a member of security policy rules"
},
"Set_variable_to_Block_URL": {
"runAfter": {
"Append_URL_to_array_of_address_group_members": [
"Succeeded"
]
},
"type": "SetVariable",
"inputs": {
"name": "ActionName",
"value": "Block URL"
},
"description": "This sets the ActionName variable to Block URL"
}
}
},
"expression": {
"and": [
{
"greater": [
"@length(body('Filter_array_of_URL_address_from_list_of_address_objects'))",
0
]
}
]
},
"type": "If",
"description": "This checks if URL is a member of any of the list of address objects"
},
"Condition_to_check_if_the_URL_is_a_part_of_security_policy_rules": {
"actions": {
"Append_policy_text": {
"type": "AppendToArrayVariable",
"inputs": {
"name": "AdaptiveCardBody",
"value": {
"text": "It is also member of the following security policy rules",
"type": "TextBlock"
}
},
"description": "dynamic policy text based on security policies"
},
"Append_security_policies": {
"runAfter": {
"Append_policy_text": [
"Succeeded"
]
},
"type": "AppendToArrayVariable",
"inputs": {
"name": "AdaptiveCardBody",
"value": {
"columns": [
{
"items": "@body('Select_security_policy_rules')",
"type": "Column"
}
],
"type": "ColumnSet"
}
},
"description": "Appends the security policy rules in which the URL address exists"
}
},
"runAfter": {
"Select_security_policy_rules": [
"Succeeded"
]
},
"else": {
"actions": {
"Append_policy_text_to_adaptive_card_body_variable": {
"type": "AppendToArrayVariable",
"inputs": {
"name": "AdaptiveCardBody",
"value": {
"text": "It is not a member of any other Policy Rules",
"type": "TextBlock"
}
},
"description": "dynamic policy text based on security policies"
},
"Append_security_policies_to_adaptive_card_body_variable": {
"runAfter": {
"Append_policy_text_to_adaptive_card_body_variable": [
"Succeeded"
]
},
"type": "AppendToArrayVariable",
"inputs": {
"name": "AdaptiveCardBody",
"value": "[variables('TemplateEmptyObject')]"
},
"description": "Appends the security policy rules in which the URL address exists"
}
}
},
"expression": {
"and": [
{
"greater": [
"@length(body('Select_security_policy_rules'))",
0
]
}
]
},
"type": "If",
"description": "Condition to check whether the URL address is present in the existing security policy rules, so that the policy text and the matching rules are added to the card conditionally"
},
"Configured_address_group": {
"runAfter": {
"Set_variable_address_group_members": [
"Succeeded"
]
},
"type": "Compose",
"inputs": "@body('List_address_groups')?['result']?['entry']?[0]?['@name']",
"description": "Composes the name of the predefined address group"
},
"Filter_array_URL_from_list_of_security_rules": {
"runAfter": {
"Configured_address_group": [
"Succeeded"
]
},
"type": "Query",
"inputs": {
"from": "@body('List_security_rules')?['result']?['entry']",
"where": "@contains(item()?['destination']?['member'], triggerBody()?['Entity']?['properties']?['Url'])"
},
"description": "This filters all the security rules in which this URL is a member"
},
"Filter_array_of_URL_address_from_list_of_address_objects": {
"runAfter": {
"Set_variable_adaptive_card_body": [
"Succeeded"
]
},
"type": "Query",
"inputs": {
"from": "@body('List_address_objects')?['result']?['entry']",
"where": "@equals(item()?['fqdn'], triggerBody()?['Entity']?['properties']?['Url'])"
},
"description": "This filters the list of address objects down to those that match this URL"
},
"Initialize_variable_URL_address_action": {
"runAfter": {
"Initialize_variable_address_group_members": [
"Succeeded"
]
},
"type": "InitializeVariable",
"inputs": {
"variables": [
{
"name": "URLAddressAction",
"type": "array"
}
]
},
"description": "This holds the action taken on each URL"
},
"Initialize_variable_action_name": {
"type": "InitializeVariable",
"inputs": {
"variables": [
{
"name": "ActionName",
"type": "string"
}
]
},
"description": "Variable to store the action name to be displayed on the adaptive card"
},
"Initialize_variable_adaptive_card_body": {
"runAfter": {
"Initialize_variable_action_name": [
"Succeeded"
]
},
"type": "InitializeVariable",
"inputs": {
"variables": [
{
"name": "AdaptiveCardBody",
"type": "array"
}
]
},
"description": "Variable to store the adaptive card body JSON"
},
"Initialize_variable_address_group_members": {
"runAfter": {
"Initialize_variable_adaptive_card_body": [
"Succeeded"
]
},
"type": "InitializeVariable",
"inputs": {
"variables": [
{
"name": "AddressGroupMembers",
"type": "array"
}
]
},
"description": "variable to store the list of address group members"
},
"List_address_groups": {
"runAfter": {
"Filter_array_of_URL_address_from_list_of_address_objects": [
"Succeeded"
]
},
"type": "ApiConnection",
"inputs": {
"host": {
"connection": {
"name": "@parameters('$connections')['PaloAltoConnector']['connectionId']"
}
},
"method": "get",
"path": "/restapi/v10.0/Objects/AddressGroups",
"queries": {
"location": "vsys",
"name": "urladdress",
"vsys": "vsys1"
}
},
"description": "This gets the complete list of address object groups present in PAN-OS"
},
"List_address_objects": {
"runAfter": {
"Initialize_variable_URL_address_action": [
"Succeeded"
]
},
"type": "ApiConnection",
"inputs": {
"host": {
"connection": {
"name": "@parameters('$connections')['PaloAltoConnector']['connectionId']"
}
},
"method": "get",
"path": "/restapi/v10.0/Objects/Addresses",
"queries": {
"location": "vsys",
"vsys": "vsys1"
}
},
"description": "This gets the complete list of address objects present in PAN-OS"
},
"List_security_rules": {
"runAfter": {
"List_address_objects": [
"Succeeded"
]
},
"type": "ApiConnection",
"inputs": {
"host": {
"connection": {
"name": "@parameters('$connections')['PaloAltoConnector']['connectionId']"
}
},
"method": "get",
"path": "/restapi/v10.0/Policies/SecurityRules",
"queries": {
"location": "vsys",
"vsys": "vsys1"
}
},
"description": "This gets the complete list of security policy rules present in PAN-OS"
},
"Post_an_Adaptive_Card_to_a_Teams_channel_and_wait_for_a_response": {
"runAfter": {
"Set_variable_actions_on_URL_to_be_displayed_on_adaptive_card": [
"Succeeded"
]
},
"type": "ApiConnectionWebhook",
"inputs": {
"body": {
"body": {
"messageBody": "{\n \"type\": \"AdaptiveCard\",\n \"body\": [\n {\n \"type\": \"TextBlock\",\n \n \"weight\": \"Bolder\",\n \"text\": \"Below is the summary of actions taken on URL's by SOC\",\n \"wrap\": true\n },\n {\n \"columns\": [\n {\n \"items\":@{body('Set_variable_actions_on_URL_to_be_displayed_on_adaptive_card')} ,\n \"type\": \"Column\",\n \"wrap\": true\n }\n ],\n \"separator\": \"true\",\n \"type\": \"ColumnSet\",\n \"width\": \"stretch\"\n},\n {\n \"text\": \" Incident No : \",\n \"type\": \"TextBlock\",\n \"weight\": \"Bolder\",\n \"wrap\": true\n },\n {\n \"type\": \"TextBlock\",\n \"text\": \"[Click here to view the Incident]()\",\n \"wrap\": true\n },\n\n {\n \"type\": \"ColumnSet\",\n \"columns\": [\n {\n \"type\": \"Column\",\n \"items\": [\n {\n \"type\": \"TextBlock\",\n \"size\": \"Medium\",\n \"weight\": \"Bolder\",\n \"text\": \"Incident configuration :\",\n \"wrap\": true\n }\n ],\n \"width\": \"auto\"\n }\n ]\n },\n {\n \"type\": \"ColumnSet\",\n \"columns\": [\n {\n \"type\": \"Column\",\n \"items\": [\n {\n \"type\": \"Image\",\n \"style\": \"Person\",\n \"url\": \"https://connectoricons-prod.azureedge.net/releases/v1.0.1391/1.0.1391.2130/azuresentinel/icon.png\",\n \"size\": \"Small\"\n }\n ],\n \"width\": \"auto\"\n }\n ]\n },\n {\n \"type\": \"TextBlock\",\n \"text\": \"Close Microsoft Sentinel incident?\"\n },\n {\n \"choices\": [\n {\n \"isSelected\": true,\n \"title\": \"False Positive - Inaccurate Data\",\n \"value\": \"False Positive - Inaccurate Data\"\n },\n {\n \"isSelected\": true,\n \"title\": \"False Positive - Incorrect Alert Logic\",\n \"value\": \"False Positive - Incorrect Alert Logic\"\n },\n {\n \"title\": \"True Positive - Suspicious Activity\",\n \"value\": \"True Positive - Suspicious Activity\"\n },\n {\n \"title\": \"Benign Positive - Suspicious But Expected\",\n \"value\": \"Benign Positive - Suspicious But Expected\"\n },\n {\n \"title\": \"Undetermined\",\n \"value\": \"Undetermined\"\n }\n ],\n \"id\": 
