diff --git a/Solutions/PaloAlto-PAN-OS/Package/3.0.8.zip b/Solutions/PaloAlto-PAN-OS/Package/3.0.8.zip
new file mode 100644
index 00000000000..d5a1c72196c
Binary files /dev/null and b/Solutions/PaloAlto-PAN-OS/Package/3.0.8.zip differ
diff --git a/Solutions/PaloAlto-PAN-OS/Package/createUiDefinition.json b/Solutions/PaloAlto-PAN-OS/Package/createUiDefinition.json
index 4bf8c64ce83..4e9d6017922 100644
--- a/Solutions/PaloAlto-PAN-OS/Package/createUiDefinition.json
+++ b/Solutions/PaloAlto-PAN-OS/Package/createUiDefinition.json
@@ -6,7 +6,7 @@
 "config": {
 "isWizard": false,
 "basics": {
- "description": "\n\n**Note:** Please refer to the following before installing the solution: \n\n• Review the solution [Release Notes](https://github.com/Azure/Azure-Sentinel/tree/master/Solutions/PaloAlto-PAN-OS/ReleaseNotes.md)\n\n • There may be [known issues](https://aka.ms/sentinelsolutionsknownissues) pertaining to this Solution, please refer to them before installing.\n\nThe [Palo Alto Networks (Firewall)](https://www.paloaltonetworks.com/network-security/next-generation-firewall) Solution for Microsoft Sentinel allows you to easily connect your Palo Alto Networks Firewall logs with Microsoft Sentinel, to view dashboards, create custom alerts, and improve investigation. This gives you more insight into your organization's network and improves your security operation capabilities. This solution also contains playbooks to help in automated remediation.\n\nThis solution is dependent on the Common Event Format solution containing the CEF via AMA connector to collect the logs. The CEF solution will be installed as part of this solution installation.\n\n**NOTE:** Microsoft recommends installation of CEF via AMA Connector. 
The existing connectors are about to be deprecated by **Aug 31, 2024**.\n\n**Data Connector:** 1,**Workbooks:** 2, **Analytic Rules:** 4, **Hunting Queries:** 2, **Custom Azure Logic Apps Connectors:** 2, **Playbooks:** 7\n\n[Learn more about Microsoft Sentinel](https://aka.ms/azuresentinel) | [Learn more about Solutions](https://aka.ms/azuresentinelsolutionsdoc)",
+ "description": "\n\n**Note:** Please refer to the following before installing the solution: \n\n• Review the solution [Release Notes](https://github.com/Azure/Azure-Sentinel/tree/master/Solutions/PaloAlto-PAN-OS/ReleaseNotes.md)\n\n • There may be [known issues](https://aka.ms/sentinelsolutionsknownissues) pertaining to this Solution, please refer to them before installing.\n\nThe [Palo Alto Networks (Firewall)](https://www.paloaltonetworks.com/network-security/next-generation-firewall) Solution for Microsoft Sentinel allows you to easily connect your Palo Alto Networks Firewall logs with Microsoft Sentinel, to view dashboards, create custom alerts, and improve investigation. This gives you more insight into your organization's network and improves your security operation capabilities. This solution also contains playbooks to help in automated remediation.\n\nThis solution is dependent on the Common Event Format solution containing the CEF via AMA connector to collect the logs. The CEF solution will be installed as part of this solution installation.\n\n**NOTE:** Microsoft recommends installation of CEF via AMA Connector. The existing connectors are about to be deprecated by **Aug 31, 2024**.\n\n**Workbooks:** 2, **Analytic Rules:** 4, **Hunting Queries:** 2, **Custom Azure Logic Apps Connectors:** 2, **Playbooks:** 7\n\n[Learn more about Microsoft Sentinel](https://aka.ms/azuresentinel) | [Learn more about Solutions](https://aka.ms/azuresentinelsolutionsdoc)",
 "subscription": {
 "resourceProviders": [
 "Microsoft.OperationsManagement/solutions",
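Review bot: The new description string still says the legacy connectors "are about to be deprecated by **Aug 31, 2024**", but the ReleaseNotes hunk dates this 3.0.8 release 15-11-2024, so the sentence is already stale at the time it ships and reads as if the old ingestion path were still supported. Since 3.0.7 already removed the deprecated data connector from the package, the wording should state the deprecation as a fact so that anyone still on the legacy connectors understands their log flow may have stopped, e.g. `The existing connectors were deprecated on **Aug 31, 2024**; use the CEF via AMA connector.` The same sentence appears in the `descriptionHtml` of mainTemplate.json in this diff, so both strings should be changed together to keep the portal wizard and the content-hub listing consistent.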
diff --git a/Solutions/PaloAlto-PAN-OS/Package/mainTemplate.json b/Solutions/PaloAlto-PAN-OS/Package/mainTemplate.json
index e680cbaff9d..935a0545101 100644
--- a/Solutions/PaloAlto-PAN-OS/Package/mainTemplate.json
+++ b/Solutions/PaloAlto-PAN-OS/Package/mainTemplate.json
@@ -49,7 +49,7 @@
 "email": "support@microsoft.com",
 "_email": "[variables('email')]",
 "_solutionName": "PaloAlto-PAN-OS",
- "_solutionVersion": "3.0.7",
+ "_solutionVersion": "3.0.8",
 "solutionId": "azuresentinel.azure-sentinel-solution-paloaltopanos",
 "_solutionId": "[variables('solutionId')]",
 "huntingQueryObject1": {
@@ -188,7 +188,7 @@
 "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
 ],
 "properties": {
- "description": "PaloAlto-HighRiskPorts_HuntingQueries Hunting Query with template version 3.0.7",
+ "description": "PaloAlto-HighRiskPorts_HuntingQueries Hunting Query with template version 3.0.8",
 "mainTemplate": {
 "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
 "contentVersion": "[variables('huntingQueryObject1').huntingQueryVersion1]",
@@ -269,7 +269,7 @@
 "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
 ],
 "properties": {
- "description": "Palo Alto - potential beaconing detected_HuntingQueries Hunting Query with template version 3.0.7",
+ "description": "Palo Alto - potential beaconing detected_HuntingQueries Hunting Query with template version 3.0.8",
 "mainTemplate": {
 "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
 "contentVersion": "[variables('huntingQueryObject2').huntingQueryVersion2]",
@@ -354,7 +354,7 @@
 "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
 ],
 "properties": {
- "description": "PaloAltoOverview Workbook with template version 3.0.7",
+ "description": "PaloAltoOverview Workbook with template version 3.0.8",
 "mainTemplate": {
 "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
 "contentVersion": "[variables('workbookVersion1')]",
@@ -410,10 +410,6 @@
 "contentId": "CommonSecurityLog",
 "kind": "DataType"
 },
- {
- "contentId": "PaloAltoNetworks",
- "kind": "DataConnector"
- },
 {
 "contentId": "CefAma",
 "kind": "DataConnector"
@@ -446,7 +442,7 @@
 "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
 ],
 "properties": {
- "description": "PaloAltoNetworkThreat Workbook with template version 3.0.7",
+ "description": "PaloAltoNetworkThreat Workbook with template version 3.0.8",
 "mainTemplate": {
 "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
 "contentVersion": "[variables('workbookVersion2')]",
@@ -502,10 +498,6 @@
 "contentId": "CommonSecurityLog",
 "kind": "DataType"
 },
- {
- "contentId": "PaloAltoNetworks",
- "kind": "DataConnector"
- },
 {
 "contentId": "CefAma",
 "kind": "DataConnector"
@@ -538,7 +530,7 @@
 "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
 ],
 "properties": {
- "description": "PaloAlto-UnusualThreatSignatures_AnalyticalRules Analytics Rule with template version 3.0.7",
+ "description": "PaloAlto-UnusualThreatSignatures_AnalyticalRules Analytics Rule with template version 3.0.8",
 "mainTemplate": {
 "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
 "contentVersion": "[variables('analyticRuleObject1').analyticRuleVersion1]",
@@ -589,8 +581,8 @@
 {
 "fieldMappings": [
 {
- "columnName": "SourceIP",
- "identifier": "Address"
+ "identifier": "Address",
+ "columnName": "SourceIP"
 }
 ],
 "entityType": "IP"
@@ -649,7 +641,7 @@
 "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
 ],
 "properties": {
- "description": "FileHashEntity_Covid19_CommonSecurityLog_AnalyticalRules Analytics Rule with template version 3.0.7",
+ "description": "FileHashEntity_Covid19_CommonSecurityLog_AnalyticalRules Analytics Rule with template version 3.0.8",
 "mainTemplate": {
 "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
 "contentVersion": "[variables('analyticRuleObject2').analyticRuleVersion2]",
@@ -696,16 +688,16 @@
 {
 "fieldMappings": [
 {
- "columnName": "SourceUserName",
- "identifier": "FullName"
+ "identifier": "FullName",
+ "columnName": "SourceUserName"
 },
 {
- "columnName": "AccountName",
- "identifier": "Name"
+ "identifier": "Name",
+ "columnName": "AccountName"
 },
 {
- "columnName": "AccountUPNSuffix",
- "identifier": "UPNSuffix"
+ "identifier": "UPNSuffix",
+ "columnName": "AccountUPNSuffix"
 }
 ],
 "entityType": "Account"
@@ -713,16 +705,16 @@
 {
 "fieldMappings": [
 {
- "columnName": "DeviceName",
- "identifier": "FullName"
+ "identifier": "FullName",
+ "columnName": "DeviceName"
 },
 {
- "columnName": "HostName",
- "identifier": "HostName"
+ "identifier": "HostName",
+ "columnName": "HostName"
 },
 {
- "columnName": "HostNameDomain",
- "identifier": "DnsDomain"
+ "identifier": "DnsDomain",
+ "columnName": "HostNameDomain"
 }
 ],
 "entityType": "Host"
@@ -730,8 +722,8 @@
 {
 "fieldMappings": [
 {
- "columnName": "SourceIP",
- "identifier": "Address"
+ "identifier": "Address",
+ "columnName": "SourceIP"
 }
 ],
 "entityType": "IP"
@@ -739,12 +731,12 @@
 {
 "fieldMappings": [
 {
- "columnName": "FileHashValue",
- "identifier": "Value"
+ "identifier": "Value",
+ "columnName": "FileHashValue"
 },
 {
- "columnName": "FileHashType",
- "identifier": "Algorithm"
+ "identifier": "Algorithm",
+ "columnName": "FileHashType"
 }
 ],
 "entityType": "FileHash"
@@ -803,7 +795,7 @@
 "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
 ],
 "properties": {
- "description": "PaloAlto-NetworkBeaconing_AnalyticalRules Analytics Rule with template version 3.0.7",
+ "description": "PaloAlto-NetworkBeaconing_AnalyticalRules Analytics Rule with template version 3.0.8",
 "mainTemplate": {
 "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
 "contentVersion": "[variables('analyticRuleObject3').analyticRuleVersion3]",
@@ -848,8 +840,8 @@
 {
 "fieldMappings": [
 {
- "columnName": "AccountCustomEntity",
- "identifier": "FullName"
+ "identifier": "FullName",
+ "columnName": "AccountCustomEntity"
 }
 ],
 "entityType": "Account"
@@ -857,8 +849,8 @@
 {
 "fieldMappings": [
 {
- "columnName": "HostCustomEntity",
- "identifier": "FullName"
+ "identifier": "FullName",
+ "columnName": "HostCustomEntity"
 }
 ],
 "entityType": "Host"
@@ -866,8 +858,8 @@
 {
 "fieldMappings": [
 {
- "columnName": "IPCustomEntity",
- "identifier": "Address"
+ "identifier": "Address",
+ "columnName": "IPCustomEntity"
 }
 ],
 "entityType": "IP"
@@ -926,7 +918,7 @@
 "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
 ],
 "properties": {
- "description": "PaloAlto-PortScanning_AnalyticalRules Analytics Rule with template version 3.0.7",
+ "description": "PaloAlto-PortScanning_AnalyticalRules Analytics Rule with template version 3.0.8",
 "mainTemplate": {
 "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
 "contentVersion": "[variables('analyticRuleObject4').analyticRuleVersion4]",
@@ -970,8 +962,8 @@
 {
 "fieldMappings": [
 {
- "columnName": "AccountCustomEntity",
- "identifier": "FullName"
+ "identifier": "FullName",
+ "columnName": "AccountCustomEntity"
 }
 ],
 "entityType": "Account"
@@ -979,8 +971,8 @@
 {
 "fieldMappings": [
 {
- "columnName": "HostCustomEntity",
- "identifier": "FullName"
+ "identifier": "FullName",
+ "columnName": "HostCustomEntity"
 }
 ],
 "entityType": "Host"
@@ -988,8 +980,8 @@
 {
 "fieldMappings": [
 {
- "columnName": "IPCustomEntity",
- "identifier": "Address"
+ "identifier": "Address",
+ "columnName": "IPCustomEntity"
 }
 ],
 "entityType": "IP"
@@ -1048,7 +1040,7 @@
 "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
 ],
 "properties": {
- "description": "PaloAlto_PAN-OS_Rest_API_CustomConnector Playbook with template version 3.0.7",
+ "description": "PaloAlto_PAN-OS_Rest_API_CustomConnector Playbook with template version 3.0.8",
 "mainTemplate": {
 "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
 "contentVersion": "[variables('playbookVersion1')]",
@@ -3243,7 +3235,7 @@
 "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
 ],
 "properties": {
- "description": "PaloAlto_PAN-OS_XML_API_CustomConnector Playbook with template version 3.0.7",
+ "description": "PaloAlto_PAN-OS_XML_API_CustomConnector Playbook with template version 3.0.8",
 "mainTemplate": {
 "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
 "contentVersion": "[variables('playbookVersion2')]",
@@ -3430,7 +3422,7 @@
 "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
 ],
 "properties": {
- "description": "PaloAlto-PAN-OS-GetSystemInfo Playbook with template version 3.0.7",
+ "description": "PaloAlto-PAN-OS-GetSystemInfo Playbook with template version 3.0.8",
 "mainTemplate": {
 "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
 "contentVersion": "[variables('playbookVersion3')]",
@@ -3677,7 +3669,7 @@
 "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
 ],
 "properties": {
- "description": "PaloAlto-PAN-OS-GetThreatPcap Playbook with template version 3.0.7",
+ "description": "PaloAlto-PAN-OS-GetThreatPcap Playbook with template version 3.0.8",
 "mainTemplate": {
 "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
 "contentVersion": "[variables('playbookVersion4')]",
@@ -4213,7 +4205,7 @@
 "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
 ],
 "properties": {
- "description": "PaloAlto-PAN-OS-GetURLCategoryInfo Playbook with template version 3.0.7",
+ "description": "PaloAlto-PAN-OS-GetURLCategoryInfo Playbook with template version 3.0.8",
 "mainTemplate": {
 "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
 "contentVersion": "[variables('playbookVersion5')]",
@@ -4651,7 +4643,7 @@
 "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
 ],
 "properties": {
- "description": "PaloAlto-PAN-OS-BlockIP Playbook with template version 3.0.7",
+ "description": "PaloAlto-PAN-OS-BlockIP Playbook with template version 3.0.8",
 "mainTemplate": {
 "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
 "contentVersion": "[variables('playbookVersion6')]",
@@ -5803,7 +5795,7 @@
 "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
 ],
 "properties": {
- "description": "PaloAlto-PAN-OS-BlockURL Playbook with template version 3.0.7",
+ "description": "PaloAlto-PAN-OS-BlockURL Playbook with template version 3.0.8",
 "mainTemplate": {
 "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
 "contentVersion": "[variables('playbookVersion7')]",
@@ -6955,7 +6947,7 @@
 "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
 ],
 "properties": {
- "description": "PaloAlto-PAN-OS-BlockURL-EntityTrigger Playbook with template version 3.0.7",
+ "description": "PaloAlto-PAN-OS-BlockURL-EntityTrigger Playbook with template version 3.0.8",
 "mainTemplate": {
 "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
 "contentVersion": "[variables('playbookVersion8')]",
@@ -8059,7 +8051,7 @@
 "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
 ],
 "properties": {
- "description": "PaloAlto-PAN-OS-BlockIP-EntityTrigger Playbook with template version 3.0.7",
+ "description": "PaloAlto-PAN-OS-BlockIP-EntityTrigger Playbook with template version 3.0.8",
 "mainTemplate": {
 "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
 "contentVersion": "[variables('playbookVersion9')]",
@@ -9160,12 +9152,12 @@
 "apiVersion": "2023-04-01-preview",
 "location": "[parameters('workspace-location')]",
 "properties": {
- "version": "3.0.7",
+ "version": "3.0.8",
 "kind": "Solution",
 "contentSchemaVersion": "3.0.0",
 "displayName": "PaloAlto-PAN-OS",
 "publisherDisplayName": "Microsoft Sentinel, Microsoft Corporation",
- "descriptionHtml": "

Note: Please refer to the following before installing the solution:

\n

• Review the solution Release Notes

\n

• There may be known issues pertaining to this Solution, please refer to them before installing.

\n

The Palo Alto Networks (Firewall) Solution for Microsoft Sentinel allows you to easily connect your Palo Alto Networks Firewall logs with Microsoft Sentinel, to view dashboards, create custom alerts, and improve investigation. This gives you more insight into your organization's network and improves your security operation capabilities. This solution also contains playbooks to help in automated remediation.

\n

This solution is dependent on the Common Event Format solution containing the CEF via AMA connector to collect the logs. The CEF solution will be installed as part of this solution installation.

\n

NOTE: Microsoft recommends installation of CEF via AMA Connector. The existing connectors are about to be deprecated by Aug 31, 2024.

\n

Data Connector: 1Workbooks: 2, Analytic Rules: 4, Hunting Queries: 2, Custom Azure Logic Apps Connectors: 2, Playbooks: 7

\n

Learn more about Microsoft Sentinel | Learn more about Solutions

\n",
+ "descriptionHtml": "

Note: Please refer to the following before installing the solution:

\n

• Review the solution Release Notes

\n

• There may be known issues pertaining to this Solution, please refer to them before installing.

\n

The Palo Alto Networks (Firewall) Solution for Microsoft Sentinel allows you to easily connect your Palo Alto Networks Firewall logs with Microsoft Sentinel, to view dashboards, create custom alerts, and improve investigation. This gives you more insight into your organization's network and improves your security operation capabilities. This solution also contains playbooks to help in automated remediation.

\n

This solution is dependent on the Common Event Format solution containing the CEF via AMA connector to collect the logs. The CEF solution will be installed as part of this solution installation.

\n

NOTE: Microsoft recommends installation of CEF via AMA Connector. The existing connectors are about to be deprecated by Aug 31, 2024.

\n

Workbooks: 2, Analytic Rules: 4, Hunting Queries: 2, Custom Azure Logic Apps Connectors: 2, Playbooks: 7

\n

Learn more about Microsoft Sentinel | Learn more about Solutions

\n",
 "contentKind": "Solution",
 "contentProductId": "[variables('_solutioncontentProductId')]",
 "id": "[variables('_solutioncontentProductId')]",
diff --git a/Solutions/PaloAlto-PAN-OS/ReleaseNotes.md b/Solutions/PaloAlto-PAN-OS/ReleaseNotes.md
index ddaabecabd5..f061d7ff4f4 100644
--- a/Solutions/PaloAlto-PAN-OS/ReleaseNotes.md
+++ b/Solutions/PaloAlto-PAN-OS/ReleaseNotes.md
@@ -1,5 +1,6 @@
 | **Version** | **Date Modified (DD-MM-YYYY)** | **Change History** |
 |-------------|--------------------------------|--------------------------------------------------------------------|
+| 3.0.8 | 15-11-2024 | Corrected **Data Connector** count in CreateUiDefinition |
 | 3.0.7 | 11-11-2024 | Removed Deprecated **Data Connector** |
 | | | Updated **Analytic Rule** for entity mappings |
 | 3.0.6 | 12-07-2024 | Deprecated **Data Connector** |