\"incidentStatus\",\n \"style\": \"compact\",\n \"type\": \"Input.ChoiceSet\",\n \"value\": \"Benign Positive - Suspicious But Expected\"\n },\n {\n \"type\": \"TextBlock\",\n \"text\": \"Change Microsoft Sentinel Incident Severity?\"\n },\n {\n \"choices\": [\n {\n \n \"title\": \"High\",\n \"value\": \"High\"\n },\n {\n \"title\": \"Medium\",\n \"value\": \"Medium\"\n },\n {\n \"title\": \"Low\",\n \"value\": \"Low\"\n },\n {\n \"title\": \"Don't change\",\n \"value\": \"same\"\n }\n ],\n \"id\": \"incidentSeverity\",\n \"style\": \"compact\",\n \"type\": \"Input.ChoiceSet\",\n \"value\": \"\"\n }\n \n \n \n ],\n\"width\":\"auto\",\n \"actions\": [\n {\n \"type\": \"Action.Submit\",\n \"title\": \"Change incident configuration\"\n },\n {\n \"type\": \"Action.Submit\",\n \"title\": \"Ignore\"\n }\n ],\n \"$schema\": \"http://adaptivecards.io/schemas/adaptive-card.json\",\n \"version\": \"1.2\"\n}",
"recipient": {
"channelId": "@parameters('Teams channel Id')"
},
"shouldUpdateCard": true
},
"notificationUrl": "@{listCallbackUrl()}"
},
"host": {
"connection": {
"name": "@parameters('$connections')['teams']['connectionId']"
}
},
"path": "/flowbot/actions/flowcontinuation/recipienttypes/channel/$subscriptions",
"queries": {
"groupId": "@parameters('Teams Group Id')"
}
}
},
"Post_an_Adaptive_Card_to_a_Teams_channel_and_wait_for_a_response_3": {
"runAfter": {
"Condition_to_check_if_URL_address_already_present_in_list_of_address_objects": [
"Succeeded"
]
},
"type": "ApiConnectionWebhook",
"inputs": {
"body": {
"body": {
"messageBody": "{\n \"type\": \"AdaptiveCard\",\n \"body\":@{variables('AdaptiveCardBody')} ,\n \"actions\": [\n {\n \"title\": \"@{variables('ActionName')} ( add to @{outputs('Configured_address_group')} address group )\",\n \"type\": \"Action.Submit\"\n },\n {\n \"title\": \"Ignore\",\n \"type\": \"Action.Submit\"\n }\n],\n \"$schema\": \"http://adaptivecards.io/schemas/adaptive-card.json\",\n \"version\": \"1.2\"\n}",
"recipient": {
"channelId": "@parameters('Teams channel Id')"
},
"shouldUpdateCard": true
},
"notificationUrl": "@{listCallbackUrl()}"
},
"host": {
"connection": {
"name": "@parameters('$connections')['teams']['connectionId']"
}
},
"path": "/flowbot/actions/flowcontinuation/recipienttypes/channel/$subscriptions",
"queries": {
"groupId": "@parameters('Teams Group Id')"
}
}
},
"Select_security_policy_rules": {
"runAfter": {
"Filter_array_URL_from_list_of_security_rules": [
"Succeeded"
]
},
"type": "Select",
"inputs": {
"from": "@body('Filter_array_URL_from_list_of_security_rules')",
"select": {
"text": " @{item()?['@name']}, action : @{item()?['action']}",
"type": "TextBlock",
"weight": "bolder"
}
},
"description": "Prepares the column items that show the security policy rules in the adaptive card when the URL address is present"
},
"Set_variable_actions_on_URL_to_be_displayed_on_adaptive_card": {
"runAfter": {
"Condition_based_on_user_inputs_from_the_adaptive_card": [
"Succeeded"
]
},
"type": "Select",
"inputs": {
"from": "@variables('URLAddressAction')",
"select": {
"text": "@item()",
"type": "TextBlock"
}
},
"description": "This composes the list of actions taken by the SOC on the respective URL addresses"
},
"Set_variable_adaptive_card_body": {
"runAfter": {
"List_security_rules": [
"Succeeded"
]
},
"type": "SetVariable",
"inputs": {
"name": "AdaptiveCardBody",
"value": [
{
"size": "Large",
"text": "Suspicious URL - Microsoft Sentinel",
"type": "TextBlock",
"weight": "Bolder",
"wrap": true
},
{
"text": "Possible Compromised URL @{triggerBody()?['Entity']?['properties']?['Url']} detected by the provider : ",
"type": "TextBlock",
"wrap": true
},
{
"text": " Incident ",
"type": "TextBlock",
"weight": "Bolder",
"wrap": true
},
{
"text": " Incident No : ",
"type": "TextBlock",
"weight": "Bolder",
"wrap": true
},
{
"text": "Incident description",
"type": "TextBlock",
"weight": "Bolder",
"wrap": true
},
{
"text": "[variables('blanks')]",
"type": "TextBlock",
"wrap": true
},
{
"text": "[[[[Click here to view the Incident]()",
"type": "TextBlock",
"wrap": true
},
{
"size": "Medium",
"text": "Response in PAN-OS",
"type": "TextBlock",
"weight": "Bolder"
},
{
"size": "Small",
"style": "Person",
"type": "Image",
"url": "https://avatars2.githubusercontent.com/u/4855743?s=280&v=4"
}
]
},
"description": "variable to hold adaptive card body"
},
"Set_variable_address_group_members": {
"runAfter": {
"List_address_groups": [
"Succeeded"
]
},
"type": "SetVariable",
"inputs": {
"name": "AddressGroupMembers",
"value": "@body('List_address_groups')?['result']?['entry']?[0]?['static']?['member']"
},
"description": "Assigns the list of address group members"
}
}
},
"parameters": {
"$connections": {
"value": {
"PaloAltoConnector": {
"connectionId": "[[resourceId('Microsoft.Web/connections', variables('PaloaltoconnectorConnectionName'))]",
"connectionName": "[[variables('PaloaltoconnectorConnectionName')]",
"id": "[[concat('/subscriptions/', subscription().subscriptionId, '/resourceGroups/', resourceGroup().name, '/providers/Microsoft.Web/customApis/', parameters('CustomConnectorName'))]"
},
"azuresentinel": {
"connectionId": "[[resourceId('Microsoft.Web/connections', variables('MicrosoftSentinelConnectionName'))]",
"connectionName": "[[variables('MicrosoftSentinelConnectionName')]",
"id": "[[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', variables('workspace-location-inline'), '/managedApis/Azuresentinel')]",
"connectionProperties": {
"authentication": {
"type": "ManagedServiceIdentity"
}
}
},
"teams": {
"connectionId": "[[resourceId('Microsoft.Web/connections', variables('TeamsConnectionName'))]",
"connectionName": "[[variables('TeamsConnectionName')]",
"id": "[[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', variables('workspace-location-inline'), '/managedApis/Teams')]"
}
}
}
}
},
"name": "[[parameters('PlaybookName')]",
"type": "Microsoft.Logic/workflows",
"location": "[[variables('workspace-location-inline')]",
"identity": {
"type": "SystemAssigned"
},
"tags": {
"hidden-SentinelTemplateName": "PaloAlto-PAN-OS-BlockURL-EntityTrigger",
"hidden-SentinelTemplateVersion": "1.0",
"hidden-SentinelWorkspaceId": "[[variables('workspaceResourceId')]"
},
"apiVersion": "2017-07-01",
"dependsOn": [
"[[resourceId('Microsoft.Web/connections', variables('PaloaltoconnectorConnectionName'))]",
"[[resourceId('Microsoft.Web/connections', variables('MicrosoftSentinelConnectionName'))]",
"[[resourceId('Microsoft.Web/connections', variables('TeamsConnectionName'))]"
]
},
{
"type": "Microsoft.Web/connections",
"apiVersion": "2016-06-01",
"name": "[[variables('PaloaltoconnectorConnectionName')]",
"location": "[[variables('workspace-location-inline')]",
"kind": "V1",
"properties": {
"displayName": "[[variables('PaloaltoconnectorConnectionName')]",
"api": {
"id": "[[variables('_connection-2')]"
}
}
},
{
"type": "Microsoft.Web/connections",
"apiVersion": "2016-06-01",
"name": "[[variables('MicrosoftSentinelConnectionName')]",
"location": "[[variables('workspace-location-inline')]",
"kind": "V1",
"properties": {
"displayName": "[[variables('MicrosoftSentinelConnectionName')]",
"parameterValueType": "Alternative",
"api": {
"id": "[[variables('_connection-3')]"
}
}
},
{
"type": "Microsoft.Web/connections",
"apiVersion": "2016-06-01",
"name": "[[variables('TeamsConnectionName')]",
"location": "[[variables('workspace-location-inline')]",
"kind": "V1",
"properties": {
"displayName": "[[variables('TeamsConnectionName')]",
"api": {
"id": "[[variables('_connection-4')]"
}
}
},
{
"type": "Microsoft.OperationalInsights/workspaces/providers/metadata",
"apiVersion": "2022-01-01-preview",
"name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('Playbook-', last(split(variables('playbookId8'),'/'))))]",
"properties": {
"parentId": "[variables('playbookId8')]",
"contentId": "[variables('_playbookContentId8')]",
"kind": "Playbook",
"version": "[variables('playbookVersion8')]",
"source": {
"kind": "Solution",
"name": "PaloAlto-PAN-OS",
"sourceId": "[variables('_solutionId')]"
},
"author": {
"name": "Microsoft",
"email": "[variables('_email')]"
},
"support": {
"name": "Microsoft Corporation",
"email": "support@microsoft.com",
"tier": "Microsoft",
"link": "https://support.microsoft.com"
},
"dependencies": {
"criteria": [
{
"kind": "LogicAppsCustomConnector",
"contentId": "[variables('_PaloAlto_PAN-OS_Rest_API_CustomConnector')]",
"version": "[variables('playbookVersion1')]"
}
]
}
}
}
],
"metadata": {
"comments": "This playbook uses the PaloAlto connector to take actions on a URL address, such as Block URL / Unblock URL via the predefined address group, and also gives an option to close the incident.",
"title": "PaloAlto-PAN-OS-BlockURL-EntityTrigger",
"description": "This playbook allows blocking/unblocking URLs in PaloAlto, using a **predefined address group**. It makes changes to the predefined address group, which is attached to a security policy rule.",
"prerequisites": [
"1. The PaloAlto connector needs to be deployed under the same subscription prior to the deployment of this playbook. Relevant instructions can be found on the connector doc page. \n\n 2. Generate an API key. [Refer to this link on how to generate the API key](https://docs.paloaltonetworks.com/pan-os/9-1/pan-os-panorama-api/get-started-with-the-pan-os-xml-api/get-your-api-key) \n\n 3. An address group should be created in PAN-OS and its name should be supplied when creating the playbooks."
],
"lastUpdateTime": "2023-05-30T00:00:00Z",
"entities": [
"Url"
],
"tags": [
"Remediation",
"Response from teams"
],
"postDeployment": [
"**a. Authorize connections** \n\n Once deployment is complete, you will need to authorize each connection. \n\n 1. Click the Microsoft Sentinel connection resource \n\n 2. Click Edit API connection \n\n 3. Click Authorize \n\n 4. Sign in \n\n 5. Click Save \n\n 6. Repeat these steps for the other connections, such as the Teams connection and the PAN-OS API connection (for authorizing the PAN-OS API connection, the API key needs to be provided) \n\n **b. Configurations in Sentinel** \n\n 1. In Microsoft Sentinel, analytics rules should be configured to trigger an incident with a risky URL \n\n 2. Configure the automation rules to trigger this playbook"
],
"releaseNotes": {
"version": "1.0",
"title": "[variables('blanks')]",
"notes": [
"Initial version"
]
}
}
},
"packageKind": "Solution",
"packageVersion": "[variables('_solutionVersion')]",
"packageName": "[variables('_solutionName')]",
"packageId": "[variables('_solutionId')]",
"contentSchemaVersion": "3.0.0",
"contentId": "[variables('_playbookContentId8')]",
"contentKind": "Playbook",
"displayName": "PaloAlto-PAN-OS-BlockURL-EntityTrigger",
"contentProductId": "[variables('_playbookcontentProductId8')]",
"id": "[variables('_playbookcontentProductId8')]",
"version": "[variables('playbookVersion8')]"
}
},
{
"type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates",
"apiVersion": "2023-04-01-preview",
"name": "[variables('playbookTemplateSpecName9')]",
"location": "[parameters('workspace-location')]",
"dependsOn": [
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
"description": "PaloAlto-PAN-OS-BlockIP-EntityTrigger Playbook with template version 3.0.1",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('playbookVersion9')]",
"parameters": {
"PlaybookName": {
"defaultValue": "PaloAlto-PAN-OS-BlockIP-EntityTrigger",
"type": "string"
},
"Address Group": {
"type": "string",
"metadata": {
"description": "Enter value for Address Group"
}
},
"Teams Group Id": {
"type": "string",
"metadata": {
"description": "Enter value for Teams Group Id"
}
},
"Teams channel Id": {
"type": "string",
"metadata": {
"description": "Enter value for Teams channel Id"
}
},
"CustomConnectorName": {
"defaultValue": "PAN-OSRestApiCustomConnector",
"type": "string",
"metadata": {
"description": "Name of the custom connector. If you change the default name, make sure to use the same name in all Palo Alto automation playbooks as well"
}
}
},
"variables": {
"PaloaltoconnectorConnectionName": "[[concat('Paloaltoconnector-', parameters('PlaybookName'))]",
"MicrosoftSentinelConnectionName": "[[concat('MicrosoftSentinel-', parameters('PlaybookName'))]",
"TeamsConnectionName": "[[concat('Teams-', parameters('PlaybookName'))]",
"connection-2": "[[concat('/subscriptions/', subscription().subscriptionId, '/resourceGroups/', resourceGroup().name, '/providers/Microsoft.Web/customApis/', parameters('CustomConnectorName'))]",
"_connection-2": "[[variables('connection-2')]",
"connection-3": "[[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', variables('workspace-location-inline'), '/managedApis/Azuresentinel')]",
"_connection-3": "[[variables('connection-3')]",
"connection-4": "[[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', variables('workspace-location-inline'), '/managedApis/Teams')]",
"_connection-4": "[[variables('connection-4')]",
"workspace-location-inline": "[concat('[resourceGroup().locatio', 'n]')]",
"workspace-name": "[parameters('workspace')]",
"workspaceResourceId": "[[resourceId('microsoft.OperationalInsights/Workspaces', variables('workspace-name'))]"
},
"resources": [
{
"properties": {
"provisioningState": "Succeeded",
"state": "Enabled",
"definition": {
"$schema": "https://schema.management.azure.com/providers/Microsoft.Logic/schemas/2016-06-01/workflowdefinition.json#",
"contentVersion": "1.0.0.0",
"parameters": {
"$connections": {
"type": "Object"
},
"Address Group": {
"type": "string",
"defaultValue": "[[parameters('Address Group')]"
},
"Teams Group Id": {
"type": "string",
"defaultValue": "[[parameters('Teams Group Id')]"
},
"Teams channel Id": {
"type": "string",
"defaultValue": "[[parameters('Teams channel Id')]"
}
},
"triggers": {
"Microsoft_Sentinel_entity": {
"type": "ApiConnectionWebhook",
"inputs": {
"body": {
"callback_url": "@{listCallbackUrl()}"
},
"host": {
"connection": {
"name": "@parameters('$connections')['azuresentinel']['connectionId']"
}
},
"path": "/entity/@{encodeURIComponent('IP')}"
}
}
},
"actions": {
"Condition_based_on_the_incident_configuration_from_adaptive_card": {
"actions": {
"Add_comment_to_incident_(V3)": {
"type": "ApiConnection",
"inputs": {
"body": {
"incidentArmId": "@triggerBody()?['IncidentArmID']",
"message": "<p>PAN-OS Playbook ran and performed the following actions:<br>\n@{variables('IPAddressAction')}<br>\n<br>\n<br>\n<br>\nActions taken on Sentinel : Add comment to incident and closure with classification reason &nbsp;@{body('Post_an_Adaptive_Card_to_a_Teams_channel_and_wait_for_a_response')['data']['incidentStatus']}</p>"
},
"host": {
"connection": {
"name": "@parameters('$connections')['azuresentinel']['connectionId']"
}
},
"method": "post",
"path": "/Incidents/Comment"
}
},
"Update_incident": {
"runAfter": {
"Add_comment_to_incident_(V3)": [
"Succeeded"
]
},
"type": "ApiConnection",
"inputs": {
"body": {
"classification": {
"ClassificationAndReason": "@{body('Post_an_Adaptive_Card_to_a_Teams_channel_and_wait_for_a_response')['data']['incidentStatus']}"
},
"incidentArmId": "@triggerBody()?['IncidentArmID']",
"severity": "@{body('Post_an_Adaptive_Card_to_a_Teams_channel_and_wait_for_a_response')['data']['incidentSeverity']}",
"status": "Closed"
},
"host": {
"connection": {
"name": "@parameters('$connections')['azuresentinel']['connectionId']"
}
},
"method": "put",
"path": "/Incidents"
}
}
},
"runAfter": {
"Post_an_Adaptive_Card_to_a_Teams_channel_and_wait_for_a_response": [
"Succeeded"
]
},
"expression": {
"and": [
{
"equals": [
"@body('Post_an_Adaptive_Card_to_a_Teams_channel_and_wait_for_a_response')['submitActionId']",
"Change incident configuration"
]
},
{
"not": {
"equals": [
"@triggerBody()?['IncidentArmID']",
"@null"
]
}
}
]
},
"type": "If",
"description": "This decides the action taken on the summarized adaptive card"
},
"Condition_based_on_user_inputs_from_the_adaptive_card": {
"actions": {
"Condition__to_check_if_user_chosen_Block_IP": {
"actions": {
"Create_an_address_object": {
"type": "ApiConnection",
"inputs": {
"body": {
"entry": {
"@@name": "@triggerBody()?['Entity']?['properties']?['Address']",
"description": "@triggerBody()?['Entity']?['properties']?['Address']",
"ip-netmask": "@triggerBody()?['Entity']?['properties']?['Address']"
}
},
"host": {
"connection": {
"name": "@parameters('$connections')['PaloAltoConnector']['connectionId']"
}
},
"method": "post",
"path": "/restapi/v10.0/Objects/Addresses",
"queries": {
"address type": "ip-netmask",
"location": "vsys",
"name": "@triggerBody()?['Entity']?['properties']?['Address']",
"vsys": "vsys1"
}
},
"description": "This creates a new address object for the malicious IP"
}
},
"expression": {
"and": [
{
"equals": [
"@body('Post_an_Adaptive_Card_to_a_Teams_channel_and_wait_for_a_response_3')['submitActionId']",
"Block IP ( add to @{outputs('Configured_address_group')} address group )"
]
},
{
"equals": [
"@length(body('Filter_array_of_Ip_address_from_list_of_address_objects'))",
0
]
}
]
},
"type": "If",
"description": "This checks if the user chooses Block IP"
},
"Condition_to_check_the_edit_an_address_object_group_status": {
"actions": {
"Condition_to_check_the_action_of_adaptive_card_to_set_the_action_summary": {
"actions": {
"Append_success_status_Blocked_IP_status_to_summary_card": {
"type": "AppendToArrayVariable",
"inputs": {
"name": "IPAddressAction",
"value": "IP Address : @{triggerBody()?['Entity']?['properties']?['Address']} , Action Taken : Blocked by \n adding to @{outputs('Configured_address_group')} , Status : Success"
},
"description": "append the action taken to the summary adaptive card"
}
},
"else": {
"actions": {
"Append_success_status_UnBlocked_IP_status_to_summary_card": {
"type": "AppendToArrayVariable",
"inputs": {
"name": "IPAddressAction",
"value": "IP Address : @{triggerBody()?['Entity']?['properties']?['Address']} , Action Taken : UnBlocked by \n removing from @{outputs('Configured_address_group')} , Status : Success"
},
"description": "append the action taken to the summary adaptive card"
}
}
},
"expression": {
"and": [
{
"equals": [
"@body('Post_an_Adaptive_Card_to_a_Teams_channel_and_wait_for_a_response_3')['submitActionId']",
"Block IP ( add to @{outputs('Configured_address_group')} address group )"
]
}
]
},
"type": "If"
}
},
"runAfter": {
"Update_an_address_object_group": [
"Succeeded"
]
},
"else": {
"actions": {
"Append_failure_status_to_summary_card": {
"type": "AppendToArrayVariable",
"inputs": {
"name": "IPAddressAction",
"value": "IP Address : @{triggerBody()?['Entity']?['properties']?['Address']} , Action Taken : @{body('Post_an_Adaptive_Card_to_a_Teams_channel_and_wait_for_a_response_3')['submitActionId']} , Status : Failure"
},
"description": "append the action taken to the summary adaptive card"
}
}
},
"expression": {
"and": [
{
"equals": [
"@body('Update_an_address_object_group')?['@status']",
"success"
]
}
]
},
"type": "If"
},
"Update_an_address_object_group": {
"runAfter": {
"Condition__to_check_if_user_chosen_Block_IP": [
"Succeeded"
]
},
"type": "ApiConnection",
"inputs": {
"body": {
"entry": [
{
"@@name": "@parameters('Address Group')",
"static": {
"member": "@{variables('AddressGroupMembers')}"
}
}
]
},
"host": {
"connection": {
"name": "@parameters('$connections')['PaloAltoConnector']['connectionId']"
}
},
"method": "put",
"path": "/restapi/v10.0/Objects/AddressGroups",
"queries": {
"location": "vsys",
"name": "@parameters('Address Group')",
"vsys": "vsys1"
}
}
}
},
"runAfter": {
"Post_an_Adaptive_Card_to_a_Teams_channel_and_wait_for_a_response_3": [
"Succeeded"
]
},
"else": {
"actions": {
"Append_to_array_variable_Ip_address_action_chosen": {
"type": "AppendToArrayVariable",
"inputs": {
"name": "IPAddressAction",
"value": "IP Address : @{triggerBody()?['Entity']?['properties']?['Address']} , Action Taken : @{body('Post_an_Adaptive_Card_to_a_Teams_channel_and_wait_for_a_response_3')['submitActionId']} , Status : Success "
},
"description": "This appends the action taken on IP to the list of existing actions"
}
}
},
"expression": {
"and": [
{
"not": {
"equals": [
"@body('Post_an_Adaptive_Card_to_a_Teams_channel_and_wait_for_a_response_3')['submitActionId']",
"Ignore"
]
}
}
]
},
"type": "If",
"description": "condition to check whether the submit action is Block / UnBlock or Ignore"
},
"Condition_to_check_if_Ip_address_already_present_in_list_of_address_objects": {
"actions": {
"Condition_to_check_if_Ip_already_present_in_predefined_address_group": {
"actions": {
"Append_address_group_text": {
"type": "AppendToArrayVariable",
"inputs": {
"name": "AdaptiveCardBody",
"value": {
"text": "The IP @{triggerBody()?['Entity']?['properties']?['Address']} is already a member of the blocked address group @{outputs('Configured_address_group')}",
"type": "TextBlock",
"wrap": true
}
},
"description": "append address group text to adaptive card dynamically"
},
"Filter_array_IP_address_from_the_list_of_address_objects_to_unreference": {
"runAfter": {
"Set_dynamic_action_name": [
"Succeeded"
]
},
"type": "Query",
"inputs": {
"from": "@variables('AddressGroupMembers')",
"where": "@not(equals(item(), triggerBody()?['Entity']?['properties']?['Address']))"
},
"description": "This filters the IP address out of the predefined address group members to unreference/unblock it"
},
"Set_dynamic_action_name": {
"runAfter": {
"Append_address_group_text": [
"Succeeded"
]
},
"type": "SetVariable",
"inputs": {
"name": "ActionName",
"value": "UnBlock IP"
},
"description": "set the action name variable dynamically"
},
"unreference_IP_address_from_the_existing_group_members": {
"runAfter": {
"Filter_array_IP_address_from_the_list_of_address_objects_to_unreference": [
"Succeeded"
]
},
"type": "SetVariable",
"inputs": {
"name": "AddressGroupMembers",
"value": "@body('Filter_array_IP_address_from_the_list_of_address_objects_to_unreference')"
},
"description": "remove the IP address from the group members and update the variable"
}
},
"else": {
"actions": {
"Append_IP_address_to_the_address_group_members": {
"runAfter": {
"Append_address_group_text_to_adaptive_card_body": [
"Succeeded"
]
},
"type": "AppendToArrayVariable",
"inputs": {
"name": "AddressGroupMembers",
"value": "@triggerBody()?['Entity']?['properties']?['Address']"
},
"description": "append IP address to the address group members"
},
"Append_address_group_text_to_adaptive_card_body": {
"type": "AppendToArrayVariable",
"inputs": {
"name": "AdaptiveCardBody",
"value": {
"text": "The IP @{triggerBody()?['Entity']?['properties']?['Address']} is not a member of the blocked address group @{outputs('Configured_address_group')}",
"type": "TextBlock",
"wrap": true
}
},
"description": "append address group text to adaptive card dynamically"
},
"Set_dynamic_action_name_to_variable_Action_name": {
"runAfter": {
"Append_IP_address_to_the_address_group_members": [
"Succeeded"
]
},
"type": "SetVariable",
"inputs": {
"name": "ActionName",
"value": "Block IP"
},
"description": "set action name dynamically"
}
}
},
"expression": {
"and": [
{
"contains": [
"@variables('AddressGroupMembers')",
"@triggerBody()?['Entity']?['properties']?['Address']"
]
}
]
},
"type": "If",
"description": "condition to check whether the malicious IP address is already a static member of the predefined address group"
}
},
"runAfter": {
"Condition_to_check_if_the_IP_is_a_part_of_security_policy_rules": [
"Succeeded"
]
},
"else": {
"actions": {
"Append_IP_to_array_of_address_group_members": {
"runAfter": {
"Append_to_array_variable_text_if_IP_is_not_a_member_of_blocked_address_group": [
"Succeeded"
]
},
"type": "AppendToArrayVariable",
"inputs": {
"name": "AddressGroupMembers",
"value": "@triggerBody()?['Entity']?['properties']?['Address']"
},
"description": "append the Malicious IP address to the existing group members to block / unblock from the predefined address group"
},
"Append_to_array_variable_text_if_IP_is_not_a_member_of_blocked_address_group": {
"type": "AppendToArrayVariable",
"inputs": {
"name": "AdaptiveCardBody",
"value": {
"text": "The IP @{triggerBody()?['Entity']?['properties']?['Address']} is not a member of the blocked address group @{outputs('Configured_address_group')}",
"type": "TextBlock",
"wrap": true
}
},
"description": "This appends the text to display if the IP is not a member of the blocked address group"
},
"Set_variable_to_Block_Ip": {
"runAfter": {
"Append_IP_to_array_of_address_group_members": [
"Succeeded"
]
},
"type": "SetVariable",
"inputs": {
"name": "ActionName",
"value": "Block IP"
},
"description": "This sets the action name variable to Block IP"
}
}
},
"expression": {
"and": [
{
"greater": [
"@length(body('Filter_array_of_Ip_address_from_list_of_address_objects'))",
0
]
}
]
},
"type": "If",
"description": "This checks whether the IP matches any entry in the list of address objects"
},
"Condition_to_check_if_the_IP_is_a_part_of_security_policy_rules": {
"actions": {
"Append_policy_text": {
"type": "AppendToArrayVariable",
"inputs": {
"name": "AdaptiveCardBody",
"value": {
"text": "It is also member of the following security policy rules",
"type": "TextBlock"
}
},
"description": "dynamic policy text based on security policies"
},
"Append_security_policies": {
"runAfter": {
"Append_policy_text": [
"Succeeded"
]
},
"type": "AppendToArrayVariable",
"inputs": {
"name": "AdaptiveCardBody",
"value": {
"columns": [
{
"items": "@body('Select_security_policy_rules')",
"type": "Column"
}
],
"type": "ColumnSet"
}
},
"description": "append the security policy rules in which the IP address exists"
}
},
"runAfter": {
"Select_security_policy_rules": [
"Succeeded"
]
},
"else": {
"actions": {
"Append_policy_text_to_adaptive_card_body_variable": {
"type": "AppendToArrayVariable",
"inputs": {
"name": "AdaptiveCardBody",
"value": {
"text": "It is not a member of any other Policy Rules",
"type": "TextBlock"
}
},
"description": "dynamic policy text based on security policies"
},
"Append_security_policies_to_adaptive_card_body_variable": {
"runAfter": {
"Append_policy_text_to_adaptive_card_body_variable": [
"Succeeded"
]
},
"type": "AppendToArrayVariable",
"inputs": {
"name": "AdaptiveCardBody",
"value": "[variables('TemplateEmptyObject')]"
},
"description": "append security policies which the IP address is exist"
}
}
},
"expression": {
"and": [
{
"greater": [
"@length(body('Select_security_policy_rules'))",
0
]
}
]
},
"type": "If",
"description": "condition to check if the IP address is present in the existing security policy rules to conditionally apply the policy text and security policy rules"
},
"Configured_address_group": {
"runAfter": {
"Set_variable_address_group_members": [
"Succeeded"
]
},
"type": "Compose",
"inputs": "@body('List_address_groups')?['result']?['entry']?[0]?['@name']",
"description": "compose the predefined address group name"
},
"Filter_array_Ip_from_list_of_security_rules": {
"runAfter": {
"Configured_address_group": [
"Succeeded"
]
},
"type": "Query",
"inputs": {
"from": "@body('List_security_rules')?['result']?['entry']",
"where": "@contains(item()?['source']?['member'], triggerBody()?['Entity']?['properties']?['Address'])"
},
"description": "This filters all the security rules in which this IP is a member"
},
"Filter_array_of_Ip_address_from_list_of_address_objects": {
"runAfter": {
"Set_variable_adaptive_card_body": [
"Succeeded"
]
},
"type": "Query",
"inputs": {
"from": "@body('List_address_objects')?['result']?['entry']",
"where": "@equals(item()?['ip-netmask'], triggerBody()?['Entity']?['properties']?['Address'])"
},
"description": "This filters the list of address objects that match this IP"
},
"Initialize_variable_IP_address_action": {
"runAfter": {
"Initialize_variable_address_group_members": [
"Succeeded"
]
},
"type": "InitializeVariable",
"inputs": {
"variables": [
{
"name": "IPAddressAction",
"type": "array"
}
]
},
"description": "This holds the action taken on each IP"
},
"Initialize_variable_action_name": {
"type": "InitializeVariable",
"inputs": {
"variables": [
{
"name": "ActionName",
"type": "string"
}
]
},
"description": "variable to store action name to be displayed on adaptive card"
},
"Initialize_variable_adaptive_card_body": {
"runAfter": {
"Initialize_variable_action_name": [
"Succeeded"
]
},
"type": "InitializeVariable",
"inputs": {
"variables": [
{
"name": "AdaptiveCardBody",
"type": "array"
}
]
},
"description": "variable to store adaptive card body json"
},
"Initialize_variable_address_group_members": {
"runAfter": {
"Initialize_variable_adaptive_card_body": [
"Succeeded"
]
},
"type": "InitializeVariable",
"inputs": {
"variables": [
{
"name": "AddressGroupMembers",
"type": "array"
}
]
},
"description": "variable to store the list of address group members"
},
"List_address_groups": {
"runAfter": {
"Filter_array_of_Ip_address_from_list_of_address_objects": [
"Succeeded"
]
},
"type": "ApiConnection",
"inputs": {
"host": {
"connection": {
"name": "@parameters('$connections')['PaloAltoConnector']['connectionId']"
}
},
"method": "get",
"path": "/restapi/v10.0/Objects/AddressGroups",
"queries": {
"location": "vsys",
"name": "testaddressgroup",
"vsys": "vsys1"
}
},
"description": "This gets the address object group selected by the fixed name query (testaddressgroup) from the PAN-OS; note that the later update step targets parameters('Address Group') instead"
},
"List_address_objects": {
"runAfter": {
"Initialize_variable_IP_address_action": [
"Succeeded"
]
},
"type": "ApiConnection",
"inputs": {
"host": {
"connection": {
"name": "@parameters('$connections')['PaloAltoConnector']['connectionId']"
}
},
"method": "get",
"path": "/restapi/v10.0/Objects/Addresses",
"queries": {
"location": "vsys",
"vsys": "vsys1"
}
},
"description": "This gets the complete list of address objects present in the PAN-OS"
},
"List_security_rules": {
"runAfter": {
"List_address_objects": [
"Succeeded"
]
},
"type": "ApiConnection",
"inputs": {
"host": {
"connection": {
"name": "@parameters('$connections')['PaloAltoConnector']['connectionId']"
}
},
"method": "get",
"path": "/restapi/v10.0/Policies/SecurityRules",
"queries": {
"location": "vsys",
"vsys": "vsys1"
}
},
"description": "This gets the complete list of security policy rules present in the PAN-OS"
},
"Post_an_Adaptive_Card_to_a_Teams_channel_and_wait_for_a_response": {
"runAfter": {
"Set_variable_actions_on_IP_to_be_displayed_on_adaptive_card": [
"Succeeded"
]
},
"type": "ApiConnectionWebhook",
"inputs": {
"body": {
"body": {
"messageBody": "{\n \"type\": \"AdaptiveCard\",\n \"body\": [\n {\n \"type\": \"TextBlock\",\n \n \"weight\": \"Bolder\",\n \"text\": \"Below is the summary of actions taken on IP's by SOC\",\n \"wrap\": true\n },\n {\n \"columns\": [\n {\n \"items\":@{body('Set_variable_actions_on_IP_to_be_displayed_on_adaptive_card')} ,\n \"type\": \"Column\",\n \"wrap\": true\n }\n ],\n \"separator\": \"true\",\n \"type\": \"ColumnSet\",\n \"width\": \"stretch\"\n},\n {\n \"text\": \" Incident No : \",\n \"type\": \"TextBlock\",\n \"weight\": \"Bolder\",\n \"wrap\": true\n },\n {\n \"type\": \"TextBlock\",\n \"text\": \"[Click here to view the Incident]()\",\n \"wrap\": true\n },\n\n {\n \"type\": \"ColumnSet\",\n \"columns\": [\n {\n \"type\": \"Column\",\n \"items\": [\n {\n \"type\": \"TextBlock\",\n \"size\": \"Medium\",\n \"weight\": \"Bolder\",\n \"text\": \"Incident configuration :\",\n \"wrap\": true\n }\n ],\n \"width\": \"auto\"\n }\n ]\n },\n {\n \"type\": \"ColumnSet\",\n \"columns\": [\n {\n \"type\": \"Column\",\n \"items\": [\n {\n \"type\": \"Image\",\n \"style\": \"Person\",\n \"url\": \"https://connectoricons-prod.azureedge.net/releases/v1.0.1391/1.0.1391.2130/azuresentinel/icon.png\",\n \"size\": \"Small\"\n }\n ],\n \"width\": \"auto\"\n }\n ]\n },\n {\n \"type\": \"TextBlock\",\n \"text\": \"Close Microsoft Sentinel incident?\"\n },\n {\n \"choices\": [\n {\n \"isSelected\": true,\n \"title\": \"False Positive - Inaccurate Data\",\n \"value\": \"False Positive - Inaccurate Data\"\n },\n {\n \"isSelected\": true,\n \"title\": \"False Positive - Incorrect Alert Logic\",\n \"value\": \"False Positive - Incorrect Alert Logic\"\n },\n {\n \"title\": \"True Positive - Suspicious Activity\",\n \"value\": \"True Positive - Suspicious Activity\"\n },\n {\n \"title\": \"Benign Positive - Suspicious But Expected\",\n \"value\": \"Benign Positive - Suspicious But Expected\"\n },\n {\n \"title\": \"Undetermined\",\n \"value\": \"Undetermined\"\n }\n ],\n \"id\": 
\"incidentStatus\",\n \"style\": \"compact\",\n \"type\": \"Input.ChoiceSet\",\n \"value\": \"Benign Positive - Suspicious But Expected\"\n },\n {\n \"type\": \"TextBlock\",\n \"text\": \"Change Microsoft Sentinel Incident Severity?\"\n },\n {\n \"choices\": [\n {\n \n \"title\": \"High\",\n \"value\": \"High\"\n },\n {\n \"title\": \"Medium\",\n \"value\": \"Medium\"\n },\n {\n \"title\": \"Low\",\n \"value\": \"Low\"\n },\n {\n \"title\": \"Don't change\",\n \"value\": \"same\"\n }\n ],\n \"id\": \"incidentSeverity\",\n \"style\": \"compact\",\n \"type\": \"Input.ChoiceSet\",\n \"value\": \"\"\n }\n \n \n \n ],\n\"width\":\"auto\",\n \"actions\": [\n {\n \"type\": \"Action.Submit\",\n \"title\": \"Change incident configuration\"\n },\n{\n \"type\": \"Action.Submit\",\n \"title\": \"Ignore\"\n }\n ],\n \"$schema\": \"http://adaptivecards.io/schemas/adaptive-card.json\",\n \"version\": \"1.2\"\n}",
"recipient": {
"channelId": "@parameters('Teams channel Id')"
},
"shouldUpdateCard": true
},
"notificationUrl": "@{listCallbackUrl()}"
},
"host": {
"connection": {
"name": "@parameters('$connections')['teams']['connectionId']"
}
},
"path": "/flowbot/actions/flowcontinuation/recipienttypes/channel/$subscriptions",
"queries": {
"groupId": "@parameters('Teams Group Id')"
}
}
},
"Post_an_Adaptive_Card_to_a_Teams_channel_and_wait_for_a_response_3": {
"runAfter": {
"Condition_to_check_if_Ip_address_already_present_in_list_of_address_objects": [
"Succeeded"
]
},
"type": "ApiConnectionWebhook",
"inputs": {
"body": {
"body": {
"messageBody": "{\n \"type\": \"AdaptiveCard\",\n \"body\":@{variables('AdaptiveCardBody')} ,\n \"actions\": [\n {\n \"title\": \"@{variables('ActionName')} ( add to @{outputs('Configured_address_group')} address group )\",\n \"type\": \"Action.Submit\"\n },\n {\n \"title\": \"Ignore\",\n \"type\": \"Action.Submit\"\n }\n],\n \"$schema\": \"http://adaptivecards.io/schemas/adaptive-card.json\",\n \"version\": \"1.2\"\n}",
"recipient": {
"channelId": "@parameters('Teams channel Id')"
},
"shouldUpdateCard": true
},
"notificationUrl": "@{listCallbackUrl()}"
},
"host": {
"connection": {
"name": "@parameters('$connections')['teams']['connectionId']"
}
},
"path": "/flowbot/actions/flowcontinuation/recipienttypes/channel/$subscriptions",
"queries": {
"groupId": "@parameters('Teams Group Id')"
}
}
},
"Select_security_policy_rules": {
"runAfter": {
"Filter_array_Ip_from_list_of_security_rules": [
"Succeeded"
]
},
"type": "Select",
"inputs": {
"from": "@body('Filter_array_Ip_from_list_of_security_rules')",
"select": {
"text": " @{item()?['@name']}, action : @{item()?['action']}",
"type": "TextBlock",
"weight": "bolder"
}
},
"description": "prepare the column list that shows the security policy rules in the adaptive card when the IP address is present in them"
},
"Set_variable_actions_on_IP_to_be_displayed_on_adaptive_card": {
"runAfter": {
"Condition_based_on_user_inputs_from_the_adaptive_card": [
"Succeeded"
]
},
"type": "Select",
"inputs": {
"from": "@variables('IPAddressAction')",
"select": {
"text": "@item()",
"type": "TextBlock"
}
},
"description": "This composes the list of actions taken by the SOC on the respective IP addresses"
},
"Set_variable_adaptive_card_body": {
"runAfter": {
"List_security_rules": [
"Succeeded"
]
},
"type": "SetVariable",
"inputs": {
"name": "AdaptiveCardBody",
"value": [
{
"size": "Large",
"text": "Suspicious IP - Microsoft Sentinel",
"type": "TextBlock",
"weight": "Bolder",
"wrap": true
},
{
"text": "Possible Compromised IP @{triggerBody()?['Entity']?['properties']?['Address']} detected by the provider : ",
"type": "TextBlock",
"wrap": true
},
{
"text": " Incident ",
"type": "TextBlock",
"weight": "Bolder",
"wrap": true
},
{
"text": " Incident No : ",
"type": "TextBlock",
"weight": "Bolder",
"wrap": true
},
{
"text": "Incident description",
"type": "TextBlock",
"weight": "Bolder",
"wrap": true
},
{
"text": "[variables('blanks')]",
"type": "TextBlock",
"wrap": true
},
{
"text": "[[[[Click here to view the Incident]()",
"type": "TextBlock",
"wrap": true
},
{
"size": "Medium",
"text": "Response in PAN-OS",
"type": "TextBlock",
"weight": "Bolder"
},
{
"size": "Small",
"style": "Person",
"type": "Image",
"url": "https://avatars2.githubusercontent.com/u/4855743?s=280&v=4"
}
]
},
"description": "variable to hold adaptive card body"
},
"Set_variable_address_group_members": {
"runAfter": {
"List_address_groups": [
"Succeeded"
]
},
"type": "SetVariable",
"inputs": {
"name": "AddressGroupMembers",
"value": "@body('List_address_groups')?['result']?['entry']?[0]?['static']?['member']"
},
"description": "assign the list of address group members"
}
}
},
"parameters": {
"$connections": {
"value": {
"PaloAltoConnector": {
"connectionId": "[[resourceId('Microsoft.Web/connections', variables('PaloaltoconnectorConnectionName'))]",
"connectionName": "[[variables('PaloaltoconnectorConnectionName')]",
"id": "[[concat('/subscriptions/', subscription().subscriptionId, '/resourceGroups/', resourceGroup().name, '/providers/Microsoft.Web/customApis/', parameters('CustomConnectorName'))]"
},
"azuresentinel": {
"connectionId": "[[resourceId('Microsoft.Web/connections', variables('MicrosoftSentinelConnectionName'))]",
"connectionName": "[[variables('MicrosoftSentinelConnectionName')]",
"id": "[[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', variables('workspace-location-inline'), '/managedApis/Azuresentinel')]",
"connectionProperties": {
"authentication": {
"type": "ManagedServiceIdentity"
}
}
},
"teams": {
"connectionId": "[[resourceId('Microsoft.Web/connections', variables('TeamsConnectionName'))]",
"connectionName": "[[variables('TeamsConnectionName')]",
"id": "[[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', variables('workspace-location-inline'), '/managedApis/Teams')]"
}
}
}
}
},
"name": "[[parameters('PlaybookName')]",
"type": "Microsoft.Logic/workflows",
"location": "[[variables('workspace-location-inline')]",
"identity": {
"type": "SystemAssigned"
},
"tags": {
"hidden-SentinelTemplateName": "PaloAlto-PAN-OS-BlockIP-EntityTrigger",
"hidden-SentinelTemplateVersion": "1.0",
"hidden-SentinelWorkspaceId": "[[variables('workspaceResourceId')]"
},
"apiVersion": "2017-07-01",
"dependsOn": [
"[[resourceId('Microsoft.Web/connections', variables('PaloaltoconnectorConnectionName'))]",
"[[resourceId('Microsoft.Web/connections', variables('MicrosoftSentinelConnectionName'))]",
"[[resourceId('Microsoft.Web/connections', variables('TeamsConnectionName'))]"
]
},
{
"type": "Microsoft.Web/connections",
"apiVersion": "2016-06-01",
"name": "[[variables('PaloaltoconnectorConnectionName')]",
"location": "[[variables('workspace-location-inline')]",
"kind": "V1",
"properties": {
"displayName": "[[variables('PaloaltoconnectorConnectionName')]",
"api": {
"id": "[[variables('_connection-2')]"
}
}
},
{
"type": "Microsoft.Web/connections",
"apiVersion": "2016-06-01",
"name": "[[variables('MicrosoftSentinelConnectionName')]",
"location": "[[variables('workspace-location-inline')]",
"kind": "V1",
"properties": {
"displayName": "[[variables('MicrosoftSentinelConnectionName')]",
"parameterValueType": "Alternative",
"api": {
"id": "[[variables('_connection-3')]"
}
}
},
{
"type": "Microsoft.Web/connections",
"apiVersion": "2016-06-01",
"name": "[[variables('TeamsConnectionName')]",
"location": "[[variables('workspace-location-inline')]",
"kind": "V1",
"properties": {
"displayName": "[[variables('TeamsConnectionName')]",
"api": {
"id": "[[variables('_connection-4')]"
}
}
},
{
"type": "Microsoft.OperationalInsights/workspaces/providers/metadata",
"apiVersion": "2022-01-01-preview",
"name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('Playbook-', last(split(variables('playbookId9'),'/'))))]",
"properties": {
"parentId": "[variables('playbookId9')]",
"contentId": "[variables('_playbookContentId9')]",
"kind": "Playbook",
"version": "[variables('playbookVersion9')]",
"source": {
"kind": "Solution",
"name": "PaloAlto-PAN-OS",
"sourceId": "[variables('_solutionId')]"
},
"author": {
"name": "Microsoft",
"email": "[variables('_email')]"
},
"support": {
"name": "Microsoft Corporation",
"email": "support@microsoft.com",
"tier": "Microsoft",
"link": "https://support.microsoft.com"
},
"dependencies": {
"criteria": [
{
"kind": "LogicAppsCustomConnector",
"contentId": "[variables('_PaloAlto_PAN-OS_Rest_API_CustomConnector')]",
"version": "[variables('playbookVersion1')]"
}
]
}
}
}
],
"metadata": {
"title": "Block IP - Palo Alto PAN-OS - Entity trigger",
"description": "This playbook interacts with relevant stakeholders, such as the incident response team, to approve blocking/allowing IPs in Palo Alto PAN-OS, using **Address Object Groups**. This allows changes to be made to a predefined address group that is attached to a predefined security policy rule.",
"prerequisites": [
"1. The PaloAlto connector needs to be deployed prior to the deployment of this playbook under the same subscription. Relevant instructions can be found in the connector doc page. \n\n 2. Generate an API key. [Refer to this link on how to generate the API Key](https://docs.paloaltonetworks.com/pan-os/10-1/pan-os-panorama-api/get-started-with-the-pan-os-xml-api/get-your-api-key) \n\n 3. An address group should be created in PAN-OS and used while creating the playbook."
],
"lastUpdateTime": "2022-12-06T00:00:00Z",
"entities": [
"Ip"
],
"tags": [
"Remediation",
"Response from teams",
"Paloalto",
"Pan-os"
],
"postDeployment": [
"**a. Authorize connections** \n\n Once deployment is complete, you will need to authorize each connection. \n\n 1. Click the Microsoft Sentinel connection resource \n\n 2. Click edit API connection \n\n 3. Click Authorize \n\n 4. Sign in \n\n 5. Click Save \n\n 6. Repeat the steps for the other connections, such as the Teams connection and the PAN-OS API connection (for authorizing the PAN-OS API connection, the API Key needs to be provided) \n\n **b. Configurations in Sentinel** \n\n 1. In Microsoft Sentinel, analytics rules should be configured to trigger an incident with a risky IP \n\n 2. Configure the automation rules to trigger this playbook"
],
"releaseNotes": {
"version": "1.0",
"title": "[variables('blanks')]",
"notes": [
"Initial version"
]
}
}
},
"packageKind": "Solution",
"packageVersion": "[variables('_solutionVersion')]",
"packageName": "[variables('_solutionName')]",
"packageId": "[variables('_solutionId')]",
"contentSchemaVersion": "3.0.0",
"contentId": "[variables('_playbookContentId9')]",
"contentKind": "Playbook",
"displayName": "PaloAlto-PAN-OS-BlockIP-EntityTrigger",
"contentProductId": "[variables('_playbookcontentProductId9')]",
"id": "[variables('_playbookcontentProductId9')]",
"version": "[variables('playbookVersion9')]"
}
},
{
"type": "Microsoft.OperationalInsights/workspaces/providers/contentPackages",
"apiVersion": "2023-04-01-preview",
"location": "[parameters('workspace-location')]",
"properties": {
"version": "3.0.1",
"kind": "Solution",
"contentSchemaVersion": "3.0.0",
"displayName": "PaloAlto-PAN-OS",
"publisherDisplayName": "Microsoft Sentinel, Microsoft Corporation",
"descriptionHtml": "<p><strong>Note:</strong> <em>There may be <a href=\"https://aka.ms/sentinelsolutionsknownissues\">known issues</a> pertaining to this Solution, please refer to them before installing.</em></p>\n<p>The <a href=\"https://www.paloaltonetworks.com/network-security/next-generation-firewall\">Palo Alto Networks (Firewall)</a> Solution for Microsoft Sentinel allows you to easily connect your Palo Alto Networks Firewall logs with Microsoft Sentinel, to view dashboards, create custom alerts, and improve investigation. This gives you more insight into your organization's network and improves your security operation capabilities. This solution also contains playbooks to help in automated remediation.</p>\n<p><strong>Underlying Microsoft Technologies used:</strong></p>\n<p>This solution takes a dependency on the following technologies, and some of these dependencies either may be in <a href=\"https://azure.microsoft.com/support/legal/preview-supplemental-terms/\">Preview</a> state or might result in additional ingestion or operational costs:</p>\n<ol type=\"a\">\n<li><a href=\"https://docs.microsoft.com/azure/sentinel/connect-common-event-format\">Agent-based log collection (CEF over Syslog)</a></li>\n</ol>\n<p><strong>Data Connectors:</strong> 1, <strong>Workbooks:</strong> 2, <strong>Analytic Rules:</strong> 4, <strong>Hunting Queries:</strong> 2, <strong>Custom Azure Logic Apps Connectors:</strong> 2, <strong>Playbooks:</strong> 7</p>\n<p><a href=\"https://aka.ms/azuresentinel\">Learn more about Microsoft Sentinel</a> | <a href=\"https://aka.ms/azuresentinelsolutionsdoc\">Learn more about Solutions</a></p>\n",
"contentKind": "Solution",
"contentProductId": "[variables('_solutioncontentProductId')]",
"id": "[variables('_solutioncontentProductId')]",
"icon": "<img src=\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Solutions/PaloAlto-PAN-OS/logo/Palo-alto-logo.png\" width=\"75px\" height=\"75px\">",
"contentId": "[variables('_solutionId')]",
"parentId": "[variables('_solutionId')]",
"source": {
"kind": "Solution",
"name": "PaloAlto-PAN-OS",
"sourceId": "[variables('_solutionId')]"
},
"author": {
"name": "Microsoft",
"email": "[variables('_email')]"
},
"support": {
"name": "Microsoft Corporation",
"email": "support@microsoft.com",
"tier": "Microsoft",
"link": "https://support.microsoft.com"
},
"dependencies": {
"operator": "AND",
"criteria": [
{
"kind": "DataConnector",
"contentId": "[variables('_dataConnectorContentId1')]",
"version": "[variables('dataConnectorVersion1')]"
},
{
"kind": "HuntingQuery",
"contentId": "[variables('huntingQueryObject1')._huntingQuerycontentId1]",
"version": "[variables('huntingQueryObject1').huntingQueryVersion1]"
},
{
"kind": "HuntingQuery",
"contentId": "[variables('huntingQueryObject2')._huntingQuerycontentId2]",
"version": "[variables('huntingQueryObject2').huntingQueryVersion2]"
},
{
"kind": "Workbook",
"contentId": "[variables('_workbookContentId1')]",
"version": "[variables('workbookVersion1')]"
},
{
"kind": "Workbook",
"contentId": "[variables('_workbookContentId2')]",
"version": "[variables('workbookVersion2')]"
},
{
"kind": "AnalyticsRule",
"contentId": "[variables('analyticRuleObject1')._analyticRulecontentId1]",
"version": "[variables('analyticRuleObject1').analyticRuleVersion1]"
},
{
"kind": "AnalyticsRule",
"contentId": "[variables('analyticRuleObject2')._analyticRulecontentId2]",
"version": "[variables('analyticRuleObject2').analyticRuleVersion2]"
},
{
"kind": "AnalyticsRule",
"contentId": "[variables('analyticRuleObject3')._analyticRulecontentId3]",
"version": "[variables('analyticRuleObject3').analyticRuleVersion3]"
},
{
"kind": "AnalyticsRule",
"contentId": "[variables('analyticRuleObject4')._analyticRulecontentId4]",
"version": "[variables('analyticRuleObject4').analyticRuleVersion4]"
},
{
"kind": "LogicAppsCustomConnector",
"contentId": "[variables('_PaloAlto_PAN-OS_Rest_API_CustomConnector')]",
"version": "[variables('playbookVersion1')]"
},
{
"kind": "LogicAppsCustomConnector",
"contentId": "[variables('_PaloAlto_PAN-OS_XML_API_CustomConnector')]",
"version": "[variables('playbookVersion2')]"
},
{
"kind": "Playbook",
"contentId": "[variables('_PaloAlto-PAN-OS-GetSystemInfo')]",
"version": "[variables('playbookVersion3')]"
},
{
"kind": "Playbook",
"contentId": "[variables('_PaloAlto-PAN-OS-GetThreatPCAP')]",
"version": "[variables('playbookVersion4')]"
},
{
"kind": "Playbook",
"contentId": "[variables('_PaloAlto-PAN-OS-GetURLCategoryInfo')]",
"version": "[variables('playbookVersion5')]"
},
{
"kind": "Playbook",
"contentId": "[variables('_PaloAlto-PAN-OS-BlockIP')]",
"version": "[variables('playbookVersion6')]"
},
{
"kind": "Playbook",
"contentId": "[variables('_PaloAlto-PAN-OS-BlockURL')]",
"version": "[variables('playbookVersion7')]"
},
{
"kind": "Playbook",
"contentId": "[variables('_PaloAlto-PAN-OS-BlockURL-EntityTrigger')]",
"version": "[variables('playbookVersion8')]"
},
{
"kind": "Playbook",
"contentId": "[variables('_PaloAlto-PAN-OS-BlockIP-EntityTrigger')]",
"version": "[variables('playbookVersion9')]"
}
]
},
"firstPublishDate": "2021-08-09",
"lastPublishDate": "2021-09-20",
"providers": [
"Palo Alto Networks"
],
"categories": {
"domains": [
"Security - Automation (SOAR)",
"Security - Network"
]
}
},
"name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/', variables('_solutionId'))]"
}
],
"outputs": {}
}