From d3568f1c8e1450459d59339a9ee51fa1b5c7a47a Mon Sep 17 00:00:00 2001 From: abudilovskiy-panw Date: Wed, 4 Dec 2024 17:33:11 -0800 Subject: [PATCH 1/5] update workbook --- .../Workbooks/CloudNGFW-NetworkThreat.json | 74 +++---------------- 1 file changed, 9 insertions(+), 65 deletions(-) diff --git a/Solutions/Azure Cloud NGFW by Palo Alto Networks/Workbooks/CloudNGFW-NetworkThreat.json b/Solutions/Azure Cloud NGFW by Palo Alto Networks/Workbooks/CloudNGFW-NetworkThreat.json index fa338bdeb3c..471793c3268 100644 --- a/Solutions/Azure Cloud NGFW by Palo Alto Networks/Workbooks/CloudNGFW-NetworkThreat.json +++ b/Solutions/Azure Cloud NGFW by Palo Alto Networks/Workbooks/CloudNGFW-NetworkThreat.json 
@@ -86,7 +86,7 @@
 "type": 3,
 "content": {
 "version": "KqlItem/1.0",
- "query": "let data = fluentbit_CL\r\n| where isnotempty(FirewallName_s)\r\n| where ident_s =~ 'THREAT';\r\ndata\r\n| summarize Count = count() by threat_content_type\r\n| join kind = inner (data\r\n | make-series Trend = count() default = 0 on TimeGenerated from {TimeRange:start} to {TimeRange:end} step {TimeRange:grain} by threat_content_type)\r\n on threat_content_type\r\n| project-away threat_content_type1, TimeGenerated\r\n| extend threat_content_types = threat_content_type\r\n| union (\r\n data \r\n | summarize Count = count() \r\n | extend jkey = 1\r\n | join kind=inner (data\r\n | make-series Trend = count() default = 0 on TimeGenerated from {TimeRange:start} to {TimeRange:end} step {TimeRange:grain}\r\n | extend jkey = 1) on jkey\r\n | extend threat_content_type = 'All', threat_content_types = '*' \r\n)\r\n| project threat_content_type, Count, Trend\r\n| order by Count desc\r\n| take 10",
+ "query": "let UrlThreats = fluentbit_CL\r\n | extend message = parse_json(Message)\r\n | where isnotempty(message.url_category_list)\r\n | where ident_s =~ 'THREAT'\r\n | project FirewallName_s, ident_s, message.url_category_list\r\n | summarize Count = count(), FirewallName = any(FirewallName_s) by tostring(message_url_category_list);\r\n\r\nlet Threats = fluentbit_CL\r\n| extend message = parse_json(Message)\r\n| where isnotempty(message.sub_type)\r\n| where ident_s =~ 'THREAT'\r\n| project FirewallName_s, ident_s, message.sub_type, message.threat_category\r\n| summarize Count = count(), FirewallName = any(FirewallName_s) by tostring(message_threat_category);\r\n\r\nUrlThreats \r\n| union Threats\r\n| extend Threat = strcat(message_url_category_list, \" \", message_threat_category)\r\n| project FirewallName, Threat, Count",
 "size": 3,
 "exportFieldName": "threat_content_type",
 "exportParameterName": "SelectedSubtype",
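Review bot: The rewritten query no longer emits a `threat_content_type` column (its final `project` yields `FirewallName, Threat, Count`), yet the context line `"exportFieldName": "threat_content_type"` is untouched, so clicking a tile exports an empty value into `SelectedSubtype`. The -141 hunk has the same mismatch: its output column is `message_severity` while `exportFieldName` stays `severity`. Either export the column the query actually produces (`"exportFieldName": "Threat"` here) or remove the export lines if the tiles are no longer meant to drive the charts. Separately, `extend message = parse_json(Message)` now precedes the `ident_s =~ 'THREAT'` filter in both `let` blocks; putting the `where` first makes the intent clearer and keeps the JSON parse to THREAT rows.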
@@ -141,63 +141,7 @@ "type": 3, "content": { "version": "KqlItem/1.0", - "query": "let data = fluentbit_CL\r\n| where isnotempty(FirewallName_s)\r\n| where ident_s == 'THREAT'\r\n| where threat_content_type == 'wildfire';\r\ndata\r\n| summarize Count = count() by threat_content_name\r\n| join kind = inner (data\r\n | make-series Trend = count() default = 0 on TimeGenerated from {TimeRange:start} to {TimeRange:end} step {TimeRange:grain} by threat_content_name)\r\n on threat_content_name\r\n| project-away threat_content_name1, TimeGenerated\r\n| extend threat_content_names = threat_content_name\r\n| union (\r\n data \r\n | summarize Count = count() \r\n | extend jkey = 1\r\n | join kind=inner (data\r\n | make-series Trend = count() default = 0 on TimeGenerated from {TimeRange:start} to {TimeRange:end} step {TimeRange:grain}\r\n | extend jkey = 1) on jkey\r\n | extend threat_content_name = 'All', threat_content_names = '*' \r\n)\r\n| project threat_content_name, Count, Trend\r\n| order by Count desc\r\n| take 10", - "size": 3, - "exportFieldName": "threat_content_name", - "exportParameterName": "SelectedWildfire", - "exportDefaultValue": "All", - "exportToExcelOptions": "visible", - "title": "WildFire verdicts", - "timeContext": { - "durationMs": 0 - }, - "timeContextFromParameter": "TimeRange", - "queryType": 0, - "resourceType": "microsoft.operationalinsights/workspaces", - "visualization": "tiles", - "tileSettings": { - "titleContent": { - "columnMatch": "threat_content_name", - "formatter": 1, - "formatOptions": { - "showIcon": true - } - }, - "leftContent": { - "columnMatch": "Count", - "formatter": 12, - "formatOptions": { - "palette": "auto", - "showIcon": true - }, - "numberFormat": { - "unit": 17, - "options": { - "style": "decimal", - "maximumFractionDigits": 2, - "maximumSignificantDigits": 3 - } - } - }, - "secondaryContent": { - "columnMatch": "Trend", - "formatter": 9, - "formatOptions": { - "palette": "blueDark", - "showIcon": true - } - }, - 
"showBorder": false - } - }, - "customWidth": "33", - "name": "WildFire verdicts" - }, - { - "type": 3, - "content": { - "version": "KqlItem/1.0", - "query": "let data = fluentbit_CL\r\n| where isnotempty(FirewallName_s)\r\n| where ident_s == 'THREAT' and threat_content_type != 'url' and threat_content_type != 'file';\r\ndata\r\n| summarize Count = count() by severity\r\n| join kind = inner (data\r\n | make-series Trend = count() default = 0 on TimeGenerated from {TimeRange:start} to {TimeRange:end} step {TimeRange:grain} by severity)\r\n on severity\r\n| project-away severity1, TimeGenerated\r\n| extend severitys = severity\r\n| union (\r\n data \r\n | summarize Count = count() \r\n | extend jkey = 1\r\n | join kind=inner (data\r\n | make-series Trend = count() default = 0 on TimeGenerated from {TimeRange:start} to {TimeRange:end} step {TimeRange:grain}\r\n | extend jkey = 1) on jkey\r\n | extend severity = 'All', severitys = '*' \r\n)\r\n| project severity, Count, Trend\r\n| order by Count desc\r\n| take 10", + "query": "let ThreatSeverity = fluentbit_CL\r\n| extend message = parse_json(Message)\r\n| where ident_s =~ 'THREAT'\r\n| project TimeGenerated, FirewallName_s, ident_s, message.severity\r\n| summarize Count = count(), FirewallName = any(FirewallName_s) by tostring(message_severity);\r\nThreatSeverity", "size": 3, "exportFieldName": "severity", "exportParameterName": "SelectedSeverity", 
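Review bot: The new severity query returns `FirewallName = any(FirewallName_s)` next to each severity bucket, which picks an arbitrary firewall per bucket and, on a workspace with several firewalls, reads as though that severity were confined to the one shown; either drop it from the output or add `FirewallName_s` to the `by` clause. The `project TimeGenerated, FirewallName_s, ident_s, message.severity` step is redundant because the `summarize` immediately reduces the rows to `message_severity`, and the `isnotempty(FirewallName_s)` guard the neighbouring panels keep was dropped here. The deleted WildFire tile exported `SelectedWildfire`; the -279, -297 and -394 hunks of this commit remove the consumers, so nothing dangles as far as this patch shows.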
@@ -279,7 +223,7 @@
 "type": 3,
 "content": {
 "version": "KqlItem/1.0",
- "query": "fluentbit_CL\n| where isnotempty(FirewallName_s)\n| where ident_s == 'THREAT' and threat_content_type != 'url' and threat_content_type != 'file' and threat_content_type != 'wildfire'\n| where '{SelectedSubtype}' == \"All\" or '{SelectedSubtype}' == threat_content_type\n| where '{SelectedWildfire}' == \"All\" or '{SelectedWildfire}' == threat_content_name\n| where '{SelectedSeverity}' == \"All\" or '{SelectedSeverity}' == severity\n| summarize count() by bin(TimeGenerated, 1h), threat_content_type\n| render timechart\n",
+ "query": "let UrlThreats = fluentbit_CL\r\n| extend message = parse_json(Message)\r\n| where isnotempty(message.url_category_list)\r\n| where ident_s =~ 'THREAT'\r\n| project TimeGenerated, FirewallName_s, ident_s, message.url_category_list\r\n| summarize Count = count() by bin(TimeGenerated, 1h), FirewallName_s, tostring(message_url_category_list);\r\n\r\nlet Threats = fluentbit_CL\r\n| extend message = parse_json(Message)\r\n| where isnotempty(message.sub_type)\r\n| where ident_s =~ 'THREAT'\r\n| project TimeGenerated,FirewallName_s, ident_s, message.sub_type, message.threat_category\r\n| summarize Count = count() by bin(TimeGenerated, 1h), FirewallName_s, tostring(message_threat_category);\r\n\r\nUrlThreats \r\n| union Threats\r\n| extend Threat = strcat(message_url_category_list, \" \", message_threat_category)\r\n| project TimeGenerated, Threat, FirewallName_s, Count\r\n| render timechart ",
 "size": 0,
 "exportToExcelOptions": "visible",
 "title": "Threat subtypes over time",
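Review bot: The rewritten time chart drops the `'{SelectedSubtype}'` and `'{SelectedSeverity}'` predicates, so the tiles above, which still export those parameters (see the `exportParameterName` context in the -86 and -141 hunks), no longer filter this chart; the -297 and -394 hunks drop the same predicates. If tile-driven filtering is meant to survive, re-add a guard such as `| where '{SelectedSeverity}' == 'All' or tostring(message.severity) == '{SelectedSeverity}'` against whichever column the tiles end up exporting; otherwise the `export*` settings on the tiles should be removed so the dead link is not left behind. Note also that the final `project` keeps both `Threat` and `FirewallName_s` as string columns, which appears to make each series a firewall/threat pair and multiplies the number of lines by the number of firewalls.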
@@ -297,7 +241,7 @@
 "type": 3,
 "content": {
 "version": "KqlItem/1.0",
- "query": "fluentbit_CL\n| where isnotempty(FirewallName_s)\n| where ident_s == 'THREAT' and threat_content_type != 'url' and threat_content_type != 'file' and threat_content_type != 'wildfire'\n| where '{SelectedSubtype}' == \"All\" or '{SelectedSubtype}' == threat_content_type\n| where '{SelectedWildfire}' == \"All\" or '{SelectedWildfire}' == threat_content_type\n| where '{SelectedSeverity}' == \"All\" or '{SelectedSeverity}' == severity\n| summarize count() by bin(TimeGenerated, 1h), severity\n| render timechart\n",
+ "query": "fluentbit_CL\r\n| extend message = parse_json(Message)\r\n| where isnotempty(FirewallName_s)\r\n| where ident_s == 'THREAT'\r\n| summarize count() by bin(TimeGenerated, 1h), tostring(message.severity)\r\n| render timechart\r\n",
 "size": 0,
 "exportToExcelOptions": "visible",
 "title": "Threat severity over time",
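Review bot: `ident_s == 'THREAT'` here is case-sensitive while the -86, -279 and -315 hunks of this same commit use `=~`; pick one form so every panel counts the same rows. The `extend message = parse_json(Message)` also sits ahead of both `where` clauses; moving the two filters before the `extend` keeps the parse to THREAT rows and matches the order the -422 hunk uses.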
@@ -315,7 +259,7 @@
 "type": 3,
 "content": {
 "version": "KqlItem/1.0",
- "query": "let data = fluentbit_CL\r\n| where isnotempty(FirewallName_s)\r\n| where ident_s == 'THREAT' and threat_content_type != 'url' and threat_content_type != 'file' and threat_content_type != 'wildfire'\r\n| where '{SelectedSubtype}' == \"All\" or '{SelectedSubtype}' == threat_content_type\r\n| where '{SelectedSeverity}' == \"All\" or '{SelectedSeverity}' == severity\r\n| summarize Count = count() by app = parse_json(Message).app\r\n| join kind = inner (data\r\n | make-series Trend = count() default = 0 on TimeGenerated from {TimeRange:start} to {TimeRange:end} step {TimeRange:grain} by app)\r\n on app\r\n| project-away app1, TimeGenerated\r\n| extend ApplicationProtocols = app\r\n| union (\r\n data \r\n | summarize Count = count() \r\n | extend jkey = 1\r\n | join kind=inner (data\r\n | make-series Trend = count() default = 0 on TimeGenerated from {TimeRange:start} to {TimeRange:end} step {TimeRange:grain}\r\n | extend jkey = 1) on jkey\r\n | extend app = 'All', ApplicationProtocols = '*' \r\n)\r\n| project ApplicationProtocol = app, Count, Trend\r\n| order by Count desc\r\n| take 10",
+ "query": "fluentbit_CL\r\n| extend message = parse_json(Message)\r\n| where isnotempty(message.sub_type)\r\n| where ident_s =~ 'THREAT'\r\n| project TimeGenerated,FirewallName_s, ident_s, message.sub_type, message.threat_category, message.app\r\n| summarize Count = count() by bin(TimeGenerated, 1h), tostring(message_app)\r\n| render timechart ",
 "size": 0,
 "exportToExcelOptions": "visible",
 "title": "Threats, by application",
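Review bot: The `project TimeGenerated,FirewallName_s, ident_s, message.sub_type, message.threat_category, message.app` step is dead weight: the `summarize` that follows keeps only `bin(TimeGenerated, 1h)` and `tostring(message_app)`, so the line can go and the summarize can read `| summarize Count = count() by bin(TimeGenerated, 1h), App = tostring(message.app)`. This panel also gates on `isnotempty(message.sub_type)` rather than `isnotempty(FirewallName_s)` like its neighbours; judging from the -86 hunk, where URL threats are handled separately because they carry `url_category_list` instead of `sub_type`, that silently drops URL-filtering events from the by-application view, and if that is intended the title should say so.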
@@ -394,7 +338,7 @@
 "type": 3,
 "content": {
 "version": "KqlItem/1.0",
- "query": "fluentbit_CL\n| where isnotempty(FirewallName_s)\n| where ident_s == 'THREAT'\n| where '{SelectedSubtype}' == \"All\" or '{SelectedSubtype}' == threat_content_type\n| where '{SelectedWildfire}' == \"All\" or '{SelectedWildfire}' == threat_content_type\n| where '{SelectedSeverity}' == \"All\" or '{SelectedSeverity}' == severity\n| project TimeGenerated, LogSeverity=severity, DeviceAction=action, ['URL Category'] = category, DestinationPort=dport, DestinationIP=dst, Message, SourcePort=sport, SourceIP=src_ip, DestinationUserID",
+ "query": "fluentbit_CL\r\n| extend message = parse_json(Message)\r\n| where isnotempty(FirewallName_s)\r\n| where ident_s == 'THREAT'\r\n| project TimeGenerated, FirewallName=FirewallName_s, LogSeverity=message.severity, DeviceAction=message.action, ['Threat Category'] = message.threat_category, App=message.app, SourceIP=message.src_ip, SourcePort=message.sport, DestinationIP=message.dst, DestinationPort=message.dport",
 "size": 0,
 "exportToExcelOptions": "visible",
 "title": "Threat events",
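Review bot: Every projected field in the new query (`LogSeverity=message.severity`, `SourceIP=message.src_ip`, `DestinationPort=message.dport`, …) is left as `dynamic`, whereas the other panels in this commit wrap the same paths in `tostring()`; the grid then presents JSON values rather than text and numbers, and the port columns will not sort numerically. Cast them, e.g. `SourceIP=tostring(message.src_ip), SourcePort=toint(message.sport), DestinationIP=tostring(message.dst), DestinationPort=toint(message.dport)`, with `tostring()` on the remaining string fields. The dropped `DestinationUserID` and raw `Message` columns were the only fields in this grid carrying user identity and the full log line; if investigators rely on them during triage, keep them at the end of the projection.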
@@ -422,7 +366,7 @@
 "type": 3,
 "content": {
 "version": "KqlItem/1.0",
- "query": "fluentbit_CL\n| where isnotempty(FirewallName_s)\n| where ident_s == 'THREAT'\n| where Message.threat_content_type =~ 'vulnerability' or Message.threat_content_type =~ 'wildfire'\n| extend ThreatId = coalesce(\n column_ifexists(\"Message.threat_content_name\", \"\"),\n extract('cat=([^;]+)',1,Message),\n \"\"\n )\n| summarize Amount=count() by ThreatId, Message.severity\n| top 20 by Amount",
+ "query": "fluentbit_CL\r\n| where isnotempty(FirewallName_s)\r\n| where ident_s == 'THREAT'\r\n| extend message = parse_json(Message)\r\n| where message.sub_type =~ 'vulnerability' or message.sub_content_type =~ 'wildfire'\r\n| extend ThreatId = coalesce(\r\n column_ifexists(\"threat_content_name\", \"\"),\r\n extract(\"\\\\((.*?)\\\\)\",1,tostring(message.threat_content_name)),\r\n \"\"\r\n )\r\n| summarize Amount=count() by ThreatId, tostring(message.severity)\r\n| top 20 by Amount",
 "size": 0,
 "exportToExcelOptions": "visible",
 "title": "Top vulnerability events",
@@ -476,7 +420,7 @@
 "type": 3,
 "content": {
 "version": "KqlItem/1.0",
- "query": "fluentbit_CL\n| where isnotempty(FirewallName_s)\n| where ident_s == 'THREAT'\n| search threat_content_type in ('virus', 'wildfire', 'wildfire-virus')\n| summarize Amount=count() by Message, threat_content_type, Message.dst, Message.src_ip, Message.app\n| top 20 by Amount",
+ "query": "fluentbit_CL\r\n| where isnotempty(FirewallName_s)\r\n| where ident_s == 'THREAT'\r\n| search threat_content_type in ('virus', 'wildfire', 'wildfire-virus')\r\n| summarize Amount=count() by Message, threat_content_type, Message.dst, Message.src_ip, Message.app\r\n| top 20 by Amount",
 "size": 0,
 "exportToExcelOptions": "visible",
 "title": "Virus and malware events",
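Review bot: `message.sub_content_type =~ 'wildfire'` names a field that appears nowhere else in this series; every other query on the page, including the `CloudNGFW-UnusualThreatSignatures` rule that lists `'wildfire'` among `sub_type` values, reads `message.sub_type`, so this looks like a typo and the wildfire branch of the `or` would never match. Suggested line: `| where message.sub_type =~ 'vulnerability' or message.sub_type =~ 'wildfire'`, or more compactly `| where tostring(message.sub_type) in~ ('vulnerability', 'wildfire')`. The first `coalesce` operand, `column_ifexists("threat_content_name", "")`, refers to a top-level column that the rest of the commit stops using; it is harmless because `coalesce` skips the empty string, but it obscures that the real value comes from the `extract` over `message.threat_content_name`.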
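Review bot: This panel only swaps line endings; its query still filters with `search threat_content_type in (...)` and groups by `Message.dst`, `Message.src_ip`, `Message.app`, while every other panel in the commit has moved to `parse_json(Message)` and `message.sub_type`. If `Message` is a string column, as the `parse_json(Message)` calls elsewhere imply, those dotted paths yield nothing and the "Virus and malware events" grid stays empty. It should be migrated the same way: `| extend message = parse_json(Message)`, then `| where tostring(message.sub_type) in ('virus', 'wildfire', 'wildfire-virus')`, and `| summarize Amount=count() by tostring(message.dst), tostring(message.src_ip), tostring(message.app)` in place of the current search/summarize pair.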
@@ -543,7 +487,7 @@
 "type": 3,
 "content": {
 "version": "KqlItem/1.0",
- "query": "fluentbit_CL\n| where isnotempty(FirewallName_s)\n| where ident_s == 'THREAT'\n| extend ThreatId = coalesce(\n tostring(Message.threat_content_type),\n \"\"\n )\n| extend ThreatCategory = tostring(Message.threat_category)\n| summarize Amount=count() by ThreatId, ThreatCategory, Message.severity\n| top 20 by Amount",
+ "query": "fluentbit_CL\r\n| where isnotempty(FirewallName_s)\r\n| where ident_s == 'THREAT'\r\n| extend message = parse_json(Message)\r\n| extend ThreatId = coalesce(\r\n column_ifexists(\"threat_content_name\", \"\"),\r\n extract(\"\\\\((.*?)\\\\)\",1,tostring(message.threat_content_name)),\r\n \"\"\r\n )\r\n| extend ThreatCategory = tostring(message.threat_category)\r\n| summarize Amount=count() by ThreatId, ThreatCategory, tostring(message.severity)\r\n| top 20 by Amount",
 "size": 0,
 "exportToExcelOptions": "visible",
 "title": "Top correlation events",
From dead09b46b01b5eec9b9124c95e45b9302919a76 Mon Sep 17 00:00:00 2001
From: abudilovskiy-panw
Date: Thu, 2 Jan 2025 16:04:48 -0800
Subject: [PATCH 2/5] Updated workbooks, rules and queries
---
 .../CloudNGFW-PortScanning.yaml | 24 +-
 .../CloudNGFW-UnusualThreatSignatures.yaml | 18 +-
 .../CloudNGFW-HighRiskPorts.yaml | 5 +-
 .../Workbooks/CloudNGFW-NetworkThreat.json | 290 +-
 .../Workbooks/CloudNGFW-Overview.json | 2098 +++++++----------
 5 files changed, 939 insertions(+), 1496 deletions(-)
diff --git a/Solutions/Azure Cloud NGFW by Palo Alto Networks/Analytic Rules/CloudNGFW-PortScanning.yaml b/Solutions/Azure Cloud NGFW by Palo Alto Networks/Analytic Rules/CloudNGFW-PortScanning.yaml
index a6e976bf04f..c4cc7a59078 100644
--- a/Solutions/Azure Cloud NGFW by Palo Alto Networks/Analytic Rules/CloudNGFW-PortScanning.yaml
+++ b/Solutions/Azure Cloud NGFW by Palo Alto Networks/Analytic Rules/CloudNGFW-PortScanning.yaml
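Review bot: The panel is titled "Top correlation events", but after this change nothing in the query restricts it to correlation events: it is the -422 query without the subtype predicate, so it lists the same threat names with a `ThreatCategory` column added. If correlation logs are distinguishable by a field in the parsed message, filter on it here; otherwise retitle the panel so the two grids are not mistaken for different data. As in the -422 hunk, the `column_ifexists("threat_content_name", "")` operand in front of the `extract` is dead weight.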
@@ -21,20 +21,26 @@ relevantTechniques: query: | fluentbit_CL | where ident_s == "TRAFFIC" - | extend DestinationPort = tostring(parse_json(Message).dport) - | where isnotempty(DestinationPort) and parse_json(Message).action !in ("reset-both", "deny") + | where isnotempty(FirewallName_s) + | extend message = parse_json(Message) + | extend DestinationPort = tostring(message.dport) + | extend SourceIP = tostring(message.src_ip) + | extend DestinationIP = tostring(message.dst_ip) + | extend Application = tostring(message.app) + | extend Protocol = tostring(message.proto) + | extend Action = tostring(message.action) + | where isnotempty(DestinationPort) and message.action !in ("reset-both", "deny") | where DestinationPort !in ("443", "53", "389", "80", "0", "880", "8888", "8080") - | where parse_json(Message).app == "incomplete" + | where message.app == "incomplete" | where toint(DestinationPort) !between (49512 .. 65535) - | where isnotempty(FirewallName_s) - | where parse_json(Message).dst_ip !startswith "10." - | extend Reason = coalesce(column_ifexists("Reason", ""), tostring(parse_json(Message).session_end_reason), "") + | where message.dst_ip !startswith "10." 
+ | extend Reason = coalesce(column_ifexists("Reason", ""), tostring(message.session_end_reason), "") | where Reason !has "aged-out" | where Reason !has "tcp-fin" - | summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), count() by FirewallName_s, tostring(parse_json(Message).src_ip), tostring(parse_json(Message).app), Reason, DestinationPort, tostring(parse_json(Message).proto), ident_s, tostring(parse_json(Message).action), tostring(parse_json(Message).dst_ip),Message + | summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), count() by FirewallName_s, SourceIP, Application, Reason, DestinationPort, Protocol, ident_s, Action, DestinationIP | where count_ >= 10 - | summarize StartTime = min(StartTime), EndTime = max(EndTime), makeset(parse_json(Message).dst_ip), totalcount = sum(count_) by FirewallName_s, tostring(parse_json(Message).src_ip), tostring(parse_json(Message).app), Reason, DestinationPort, tostring(parse_json(Message).proto), ident_s, tostring(parse_json(Message).action),Message - | extend IPAddress = tostring(parse_json(Message).src_ip) + | summarize StartTime = min(StartTime), EndTime = max(EndTime), makeset(DestinationIP), totalcount = sum(count_) by FirewallName_s, SourceIP, Application, Reason, DestinationPort, Protocol, ident_s, Action + | extend IPAddress = SourceIP | extend HostName = tostring(split(FirewallName_s, ".")[0]), DomainIndex = toint(indexof(FirewallName_s, '.')) | extend HostNameDomain = iff(DomainIndex != -1, substring(FirewallName_s, DomainIndex + 1), FirewallName_s) entityMappings: diff --git a/Solutions/Azure Cloud NGFW by Palo Alto Networks/Analytic Rules/CloudNGFW-UnusualThreatSignatures.yaml b/Solutions/Azure Cloud NGFW by Palo Alto Networks/Analytic Rules/CloudNGFW-UnusualThreatSignatures.yaml index a51a975ed4e..ec4bb81b61b 100644 --- a/Solutions/Azure Cloud NGFW by Palo Alto Networks/Analytic Rules/CloudNGFW-UnusualThreatSignatures.yaml 
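Review bot: The private-address exclusion `| where message.dst_ip !startswith "10."` removes only 10.0.0.0/8; destinations in 172.16.0.0/12 and 192.168.0.0/16 still count toward the scan threshold, so internal-to-internal traffic can fire the rule, while the `CloudNGFW-HighRiskPorts` hunt in this same patch uses `ipv4_is_private()` for the same purpose. Since `DestinationIP` is already extended as a string a few lines above, `| where not(ipv4_is_private(DestinationIP))` covers all three RFC 1918 ranges; keep the prefix test only if matching a single range was intentional. `makeset(DestinationIP)` is the deprecated spelling of `make_set()`. The rule's query continues past the hunk into `entityMappings:`.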
+++ b/Solutions/Azure Cloud NGFW by Palo Alto Networks/Analytic Rules/CloudNGFW-UnusualThreatSignatures.yaml 
@@ -32,18 +32,20 @@ query: | let CurrThreshold = 10; let HistoricalThreats = fluentbit_CL | where ident_s == "THREAT" - | where isnotempty(parse_json(Message).src_ip) + | extend message = parse_json(Message) + | where isnotempty(message.src_ip) | where TimeGenerated between (startofday(ago(starttime))..startofday(ago(endtime))) - | where parse_json(Message).threat_content_type in ('spyware', 'scan', 'file', 'vulnerability', 'flood', 'packet', 'virus','wildfire', 'wildfire-virus') - | extend src_ip = tostring(parse_json(Message).src_ip) - | summarize TotalEvents = count(), ThreatTypes = make_set(parse_json(Message).threat_content_type), DestinationIpList = make_set(parse_json(Message).dst), FirstSeen = min(TimeGenerated) , LastSeen = max(TimeGenerated) by src_ip, parse_json(Message).action, FirewallName_s; + | where message.sub_type in ('spyware', 'scan', 'file', 'vulnerability', 'flood', 'packet', 'virus','wildfire', 'wildfire-virus') + | extend src_ip = tostring(message.src_ip) + | summarize TotalEvents = count(), ThreatTypes = make_set(message.sub_type), DestinationIpList = make_set(message.dst), FirstSeen = min(TimeGenerated) , LastSeen = max(TimeGenerated) by src_ip, tostring(message.action), FirewallName_s; let CurrentHourThreats = fluentbit_CL | where ident_s == "THREAT" - | where isnotempty(parse_json(Message).src_ip) + | extend message = parse_json(Message) + | where isnotempty(message.src_ip) | where TimeGenerated > ago(timeframe) - | where parse_json(Message).threat_content_type in ('spyware', 'scan', 'file', 'vulnerability', 'flood', 'packet', 'virus','wildfire', 'wildfire-virus') - | extend src_ip = tostring(parse_json(Message).src_ip) - | summarize TotalEvents = count(), ThreatTypes = make_set(parse_json(Message).threat_content_type), DestinationIpList = make_set(parse_json(Message).dst), FirstSeen = min(TimeGenerated) , LastSeen = max(TimeGenerated) by src_ip, parse_json(Message).action, FirewallName_s; + | where message.sub_type in ('spyware', 
'scan', 'file', 'vulnerability', 'flood', 'packet', 'virus','wildfire', 'wildfire-virus') + | extend src_ip = tostring(message.src_ip) + | summarize TotalEvents = count(), ThreatTypes = make_set(message.sub_type), DestinationIpList = make_set(message.dst), FirstSeen = min(TimeGenerated) , LastSeen = max(TimeGenerated) by src_ip, tostring(message.action), FirewallName_s; CurrentHourThreats | where TotalEvents < CurrThreshold | join kind = leftanti (HistoricalThreats diff --git a/Solutions/Azure Cloud NGFW by Palo Alto Networks/Hunting Queries/CloudNGFW-HighRiskPorts.yaml b/Solutions/Azure Cloud NGFW by Palo Alto Networks/Hunting Queries/CloudNGFW-HighRiskPorts.yaml index 428b2357ad7..052cf3cb321 100644 --- a/Solutions/Azure Cloud NGFW by Palo Alto Networks/Hunting Queries/CloudNGFW-HighRiskPorts.yaml +++ b/Solutions/Azure Cloud NGFW by Palo Alto Networks/Hunting Queries/CloudNGFW-HighRiskPorts.yaml @@ -81,8 +81,9 @@ query: | HighRiskPorts | join kind=inner ( fluentbit_CL - | where FirewallName_s == "palocloudfw" and ident_s == "TRAFFIC" and Message.action != "deny" - | extend DestinationIP = tostring(parse_json(Message).dst_ip), DestinationPort = toint(parse_json(Message).dport), Protocol = tostring(parse_json(Message).proto), SourceIP = tostring(parse_json(Message).src_ip) + | extend message = parse_json(Message) + | where ident_s == "TRAFFIC" and message.action != "deny" + | extend DestinationIP = tostring(message.dst_ip), DestinationPort = toint(message.dport), Protocol = tostring(message.proto), SourceIP = tostring(message.src_ip) | where isnotempty(DestinationIP) and isnotempty(SourceIP) //Remove private IP communication from DestinationIP | extend result = ipv4_is_private(DestinationIP) diff --git a/Solutions/Azure Cloud NGFW by Palo Alto Networks/Workbooks/CloudNGFW-NetworkThreat.json b/Solutions/Azure Cloud NGFW by Palo Alto Networks/Workbooks/CloudNGFW-NetworkThreat.json index 471793c3268..47bc68c93c7 100644 
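Review bot: `HistoricalThreats` and `CurrentHourThreats` are the same pipeline differing only in the `TimeGenerated` predicate, and this hunk edits both copies line by line; defining the shared part once (a `let` over `fluentbit_CL` with the `ident_s`, `parse_json`, `src_ip`, `sub_type` filters and the `src_ip` extend) and applying the two time windows to it would keep them from drifting. Both copies also run `extend message = parse_json(Message)` before the time-window `where`; placing the window first limits the parse to rows in range. The `join kind = leftanti (HistoricalThreats` expression continues outside the hunk.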
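Review bot: Dropping the hard-coded `FirewallName_s == "palocloudfw"` predicate is the right call, but `message.action != "deny"` still admits sessions the firewall reset, whereas the `CloudNGFW-PortScanning` rule in this same patch excludes `"reset-both"` as well; if the hunt is meant to surface high-risk-port traffic that actually got through, the action filter should exclude those outcomes too, e.g. `| where ident_s == "TRAFFIC" and tostring(message.action) !in ("deny", "reset-both")`, extended with the firewall's other blocking actions as appropriate. The `join` and the `HighRiskPorts` definition that consume `DestinationPort` start before this hunk.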
--- a/Solutions/Azure Cloud NGFW by Palo Alto Networks/Workbooks/CloudNGFW-NetworkThreat.json +++ b/Solutions/Azure Cloud NGFW by Palo Alto Networks/Workbooks/CloudNGFW-NetworkThreat.json @@ -12,8 +12,6 @@ "type": 9, "content": { "version": "KqlParameterItem/1.0", - "query": "", - "crossComponentResources": [], "parameters": [ { "id": "d0ccb5c6-8a07-4b7e-9abf-38fa4dcc0baf", @@ -22,7 +20,7 @@ "type": 4, "isRequired": true, "value": { - "durationMs": 43200000 + "durationMs": 7776000000 }, "typeSettings": { "selectableValues": [ @@ -74,6 +72,52 @@ ], "allowCustom": true } + }, + { + "id": "a2094f99-1479-450e-8a18-e9677a18fdaf", + "version": "KqlParameterItem/1.0", + "name": "SubType", + "label": "Sub Type", + "type": 2, + "isRequired": true, + "multiSelect": true, + "quote": "'", + "delimiter": ",", + "query": "fluentbit_CL\n| where isnotempty(FirewallName_s)\n| where ident_s =~ \"THREAT\"\n| extend message = parse_json(Message)\n| where isnotempty(message.sub_type)\n| distinct tostring(message.sub_type)", + "typeSettings": { + "additionalResourceOptions": [ + "value::all" + ], + "selectAllValue": "All", + "showDefault": false + }, + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces", + "value": [ + "value::all" + ] + }, + { + "id": "51f92c36-ed03-408d-b392-11a1ae74aff3", + "version": "KqlParameterItem/1.0", + "name": "Severity", + "type": 2, + "isRequired": true, + "multiSelect": true, + "quote": "'", + "delimiter": ",", + "query": "fluentbit_CL\n| where isnotempty(FirewallName_s)\n| where ident_s =~ \"THREAT\"\n| extend message = parse_json(Message)\n| where isnotempty(message.sub_type)\n| distinct tostring(message.severity)", + "typeSettings": { + "additionalResourceOptions": [ + "value::all" + ], + "selectAllValue": "All" + }, + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces", + "value": [ + "value::all" + ] } ], "style": "pills", 
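Review bot: A 90-day default `TimeRange` (`7776000000` ms, up from 12 h) makes every KQL panel in the workbook scan three months of `fluentbit_CL` on first open; for a threat workbook that is normally opened for recent activity this is a noticeable latency and query-cost change and deserves a sentence in the commit message. If the goal is to make sparse data visible by default, a 7-day value (`604800000`) is a common compromise, and the `selectableValues` list just past the hunk still lets users widen it.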
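Review bot: The `Severity` parameter's query is a copy of the `SubType` one: it filters on `isnotempty(message.sub_type)` but then takes `distinct tostring(message.severity)`, so threat rows without a `sub_type` (the URL-category events the other panels treat separately) contribute no severity values and the filter is unrelated to the column returned. Change that line to `| where isnotempty(message.severity)`. `Severity` also lacks the `"label"` and `"showDefault": false` settings that `SubType` has; whichever is intended, make the two pills consistent.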
@@ -88,32 +132,24 @@ "version": "KqlItem/1.0", "query": "let UrlThreats = fluentbit_CL\r\n | extend message = parse_json(Message)\r\n | where isnotempty(message.url_category_list)\r\n | where ident_s =~ 'THREAT'\r\n | project FirewallName_s, ident_s, message.url_category_list\r\n | summarize Count = count(), FirewallName = any(FirewallName_s) by tostring(message_url_category_list);\r\n\r\nlet Threats = fluentbit_CL\r\n| extend message = parse_json(Message)\r\n| where isnotempty(message.sub_type)\r\n| where ident_s =~ 'THREAT'\r\n| project FirewallName_s, ident_s, message.sub_type, message.threat_category\r\n| summarize Count = count(), FirewallName = any(FirewallName_s) by tostring(message_threat_category);\r\n\r\nUrlThreats \r\n| union Threats\r\n| extend Threat = strcat(message_url_category_list, \" \", message_threat_category)\r\n| project FirewallName, Threat, Count", "size": 3, + "title": "Threats, by subtypes", + "timeContextFromParameter": "TimeRange", "exportFieldName": "threat_content_type", "exportParameterName": "SelectedSubtype", "exportDefaultValue": "All", - "exportToExcelOptions": "visible", - "title": "Threats, by subtypes", - "timeContext": { - "durationMs": 0 - }, - "timeContextFromParameter": "TimeRange", "queryType": 0, "resourceType": "microsoft.operationalinsights/workspaces", "visualization": "tiles", "tileSettings": { "titleContent": { - "columnMatch": "threat_content_type", - "formatter": 1, - "formatOptions": { - "showIcon": true - } + "columnMatch": "Threat", + "formatter": 1 }, "leftContent": { "columnMatch": "Count", "formatter": 12, "formatOptions": { - "palette": "auto", - "showIcon": true + "palette": "auto" }, "numberFormat": { "unit": 17, 
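Review bot: `titleContent.columnMatch` is corrected to `Threat`, but the neighbouring `"exportFieldName": "threat_content_type"` / `"exportParameterName": "SelectedSubtype"` context lines are untouched, so a tile click still exports a column the query does not produce, and as far as this patch shows nothing reads `SelectedSubtype` any more (the time charts at -205 and -241 filter on the `SubType` parameter added at -74). Either remove the three `export*` lines or point them at `Threat` and a parameter that consumes it. The query also no longer produces the `'All'` row that `"exportDefaultValue": "All"` assumes.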
@@ -123,54 +159,28 @@ } } }, - "secondaryContent": { - "columnMatch": "Trend", - "formatter": 9, - "formatOptions": { - "palette": "blueDark", - "showIcon": true - } - }, "showBorder": false } }, - "customWidth": "33", + "customWidth": "50", "name": "Threats by subtypes" }, { "type": 3, "content": { "version": "KqlItem/1.0", - "query": "let ThreatSeverity = fluentbit_CL\r\n| extend message = parse_json(Message)\r\n| where ident_s =~ 'THREAT'\r\n| project TimeGenerated, FirewallName_s, ident_s, message.severity\r\n| summarize Count = count(), FirewallName = any(FirewallName_s) by tostring(message_severity);\r\nThreatSeverity", + "query": "let data = fluentbit_CL\r\n| where isnotempty(FirewallName_s)\r\n| extend message = parse_json(Message)\r\n| where ident_s == 'THREAT' and isnotempty(message.sub_type);\r\ndata\r\n| summarize Count = count() by tostring(message.severity)\r\n| join kind = inner (data\r\n | make-series Trend = count() default = 0 on TimeGenerated from {TimeRange:start} to {TimeRange:end} step {TimeRange:grain} by tostring(message.severity))\r\n on message_severity\r\n| project-away message_severity1, TimeGenerated\r\n| extend message_severities = message_severity\r\n| union (\r\n data \r\n | summarize Count = count() \r\n | extend jkey = 1\r\n | join kind=inner (data\r\n | make-series Trend = count() default = 0 on TimeGenerated from {TimeRange:start} to {TimeRange:end} step {TimeRange:grain}\r\n | extend jkey = 1) on jkey\r\n | extend message_severity = 'All', messsage_severities = '*' \r\n)\r\n| project message_severity, Count, Trend\r\n| order by Count desc\r\n| take 10", "size": 3, + "title": "Threats severity", + "timeContextFromParameter": "TimeRange", "exportFieldName": "severity", "exportParameterName": "SelectedSeverity", "exportDefaultValue": "All", - "exportToExcelOptions": "visible", - "title": "Threats severity", - "timeContext": { - "durationMs": 0 - }, - "timeContextFromParameter": "TimeRange", "queryType": 0, "resourceType": 
"microsoft.operationalinsights/workspaces", "visualization": "tiles", "gridSettings": { "formatters": [ - { - "columnMatch": "severity", - "formatter": 0, - "formatOptions": { - "showIcon": true - } - }, - { - "columnMatch": "Count", - "formatter": 0, - "formatOptions": { - "showIcon": true - } - }, { "columnMatch": "Trend", "formatter": 9, @@ -179,23 +189,18 @@ "showIcon": true } } - ], - "labelSettings": [] + ] }, "tileSettings": { "titleContent": { - "columnMatch": "severity", - "formatter": 1, - "formatOptions": { - "showIcon": true - } + "columnMatch": "message_severity", + "formatter": 1 }, "leftContent": { "columnMatch": "Count", "formatter": 12, "formatOptions": { - "palette": "auto", - "showIcon": true + "palette": "auto" }, "numberFormat": { "unit": 17, 
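Review bot: The union branch spells the helper column `messsage_severities` (three s) while the main branch defines `message_severities`; both are discarded by the final `project`, so output is unaffected, but the union now carries two near-identical columns and the typo will bite anyone who later projects one of them — rename to `message_severities`. The query still computes `Trend` through two `make-series` joins, yet the `secondaryContent` tile that displayed `Trend` is removed in the -205 hunk; if the sparkline is gone for good, the query can collapse to `| summarize Count = count() by Severity = tostring(message.severity)` plus the `'All'` row. As with the tile at -88, the context line `"exportFieldName": "severity"` no longer matches the output column `message_severity`.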
@@ -205,31 +210,19 @@ } } }, - "secondaryContent": { - "columnMatch": "Trend", - "formatter": 9, - "formatOptions": { - "palette": "blueDark", - "showIcon": true - } - }, "showBorder": false } }, - "customWidth": "33", + "customWidth": "50", "name": "Threats severity" }, { "type": 3, "content": { "version": "KqlItem/1.0", - "query": "let UrlThreats = fluentbit_CL\r\n| extend message = parse_json(Message)\r\n| where isnotempty(message.url_category_list)\r\n| where ident_s =~ 'THREAT'\r\n| project TimeGenerated, FirewallName_s, ident_s, message.url_category_list\r\n| summarize Count = count() by bin(TimeGenerated, 1h), FirewallName_s, tostring(message_url_category_list);\r\n\r\nlet Threats = fluentbit_CL\r\n| extend message = parse_json(Message)\r\n| where isnotempty(message.sub_type)\r\n| where ident_s =~ 'THREAT'\r\n| project TimeGenerated,FirewallName_s, ident_s, message.sub_type, message.threat_category\r\n| summarize Count = count() by bin(TimeGenerated, 1h), FirewallName_s, tostring(message_threat_category);\r\n\r\nUrlThreats \r\n| union Threats\r\n| extend Threat = strcat(message_url_category_list, \" \", message_threat_category)\r\n| project TimeGenerated, Threat, FirewallName_s, Count\r\n| render timechart ", + "query": "fluentbit_CL\n| where isnotempty(FirewallName_s)\n| extend message = parse_json(Message)\n| where ident_s == 'THREAT' and isnotempty(message.sub_type)\n| where \"{SubType:label}\" == \"All\" or message.sub_type in ({SubType})\n| where \"{Severity:label}\" == \"All\" or message.severity in ({Severity})\n| summarize count() by bin(TimeGenerated, 1h), tostring(message.sub_type)\n| render timechart\n", "size": 0, - "exportToExcelOptions": "visible", "title": "Threat subtypes over time", - "timeContext": { - "durationMs": 0 - }, "timeContextFromParameter": "TimeRange", "queryType": 0, "resourceType": "microsoft.operationalinsights/workspaces" 
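Review bot: `message.sub_type in ({SubType})` and `message.severity in ({Severity})` compare `dynamic` values against the quoted string list the parameters expand to; elsewhere in this file the same fields are wrapped in `tostring()` before comparison, and doing so here (`tostring(message.sub_type) in ({SubType})`, `tostring(message.severity) in ({Severity})`) makes the match a plain string comparison regardless of how the JSON value is typed. Removing `secondaryContent` from the severity tile here while the -123 query still computes `Trend` leaves that work unused.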
@@ -241,13 +234,9 @@ "type": 3, "content": { "version": "KqlItem/1.0", - "query": "fluentbit_CL\r\n| extend message = parse_json(Message)\r\n| where isnotempty(FirewallName_s)\r\n| where ident_s == 'THREAT'\r\n| summarize count() by bin(TimeGenerated, 1h), tostring(message.severity)\r\n| render timechart\r\n", + "query": "fluentbit_CL\n| where isnotempty(FirewallName_s)\n| where ident_s == 'THREAT'\n| extend message = parse_json(Message)\n| where '{SubType:label}' == \"All\" or message.sub_type in ({SubType})\n| where '{Severity:label}' == \"All\" or message.severity in ({Severity})\n| summarize count() by bin(TimeGenerated, 1h), tostring(message.severity)\n| render timechart\n", "size": 0, - "exportToExcelOptions": "visible", "title": "Threat severity over time", - "timeContext": { - "durationMs": 0 - }, "timeContextFromParameter": "TimeRange", "queryType": 0, "resourceType": "microsoft.operationalinsights/workspaces" @@ -261,24 +250,13 @@ "version": "KqlItem/1.0", "query": "fluentbit_CL\r\n| extend message = parse_json(Message)\r\n| where isnotempty(message.sub_type)\r\n| where ident_s =~ 'THREAT'\r\n| project TimeGenerated,FirewallName_s, ident_s, message.sub_type, message.threat_category, message.app\r\n| summarize Count = count() by bin(TimeGenerated, 1h), tostring(message_app)\r\n| render timechart ", "size": 0, - "exportToExcelOptions": "visible", "title": "Threats, by application", - "timeContext": { - "durationMs": 0 - }, "timeContextFromParameter": "TimeRange", "queryType": 0, "resourceType": "microsoft.operationalinsights/workspaces", - "visualization": "table", + "visualization": "linechart", "gridSettings": { "formatters": [ - { - "columnMatch": "ApplicationProtocol", - "formatter": 0, - "formatOptions": { - "showIcon": true - } - }, { "columnMatch": "Count", "formatter": 4, @@ -294,8 +272,7 @@ "showIcon": true } } - ], - "labelSettings": [] + ] }, "tileSettings": { "titleContent": { 
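Review bot: This query quotes the parameter guards with single quotes (`'{SubType:label}' == "All"`) while the -205 hunk uses double quotes for the identical guard; pick one form across the file. It also has no `isnotempty(message.sub_type)` predicate, unlike the subtype chart at -205, so the two charts count different populations for the same selection (URL-category events with no `sub_type` appear here but not there); if that is intended, the titles should make the difference visible.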
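Review bot: `visualization` changes to `linechart`, but the `gridSettings` `Count` formatter and the `tileSettings`/`titleContent` block that begins at the hunk's end are table and tile configuration a line chart ignores; drop them so the panel definition matches what is rendered. The query line is context here, but it still projects `message.sub_type` and `message.threat_category`, which the following `summarize` discards.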
@@ -338,19 +315,14 @@
 "type": 3,
 "content": {
 "version": "KqlItem/1.0",
- "query": "fluentbit_CL\r\n| extend message = parse_json(Message)\r\n| where isnotempty(FirewallName_s)\r\n| where ident_s == 'THREAT'\r\n| project TimeGenerated, FirewallName=FirewallName_s, LogSeverity=message.severity, DeviceAction=message.action, ['Threat Category'] = message.threat_category, App=message.app, SourceIP=message.src_ip, SourcePort=message.sport, DestinationIP=message.dst, DestinationPort=message.dport",
+ "query": "fluentbit_CL\n| extend message = parse_json(Message)\n| where isnotempty(FirewallName_s)\n| where ident_s == 'THREAT'\n| project TimeGenerated, FirewallName=FirewallName_s, LogSeverity=message.severity, DeviceAction=message.action, ['Threat Category'] = message.threat_category, App=message.app, SourceIP=message.src_ip, SourcePort=message.sport, DestinationIP=message.dst, DestinationPort=message.dport",
 "size": 0,
- "exportToExcelOptions": "visible",
 "title": "Threat events",
- "timeContext": {
- "durationMs": 0
- },
 "timeContextFromParameter": "TimeRange",
 "queryType": 0,
 "resourceType": "microsoft.operationalinsights/workspaces",
 "gridSettings": {
- "filter": true,
- "labelSettings": []
+ "filter": true
 }
 },
 "name": "All Threat Events"
@@ -366,32 +338,14 @@
 "type": 3,
 "content": {
 "version": "KqlItem/1.0",
- "query": "fluentbit_CL\r\n| where isnotempty(FirewallName_s)\r\n| where ident_s == 'THREAT'\r\n| extend message = parse_json(Message)\r\n| where message.sub_type =~ 'vulnerability' or message.sub_content_type =~ 'wildfire'\r\n| extend ThreatId = coalesce(\r\n column_ifexists(\"threat_content_name\", \"\"),\r\n extract(\"\\\\((.*?)\\\\)\",1,tostring(message.threat_content_name)),\r\n \"\"\r\n )\r\n| summarize Amount=count() by ThreatId, tostring(message.severity)\r\n| top 20 by Amount",
+ "query": "fluentbit_CL\n| where isnotempty(FirewallName_s)\n| where ident_s == 'THREAT'\n| extend message = parse_json(Message)\n| where message.sub_type =~ 'vulnerability' or message.sub_content_type =~ 'wildfire'\n| extend ThreatId = coalesce(\n column_ifexists(\"threat_content_name\", \"\"),\n extract(\"\\\\((.*?)\\\\)\",1,tostring(message.threat_content_name)),\n \"\"\n )\n| summarize Amount=count() by ThreatId, tostring(message.severity)\n| top 20 by Amount",
 "size": 0,
- "exportToExcelOptions": "visible",
 "title": "Top vulnerability events",
- "timeContext": {
- "durationMs": 0
- },
 "timeContextFromParameter": "TimeRange",
 "queryType": 0,
 "resourceType": "microsoft.operationalinsights/workspaces",
 "gridSettings": {
 "formatters": [
- {
- "columnMatch": "ThreatId",
- "formatter": 0,
- "formatOptions": {
- "showIcon": true
- }
- },
- {
- "columnMatch": "Message.severity",
- "formatter": 0,
- "formatOptions": {
- "showIcon": true
- }
- },
 {
 "columnMatch": "Amount",
 "formatter": 4,
@@ -409,118 +363,25 @@
 }
 }
 ],
- "filter": true,
- "labelSettings": []
+ "filter": true
 }
 },
- "customWidth": "50",
+ "customWidth": "100",
 "name": "Top vulnerability events"
 },
 {
 "type": 3,
 "content": {
 "version": "KqlItem/1.0",
- "query": "fluentbit_CL\r\n| where isnotempty(FirewallName_s)\r\n| where ident_s == 'THREAT'\r\n| search threat_content_type in ('virus', 'wildfire', 'wildfire-virus')\r\n| summarize Amount=count() by Message, threat_content_type, Message.dst, Message.src_ip, Message.app\r\n| top 20 by Amount",
- "size": 0,
- "exportToExcelOptions": "visible",
- "title": "Virus and malware events",
- "timeContext": {
- "durationMs": 0
- },
- "timeContextFromParameter": "TimeRange",
- "queryType": 0,
- "resourceType": "microsoft.operationalinsights/workspaces",
- "gridSettings": {
- "formatters": [
- {
- "columnMatch": "Message",
- "formatter": 0,
- "formatOptions": {
- "showIcon": true
- }
- },
- {
- "columnMatch": "threat_content_type",
- "formatter": 0,
- "formatOptions": {
- "showIcon": true
- }
- },
- {
- "columnMatch": "Message.dst",
- "formatter": 0,
- "formatOptions": {
- "showIcon": true
- }
- },
- {
- "columnMatch": "Message.src_ip",
- "formatter": 0,
- "formatOptions": {
- "showIcon": true
- }
- },
- {
- "columnMatch": "Message.app",
- "formatter": 0,
- "formatOptions": {
- "showIcon": true
- }
- },
- {
- "columnMatch": "Amount",
- "formatter": 4,
- "formatOptions": {
- "palette": "coldHot",
- "showIcon": true
- }
- }
- ],
- "filter": true,
- "labelSettings": []
- }
- },
- "customWidth": "50",
- "name": "Virus and malware events"
- },
- {
- "type": 3,
- "content": {
- "version": "KqlItem/1.0",
- "query": "fluentbit_CL\r\n| where isnotempty(FirewallName_s)\r\n| where ident_s == 'THREAT'\r\n| extend message = parse_json(Message)\r\n| extend ThreatId = coalesce(\r\n column_ifexists(\"threat_content_name\", \"\"),\r\n extract(\"\\\\((.*?)\\\\)\",1,tostring(message.threat_content_name)),\r\n \"\"\r\n )\r\n| extend ThreatCategory = tostring(message.threat_category)\r\n| summarize Amount=count() by ThreatId, ThreatCategory, tostring(message.severity)\r\n| top 20 by Amount",
+ "query": "fluentbit_CL\n| where isnotempty(FirewallName_s)\n| where ident_s == 'THREAT'\n| extend message = parse_json(Message)\n| extend ThreatId = coalesce(\n column_ifexists(\"threat_content_name\", \"\"),\n extract(\"\\\\((.*?)\\\\)\",1,tostring(message.threat_content_name)),\n \"\"\n )\n| extend ThreatCategory = tostring(message.threat_category)\n| summarize Amount=count() by ThreatId, ThreatCategory, tostring(message.severity)\n| top 20 by Amount",
 "size": 0,
- "exportToExcelOptions": "visible",
 "title": "Top correlation events",
- "timeContext": {
- "durationMs": 0
- },
 "timeContextFromParameter": "TimeRange",
 "queryType": 0,
 "resourceType": "microsoft.operationalinsights/workspaces",
 "visualization": "table",
 "gridSettings": {
 "formatters": [
- {
- "columnMatch": "ThreatId",
- "formatter": 0,
- "formatOptions": {
- "showIcon": true
- }
- },
- {
- "columnMatch": "ThreatCategory",
- "formatter": 0,
- "formatOptions": {
- "showIcon": true
- }
- },
- {
- "columnMatch": "severity",
- "formatter": 0,
- "formatOptions": {
- "showIcon": true
- }
- },
 {
 "columnMatch": "Amount",
 "formatter": 4,
@@ -529,14 +390,15 @@
 "showIcon": true
 }
 }
- ],
- "labelSettings": []
+ ]
 }
 },
 "name": "Top correlation events"
 }
 ],
- "styleSettings": {},
+ "fallbackResourceIds": [
+ "/subscriptions/cdf6b2c9-484f-46b7-8952-68edea8f1dcb/resourcegroups/sentinel-test/providers/microsoft.operationalinsights/workspaces/cngfw-law"
+ ],
 "fromTemplateId": "sentinel-PaloAltoNetworkThreat",
 "$schema": "https://github.com/Microsoft/Application-Insights-Workbooks/blob/master/schema/workbook.json"
-}
+}
\ No newline at end of file
diff --git a/Solutions/Azure Cloud NGFW by Palo Alto Networks/Workbooks/CloudNGFW-Overview.json b/Solutions/Azure Cloud NGFW by Palo Alto Networks/Workbooks/CloudNGFW-Overview.json
index 9e618d4bf26..9bebaccb7b1 100644
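Review bot: Dropping the `Virus and malware events` item leaves no view keyed on virus/WildFire detections; the only remaining malware-related clause is `message.sub_content_type =~ 'wildfire'` inside `Top vulnerability events`, where those rows are mixed in with `vulnerability` hits. The removed query was built on the old `threat_content_type` column and the `search` operator, so it presumably stopped matching once the workbook moved to the parsed `Message` fields, but a replacement on the new schema is a single filter, `| where tostring(message.sub_type) in ('virus', 'wildfire', 'wildfire-virus')`, on the same `parse_json` pipeline the other tiles use. Separately, `Top correlation events` has no sub_type filter at all, so it lists every THREAT record rather than correlation events; either add `| where message.sub_type =~ 'correlation'` or retitle the tile. The hunk opens inside the `Top vulnerability events` item and closes inside the `Top correlation events` formatter list.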
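Review bot: `fallbackResourceIds` now pins the template to one concrete workspace, `/subscriptions/cdf6b2c9-484f-46b7-8952-68edea8f1dcb/resourcegroups/sentinel-test/providers/microsoft.operationalinsights/workspaces/cngfw-law`, which from its names looks like a developer test environment; shipping it in a solution template publishes an internal subscription ID and resource-group name, and anyone deploying the workbook may get a fallback pointing at a workspace they cannot read until they re-select a resource. Leave the array empty, `"fallbackResourceIds": [],`, and let the deployment supply the workspace, as the previous version (which carried no fallback at all) did. The hunk also drops the file's trailing newline (`\ No newline at end of file`); restore it so the next edit does not produce a spurious last-line change.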
--- a/Solutions/Azure Cloud NGFW by Palo Alto Networks/Workbooks/CloudNGFW-Overview.json +++ b/Solutions/Azure Cloud NGFW by Palo Alto Networks/Workbooks/CloudNGFW-Overview.json @@ -1,1370 +1,942 @@ { - "version": "Notebook/1.0", - "items": [ - { - "type": 1, - "content": { - "json": "
Azure CloudNGFW By Palo Alto Networks - Overview
" - }, - "name": "text - 0" + "version": "Notebook/1.0", + "items": [ + { + "type": 1, + "content": { + "json": "
Azure CloudNGFW By Palo Alto Networks - Overview
" }, - { - "type": 9, - "content": { - "version": "KqlParameterItem/1.0", - "query": "", - "crossComponentResources": [], - "parameters": [ - { - "id": "a5c18655-3e2d-4d12-8ba4-82e57b296581", - "version": "KqlParameterItem/1.0", - "name": "TimeRange", - "type": 4, - "isRequired": true, - "value": { - "durationMs": 2592000000 - }, - "typeSettings": { - "selectableValues": [ - { - "durationMs": 300000 - }, - { - "durationMs": 900000 - }, - { - "durationMs": 1800000 - }, - { - "durationMs": 3600000 - }, - { - "durationMs": 14400000 - }, - { - "durationMs": 43200000 - }, - { - "durationMs": 86400000 - }, - { - "durationMs": 172800000 - }, - { - "durationMs": 259200000 - }, - { - "durationMs": 604800000 - }, - { - "durationMs": 1209600000 - }, - { - "durationMs": 2419200000 - }, - { - "durationMs": 2592000000 - }, - { - "durationMs": 5184000000 - }, - { - "durationMs": 7776000000 - } - ], - "allowCustom": true - } + "name": "text - 0" + }, + { + "type": 9, + "content": { + "version": "KqlParameterItem/1.0", + "parameters": [ + { + "id": "a5c18655-3e2d-4d12-8ba4-82e57b296581", + "version": "KqlParameterItem/1.0", + "name": "TimeRange", + "type": 4, + "isRequired": true, + "value": { + "durationMs": 7776000000 }, - { - "id": "32f5a8aa-9c54-4fd1-a2b9-8461b2c57f55", - "version": "KqlParameterItem/1.0", - "name": "Source_IP", - "label": "Source IP", - "type": 2, - "isRequired": true, - "multiSelect": true, - "quote": "'", - "delimiter": ",", - "query": "fluentbit_CL\n| where isnotempty(FirewallName_s)\n| where ident_s in ('TRAFFIC', 'DECRYPTION', 'THREAT')\n| extend SourceIP = tostring(parse_json(Message).src_ip)\n| summarize Count = count()/1000 by SourceIP\n| where SourceIP != \"\"\n| order by Count desc, SourceIP asc\n| project Value = SourceIP, Label = strcat(SourceIP, \" - \", Count, \"k\"), Selected = false\n", - "value": [ - "value::all" - ], - "typeSettings": { - "additionalResourceOptions": [ - "value::all" - ], - "selectAllValue": "All" + "typeSettings": { + 
"selectableValues": [ + { + "durationMs": 300000 + }, + { + "durationMs": 900000 }, - "timeContext": { + { "durationMs": 1800000 }, - "queryType": 0, - "resourceType": "microsoft.operationalinsights/workspaces" - }, - { - "id": "b937ca33-bc62-4183-bc0f-9ad8306dc36a", - "version": "KqlParameterItem/1.0", - "name": "Destination_IP", - "label": "Destination IP", - "type": 2, - "isRequired": true, - "multiSelect": true, - "quote": "'", - "delimiter": ",", - "query": "fluentbit_CL\n| where isnotempty(FirewallName_s)\n| where ident_s in ('TRAFFIC', 'DECRYPTION', 'THREAT')\n| extend DestinationIP = case(ident_s == 'DECRYPTION', tostring(parse_json(Message).dst), tostring(parse_json(Message).dst_ip))\n| summarize Count = count()/1000 by DestinationIP\n| where DestinationIP != \"\"\n| order by Count desc, DestinationIP asc\n| project Value = DestinationIP, Label = strcat(DestinationIP, \" - \", Count, \"k\"), Selected = false", - "value": [ - "value::all" - ], - "typeSettings": { - "limitSelectTo": 10, - "additionalResourceOptions": [ - "value::all" - ], - "selectAllValue": "All" + { + "durationMs": 3600000 }, - "timeContext": { - "durationMs": 0 + { + "durationMs": 14400000 }, - "timeContextFromParameter": "TimeRange", - "queryType": 0, - "resourceType": "microsoft.operationalinsights/workspaces" - } - ], - "style": "pills", - "queryType": 0, - "resourceType": "microsoft.operationalinsights/workspaces" - }, - "name": "parameters - 5" - }, - { - "type": 9, - "content": { - "version": "KqlParameterItem/1.0", - "query": "", - "crossComponentResources": [], - "parameters": [ - { - "id": "7f28bae3-a11f-408a-832f-77a0f3e633d7", - "version": "KqlParameterItem/1.0", - "name": "EventClass", - "type": 2, - "isRequired": true, - "multiSelect": true, - "quote": "'", - "delimiter": ",", - "query": "fluentbit_CL\n| where isnotempty(FirewallName_s)\n| where ident_s == 'THREAT'\n| distinct threat_content_type", - "value": [ - "value::all" + { + "durationMs": 43200000 + }, + { + 
"durationMs": 86400000 + }, + { + "durationMs": 172800000 + }, + { + "durationMs": 259200000 + }, + { + "durationMs": 604800000 + }, + { + "durationMs": 1209600000 + }, + { + "durationMs": 2419200000 + }, + { + "durationMs": 2592000000 + }, + { + "durationMs": 5184000000 + }, + { + "durationMs": 7776000000 + } ], - "typeSettings": { - "additionalResourceOptions": [ - "value::all" - ], - "selectAllValue": "All" - }, - "timeContext": { - "durationMs": 0 - }, - "timeContextFromParameter": "TimeRange", - "queryType": 0, - "resourceType": "microsoft.operationalinsights/workspaces" + "allowCustom": true } - ], - "style": "pills", - "queryType": 0, - "resourceType": "microsoft.operationalinsights/workspaces" - }, - "name": "parameters - 35" - }, - { - "type": 3, - "content": { - "version": "KqlItem/1.0", - "query": "let data = fluentbit_CL\n| where isnotempty(FirewallName_s)\n| where \"{Destination_IP:lable}\"==\"All\" or Message.dst_ip in ({Destination_IP})\n| where \"{Source_IP:lable}\" == \"All\" or Message.src_ip in ({Source_IP})\n| where \"{EventClass:lable}\" == \"All\" or \"{EventClass:lable}\" == \"All\" or ident_s in ({EventClass});\ndata\n| summarize Count = count() by ident_s\n| join kind = inner (data\n | make-series Trend = count() default = 0 on TimeGenerated from {TimeRange:start} to {TimeRange:end} step {TimeRange:grain} by ident_s)\non ident_s\n| project-away ident_s1, TimeGenerated\n| extend Activities = ident_s\n| union (\ndata \n | summarize Count = count() \n | extend jkey = 1\n | join kind=inner (data\n | make-series Trend = count() default = 0 on TimeGenerated from {TimeRange:start} to {TimeRange:end} step {TimeRange:grain}\n | extend jkey = 1) on jkey\n | extend ident_s = 'All', Activities = '*' \n)\n| order by Count desc\n| take 10", - "size": 4, - "exportFieldName": "Activities", - "exportParameterName": "activities", - "exportDefaultValue": "All", - "exportToExcelOptions": "visible", - "title": "Activities, by volume", + }, + { + "id": 
"32f5a8aa-9c54-4fd1-a2b9-8461b2c57f55", + "version": "KqlParameterItem/1.0", + "name": "Source_IP", + "label": "Source IP", + "type": 2, + "isRequired": true, + "multiSelect": true, + "quote": "'", + "delimiter": ",", + "query": "fluentbit_CL\n| where isnotempty(FirewallName_s)\n| where ident_s in ('TRAFFIC', 'DECRYPTION', 'THREAT')\n| extend SourceIP = tostring(parse_json(Message).src_ip)\n| summarize Count = count()/1000 by SourceIP\n| where SourceIP != \"\"\n| order by Count desc, SourceIP asc\n| project Value = SourceIP, Label = strcat(SourceIP, \" - \", Count, \"k\"), Selected = false\n", + "value": [ + "value::all" + ], + "typeSettings": { + "additionalResourceOptions": [ + "value::all" + ], + "selectAllValue": "All" + }, "timeContext": { - "durationMs": 0 + "durationMs": 1800000 }, - "timeContextFromParameter": "TimeRange", "queryType": 0, - "resourceType": "microsoft.operationalinsights/workspaces", - "visualization": "tiles", - "gridSettings": { - "formatters": [ - { - "columnMatch": "Activities", - "formatter": 0, - "formatOptions": { - "showIcon": true - } - }, - { - "columnMatch": "Count", - "formatter": 8, - "formatOptions": { - "palette": "blueDark", - "showIcon": true - } - }, - { - "columnMatch": "Trend", - "formatter": 9, - "formatOptions": { - "palette": "lightBlue", - "showIcon": true - } - }, - { - "columnMatch": "Activities", - "formatter": 5, - "formatOptions": { - "showIcon": true - } - }, - { - "columnMatch": "jkey", - "formatter": 5, - "formatOptions": { - "showIcon": true - } - }, - { - "columnMatch": "TimeGenerated", - "formatter": 5, - "formatOptions": { - "showIcon": true - } - }, - { - "columnMatch": "jkey1", - "formatter": 5, - "formatOptions": { - "showIcon": true - } - } - ], - "labelSettings": [] + "resourceType": "microsoft.operationalinsights/workspaces" + }, + { + "id": "b937ca33-bc62-4183-bc0f-9ad8306dc36a", + "version": "KqlParameterItem/1.0", + "name": "Destination_IP", + "label": "Destination IP", + "type": 2, + 
"isRequired": true, + "multiSelect": true, + "quote": "'", + "delimiter": ",", + "query": "fluentbit_CL\n| where isnotempty(FirewallName_s)\n| where ident_s in ('TRAFFIC', 'DECRYPTION', 'THREAT')\n| extend DestinationIP = case(ident_s == 'DECRYPTION', tostring(parse_json(Message).dst), tostring(parse_json(Message).dst_ip))\n| summarize Count = count()/1000 by DestinationIP\n| where DestinationIP != \"\"\n| order by Count desc, DestinationIP asc\n| project Value = DestinationIP, Label = strcat(DestinationIP, \" - \", Count, \"k\"), Selected = false", + "value": [ + "value::all" + ], + "typeSettings": { + "limitSelectTo": 10, + "additionalResourceOptions": [ + "value::all" + ], + "selectAllValue": "All" }, - "tileSettings": { - "titleContent": { - "columnMatch": "Activities", - "formatter": 1, - "formatOptions": { - "showIcon": true - } - }, - "leftContent": { - "columnMatch": "Count", - "formatter": 12, - "formatOptions": { - "palette": "auto", - "showIcon": true - }, - "numberFormat": { - "unit": 17, - "options": { - "maximumSignificantDigits": 3, - "maximumFractionDigits": 2 - } - } - }, - "secondaryContent": { - "columnMatch": "Trend", - "formatter": 9, - "formatOptions": { - "showIcon": true - } - }, - "showBorder": false - } - }, - "name": "all activities" + "timeContext": { + "durationMs": 0 + }, + "timeContextFromParameter": "TimeRange", + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces" + } + ], + "style": "pills", + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces" }, - { - "type": 3, - "content": { - "version": "KqlItem/1.0", - "query": "fluentbit_CL\n| where isnotempty(FirewallName_s)\n| where \"{Destination_IP:lable}\"==\"All\" or Message.dst_ip in ({Destination_IP})\n| where \"{Source_IP:lable}\" == \"All\" or Message.src_ip in ({Source_IP})\n| where \"{EventClass:lable}\" == \"All\" or ident_s == '{EventClass}'\n| where '{activities}' == \"All\" or ident_s == '{activities}'\n| summarize 
LogVolume=count() by threat_content_type, bin_at(TimeGenerated, {TimeRange:grain}, {TimeRange:start})", - "size": 0, - "aggregation": 3, - "exportToExcelOptions": "visible", - "title": "Event trend, by time", + "name": "parameters - 5" + }, + { + "type": 9, + "content": { + "version": "KqlParameterItem/1.0", + "parameters": [ + { + "id": "7f28bae3-a11f-408a-832f-77a0f3e633d7", + "version": "KqlParameterItem/1.0", + "name": "EventClass", + "type": 2, + "isRequired": true, + "multiSelect": true, + "quote": "'", + "delimiter": ",", + "query": "fluentbit_CL\n| where isnotempty(FirewallName_s)\n| where ident_s == 'THREAT'\n| extend message = parse_json(Message)\n| where isnotempty(message.sub_type)\n| distinct tostring(message.sub_type)", + "typeSettings": { + "additionalResourceOptions": [ + "value::all" + ], + "selectAllValue": "All", + "showDefault": false + }, "timeContext": { - "durationMs": 0 + "durationMs": 0 }, "timeContextFromParameter": "TimeRange", "queryType": 0, "resourceType": "microsoft.operationalinsights/workspaces", - "visualization": "barchart", - "tileSettings": { - "showBorder": false, - "titleContent": { - "columnMatch": "threat_content_type", - "formatter": 1 - }, - "leftContent": { - "columnMatch": "LogVolume", - "formatter": 12, - "formatOptions": { - "palette": "auto" - }, - "numberFormat": { - "unit": 17, - "options": { - "maximumSignificantDigits": 3, - "maximumFractionDigits": 2 - } - } - } + "value": [ + "spyware", + "vulnerability" + ] + } + ], + "style": "pills", + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces" + }, + "name": "parameters - 35" + }, + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "let data = fluentbit_CL\n| where isnotempty(FirewallName_s)\n| where ident_s =~ 'THREAT'\n| extend message = parse_json(Message)\n| where \"{Destination_IP:label}\" == \"All\" or message.dst in ({Destination_IP})\n| where \"{Source_IP:label}\" == \"All\" or message.src_ip in ({Source_IP})\n| 
where \"{EventClass:label}\" == \"All\" or \"{EventClass:label}\" == \"All\" or message.sub_type in ({EventClass});\ndata\n| summarize Count = count() by tostring(message.sub_type)\n| join kind = inner (data\n | make-series Trend = count() default = 0 on TimeGenerated from {TimeRange:start} to {TimeRange:end} step {TimeRange:grain} by tostring(message.sub_type))\non message_sub_type\n| project-away message_sub_type1, TimeGenerated\n| extend Activities = message_sub_type\n| union (\ndata \n | summarize Count = count() \n | extend jkey = 1\n | join kind=inner (data\n | make-series Trend = count() default = 0 on TimeGenerated from {TimeRange:start} to {TimeRange:end} step {TimeRange:grain}\n | extend jkey = 1) on jkey\n | extend message_sub_type = 'All', Activities = 'Total' \n)\n| order by Count desc\n| take 10", + "size": 4, + "title": "Activities, by volume", + "timeContextFromParameter": "TimeRange", + "exportFieldName": "Activities", + "exportParameterName": "activities", + "exportDefaultValue": "All", + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces", + "visualization": "tiles", + "gridSettings": { + "formatters": [ + { + "columnMatch": "Count", + "formatter": 8, + "formatOptions": { + "palette": "blueDark", + "showIcon": true + } + }, + { + "columnMatch": "Trend", + "formatter": 9, + "formatOptions": { + "palette": "lightBlue", + "showIcon": true + } + }, + { + "columnMatch": "Activities", + "formatter": 5, + "formatOptions": { + "showIcon": true + } + }, + { + "columnMatch": "jkey", + "formatter": 5, + "formatOptions": { + "showIcon": true + } + }, + { + "columnMatch": "TimeGenerated", + "formatter": 5, + "formatOptions": { + "showIcon": true + } + }, + { + "columnMatch": "jkey1", + "formatter": 5, + "formatOptions": { + "showIcon": true + } } - }, - "customWidth": "50", - "name": "Event trend by time" + ] + }, + "tileSettings": { + "titleContent": { + "columnMatch": "Activities", + "formatter": 1, + "formatOptions": { + 
"showIcon": true + } + }, + "leftContent": { + "columnMatch": "Count", + "formatter": 12, + "formatOptions": { + "palette": "auto", + "showIcon": true + }, + "numberFormat": { + "unit": 17, + "options": { + "maximumSignificantDigits": 3, + "maximumFractionDigits": 2 + } + } + }, + "secondaryContent": { + "columnMatch": "Trend", + "formatter": 9, + "formatOptions": { + "showIcon": true + } + }, + "showBorder": false + } }, - { - "type": 3, - "content": { - "version": "KqlItem/1.0", - "query": "//trend by severity\r\nfluentbit_CL\r\n| where isnotempty(FirewallName_s)\r\n| where \"{Destination_IP:lable}\"==\"All\" or Message.dst_ip in ({Destination_IP}) \r\n| where \"{Source_IP:lable}\" == \"All\" or Message.src_ip in ({Source_IP})\r\n| where \"{EventClass:lable}\" == \"All\" or ident_s == 'THREAT' and Message.threat_content_type in ({EventClass})\r\n| where '{activities}' == \"All\" or ident_s == '{activities}'\r\n| summarize count() by bin_at(TimeGenerated, {TimeRange:grain},{TimeRange:start}), Message.severity\r\n", - "size": 0, - "exportToExcelOptions": "visible", - "title": "Events severity, by time", - "timeContext": { - "durationMs": 0 + "name": "all activities" + }, + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "fluentbit_CL\n| where isnotempty(FirewallName_s)\n| where ident_s =~ 'THREAT'\n| extend message = parse_json(Message)\n| where \"{Destination_IP:label}\"==\"All\" or message.dst in ({Destination_IP})\n| where \"{Source_IP:label}\" == \"All\" or message.src_ip in ({Source_IP})\n| where \"{EventClass}\" == \"All\" or message.sub_type in ({EventClass})\n| summarize LogVolume=count() by tostring(message.sub_type), bin_at(TimeGenerated, {TimeRange:grain}, {TimeRange:start})", + "size": 0, + "aggregation": 3, + "title": "Event trend, by time", + "timeContextFromParameter": "TimeRange", + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces", + "visualization": "barchart", + "tileSettings": { + "showBorder": 
false, + "titleContent": { + "columnMatch": "threat_content_type", + "formatter": 1 }, - "timeContextFromParameter": "TimeRange", - "queryType": 0, - "resourceType": "microsoft.operationalinsights/workspaces", - "visualization": "barchart", - "tileSettings": { - "showBorder": false, - "titleContent": { - "columnMatch": "Message.severity", - "formatter": 1 + "leftContent": { + "columnMatch": "LogVolume", + "formatter": 12, + "formatOptions": { + "palette": "auto" }, - "leftContent": { - "columnMatch": "count_", - "formatter": 12, - "formatOptions": { - "palette": "auto" - }, - "numberFormat": { - "unit": 17, - "options": { - "maximumSignificantDigits": 3, - "maximumFractionDigits": 2 - } + "numberFormat": { + "unit": 17, + "options": { + "maximumSignificantDigits": 3, + "maximumFractionDigits": 2 } } + } + } + }, + "customWidth": "50", + "name": "Event trend by time" + }, + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "//trend by severity\r\nfluentbit_CL\r\n| where isnotempty(FirewallName_s)\r\n| where ident_s =~ 'THREAT'\r\n| extend message = parse_json(Message)\r\n| where \"{Destination_IP:label}\"==\"All\" or message.dst in ({Destination_IP}) \r\n| where \"{Source_IP:label}\" == \"All\" or message.src_ip in ({Source_IP})\r\n| where \"{EventClass:lable}\" == \"All\" or ident_s == 'THREAT' and message.sub_type in ({EventClass})\r\n| where \"{EventClass}\" == \"All\" or message.sub_type in ({EventClass})\r\n| summarize count() by bin_at(TimeGenerated, {TimeRange:grain},{TimeRange:start}), tostring(message.severity)\r\n", + "size": 0, + "title": "Events severity, by time", + "timeContextFromParameter": "TimeRange", + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces", + "visualization": "barchart", + "tileSettings": { + "showBorder": false, + "titleContent": { + "columnMatch": "Message.severity", + "formatter": 1 }, - "graphSettings": { - "type": 0, - "topContent": { - "columnMatch": "Message.severity", - "formatter": 
1 + "leftContent": { + "columnMatch": "count_", + "formatter": 12, + "formatOptions": { + "palette": "auto" }, - "centerContent": { - "columnMatch": "count_", - "formatter": 1, - "numberFormat": { - "unit": 17, - "options": { - "maximumSignificantDigits": 3, - "maximumFractionDigits": 2 - } + "numberFormat": { + "unit": 17, + "options": { + "maximumSignificantDigits": 3, + "maximumFractionDigits": 2 } } } }, - "customWidth": "50", - "name": "Events severity over time" + "graphSettings": { + "type": 0, + "topContent": { + "columnMatch": "Message.severity", + "formatter": 1 + }, + "centerContent": { + "columnMatch": "count_", + "formatter": 1, + "numberFormat": { + "unit": 17, + "options": { + "maximumSignificantDigits": 3, + "maximumFractionDigits": 2 + } + } + } + } }, - { - "type": 1, - "content": { - "json": "---\r\n### Traffic events summary" - }, - "name": "text - 11" + "customWidth": "50", + "name": "Events severity over time" + }, + { + "type": 1, + "content": { + "json": "---\r\n### Traffic events summary" }, - - { - "type": 3, - "content": { - "version": "KqlItem/1.0", - "query": "let data = fluentbit_CL\r\n| where isnotempty(FirewallName_s)\r\n| where \"{Destination_IP:lable}\"==\"All\" or Message.dst_ip in ({Destination_IP}) \r\n| where \"{Source_IP:lable}\" == \"All\" or Message.src_ip in ({Source_IP})\r\n| where ident_s =~ \"THREAT\";\r\ndata\r\n| summarize Count = count() by threat_content_type\r\n| join kind = inner (data\r\n | make-series Trend = count() default = 0 on TimeGenerated from {TimeRange:start} to {TimeRange:end} step {TimeRange:grain} by threat_content_type)\r\n on threat_content_type\r\n| project-away threat_content_type1, TimeGenerated\r\n| extend threat_content_types = threat_content_type\r\n| union (\r\n data \r\n | summarize Count = count() \r\n | extend jkey = 1\r\n | join kind=inner (data\r\n | make-series Trend = count() default = 0 on TimeGenerated from {TimeRange:start} to {TimeRange:end} step {TimeRange:grain}\r\n | extend jkey 
= 1) on jkey\r\n | extend threat_content_type = 'All', threat_content_types = '*' \r\n)\r\n| order by Count desc\r\n| take 10", - "size": 4, - "exportFieldName": "threat_content_type", - "exportParameterName": "EventClass", - "exportDefaultValue": "All", - "exportToExcelOptions": "visible", - "title": "Threat event type summary - click to filter the graph below", - "timeContext": { - "durationMs": 0 + "name": "text - 11" + }, + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "let data = fluentbit_CL\r\n| where isnotempty(FirewallName_s)\r\n| where ident_s =~ 'THREAT'\r\n| extend message = parse_json(Message)\r\n| where \"{Destination_IP:label}\" == \"All\" or message.dst in ({Destination_IP}) \r\n| where \"{Source_IP:label}\" == \"All\" or message.src_ip in ({Source_IP});\r\ndata\r\n| summarize Count = count() by tostring(message.sub_type)\r\n| join kind = inner (data\r\n| make-series Trend = count() default = 0 on TimeGenerated from {TimeRange:start} to {TimeRange:end} step {TimeRange:grain} by tostring(message.sub_type))\r\n on message_sub_type\r\n| project-away message_sub_type1, TimeGenerated\r\n| extend message_sub_types = message_sub_type\r\n| union (\r\n data \r\n | summarize Count = count() \r\n | extend jkey = 1\r\n | join kind=inner (data\r\n | make-series Trend = count() default = 0 on TimeGenerated from {TimeRange:start} to {TimeRange:end} step {TimeRange:grain}\r\n | extend jkey = 1) on jkey\r\n | extend message_sub_type = 'All', message_sub_types = 'Total' \r\n)\r\n| order by Count desc\r\n| take 10", + "size": 4, + "title": "Threat event type summary", + "timeContextFromParameter": "TimeRange", + "exportFieldName": "message_sub_type", + "exportParameterName": "EventClass", + "exportDefaultValue": "All", + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces", + "visualization": "tiles", + "tileSettings": { + "titleContent": { + "columnMatch": "message_sub_type", + "formatter": 1, + "formatOptions": { + 
"showIcon": true + } }, - "timeContextFromParameter": "TimeRange", - "queryType": 0, - "resourceType": "microsoft.operationalinsights/workspaces", - "visualization": "tiles", - "tileSettings": { - "titleContent": { - "columnMatch": "threat_content_type", - "formatter": 1, - "formatOptions": { - "showIcon": true - } + "leftContent": { + "columnMatch": "Count", + "formatter": 12, + "formatOptions": { + "palette": "auto", + "showIcon": true }, - "leftContent": { + "numberFormat": { + "unit": 17, + "options": { + "style": "decimal", + "maximumFractionDigits": 2, + "maximumSignificantDigits": 3 + } + } + }, + "secondaryContent": { + "columnMatch": "Trend", + "formatter": 9, + "formatOptions": { + "showIcon": true + } + }, + "showBorder": false + } + }, + "customWidth": "100", + "name": "Threat event summary" + }, + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "let data = fluentbit_CL\r\n| where isnotempty(FirewallName_s)\r\n| extend message = parse_json(Message)\r\n| where \"{Destination_IP:label}\" == \"All\" or message.dst in ({Destination_IP}) \r\n| where \"{Source_IP:label}\" == \"All\" or message.src_ip in ({Source_IP});\r\ndata\r\n| summarize Count = count() by tostring(message.action)\r\n| join kind = inner (data\r\n| make-series Trend = count() default = 0 on TimeGenerated from {TimeRange:start} to {TimeRange:end} step {TimeRange:grain} by tostring(message.action))\r\n on message_action\r\n| project-away message_action1, TimeGenerated\r\n| extend message_actions = message_action\r\n| union (\r\n data \r\n | summarize Count = count() \r\n | extend jkey = 1\r\n | join kind=inner (data\r\n | make-series Trend = count() default = 0 on TimeGenerated from {TimeRange:start} to {TimeRange:end} step {TimeRange:grain}\r\n | extend jkey = 1) on jkey\r\n | extend message_action = 'All', message_actions = '*' \r\n)\r\n| order by Count desc\r\n| take 10", + "size": 4, + "title": "Traffic action summary", + "timeContextFromParameter": "TimeRange", + 
"queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces", + "visualization": "tiles", + "gridSettings": { + "formatters": [ + { "columnMatch": "Count", - "formatter": 12, + "formatter": 3, "formatOptions": { - "palette": "auto", + "palette": "blueDark", "showIcon": true - }, - "numberFormat": { - "unit": 17, - "options": { - "style": "decimal", - "maximumFractionDigits": 2, - "maximumSignificantDigits": 3 - } } }, - "secondaryContent": { + { "columnMatch": "Trend", "formatter": 9, "formatOptions": { + "palette": "blueDark", "showIcon": true } }, - "showBorder": false - } - }, - "customWidth": "50", - "name": "Threat event summary" - }, - { - "type": 3, - "content": { - "version": "KqlItem/1.0", - "query": "let data = fluentbit_CL\r\n| where isnotempty(FirewallName_s)\r\n| where \"{Destination_IP:lable}\"==\"All\" or Message.dst_ip in ({Destination_IP}) \r\n| where \"{Source_IP:lable}\" == \"All\" or Message.src_ip in ({Source_IP})\r\n| where ident_s =~ \"TRAFFIC\";\r\ndata\r\n| summarize Count = count() by Message.action\r\n| join kind = inner (data\r\n | make-series Trend = count() default = 0 on TimeGenerated from {TimeRange:start} to {TimeRange:end} step {TimeRange:grain} by Message.action)\r\n on Message.action\r\n| project-away Message.action1, TimeGenerated\r\n| extend Message.action = Message.action\r\n| union (\r\n data \r\n | summarize Count = count() \r\n | extend jkey = 1\r\n | join kind=inner (data\r\n | make-series Trend = count() default = 0 on TimeGenerated from {TimeRange:start} to {TimeRange:end} step {TimeRange:grain}\r\n | extend jkey = 1) on jkey\r\n | extend Message.action = 'All', Message.actions = '*' \r\n)\r\n| order by Count desc\r\n| take 10", - "size": 4, - "exportFieldName": "Message.action", - "exportParameterName": "Message.action", - "exportDefaultValue": "All", - "exportToExcelOptions": "visible", - "title": "Traffic action summary - click to filter the graph below", - "timeContext": { - "durationMs": 0 - }, - 
"timeContextFromParameter": "TimeRange", - "queryType": 0, - "resourceType": "microsoft.operationalinsights/workspaces", - "visualization": "tiles", - "gridSettings": { - "formatters": [ - { - "columnMatch": "Message.action", - "formatter": 0, - "formatOptions": { - "showIcon": true - } - }, - { - "columnMatch": "Count", - "formatter": 3, - "formatOptions": { - "palette": "blueDark", - "showIcon": true - } - }, - { - "columnMatch": "Trend", - "formatter": 9, - "formatOptions": { - "palette": "blueDark", - "showIcon": true - } - }, - { - "columnMatch": "jkey", - "formatter": 5, - "formatOptions": { - "showIcon": true - } - }, - { - "columnMatch": "TimeGenerated", - "formatter": 5, - "formatOptions": { - "showIcon": true - } - }, - { - "columnMatch": "jkey1", - "formatter": 5, - "formatOptions": { - "showIcon": true - } - }, - { - "columnMatch": "Message.actions", - "formatter": 5, - "formatOptions": { - "showIcon": true - } - } - ], - "labelSettings": [] - }, - "tileSettings": { - "titleContent": { - "columnMatch": "Message.action", - "formatter": 1, + { + "columnMatch": "jkey", + "formatter": 5, "formatOptions": { "showIcon": true } }, - "leftContent": { - "columnMatch": "Count", - "formatter": 12, + { + "columnMatch": "TimeGenerated", + "formatter": 5, "formatOptions": { - "palette": "auto", "showIcon": true - }, - "numberFormat": { - "unit": 17, - "options": { - "maximumSignificantDigits": 3, - "maximumFractionDigits": 2 - } } }, - "secondaryContent": { - "columnMatch": "Trend", - "formatter": 9, + { + "columnMatch": "jkey1", + "formatter": 5, "formatOptions": { "showIcon": true } }, - "showBorder": false - } + { + "columnMatch": "message_actions", + "formatter": 5, + "formatOptions": { + "showIcon": true + } + } + ] }, - "customWidth": "33", - "name": "Traffic activity summary" - }, - - { - "type": 3, - "content": { - "version": "KqlItem/1.0", - "query": "fluentbit_CL\n| where isnotempty(FirewallName_s)\n| where \"{Destination_IP:lable}\"==\"All\" or 
Message.dst_ip in ({Destination_IP}) \n| where \"{Source_IP:lable}\" == \"All\" or Message.src_ip in ({Source_IP})\n| where '{DeviceAction}' == \"All\" or Message.action=='{DeviceAction}'\n| where ident_s =~ \"TRAFFIC\"\n| summarize EventCount= count() by Message.threat_content_type, bin_at(TimeGenerated, {TimeRange:grain}, {TimeRange:start})", - "size": 0, - "exportToExcelOptions": "visible", - "title": "Traffic class ID by time", - "timeContext": { - "durationMs": 0 + "tileSettings": { + "titleContent": { + "columnMatch": "message_action", + "formatter": 1 + }, + "leftContent": { + "columnMatch": "Count", + "formatter": 12, + "formatOptions": { + "palette": "auto" }, - "timeContextFromParameter": "TimeRange", - "queryType": 0, - "resourceType": "microsoft.operationalinsights/workspaces", - "visualization": "barchart" - }, - "customWidth": "50", - "name": "Traffic class ID by time" + "numberFormat": { + "unit": 17, + "options": { + "maximumSignificantDigits": 3, + "maximumFractionDigits": 2 + } + } + }, + "secondaryContent": { + "columnMatch": "Trend", + "formatter": 9 + }, + "showBorder": false, + "size": "auto" + } }, - { - "type": 3, - "content": { - "version": "KqlItem/1.0", - "query": "fluentbit_CL\n| where isnotempty(FirewallName_s)\n| where \"{Destination_IP:lable}\"==\"All\" or Message.dst_ip in ({Destination_IP}) \n| where \"{Source_IP:lable}\" == \"All\" or Message.src_ip in ({Source_IP})\n| where ident_s == 'TRAFFIC' \n| extend Reason = coalesce(\r\n column_ifexists(\"session_end_reason\", \"\"),\r\n extract(';reason=(.*?);',1,Message),\r\n \"\"\r\n )\n| summarize ReasonCount= count() by Reason, TimeGenerated \n", - "size": 0, - "exportToExcelOptions": "visible", - "title": "Reasons for session ending, by time", + "customWidth": "100", + "name": "Traffic activity summary" + }, + { + "type": 9, + "content": { + "version": "KqlParameterItem/1.0", + "parameters": [ + { + "id": "e25d603d-5f93-4330-a519-1781a9d36eb0", + "version": "KqlParameterItem/1.0", + 
"name": "DeviceAction", + "type": 2, + "isRequired": true, + "multiSelect": true, + "quote": "'", + "delimiter": ",", + "query": "fluentbit_CL\n| where isnotempty(FirewallName_s)\n| extend message = parse_json(Message)\n| where isnotempty(message.sub_type)\n| distinct tostring(message.action)", + "typeSettings": { + "additionalResourceOptions": [ + "value::all" + ], + "selectAllValue": "All", + "showDefault": false + }, "timeContext": { - "durationMs": 0 + "durationMs": 0 }, "timeContextFromParameter": "TimeRange", "queryType": 0, "resourceType": "microsoft.operationalinsights/workspaces", - "visualization": "timechart" - }, - "customWidth": "50", - "name": "Reasons for session ending" + "value": [ + "value::all" + ] + } + ], + "style": "pills", + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces" }, - - { - "type": 3, - "content": { - "version": "KqlItem/1.0", - "query": "// Data sent outbound vs inbound\r\nfluentbit_CL\r\n| where isnotempty(FirewallName_s)\r\n| where \"{Destination_IP:lable}\"==\"All\" or Message.dst_ip in ({Destination_IP}) \r\n| where \"{Source_IP:lable}\" == \"All\" or Message.src_ip in ({Source_IP})\r\n| where ident_s =~ 'TRAFFIC'\r\n| extend Direction=iff(Message.rule=~'Trust','Outbound' ,'Inbound' )\r\n| summarize DataSentOutBoundMB=sumif(todouble(Message.bytes_sent), Direction=~'Outbound')/1048576, DataRecievedInboundMB=sumif(todouble(Message.bytes_recv), Direction=~'Inbound')/1048576 by TimeGenerated\r\n", - "size": 0, - "exportToExcelOptions": "visible", - "title": "Sent and received data, by volume", - "timeContext": { - "durationMs": 0 - }, - "timeContextFromParameter": "TimeRange", - "queryType": 0, - "resourceType": "microsoft.operationalinsights/workspaces", - "visualization": "timechart" - }, - "customWidth": "50", - "name": "Sent and received data by volume" + "name": "parameters - 35 - Copy" + }, + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "fluentbit_CL\n| where 
isnotempty(FirewallName_s)\n| where ident_s =~ \"THREAT\"\n| extend message = parse_json(Message)\n| where isempty(message.url_idx)\n| where \"{Destination_IP:label}\"==\"All\" or message.dst in ({Destination_IP}) \n| where \"{Source_IP:label}\" == \"All\" or message.src_ip in ({Source_IP})\n| where \"{DeviceAction:label}\" == \"All\" or message.action in ({DeviceAction})\n| summarize EventCount= count() by tostring(message.threat_category), bin_at(TimeGenerated, {TimeRange:grain}, {TimeRange:start})", + "size": 0, + "title": "Threat category by time", + "timeContextFromParameter": "TimeRange", + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces", + "visualization": "barchart" }, - { - "type": 1, - "content": { - "json": "---\r\n## Web filter" - }, - "name": "text - 12" + "customWidth": "100", + "name": "Threat category by time" + }, + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "fluentbit_CL\r\n| where isnotempty(FirewallName_s)\r\n| where ident_s =~ 'TRAFFIC'\r\n| extend message = parse_json(Message)\r\n| where \"{Destination_IP:label}\"==\"All\" or message.dst in ({Destination_IP}) \r\n| where \"{Source_IP:label}\" == \"All\" or message.src_ip in ({Source_IP})\r\n| summarize DataSentMB=sum(todouble(message.bytes_sent)/1048576), DataRecievedMB=sum(todouble(message.bytes_recv)/1048576) by TimeGenerated\r\n", + "size": 0, + "title": "Sent and received data, by volume", + "timeContextFromParameter": "TimeRange", + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces", + "visualization": "timechart", + "graphSettings": { + "type": 0 + } }, - { - "type": 3, - "content": { - "version": "KqlItem/1.0", - "query": "fluentbit_CL\r\n| where isnotempty(FirewallName_s)\r\n| where \"{Destination_IP:lable}\"==\"All\" or Message.dst_ip in ({Destination_IP}) \r\n| where \"{Source_IP:lable}\" == \"All\" or Message.src_ip in ({Source_IP})\r\n| where ident_s == 'THREAT'\r\n| where Message.threat_content_type 
=~ 'url'\r\n| where Message.action contains 'block'\r\n| summarize ProtocolCount=count() by Message.proto\r\n| top 5 by ProtocolCount desc\r\n", - "size": 0, - "exportToExcelOptions": "visible", - "title": "Top 5 blocked URLs, by application protocol", - "timeContext": { - "durationMs": 0 - }, - "timeContextFromParameter": "TimeRange", - "queryType": 0, - "resourceType": "microsoft.operationalinsights/workspaces", - "gridSettings": { - "formatters": [ - { - "columnMatch": "Message.proto", - "formatter": 0, - "formatOptions": { - "showIcon": true - } - }, - { - "columnMatch": "ProtocolCount", - "formatter": 4, - "formatOptions": { - "min": 0, - "palette": "purple", - "showIcon": true - } + "customWidth": "100", + "name": "Sent and received data by volume" + }, + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "fluentbit_CL\n| where isnotempty(FirewallName_s)\n| where ident_s =~ \"TRAFFIC\"\n| extend message = parse_json(Message)\n| where \"{Destination_IP:label}\" == \"All\" or message.dst in ({Destination_IP}) \n| where \"{Source_IP:label}\" == \"All\" or message.src_ip in ({Source_IP})\n| extend Reason = coalesce(tostring(message.session_end_reason), \"Unknown\")\n| summarize ReasonCount = count() by Reason, bin(TimeGenerated, 1h)\n", + "size": 0, + "title": "Reasons for session ending, by time", + "timeContextFromParameter": "TimeRange", + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces", + "visualization": "timechart" + }, + "customWidth": "100", + "name": "Reasons for session ending" + }, + { + "type": 1, + "content": { + "json": "---\r\n## Web filter" + }, + "name": "text - 12" + }, + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "fluentbit_CL\r\n| where isnotempty(FirewallName_s)\r\n| where ident_s == 'THREAT'\r\n| extend message = parse_json(Message)\r\n| where \"{Destination_IP:label}\"==\"All\" or message.dst in ({Destination_IP}) \r\n| where \"{Source_IP:label}\" == \"All\" or 
message.src_ip in ({Source_IP})\r\n| where isnotempty(message.url_category_list)\r\n| where message.action contains 'block'\r\n| summarize Count=count() by tostring(message.url_filename), tostring(message.proto) \r\n| top 5 by Count desc\r\n", + "size": 0, + "title": "Top 5 blocked URLs, by application protocol", + "timeContextFromParameter": "TimeRange", + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces", + "gridSettings": { + "formatters": [ + { + "columnMatch": "ProtocolCount", + "formatter": 4, + "formatOptions": { + "min": 0, + "palette": "purple", + "showIcon": true } - ], - "labelSettings": [] - } - }, - "customWidth": "25", - "name": "Top 5 blocked URLs by application protocol" + } + ] + } }, - { - "type": 3, - "content": { - "version": "KqlItem/1.0", - "query": "fluentbit_CL\n| where isnotempty(FirewallName_s)\n| where \"{Destination_IP:lable}\"==\"All\" or Message.dst_ip in ({Destination_IP}) \n| where \"{Source_IP:lable}\" == \"All\" or Message.src_ip in ({Source_IP})\n| where ident_s == 'THREAT'\n| where Message.threat_content_type =~ 'url'\n| where Message.action in ('block-url', 'block-continue')\n| summarize CategoryCount=count() by Message.category\n| project-rename CategoryName= Message.category\n| top 5 by CategoryCount\n", - "size": 0, - "exportToExcelOptions": "visible", - "title": "Top 5 URL blocked, by category", - "timeContext": { - "durationMs": 0 - }, - "timeContextFromParameter": "TimeRange", - "queryType": 0, - "resourceType": "microsoft.operationalinsights/workspaces", - "gridSettings": { - "formatters": [ - { - "columnMatch": "CategoryName", - "formatter": 0, - "formatOptions": { - "showIcon": true - } - }, - { - "columnMatch": "CategoryCount", - "formatter": 4, - "formatOptions": { - "palette": "coldHot", - "showIcon": true - } + "customWidth": "33", + "name": "Top 5 blocked URLs by application protocol" + }, + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "fluentbit_CL\n| where 
isnotempty(FirewallName_s)\n| where ident_s == 'THREAT'\n| extend message = parse_json(Message)\n| where \"{Destination_IP:label}\"==\"All\" or message.dst in ({Destination_IP}) \n| where \"{Source_IP:label}\" == \"All\" or message.src_ip in ({Source_IP})\n| where isnotempty(message.url_category_list)\n| where message.action in ('block-url', 'block-continue')\n| summarize Count=count() by tostring(message.url_filename), tostring(message.url_category_list)\n| project-rename CategoryName= message_url_category_list\n| top 5 by Count\n", + "size": 0, + "title": "Top 5 URL blocked, by category", + "timeContextFromParameter": "TimeRange", + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces", + "gridSettings": { + "formatters": [ + { + "columnMatch": "CategoryCount", + "formatter": 4, + "formatOptions": { + "palette": "coldHot", + "showIcon": true } - ], - "labelSettings": [] - } - }, - "customWidth": "25", - "name": "Top 5 URL blocked by category" + } + ] + } }, - { - "type": 3, - "content": { - "version": "KqlItem/1.0", - "query": "fluentbit_CL\n| where isnotempty(FirewallName_s)\n| where \"{Destination_IP:lable}\"==\"All\" or Message.dst_ip in ({Destination_IP}) \n| where \"{Source_IP:lable}\" == \"All\" or Message.src_ip in ({Source_IP})\n| where ident_s == 'THREAT'\n| where Message.threat_content_type == 'url'\n| where Message.action in ('block-url', 'block-continue')\n| summarize URLCount=count() by tostring(Message.RequestURL)\n| top 5 by URLCount desc\n", - "size": 0, - "exportToExcelOptions": "visible", - "title": "Top 5 blocked URLs", - "timeContext": { - "durationMs": 0 - }, - "timeContextFromParameter": "TimeRange", - "queryType": 0, - "resourceType": "microsoft.operationalinsights/workspaces" - }, - "customWidth": "25", - "name": "Top 5 blocked URLs" + "customWidth": "33", + "name": "Top 5 URL blocked by category" + }, + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "fluentbit_CL\n| where 
isnotempty(FirewallName_s)\n| where ident_s == 'THREAT'\n| extend message = parse_json(Message)\n| where \"{Destination_IP:label}\"==\"All\" or message.dst in ({Destination_IP}) \n| where \"{Source_IP:label}\" == \"All\" or message.src_ip in ({Source_IP})\n| where isnotempty(message.url_category_list)\n| where message.action in ('block-url', 'block-continue')\n| summarize Count=count() by tostring(message.url_filename)\n| top 5 by Count desc\n", + "size": 0, + "title": "Top 5 blocked URLs", + "timeContextFromParameter": "TimeRange", + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces" }, - { - "type": 3, - "content": { - "version": "KqlItem/1.0", - "query": "fluentbit_CL\n| where isnotempty(FirewallName_s)\n| where \"{Destination_IP:lable}\"==\"All\" or Message.dst_ip in ({Destination_IP}) \n| where \"{Source_IP:lable}\" == \"All\" or Message.src_ip in ({Source_IP})\n| where ident_s == 'THREAT'\n| where Message.threat_content_type =~ 'url'\n| summarize ProtocolCount=count() by tostring(Message.proto)\n| top 5 by ProtocolCount desc", - "size": 0, - "exportToExcelOptions": "visible", - "title": "Top 5 URLs, by application protocols", - "timeContext": { - "durationMs": 0 - }, - "timeContextFromParameter": "TimeRange", - "queryType": 0, - "resourceType": "microsoft.operationalinsights/workspaces", - "gridSettings": { - "formatters": [ - { - "columnMatch": "Message.proto", - "formatter": 0, - "formatOptions": { - "showIcon": true - } - }, - { - "columnMatch": "ProtocolCount", - "formatter": 4, - "formatOptions": { - "palette": "coldHot", - "showIcon": true - } + "customWidth": "33", + "name": "Top 5 blocked URLs" + }, + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "fluentbit_CL\n| where isnotempty(FirewallName_s)\n| where ident_s == 'THREAT'\n| extend message = parse_json(Message)\n| where \"{Destination_IP:label}\"==\"All\" or message.dst in ({Destination_IP}) \n| where \"{Source_IP:label}\" == \"All\" or message.src_ip 
in ({Source_IP})\n| where isnotempty(message.url_category_list)\n| summarize Count=count() by tostring(message.url_filename), tostring(message.proto)\n| top 5 by Count desc", + "size": 0, + "title": "Top 5 URLs, by application protocols", + "timeContextFromParameter": "TimeRange", + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces", + "gridSettings": { + "formatters": [ + { + "columnMatch": "ProtocolCount", + "formatter": 4, + "formatOptions": { + "palette": "coldHot", + "showIcon": true } - ], - "labelSettings": [] - } - }, - "customWidth": "25", - "name": "Top 5 URLs by application protocols" - }, - { - "type": 3, - "content": { - "version": "KqlItem/1.0", - "query": "fluentbit_CL\n| where isnotempty(FirewallName_s)\n| where \"{Destination_IP:lable}\" == \"All\" or Message.dst_ip in ({Destination_IP})\n| where \"{Source_IP:lable}\" == \"All\" or Message.src_ip in ({Source_IP})\n| where ident_s == 'THREAT'\n| where Message.threat_content_type == 'url'\n| where Message.action in ('alert', 'continue')\n| summarize URLCount=count() by tostring(Message.RequestURL)\n| top 5 by URLCount desc\n", - "size": 0, - "exportToExcelOptions": "visible", - "title": "Top 5 allowed URLs", - "timeContext": { - "durationMs": 0 - }, - "timeContextFromParameter": "TimeRange", - "queryType": 0, - "resourceType": "microsoft.operationalinsights/workspaces", - "gridSettings": { - "formatters": [ - { - "columnMatch": "RequestURL", - "formatter": 0, - "formatOptions": { - "showIcon": true - } - }, - { - "columnMatch": "URLCount", - "formatter": 4, - "formatOptions": { - "palette": "coldHot", - "showIcon": true - } - } - ], - "labelSettings": [] } - }, - "customWidth": "25", - "name": "Top 5 allowed URLs" + ] + } }, - { - "type": 3, - "content": { - "version": "KqlItem/1.0", - "query": "fluentbit_CL\n| where isnotempty(FirewallName_s)\n| where \"{Destination_IP:lable}\"==\"All\" or Message.dst_ip in ({Destination_IP}) \n| where \"{Source_IP:lable}\" == \"All\" or 
Message.src_ip in ({Source_IP})\n| where ident_s == 'THREAT'\n| where Message.threat_content_type == 'url'\n| summarize ActionCount=count() by Message.action\r\n", - "size": 0, - "exportToExcelOptions": "visible", - "title": "URL threat event summary", - "timeContext": { - "durationMs": 0 - }, - "timeContextFromParameter": "TimeRange", - "queryType": 0, - "resourceType": "microsoft.operationalinsights/workspaces", - "gridSettings": { - "formatters": [ - { - "columnMatch": "Message.action", - "formatter": 0, - "formatOptions": { - "showIcon": true - } - }, - { - "columnMatch": "ActionCount", - "formatter": 4, - "formatOptions": { - "palette": "coldHot", - "showIcon": true - } + "customWidth": "50", + "name": "Top 5 URLs by application protocols" + }, + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "fluentbit_CL\n| where isnotempty(FirewallName_s)\n| where ident_s == 'THREAT'\n| extend message = parse_json(Message)\n| where \"{Destination_IP:label}\" == \"All\" or message.dst in ({Destination_IP})\n| where \"{Source_IP:label}\" == \"All\" or message.src_ip in ({Source_IP})\n| where isnotempty(message.url_category_list)\n| where message.action in ('alert', 'continue')\n| summarize Count=count() by tostring(message.url_filename)\n| top 5 by Count desc\n", + "size": 0, + "title": "Top 5 allowed URLs", + "timeContextFromParameter": "TimeRange", + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces", + "gridSettings": { + "formatters": [ + { + "columnMatch": "URLCount", + "formatter": 4, + "formatOptions": { + "palette": "coldHot", + "showIcon": true } - ], - "labelSettings": [] - } - }, - "customWidth": "25", - "name": "URL threat event summary" + } + ] + } }, - { - "type": 3, - "content": { - "version": "KqlItem/1.0", - "query": "fluentbit_CL\n| where isnotempty(FirewallName_s)\n| where \"{Destination_IP:lable}\"==\"All\" or Message.dst_ip in ({Destination_IP}) \n| where \"{Source_IP:lable}\" == \"All\" or Message.src_ip in 
({Source_IP})\n| where ident_s == 'THREAT'\n| where Message.threat_content_type =~ 'url'\n| where Message.action in ('alert', 'continue')\n| summarize CategoryCount=count() by Message.category\n| project-rename CategoryName= Message.category\n| top 5 by CategoryCount desc\n", - "size": 0, - "exportToExcelOptions": "visible", - "title": "Top 5 allowed URLs, by category", - "timeContext": { - "durationMs": 0 - }, - "timeContextFromParameter": "TimeRange", - "queryType": 0, - "resourceType": "microsoft.operationalinsights/workspaces", - "gridSettings": { - "formatters": [ - { - "columnMatch": "CategoryName", - "formatter": 0, - "formatOptions": { - "showIcon": true - } - }, - { - "columnMatch": "CategoryCount", - "formatter": 4, - "formatOptions": { - "palette": "coldHot", - "showIcon": true - } + "customWidth": "50", + "name": "Top 5 allowed URLs" + }, + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "fluentbit_CL\n| where isnotempty(FirewallName_s)\n| where ident_s == 'THREAT'\n| extend message = parse_json(Message)\n| where \"{Destination_IP:label}\"==\"All\" or message.dst in ({Destination_IP}) \n| where \"{Source_IP:label}\" == \"All\" or message.src_ip in ({Source_IP})\n| where isnotempty(message.url_category_list)\n| where message.action in ('alert', 'continue')\n| summarize Count=count() by tostring(message.url_filename), tostring(message.url_category_list)\n| project-rename CategoryName= message_url_category_list\n| top 5 by Count desc\n", + "size": 0, + "title": "Top 5 allowed URLs, by category", + "timeContextFromParameter": "TimeRange", + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces", + "gridSettings": { + "formatters": [ + { + "columnMatch": "CategoryCount", + "formatter": 4, + "formatOptions": { + "palette": "coldHot", + "showIcon": true } - ], - "labelSettings": [] - } - }, - "customWidth": "25", - "name": "Top 5 allowed URLs, by category" + } + ] + } }, - { - "type": 3, - "content": { - "version": 
"KqlItem/1.0", - "query": "fluentbit_CL\n| where isnotempty(FirewallName_s)\n| where \"{Destination_IP:lable}\"==\"All\" or Message.dst_ip in ({Destination_IP}) \n| where \"{Source_IP:lable}\" == \"All\" or Message.src_ip in ({Source_IP})\n| where ident_s == 'THREAT'\n| where Message.threat_content_type =~ 'url'\n| where Message.action !contains 'block'\n| summarize ProtocolCount=count() by Message.proto\n| top 5 by ProtocolCount desc", - "size": 0, - "exportToExcelOptions": "visible", - "title": "Top 5 allowed URLs, by application protocol", - "timeContext": { - "durationMs": 0 - }, - "timeContextFromParameter": "TimeRange", - "queryType": 0, - "resourceType": "microsoft.operationalinsights/workspaces", - "visualization": "table", - "gridSettings": { - "formatters": [ - { - "columnMatch": "Message.proto", - "formatter": 0, - "formatOptions": { - "showIcon": true - } - }, - { - "columnMatch": "ProtocolCount", - "formatter": 4, - "formatOptions": { - "palette": "coldHot", - "showIcon": true - } - } - ], - "labelSettings": [] - } - }, - "customWidth": "33", - "name": "Top 5 allowed URLs by application protocol" + "customWidth": "33", + "name": "Top 5 allowed URLs, by category" }, { - "type": 3, - "content": { - "version": "KqlItem/1.0", - "query": "fluentbit_CL\n| where isnotempty(FirewallName_s)\n| where \"{Destination_IP:lable}\"==\"All\" or Message.dst_ip in ({Destination_IP}) \n| where \"{Source_IP:lable}\" == \"All\" or Message.src_ip in ({Source_IP})\n| where ident_s == 'THREAT'\n| where Message.threat_content_type =~ 'url'\n| where Message.action !contains 'block'\n| summarize ProtocolCount=count() by Message.proto\n| top 5 by ProtocolCount desc", - "size": 0, - "exportToExcelOptions": "visible", - "title": "Top 5 allowed URLs, by application protocol", - "timeContext": { - "durationMs": 0 - }, - "timeContextFromParameter": "TimeRange", - "queryType": 0, - "resourceType": "microsoft.operationalinsights/workspaces", - "visualization": "table", - "gridSettings": 
{ - "formatters": [ - { - "columnMatch": "Message.proto", - "formatter": 0, - "formatOptions": { - "showIcon": true - } - }, - { - "columnMatch": "ProtocolCount", - "formatter": 4, - "formatOptions": { - "palette": "coldHot", - "showIcon": true - } + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "fluentbit_CL\n| where isnotempty(FirewallName_s)\n| where ident_s == 'THREAT'\n| extend message = parse_json(Message)\n| where \"{Destination_IP:label}\"==\"All\" or message.dst in ({Destination_IP}) \n| where \"{Source_IP:label}\" == \"All\" or message.src_ip in ({Source_IP})\n| where isnotempty(message.url_category_list)\n| summarize ActionCount=count() by tostring(message.action)\n", + "size": 0, + "title": "URL threat event summary", + "timeContextFromParameter": "TimeRange", + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces", + "visualization": "table", + "gridSettings": { + "formatters": [ + { + "columnMatch": "ActionCount", + "formatter": 4, + "formatOptions": { + "palette": "coldHot", + "showIcon": true } - ], - "labelSettings": [] - } + } + ] }, - "customWidth": "33", - "name": "Top 5 allowed URLs by application protocol" - }, - { - "type": 3, - "content": { - "version": "KqlItem/1.0", - "query": "fluentbit_CL\n| where isnotempty(FirewallName_s)\n| where \"{Destination_IP:lable}\"==\"All\" or Message.dst_ip in ({Destination_IP}) \n| where \"{Source_IP:lable}\" == \"All\" or Message.src_ip in ({Source_IP})\n| where ident_s == 'THREAT'\n| where Message.threat_content_type == 'url'\n| summarize ActionCount=count() by Message.action, TimeGenerated\n", - "size": 0, - "exportToExcelOptions": "visible", - "title": "Web filter activity, by time", - "timeContext": { - "durationMs": 0 + "tileSettings": { + "showBorder": false, + "titleContent": { + "columnMatch": "message_action", + "formatter": 1 }, - "timeContextFromParameter": "TimeRange", - "queryType": 0, - "resourceType": "microsoft.operationalinsights/workspaces", - 
"gridSettings": { - "formatters": [ - { - "columnMatch": "Message.action", - "formatter": 0, - "formatOptions": { - "showIcon": true - } - }, - { - "columnMatch": "TimeGenerated", - "formatter": 0, - "formatOptions": { - "showIcon": true - } - }, - { - "columnMatch": "ActionCount", - "formatter": 4, - "formatOptions": { - "palette": "coldHot", - "showIcon": true - } + "leftContent": { + "columnMatch": "ActionCount", + "formatter": 12, + "formatOptions": { + "palette": "auto" + }, + "numberFormat": { + "unit": 17, + "options": { + "maximumSignificantDigits": 3, + "maximumFractionDigits": 2 } - ], - "labelSettings": [] + } } }, - "customWidth": "33", - "name": "Web filter activity by time" - }, - { - "type": 3, - "content": { - "version": "KqlItem/1.0", - "query": "fluentbit_CL\n| where isnotempty(FirewallName_s)\n| where ident_s == 'THREAT'\n| where \"{Destination_IP:lable}\"==\"All\" or Message.dst in ({Destination_IP}) \n| where \"{Source_IP:lable}\" == \"All\" or Message.src_ip in ({Source_IP})\n| where threat_content_type =~ 'url'\n| where Message.action in ('alert', 'continue')\n| summarize IPCount=count() by Message.src_ip\n| top 5 by IPCount desc\n", - "size": 0, - "exportToExcelOptions": "visible", - "title": "Top 5 allowed web traffic source IP addresses", - "timeContext": { - "durationMs": 0 + "graphSettings": { + "type": 0, + "topContent": { + "columnMatch": "message_action", + "formatter": 1 }, - "timeContextFromParameter": "TimeRange", - "queryType": 0, - "resourceType": "microsoft.operationalinsights/workspaces", - "gridSettings": { - "formatters": [ - { - "columnMatch": "Message.src_ip", - "formatter": 0, - "formatOptions": { - "showIcon": true - } - }, - { - "columnMatch": "IPCount", - "formatter": 4, - "formatOptions": { - "palette": "coldHot", - "showIcon": true - } + "centerContent": { + "columnMatch": "ActionCount", + "formatter": 1, + "numberFormat": { + "unit": 17, + "options": { + "maximumSignificantDigits": 3, + "maximumFractionDigits": 2 } - 
], - "labelSettings": [] - } - }, - "customWidth": "33", - "name": "Top 5 allowed web traffic source IP addresses" - }, - { - "type": 1, - "content": { - "json": "---\r\n## Wildfire" - }, - "name": "text - 24" - }, - { - "type": 3, - "content": { - "version": "KqlItem/1.0", - "query": "fluentbit_CL\n| where isnotempty(FirewallName_s)\n| where ident_s == 'THREAT'\n| where Message.threat_content_type == 'wildfire'\n| summarize ActionCount=count() by Message.action, TimeGenerated\n", - "size": 0, - "exportToExcelOptions": "visible", - "title": "Wildfire events, by time", - "timeContext": { - "durationMs": 0 - }, - "timeContextFromParameter": "TimeRange", - "queryType": 0, - "resourceType": "microsoft.operationalinsights/workspaces", - "visualization": "timechart" - }, - "customWidth": "50", - "name": "Wildfire events, by time" - }, - { - "type": 3, - "content": { - "version": "KqlItem/1.0", - "query": "let data = fluentbit_CL\r\n| where isnotempty(FirewallName_s)\r\n| where ident_s == 'THREAT'\r\n| where Message.threat_content_type =~ 'wildfire'\r\n| where \"{Destination_IP:lable}\" == \"All\" or Message.dst in ({Destination_IP})\r\n| where \"{Source_IP:lable}\" == \"All\" or Message.src_ip in ({Source_IP});\r\ndata\r\n| summarize Count = count() by Message.action\r\n| join kind = inner (data\r\n| make-series Trend = count() default = 0 on TimeGenerated from {TimeRange:start} to {TimeRange:end} step {TimeRange:grain} by Message.action)\r\non Message.action\r\n| project-away Message.action1, TimeGenerated\r\n| extend DeviceActions = Message.action\r\n| union (\r\ndata\r\n| summarize Count = count()\r\n| extend jkey = 1\r\n| join kind=inner (data\r\n| make-series Trend = count() default = 0 on TimeGenerated from {TimeRange:start} to {TimeRange:end} step {TimeRange:grain}\r\n| extend jkey = 1) on jkey\r\n| extend Message.action = 'All', DeviceActions = '*'\r\n)\r\n| project Message.action, Count, Trend\r\n| order by Count desc\r\n| take 10", - "size": 4, - 
"exportFieldName": "Message.action", - "exportParameterName": "Message.action", - "exportDefaultValue": "All", - "exportToExcelOptions": "visible", - "title": "Top 5 Wildfire activities", - "timeContext": { - "durationMs": 0 - }, - "timeContextFromParameter": "TimeRange", - "queryType": 0, - "resourceType": "microsoft.operationalinsights/workspaces", - "visualization": "tiles", - "gridSettings": { - "formatters": [ - { - "columnMatch": "Message.action", - "formatter": 0, - "formatOptions": { - "showIcon": true - } - }, - { - "columnMatch": "Count", - "formatter": 3, - "formatOptions": { - "showIcon": true - } - }, - { - "columnMatch": "Trend", - "formatter": 9, - "formatOptions": { - "palette": "grayBlue", - "showIcon": true - } - }, - { - "columnMatch": "DeviceActions", - "formatter": 0, - "formatOptions": { - "showIcon": true - } - } - ], - "sortBy": [ - { - "itemKey": "Message.action", - "sortOrder": 1 - } - ], - "labelSettings": [] - }, - "tileSettings": { - "titleContent": { - "columnMatch": "Message.action", - "formatter": 1, - "formatOptions": { - "showIcon": true - } - }, - "leftContent": { - "columnMatch": "Count", - "formatter": 12, - "formatOptions": { - "palette": "auto", - "showIcon": true - }, - "numberFormat": { - "unit": 17, - "options": { - "maximumSignificantDigits": 3, - "maximumFractionDigits": 2 - } - } - }, - "secondaryContent": { - "columnMatch": "Trend", - "formatter": 9, - "formatOptions": { - "showIcon": true - } - }, - "showBorder": false } + } }, - "customWidth": "25", - "name": "Top 5 Wildfire activities" + "mapSettings": { + "locInfo": "LatLong", + "sizeSettings": "ActionCount", + "sizeAggregation": "Sum", + "legendMetric": "ActionCount", + "legendAggregation": "Sum", + "itemColorSettings": { + "type": "heatmap", + "colorAggregation": "Sum", + "nodeColorField": "ActionCount", + "heatmapPalette": "greenRed" + } + } }, - { - "type": 3, - "content": { - "version": "KqlItem/1.0", - "query": "let data = fluentbit_CL\r\n| where 
isnotempty(FirewallName_s)\r\n| where ident_s == 'THREAT'\r\n| where threat_content_type =~ 'wildfire'\r\n| where \"{Destination_IP:lable}\"==\"All\" or Message.dst in ({Destination_IP}) \r\n| where \"{Source_IP:lable}\" == \"All\" or Message.src_ip in ({Source_IP});\r\ndata\r\n| summarize Count = count() by Message.rule\r\n| join kind = inner (data\r\n | make-series Trend = count() default = 0 on TimeGenerated from {TimeRange:start} to {TimeRange:end} step {TimeRange:grain} by Message.rule)\r\n on Message.rule\r\n| project-away Message.rule1, TimeGenerated\r\n| extend Message.rules = Message.rule\r\n| union (\r\n data \r\n | summarize Count = count() \r\n | extend jkey = 1\r\n | join kind=inner (data\r\n | make-series Trend = count() default = 0 on TimeGenerated from {TimeRange:start} to {TimeRange:end} step {TimeRange:grain}\r\n | extend jkey = 1) on jkey\r\n | extend Message.rule = 'All', Message.rules = '*' \r\n)\r\n| project Message.rule, Count, Trend\r\n| order by Count desc\r\n| take 10", - "size": 4, - "exportFieldName": "Message.rule", - "exportParameterName": "RuleString", - "exportDefaultValue": "All", - "exportToExcelOptions": "visible", - "title": "Top 5 Wildfire verdicts", - "timeContext": { - "durationMs": 0 - }, - "timeContextFromParameter": "TimeRange", - "queryType": 0, - "resourceType": "microsoft.operationalinsights/workspaces", - "visualization": "tiles", - "gridSettings": { - "formatters": [ - { - "columnMatch": "Message.action", - "formatter": 0, - "formatOptions": { - "showIcon": true - } - }, - { - "columnMatch": "Count", - "formatter": 3, - "formatOptions": { - "showIcon": true - } - }, - { - "columnMatch": "Trend", - "formatter": 9, - "formatOptions": { - "palette": "grayBlue", - "showIcon": true - } - }, - { - "columnMatch": "Message.actions", - "formatter": 0, - "formatOptions": { - "showIcon": true - } - }, - { - "columnMatch": "TimeGenerated", - "formatter": 0, - "formatOptions": { - "showIcon": true - } - }, - { - "columnMatch": 
"jkey1", - "formatter": 0, - "formatOptions": { - "showIcon": true - } - } - ], - "sortBy": [ - { - "itemKey": "Message.action", - "sortOrder": 1 - } - ], - "labelSettings": [] - }, - "tileSettings": { - "titleContent": { - "columnMatch": "Message.rule", - "formatter": 1, + "customWidth": "33", + "name": "URL threat event summary" + }, + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "fluentbit_CL\n| where isnotempty(FirewallName_s)\n| where ident_s == 'THREAT'\n| extend message = parse_json(Message)\n| where \"{Destination_IP:lable}\"==\"All\" or message.dst in ({Destination_IP}) \n| where \"{Source_IP:lable}\" == \"All\" or message.src_ip in ({Source_IP})\n| where isnotempty(message.url_category_list)\n| where message.action !contains 'block'\n| summarize ProtocolCount=count() by tostring(message.proto)\n| top 5 by ProtocolCount desc", + "size": 0, + "title": "Top 5 allowed URLs, by application protocol", + "timeContextFromParameter": "TimeRange", + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces", + "visualization": "table", + "gridSettings": { + "formatters": [ + { + "columnMatch": "ProtocolCount", + "formatter": 4, "formatOptions": { + "palette": "coldHot", "showIcon": true } - }, - "leftContent": { - "columnMatch": "Count", - "formatter": 12, + } + ] + } + }, + "customWidth": "25", + "name": "Top 5 allowed URLs by application protocol" + }, + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "fluentbit_CL\n| where isnotempty(FirewallName_s)\n| where ident_s == 'THREAT'\n| extend message = parse_json(Message)\n| where \"{Destination_IP:label}\"==\"All\" or message.dst in ({Destination_IP}) \n| where \"{Source_IP:label}\" == \"All\" or message.src_ip in ({Source_IP})\n| where isnotempty(message.url_category_list)\n| where message.action !contains 'block'\n| summarize ProtocolCount=count() by tostring(message.url_filename), tostring(message.proto)\n| top 5 by ProtocolCount desc", + "size": 0, + 
"title": "Top 5 allowed URLs, by application protocol", + "timeContextFromParameter": "TimeRange", + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces", + "visualization": "table", + "gridSettings": { + "formatters": [ + { + "columnMatch": "ProtocolCount", + "formatter": 4, "formatOptions": { - "palette": "auto", + "palette": "coldHot", "showIcon": true - }, - "numberFormat": { - "unit": 17, - "options": { - "maximumSignificantDigits": 3, - "maximumFractionDigits": 2 - } } - }, - "secondaryContent": { - "columnMatch": "Trend", - "formatter": 9, + } + ] + } + }, + "customWidth": "50", + "name": "Top 5 allowed URLs by application protocol" + }, + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "fluentbit_CL\n| where isnotempty(FirewallName_s)\n| where ident_s == 'THREAT'\n| extend message = parse_json(Message)\n| where \"{Destination_IP:label}\"==\"All\" or message.dst in ({Destination_IP}) \n| where \"{Source_IP:label}\" == \"All\" or message.src_ip in ({Source_IP})\n| where isnotempty(message.url_category_list)\n| where message.action in ('alert', 'continue')\n| summarize IPCount=count() by tostring(message.src_ip)\n| top 5 by IPCount desc\n", + "size": 0, + "title": "Top 5 allowed web traffic source IP addresses", + "timeContextFromParameter": "TimeRange", + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces", + "gridSettings": { + "formatters": [ + { + "columnMatch": "IPCount", + "formatter": 4, "formatOptions": { + "palette": "coldHot", "showIcon": true } - }, - "showBorder": false - } - }, - "customWidth": "25", - "name": "Top 5 Wildfire verdicts" - }, - { - "type": 3, - "content": { - "version": "KqlItem/1.0", - "query": "fluentbit_CL\n| where isnotempty(FirewallName_s)\n| where ident_s == 'THREAT'\n| where threat_content_type in ('wildfire', 'wildfire-virus')\n| where '{DeviceAction}' == \"All\" or action=='{DeviceAction}'\n| where '{DeviceString}' == \"All\" or 
category=='{DeviceString}'\n| project TimeGenerated, LogSeverity=pri_s, DeviceAction=action, ['URL Category'] =category, DestinationPort=dport, DestinationIP=dst, Message, SourcePort=sport, SourceIP=src_ip, DestinationUserID, RequestURL", - "size": 0, - "exportToExcelOptions": "visible", - "title": "Wildfire events", - "timeContext": { - "durationMs": 0 - }, - "timeContextFromParameter": "TimeRange", - "queryType": 0, - "resourceType": "microsoft.operationalinsights/workspaces", - "gridSettings": { - "filter": true, - "labelSettings": [] - } - }, - "name": "Wildfire events" - }, - { - "type": 1, - "content": { - "json": "---\r\n## General statistics" - }, - "name": "text - 30" + } + ] + } }, - { - "type": 3, - "content": { - "version": "KqlItem/1.0", - "query": "fluentbit_CL\n| where isnotempty(FirewallName_s)\n| where ident_s == 'THREAT'\n| where \"{Destination_IP:lable}\"==\"All\" or Message.dst in ({Destination_IP}) \n| where \"{Source_IP:lable}\" == \"All\" or Message.src_ip in ({Source_IP})\n| where Message.threat_content_type =~ 'file'\n| where Message.action contains 'deny'\n| summarize ProtocolCount=count() by Message.proto\n| top 5 by ProtocolCount desc\n", - "size": 0, - "exportToExcelOptions": "visible", - "title": "Top 5 denied files, by application protocol", - "timeContext": { - "durationMs": 0 - }, - "timeContextFromParameter": "TimeRange", - "queryType": 0, - "resourceType": "microsoft.operationalinsights/workspaces", - "gridSettings": { - "formatters": [ - { - "columnMatch": "Message.proto", - "formatter": 0, - "formatOptions": { - "showIcon": true - } - }, - { - "columnMatch": "ProtocolCount", - "formatter": 4, - "formatOptions": { - "palette": "coldHot", - "showIcon": true - } + "customWidth": "50", + "name": "Top 5 allowed web traffic source IP addresses" + }, + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "fluentbit_CL\n| where isnotempty(FirewallName_s)\n| where ident_s == 'THREAT'\n| extend message = 
parse_json(Message)\n| where \"{Destination_IP:label}\"==\"All\" or message.dst in ({Destination_IP}) \n| where \"{Source_IP:label}\" == \"All\" or message.src_ip in ({Source_IP})\n| where isnotempty(message.url_category_list)\n| summarize ActionCount=count() by tostring(message.action), TimeGenerated\n", + "size": 0, + "title": "Web filter activity, by time", + "timeContextFromParameter": "TimeRange", + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces", + "gridSettings": { + "formatters": [ + { + "columnMatch": "ActionCount", + "formatter": 4, + "formatOptions": { + "palette": "coldHot", + "showIcon": true } - ], - "labelSettings": [] - } - }, - "customWidth": "33", - "name": "Top 5 denied files by application protocol" + } + ] + } }, - { - "type": 3, - "content": { - "version": "KqlItem/1.0", - "query": "fluentbit_CL\r\n| where isnotempty(FirewallName_s)\r\n| where ident_s == 'THREAT'\r\n| where \"{Destination_IP:lable}\" == \"All\" or Message.dst in ({Destination_IP})\r\n| where \"{Source_IP:lable}\" == \"All\" or Message.src_ip in ({Source_IP})\r\n| where threat_content_type =~ 'file'\r\n| where Message.action !contains 'deny'\r\n| summarize ProtocolCount=count() by Message.proto\r\n| top 5 by ProtocolCount desc\r\n", - "size": 0, - "exportToExcelOptions": "visible", - "title": "Top 5 allowed files, by application protocol", - "timeContext": { - "durationMs": 0 - }, - "timeContextFromParameter": "TimeRange", - "queryType": 0, - "resourceType": "microsoft.operationalinsights/workspaces", - "gridSettings": { - "formatters": [ - { - "columnMatch": "Message.proto", - "formatter": 0, - "formatOptions": { - "showIcon": true - } - }, - { - "columnMatch": "ProtocolCount", - "formatter": 4, - "formatOptions": { - "palette": "coldHot", - "showIcon": true - } - } - ], - "labelSettings": [] - } - }, - "customWidth": "33", - "name": "Top 5 allowed files by application protocol" - } - ], - "styleSettings": {}, - "fromTemplateId": 
"sentinel-PaloAltoOverview",
- "$schema": "https://github.com/Microsoft/Application-Insights-Workbooks/blob/master/schema/workbook.json"
- }
\ No newline at end of file
+ "customWidth": "100",
+ "name": "Web filter activity by time"
+ }
+ ],
+ "fallbackResourceIds": [
+ "/subscriptions/cdf6b2c9-484f-46b7-8952-68edea8f1dcb/resourcegroups/sentinel-test/providers/microsoft.operationalinsights/workspaces/cngfw-law"
+ ],
+ "fromTemplateId": "sentinel-PaloAltoOverview",
+ "$schema": "https://github.com/Microsoft/Application-Insights-Workbooks/blob/master/schema/workbook.json"
+}
\ No newline at end of file
From 7ed61140a74da8d8476e6537954491941f0fadcb Mon Sep 17 00:00:00 2001
From: abudilovskiy-panw
Date: Fri, 3 Jan 2025 17:08:30 -0800
Subject: [PATCH 3/5] Remove reference to fallback resource
---
 .../Workbooks/CloudNGFW-NetworkThreat.json | 3 ---
 .../Workbooks/CloudNGFW-Overview.json | 3 ---
 2 files changed, 6 deletions(-)
diff --git a/Solutions/Azure Cloud NGFW by Palo Alto Networks/Workbooks/CloudNGFW-NetworkThreat.json b/Solutions/Azure Cloud NGFW by Palo Alto Networks/Workbooks/CloudNGFW-NetworkThreat.json
index 47bc68c93c7..d1b8be31ab2 100644
--- a/Solutions/Azure Cloud NGFW by Palo Alto Networks/Workbooks/CloudNGFW-NetworkThreat.json
+++ b/Solutions/Azure Cloud NGFW by Palo Alto Networks/Workbooks/CloudNGFW-NetworkThreat.json
@@ -396,9 +396,6 @@
 "name": "Top correlation events"
 }
 ],
- "fallbackResourceIds": [
- "/subscriptions/cdf6b2c9-484f-46b7-8952-68edea8f1dcb/resourcegroups/sentinel-test/providers/microsoft.operationalinsights/workspaces/cngfw-law"
- ],
 "fromTemplateId": "sentinel-PaloAltoNetworkThreat",
 "$schema": "https://github.com/Microsoft/Application-Insights-Workbooks/blob/master/schema/workbook.json"
 }
\ No newline at end of file
diff --git a/Solutions/Azure Cloud NGFW by Palo Alto Networks/Workbooks/CloudNGFW-Overview.json b/Solutions/Azure Cloud NGFW by Palo Alto Networks/Workbooks/CloudNGFW-Overview.json
index 9bebaccb7b1..180ccd68a5a 100644
--- a/Solutions/Azure Cloud NGFW by Palo Alto Networks/Workbooks/CloudNGFW-Overview.json
+++ b/Solutions/Azure Cloud NGFW by Palo Alto Networks/Workbooks/CloudNGFW-Overview.json
@@ -934,9 +934,6 @@
 "name": "Web filter activity by time"
 }
 ],
- "fallbackResourceIds": [
- "/subscriptions/cdf6b2c9-484f-46b7-8952-68edea8f1dcb/resourcegroups/sentinel-test/providers/microsoft.operationalinsights/workspaces/cngfw-law"
- ],
 "fromTemplateId": "sentinel-PaloAltoOverview",
 "$schema": "https://github.com/Microsoft/Application-Insights-Workbooks/blob/master/schema/workbook.json"
 }
\ No newline at end of file
From 403773500192edb03036b801578cb85c6878a133 Mon Sep 17 00:00:00 2001
From: v-prasadboke
Date: Thu, 9 Jan 2025 22:40:38 +0530
Subject: [PATCH 4/5] Solution packaged
---
 .../Package/3.0.2.zip | Bin 0 -> 20304 bytes
 .../Package/createUiDefinition.json | 2 +-
 .../Package/mainTemplate.json | 100 +++++++++---------
 3 files changed, 51 insertions(+), 51 deletions(-)
 create mode 100644 Solutions/Azure Cloud NGFW by Palo Alto Networks/Package/3.0.2.zip
diff --git a/Solutions/Azure Cloud NGFW by Palo Alto Networks/Package/3.0.2.zip b/Solutions/Azure Cloud NGFW by Palo Alto Networks/Package/3.0.2.zip new file mode 100644 index 0000000000000000000000000000000000000000..c8b0f51f4e5beb80806f275454bfdfef25da8d17 GIT binary patch literal 20304 zcmZ^pQ;aZ5)MeYYZQHhO+qP}nwr$(CZQJht{+pT1B=a!IPNi~QtFn`IvJ|9&K~Mky z03ZO?YALm(;ZqjwVF3Ur*#H30|C<^+nHsv7s#=PenpxUex>(xV(OEg$+wE%ov%?-o z{OcFkHymt1pnQ;!5d_ zdyFeF*-XT3breYS_HJ%&em>6L{5*~KM<{wGN1tEOal?z6oB7`1#ethn9Mmy$syd^3 z2L5z5TqR(8ewcw35AGfGOVM^MT{ZHsNPW2)Z6;=2%zWE23BHe7xz0Ze?&nVSUAlbM zV$LM3Y-(9^=V}|vjKs%bxCIMk_>|HF7h>sb)$quXraqrCMl$;m62^#;Wm{Zc1qf^L zuJli18$1vxlY6};H@jnQ@%AH?Qobf5|u|H z+I*0kn!i8^=2E^y7y?QjR!&9}S%H-|v4T^wFG>!+FUFS(ugt{4iy?_!nitHIrROp# zMCKo!g6EswKRB1UyqsC@@9&wQYueqtk5z|vcOR9kDp4M)ifkIfJ~Wq-k;%#mohvh{ zAseGAWIi{|T7uwp53CFiviLpM|A#iOIZ_*b^wUXYxvX@j+Kwbb8FKA@SF4o0eJ<(0 zhmTuUCh_q8U9R6hl0Po(lYsINULq`?qL1Ny8D{9K=f@!LHBv)hH*W@&oi$DRMm|T+ z+&mHDR%hWvNnbc=cLAinT8A@FNB%BSSChV=lLQ?p$F1nNgZ^1&a-I!@i=b{Gk@E}( zdN03lH*#EBkPEq$Ug6ey#K72yeUc$?o*z0+vzB2Yvgy)<(FFQtRp-#6w!%h2l?nY| zgeFHLE0_~xpGybo!lK+*uDE>yU3FGq;@1|cl)q=LD^Zdi3rjQcDmtS^bu{G3JZ^-5 zEoQhXH1BL(CqbY-<;k0R1L7craH?V)$>0rfdlZ7edp3d_y_- zIj33#ykBbDJAq`nOjnS=a7Pr=Q}&rkVlD7?CnJa08O_18V=Z1l^hs+0*I3>9O^ zYO+qZ1o;jLd;wv>G>7iZdVbV6Js8pylN{pHE&E_CJswqKsOJOWiHLo!dm(lLz|IJA z1A&JgGz#{}DN_*iYV`g%u?{3|J#x8xsA)HYwEgpxZ+(RerV{sHVb?6Fv%uT{ic8oX zy1Pq!QNl@Ej&VJ~djB$VetQ>^#0)~gEsu}W+M3LuGXF731OIB# z7KI!$jGD5RPU#1ySdR#eK|u1Nsn>o#nx!+izP zoVEereH(V1lwT5MTn@Yg-LqX~!tN4J7q>0&#wBc>g_nMaC-39MG?tx9FDIBNcHZHM zcSz+_W9`@aa7f*o)tpPhKF2DoR?G9WDCKkX+;H@q9DbeH>}PG?M(4!~J=e_STY3Lo zfQxi%E8^uE?w8x#TR`~UN34f)t#6Lun{i0cbgViI_HS5K>WM|H)SOh@|(Mk_Ad$RJ3SudZ68OW?AjR{lWk z6p2gaOx+qAczA!%=&}$wQ!r(4I8s=R0c+v9Aaw-W&tBKp-rEFmgJ0*r!uTAt&9?$e z0PF(>21z5s#8f+DU^qrp6R}yUx!XY&#W<>|>k$85$&G6KdOLg{HUM4j92-6{7+yH$ zEjjE<7#y~i(x~U~)}cfqyjnRi$v0cpBGX#hz7OgAK2eh1KM!M0kr2>cM8tJ?i9s z?BX{H3ys(oJR57D*ooNY$o_20{$!4KJNn7xCYXjtA=(77fi6Nl(IfDKLsi}m!AmaV 
zou`kkb`$~NK<;1i=K3h$kQ5hVDoE;fMn9){;5)*oxxa%S;dsI|0PUPRr+nK3J z5LS31I!7dR(?gn+dMoId*j6ghDG)Y*A$1i_D971_d5Ur*ouI=cEG4Xq0~1P}LnmBo z_~3*6I4Eroi_ml{AehI1YIO%^D4# z%4HKEo9Sh#7u+aKyWL=$#-P|h^?Q4?@BU!Tkot;{rN<8L_PAefBV27*gVIH7t^JkN zu(QCXQEsC;1%I*JUI}$lv)oiy(I`FwHBAxN(J_P;r4-+$g2L2_%Bv<4l&Ma=`PDGX z*-oYyEySv4={|V?XqFth645a?)e=lAK%Hg1G?%)TP+CMbc!G49s1!DF)G)f4y{wW{cdl5NTG2^g0hYF; zvwyr;(hjPzD%2d&6*BGpUY=|jSF2H5h2HJ)sOD>S?C0DX6i(A=LB&${?`N&$2)e)X@H?uuqG~cp}t6A6StX zdrpi!0jp<3-GbBbTUvaF>cv;95%p7!_LY2)>Ya)drQ#M21vw&SWZHAXvGyPd?xn_| z-aSna*sz=((lOi&f{StU+fwD@PP?INzac!&qu0$BLq2dZB#=>YbnXo(YxR{)zr z;A2rxsxVw12HT{!+>BAb-v%hvzDHo7k5tfY4TnNkFk#*3Q`lw|wWJ$hxz8|NNU1=D zswo&jlz^}zi$zUfQ}&3J)e)L6NDLFhu5KoR~KWj5?W+ zm>+jkh)l*x=S^fm*Zw-|!9-m}NLEaNfgVsL9Y^)-I)EZ3{1X8T_QEJ4fayyE0V>v$ z(ToOWt0aIr49ucZ_N-p?L7vk#nuk(bDqLU-BSLK;4Og(F;)St6YFXznarx?N)DA<- z;ibd@_!=~5z>s(WJ*P~p9ZL+uN|fQO)55bpK}H@T`#VT6#o3@$z=TShiFQEY3>F-S z2383%;R583rw;xt?*<%SJ{{~(_u{OV5hk*F0K8&{q~R90^9R&P6?*IZrkzd>3mFltWK}En9Aoc?!QlR% zH_`L_b>3eu#b9m)&V95+D=^<-k_ymE*$=s03J5wTVnN-`_-~iK4~9%SYI15w9JKVL z`MDg6yV$UM3;d6;uTw8m+B2CVy5rih3u1zv_9L(yE`R|Dn6imjR8vyEGVWOq)H+iN zd>-N^{I5U6O}{lQW?JmPImaIOAe233MTsugUtx|&AgR37I$(ZtY1(z`kIx3ost#^UNl|=Xb zz0P;r!^^(mbrX1!2|gd0pEWn@MHXSD zI(T{YuPwU{jb6(#@3UyyIlKKaoe$yz1N%hFY@%sg&T4xn*U2!B3b2)Wte4Fmx1Y~g z2mkuX<_)v)37%~s96H|v8Gc|~rzWi2C-v^`oHo(!-wAJ2Z@X4?Sqm>lX9i?Ej&qvj zFz^w%($RDw0Sc23j-?H71!zj!Oi%lXrV=m&aIXj23^XGw*NqHEpiz);U)3Us%Bc(+ z4ym|7#53?|&=%la)xCBOcv=wHVSO;M90vu_tY$AJ{CY}CJZs|%xdqYX&c?U;`FOyj zgrMPF*`t}Os$cowKCG|C|GD^WZB6vfDHcN9r=~`=s$B1tP`+2A>zf^}gS}Umr6l6jtvYg!Ni|X6ah(S+jyUIqSEEs~PJz z*LFJV{a&<{)o3wT&ZVtZ#VMsx@;&_X2UPff7_l~uv(Q)o03d4@5CHK%Mzl4wv{Ny) zb+Gx56#o|;-uhZQZ*w$Vyeqr@0k1coZ{$&52}=5zjB#FXOpdWij#+z~Sy9V*QYI#K z6iUEKZZ6K9t^Lxzm+$I3bw3gSA{A7G8*?X`8%dKa0AR(66?ZTGj{EIfJyHDt+O~?|2oXOASYuruY z%KLCTUjK_3KIpE+vMj&{gY5ZUjWwc&X~mENGM=#*-^EMDaPD!9NVANKlf==telEm0rj%Tfj(ch|2_KXo7Q05QEI0!!_33 z-}g1^!N@#k%g++`OTx0(IjM``8`F-kXTH@MiMzSLd(pYT$$zsA!Q%}ApS(FTns!X` 
z6hwHB5;q6E*D=U|Ik>I%w&4i=wj%G>`b$~)&gXROfc3iDFLvnC)U178>w{p3$}nm$ z`a6-`z-QYFjckn7EjN21i%jgGJMIdDaWE2RJRCP>mgEC6G7|Y1&t8N0?1UocJ04PX z2EFcMD=x<$V)d^Ad(6J>5Y+K#3r>hNDbe~Tn83>DT{qeN8Gmed;yNCNo(+fn$*yox z5G79Xk$qfDE6@PlpKlo+WsxC*Xu|4ame|SAr5F4w1kAmSeut1SbD;plb|fe2V`n4` zQssh3l|b_F!^8Zr@&4^`*^Rb1E7$hV&)fZd_@_}?m<}^DZ;J}{lYK7_Q9yih%L5rM z_ITjUJaRqWkWN>Fa&xOYB=i)tE`Axid(uUTD@6~(&n6SXtCJFCtgYy?Va)67#sLo+zg>Au`Jd+zP)?Ph~OodJVytX@Uwz)7&0A`uG|jal8^LG zGD~r_ExQz0yKc7nw#(O+{tB8(Fs~xg;pYFEX*Y-)UAh?4h_<(^$b#hg?kv>I=6ma?NWm!5rUwFYH%IEll zy)t{&@6I&;%EGGgx`whiF&@sjLYJ5_c~ z(fGB&gL`i&CQo@Qk-a)$&A{5TNPc$uj&=1=R>KMFpa?D1csdP?buRR9RSQFncn3pG zCv@T(|t+RcD`@%gN_-*fw1>NK*?qCrc>>0 zk$oGt%g!C1%e&mBt=nv`-K$o8?E-EmFFmw&MWR#sdqrZyivX#PJqq;Sg$Gg{D_LMD zH;QB@PkhK$ZfLiYL?+73`+Kdx`Zn9ny8+y~b~D6T`FViHfg5<;))nVlVLo)bI@uxh z?Z4wYP@-dt0*&DCZ8+JXlo66-M>WY|OT#Zj8iwI59gl$h9JRDmNK-O7eHoOQQgXq( zJPa3O-ka;J2(7=0t%)&mNE^OJ-!Zt5T9^6=D8nPjYRgK?)=HF>JTaTujG;S7uU-Se z_@tE#W2tSAT3y7-I+;4?cN#Y5je5A{L1AcDRiRgXluz z2r?}O)wBd_b#P#_;mfBBhPxiql+0YgpMVNx(q|wGm{@$keC|#>y+OP@Hr3W?Ye-sd zI4DygL@Lcm{%LwrC&jy5=>`<IYUGD9-n7r{oEAW}`6CBk}*VyK1 zy@3k&E5*ivY)cijl_mD3Aj(ZpdJud8(L+naVEr&bm~?|E@&{uuZj;;f*#2q!RUB^7cGe&oi~pPAzsn zA@>AAh`WW1;UZSAG9Q-oU-l$0dLuehY_g_qZ83*zLtS&e@w20E;a8cN6 zV)4KpQoI+T$I%FDaXfF}TbUyeA3599(E|$iWvt`NMUgY~Qw=*wNl-6v7S_;%MgCZX zZTu6?2efPgU+CfjT#vsZA7XGd!YdQPLDH3C7{Lid3f8D)HFiA!cn#tMIYu%OYlYZv z=pJ+BY;*qcd+8HRjo?*l$* zHPLHeHjwfO9)!9fkcwQ}*Til2#de8Z`pWAr;e;IZ6Ach#W$s2&L=zB?SWwA1DLc7+ zU9dkhJT5()Pzrm}CfqsP#&x#GJD0>L{%5$S>jZyh2+1o!o1l+_x`2sXmDh3LvL?p? 
zG_YEp07j-jf%xP-mkWS;@F}phtXMD{cq=OS5S#gZ8Ut*>fo06G*1APR#w~{W-iGN9 zzJe=A4q(KB?7?N+3l!P+{s8B=@rK?%&^tG`oB-~1&|=jJjyC>Ns{=98VkwLFB)E%- z2e9B=f}ZWoP+ltd*G@xMG1gKXHUFmXZblq@+42cr}-V|TDp7u@!S-XMtn?RjXu zv$AxTYtTN_GxR-siGlY~CLyYOeF#&-bQm1mPztcct2a0<@9$T$S%&|0NU)Q?MLve^ zaGs2sCWk_mz5c)!4tfR6&iG)am4LoV7NUUWvF66@EMUn0;` z4>t@XwH_WT%!Cb|pGW7X#1SdAK@|Eg(M6O1W*bUb(_#_dtptV@uqMj1#oaZUxxZ=OD>mHGjv|KKOkc*v(@Csh`8aBocIZo^;Vo0<_Lk~oet@Z;F zIrwZ2GT5cI3LLu6!E-5(M^5E+US_a1{O&3ztGgCZ@cl;gVlahbIO5Wd4gWb8Pt$2J z?oXBXv1@fTf~!g4J3fe;f?YuPQF+K9@KqoQ83APX33Zsl0>fb+vAcU^4YRnjn%ryp z;Mw@ON_0(2Qx1L^G>SQI7d=z4B`&tS$z+SGv;eVt3K5~wqyj#t<)W`7DIs!tEBz=2 ztVam5rO(OSS`lI*(*UqwAXYvgl}k9tUJa7OxW~UF%OH|mc%esKZm5c@iM!Bc5rDu1 zXDh->D@awK#r-o57#@WY)`guwtO~H3c|oJSz&vae=l#%L5F0wPGQ4*jWQ)BJHW#fD zr>VT?8G3;gwneKtfxs(te6)io4`zm}BtIRpI}==~qIAG4h>6e^X?DTztBi_9!N=T7 zb)(j@UK6U(x-^&OmTHi=E4hlchI>$aMX-UuK_XZs+XA%*3Uk;b7;#t%f!_e?xT;#x z3xVF-DKHE&xkxIy)>>db^wzC+R|EmG^A1o@?)}hwUGR0mYP*2dQ#94%fncGbu)cqK zB=z_G^LJHoLyg>kdy4&VG!-96HuwWs7Pz3MLaGh@Z-bc6$XbpQ<^~??g4k63M*`5Z zoCaFVizOgczls=5)~yU2CV-vY8I=D3DsTg&%y_Y!M|rwkrDV~3#SlY!#}o>qQGM$F zA$~bn?sqM)6#%fH8RQL+8LyRpVU4i7<_d@6F5u#@)b^U~+icTysJD9iF57h;=$XRS zy!EZ}x8(NO5!y3WdmR=j780;KN{y-5T1qjPQgeYupwAA5gPJUkR&aH%^6B5K>qzSt zFuGwoZ>~wjVGS&aoQHIGbH{d);mF?@i21M?R5N+TPj$ee+Tb*Fd|Fs(g;1fwL&rP8 zKTUia=ZgKfaH>3zEqnpgZUYDHyQb3(6>g*85x5HsJ(}p(9I=X72)?oDj~D}Z$?nih zNaX#{Dp*=n8k-F+8~)L1l4d8CNoYQ~q0Z+@`Ox3Oybmm6=meM2SyOix2^9F0YcK8COXFLwYa9pEt{+8g;`71IS)!M_pM?@ki99u}8cJg9J zCLP<;4hD|a4-E>B5IMje-M%YB(mpX^nYR^@Ux2IH`gJI)jizULIa{jL3}cLvK5qZF z=T0ceOx1(}e^};;YdW0>-wx$PZ%g?b+`>b*t3BbadqCHQ87QhzL_RU5of{ApG@v9u z5bt=r#toeoq||jze^XogdhzpJ8oQz~taE9MQYlO%JCi`9mV}R%hFw}KN<%u61Ya!$ zs$`5sQSf}%H(aORzfIpg<)1grhCl7-4H$m&<*=fkpOM08evPrKBYu;LTZ!gWu*WH9 zk6XqbzbrrH;2k&YszB2o67+H%zhLDSnHHbNfnV;nyPzje?Y82>B_i9`28T(^Ge(qG;7>vQwX)qBOZ|MGq))AxX?_MY{h-g}ZRP`yX} zr_ytnj^mQK{;mAxrjLY+RsRP5Vy5pzV5)Z=KcwwD={Wl;442mnuy4M5Em4gQ@&`8GJro1;tf=W*yutFwP7u^TPjcR zhukT^pCx0dh~J;7s+#cA-`n?VgT;*hMa<+UFe@Ey}fS 
z)$$5JKPSi7Vi9fwNOFP6P6Dt*XvZiJw!Dh$+$7cC>m3HXI$Zc#^YJO~9Cx71qwmnz z()|_C55n<^LTj3xYi32Lo8RS>RMMy z&=QtqPQTwnIw}qwP(TXtWcoXO!O=QnAyJ04jEaBA%WiUkh5#gP&q)zRA2{*uVaRw3 zwDV#K_ILL3+2a`87xG25RH@#-oG}OIG+~P|zP-A48Cj(_KD~ubFuK!ODD{CE;?{!~ zadI&())uTbaqn{A@AO?6>v;^iEXUH{>0k$Zj*IOUvtXDLN0=pWn<7AhNGHBX#=;u{ zRHh1-7Q{=l39PR-=m&MP>*4YD&M_XV0YpIjstaaW1n;8@Sb1na6}W4CpGy11Mj5@= zLBe@LadGDWWw>O~AV2>ASs3)2bf7=dTuAR`c?ftUOT--kPM@=?UPconNH?No-GduP zS=g37ezLa@2rke0>W3{P2wz5AP=N{$0}JpaEJ|MEvSCBlCQrxfGAKdRmYm?`;GGNk zWuT|gn2qzZH`BhN7MVY#2}7>b5T6upaow6#+dRoTpq<$lHEB{@Nq{T_#lZ_?2Dgw3 z3V|%T4MzGjfef&T5Lx?)9RmcE>Ig>W zdGgS+v_F*czWp8c%;*la|rS=`cg zzzJXbN$eM?m#DW_fJLZX)2rJ$6x5m(>#z?_i^}amD+aP2Jo=U`>Z8#AFl2y{*H3`L_v?ToNrmMC{6U5j0@I`5cp7*^ z!sK2LG@OtF4@>--imAi~yzoNl18pI3#upv)1C}Zz2A*3)AFtQT&DF6-Yz7KeEDz&7 zme&B1ny+gwDKjYt8DtM%H_wA%Z6txCeg%?-CaMl`^1)XFB(}n!NapgUm@1hg9AaRm z*R1UCX5n*tOB*I_#fCLeZKnwHY_Bj0d(#+zAR|mxAVv~_WFN3Q9EloqCvVTirtdQh zc*;fSp1Q`tl>Op(B^j*$NPae{dOSZsz#!c*-GFxLtG8t2P)q+nU1lGt^oLfGxB*D5VI{9b551PwV8by3Oj~G?|%F}zG(ilV;S`x|}P`R9DxxbmI zvJNyfRIA}qm@;m*aUq$hg!W0M?EZ&%i}s3QtQ;pL_fU#ioUO-2$XbwtjCB7?ih~pw zk6St$K<(|x0U-T~wF0=+AKHVZgk#Q<5z0|X4}4gd0mubCIra{dY`bNP%A z1*q8LrvsSj;Pz;f|MaKj^`PKh`tdNV92sC#IQuFsCV+So(!9faakU;qdY$T1s&1RN zeDb76TQ%j>8ErCMG4z+(FZc^!p~H0g;hc(z}g%T75Oy%;a-NXBZ)C@Ov z^zD}1>koZ3tuAA$1b4X;3ap*5AWEOcA)paGrcjV2U;4#fO}9UK4~W=#0NpOkfDDJ@ z-4>jFq%3lKw|3p>4x`_I3nkUmGlzjEULZoKb#-0K&z#CgF&ryno*P%8lL|#ln7&d1 z-E%}?6}n=2c{}XGUO}XJ14bVc)of1`%QzAuud+!=3-Z8@{{)ynnRS^3 z=!N>Ev+$E_R7r#-by6gePeif?sN#%Ac&RQI|iDiX+;mG{ySwxj zxGeND8U>U_3gD-Ea$yKcvI7}vii4D+2i}JfX<{tUxqgd2LH(K$s&&d8(NK3`H`tbx z!H9PS>|?W|t)JM%V*O*!f;C%n-PB^9RXb&jCu!JhP$X%1-}=I`PJ}OQTA8ubWN8|t zhS&}y4aG>3hu<$8Pwiq^78!b(WRjo;*gjvZqMsDQ#UW{_%K%Q0o-ZRFU`I|*VANbk zX#8c$GU8ijEVX1?0zZSXJKH>{)nuc9DRuIO)@)1nd97KNVNs@sWoY zIlgrDMFZacs1a{wL^&)iRhEZzpg$$Dyof6>a5uw)jVv!V@_aJeqv|QwHN&HdsxdFE zw;Uu`ervD!rK1nY8=h?)dN@9G0o z7KiA!x@pHjYRQbzt3d+{Y1IH-br59JtdF^~a>luYyo{c*rF6mIly0?jklJYf0gPGUW)%4W0=Aq{!$H71 
zL<_?vUO*&#A(4HM>>r+7Y#(leN*hbGEl@a>!t~aPu`866jZ!Mh^p{?-JP|xsSS0}^ zT@&5k*(V%Vd6E(EeE6n$+#Zzt%KUT=rKxAJfJww)S|m%2EZ&&wGn}4+0D-^Gv+Rx6 z_2%mucY-#83~(E>lR2Qu<}rp|Z+K8g#R2hNr-2SY-=MPza>-kKoI5mHYvw(kuD-rK zY(WC1uysMIHQT>yaG$pxB^t+s0*?HjMnHjleS6<9HAjn*LJ&4M3SiwIooOz&jQb3Z zrhLEmdCtB$1BFWnW|}5LFStqr_wU-^Ub}Uh?lfb!oHSFsmzy|GgU;RGJlBqOUJJzk zmUkCcF5KB{x$UJM&W+_&%UkU(JPqBRt`eWt z^_vT;)|#`zx@)!aQqat{GLLmzTo;%75Xous`H={S)qo0YE;rvMI3|0C(5I&s$^=BK##G0poZJTS)Obi6W`k?$_YJ-K?c27^>-)_!a@PR-tl(#bw>T}?-g5oD z=JbtyAl_<@iIDXDZ>eeTe;2`t*5VH$iGnlHNiZ+kqzO)|pw#+j(_z%^T}w-}AEFfN z_H$F2+9RFq(Df&w>5PQvP-j#lt6|qy(Y3c`br5E{^6IHVVp`WIP}q_<{ot77VV=Q66Y<_(c!U4uA27T#qO{Chz zjCE|v9rz2ipQ-0xaZijm2ZRz)B(!GKP>r><9rv}L(@sW}RU(=a{3^6weBSIZJmY%2 zmqX%%ZdS#0K<#fqjJE_#gS?bDX`{GmU%cBkg-;`4vq6$$yclMbxxX^(Zp}$n(hAU~ z*hMGW7gi2`%6vpdpo7+`Y){FQY#OTV8jv)EzOF$in)6-VTU%L1;8kv(oQDWBgJx<( z@@WD-)K(V@XqY6VvK5nQAF1fFnG4Wj=+lw_X3DC6|s927g(L<)ofZ9pK ziUy@lOsx}$@Ov*jTwXRn$4^TKa$eraaQ>v)#7w>FgD^zt^mhW>$j<@w5n!!EJB`$L zY9j5-IAV4P_e-{x-ekLEZqrTvjmdg1?tb^Nui|y(4oztEKgBe3G<`rwtFyF%>^HcI zicSI{SC0TJcj^X0`f;X-Z^-3q#Q8nr#H2#!UR0s5r_eA}X#h)Gu_$FQZX7ITpM7x! 
zwGus7RS+gU(dcKy`(z8RBgG`?b$e&&Am;4aOjeZJm@}h;B)1;G z+zWIrE^T;&aF4PHTwv%O{S~@@GtMH@4cYg7$CXzf`fa8l&Zzu#*Q)(qZRLBCwZQDX z{ZRxL&x z>&8N*nji*WM;v=rDOntqrG%Qq97-u98L3jq7F%U0R}Z4D68u77>RxRv4=titCOn&I zi60B+idmZObf8~*Ma}HOWw(#L?Go0K?NzIT=K%xN*wYg@2x5Y+;kXF_G-Qkj!uIWR z$tN%QWO?^gb05W<*GIW~Xqg!G%}q=5pPU4p-P^mgH;06b;`Rp9yS-oUE`N@$YB4Nr zcOkzZwdtp#HZ_|4WmXeO713$>cuJefN!Ff|W~pj;bE$#5dZav-yo9KVTmg~?x;CDv zRiRbiUuo@{+iSMX*d09FwrSa(UAAkBn^pT8oaTGc^1h?zO!?1qM#e2ianbmd%Os3OdhYa$HaDG8`{2I8hhC-@Zj9-NG#$4?F4qh~N5o5Y`ysbF${iZKBcGjCn zI1(eekR5}FN1c?M*GMNYA{|?sLLP@ot>;w*s=P71!7r++Lb4@` zU`*vpDt-#KLw7E+F?7V*@n_@BNcC=uuh;o#RJC6Fi6j9i(=eIJ@B!otv|K*Aj4qmp z;5cBKAwbrhBQ*L2Iiu(|Bz2&2Ze|UXD=JS3&^>_CnTf0hIQZwuf90|ybR%Sf1hC+V zOIGa+30TS`#vWrhjDZp(*#Al2^2~n_rE3SiOA|5PuUzNcUVK!Swsmf=;&sUO$5yh9 z+Fsq`?isd$)Z+)8y;dC4)ClK@c0nqokm3vCjS5-y@!-AcG>yvj`#`NacF^9y(7$GU zwzYl=j6;{M`JPRD<`tJg%CXxJIzETiBr1oCd`ADeQrm6PShyw_)Bk6&Yy7zM(zM+W z(BQohx$fENPAivgI{eFZ|E?ye9lG6H8u49pfw7&e6R_Ukj|L-zwLK)a7h;iM60Jp{ zi35zrkrosipgrIsv-f$25K`Ap*AUy+#6(+A9hV6rC&V9<^6b{j3RDLKOlS(YYFGk{ z5&}m9O(AeMP3b*kkPB@B)v$8_q$|#^z6JbRb636hqfry-Iz94*fTk})_NTnKLv@>+ z)Ks!_R;9!wxk^o$4fV8o++0!TY3>W*o3ffqzHJv%qrZ9S9!u?u>G~Xo%p)hqpugXG z2(n*>cXQ+O_n#9BnM~)Zwy2>Z>k6Ld$3u*@n-7>`$PH(+ejxsF!m~^cywPW4r8~96v(;xp-Ma^(jRCK&dk_2i|sdfw|5!gGn5m#tW^K6*~ znsUMs`WFaq!$4oo^AMQy^Dv6Ca@k_GY3mw^`AJ0Z$&V=)#Yub${)v*L+Ekz>$Cg8e zP@538G9)uxWimY4Q$^$5Or~jX+pU;X?cP0RW&fNxx-!Ejb1et6On(}3wk+M$3Zx;k zTO-rO#eZ3rL-k7U@36q%*<5U-rN7sT55tcWR)26I5TnQje$ ziUH4QwOZ@-3?6(VC>~8F6zUb@u9x7`)_&KS8-qe3p|J(u5cy^yydmFJ6CVZZQx^?V zXC&L8Cb?y-t7oDsbV8%<(s(C3S~4Z1X42Pi#&{Xpq}Y6w!d;CSun;Pp2B!lmY~VCB zg7uZT3b1%fszmohgX*a%WN5OwY=R=T75Io(E~CCoxxv8Ozd-!t5;!-q3@KKcy`4SP zA=NGVlqFxrn?NAA^aE|)23Q?86a)ss@E6gBNlL(CB^6lmrZ`n2C$6NO~_ynqUzBxK_@gok|+aWS)9NR@}$(zFzSB24Jw*l=EMpK;9-J9VE z*_cBCg)8IPS(jclj*pVeA&-UJ5A`Za13-W4AJThNjubXD4MCKa1mEz^nKou!&N-y2 z`dC`Fr!z*pX1MGsNn%ylf9s{3mZH81;jx=9^%i)_TXja#~q5BVLH=&+EE+#cU-Dw!eB&3akkge2)M zt0z(?(P{bPOz=EV`z}%)v^zIv!2RO_hu>ap1SyA=B@9i0+a@hX>vMPcCB)G+N-A^r 
zpD@$~EcIuQG#MBp*i?Yw(~IHm;2Om}`_bX?1?xXvsWobB}GV+0$PlFTOgKArv zfO5~_I5N81G6kqjgj?iG!3{?pmclf2RG_9s6gta@7ie&=!nr?u_y-@ z9cmJ{7j1}=7>pcH>_}^n8z2u63`^!Q_!qZ-fDk!FZEf6ftRi~! z*b*P_D`N?DtvzEdb-3fT$RZXCfG?=n-W+39G*o9^>DG$^G-fLL-FID35hCD3_26F6 zD9TU?htuoPf#hW85PaXqT$SgvDIV-ZThyT%D$sDpT#~zd^X|R-m*;7~{yr;bzt0MP zyEkBi4|5Z@e9!LvW)PX+)>M`8+EW~9K2Dr<%KZL+Fx%9~FpCny6B6=$R-A0mqWSCd zJUr{X7I-%LEw4_jyx4QuQag(s+`Egb)>nERxZ1lSxc&c6*uuZ;jS9I4yk1p0^`3j4en}n$aSnMW^U-3?!<{rVK@)8@n{ZW*w}0w6KkO zHqs$Qvi!=)0K?AQ6b$aEko_LGG3F#i{fO(P5qe}VDxYQwjMOToK28gp$vO-3otEio zW43%<6(O2|L8m7mHs!?uq@t%srI;(9xjk#u9_YdF(+IEI;T^7iz+-fENwfZMdi+=6<&1NLD!ht97u<} zr!s6^F-4{|POmeLPIU8}oThk8;+mfCs+GqjIGtT9jx`FaD~>H43PSKfcF zI*J=}h_`Q2DBZc_>$l)Vt1=q8X=S}8&s7GifS!9;2d*KxgJ+iKjnL@J;q`VJ`dB1&-;Xcy*Q})xW!ZYKkePt~Q%zO6D zwK3x*+kXj^icvDyYieLdOqG}~R>zy4i9Yv<{T$)Rj&D%&lNS3LkenZy)1QQK)s;@y_kBoNs1%Aq->ysv}h?5}p(QmPYv2 zLV4bo9zUWZ)l9_f*8E#L%Z}8apJA=cA1a@VVCO3)m`Ow&HGvSg*&EM+aKyp-%-~YG zgpH?~#0UJ>a7Ubd;u{f2#0rE=P94CPbYo>_g8xhF2v0+w%nWd($2#K2L3SU~lM6A* zggg6DXCM?w*XPk9)XIAmT6c++Z=eO}78~0l)c?&=zHCbnc(j_qu6hfQb?+in4Qdf8 z$`xIMKkuvssK|s&&)?{Zdu7bZ)?RJ2{IesBRyGBgb)3=^sF z4Vn%9IU(D}`^Lb%zG_PFr^y6xFi+YAc<2TCIEJ^n4uk42Va2!~F`wL~i{FP9nn9{K zrOdIhm=50`%-pD*0{e#HT3}#9#bhI(+2z86VlTwWT>`N6$Q>xQLkQbmULOhkeEdFU zeVIvYpe|*=Cv-hG^QVW%OX)i{7p@Zou{McSPV~RDKwjcw35| zO*~^0{*?%HvKM+aRVe01&R17DO!YAo6+V*T$qZ>W(BE9DQk65&XbK;_l~)N2J}6x0 zzjuEB(a&!4is7(LU`Gu2UTUM3BmMeIVXI zn%k2FMLla2k4@T$(oc>`%XC$Zdi$tciCXE<)td7BO^(+E{sZs?{c;ke)O7LIY7NRf zkd}VSwNSkfMNmCWmSvO0W^7Jah&bP4+@DU#w{`*a(c0eC%lgT6k~)X**_N?_xPDnd zccj3z_f;_kl>CkFVFTUHeoeFtYrK1fL{E8POPHL#y%qxjZA6%s>ugedAFB&`_eJLM zn05q*IeVYC(B$G~m=}AiN+$8~)S}?ifAHs~5|4_hFg)u;<%;4xy%`&>gY_?o{XxFu zxz0R^ofqLhnK6h7O}HAN9k?dzX;{V(p~;w6>{08A3~}^a$VZiKFPc=e(kijwOigNa z_|vi#ah?lEGdBL5lOh*oLk+ltM-L#vbVqZDZuDj+w8k3*0QN0w(Xt1pP*tDRR)qgO zRD8ev@MqXz6}lavcFM%dw;-GoJ1S&+-2S<0-i_n(iC^fTbBDEmCns=pVG}0%G&V2$ z>188}148q~IX@b}oFp+9?f@v-gX} z6w!Im?`!RYHJ_x+B%jT3yg=MpWhd<=!^O0WMPBg 
zS?)`bXG6jw^LW~8*QWPJr#ygc(SRUIw|T)WBj*%t&)#sCSJVM!&&cUVZ{@H>kN0^6 z?cQ98k6tcurNbdyIAe7*f@@{jlrOij5@{3~cyPgOfy%C{q)G{!_`BUU#D{V~W{B`j zg&aD(Q5&C;)MpMgY;DxB$U2h%*nRhmFRqAm0tR&Hwn@obmE*7@U42ou2-^rD&I^73 z-bLvHDyd5gA#6Tp6sZJi!vg)D*>CE4gCgv}NSFf);e5+#pyRoh;agg2_Ax_^IR~UF z&elpV@4l8f($gnr59oP;K~RL~&(6(Fy04R-o=-!SF+>YO-s<4P>6J*WGZ5XB&;=7? zmkD7cdNkV2B~QWy6+v4Wv*1R>eNJO|dZf&gIpqO6VXuNzcogU9_eo`t_x$Sp>$$vh zq-CYxJJN`Ry8kHL9>9(?qg{BmC@dc5tYETq{z*_0H%`6g%tQG_n8`GV&IL$2PmK!a zs7OHa!HJ2M1(dnB&(EXgNQYT+;IYyp<6_#aHm*yV>6~)lM|(`bc`qZN%DS-yRXS!r3vuzm2WyzmS))2!x{B z%>eC*2vMeog0RHAMQ7G?ZAkGFze~GJRp=m&f7tI3*wA@9!>^G2T$eg&7a5aPvh%sx zdhpU5tZ-IJWm=xpH<}Pi4&5|LzDn5JZ3F?M0awEvN<4Tf359Mz1pbevw*>~Tt_Qm= zX8KK@%I8LsAs4dJrmZd$Cj&;QX0!uVkolAkU{p*cTwL#y35w~*K0*G~&qk&J^8II0 z?wCY{Mbq>&7pBK(IlgKA!TN$_mOgspH(e{K-*Pg`8$Sn*C0>JA@yCnPU*~% z=|Z3z2hs6GlAiY;$i=7x_^MTTD~Soy56`nTP{KCzrMn$gr?2A1@{!ALcHNyFkg55K zKiqiK4jk7;M0w7flJcIEp0UR?$c{Sem%qW|*N;pu16)sn4oCx>P;U}hv&iGl(ND|zEC;%W z{46s0-C$Xw`iO0n;f^iy&fx1fY$E4=s{O|7DT46Q#aqgO7a;eo%^6c7j`}`a< zOks$raVv?Aol9BvCleo`wSQIEf}Vl#1@y|MMb4h^wo@&J;SGojI44{0S{r*#Crsr- zlXdL6ch?F3w>$!GeBV+>k!XvZzpCBi`uvTvz%AidC*nG!IVF27>bmKSmOufiQU4@Y zYT84j%A}EsL{-a3ze3>7?p?eSFjfu8!gLS1+s%ifb1k$X zc0Jc8ZNRxzCHR97AX@MPugb;90?Xk$)z_4Y>}~7*`MzB47rx&9)QN->)mYkB4A;R5 zYwOEi6%Pt^k_|2_Ul_y%4`cQ>0si)+pO4Hba>Bi~dekaVP01p=U#1%LLSsZdb>1g` zA#X56B8pge^W&_@MLsSf+*FZ8PImO6%N6(IXF<=MIh8F({#PQYdcK+Y%x#gx?Y*` z;+*7Sm*Mo0mt}G-2On?3rd@yO-E#33`yPgND^P#*37v3G1H8-La#J9AU3@v z;)kNoI?1vuTcizh!NYBI6#=m+`JZ}fC(2vOepxKhsI;TCH;|@(ox`ph2E3jGU}P)_ zS$B;tN4+`l^+(X?^F|d1SZCjO-krz(xlIo3)ErmMo|#RM4E#ZgY^S#i5BkTm5~_q1 zS3&2SLwW)vYrqM|<$`9%fn;X>t=erR zlWfLfoU8&oF$^K}KXE*<4Xr9|v-@w|E8EbZeF&i(v&Oj-AXY{+?}b;~cBA^x(USej zD9zPs(6Sr;2EO5=1KqBNfIC)@r za8I_w2b8{_dhK6m87f5f?EaA-yHYx@>*-`$Q*x>_7ssJY!tHL7_|RajV@wlsu!Yux_5lfF!YJ=C<)2gP+ZG%Xj4S5{A zkFwV1`QeV~;m2dy1A#V(^{z^YD%XW3S#K^Y^fZEiQjVq#{3QOh#dGMhXNyo=1k z^NBVWqrh=iA)pY=*>|x5H6?Qz#)vvczQ(Gr-4j}F={=sFKe+wo^TQ@f<9)MF5-Fxu 
z^yU|!_9{EQ9|>s@#=TbCgaZjI4f;lu0dF0fcTKv$*VuT&Jr}xZudUY;H@9!>*dFPO zD2740!v+8e!rNGxhgUp5sU0F8s{9@cb1XFI3m^LWXUt8h(7+njNXpXaC%?)Xr`b{% zki<{aVT=sn_g3RA2dZ0d7bU?zF!B1JrsAv}w%G=9@5$6?RV&|J{VIqFHy@0ht=oLv zIKQ#APkwf@7Zj= z8CkNR2jHjq9EJ`ERd)RO-xx$-yOAosS7y*FN$3Q* z-VuX&C@PnDfc{ulYPiHgpxU@mGHl%Pcok)5PmbDlk9fmW4jCiKG3#hfcVwhI`0!h# z^g_sv;tyfo*3D*)yBXunXuqnSBzW~eCJfD3U3vFy(bE%&WQKJws{=^(%me>FF~wzF zS^c{&QYE?8DSV6R&-O2D$Fz83&jfafrnrTO*OHWbP01arOH2>)W9+A&r~j~;QQRg255aMj;0OL}K2hqEqe7 zT9v}ccQiV!BFI>hE7VBpRo^V%wYX#+W0>-L*=E)o@D9v1mPRch55F{zrXMDQl-oZa>^_s z>RO~fx@~W&HDO|_^oJhAavoK$wc-6)ib}0;jTOOXpvP{jU@|j3TUU&GubDcW9&Gdw zo>&3ddNtBYZ0U5rmBKjPVc!Er#Ew zt}Z&4&2_^lr9c$#y7&!(I8|3ZS-ah7J#$MK$Akx{5hV7!{8Mh?0F$2mCHheSaBw@}^r= z41C88dqU6YId-!RR%6sUNP*-p+yESKW*Mggq_t!w@l6N^!QWlO+GD{c`bZK6I!O|fUP1nlTq*vG1hI%AGCcuB@*8Rm2{Ga#_6uW<4^6y}S d|J}fM>;J(V80wKz{7VA-o8f\n\n**Note:** Please refer to the following before installing the solution: \n\n• Review the solution [Release Notes](https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Azure%20Cloud%20NGFW%20by%20Palo%20Alto%20Networks/ReleaseNotes.md) \n\n • There may be [known issues](https://aka.ms/sentinelsolutionsknownissues) pertaining to this Solution, please refer to them before installing.\n\nThe [Azure Cloud NGFW By Palo Alto Networks](https://docs.paloaltonetworks.com/cloud-ngfw/azure) Solution for Microsoft Sentinel allows you to easily connect your Cloud NGFW logs with Microsoft Sentinel, to view dashboards, create custom alerts, and improve investigation. This gives you more insight into your organization's network and improves your security operation capabilities. This solution also contains playbooks to help in automated remediation. 
\n\n**Underlying Microsoft Technologies used:**\n\nThis solution takes a dependency on the following technologies, and some of these dependencies either may be in [Preview](https://azure.microsoft.com/support/legal/preview-supplemental-terms/) state or might result in additional ingestion or operational costs: \n\na. [Agent-based log collection (CEF over Syslog)](https://docs.microsoft.com/azure/sentinel/connect-common-event-format)\n\n**Data Connectors:** 1, **Workbooks:** 2, **Analytic Rules:** 3, **Hunting Queries:** 2\n\n[Learn more about Microsoft Sentinel](https://aka.ms/azuresentinel) | [Learn more about Solutions](https://aka.ms/azuresentinelsolutionsdoc)", + "description": "\n\n**Note:** Please refer to the following before installing the solution: \n\n• Review the solution [Release Notes](https://github.com/Azure/Azure-Sentinel/tree/master/Solutions/Azure%20Cloud%20NGFW%20By%20Palo%20Alto%20Networks/ReleaseNotes.md)\n\n • There may be [known issues](https://aka.ms/sentinelsolutionsknownissues) pertaining to this Solution, please refer to them before installing.\n\nThe [Azure Cloud NGFW By Palo Alto Networks](https://docs.paloaltonetworks.com/cloud-ngfw/azure) Solution for Microsoft Sentinel allows you to easily connect your Cloud NGFW logs with Microsoft Sentinel, to view dashboards, create custom alerts, and improve investigation. This gives you more insight into your organization's network and improves your security operation capabilities. This solution also contains playbooks to help in automated remediation. \n\n**Underlying Microsoft Technologies used:**\n\nThis solution takes a dependency on the following technologies, and some of these dependencies either may be in [Preview](https://azure.microsoft.com/support/legal/preview-supplemental-terms/) state or might result in additional ingestion or operational costs: \n\na. 
[Agent-based log collection (CEF over Syslog)](https://docs.microsoft.com/azure/sentinel/connect-common-event-format)\n\n**Data Connectors:** 1, **Workbooks:** 2, **Analytic Rules:** 3, **Hunting Queries:** 2\n\n[Learn more about Microsoft Sentinel](https://aka.ms/azuresentinel) | [Learn more about Solutions](https://aka.ms/azuresentinelsolutionsdoc)",
 "subscription": {
 "resourceProviders": [
 "Microsoft.OperationsManagement/solutions",
diff --git a/Solutions/Azure Cloud NGFW by Palo Alto Networks/Package/mainTemplate.json b/Solutions/Azure Cloud NGFW by Palo Alto Networks/Package/mainTemplate.json
index d375b82fff6..4b6d8335963 100644
--- a/Solutions/Azure Cloud NGFW by Palo Alto Networks/Package/mainTemplate.json
+++ b/Solutions/Azure Cloud NGFW by Palo Alto Networks/Package/mainTemplate.json
@@ -49,7 +49,7 @@
 "email": "support@microsoft.com",
 "_email": "[variables('email')]",
 "_solutionName": "Azure Cloud NGFW By Palo Alto Networks",
- "_solutionVersion": "3.0.1",
+ "_solutionVersion": "3.0.2",
 "solutionId": "paloaltonetworks.cloudngfw-sentinel-solution",
 "_solutionId": "[variables('solutionId')]",
 "uiConfigId1": "AzureCloudNGFWByPaloAltoNetworks",
@@ -117,7 +117,7 @@
 "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
 ],
 "properties": {
- "description": "Azure Cloud NGFW By Palo Alto Networks data connector with template version 3.0.1",
+ "description": "Azure Cloud NGFW By Palo Alto Networks data connector with template version 3.0.2",
 "mainTemplate": {
 "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
 "contentVersion": "[variables('dataConnectorVersion1')]",
@@ -450,7 +450,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "CloudNGFW-HighRiskPorts_HuntingQueries Hunting Query with template version 3.0.1", + "description": "CloudNGFW-HighRiskPorts_HuntingQueries Hunting Query with template version 3.0.2", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('huntingQueryObject1').huntingQueryVersion1]", 
@@ -466,7 +466,7 @@ "eTag": "*", "displayName": "Palo Alto - high-risk ports", "category": "Hunting Queries", - "query": "let HighRiskPorts = datatable (Port:int, Protocol:string, RiskType:string, RiskDescription:string)[\n13,\"udp\",\"3rd Party Attacks\",\"Daytime protocol used in reflection/amplification attacks\",\n17,\"udp\",\"3rd Party Attacks\",\"QOTD protocol, reflection/amplification attacks\",\n19,\"udp\",\"3rd Party Attacks\",\"Chargen protocol, reflection/amplification attacks\",\n20,\"tcp\",\"Unencrypted\",\"Unencrypted FTP Traffic\",\n21,\"tcp\",\"Unencrypted\",\"Unencrypted FTP Traffic\",\n22,\"tcp\",\"Management\",\"SSH, brute force attacks common\",\n23,\"tcp\",\"Management\",\"Telnet, allows unauthenticated and/or unencrypted\",\n53,\"udp\",\"3rd Party Attacks\",\"DNS, reflection/amplification attacks\",\n69,\"udp\",\"Management\",\"TFTP, allows unauthenticated and/or unencrypted\",\n111,\"udp\",\"Management\",\"RPC, unencrypted authentication allowed\",\n111,\"tcp\",\"Management\",\"RPC, unencrypted authentication allowed\",\n119,\"tcp\",\"Unsecure\",\"NNTP, unencrypted authentication\",\n123,\"udp\",\"3rd Party Attacks\",\"Network Time Protocol, reflection/amplification attacks\",\n135,\"tcp\",\"Management\",\"End Point Mapper, multiple remote management srvcs\",\n135,\"udp\",\"Management\",\"End Point Mapper, multiple remote management srvcs\",\n137,\"tcp\",\"Hacker Recon\",\"Netbios Name Service\",\n137,\"udp\",\"Hacker Recon\",\"Netbios Name Service\",\n138,\"tcp\",\"Hacker Recon\",\"Netbios Datagram Service\",\n138,\"udp\",\"Hacker Recon\",\"Netbios Datagram Service\",\n139,\"tcp\",\"Hacker Recon\",\"Netbios Session Service\",\n161,\"tcp\",\"Unsecure/3rd Party Attacks\",\"SNMP, unsecure / no authentication UDP Reflection attacks\",\n161,\"udp\",\"Unsecure/3rd Party Attacks\",\"SNMP, unsecure / no authentication UDP Reflection attacks\",\n162,\"tcp\",\"Unsecure\",\"SNMP Trap, unsecure / no authentication\",\n162,\"udp\",\"Unsecure\",\"SNMP 
Trap, unsecure / no authentication\",\n389,\"tcp\",\"Hacker Recon/3rd Party Attacks\",\"LDAP/CLDAP\",\n389,\"udp\",\"Hacker Recon/3rd Party Attacks\",\"LDAP/CLDAP\",\n443,\"udp\",\"3rd Party Attacks\",\"UDP Reflection / Amplification attacks\",\n445,\"tcp\",\"Unsecure\",\"SMB - well known attack vector\",\n512,\"tcp\",\"Management\",\"Rexec on Linux, remote commands w/o encrypt auth\",\n514,\"tcp\",\"Management\",\"Remote Shell, remote commands w/o auth or encrypt\",\n593,\"tcp\",\"Management\",\"HTTP RPC EPMAP, unencrypted remote procedure call\",\n593,\"udp\",\"Management\",\"HTTP RPC EPMAP, unencrypted remote procedure call\",\n636,\"tcp\",\"Hacker Recon\",\"Lightweight Directory Access Protocol\",\n873,\"tcp\",\"Management\",\"Rsync, unencrypted file transfer\",\n1433,\"tcp\",\"Data Access/Mgmt\",\"MS SQL Management & Data Access\",\n1434,\"udp\",\"Data Access/Mgmt\",\"MS SQL Monitor Port\",\n1900,\"udp\",\"Hacker Recon/3rd Party Attacks\",\"Simple Service Discovery Protocol, unencrypted\",\n2049,\"tcp\",\"Unsecure\",\"Network File System\",\n2049,\"udp\",\"Unsecure\",\"Network File System\",\n2301,\"tcp\",\"Hacker Recon\",\"Compaq Management Service, no recent incidents\",\n2381,\"tcp\",\"Management\",\"Compaq Management Service, no recent incidents\",\n3268,\"tcp\",\"Hacker Recon\",\"Microsoft Global Catalog LDAP\",\n3306,\"tcp\",\"Data Access/Mgmt\",\"MySQL Database Management Port\",\n3389,\"tcp\",\"Management/3rd Party Attacks\",\"RDP, Common brute force attack port\",\n3389,\"udp\",\"Management/3rd Party Attacks\",\"RDP, Common brute force attack port\",\n4333,\"tcp\",\"Data Access/Mgmt\",\"MSql\",\n5353,\"udp\",\"3rd Party Attacks\",\"mDNS\",\n5432,\"tcp\",\"Data Access/Mgmt\",\"PostgresSQL Database Management\",\n5800,\"tcp\",\"Management\",\"VNC Remote Frame Buffer over HTTP\",\n5900,\"tcp\",\"Management\",\"VNC Remote Frame Buffer over HTTP\",\n5985,\"tcp\",\"Management\",\"Windows Powershell\",\n5986,\"tcp\",\"Management\",\"Windows 
Powershell\",\n6379,\"tcp\",\"Data Access/Mgmt\",\"Redis\",\n7000,\"tcp\",\"Data Access/Mgmt\",\"Cassandra\",\n7001,\"tcp\",\"Data Access/Mgmt\",\"Cassandra\",\n7199,\"tcp\",\"Data Access/Mgmt\",\"Cassandra\",\n9042,\"tcp\",\"Data Access/Mgmt\",\"Cassandra\",\n9160,\"tcp\",\"Data Access/Mgmt\",\"Cassandra\",\n9200,\"tcp\",\"Data Access/Mgmt\",\"Elastic Search\",\n9300,\"tcp\",\"Data Access/Mgmt\",\"Elastic Search\",\n9987,\"udp\",\"3rd Party Attack\",\"DSM/SCM Target Interface\",\n11211,\"udp\",\"Unencrypted\",\"Memcached\",\n16379,\"tcp\",\"Data Access/Mgmt\",\"Redis\",\n26379,\"tcp\",\"Data Access/Mgmt\",\"Redis\",\n27017,\"tcp\",\"Data Access/Mgmt\",\"MongoDB\",\n];\nHighRiskPorts\n| join kind=inner (\n fluentbit_CL\n | where FirewallName_s == \"palocloudfw\" and ident_s == \"TRAFFIC\" and Message.action != \"deny\"\n | extend DestinationIP = tostring(parse_json(Message).dst_ip), DestinationPort = toint(parse_json(Message).dport), Protocol = tostring(parse_json(Message).proto), SourceIP = tostring(parse_json(Message).src_ip)\n | where isnotempty(DestinationIP) and isnotempty(SourceIP)\n //Remove private IP communication from DestinationIP\n | extend result = ipv4_is_private(DestinationIP) \n | where result == 0\n | summarize\n Count = count(),\n StartTime = min(TimeGenerated),\n EndTime = max(TimeGenerated)\n by \n FirewallName_s,\n SourceIP,\n DestinationIP,\n DestinationPort,\n Protocol\n) on $left.Port == $right.DestinationPort and $left.Protocol == $right.Protocol\n| project-away Protocol1, Port\n| order by FirewallName_s asc, SourceIP asc, DestinationIP asc, DestinationPort asc\n| extend timestamp = StartTime, IPCustomEntity = SourceIP\n", + "query": "let HighRiskPorts = datatable (Port:int, Protocol:string, RiskType:string, RiskDescription:string)[\n13,\"udp\",\"3rd Party Attacks\",\"Daytime protocol used in reflection/amplification attacks\",\n17,\"udp\",\"3rd Party Attacks\",\"QOTD protocol, reflection/amplification attacks\",\n19,\"udp\",\"3rd Party 
Attacks\",\"Chargen protocol, reflection/amplification attacks\",\n20,\"tcp\",\"Unencrypted\",\"Unencrypted FTP Traffic\",\n21,\"tcp\",\"Unencrypted\",\"Unencrypted FTP Traffic\",\n22,\"tcp\",\"Management\",\"SSH, brute force attacks common\",\n23,\"tcp\",\"Management\",\"Telnet, allows unauthenticated and/or unencrypted\",\n53,\"udp\",\"3rd Party Attacks\",\"DNS, reflection/amplification attacks\",\n69,\"udp\",\"Management\",\"TFTP, allows unauthenticated and/or unencrypted\",\n111,\"udp\",\"Management\",\"RPC, unencrypted authentication allowed\",\n111,\"tcp\",\"Management\",\"RPC, unencrypted authentication allowed\",\n119,\"tcp\",\"Unsecure\",\"NNTP, unencrypted authentication\",\n123,\"udp\",\"3rd Party Attacks\",\"Network Time Protocol, reflection/amplification attacks\",\n135,\"tcp\",\"Management\",\"End Point Mapper, multiple remote management srvcs\",\n135,\"udp\",\"Management\",\"End Point Mapper, multiple remote management srvcs\",\n137,\"tcp\",\"Hacker Recon\",\"Netbios Name Service\",\n137,\"udp\",\"Hacker Recon\",\"Netbios Name Service\",\n138,\"tcp\",\"Hacker Recon\",\"Netbios Datagram Service\",\n138,\"udp\",\"Hacker Recon\",\"Netbios Datagram Service\",\n139,\"tcp\",\"Hacker Recon\",\"Netbios Session Service\",\n161,\"tcp\",\"Unsecure/3rd Party Attacks\",\"SNMP, unsecure / no authentication UDP Reflection attacks\",\n161,\"udp\",\"Unsecure/3rd Party Attacks\",\"SNMP, unsecure / no authentication UDP Reflection attacks\",\n162,\"tcp\",\"Unsecure\",\"SNMP Trap, unsecure / no authentication\",\n162,\"udp\",\"Unsecure\",\"SNMP Trap, unsecure / no authentication\",\n389,\"tcp\",\"Hacker Recon/3rd Party Attacks\",\"LDAP/CLDAP\",\n389,\"udp\",\"Hacker Recon/3rd Party Attacks\",\"LDAP/CLDAP\",\n443,\"udp\",\"3rd Party Attacks\",\"UDP Reflection / Amplification attacks\",\n445,\"tcp\",\"Unsecure\",\"SMB - well known attack vector\",\n512,\"tcp\",\"Management\",\"Rexec on Linux, remote commands w/o encrypt auth\",\n514,\"tcp\",\"Management\",\"Remote Shell, 
remote commands w/o auth or encrypt\",\n593,\"tcp\",\"Management\",\"HTTP RPC EPMAP, unencrypted remote procedure call\",\n593,\"udp\",\"Management\",\"HTTP RPC EPMAP, unencrypted remote procedure call\",\n636,\"tcp\",\"Hacker Recon\",\"Lightweight Directory Access Protocol\",\n873,\"tcp\",\"Management\",\"Rsync, unencrypted file transfer\",\n1433,\"tcp\",\"Data Access/Mgmt\",\"MS SQL Management & Data Access\",\n1434,\"udp\",\"Data Access/Mgmt\",\"MS SQL Monitor Port\",\n1900,\"udp\",\"Hacker Recon/3rd Party Attacks\",\"Simple Service Discovery Protocol, unencrypted\",\n2049,\"tcp\",\"Unsecure\",\"Network File System\",\n2049,\"udp\",\"Unsecure\",\"Network File System\",\n2301,\"tcp\",\"Hacker Recon\",\"Compaq Management Service, no recent incidents\",\n2381,\"tcp\",\"Management\",\"Compaq Management Service, no recent incidents\",\n3268,\"tcp\",\"Hacker Recon\",\"Microsoft Global Catalog LDAP\",\n3306,\"tcp\",\"Data Access/Mgmt\",\"MySQL Database Management Port\",\n3389,\"tcp\",\"Management/3rd Party Attacks\",\"RDP, Common brute force attack port\",\n3389,\"udp\",\"Management/3rd Party Attacks\",\"RDP, Common brute force attack port\",\n4333,\"tcp\",\"Data Access/Mgmt\",\"MSql\",\n5353,\"udp\",\"3rd Party Attacks\",\"mDNS\",\n5432,\"tcp\",\"Data Access/Mgmt\",\"PostgresSQL Database Management\",\n5800,\"tcp\",\"Management\",\"VNC Remote Frame Buffer over HTTP\",\n5900,\"tcp\",\"Management\",\"VNC Remote Frame Buffer over HTTP\",\n5985,\"tcp\",\"Management\",\"Windows Powershell\",\n5986,\"tcp\",\"Management\",\"Windows Powershell\",\n6379,\"tcp\",\"Data Access/Mgmt\",\"Redis\",\n7000,\"tcp\",\"Data Access/Mgmt\",\"Cassandra\",\n7001,\"tcp\",\"Data Access/Mgmt\",\"Cassandra\",\n7199,\"tcp\",\"Data Access/Mgmt\",\"Cassandra\",\n9042,\"tcp\",\"Data Access/Mgmt\",\"Cassandra\",\n9160,\"tcp\",\"Data Access/Mgmt\",\"Cassandra\",\n9200,\"tcp\",\"Data Access/Mgmt\",\"Elastic Search\",\n9300,\"tcp\",\"Data Access/Mgmt\",\"Elastic Search\",\n9987,\"udp\",\"3rd Party 
Attack\",\"DSM/SCM Target Interface\",\n11211,\"udp\",\"Unencrypted\",\"Memcached\",\n16379,\"tcp\",\"Data Access/Mgmt\",\"Redis\",\n26379,\"tcp\",\"Data Access/Mgmt\",\"Redis\",\n27017,\"tcp\",\"Data Access/Mgmt\",\"MongoDB\",\n];\nHighRiskPorts\n| join kind=inner (\n fluentbit_CL\n | extend message = parse_json(Message)\n | where ident_s == \"TRAFFIC\" and message.action != \"deny\"\n | extend DestinationIP = tostring(message.dst_ip), DestinationPort = toint(message.dport), Protocol = tostring(message.proto), SourceIP = tostring(message.src_ip)\n | where isnotempty(DestinationIP) and isnotempty(SourceIP)\n //Remove private IP communication from DestinationIP\n | extend result = ipv4_is_private(DestinationIP) \n | where result == 0\n | summarize\n Count = count(),\n StartTime = min(TimeGenerated),\n EndTime = max(TimeGenerated)\n by \n FirewallName_s,\n SourceIP,\n DestinationIP,\n DestinationPort,\n Protocol\n) on $left.Port == $right.DestinationPort and $left.Protocol == $right.Protocol\n| project-away Protocol1, Port\n| order by FirewallName_s asc, SourceIP asc, DestinationIP asc, DestinationPort asc\n| extend timestamp = StartTime, IPCustomEntity = SourceIP\n",
 "version": 2,
 "tags": [
 {
@@ -531,7 +531,7 @@
 "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
 ],
 "properties": {
- "description": "CloudNGFW-PotentialBeaconing_HuntingQueries Hunting Query with template version 3.0.1",
+ "description": "CloudNGFW-PotentialBeaconing_HuntingQueries Hunting Query with template version 3.0.2",
 "mainTemplate": {
 "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
 "contentVersion": "[variables('huntingQueryObject2').huntingQueryVersion2]",
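Review bot: The rewritten filter `| where ident_s == \"TRAFFIC\" and message.action != \"deny\"` still admits sessions the firewall blocked with a verdict other than deny, so a blocked connection to a high-risk port is reported as if it had reached the destination. PAN-OS traffic logs also carry `drop`, `reset-client`, `reset-server` and `reset-both`; if this source emits those values, filtering on the positive verdict, `| where ident_s == \"TRAFFIC\" and tostring(message.action) == \"allow\"`, matches the hunt's stated intent of exposure that actually got through, and `tostring()` makes the dynamic-to-string comparison explicit rather than relying on implicit coercion. Since the hard-coded firewall name is gone, the `summarize ... by FirewallName_s` key now groups across every firewall in the workspace and deserves a one-line comment such as `//One row per firewall, source, destination and port`. The enclosing `"properties"` object starts and ends outside the hunk.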
@@ -616,7 +616,7 @@
 "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
 ],
 "properties": {
- "description": "CloudNGFW-Overview Workbook with template version 3.0.1",
+ "description": "CloudNGFW-Overview Workbook with template version 3.0.2",
 "mainTemplate": {
 "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
 "contentVersion": "[variables('workbookVersion1')]",
@@ -634,7 +634,7 @@
 },
 "properties": {
 "displayName": "[parameters('workbook1-name')]",
- "serializedData": "{\"version\":\"Notebook/1.0\",\"items\":[{\"type\":1,\"content\":{\"json\":\"
Azure CloudNGFW By Palo Alto Networks - Overview
\"},\"name\":\"text - 0\"},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"query\":\"\",\"parameters\":[{\"id\":\"a5c18655-3e2d-4d12-8ba4-82e57b296581\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"TimeRange\",\"type\":4,\"isRequired\":true,\"value\":{\"durationMs\":2592000000},\"typeSettings\":{\"selectableValues\":[{\"durationMs\":300000},{\"durationMs\":900000},{\"durationMs\":1800000},{\"durationMs\":3600000},{\"durationMs\":14400000},{\"durationMs\":43200000},{\"durationMs\":86400000},{\"durationMs\":172800000},{\"durationMs\":259200000},{\"durationMs\":604800000},{\"durationMs\":1209600000},{\"durationMs\":2419200000},{\"durationMs\":2592000000},{\"durationMs\":5184000000},{\"durationMs\":7776000000}],\"allowCustom\":true}},{\"id\":\"32f5a8aa-9c54-4fd1-a2b9-8461b2c57f55\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"Source_IP\",\"label\":\"Source IP\",\"type\":2,\"isRequired\":true,\"multiSelect\":true,\"quote\":\"'\",\"delimiter\":\",\",\"query\":\"fluentbit_CL\\n| where isnotempty(FirewallName_s)\\n| where ident_s in ('TRAFFIC', 'DECRYPTION', 'THREAT')\\n| extend SourceIP = tostring(parse_json(Message).src_ip)\\n| summarize Count = count()/1000 by SourceIP\\n| where SourceIP != \\\"\\\"\\n| order by Count desc, SourceIP asc\\n| project Value = SourceIP, Label = strcat(SourceIP, \\\" - \\\", Count, \\\"k\\\"), Selected = false\\n\",\"value\":[\"value::all\"],\"typeSettings\":{\"additionalResourceOptions\":[\"value::all\"],\"selectAllValue\":\"All\"},\"timeContext\":{\"durationMs\":1800000},\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},{\"id\":\"b937ca33-bc62-4183-bc0f-9ad8306dc36a\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"Destination_IP\",\"label\":\"Destination IP\",\"type\":2,\"isRequired\":true,\"multiSelect\":true,\"quote\":\"'\",\"delimiter\":\",\",\"query\":\"fluentbit_CL\\n| where isnotempty(FirewallName_s)\\n| where ident_s in ('TRAFFIC', 'DECRYPTION', 'THREAT')\\n| extend DestinationIP = 
case(ident_s == 'DECRYPTION', tostring(parse_json(Message).dst), tostring(parse_json(Message).dst_ip))\\n| summarize Count = count()/1000 by DestinationIP\\n| where DestinationIP != \\\"\\\"\\n| order by Count desc, DestinationIP asc\\n| project Value = DestinationIP, Label = strcat(DestinationIP, \\\" - \\\", Count, \\\"k\\\"), Selected = false\",\"value\":[\"value::all\"],\"typeSettings\":{\"limitSelectTo\":10,\"additionalResourceOptions\":[\"value::all\"],\"selectAllValue\":\"All\"},\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"parameters - 5\"},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"query\":\"\",\"parameters\":[{\"id\":\"7f28bae3-a11f-408a-832f-77a0f3e633d7\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"EventClass\",\"type\":2,\"isRequired\":true,\"multiSelect\":true,\"quote\":\"'\",\"delimiter\":\",\",\"query\":\"fluentbit_CL\\n| where isnotempty(FirewallName_s)\\n| where ident_s == 'THREAT'\\n| distinct threat_content_type\",\"value\":[\"value::all\"],\"typeSettings\":{\"additionalResourceOptions\":[\"value::all\"],\"selectAllValue\":\"All\"},\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"parameters - 35\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let data = fluentbit_CL\\n| where isnotempty(FirewallName_s)\\n| where \\\"{Destination_IP:lable}\\\"==\\\"All\\\" or Message.dst_ip in ({Destination_IP})\\n| where \\\"{Source_IP:lable}\\\" == \\\"All\\\" or Message.src_ip in ({Source_IP})\\n| where \\\"{EventClass:lable}\\\" == \\\"All\\\" or \\\"{EventClass:lable}\\\" == 
\\\"All\\\" or ident_s in ({EventClass});\\ndata\\n| summarize Count = count() by ident_s\\n| join kind = inner (data\\n | make-series Trend = count() default = 0 on TimeGenerated from {TimeRange:start} to {TimeRange:end} step {TimeRange:grain} by ident_s)\\non ident_s\\n| project-away ident_s1, TimeGenerated\\n| extend Activities = ident_s\\n| union (\\ndata \\n | summarize Count = count() \\n | extend jkey = 1\\n | join kind=inner (data\\n | make-series Trend = count() default = 0 on TimeGenerated from {TimeRange:start} to {TimeRange:end} step {TimeRange:grain}\\n | extend jkey = 1) on jkey\\n | extend ident_s = 'All', Activities = '*' \\n)\\n| order by Count desc\\n| take 10\",\"size\":4,\"exportFieldName\":\"Activities\",\"exportParameterName\":\"activities\",\"exportDefaultValue\":\"All\",\"exportToExcelOptions\":\"visible\",\"title\":\"Activities, by volume\",\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"tiles\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"Activities\",\"formatter\":0,\"formatOptions\":{\"showIcon\":true}},{\"columnMatch\":\"Count\",\"formatter\":8,\"formatOptions\":{\"palette\":\"blueDark\",\"showIcon\":true}},{\"columnMatch\":\"Trend\",\"formatter\":9,\"formatOptions\":{\"palette\":\"lightBlue\",\"showIcon\":true}},{\"columnMatch\":\"Activities\",\"formatter\":5,\"formatOptions\":{\"showIcon\":true}},{\"columnMatch\":\"jkey\",\"formatter\":5,\"formatOptions\":{\"showIcon\":true}},{\"columnMatch\":\"TimeGenerated\",\"formatter\":5,\"formatOptions\":{\"showIcon\":true}},{\"columnMatch\":\"jkey1\",\"formatter\":5,\"formatOptions\":{\"showIcon\":true}}]},\"tileSettings\":{\"titleContent\":{\"columnMatch\":\"Activities\",\"formatter\":1,\"formatOptions\":{\"showIcon\":true}},\"leftContent\":{\"columnMatch\":\"Count\",\"formatter\":12,\"formatOptions\":{\"palette\":\"auto\",\"showIcon\":true},\"numberFormat\":{\
"unit\":17,\"options\":{\"maximumSignificantDigits\":3,\"maximumFractionDigits\":2}}},\"secondaryContent\":{\"columnMatch\":\"Trend\",\"formatter\":9,\"formatOptions\":{\"showIcon\":true}},\"showBorder\":false}},\"name\":\"all activities\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"fluentbit_CL\\n| where isnotempty(FirewallName_s)\\n| where \\\"{Destination_IP:lable}\\\"==\\\"All\\\" or Message.dst_ip in ({Destination_IP})\\n| where \\\"{Source_IP:lable}\\\" == \\\"All\\\" or Message.src_ip in ({Source_IP})\\n| where \\\"{EventClass:lable}\\\" == \\\"All\\\" or ident_s == '{EventClass}'\\n| where '{activities}' == \\\"All\\\" or ident_s == '{activities}'\\n| summarize LogVolume=count() by threat_content_type, bin_at(TimeGenerated, {TimeRange:grain}, {TimeRange:start})\",\"size\":0,\"aggregation\":3,\"exportToExcelOptions\":\"visible\",\"title\":\"Event trend, by time\",\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"barchart\",\"tileSettings\":{\"showBorder\":false,\"titleContent\":{\"columnMatch\":\"threat_content_type\",\"formatter\":1},\"leftContent\":{\"columnMatch\":\"LogVolume\",\"formatter\":12,\"formatOptions\":{\"palette\":\"auto\"},\"numberFormat\":{\"unit\":17,\"options\":{\"maximumSignificantDigits\":3,\"maximumFractionDigits\":2}}}}},\"customWidth\":\"50\",\"name\":\"Event trend by time\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"//trend by severity\\r\\nfluentbit_CL\\r\\n| where isnotempty(FirewallName_s)\\r\\n| where \\\"{Destination_IP:lable}\\\"==\\\"All\\\" or Message.dst_ip in ({Destination_IP}) \\r\\n| where \\\"{Source_IP:lable}\\\" == \\\"All\\\" or Message.src_ip in ({Source_IP})\\r\\n| where \\\"{EventClass:lable}\\\" == \\\"All\\\" or ident_s == 'THREAT' and Message.threat_content_type in ({EventClass})\\r\\n| where '{activities}' == \\\"All\\\" or ident_s == 
'{activities}'\\r\\n| summarize count() by bin_at(TimeGenerated, {TimeRange:grain},{TimeRange:start}), Message.severity\\r\\n\",\"size\":0,\"exportToExcelOptions\":\"visible\",\"title\":\"Events severity, by time\",\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"barchart\",\"tileSettings\":{\"showBorder\":false,\"titleContent\":{\"columnMatch\":\"Message.severity\",\"formatter\":1},\"leftContent\":{\"columnMatch\":\"count_\",\"formatter\":12,\"formatOptions\":{\"palette\":\"auto\"},\"numberFormat\":{\"unit\":17,\"options\":{\"maximumSignificantDigits\":3,\"maximumFractionDigits\":2}}}},\"graphSettings\":{\"type\":0,\"topContent\":{\"columnMatch\":\"Message.severity\",\"formatter\":1},\"centerContent\":{\"columnMatch\":\"count_\",\"formatter\":1,\"numberFormat\":{\"unit\":17,\"options\":{\"maximumSignificantDigits\":3,\"maximumFractionDigits\":2}}}}},\"customWidth\":\"50\",\"name\":\"Events severity over time\"},{\"type\":1,\"content\":{\"json\":\"---\\r\\n### Traffic events summary\"},\"name\":\"text - 11\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let data = fluentbit_CL\\r\\n| where isnotempty(FirewallName_s)\\r\\n| where \\\"{Destination_IP:lable}\\\"==\\\"All\\\" or Message.dst_ip in ({Destination_IP}) \\r\\n| where \\\"{Source_IP:lable}\\\" == \\\"All\\\" or Message.src_ip in ({Source_IP})\\r\\n| where ident_s =~ \\\"THREAT\\\";\\r\\ndata\\r\\n| summarize Count = count() by threat_content_type\\r\\n| join kind = inner (data\\r\\n | make-series Trend = count() default = 0 on TimeGenerated from {TimeRange:start} to {TimeRange:end} step {TimeRange:grain} by threat_content_type)\\r\\n on threat_content_type\\r\\n| project-away threat_content_type1, TimeGenerated\\r\\n| extend threat_content_types = threat_content_type\\r\\n| union (\\r\\n data \\r\\n | summarize Count = count() \\r\\n | extend jkey = 1\\r\\n | join 
kind=inner (data\\r\\n | make-series Trend = count() default = 0 on TimeGenerated from {TimeRange:start} to {TimeRange:end} step {TimeRange:grain}\\r\\n | extend jkey = 1) on jkey\\r\\n | extend threat_content_type = 'All', threat_content_types = '*' \\r\\n)\\r\\n| order by Count desc\\r\\n| take 10\",\"size\":4,\"exportFieldName\":\"threat_content_type\",\"exportParameterName\":\"EventClass\",\"exportDefaultValue\":\"All\",\"exportToExcelOptions\":\"visible\",\"title\":\"Threat event type summary - click to filter the graph below\",\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"tiles\",\"tileSettings\":{\"titleContent\":{\"columnMatch\":\"threat_content_type\",\"formatter\":1,\"formatOptions\":{\"showIcon\":true}},\"leftContent\":{\"columnMatch\":\"Count\",\"formatter\":12,\"formatOptions\":{\"palette\":\"auto\",\"showIcon\":true},\"numberFormat\":{\"unit\":17,\"options\":{\"style\":\"decimal\",\"maximumFractionDigits\":2,\"maximumSignificantDigits\":3}}},\"secondaryContent\":{\"columnMatch\":\"Trend\",\"formatter\":9,\"formatOptions\":{\"showIcon\":true}},\"showBorder\":false}},\"customWidth\":\"50\",\"name\":\"Threat event summary\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let data = fluentbit_CL\\r\\n| where isnotempty(FirewallName_s)\\r\\n| where \\\"{Destination_IP:lable}\\\"==\\\"All\\\" or Message.dst_ip in ({Destination_IP}) \\r\\n| where \\\"{Source_IP:lable}\\\" == \\\"All\\\" or Message.src_ip in ({Source_IP})\\r\\n| where ident_s =~ \\\"TRAFFIC\\\";\\r\\ndata\\r\\n| summarize Count = count() by Message.action\\r\\n| join kind = inner (data\\r\\n | make-series Trend = count() default = 0 on TimeGenerated from {TimeRange:start} to {TimeRange:end} step {TimeRange:grain} by Message.action)\\r\\n on Message.action\\r\\n| project-away Message.action1, TimeGenerated\\r\\n| extend Message.action = 
Message.action\\r\\n| union (\\r\\n data \\r\\n | summarize Count = count() \\r\\n | extend jkey = 1\\r\\n | join kind=inner (data\\r\\n | make-series Trend = count() default = 0 on TimeGenerated from {TimeRange:start} to {TimeRange:end} step {TimeRange:grain}\\r\\n | extend jkey = 1) on jkey\\r\\n | extend Message.action = 'All', Message.actions = '*' \\r\\n)\\r\\n| order by Count desc\\r\\n| take 10\",\"size\":4,\"exportFieldName\":\"Message.action\",\"exportParameterName\":\"Message.action\",\"exportDefaultValue\":\"All\",\"exportToExcelOptions\":\"visible\",\"title\":\"Traffic action summary - click to filter the graph below\",\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"tiles\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"Message.action\",\"formatter\":0,\"formatOptions\":{\"showIcon\":true}},{\"columnMatch\":\"Count\",\"formatter\":3,\"formatOptions\":{\"palette\":\"blueDark\",\"showIcon\":true}},{\"columnMatch\":\"Trend\",\"formatter\":9,\"formatOptions\":{\"palette\":\"blueDark\",\"showIcon\":true}},{\"columnMatch\":\"jkey\",\"formatter\":5,\"formatOptions\":{\"showIcon\":true}},{\"columnMatch\":\"TimeGenerated\",\"formatter\":5,\"formatOptions\":{\"showIcon\":true}},{\"columnMatch\":\"jkey1\",\"formatter\":5,\"formatOptions\":{\"showIcon\":true}},{\"columnMatch\":\"Message.actions\",\"formatter\":5,\"formatOptions\":{\"showIcon\":true}}]},\"tileSettings\":{\"titleContent\":{\"columnMatch\":\"Message.action\",\"formatter\":1,\"formatOptions\":{\"showIcon\":true}},\"leftContent\":{\"columnMatch\":\"Count\",\"formatter\":12,\"formatOptions\":{\"palette\":\"auto\",\"showIcon\":true},\"numberFormat\":{\"unit\":17,\"options\":{\"maximumSignificantDigits\":3,\"maximumFractionDigits\":2}}},\"secondaryContent\":{\"columnMatch\":\"Trend\",\"formatter\":9,\"formatOptions\":{\"showIcon\":true}},\"showBorder\":false}},\"customWidth\"
:\"33\",\"name\":\"Traffic activity summary\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"fluentbit_CL\\n| where isnotempty(FirewallName_s)\\n| where \\\"{Destination_IP:lable}\\\"==\\\"All\\\" or Message.dst_ip in ({Destination_IP}) \\n| where \\\"{Source_IP:lable}\\\" == \\\"All\\\" or Message.src_ip in ({Source_IP})\\n| where '{DeviceAction}' == \\\"All\\\" or Message.action=='{DeviceAction}'\\n| where ident_s =~ \\\"TRAFFIC\\\"\\n| summarize EventCount= count() by Message.threat_content_type, bin_at(TimeGenerated, {TimeRange:grain}, {TimeRange:start})\",\"size\":0,\"exportToExcelOptions\":\"visible\",\"title\":\"Traffic class ID by time\",\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"barchart\"},\"customWidth\":\"50\",\"name\":\"Traffic class ID by time\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"fluentbit_CL\\n| where isnotempty(FirewallName_s)\\n| where \\\"{Destination_IP:lable}\\\"==\\\"All\\\" or Message.dst_ip in ({Destination_IP}) \\n| where \\\"{Source_IP:lable}\\\" == \\\"All\\\" or Message.src_ip in ({Source_IP})\\n| where ident_s == 'TRAFFIC' \\n| extend Reason = coalesce(\\r\\n column_ifexists(\\\"session_end_reason\\\", \\\"\\\"),\\r\\n extract(';reason=(.*?);',1,Message),\\r\\n \\\"\\\"\\r\\n )\\n| summarize ReasonCount= count() by Reason, TimeGenerated \\n\",\"size\":0,\"exportToExcelOptions\":\"visible\",\"title\":\"Reasons for session ending, by time\",\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"timechart\"},\"customWidth\":\"50\",\"name\":\"Reasons for session ending\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"// Data sent outbound vs inbound\\r\\nfluentbit_CL\\r\\n| where isnotempty(FirewallName_s)\\r\\n| where 
\\\"{Destination_IP:lable}\\\"==\\\"All\\\" or Message.dst_ip in ({Destination_IP}) \\r\\n| where \\\"{Source_IP:lable}\\\" == \\\"All\\\" or Message.src_ip in ({Source_IP})\\r\\n| where ident_s =~ 'TRAFFIC'\\r\\n| extend Direction=iff(Message.rule=~'Trust','Outbound' ,'Inbound' )\\r\\n| summarize DataSentOutBoundMB=sumif(todouble(Message.bytes_sent), Direction=~'Outbound')/1048576, DataRecievedInboundMB=sumif(todouble(Message.bytes_recv), Direction=~'Inbound')/1048576 by TimeGenerated\\r\\n\",\"size\":0,\"exportToExcelOptions\":\"visible\",\"title\":\"Sent and received data, by volume\",\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"timechart\"},\"customWidth\":\"50\",\"name\":\"Sent and received data by volume\"},{\"type\":1,\"content\":{\"json\":\"---\\r\\n## Web filter\"},\"name\":\"text - 12\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"fluentbit_CL\\r\\n| where isnotempty(FirewallName_s)\\r\\n| where \\\"{Destination_IP:lable}\\\"==\\\"All\\\" or Message.dst_ip in ({Destination_IP}) \\r\\n| where \\\"{Source_IP:lable}\\\" == \\\"All\\\" or Message.src_ip in ({Source_IP})\\r\\n| where ident_s == 'THREAT'\\r\\n| where Message.threat_content_type =~ 'url'\\r\\n| where Message.action contains 'block'\\r\\n| summarize ProtocolCount=count() by Message.proto\\r\\n| top 5 by ProtocolCount desc\\r\\n\",\"size\":0,\"exportToExcelOptions\":\"visible\",\"title\":\"Top 5 blocked URLs, by application 
protocol\",\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"Message.proto\",\"formatter\":0,\"formatOptions\":{\"showIcon\":true}},{\"columnMatch\":\"ProtocolCount\",\"formatter\":4,\"formatOptions\":{\"min\":0,\"palette\":\"purple\",\"showIcon\":true}}]}},\"customWidth\":\"25\",\"name\":\"Top 5 blocked URLs by application protocol\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"fluentbit_CL\\n| where isnotempty(FirewallName_s)\\n| where \\\"{Destination_IP:lable}\\\"==\\\"All\\\" or Message.dst_ip in ({Destination_IP}) \\n| where \\\"{Source_IP:lable}\\\" == \\\"All\\\" or Message.src_ip in ({Source_IP})\\n| where ident_s == 'THREAT'\\n| where Message.threat_content_type =~ 'url'\\n| where Message.action in ('block-url', 'block-continue')\\n| summarize CategoryCount=count() by Message.category\\n| project-rename CategoryName= Message.category\\n| top 5 by CategoryCount\\n\",\"size\":0,\"exportToExcelOptions\":\"visible\",\"title\":\"Top 5 URL blocked, by category\",\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"CategoryName\",\"formatter\":0,\"formatOptions\":{\"showIcon\":true}},{\"columnMatch\":\"CategoryCount\",\"formatter\":4,\"formatOptions\":{\"palette\":\"coldHot\",\"showIcon\":true}}]}},\"customWidth\":\"25\",\"name\":\"Top 5 URL blocked by category\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"fluentbit_CL\\n| where isnotempty(FirewallName_s)\\n| where \\\"{Destination_IP:lable}\\\"==\\\"All\\\" or Message.dst_ip in ({Destination_IP}) \\n| where \\\"{Source_IP:lable}\\\" == \\\"All\\\" or Message.src_ip in ({Source_IP})\\n| where ident_s == 'THREAT'\\n| where Message.threat_content_type == 
'url'\\n| where Message.action in ('block-url', 'block-continue')\\n| summarize URLCount=count() by tostring(Message.RequestURL)\\n| top 5 by URLCount desc\\n\",\"size\":0,\"exportToExcelOptions\":\"visible\",\"title\":\"Top 5 blocked URLs\",\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"customWidth\":\"25\",\"name\":\"Top 5 blocked URLs\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"fluentbit_CL\\n| where isnotempty(FirewallName_s)\\n| where \\\"{Destination_IP:lable}\\\"==\\\"All\\\" or Message.dst_ip in ({Destination_IP}) \\n| where \\\"{Source_IP:lable}\\\" == \\\"All\\\" or Message.src_ip in ({Source_IP})\\n| where ident_s == 'THREAT'\\n| where Message.threat_content_type =~ 'url'\\n| summarize ProtocolCount=count() by tostring(Message.proto)\\n| top 5 by ProtocolCount desc\",\"size\":0,\"exportToExcelOptions\":\"visible\",\"title\":\"Top 5 URLs, by application protocols\",\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"Message.proto\",\"formatter\":0,\"formatOptions\":{\"showIcon\":true}},{\"columnMatch\":\"ProtocolCount\",\"formatter\":4,\"formatOptions\":{\"palette\":\"coldHot\",\"showIcon\":true}}]}},\"customWidth\":\"25\",\"name\":\"Top 5 URLs by application protocols\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"fluentbit_CL\\n| where isnotempty(FirewallName_s)\\n| where \\\"{Destination_IP:lable}\\\" == \\\"All\\\" or Message.dst_ip in ({Destination_IP})\\n| where \\\"{Source_IP:lable}\\\" == \\\"All\\\" or Message.src_ip in ({Source_IP})\\n| where ident_s == 'THREAT'\\n| where Message.threat_content_type == 'url'\\n| where Message.action in ('alert', 'continue')\\n| summarize URLCount=count() by tostring(Message.RequestURL)\\n| top 5 by 
URLCount desc\\n\",\"size\":0,\"exportToExcelOptions\":\"visible\",\"title\":\"Top 5 allowed URLs\",\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"RequestURL\",\"formatter\":0,\"formatOptions\":{\"showIcon\":true}},{\"columnMatch\":\"URLCount\",\"formatter\":4,\"formatOptions\":{\"palette\":\"coldHot\",\"showIcon\":true}}]}},\"customWidth\":\"25\",\"name\":\"Top 5 allowed URLs\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"fluentbit_CL\\n| where isnotempty(FirewallName_s)\\n| where \\\"{Destination_IP:lable}\\\"==\\\"All\\\" or Message.dst_ip in ({Destination_IP}) \\n| where \\\"{Source_IP:lable}\\\" == \\\"All\\\" or Message.src_ip in ({Source_IP})\\n| where ident_s == 'THREAT'\\n| where Message.threat_content_type == 'url'\\n| summarize ActionCount=count() by Message.action\\r\\n\",\"size\":0,\"exportToExcelOptions\":\"visible\",\"title\":\"URL threat event summary\",\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"Message.action\",\"formatter\":0,\"formatOptions\":{\"showIcon\":true}},{\"columnMatch\":\"ActionCount\",\"formatter\":4,\"formatOptions\":{\"palette\":\"coldHot\",\"showIcon\":true}}]}},\"customWidth\":\"25\",\"name\":\"URL threat event summary\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"fluentbit_CL\\n| where isnotempty(FirewallName_s)\\n| where \\\"{Destination_IP:lable}\\\"==\\\"All\\\" or Message.dst_ip in ({Destination_IP}) \\n| where \\\"{Source_IP:lable}\\\" == \\\"All\\\" or Message.src_ip in ({Source_IP})\\n| where ident_s == 'THREAT'\\n| where Message.threat_content_type =~ 'url'\\n| where Message.action in ('alert', 'continue')\\n| summarize CategoryCount=count() by 
Message.category\\n| project-rename CategoryName= Message.category\\n| top 5 by CategoryCount desc\\n\",\"size\":0,\"exportToExcelOptions\":\"visible\",\"title\":\"Top 5 allowed URLs, by category\",\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"CategoryName\",\"formatter\":0,\"formatOptions\":{\"showIcon\":true}},{\"columnMatch\":\"CategoryCount\",\"formatter\":4,\"formatOptions\":{\"palette\":\"coldHot\",\"showIcon\":true}}]}},\"customWidth\":\"25\",\"name\":\"Top 5 allowed URLs, by category\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"fluentbit_CL\\n| where isnotempty(FirewallName_s)\\n| where \\\"{Destination_IP:lable}\\\"==\\\"All\\\" or Message.dst_ip in ({Destination_IP}) \\n| where \\\"{Source_IP:lable}\\\" == \\\"All\\\" or Message.src_ip in ({Source_IP})\\n| where ident_s == 'THREAT'\\n| where Message.threat_content_type =~ 'url'\\n| where Message.action !contains 'block'\\n| summarize ProtocolCount=count() by Message.proto\\n| top 5 by ProtocolCount desc\",\"size\":0,\"exportToExcelOptions\":\"visible\",\"title\":\"Top 5 allowed URLs, by application protocol\",\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"table\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"Message.proto\",\"formatter\":0,\"formatOptions\":{\"showIcon\":true}},{\"columnMatch\":\"ProtocolCount\",\"formatter\":4,\"formatOptions\":{\"palette\":\"coldHot\",\"showIcon\":true}}]}},\"customWidth\":\"33\",\"name\":\"Top 5 allowed URLs by application protocol\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"fluentbit_CL\\n| where isnotempty(FirewallName_s)\\n| where \\\"{Destination_IP:lable}\\\"==\\\"All\\\" or Message.dst_ip in ({Destination_IP}) \\n| where 
\\\"{Source_IP:lable}\\\" == \\\"All\\\" or Message.src_ip in ({Source_IP})\\n| where ident_s == 'THREAT'\\n| where Message.threat_content_type =~ 'url'\\n| where Message.action !contains 'block'\\n| summarize ProtocolCount=count() by Message.proto\\n| top 5 by ProtocolCount desc\",\"size\":0,\"exportToExcelOptions\":\"visible\",\"title\":\"Top 5 allowed URLs, by application protocol\",\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"table\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"Message.proto\",\"formatter\":0,\"formatOptions\":{\"showIcon\":true}},{\"columnMatch\":\"ProtocolCount\",\"formatter\":4,\"formatOptions\":{\"palette\":\"coldHot\",\"showIcon\":true}}]}},\"customWidth\":\"33\",\"name\":\"Top 5 allowed URLs by application protocol\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"fluentbit_CL\\n| where isnotempty(FirewallName_s)\\n| where \\\"{Destination_IP:lable}\\\"==\\\"All\\\" or Message.dst_ip in ({Destination_IP}) \\n| where \\\"{Source_IP:lable}\\\" == \\\"All\\\" or Message.src_ip in ({Source_IP})\\n| where ident_s == 'THREAT'\\n| where Message.threat_content_type == 'url'\\n| summarize ActionCount=count() by Message.action, TimeGenerated\\n\",\"size\":0,\"exportToExcelOptions\":\"visible\",\"title\":\"Web filter activity, by time\",\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"Message.action\",\"formatter\":0,\"formatOptions\":{\"showIcon\":true}},{\"columnMatch\":\"TimeGenerated\",\"formatter\":0,\"formatOptions\":{\"showIcon\":true}},{\"columnMatch\":\"ActionCount\",\"formatter\":4,\"formatOptions\":{\"palette\":\"coldHot\",\"showIcon\":true}}]}},\"customWidth\":\"33\",\"name\":\"Web filter activity by 
time\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"fluentbit_CL\\n| where isnotempty(FirewallName_s)\\n| where ident_s == 'THREAT'\\n| where \\\"{Destination_IP:lable}\\\"==\\\"All\\\" or Message.dst in ({Destination_IP}) \\n| where \\\"{Source_IP:lable}\\\" == \\\"All\\\" or Message.src_ip in ({Source_IP})\\n| where threat_content_type =~ 'url'\\n| where Message.action in ('alert', 'continue')\\n| summarize IPCount=count() by Message.src_ip\\n| top 5 by IPCount desc\\n\",\"size\":0,\"exportToExcelOptions\":\"visible\",\"title\":\"Top 5 allowed web traffic source IP addresses\",\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"Message.src_ip\",\"formatter\":0,\"formatOptions\":{\"showIcon\":true}},{\"columnMatch\":\"IPCount\",\"formatter\":4,\"formatOptions\":{\"palette\":\"coldHot\",\"showIcon\":true}}]}},\"customWidth\":\"33\",\"name\":\"Top 5 allowed web traffic source IP addresses\"},{\"type\":1,\"content\":{\"json\":\"---\\r\\n## Wildfire\"},\"name\":\"text - 24\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"fluentbit_CL\\n| where isnotempty(FirewallName_s)\\n| where ident_s == 'THREAT'\\n| where Message.threat_content_type == 'wildfire'\\n| summarize ActionCount=count() by Message.action, TimeGenerated\\n\",\"size\":0,\"exportToExcelOptions\":\"visible\",\"title\":\"Wildfire events, by time\",\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"timechart\"},\"customWidth\":\"50\",\"name\":\"Wildfire events, by time\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let data = fluentbit_CL\\r\\n| where isnotempty(FirewallName_s)\\r\\n| where ident_s == 'THREAT'\\r\\n| where Message.threat_content_type =~ 'wildfire'\\r\\n| 
where \\\"{Destination_IP:lable}\\\" == \\\"All\\\" or Message.dst in ({Destination_IP})\\r\\n| where \\\"{Source_IP:lable}\\\" == \\\"All\\\" or Message.src_ip in ({Source_IP});\\r\\ndata\\r\\n| summarize Count = count() by Message.action\\r\\n| join kind = inner (data\\r\\n| make-series Trend = count() default = 0 on TimeGenerated from {TimeRange:start} to {TimeRange:end} step {TimeRange:grain} by Message.action)\\r\\non Message.action\\r\\n| project-away Message.action1, TimeGenerated\\r\\n| extend DeviceActions = Message.action\\r\\n| union (\\r\\ndata\\r\\n| summarize Count = count()\\r\\n| extend jkey = 1\\r\\n| join kind=inner (data\\r\\n| make-series Trend = count() default = 0 on TimeGenerated from {TimeRange:start} to {TimeRange:end} step {TimeRange:grain}\\r\\n| extend jkey = 1) on jkey\\r\\n| extend Message.action = 'All', DeviceActions = '*'\\r\\n)\\r\\n| project Message.action, Count, Trend\\r\\n| order by Count desc\\r\\n| take 10\",\"size\":4,\"exportFieldName\":\"Message.action\",\"exportParameterName\":\"Message.action\",\"exportDefaultValue\":\"All\",\"exportToExcelOptions\":\"visible\",\"title\":\"Top 5 Wildfire 
activities\",\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"tiles\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"Message.action\",\"formatter\":0,\"formatOptions\":{\"showIcon\":true}},{\"columnMatch\":\"Count\",\"formatter\":3,\"formatOptions\":{\"showIcon\":true}},{\"columnMatch\":\"Trend\",\"formatter\":9,\"formatOptions\":{\"palette\":\"grayBlue\",\"showIcon\":true}},{\"columnMatch\":\"DeviceActions\",\"formatter\":0,\"formatOptions\":{\"showIcon\":true}}],\"sortBy\":[{\"itemKey\":\"Message.action\",\"sortOrder\":1}]},\"tileSettings\":{\"titleContent\":{\"columnMatch\":\"Message.action\",\"formatter\":1,\"formatOptions\":{\"showIcon\":true}},\"leftContent\":{\"columnMatch\":\"Count\",\"formatter\":12,\"formatOptions\":{\"palette\":\"auto\",\"showIcon\":true},\"numberFormat\":{\"unit\":17,\"options\":{\"maximumSignificantDigits\":3,\"maximumFractionDigits\":2}}},\"secondaryContent\":{\"columnMatch\":\"Trend\",\"formatter\":9,\"formatOptions\":{\"showIcon\":true}},\"showBorder\":false}},\"customWidth\":\"25\",\"name\":\"Top 5 Wildfire activities\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let data = fluentbit_CL\\r\\n| where isnotempty(FirewallName_s)\\r\\n| where ident_s == 'THREAT'\\r\\n| where threat_content_type =~ 'wildfire'\\r\\n| where \\\"{Destination_IP:lable}\\\"==\\\"All\\\" or Message.dst in ({Destination_IP}) \\r\\n| where \\\"{Source_IP:lable}\\\" == \\\"All\\\" or Message.src_ip in ({Source_IP});\\r\\ndata\\r\\n| summarize Count = count() by Message.rule\\r\\n| join kind = inner (data\\r\\n | make-series Trend = count() default = 0 on TimeGenerated from {TimeRange:start} to {TimeRange:end} step {TimeRange:grain} by Message.rule)\\r\\n on Message.rule\\r\\n| project-away Message.rule1, TimeGenerated\\r\\n| extend Message.rules = Message.rule\\r\\n| union (\\r\\n data \\r\\n | summarize Count 
= count() \\r\\n | extend jkey = 1\\r\\n | join kind=inner (data\\r\\n | make-series Trend = count() default = 0 on TimeGenerated from {TimeRange:start} to {TimeRange:end} step {TimeRange:grain}\\r\\n | extend jkey = 1) on jkey\\r\\n | extend Message.rule = 'All', Message.rules = '*' \\r\\n)\\r\\n| project Message.rule, Count, Trend\\r\\n| order by Count desc\\r\\n| take 10\",\"size\":4,\"exportFieldName\":\"Message.rule\",\"exportParameterName\":\"RuleString\",\"exportDefaultValue\":\"All\",\"exportToExcelOptions\":\"visible\",\"title\":\"Top 5 Wildfire verdicts\",\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"tiles\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"Message.action\",\"formatter\":0,\"formatOptions\":{\"showIcon\":true}},{\"columnMatch\":\"Count\",\"formatter\":3,\"formatOptions\":{\"showIcon\":true}},{\"columnMatch\":\"Trend\",\"formatter\":9,\"formatOptions\":{\"palette\":\"grayBlue\",\"showIcon\":true}},{\"columnMatch\":\"Message.actions\",\"formatter\":0,\"formatOptions\":{\"showIcon\":true}},{\"columnMatch\":\"TimeGenerated\",\"formatter\":0,\"formatOptions\":{\"showIcon\":true}},{\"columnMatch\":\"jkey1\",\"formatter\":0,\"formatOptions\":{\"showIcon\":true}}],\"sortBy\":[{\"itemKey\":\"Message.action\",\"sortOrder\":1}]},\"tileSettings\":{\"titleContent\":{\"columnMatch\":\"Message.rule\",\"formatter\":1,\"formatOptions\":{\"showIcon\":true}},\"leftContent\":{\"columnMatch\":\"Count\",\"formatter\":12,\"formatOptions\":{\"palette\":\"auto\",\"showIcon\":true},\"numberFormat\":{\"unit\":17,\"options\":{\"maximumSignificantDigits\":3,\"maximumFractionDigits\":2}}},\"secondaryContent\":{\"columnMatch\":\"Trend\",\"formatter\":9,\"formatOptions\":{\"showIcon\":true}},\"showBorder\":false}},\"customWidth\":\"25\",\"name\":\"Top 5 Wildfire 
verdicts\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"fluentbit_CL\\n| where isnotempty(FirewallName_s)\\n| where ident_s == 'THREAT'\\n| where threat_content_type in ('wildfire', 'wildfire-virus')\\n| where '{DeviceAction}' == \\\"All\\\" or action=='{DeviceAction}'\\n| where '{DeviceString}' == \\\"All\\\" or category=='{DeviceString}'\\n| project TimeGenerated, LogSeverity=pri_s, DeviceAction=action, ['URL Category'] =category, DestinationPort=dport, DestinationIP=dst, Message, SourcePort=sport, SourceIP=src_ip, DestinationUserID, RequestURL\",\"size\":0,\"exportToExcelOptions\":\"visible\",\"title\":\"Wildfire events\",\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"gridSettings\":{\"filter\":true}},\"name\":\"Wildfire events\"},{\"type\":1,\"content\":{\"json\":\"---\\r\\n## General statistics\"},\"name\":\"text - 30\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"fluentbit_CL\\n| where isnotempty(FirewallName_s)\\n| where ident_s == 'THREAT'\\n| where \\\"{Destination_IP:lable}\\\"==\\\"All\\\" or Message.dst in ({Destination_IP}) \\n| where \\\"{Source_IP:lable}\\\" == \\\"All\\\" or Message.src_ip in ({Source_IP})\\n| where Message.threat_content_type =~ 'file'\\n| where Message.action contains 'deny'\\n| summarize ProtocolCount=count() by Message.proto\\n| top 5 by ProtocolCount desc\\n\",\"size\":0,\"exportToExcelOptions\":\"visible\",\"title\":\"Top 5 denied files, by application 
protocol\",\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"Message.proto\",\"formatter\":0,\"formatOptions\":{\"showIcon\":true}},{\"columnMatch\":\"ProtocolCount\",\"formatter\":4,\"formatOptions\":{\"palette\":\"coldHot\",\"showIcon\":true}}]}},\"customWidth\":\"33\",\"name\":\"Top 5 denied files by application protocol\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"fluentbit_CL\\r\\n| where isnotempty(FirewallName_s)\\r\\n| where ident_s == 'THREAT'\\r\\n| where \\\"{Destination_IP:lable}\\\" == \\\"All\\\" or Message.dst in ({Destination_IP})\\r\\n| where \\\"{Source_IP:lable}\\\" == \\\"All\\\" or Message.src_ip in ({Source_IP})\\r\\n| where threat_content_type =~ 'file'\\r\\n| where Message.action !contains 'deny'\\r\\n| summarize ProtocolCount=count() by Message.proto\\r\\n| top 5 by ProtocolCount desc\\r\\n\",\"size\":0,\"exportToExcelOptions\":\"visible\",\"title\":\"Top 5 allowed files, by application protocol\",\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"Message.proto\",\"formatter\":0,\"formatOptions\":{\"showIcon\":true}},{\"columnMatch\":\"ProtocolCount\",\"formatter\":4,\"formatOptions\":{\"palette\":\"coldHot\",\"showIcon\":true}}]}},\"customWidth\":\"33\",\"name\":\"Top 5 allowed files by application protocol\"}],\"fromTemplateId\":\"sentinel-PaloAltoOverview\",\"$schema\":\"https://github.com/Microsoft/Application-Insights-Workbooks/blob/master/schema/workbook.json\"}\r\n", + "serializedData": "{\"version\":\"Notebook/1.0\",\"items\":[{\"type\":1,\"content\":{\"json\":\"
Azure CloudNGFW By Palo Alto Networks - Overview
\"},\"name\":\"text - 0\"},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"a5c18655-3e2d-4d12-8ba4-82e57b296581\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"TimeRange\",\"type\":4,\"isRequired\":true,\"value\":{\"durationMs\":7776000000},\"typeSettings\":{\"selectableValues\":[{\"durationMs\":300000},{\"durationMs\":900000},{\"durationMs\":1800000},{\"durationMs\":3600000},{\"durationMs\":14400000},{\"durationMs\":43200000},{\"durationMs\":86400000},{\"durationMs\":172800000},{\"durationMs\":259200000},{\"durationMs\":604800000},{\"durationMs\":1209600000},{\"durationMs\":2419200000},{\"durationMs\":2592000000},{\"durationMs\":5184000000},{\"durationMs\":7776000000}],\"allowCustom\":true}},{\"id\":\"32f5a8aa-9c54-4fd1-a2b9-8461b2c57f55\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"Source_IP\",\"label\":\"Source IP\",\"type\":2,\"isRequired\":true,\"multiSelect\":true,\"quote\":\"'\",\"delimiter\":\",\",\"query\":\"fluentbit_CL\\n| where isnotempty(FirewallName_s)\\n| where ident_s in ('TRAFFIC', 'DECRYPTION', 'THREAT')\\n| extend SourceIP = tostring(parse_json(Message).src_ip)\\n| summarize Count = count()/1000 by SourceIP\\n| where SourceIP != \\\"\\\"\\n| order by Count desc, SourceIP asc\\n| project Value = SourceIP, Label = strcat(SourceIP, \\\" - \\\", Count, \\\"k\\\"), Selected = false\\n\",\"value\":[\"value::all\"],\"typeSettings\":{\"additionalResourceOptions\":[\"value::all\"],\"selectAllValue\":\"All\"},\"timeContext\":{\"durationMs\":1800000},\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},{\"id\":\"b937ca33-bc62-4183-bc0f-9ad8306dc36a\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"Destination_IP\",\"label\":\"Destination IP\",\"type\":2,\"isRequired\":true,\"multiSelect\":true,\"quote\":\"'\",\"delimiter\":\",\",\"query\":\"fluentbit_CL\\n| where isnotempty(FirewallName_s)\\n| where ident_s in ('TRAFFIC', 'DECRYPTION', 'THREAT')\\n| extend DestinationIP = case(ident_s 
== 'DECRYPTION', tostring(parse_json(Message).dst), tostring(parse_json(Message).dst_ip))\\n| summarize Count = count()/1000 by DestinationIP\\n| where DestinationIP != \\\"\\\"\\n| order by Count desc, DestinationIP asc\\n| project Value = DestinationIP, Label = strcat(DestinationIP, \\\" - \\\", Count, \\\"k\\\"), Selected = false\",\"value\":[\"value::all\"],\"typeSettings\":{\"limitSelectTo\":10,\"additionalResourceOptions\":[\"value::all\"],\"selectAllValue\":\"All\"},\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"parameters - 5\"},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"7f28bae3-a11f-408a-832f-77a0f3e633d7\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"EventClass\",\"type\":2,\"isRequired\":true,\"multiSelect\":true,\"quote\":\"'\",\"delimiter\":\",\",\"query\":\"fluentbit_CL\\n| where isnotempty(FirewallName_s)\\n| where ident_s == 'THREAT'\\n| extend message = parse_json(Message)\\n| where isnotempty(message.sub_type)\\n| distinct tostring(message.sub_type)\",\"typeSettings\":{\"additionalResourceOptions\":[\"value::all\"],\"selectAllValue\":\"All\",\"showDefault\":false},\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"value\":[\"spyware\",\"vulnerability\"]}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"parameters - 35\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let data = fluentbit_CL\\n| where isnotempty(FirewallName_s)\\n| where ident_s =~ 'THREAT'\\n| extend message = parse_json(Message)\\n| where \\\"{Destination_IP:label}\\\" == \\\"All\\\" or message.dst in ({Destination_IP})\\n| where 
\\\"{Source_IP:label}\\\" == \\\"All\\\" or message.src_ip in ({Source_IP})\\n| where \\\"{EventClass:label}\\\" == \\\"All\\\" or \\\"{EventClass:label}\\\" == \\\"All\\\" or message.sub_type in ({EventClass});\\ndata\\n| summarize Count = count() by tostring(message.sub_type)\\n| join kind = inner (data\\n | make-series Trend = count() default = 0 on TimeGenerated from {TimeRange:start} to {TimeRange:end} step {TimeRange:grain} by tostring(message.sub_type))\\non message_sub_type\\n| project-away message_sub_type1, TimeGenerated\\n| extend Activities = message_sub_type\\n| union (\\ndata \\n | summarize Count = count() \\n | extend jkey = 1\\n | join kind=inner (data\\n | make-series Trend = count() default = 0 on TimeGenerated from {TimeRange:start} to {TimeRange:end} step {TimeRange:grain}\\n | extend jkey = 1) on jkey\\n | extend message_sub_type = 'All', Activities = 'Total' \\n)\\n| order by Count desc\\n| take 10\",\"size\":4,\"title\":\"Activities, by volume\",\"timeContextFromParameter\":\"TimeRange\",\"exportFieldName\":\"Activities\",\"exportParameterName\":\"activities\",\"exportDefaultValue\":\"All\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"tiles\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"Count\",\"formatter\":8,\"formatOptions\":{\"palette\":\"blueDark\",\"showIcon\":true}},{\"columnMatch\":\"Trend\",\"formatter\":9,\"formatOptions\":{\"palette\":\"lightBlue\",\"showIcon\":true}},{\"columnMatch\":\"Activities\",\"formatter\":5,\"formatOptions\":{\"showIcon\":true}},{\"columnMatch\":\"jkey\",\"formatter\":5,\"formatOptions\":{\"showIcon\":true}},{\"columnMatch\":\"TimeGenerated\",\"formatter\":5,\"formatOptions\":{\"showIcon\":true}},{\"columnMatch\":\"jkey1\",\"formatter\":5,\"formatOptions\":{\"showIcon\":true}}]},\"tileSettings\":{\"titleContent\":{\"columnMatch\":\"Activities\",\"formatter\":1,\"formatOptions\":{\"showIcon\":true}},\"leftContent\":{\"columnMatch\":\"Count\",\"form
atter\":12,\"formatOptions\":{\"palette\":\"auto\",\"showIcon\":true},\"numberFormat\":{\"unit\":17,\"options\":{\"maximumSignificantDigits\":3,\"maximumFractionDigits\":2}}},\"secondaryContent\":{\"columnMatch\":\"Trend\",\"formatter\":9,\"formatOptions\":{\"showIcon\":true}},\"showBorder\":false}},\"name\":\"all activities\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"fluentbit_CL\\n| where isnotempty(FirewallName_s)\\n| where ident_s =~ 'THREAT'\\n| extend message = parse_json(Message)\\n| where \\\"{Destination_IP:label}\\\"==\\\"All\\\" or message.dst in ({Destination_IP})\\n| where \\\"{Source_IP:label}\\\" == \\\"All\\\" or message.src_ip in ({Source_IP})\\n| where \\\"{EventClass}\\\" == \\\"All\\\" or message.sub_type in ({EventClass})\\n| summarize LogVolume=count() by tostring(message.sub_type), bin_at(TimeGenerated, {TimeRange:grain}, {TimeRange:start})\",\"size\":0,\"aggregation\":3,\"title\":\"Event trend, by time\",\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"barchart\",\"tileSettings\":{\"showBorder\":false,\"titleContent\":{\"columnMatch\":\"threat_content_type\",\"formatter\":1},\"leftContent\":{\"columnMatch\":\"LogVolume\",\"formatter\":12,\"formatOptions\":{\"palette\":\"auto\"},\"numberFormat\":{\"unit\":17,\"options\":{\"maximumSignificantDigits\":3,\"maximumFractionDigits\":2}}}}},\"customWidth\":\"50\",\"name\":\"Event trend by time\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"//trend by severity\\r\\nfluentbit_CL\\r\\n| where isnotempty(FirewallName_s)\\r\\n| where ident_s =~ 'THREAT'\\r\\n| extend message = parse_json(Message)\\r\\n| where \\\"{Destination_IP:label}\\\"==\\\"All\\\" or message.dst in ({Destination_IP}) \\r\\n| where \\\"{Source_IP:label}\\\" == \\\"All\\\" or message.src_ip in ({Source_IP})\\r\\n| where \\\"{EventClass:lable}\\\" == \\\"All\\\" or ident_s == 'THREAT' and 
message.sub_type in ({EventClass})\\r\\n| where \\\"{EventClass}\\\" == \\\"All\\\" or message.sub_type in ({EventClass})\\r\\n| summarize count() by bin_at(TimeGenerated, {TimeRange:grain},{TimeRange:start}), tostring(message.severity)\\r\\n\",\"size\":0,\"title\":\"Events severity, by time\",\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"barchart\",\"tileSettings\":{\"showBorder\":false,\"titleContent\":{\"columnMatch\":\"Message.severity\",\"formatter\":1},\"leftContent\":{\"columnMatch\":\"count_\",\"formatter\":12,\"formatOptions\":{\"palette\":\"auto\"},\"numberFormat\":{\"unit\":17,\"options\":{\"maximumSignificantDigits\":3,\"maximumFractionDigits\":2}}}},\"graphSettings\":{\"type\":0,\"topContent\":{\"columnMatch\":\"Message.severity\",\"formatter\":1},\"centerContent\":{\"columnMatch\":\"count_\",\"formatter\":1,\"numberFormat\":{\"unit\":17,\"options\":{\"maximumSignificantDigits\":3,\"maximumFractionDigits\":2}}}}},\"customWidth\":\"50\",\"name\":\"Events severity over time\"},{\"type\":1,\"content\":{\"json\":\"---\\r\\n### Traffic events summary\"},\"name\":\"text - 11\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let data = fluentbit_CL\\r\\n| where isnotempty(FirewallName_s)\\r\\n| where ident_s =~ 'THREAT'\\r\\n| extend message = parse_json(Message)\\r\\n| where \\\"{Destination_IP:label}\\\" == \\\"All\\\" or message.dst in ({Destination_IP}) \\r\\n| where \\\"{Source_IP:label}\\\" == \\\"All\\\" or message.src_ip in ({Source_IP});\\r\\ndata\\r\\n| summarize Count = count() by tostring(message.sub_type)\\r\\n| join kind = inner (data\\r\\n| make-series Trend = count() default = 0 on TimeGenerated from {TimeRange:start} to {TimeRange:end} step {TimeRange:grain} by tostring(message.sub_type))\\r\\n on message_sub_type\\r\\n| project-away message_sub_type1, TimeGenerated\\r\\n| extend message_sub_types = message_sub_type\\r\\n| union 
(\\r\\n data \\r\\n | summarize Count = count() \\r\\n | extend jkey = 1\\r\\n | join kind=inner (data\\r\\n | make-series Trend = count() default = 0 on TimeGenerated from {TimeRange:start} to {TimeRange:end} step {TimeRange:grain}\\r\\n | extend jkey = 1) on jkey\\r\\n | extend message_sub_type = 'All', message_sub_types = 'Total' \\r\\n)\\r\\n| order by Count desc\\r\\n| take 10\",\"size\":4,\"title\":\"Threat event type summary\",\"timeContextFromParameter\":\"TimeRange\",\"exportFieldName\":\"message_sub_type\",\"exportParameterName\":\"EventClass\",\"exportDefaultValue\":\"All\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"tiles\",\"tileSettings\":{\"titleContent\":{\"columnMatch\":\"message_sub_type\",\"formatter\":1,\"formatOptions\":{\"showIcon\":true}},\"leftContent\":{\"columnMatch\":\"Count\",\"formatter\":12,\"formatOptions\":{\"palette\":\"auto\",\"showIcon\":true},\"numberFormat\":{\"unit\":17,\"options\":{\"style\":\"decimal\",\"maximumFractionDigits\":2,\"maximumSignificantDigits\":3}}},\"secondaryContent\":{\"columnMatch\":\"Trend\",\"formatter\":9,\"formatOptions\":{\"showIcon\":true}},\"showBorder\":false}},\"customWidth\":\"100\",\"name\":\"Threat event summary\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let data = fluentbit_CL\\r\\n| where isnotempty(FirewallName_s)\\r\\n| extend message = parse_json(Message)\\r\\n| where \\\"{Destination_IP:label}\\\" == \\\"All\\\" or message.dst in ({Destination_IP}) \\r\\n| where \\\"{Source_IP:label}\\\" == \\\"All\\\" or message.src_ip in ({Source_IP});\\r\\ndata\\r\\n| summarize Count = count() by tostring(message.action)\\r\\n| join kind = inner (data\\r\\n| make-series Trend = count() default = 0 on TimeGenerated from {TimeRange:start} to {TimeRange:end} step {TimeRange:grain} by tostring(message.action))\\r\\n on message_action\\r\\n| project-away message_action1, TimeGenerated\\r\\n| extend message_actions = 
message_action\\r\\n| union (\\r\\n data \\r\\n | summarize Count = count() \\r\\n | extend jkey = 1\\r\\n | join kind=inner (data\\r\\n | make-series Trend = count() default = 0 on TimeGenerated from {TimeRange:start} to {TimeRange:end} step {TimeRange:grain}\\r\\n | extend jkey = 1) on jkey\\r\\n | extend message_action = 'All', message_actions = '*' \\r\\n)\\r\\n| order by Count desc\\r\\n| take 10\",\"size\":4,\"title\":\"Traffic action summary\",\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"tiles\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"Count\",\"formatter\":3,\"formatOptions\":{\"palette\":\"blueDark\",\"showIcon\":true}},{\"columnMatch\":\"Trend\",\"formatter\":9,\"formatOptions\":{\"palette\":\"blueDark\",\"showIcon\":true}},{\"columnMatch\":\"jkey\",\"formatter\":5,\"formatOptions\":{\"showIcon\":true}},{\"columnMatch\":\"TimeGenerated\",\"formatter\":5,\"formatOptions\":{\"showIcon\":true}},{\"columnMatch\":\"jkey1\",\"formatter\":5,\"formatOptions\":{\"showIcon\":true}},{\"columnMatch\":\"message_actions\",\"formatter\":5,\"formatOptions\":{\"showIcon\":true}}]},\"tileSettings\":{\"titleContent\":{\"columnMatch\":\"message_action\",\"formatter\":1},\"leftContent\":{\"columnMatch\":\"Count\",\"formatter\":12,\"formatOptions\":{\"palette\":\"auto\"},\"numberFormat\":{\"unit\":17,\"options\":{\"maximumSignificantDigits\":3,\"maximumFractionDigits\":2}}},\"secondaryContent\":{\"columnMatch\":\"Trend\",\"formatter\":9},\"showBorder\":false,\"size\":\"auto\"}},\"customWidth\":\"100\",\"name\":\"Traffic activity summary\"},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"e25d603d-5f93-4330-a519-1781a9d36eb0\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"DeviceAction\",\"type\":2,\"isRequired\":true,\"multiSelect\":true,\"quote\":\"'\",\"delimiter\":\",\",\"query\":\"fluentbit_CL\\n| where 
isnotempty(FirewallName_s)\\n| extend message = parse_json(Message)\\n| where isnotempty(message.sub_type)\\n| distinct tostring(message.action)\",\"typeSettings\":{\"additionalResourceOptions\":[\"value::all\"],\"selectAllValue\":\"All\",\"showDefault\":false},\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"value\":[\"value::all\"]}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"parameters - 35 - Copy\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"fluentbit_CL\\n| where isnotempty(FirewallName_s)\\n| where ident_s =~ \\\"THREAT\\\"\\n| extend message = parse_json(Message)\\n| where isempty(message.url_idx)\\n| where \\\"{Destination_IP:label}\\\"==\\\"All\\\" or message.dst in ({Destination_IP}) \\n| where \\\"{Source_IP:label}\\\" == \\\"All\\\" or message.src_ip in ({Source_IP})\\n| where \\\"{DeviceAction:label}\\\" == \\\"All\\\" or message.action in ({DeviceAction})\\n| summarize EventCount= count() by tostring(message.threat_category), bin_at(TimeGenerated, {TimeRange:grain}, {TimeRange:start})\",\"size\":0,\"title\":\"Threat category by time\",\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"barchart\"},\"customWidth\":\"100\",\"name\":\"Threat category by time\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"fluentbit_CL\\r\\n| where isnotempty(FirewallName_s)\\r\\n| where ident_s =~ 'TRAFFIC'\\r\\n| extend message = parse_json(Message)\\r\\n| where \\\"{Destination_IP:label}\\\"==\\\"All\\\" or message.dst in ({Destination_IP}) \\r\\n| where \\\"{Source_IP:label}\\\" == \\\"All\\\" or message.src_ip in ({Source_IP})\\r\\n| summarize DataSentMB=sum(todouble(message.bytes_sent)/1048576), DataRecievedMB=sum(todouble(message.bytes_recv)/1048576) by 
TimeGenerated\\r\\n\",\"size\":0,\"title\":\"Sent and received data, by volume\",\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"timechart\",\"graphSettings\":{\"type\":0}},\"customWidth\":\"100\",\"name\":\"Sent and received data by volume\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"fluentbit_CL\\n| where isnotempty(FirewallName_s)\\n| where ident_s =~ \\\"TRAFFIC\\\"\\n| extend message = parse_json(Message)\\n| where \\\"{Destination_IP:label}\\\" == \\\"All\\\" or message.dst in ({Destination_IP}) \\n| where \\\"{Source_IP:label}\\\" == \\\"All\\\" or message.src_ip in ({Source_IP})\\n| extend Reason = coalesce(tostring(message.session_end_reason), \\\"Unknown\\\")\\n| summarize ReasonCount = count() by Reason, bin(TimeGenerated, 1h)\\n\",\"size\":0,\"title\":\"Reasons for session ending, by time\",\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"timechart\"},\"customWidth\":\"100\",\"name\":\"Reasons for session ending\"},{\"type\":1,\"content\":{\"json\":\"---\\r\\n## Web filter\"},\"name\":\"text - 12\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"fluentbit_CL\\r\\n| where isnotempty(FirewallName_s)\\r\\n| where ident_s == 'THREAT'\\r\\n| extend message = parse_json(Message)\\r\\n| where \\\"{Destination_IP:label}\\\"==\\\"All\\\" or message.dst in ({Destination_IP}) \\r\\n| where \\\"{Source_IP:label}\\\" == \\\"All\\\" or message.src_ip in ({Source_IP})\\r\\n| where isnotempty(message.url_category_list)\\r\\n| where message.action contains 'block'\\r\\n| summarize Count=count() by tostring(message.url_filename), tostring(message.proto) \\r\\n| top 5 by Count desc\\r\\n\",\"size\":0,\"title\":\"Top 5 blocked URLs, by application 
protocol\",\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"ProtocolCount\",\"formatter\":4,\"formatOptions\":{\"min\":0,\"palette\":\"purple\",\"showIcon\":true}}]}},\"customWidth\":\"33\",\"name\":\"Top 5 blocked URLs by application protocol\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"fluentbit_CL\\n| where isnotempty(FirewallName_s)\\n| where ident_s == 'THREAT'\\n| extend message = parse_json(Message)\\n| where \\\"{Destination_IP:label}\\\"==\\\"All\\\" or message.dst in ({Destination_IP}) \\n| where \\\"{Source_IP:label}\\\" == \\\"All\\\" or message.src_ip in ({Source_IP})\\n| where isnotempty(message.url_category_list)\\n| where message.action in ('block-url', 'block-continue')\\n| summarize Count=count() by tostring(message.url_filename), tostring(message.url_category_list)\\n| project-rename CategoryName= message_url_category_list\\n| top 5 by Count\\n\",\"size\":0,\"title\":\"Top 5 URL blocked, by category\",\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"CategoryCount\",\"formatter\":4,\"formatOptions\":{\"palette\":\"coldHot\",\"showIcon\":true}}]}},\"customWidth\":\"33\",\"name\":\"Top 5 URL blocked by category\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"fluentbit_CL\\n| where isnotempty(FirewallName_s)\\n| where ident_s == 'THREAT'\\n| extend message = parse_json(Message)\\n| where \\\"{Destination_IP:label}\\\"==\\\"All\\\" or message.dst in ({Destination_IP}) \\n| where \\\"{Source_IP:label}\\\" == \\\"All\\\" or message.src_ip in ({Source_IP})\\n| where isnotempty(message.url_category_list)\\n| where message.action in ('block-url', 'block-continue')\\n| summarize Count=count() by tostring(message.url_filename)\\n| top 5 by Count 
desc\\n\",\"size\":0,\"title\":\"Top 5 blocked URLs\",\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"customWidth\":\"33\",\"name\":\"Top 5 blocked URLs\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"fluentbit_CL\\n| where isnotempty(FirewallName_s)\\n| where ident_s == 'THREAT'\\n| extend message = parse_json(Message)\\n| where \\\"{Destination_IP:label}\\\"==\\\"All\\\" or message.dst in ({Destination_IP}) \\n| where \\\"{Source_IP:label}\\\" == \\\"All\\\" or message.src_ip in ({Source_IP})\\n| where isnotempty(message.url_category_list)\\n| summarize Count=count() by tostring(message.url_filename), tostring(message.proto)\\n| top 5 by Count desc\",\"size\":0,\"title\":\"Top 5 URLs, by application protocols\",\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"ProtocolCount\",\"formatter\":4,\"formatOptions\":{\"palette\":\"coldHot\",\"showIcon\":true}}]}},\"customWidth\":\"50\",\"name\":\"Top 5 URLs by application protocols\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"fluentbit_CL\\n| where isnotempty(FirewallName_s)\\n| where ident_s == 'THREAT'\\n| extend message = parse_json(Message)\\n| where \\\"{Destination_IP:label}\\\" == \\\"All\\\" or message.dst in ({Destination_IP})\\n| where \\\"{Source_IP:label}\\\" == \\\"All\\\" or message.src_ip in ({Source_IP})\\n| where isnotempty(message.url_category_list)\\n| where message.action in ('alert', 'continue')\\n| summarize Count=count() by tostring(message.url_filename)\\n| top 5 by Count desc\\n\",\"size\":0,\"title\":\"Top 5 allowed 
URLs\",\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"URLCount\",\"formatter\":4,\"formatOptions\":{\"palette\":\"coldHot\",\"showIcon\":true}}]}},\"customWidth\":\"50\",\"name\":\"Top 5 allowed URLs\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"fluentbit_CL\\n| where isnotempty(FirewallName_s)\\n| where ident_s == 'THREAT'\\n| extend message = parse_json(Message)\\n| where \\\"{Destination_IP:label}\\\"==\\\"All\\\" or message.dst in ({Destination_IP}) \\n| where \\\"{Source_IP:label}\\\" == \\\"All\\\" or message.src_ip in ({Source_IP})\\n| where isnotempty(message.url_category_list)\\n| where message.action in ('alert', 'continue')\\n| summarize Count=count() by tostring(message.url_filename), tostring(message.url_category_list)\\n| project-rename CategoryName= message_url_category_list\\n| top 5 by Count desc\\n\",\"size\":0,\"title\":\"Top 5 allowed URLs, by category\",\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"CategoryCount\",\"formatter\":4,\"formatOptions\":{\"palette\":\"coldHot\",\"showIcon\":true}}]}},\"customWidth\":\"33\",\"name\":\"Top 5 allowed URLs, by category\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"fluentbit_CL\\n| where isnotempty(FirewallName_s)\\n| where ident_s == 'THREAT'\\n| extend message = parse_json(Message)\\n| where \\\"{Destination_IP:label}\\\"==\\\"All\\\" or message.dst in ({Destination_IP}) \\n| where \\\"{Source_IP:label}\\\" == \\\"All\\\" or message.src_ip in ({Source_IP})\\n| where isnotempty(message.url_category_list)\\n| summarize ActionCount=count() by tostring(message.action)\\n\",\"size\":0,\"title\":\"URL threat event 
summary\",\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"table\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"ActionCount\",\"formatter\":4,\"formatOptions\":{\"palette\":\"coldHot\",\"showIcon\":true}}]},\"tileSettings\":{\"showBorder\":false,\"titleContent\":{\"columnMatch\":\"message_action\",\"formatter\":1},\"leftContent\":{\"columnMatch\":\"ActionCount\",\"formatter\":12,\"formatOptions\":{\"palette\":\"auto\"},\"numberFormat\":{\"unit\":17,\"options\":{\"maximumSignificantDigits\":3,\"maximumFractionDigits\":2}}}},\"graphSettings\":{\"type\":0,\"topContent\":{\"columnMatch\":\"message_action\",\"formatter\":1},\"centerContent\":{\"columnMatch\":\"ActionCount\",\"formatter\":1,\"numberFormat\":{\"unit\":17,\"options\":{\"maximumSignificantDigits\":3,\"maximumFractionDigits\":2}}}},\"mapSettings\":{\"locInfo\":\"LatLong\",\"sizeSettings\":\"ActionCount\",\"sizeAggregation\":\"Sum\",\"legendMetric\":\"ActionCount\",\"legendAggregation\":\"Sum\",\"itemColorSettings\":{\"type\":\"heatmap\",\"colorAggregation\":\"Sum\",\"nodeColorField\":\"ActionCount\",\"heatmapPalette\":\"greenRed\"}}},\"customWidth\":\"33\",\"name\":\"URL threat event summary\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"fluentbit_CL\\n| where isnotempty(FirewallName_s)\\n| where ident_s == 'THREAT'\\n| extend message = parse_json(Message)\\n| where \\\"{Destination_IP:lable}\\\"==\\\"All\\\" or message.dst in ({Destination_IP}) \\n| where \\\"{Source_IP:lable}\\\" == \\\"All\\\" or message.src_ip in ({Source_IP})\\n| where isnotempty(message.url_category_list)\\n| where message.action !contains 'block'\\n| summarize ProtocolCount=count() by tostring(message.proto)\\n| top 5 by ProtocolCount desc\",\"size\":0,\"title\":\"Top 5 allowed URLs, by application 
protocol\",\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"table\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"ProtocolCount\",\"formatter\":4,\"formatOptions\":{\"palette\":\"coldHot\",\"showIcon\":true}}]}},\"customWidth\":\"25\",\"name\":\"Top 5 allowed URLs by application protocol\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"fluentbit_CL\\n| where isnotempty(FirewallName_s)\\n| where ident_s == 'THREAT'\\n| extend message = parse_json(Message)\\n| where \\\"{Destination_IP:label}\\\"==\\\"All\\\" or message.dst in ({Destination_IP}) \\n| where \\\"{Source_IP:label}\\\" == \\\"All\\\" or message.src_ip in ({Source_IP})\\n| where isnotempty(message.url_category_list)\\n| where message.action !contains 'block'\\n| summarize ProtocolCount=count() by tostring(message.url_filename), tostring(message.proto)\\n| top 5 by ProtocolCount desc\",\"size\":0,\"title\":\"Top 5 allowed URLs, by application protocol\",\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"table\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"ProtocolCount\",\"formatter\":4,\"formatOptions\":{\"palette\":\"coldHot\",\"showIcon\":true}}]}},\"customWidth\":\"50\",\"name\":\"Top 5 allowed URLs by application protocol\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"fluentbit_CL\\n| where isnotempty(FirewallName_s)\\n| where ident_s == 'THREAT'\\n| extend message = parse_json(Message)\\n| where \\\"{Destination_IP:label}\\\"==\\\"All\\\" or message.dst in ({Destination_IP}) \\n| where \\\"{Source_IP:label}\\\" == \\\"All\\\" or message.src_ip in ({Source_IP})\\n| where isnotempty(message.url_category_list)\\n| where message.action in ('alert', 'continue')\\n| summarize IPCount=count() by tostring(message.src_ip)\\n| top 5 by IPCount 
desc\\n\",\"size\":0,\"title\":\"Top 5 allowed web traffic source IP addresses\",\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"IPCount\",\"formatter\":4,\"formatOptions\":{\"palette\":\"coldHot\",\"showIcon\":true}}]}},\"customWidth\":\"50\",\"name\":\"Top 5 allowed web traffic source IP addresses\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"fluentbit_CL\\n| where isnotempty(FirewallName_s)\\n| where ident_s == 'THREAT'\\n| extend message = parse_json(Message)\\n| where \\\"{Destination_IP:label}\\\"==\\\"All\\\" or message.dst in ({Destination_IP}) \\n| where \\\"{Source_IP:label}\\\" == \\\"All\\\" or message.src_ip in ({Source_IP})\\n| where isnotempty(message.url_category_list)\\n| summarize ActionCount=count() by tostring(message.action), TimeGenerated\\n\",\"size\":0,\"title\":\"Web filter activity, by time\",\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"ActionCount\",\"formatter\":4,\"formatOptions\":{\"palette\":\"coldHot\",\"showIcon\":true}}]}},\"customWidth\":\"100\",\"name\":\"Web filter activity by time\"}],\"fromTemplateId\":\"sentinel-PaloAltoOverview\",\"$schema\":\"https://github.com/Microsoft/Application-Insights-Workbooks/blob/master/schema/workbook.json\"}\r\n", "version": "1.0", "sourceId": "[variables('workspaceResourceId')]", "category": "sentinel" 
@@ -704,7 +704,7 @@
 "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
 ],
 "properties": {
- "description": "CloudNGFW-NetworkThreat Workbook with template version 3.0.1",
+ "description": "CloudNGFW-NetworkThreat Workbook with template version 3.0.2",
 "mainTemplate": {
 "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
 "contentVersion": "[variables('workbookVersion2')]",
@@ -722,7 +722,7 @@ }, "properties": { "displayName": "[parameters('workbook2-name')]", - "serializedData": "{\"version\":\"Notebook/1.0\",\"items\":[{\"type\":1,\"content\":{\"json\":\"## Azure CloudNGFW By Palo Alto Networks - Network Threat\\n\"},\"name\":\"text - 2\"},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"query\":\"\",\"parameters\":[{\"id\":\"d0ccb5c6-8a07-4b7e-9abf-38fa4dcc0baf\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"TimeRange\",\"type\":4,\"isRequired\":true,\"value\":{\"durationMs\":43200000},\"typeSettings\":{\"selectableValues\":[{\"durationMs\":300000},{\"durationMs\":900000},{\"durationMs\":1800000},{\"durationMs\":3600000},{\"durationMs\":14400000},{\"durationMs\":43200000},{\"durationMs\":86400000},{\"durationMs\":172800000},{\"durationMs\":259200000},{\"durationMs\":604800000},{\"durationMs\":1209600000},{\"durationMs\":2419200000},{\"durationMs\":2592000000},{\"durationMs\":5184000000},{\"durationMs\":7776000000}],\"allowCustom\":true}}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"parameters - 1\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let data = fluentbit_CL\\r\\n| where isnotempty(FirewallName_s)\\r\\n| where ident_s =~ 'THREAT';\\r\\ndata\\r\\n| summarize Count = count() by threat_content_type\\r\\n| join kind = inner (data\\r\\n | make-series Trend = count() default = 0 on TimeGenerated from {TimeRange:start} to {TimeRange:end} step {TimeRange:grain} by threat_content_type)\\r\\n on threat_content_type\\r\\n| project-away threat_content_type1, TimeGenerated\\r\\n| extend threat_content_types = threat_content_type\\r\\n| union (\\r\\n data \\r\\n | summarize Count = count() \\r\\n | extend jkey = 1\\r\\n | join kind=inner (data\\r\\n | make-series Trend = count() default = 0 on TimeGenerated from {TimeRange:start} to {TimeRange:end} step {TimeRange:grain}\\r\\n | extend jkey = 1) on jkey\\r\\n | extend 
threat_content_type = 'All', threat_content_types = '*' \\r\\n)\\r\\n| project threat_content_type, Count, Trend\\r\\n| order by Count desc\\r\\n| take 10\",\"size\":3,\"exportFieldName\":\"threat_content_type\",\"exportParameterName\":\"SelectedSubtype\",\"exportDefaultValue\":\"All\",\"exportToExcelOptions\":\"visible\",\"title\":\"Threats, by subtypes\",\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"tiles\",\"tileSettings\":{\"titleContent\":{\"columnMatch\":\"threat_content_type\",\"formatter\":1,\"formatOptions\":{\"showIcon\":true}},\"leftContent\":{\"columnMatch\":\"Count\",\"formatter\":12,\"formatOptions\":{\"palette\":\"auto\",\"showIcon\":true},\"numberFormat\":{\"unit\":17,\"options\":{\"maximumSignificantDigits\":3,\"maximumFractionDigits\":2}}},\"secondaryContent\":{\"columnMatch\":\"Trend\",\"formatter\":9,\"formatOptions\":{\"palette\":\"blueDark\",\"showIcon\":true}},\"showBorder\":false}},\"customWidth\":\"33\",\"name\":\"Threats by subtypes\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let data = fluentbit_CL\\r\\n| where isnotempty(FirewallName_s)\\r\\n| where ident_s == 'THREAT'\\r\\n| where threat_content_type == 'wildfire';\\r\\ndata\\r\\n| summarize Count = count() by threat_content_name\\r\\n| join kind = inner (data\\r\\n | make-series Trend = count() default = 0 on TimeGenerated from {TimeRange:start} to {TimeRange:end} step {TimeRange:grain} by threat_content_name)\\r\\n on threat_content_name\\r\\n| project-away threat_content_name1, TimeGenerated\\r\\n| extend threat_content_names = threat_content_name\\r\\n| union (\\r\\n data \\r\\n | summarize Count = count() \\r\\n | extend jkey = 1\\r\\n | join kind=inner (data\\r\\n | make-series Trend = count() default = 0 on TimeGenerated from {TimeRange:start} to {TimeRange:end} step {TimeRange:grain}\\r\\n | extend jkey = 1) on jkey\\r\\n | 
extend threat_content_name = 'All', threat_content_names = '*' \\r\\n)\\r\\n| project threat_content_name, Count, Trend\\r\\n| order by Count desc\\r\\n| take 10\",\"size\":3,\"exportFieldName\":\"threat_content_name\",\"exportParameterName\":\"SelectedWildfire\",\"exportDefaultValue\":\"All\",\"exportToExcelOptions\":\"visible\",\"title\":\"WildFire verdicts\",\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"tiles\",\"tileSettings\":{\"titleContent\":{\"columnMatch\":\"threat_content_name\",\"formatter\":1,\"formatOptions\":{\"showIcon\":true}},\"leftContent\":{\"columnMatch\":\"Count\",\"formatter\":12,\"formatOptions\":{\"palette\":\"auto\",\"showIcon\":true},\"numberFormat\":{\"unit\":17,\"options\":{\"style\":\"decimal\",\"maximumFractionDigits\":2,\"maximumSignificantDigits\":3}}},\"secondaryContent\":{\"columnMatch\":\"Trend\",\"formatter\":9,\"formatOptions\":{\"palette\":\"blueDark\",\"showIcon\":true}},\"showBorder\":false}},\"customWidth\":\"33\",\"name\":\"WildFire verdicts\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let data = fluentbit_CL\\r\\n| where isnotempty(FirewallName_s)\\r\\n| where ident_s == 'THREAT' and threat_content_type != 'url' and threat_content_type != 'file';\\r\\ndata\\r\\n| summarize Count = count() by severity\\r\\n| join kind = inner (data\\r\\n | make-series Trend = count() default = 0 on TimeGenerated from {TimeRange:start} to {TimeRange:end} step {TimeRange:grain} by severity)\\r\\n on severity\\r\\n| project-away severity1, TimeGenerated\\r\\n| extend severitys = severity\\r\\n| union (\\r\\n data \\r\\n | summarize Count = count() \\r\\n | extend jkey = 1\\r\\n | join kind=inner (data\\r\\n | make-series Trend = count() default = 0 on TimeGenerated from {TimeRange:start} to {TimeRange:end} step {TimeRange:grain}\\r\\n | extend jkey = 1) on jkey\\r\\n | extend severity = 'All', 
severitys = '*' \\r\\n)\\r\\n| project severity, Count, Trend\\r\\n| order by Count desc\\r\\n| take 10\",\"size\":3,\"exportFieldName\":\"severity\",\"exportParameterName\":\"SelectedSeverity\",\"exportDefaultValue\":\"All\",\"exportToExcelOptions\":\"visible\",\"title\":\"Threats severity\",\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"tiles\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"severity\",\"formatter\":0,\"formatOptions\":{\"showIcon\":true}},{\"columnMatch\":\"Count\",\"formatter\":0,\"formatOptions\":{\"showIcon\":true}},{\"columnMatch\":\"Trend\",\"formatter\":9,\"formatOptions\":{\"palette\":\"lightBlue\",\"showIcon\":true}}]},\"tileSettings\":{\"titleContent\":{\"columnMatch\":\"severity\",\"formatter\":1,\"formatOptions\":{\"showIcon\":true}},\"leftContent\":{\"columnMatch\":\"Count\",\"formatter\":12,\"formatOptions\":{\"palette\":\"auto\",\"showIcon\":true},\"numberFormat\":{\"unit\":17,\"options\":{\"maximumSignificantDigits\":3,\"maximumFractionDigits\":2}}},\"secondaryContent\":{\"columnMatch\":\"Trend\",\"formatter\":9,\"formatOptions\":{\"palette\":\"blueDark\",\"showIcon\":true}},\"showBorder\":false}},\"customWidth\":\"33\",\"name\":\"Threats severity\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"fluentbit_CL\\n| where isnotempty(FirewallName_s)\\n| where ident_s == 'THREAT' and threat_content_type != 'url' and threat_content_type != 'file' and threat_content_type != 'wildfire'\\n| where '{SelectedSubtype}' == \\\"All\\\" or '{SelectedSubtype}' == threat_content_type\\n| where '{SelectedWildfire}' == \\\"All\\\" or '{SelectedWildfire}' == threat_content_name\\n| where '{SelectedSeverity}' == \\\"All\\\" or '{SelectedSeverity}' == severity\\n| summarize count() by bin(TimeGenerated, 1h), threat_content_type\\n| render 
timechart\\n\",\"size\":0,\"exportToExcelOptions\":\"visible\",\"title\":\"Threat subtypes over time\",\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"customWidth\":\"37.5\",\"name\":\"Threat subtypes over time\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"fluentbit_CL\\n| where isnotempty(FirewallName_s)\\n| where ident_s == 'THREAT' and threat_content_type != 'url' and threat_content_type != 'file' and threat_content_type != 'wildfire'\\n| where '{SelectedSubtype}' == \\\"All\\\" or '{SelectedSubtype}' == threat_content_type\\n| where '{SelectedWildfire}' == \\\"All\\\" or '{SelectedWildfire}' == threat_content_type\\n| where '{SelectedSeverity}' == \\\"All\\\" or '{SelectedSeverity}' == severity\\n| summarize count() by bin(TimeGenerated, 1h), severity\\n| render timechart\\n\",\"size\":0,\"exportToExcelOptions\":\"visible\",\"title\":\"Threat severity over time\",\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"customWidth\":\"37.5\",\"name\":\"Threat severity over time\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let data = fluentbit_CL\\r\\n| where isnotempty(FirewallName_s)\\r\\n| where ident_s == 'THREAT' and threat_content_type != 'url' and threat_content_type != 'file' and threat_content_type != 'wildfire'\\r\\n| where '{SelectedSubtype}' == \\\"All\\\" or '{SelectedSubtype}' == threat_content_type\\r\\n| where '{SelectedSeverity}' == \\\"All\\\" or '{SelectedSeverity}' == severity\\r\\n| summarize Count = count() by app = parse_json(Message).app\\r\\n| join kind = inner (data\\r\\n | make-series Trend = count() default = 0 on TimeGenerated from {TimeRange:start} to {TimeRange:end} step {TimeRange:grain} by app)\\r\\n on app\\r\\n| project-away app1, TimeGenerated\\r\\n| extend 
ApplicationProtocols = app\\r\\n| union (\\r\\n data \\r\\n | summarize Count = count() \\r\\n | extend jkey = 1\\r\\n | join kind=inner (data\\r\\n | make-series Trend = count() default = 0 on TimeGenerated from {TimeRange:start} to {TimeRange:end} step {TimeRange:grain}\\r\\n | extend jkey = 1) on jkey\\r\\n | extend app = 'All', ApplicationProtocols = '*' \\r\\n)\\r\\n| project ApplicationProtocol = app, Count, Trend\\r\\n| order by Count desc\\r\\n| take 10\",\"size\":0,\"exportToExcelOptions\":\"visible\",\"title\":\"Threats, by application\",\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"table\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"ApplicationProtocol\",\"formatter\":0,\"formatOptions\":{\"showIcon\":true}},{\"columnMatch\":\"Count\",\"formatter\":4,\"formatOptions\":{\"palette\":\"coldHot\",\"showIcon\":true}},{\"columnMatch\":\"Trend\",\"formatter\":9,\"formatOptions\":{\"showIcon\":true}}]},\"tileSettings\":{\"titleContent\":{\"columnMatch\":\"ApplicationProtocol\",\"formatter\":1,\"formatOptions\":{\"showIcon\":true}},\"leftContent\":{\"columnMatch\":\"Count\",\"formatter\":12,\"formatOptions\":{\"palette\":\"auto\",\"showIcon\":true},\"numberFormat\":{\"unit\":17,\"options\":{\"maximumSignificantDigits\":3,\"maximumFractionDigits\":2}}},\"secondaryContent\":{\"columnMatch\":\"Trend\",\"formatter\":9,\"formatOptions\":{\"palette\":\"blueDark\",\"showIcon\":true}},\"showBorder\":false}},\"customWidth\":\"25\",\"name\":\"Threats by application\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"fluentbit_CL\\n| where isnotempty(FirewallName_s)\\n| where ident_s == 'THREAT'\\n| where '{SelectedSubtype}' == \\\"All\\\" or '{SelectedSubtype}' == threat_content_type\\n| where '{SelectedWildfire}' == \\\"All\\\" or '{SelectedWildfire}' == threat_content_type\\n| where '{SelectedSeverity}' == \\\"All\\\" 
or '{SelectedSeverity}' == severity\\n| project TimeGenerated, LogSeverity=severity, DeviceAction=action, ['URL Category'] = category, DestinationPort=dport, DestinationIP=dst, Message, SourcePort=sport, SourceIP=src_ip, DestinationUserID\",\"size\":0,\"exportToExcelOptions\":\"visible\",\"title\":\"Threat events\",\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"gridSettings\":{\"filter\":true}},\"name\":\"All Threat Events\"},{\"type\":1,\"content\":{\"json\":\"---\"},\"name\":\"text - 11\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"fluentbit_CL\\n| where isnotempty(FirewallName_s)\\n| where ident_s == 'THREAT'\\n| where Message.threat_content_type =~ 'vulnerability' or Message.threat_content_type =~ 'wildfire'\\n| extend ThreatId = coalesce(\\n column_ifexists(\\\"Message.threat_content_name\\\", \\\"\\\"),\\n extract('cat=([^;]+)',1,Message),\\n \\\"\\\"\\n )\\n| summarize Amount=count() by ThreatId, Message.severity\\n| top 20 by Amount\",\"size\":0,\"exportToExcelOptions\":\"visible\",\"title\":\"Top vulnerability events\",\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"ThreatId\",\"formatter\":0,\"formatOptions\":{\"showIcon\":true}},{\"columnMatch\":\"Message.severity\",\"formatter\":0,\"formatOptions\":{\"showIcon\":true}},{\"columnMatch\":\"Amount\",\"formatter\":4,\"formatOptions\":{\"palette\":\"coldHot\",\"showIcon\":true}},{\"columnMatch\":\"count_\",\"formatter\":4,\"formatOptions\":{\"palette\":\"coldHot\",\"showIcon\":true}}],\"filter\":true}},\"customWidth\":\"50\",\"name\":\"Top vulnerability events\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"fluentbit_CL\\n| where isnotempty(FirewallName_s)\\n| where ident_s == 'THREAT'\\n| search 
threat_content_type in ('virus', 'wildfire', 'wildfire-virus')\\n| summarize Amount=count() by Message, threat_content_type, Message.dst, Message.src_ip, Message.app\\n| top 20 by Amount\",\"size\":0,\"exportToExcelOptions\":\"visible\",\"title\":\"Virus and malware events\",\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"Message\",\"formatter\":0,\"formatOptions\":{\"showIcon\":true}},{\"columnMatch\":\"threat_content_type\",\"formatter\":0,\"formatOptions\":{\"showIcon\":true}},{\"columnMatch\":\"Message.dst\",\"formatter\":0,\"formatOptions\":{\"showIcon\":true}},{\"columnMatch\":\"Message.src_ip\",\"formatter\":0,\"formatOptions\":{\"showIcon\":true}},{\"columnMatch\":\"Message.app\",\"formatter\":0,\"formatOptions\":{\"showIcon\":true}},{\"columnMatch\":\"Amount\",\"formatter\":4,\"formatOptions\":{\"palette\":\"coldHot\",\"showIcon\":true}}],\"filter\":true}},\"customWidth\":\"50\",\"name\":\"Virus and malware events\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"fluentbit_CL\\n| where isnotempty(FirewallName_s)\\n| where ident_s == 'THREAT'\\n| extend ThreatId = coalesce(\\n tostring(Message.threat_content_type),\\n \\\"\\\"\\n )\\n| extend ThreatCategory = tostring(Message.threat_category)\\n| summarize Amount=count() by ThreatId, ThreatCategory, Message.severity\\n| top 20 by Amount\",\"size\":0,\"exportToExcelOptions\":\"visible\",\"title\":\"Top correlation 
events\",\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"table\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"ThreatId\",\"formatter\":0,\"formatOptions\":{\"showIcon\":true}},{\"columnMatch\":\"ThreatCategory\",\"formatter\":0,\"formatOptions\":{\"showIcon\":true}},{\"columnMatch\":\"severity\",\"formatter\":0,\"formatOptions\":{\"showIcon\":true}},{\"columnMatch\":\"Amount\",\"formatter\":4,\"formatOptions\":{\"palette\":\"coldHot\",\"showIcon\":true}}]}},\"name\":\"Top correlation events\"}],\"fromTemplateId\":\"sentinel-PaloAltoNetworkThreat\",\"$schema\":\"https://github.com/Microsoft/Application-Insights-Workbooks/blob/master/schema/workbook.json\"}\r\n", + "serializedData": "{\"version\":\"Notebook/1.0\",\"items\":[{\"type\":1,\"content\":{\"json\":\"## Azure CloudNGFW By Palo Alto Networks - Network Threat\\n\"},\"name\":\"text - 2\"},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"d0ccb5c6-8a07-4b7e-9abf-38fa4dcc0baf\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"TimeRange\",\"type\":4,\"isRequired\":true,\"value\":{\"durationMs\":7776000000},\"typeSettings\":{\"selectableValues\":[{\"durationMs\":300000},{\"durationMs\":900000},{\"durationMs\":1800000},{\"durationMs\":3600000},{\"durationMs\":14400000},{\"durationMs\":43200000},{\"durationMs\":86400000},{\"durationMs\":172800000},{\"durationMs\":259200000},{\"durationMs\":604800000},{\"durationMs\":1209600000},{\"durationMs\":2419200000},{\"durationMs\":2592000000},{\"durationMs\":5184000000},{\"durationMs\":7776000000}],\"allowCustom\":true}},{\"id\":\"a2094f99-1479-450e-8a18-e9677a18fdaf\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"SubType\",\"label\":\"Sub Type\",\"type\":2,\"isRequired\":true,\"multiSelect\":true,\"quote\":\"'\",\"delimiter\":\",\",\"query\":\"fluentbit_CL\\n| where isnotempty(FirewallName_s)\\n| where 
ident_s =~ \\\"THREAT\\\"\\n| extend message = parse_json(Message)\\n| where isnotempty(message.sub_type)\\n| distinct tostring(message.sub_type)\",\"typeSettings\":{\"additionalResourceOptions\":[\"value::all\"],\"selectAllValue\":\"All\",\"showDefault\":false},\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"value\":[\"value::all\"]},{\"id\":\"51f92c36-ed03-408d-b392-11a1ae74aff3\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"Severity\",\"type\":2,\"isRequired\":true,\"multiSelect\":true,\"quote\":\"'\",\"delimiter\":\",\",\"query\":\"fluentbit_CL\\n| where isnotempty(FirewallName_s)\\n| where ident_s =~ \\\"THREAT\\\"\\n| extend message = parse_json(Message)\\n| where isnotempty(message.sub_type)\\n| distinct tostring(message.severity)\",\"typeSettings\":{\"additionalResourceOptions\":[\"value::all\"],\"selectAllValue\":\"All\"},\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"value\":[\"value::all\"]}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"parameters - 1\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let UrlThreats = fluentbit_CL\\r\\n | extend message = parse_json(Message)\\r\\n | where isnotempty(message.url_category_list)\\r\\n | where ident_s =~ 'THREAT'\\r\\n | project FirewallName_s, ident_s, message.url_category_list\\r\\n | summarize Count = count(), FirewallName = any(FirewallName_s) by tostring(message_url_category_list);\\r\\n\\r\\nlet Threats = fluentbit_CL\\r\\n| extend message = parse_json(Message)\\r\\n| where isnotempty(message.sub_type)\\r\\n| where ident_s =~ 'THREAT'\\r\\n| project FirewallName_s, ident_s, message.sub_type, message.threat_category\\r\\n| summarize Count = count(), FirewallName = any(FirewallName_s) by tostring(message_threat_category);\\r\\n\\r\\nUrlThreats \\r\\n| union Threats\\r\\n| extend Threat = strcat(message_url_category_list, \\\" \\\", 
message_threat_category)\\r\\n| project FirewallName, Threat, Count\",\"size\":3,\"title\":\"Threats, by subtypes\",\"timeContextFromParameter\":\"TimeRange\",\"exportFieldName\":\"threat_content_type\",\"exportParameterName\":\"SelectedSubtype\",\"exportDefaultValue\":\"All\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"tiles\",\"tileSettings\":{\"titleContent\":{\"columnMatch\":\"Threat\",\"formatter\":1},\"leftContent\":{\"columnMatch\":\"Count\",\"formatter\":12,\"formatOptions\":{\"palette\":\"auto\"},\"numberFormat\":{\"unit\":17,\"options\":{\"maximumSignificantDigits\":3,\"maximumFractionDigits\":2}}},\"showBorder\":false}},\"customWidth\":\"50\",\"name\":\"Threats by subtypes\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let data = fluentbit_CL\\r\\n| where isnotempty(FirewallName_s)\\r\\n| extend message = parse_json(Message)\\r\\n| where ident_s == 'THREAT' and isnotempty(message.sub_type);\\r\\ndata\\r\\n| summarize Count = count() by tostring(message.severity)\\r\\n| join kind = inner (data\\r\\n | make-series Trend = count() default = 0 on TimeGenerated from {TimeRange:start} to {TimeRange:end} step {TimeRange:grain} by tostring(message.severity))\\r\\n on message_severity\\r\\n| project-away message_severity1, TimeGenerated\\r\\n| extend message_severities = message_severity\\r\\n| union (\\r\\n data \\r\\n | summarize Count = count() \\r\\n | extend jkey = 1\\r\\n | join kind=inner (data\\r\\n | make-series Trend = count() default = 0 on TimeGenerated from {TimeRange:start} to {TimeRange:end} step {TimeRange:grain}\\r\\n | extend jkey = 1) on jkey\\r\\n | extend message_severity = 'All', messsage_severities = '*' \\r\\n)\\r\\n| project message_severity, Count, Trend\\r\\n| order by Count desc\\r\\n| take 10\",\"size\":3,\"title\":\"Threats 
severity\",\"timeContextFromParameter\":\"TimeRange\",\"exportFieldName\":\"severity\",\"exportParameterName\":\"SelectedSeverity\",\"exportDefaultValue\":\"All\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"tiles\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"Trend\",\"formatter\":9,\"formatOptions\":{\"palette\":\"lightBlue\",\"showIcon\":true}}]},\"tileSettings\":{\"titleContent\":{\"columnMatch\":\"message_severity\",\"formatter\":1},\"leftContent\":{\"columnMatch\":\"Count\",\"formatter\":12,\"formatOptions\":{\"palette\":\"auto\"},\"numberFormat\":{\"unit\":17,\"options\":{\"maximumSignificantDigits\":3,\"maximumFractionDigits\":2}}},\"showBorder\":false}},\"customWidth\":\"50\",\"name\":\"Threats severity\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"fluentbit_CL\\n| where isnotempty(FirewallName_s)\\n| extend message = parse_json(Message)\\n| where ident_s == 'THREAT' and isnotempty(message.sub_type)\\n| where \\\"{SubType:label}\\\" == \\\"All\\\" or message.sub_type in ({SubType})\\n| where \\\"{Severity:label}\\\" == \\\"All\\\" or message.severity in ({Severity})\\n| summarize count() by bin(TimeGenerated, 1h), tostring(message.sub_type)\\n| render timechart\\n\",\"size\":0,\"title\":\"Threat subtypes over time\",\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"customWidth\":\"37.5\",\"name\":\"Threat subtypes over time\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"fluentbit_CL\\n| where isnotempty(FirewallName_s)\\n| where ident_s == 'THREAT'\\n| extend message = parse_json(Message)\\n| where '{SubType:label}' == \\\"All\\\" or message.sub_type in ({SubType})\\n| where '{Severity:label}' == \\\"All\\\" or message.severity in ({Severity})\\n| summarize count() by bin(TimeGenerated, 1h), tostring(message.severity)\\n| render timechart\\n\",\"size\":0,\"title\":\"Threat severity 
over time\",\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"customWidth\":\"37.5\",\"name\":\"Threat severity over time\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"fluentbit_CL\\r\\n| extend message = parse_json(Message)\\r\\n| where isnotempty(message.sub_type)\\r\\n| where ident_s =~ 'THREAT'\\r\\n| project TimeGenerated,FirewallName_s, ident_s, message.sub_type, message.threat_category, message.app\\r\\n| summarize Count = count() by bin(TimeGenerated, 1h), tostring(message_app)\\r\\n| render timechart \",\"size\":0,\"title\":\"Threats, by application\",\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"linechart\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"Count\",\"formatter\":4,\"formatOptions\":{\"palette\":\"coldHot\",\"showIcon\":true}},{\"columnMatch\":\"Trend\",\"formatter\":9,\"formatOptions\":{\"showIcon\":true}}]},\"tileSettings\":{\"titleContent\":{\"columnMatch\":\"ApplicationProtocol\",\"formatter\":1,\"formatOptions\":{\"showIcon\":true}},\"leftContent\":{\"columnMatch\":\"Count\",\"formatter\":12,\"formatOptions\":{\"palette\":\"auto\",\"showIcon\":true},\"numberFormat\":{\"unit\":17,\"options\":{\"maximumSignificantDigits\":3,\"maximumFractionDigits\":2}}},\"secondaryContent\":{\"columnMatch\":\"Trend\",\"formatter\":9,\"formatOptions\":{\"palette\":\"blueDark\",\"showIcon\":true}},\"showBorder\":false}},\"customWidth\":\"25\",\"name\":\"Threats by application\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"fluentbit_CL\\n| extend message = parse_json(Message)\\n| where isnotempty(FirewallName_s)\\n| where ident_s == 'THREAT'\\n| project TimeGenerated, FirewallName=FirewallName_s, LogSeverity=message.severity, DeviceAction=message.action, ['Threat Category'] = message.threat_category, App=message.app, SourceIP=message.src_ip, 
SourcePort=message.sport, DestinationIP=message.dst, DestinationPort=message.dport\",\"size\":0,\"title\":\"Threat events\",\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"gridSettings\":{\"filter\":true}},\"name\":\"All Threat Events\"},{\"type\":1,\"content\":{\"json\":\"---\"},\"name\":\"text - 11\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"fluentbit_CL\\n| where isnotempty(FirewallName_s)\\n| where ident_s == 'THREAT'\\n| extend message = parse_json(Message)\\n| where message.sub_type =~ 'vulnerability' or message.sub_content_type =~ 'wildfire'\\n| extend ThreatId = coalesce(\\n column_ifexists(\\\"threat_content_name\\\", \\\"\\\"),\\n extract(\\\"\\\\\\\\((.*?)\\\\\\\\)\\\",1,tostring(message.threat_content_name)),\\n \\\"\\\"\\n )\\n| summarize Amount=count() by ThreatId, tostring(message.severity)\\n| top 20 by Amount\",\"size\":0,\"title\":\"Top vulnerability events\",\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"Amount\",\"formatter\":4,\"formatOptions\":{\"palette\":\"coldHot\",\"showIcon\":true}},{\"columnMatch\":\"count_\",\"formatter\":4,\"formatOptions\":{\"palette\":\"coldHot\",\"showIcon\":true}}],\"filter\":true}},\"customWidth\":\"100\",\"name\":\"Top vulnerability events\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"fluentbit_CL\\n| where isnotempty(FirewallName_s)\\n| where ident_s == 'THREAT'\\n| extend message = parse_json(Message)\\n| extend ThreatId = coalesce(\\n column_ifexists(\\\"threat_content_name\\\", \\\"\\\"),\\n extract(\\\"\\\\\\\\((.*?)\\\\\\\\)\\\",1,tostring(message.threat_content_name)),\\n \\\"\\\"\\n )\\n| extend ThreatCategory = tostring(message.threat_category)\\n| summarize Amount=count() by ThreatId, ThreatCategory, tostring(message.severity)\\n| top 20 by 
Amount\",\"size\":0,\"title\":\"Top correlation events\",\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"table\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"Amount\",\"formatter\":4,\"formatOptions\":{\"palette\":\"coldHot\",\"showIcon\":true}}]}},\"name\":\"Top correlation events\"}],\"fromTemplateId\":\"sentinel-PaloAltoNetworkThreat\",\"$schema\":\"https://github.com/Microsoft/Application-Insights-Workbooks/blob/master/schema/workbook.json\"}\r\n", "version": "1.0", "sourceId": "[variables('workspaceResourceId')]", "category": "sentinel" @@ -792,7 +792,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "CloudNGFW-UnusualThreatSignatures_AnalyticalRules Analytics Rule with template version 3.0.1", + "description": "CloudNGFW-UnusualThreatSignatures_AnalyticalRules Analytics Rule with template version 3.0.2", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('analyticRuleObject1').analyticRuleVersion1]", 
@@ -809,7 +809,7 @@ "description": "Identifies Palo Alto Threat signatures from unusual IP addresses which are not historically seen. \nThis detection is also leveraged and required for MDE and PAN Fusion scenario\nhttps://docs.microsoft.com/Azure/sentinel/fusion-scenario-reference#network-request-to-tor-anonymization-service-followed-by-anomalous-traffic-flagged-by-palo-alto-networks-firewall", "displayName": "CloudNGFW By Palo Alto Networks - Threat signatures from Unusual IP addresses", "enabled": false, - "query": "let starttime = 7d;\nlet endtime = 1d;\nlet timeframe = 1h;\nlet HistThreshold = 25; \nlet CurrThreshold = 10; \nlet HistoricalThreats = fluentbit_CL\n| where ident_s == \"THREAT\"\n| where isnotempty(parse_json(Message).src_ip)\n| where TimeGenerated between (startofday(ago(starttime))..startofday(ago(endtime)))\n| where parse_json(Message).threat_content_type in ('spyware', 'scan', 'file', 'vulnerability', 'flood', 'packet', 'virus','wildfire', 'wildfire-virus')\n| extend src_ip = tostring(parse_json(Message).src_ip)\n| summarize TotalEvents = count(), ThreatTypes = make_set(parse_json(Message).threat_content_type), DestinationIpList = make_set(parse_json(Message).dst), FirstSeen = min(TimeGenerated) , LastSeen = max(TimeGenerated) by src_ip, parse_json(Message).action, FirewallName_s;\nlet CurrentHourThreats = fluentbit_CL\n| where ident_s == \"THREAT\"\n| where isnotempty(parse_json(Message).src_ip)\n| where TimeGenerated > ago(timeframe)\n| where parse_json(Message).threat_content_type in ('spyware', 'scan', 'file', 'vulnerability', 'flood', 'packet', 'virus','wildfire', 'wildfire-virus')\n| extend src_ip = tostring(parse_json(Message).src_ip)\n| summarize TotalEvents = count(), ThreatTypes = make_set(parse_json(Message).threat_content_type), DestinationIpList = make_set(parse_json(Message).dst), FirstSeen = min(TimeGenerated) , LastSeen = max(TimeGenerated) by src_ip, parse_json(Message).action, FirewallName_s;\nCurrentHourThreats \n| where 
TotalEvents < CurrThreshold\n| join kind = leftanti (HistoricalThreats \n| where TotalEvents > HistThreshold) on src_ip\n", + "query": "let starttime = 7d;\nlet endtime = 1d;\nlet timeframe = 1h;\nlet HistThreshold = 25; \nlet CurrThreshold = 10; \nlet HistoricalThreats = fluentbit_CL\n| where ident_s == \"THREAT\"\n| extend message = parse_json(Message)\n| where isnotempty(message.src_ip)\n| where TimeGenerated between (startofday(ago(starttime))..startofday(ago(endtime)))\n| where message.sub_type in ('spyware', 'scan', 'file', 'vulnerability', 'flood', 'packet', 'virus','wildfire', 'wildfire-virus')\n| extend src_ip = tostring(message.src_ip)\n| summarize TotalEvents = count(), ThreatTypes = make_set(message.sub_type), DestinationIpList = make_set(message.dst), FirstSeen = min(TimeGenerated) , LastSeen = max(TimeGenerated) by src_ip, tostring(message.action), FirewallName_s;\nlet CurrentHourThreats = fluentbit_CL\n| where ident_s == \"THREAT\"\n| extend message = parse_json(Message)\n| where isnotempty(message.src_ip)\n| where TimeGenerated > ago(timeframe)\n| where message.sub_type in ('spyware', 'scan', 'file', 'vulnerability', 'flood', 'packet', 'virus','wildfire', 'wildfire-virus')\n| extend src_ip = tostring(message.src_ip)\n| summarize TotalEvents = count(), ThreatTypes = make_set(message.sub_type), DestinationIpList = make_set(message.dst), FirstSeen = min(TimeGenerated) , LastSeen = max(TimeGenerated) by src_ip, tostring(message.action), FirewallName_s;\nCurrentHourThreats \n| where TotalEvents < CurrThreshold\n| join kind = leftanti (HistoricalThreats \n| where TotalEvents > HistThreshold) on src_ip\n", "queryFrequency": "PT1H", "queryPeriod": "P7D", "severity": "Medium", @@ -820,10 +820,10 @@ "status": "Available", "requiredDataConnectors": [ { - "connectorId": "AzureCloudNGFWByPaloAltoNetworks", "dataTypes": [ "fluentbit_CL" - ] + ], + "connectorId": "AzureCloudNGFWByPaloAltoNetworks" } ], "tactics": [ 
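Review bot: The new filter `| where message.sub_type in ('spyware', 'scan', ...)` and the aggregation `make_set(message.sub_type)` operate on a dynamic value, while every other field in the same query is normalised first (`tostring(message.src_ip)`, `tostring(message.action)`); extending once with `| extend SubType = tostring(message.sub_type)` and using `SubType` in the `where`, the `make_set` and as a group key keeps type handling uniform instead of relying on implicit dynamic-to-string comparison. Separately, HistoricalThreats starts at `startofday(ago(starttime))` with `starttime = 7d`, which can reach back almost a day further than the rule's `"queryPeriod": "P7D"` supplies, so the oldest part of the baseline is silently absent from the leftanti join; either align the lookback with the data window or raise queryPeriod to `P8D`. Both points apply to the removed query as well and are carried over unchanged.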
@@ -841,13 +841,13 @@ ], "entityMappings": [ { - "entityType": "IP", "fieldMappings": [ { - "columnName": "src_ip", - "identifier": "Address" + "identifier": "Address", + "columnName": "src_ip" } - ] + ], + "entityType": "IP" } ] } @@ -903,7 +903,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "CloudNGFW-NetworkBeaconing_AnalyticalRules Analytics Rule with template version 3.0.1", + "description": "CloudNGFW-NetworkBeaconing_AnalyticalRules Analytics Rule with template version 3.0.2", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('analyticRuleObject2').analyticRuleVersion2]", @@ -931,10 +931,10 @@ "status": "Available", "requiredDataConnectors": [ { - "connectorId": "AzureCloudNGFWByPaloAltoNetworks", "dataTypes": [ "fluentbit_CL" - ] + ], + "connectorId": "AzureCloudNGFWByPaloAltoNetworks" } ], "tactics": [ @@ -946,30 +946,30 @@ ], "entityMappings": [ { - "entityType": "Host", "fieldMappings": [ { - "columnName": "FirewallName_s", - "identifier": "FullName" + "identifier": "FullName", + "columnName": "FirewallName_s" }, { - "columnName": "HostName", - "identifier": "HostName" + "identifier": "HostName", + "columnName": "HostName" }, { - "columnName": "HostNameDomain", - "identifier": "DnsDomain" + "identifier": "DnsDomain", + "columnName": "HostNameDomain" } - ] + ], + "entityType": "Host" }, { - "entityType": "IP", "fieldMappings": [ { - "columnName": "IPAddress", - "identifier": "Address" + "identifier": "Address", + "columnName": "IPAddress" } - ] + ], + "entityType": "IP" } ] } 
@@ -1025,7 +1025,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "CloudNGFW-PortScanning_AnalyticalRules Analytics Rule with template version 3.0.1", + "description": "CloudNGFW-PortScanning_AnalyticalRules Analytics Rule with template version 3.0.2", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('analyticRuleObject3').analyticRuleVersion3]", 
@@ -1042,7 +1042,7 @@ "description": "Identifies a list of internal Source IPs (10.x.x.x Hosts) that have triggered 10 or more non-graceful tcp server resets from one or more Destination IPs which results in an \"app = incomplete\" designation. The server resets coupled with an \"Incomplete\" app designation can be an indication of internal to external port scanning or probing attack.\nReferences: https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClUvCAK\nhttps://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClTaCAK", "displayName": "CloudNGFW By Palo Alto Networks - possible internal to external port scanning", "enabled": false, - "query": "fluentbit_CL\n| where ident_s == \"TRAFFIC\"\n| extend DestinationPort = tostring(parse_json(Message).dport)\n| where isnotempty(DestinationPort) and parse_json(Message).action !in (\"reset-both\", \"deny\")\n| where DestinationPort !in (\"443\", \"53\", \"389\", \"80\", \"0\", \"880\", \"8888\", \"8080\")\n| where parse_json(Message).app == \"incomplete\"\n| where toint(DestinationPort) !between (49512 .. 
65535)\n| where isnotempty(FirewallName_s)\n| where parse_json(Message).dst_ip !startswith \"10.\"\n| extend Reason = coalesce(column_ifexists(\"Reason\", \"\"), tostring(parse_json(Message).session_end_reason), \"\")\n| where Reason !has \"aged-out\"\n| where Reason !has \"tcp-fin\"\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), count() by FirewallName_s, tostring(parse_json(Message).src_ip), tostring(parse_json(Message).app), Reason, DestinationPort, tostring(parse_json(Message).proto), ident_s, tostring(parse_json(Message).action), tostring(parse_json(Message).dst_ip),Message\n| where count_ >= 10\n| summarize StartTime = min(StartTime), EndTime = max(EndTime), makeset(parse_json(Message).dst_ip), totalcount = sum(count_) by FirewallName_s, tostring(parse_json(Message).src_ip), tostring(parse_json(Message).app), Reason, DestinationPort, tostring(parse_json(Message).proto), ident_s, tostring(parse_json(Message).action),Message\n| extend IPAddress = tostring(parse_json(Message).src_ip)\n| extend HostName = tostring(split(FirewallName_s, \".\")[0]), DomainIndex = toint(indexof(FirewallName_s, '.'))\n| extend HostNameDomain = iff(DomainIndex != -1, substring(FirewallName_s, DomainIndex + 1), FirewallName_s)\n", + "query": "fluentbit_CL\n| where ident_s == \"TRAFFIC\"\n| where isnotempty(FirewallName_s)\n| extend message = parse_json(Message)\n| extend DestinationPort = tostring(message.dport)\n| extend SourceIP = tostring(message.src_ip)\n| extend DestinationIP = tostring(message.dst_ip)\n| extend Application = tostring(message.app)\n| extend Protocol = tostring(message.proto)\n| extend Action = tostring(message.action)\n| where isnotempty(DestinationPort) and message.action !in (\"reset-both\", \"deny\")\n| where DestinationPort !in (\"443\", \"53\", \"389\", \"80\", \"0\", \"880\", \"8888\", \"8080\")\n| where message.app == \"incomplete\"\n| where toint(DestinationPort) !between (49512 .. 
65535)\n| where message.dst_ip !startswith \"10.\"\n| extend Reason = coalesce(column_ifexists(\"Reason\", \"\"), tostring(message.session_end_reason), \"\")\n| where Reason !has \"aged-out\"\n| where Reason !has \"tcp-fin\"\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), count() by FirewallName_s, SourceIP, Application, Reason, DestinationPort, Protocol, ident_s, Action, DestinationIP\n| where count_ >= 10\n| summarize StartTime = min(StartTime), EndTime = max(EndTime), makeset(DestinationIP), totalcount = sum(count_) by FirewallName_s, SourceIP, Application, Reason, DestinationPort, Protocol, ident_s, Action\n| extend IPAddress = SourceIP\n| extend HostName = tostring(split(FirewallName_s, \".\")[0]), DomainIndex = toint(indexof(FirewallName_s, '.'))\n| extend HostNameDomain = iff(DomainIndex != -1, substring(FirewallName_s, DomainIndex + 1), FirewallName_s)\n", "queryFrequency": "PT1H", "queryPeriod": "PT1H", "severity": "Low", @@ -1053,10 +1053,10 @@ "status": "Available", "requiredDataConnectors": [ { - "connectorId": "AzureCloudNGFWByPaloAltoNetworks", "dataTypes": [ "fluentbit_CL" - ] + ], + "connectorId": "AzureCloudNGFWByPaloAltoNetworks" } ], "tactics": [ @@ -1067,30 +1067,30 @@ ], "entityMappings": [ { - "entityType": "Host", "fieldMappings": [ { - "columnName": "FirewallName_s", - "identifier": "FullName" + "identifier": "FullName", + "columnName": "FirewallName_s" }, { - "columnName": "HostName", - "identifier": "HostName" + "identifier": "HostName", + "columnName": "HostName" }, { - "columnName": "HostNameDomain", - "identifier": "DnsDomain" + "identifier": "DnsDomain", + "columnName": "HostNameDomain" } - ] + ], + "entityType": "Host" }, { - "entityType": "IP", "fieldMappings": [ { - "columnName": "IPAddress", - "identifier": "Address" + "identifier": "Address", + "columnName": "IPAddress" } - ] + ], + "entityType": "IP" } ] } 
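Review bot: `DestinationIP = tostring(message.dst_ip)` and `| where message.dst_ip !startswith "10."` read a field named `dst_ip`, whereas the workbook query and the UnusualThreatSignatures rule in this same series read the destination address as `message.dst`; if the fluentbit record carries only one of the two names, an empty `dst_ip` makes `!startswith "10."` true for every row and `makeset(DestinationIP)` comes back empty, so the field name should be confirmed against the actual schema. The exclusion `toint(DestinationPort) !between (49512 .. 65535)` is also carried over unchanged; 49512 looks like a transposition of 49152, the start of the IANA dynamic/ephemeral range, which would leave ports 49152–49511 treated as non-ephemeral — worth confirming the intent. Minor: `makeset()` is the legacy alias of `make_set()`, and since `Action`, `Application` and `DestinationIP` are now extended columns the remaining `message.action`, `message.app` and `message.dst_ip` predicates could use them directly.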
@@ -1142,12 +1142,12 @@ "apiVersion": "2023-04-01-preview", "location": "[parameters('workspace-location')]", "properties": { - "version": "3.0.1", + "version": "3.0.2", "kind": "Solution", "contentSchemaVersion": "3.0.0", "displayName": "Azure Cloud NGFW By Palo Alto Networks", "publisherDisplayName": "Palo Alto Networks", - "descriptionHtml": "

Note: Please refer to the following before installing the solution:

\n

• Review the solution Release Notes

\n

• There may be known issues pertaining to this Solution, please refer to them before installing.

\n

The Azure Cloud NGFW By Palo Alto Networks Solution for Microsoft Sentinel allows you to easily connect your Cloud NGFW logs with Microsoft Sentinel, to view dashboards, create custom alerts, and improve investigation. This gives you more insight into your organization's network and improves your security operation capabilities. This solution also contains playbooks to help in automated remediation.

\n

Underlying Microsoft Technologies used:

\n

This solution takes a dependency on the following technologies, and some of these dependencies either may be in Preview state or might result in additional ingestion or operational costs:

\n
    \n
  1. Agent-based log collection (CEF over Syslog)
  2. \n
\n

Data Connectors: 1, Workbooks: 2, Analytic Rules: 3, Hunting Queries: 2

\n

Learn more about Microsoft Sentinel | Learn more about Solutions

\n", + "descriptionHtml": "

Note: Please refer to the following before installing the solution:

\n

• Review the solution Release Notes

\n

• There may be known issues pertaining to this Solution, please refer to them before installing.

\n

The Azure Cloud NGFW By Palo Alto Networks Solution for Microsoft Sentinel allows you to easily connect your Cloud NGFW logs with Microsoft Sentinel, to view dashboards, create custom alerts, and improve investigation. This gives you more insight into your organization's network and improves your security operation capabilities. This solution also contains playbooks to help in automated remediation.

\n

Underlying Microsoft Technologies used:

\n

This solution takes a dependency on the following technologies, and some of these dependencies either may be in Preview state or might result in additional ingestion or operational costs:

\n
    \n
  1. Agent-based log collection (CEF over Syslog)
  2. \n
\n

Data Connectors: 1, Workbooks: 2, Analytic Rules: 3, Hunting Queries: 2

\n

Learn more about Microsoft Sentinel | Learn more about Solutions

\n", "contentKind": "Solution", "contentProductId": "[variables('_solutioncontentProductId')]", "id": "[variables('_solutioncontentProductId')]",
From a994257a918fe7affa7d5d9ade56c26ef9d581f8 Mon Sep 17 00:00:00 2001
From: v-prasadboke
Date: Thu, 9 Jan 2025 23:08:32 +0530
Subject: [PATCH 5/5] Analytic rules version corrected
---
 .../CloudNGFW-PortScanning.yaml | 2 +-
 .../CloudNGFW-UnusualThreatSignatures.yaml | 2 +-
 .../Package/3.0.2.zip | Bin 20304 -> 20299 bytes
 .../Package/mainTemplate.json | 8 ++++----
 4 files changed, 6 insertions(+), 6 deletions(-)
diff --git a/Solutions/Azure Cloud NGFW by Palo Alto Networks/Analytic Rules/CloudNGFW-PortScanning.yaml b/Solutions/Azure Cloud NGFW by Palo Alto Networks/Analytic Rules/CloudNGFW-PortScanning.yaml
index c4cc7a59078..5617f7c97f7 100644
--- a/Solutions/Azure Cloud NGFW by Palo Alto Networks/Analytic Rules/CloudNGFW-PortScanning.yaml
+++ b/Solutions/Azure Cloud NGFW by Palo Alto Networks/Analytic Rules/CloudNGFW-PortScanning.yaml
@@ -56,5 +56,5 @@ entityMappings: fieldMappings: - identifier: Address columnName: IPAddress
-version: 1.0.5
+version: 1.0.6
 kind: Scheduled
\ No newline at end of file
diff --git a/Solutions/Azure Cloud NGFW by Palo Alto Networks/Analytic Rules/CloudNGFW-UnusualThreatSignatures.yaml b/Solutions/Azure Cloud NGFW by Palo Alto Networks/Analytic Rules/CloudNGFW-UnusualThreatSignatures.yaml
index ec4bb81b61b..3ee6a17fd06 100644
--- a/Solutions/Azure Cloud NGFW by Palo Alto Networks/Analytic Rules/CloudNGFW-UnusualThreatSignatures.yaml
+++ b/Solutions/Azure Cloud NGFW by Palo Alto Networks/Analytic Rules/CloudNGFW-UnusualThreatSignatures.yaml
@@ -55,5 +55,5 @@ entityMappings: fieldMappings: - identifier: Address columnName: src_ip
-version: 1.0.1
+version: 1.0.2
 kind: Scheduled 
diff --git a/Solutions/Azure Cloud NGFW by Palo Alto Networks/Package/3.0.2.zip b/Solutions/Azure Cloud NGFW by Palo Alto Networks/Package/3.0.2.zip index c8b0f51f4e5beb80806f275454bfdfef25da8d17..63bf1764b67356be6c31b56068c2705b2abf90b0 100644 GIT binary patch delta 10815 zcmZviRZtuX(52DAU4z>|aF^f&3+@u!-Gci7g9Ue&L4vyk5AN;L z(y;%-1-awSq}%qQxgEaI{E{*&!cTjAgY=C2u47WduT}_~>Sxf{YG80hTmZj(9R-6f z-QzjaIT~I*v=8in>Z!SsTN(Q`LvOOUYQX8-#+FN&S7wC>_19X44R}3tCuLVQF|^u; zE=S%gw~bCQ3NuS&`IKVKs>2-gI5}l%J>7J!y?nN=UAuTHxEZ`YpH$Z@h@xZLEr_Cz zCDpemQxEfBqtcf;M3>-FN`umJl<1P3e6?kOOE2Bg6<|Np{Gik#vI1^ia_DO-_c5Vp z%?*bB7K{rhJL)@MlxvlL{ja=>(-}D8qb0b!{*`N;%Rs>0(nxYyYm~#U!vQs!{V|bl z&8T%UXw!{YT3X(vv!48s)X1moYVVmOgye|0v;JV*^92Q+X6NY+!*A^1B;Fc(+k0&C zF(vu%-?iVElE7b55#?tVT8Lomx}B37Wawv)T2|Q@3sOqM6SlkXnOd~iSB&X$D8s`d za-3EXHa?kZ!T9#>`D}WI2M367yCwVVU0>DskC|Pv>$f8|vXzifHsAUI*gid;aJWT( zrp4~>9?xunSdk-$#;xQbnJzmkjpUv9`80N3Ek@H_=1(E#s;Wr`9z$0Ga6r^qbz|rE z%<>qCPfiwsPujn?_mf}r9ap!NVztG0C08&`YW8lIeBpZvqnQM` zZ45QNf8m(2Ep<@$a{|_r;*#Pr`b=fQQOIFFz5>ClDh-iz2n&!MW>76MkaFNU6(Onh z2M6hvr=n5Ng!ZwdQw|93*>ZCJfm_6>$n=fx26veOmLMFmQ%ucELihaHu<|Xlv(NS2 zzh>w2O{#j$GsE&W5Y=>g&L<+TAD@sE)@!CS3QMaF)+AOFJ7%o>rXT?G~|N9fjJllTEN#cJ=FY8ULe^q^e9ugI?>K1=~uH_$a9!T z#)n3qMD}4Msp1B_sW-@rVgx1|(VLL}psg#$R@i;M7P_nZn(vgQn?WxJFeUeX<@x%~ z+6w_Erz|15A%lFcd;Jl1Ja6EbME7t7OLUYaH;%Y!=r(0udSX^Lh4HF@{eaYRMJs2{ z`HQTUJjakxz6PbQTtCdryf|K6&9XbiVk!Kc&MqlEu^uS;CPMxQ)S1M=BhjMD6m(B1 zoBXlU$EPe%_nPB|AK3&}D5IB7V~|m{J=Sh>VKew|TYJ1d}TD`4@8- zfZ3~@4Z{fMHJm>q*o-|dNY+Lmwl@TRjdr2W#1Di(BN!UjiNg2%=wf$w9`vi>*LMdz z0nK2&r4out4OO$`isJ7}k0b%OJ~Nz(h;ly?J+Aquy=K0o;*)xdPKdhQX?qt28XYP! 
zj*}wNNTUB%EH-t#;i$>>x(b1Vd)~`(He1%8u4&l{-Uu-vsmo0iLW7J^3}2m!;15V6 zQeK0m5clA&F!E@#shUCVo%(fUlm3s#FE76KFkutKdhpc-jnBqnJB>%FWqrytV22YF0xI%j zP+UXG;Kd~jIc;AJ1<`vDKQ~uPEQ{7T-qvlOXXFOYb2(Oe*-*GY=!sNrZ&JE!Pp=l#p>!Sy0v^#}`I1*x=Ufwe*r z8h?-c9DZ!+SEBjwD;a`1kr$QDw4^YqwAvzrXc@-_->_&pVt6tu^jKZF&|%0K;%^uh zoPTvsgLkX4Z_-r*0)_)O@{UK#cTDWooR_P^*3%=vJ1qG>WWSpnr;?k-8W` z4F%@g40}|!n8u&kWwYUM%0)S?s;&59tT<$FgopgX4KOX@gGe+!u}`kT`Waj&^zfnm z{^J{Q{{CmvDZA?<&(c#5>8bn+2bSXzWOKvq^pH|JoMlraiSmGu3724P@_(L1|Ov(4ns3 zGte=1aO8KB=79RPSKxEa34Ve(`GQ(jyo(^^<2xQ$ttexHl<9)Pz1F4j!vkaz?0x!M zsbi5OBlj@aks=7)^x|@TQeu76z9sh^`1I)-MF3XP;4O58;D%@@1tgWH8EC4vs_nb! zz1GoNKW}C$n7Z4%-?Xt5-~@TH!{5qnhbQI0oJOJbUQkduRJ*qDMAE~2@jfjAA;;=r z?FFt#uT53YJ>+OHv1Z4_%%&%Q#tM?F1sDE%l*f-18m4TpxrvDc=8sx|^9q(zny#3w z1jaA!lPAS=p50)*LB2I*fOOOqe0RNOWZpf|0}~>q9OKF+qVMO^9guQlmz%Lc6vi%a zmRd0^IfpO|#!1f($v?g!698;J+3q+f?34kvNm7ST*tXC*;Y>(wBl6>$&MEh9?CU2j z(>}?d$4?08UNoX)GLVy3gRLKDUwB6Iwy%zs!xSE$ajSDALBGD04VRB$N#d4?gAsD3^9eZBk*Oah3$;HB>Mz8)6xBbm*dVhS2TG3r5Z+iyfc>ojM zLh_ic+Jfz`?Z!z8CKZPjx(tg2uxZ}f?6AAN7;V9Cgl5%0j9>qRm0%w6AJEbmVK-?z zGV>>zfek&tsXe%J#th<_?^PX@)xW3%A!h0Mcz{t{3y>A?#R7Jqr6LYsnJA&Y7L(;5 zCoueFz(OTiRZjM^vC^;zzppgROxAHhR1l}S`sWY?eivt9a%12AAgL1cBn{_dQw~8I zQ2lc4l{UPl{Py?!(WkQLZt_Waq_&w5wE~>{E-C{)f>t0WE`~M@yFM8I`B-|msA!l? 
zfQ=pT5LDdF|MyC#ftP9Ck6_@l>+>$4N$3mKQ;3Z!^B6(Lu9cEIcfaXA<}>|b+HdDM zOS^8mSAM6p=!>n#uJVVOb9|YhmsIP}!PG%n-S)zA;8S=tGm|`FhAt40F?Eircr{)x z+~@f+;Ch#RWKv~tET!|SwZI}#ZIDD)y(qCS2Gk3P-{M(b#;GF6)R87w)#8aamqz2L zKBjn1D}d={+tPwzp|lLpLHb^BmDKl=%Gq)p=uMBP-#Qe2r=Chp_*?+_PZG}&w3mEzb}}!F`vuvw|1zKqM z35fNA$hU=Zp67(-?V{t-yB+r;U;0z8;(7PH-DYjgeWLT%@ngeFXVRD8uO(v*HoS}0 znlV4^OD#$6{(en@c6or+w!O= zk!UTXR3zjuD&ok?7t1%>YAU(;0$U47ia|(>9r}iTdQ?$dE-Zi5i!|#-@m-s#`r$c=VA^QgKVS4$wKf zzEe8EREgHy*tRwO;gznxa(15j;F*>IscW=8-uwvc@)PVX`$}r$DhUeF9(yQiPzSMX zE%2KwX-Z76MzcGYPjI#!G$~f1nyU<-mJ#N2<)y@xWr+i?Sn5Ql7QQa}zAG74LeF^D z<5tPZeorcQZ1S8tL1!G!DVxqDOS_I9vJ{@D&8-^tVxlN2hfmUP84qrjhKiadiZoqw z18j)YpFD7tt>Q@K7j99)QMF#4$l zc?3QN0=#7Zev(M)-4_3$i}T;5fWvpMAg=C}Y#-W|D%Z>$F^rJCNe!WKpMYxA|1_^Jn0Bi^YN8RvS<+fjbm!$dG%Pv!v7d}sAvwY<+_D>v!>PXplh6a zAZ_Pff2E1SG9}g{vQeB}Eu`>_cBS&0>R`lnWtx7?%t?fCITxTiEbO_Nf_wQ78|98m z+eG^|8RxRw088&lIIFPd?*vxY(+mz!d8yMTFdCy7)9meD76he;PA^H{3`Y#z>{srb z8t=0I(au78vFy{`g1W}EaltCRK_orAlD7}n8UEgAf<3oF=y^jg1*X$q_&T~vT-Q^N z?|`rYS7LrMnh`lX1vCo`_={HQ~1+x(Oi-~pdb zYLZ-qk=&|gLM=tUw8x|nRPwl}>Oy$c)7;{HOu5_M;AFfkn?Gmghil05OAQ9Y6W_gw z_0etou$g>@dwFBjP@!Fg(AC}Er`h8VbO`$T50ef6NUV>cw9U%f8z0Sw&8ge&`F&m6 zh=4W$s$+5Jn7x(lPZu~EuWYR~N~9O8@|OnFXrw<9Q@G{$lSu2HAr`w!0G=C+8LD{R zLwt{woKm@OkR>nT;;_vct(@ZgeqQX}*}lb%R6e~*9SOfU>KX5lCwhQ+rpi1Egl?Ge z4$I#J1oruI5R8?wAHiM%Q7+{jcdAsF7$Jfk{Wt2OKJkfBY@{@yDhaXKwc#&MuuT|G zF`*TSHjtFPn|IXLemyqHplh91+b?^XrNrvNRL{#SBao4SC*LTknxMz*)XH*h z@mY@lK(ie53_vH@JEydA(`EU3=*!1Z}C4hQEX#^I1qYdvk|Hu zbA#@Y;831__{%q_bx2UszaP5-3``A5eR{S*kij4*(iLyaVTvUJh%cP=^PyYy=V9*= zwMwVOY%yXBEI~aU9Hs^H&fAdv#x9TPbBkgsiN3kOAf+Z*(!Rhs%K%M>9XCTd7Xo`w zNVEJL1@wjnic4eNRv7K!%tWt6*g$g|#v3oko)Vj-Rl4zg5+;<*puv5Ii5M;!kA7)p zx(X2K#GdGyXk9)sj*CiLnMYs5F^3uRC}7#1rQ92S@*GBySc>LOpQp^hw7IdRIi$75 znzZcCbsmg>l5}V+(1@YyfltUo6?6@fZJPWHTcD&>RVa-@ zKsbu-MBXj5=#G`fUMD!sMlW+DCVxB#WTLQNaFm1oP5GfYnBdWG1mU*$^lRgMFh(Kr zKuYb{WNh4{OHjm+_=k#%>1dZTpY*j6f`v1K&snyFSG~sB5~O$4Ce?iBnS% z#m;+w$VE|)nO&nmqlWhGxSZWk+&L!G1O3o!z+%b&lq-o8P|SUv?!jSPH>2Vl){b^& 
z+(}r(uWWQus3(1F{l0I_WBQXI?Bn<9+2^ni#TA{HQ1G9e)_@#Vg+7F}YB|}|+XT?~2zXP%xQ!1~`(x2IM^0tJ`388SWblR86JyT5KK%S3&%tZb&P zVivUXd3=t+o!JJ7*aFxZXht83yyPqUp|6LPj)Pbp(J=QUni)2Aec`+D-8 zry-67!PU4?l-xhjq}q)h-%ftPavwx+vka3`-<*1J2^~RimgUhTOK65b(@z$EiTA5* zn8S*_hkw$tU6g2HuHc?vpG&U((B&*n!68Iyp2KByh`UBc@GBjAroene;_!$nEKh^X zt$r6hNb1-Bz)m?(q4`a$8{G&BCQ-Z@h=eZpZuc{`(gMnOq)UlszOKQhkSYeyS}|jj zK=jz@-0qCfiz3N#V8~)Y_OMU{|F6Uj9KC1{UT=ViZ<f-{$pyR5&vp+Pq@#h{Cs4=VT6M zAZSyPyz~Dru>ZHdCOPf?8Fm_aJgafw%StOo>bv}jj3TRg>Z4%wgwK#_U@7>7;^O?W zKO(ph|JhL4Zvj1+!q;Z>uS)FQwRvp4H@n1Ho|DrhJHC(_)u@xbi_QJIUkQ|FJwtPg z)9+kz+yT^lmUe#OCC<8T6izodAV|7fDdlh5Ug-z?Grj#Sa_SyP@dCUlp9rZRi7rT0 zozSCW!e#At38gO2Vguu_4qRA$;_9!ywzG}AH`AxVcYMjrLLkmtmk4gFRD2qQnh4Y4 zyvMe(N#1c4l#cO(qrMj~?InY!^7calr<6LHctB3Kv(mr`RD2c&1``#xCrjTjTKF|_ z`zp^5o0%^+%+c%lmvWy7d$YkQHTB}$AFBz>HW-akq%~LC_PzubnYuoc)Qef;?#F>m@;r1UN1DmZAOaMpU z>ok=~4nER=21fl`^u1Xf1q5hfA>@uIVxzxqXP;I&h%Bn?C`W-_D}6VcXU(?{Yv@{7 zhofC(bGAQ~ns?%q7QG2_>wh6^R#njCV1xQCq#-$4>X0*i>b>BcD}5Xuz0?VP65blM zw2%ydIa`;mL_Dp*3vMHkSO!+hP2hE)2nbJY`?hv3s?RgdrbVZ4gd;D_NLH_juA^%>A@_4!y~1La7n zF%A!AHIUc%GFly2L_qPV!^YX)^v;)axt?KfAF6X&8yZT=v0JF-dE_eZMWw{Cv=pY_e27r|scx}W_nQklS#A=d zLpnVbzwa0SHuxncrcuXRdFZ2e=?&(&L7W6`N?dT^m0tCwU3F zv+|u)g}^GgM2_Av(s|U>QRBElD{VhTh;{_Hu6W%b3*;mkX(DhRjTcmTdwwxtRGe@G zG|Uk~2^V$_W)%NL74Q%gd~az+@ok_Zt_NxRE;XT)v_Sk%2hKExCe`dDQM@+fk52On zPz#DC#XR%7{-<``|BZwXhe85j-6lBbpF#p%XsotLHFh;b)hqZNYAeG`_0?+kp1tIc zf@Sg2gOj0uR=oMlniQw58$Q@LgpmoMEFrQ)R0!6V2lVHQRinwP09Ji(_b?#vUqvC= z1cM|6@qWFO*k`G3fuWU--H>t;ObL+(((4~%CAa;{4KS6$@}?w5XovH`fSgz4?z-c@ zujpFsCWip^=_$z#at1@fh57*bFYaqij*thD2pxB9*C*&*AuPoFFr%k_qs;Wg1~hWc z@Z4vC6NWx`{kU0Rhc8@6vRUjPU#`yoCj60d1cm-QMNW=5<3du*tP!?5@H~B%HJu!I zE6gCa1P38OK*e9P5WlH~mKoObd&`Dy7>lPOl;u6fKa{9^1xsw_C>DM5pNGp8*N&KrKjg|ABTO_}+p2Jg`FwwBR?s@nbwiF- z0~%PR9zj8h6Irj1pni{vT-mH%cDp1V6F1d1O9aji?2V#(2okFZ13d6P1`%MNbbc@G zqKToCzXi=U8{mR-$^w4dXOz54Eeyk>9@0r}&nO3V zjH|YZ&`}SdAdHfLUEjNLq9NyTvg6KM#l4>K9T|Ekb)wzWW9l{Se6+Y!k{h`*s3Im+ zuFz|DD2&2`Wk}8z`t>>emY+9+aiypzKg>HFB;DB-04U5 
zu0BsR(3JN!_>&kS!?eFMN0p{uj%iF8Ge3g3rkOs5snXUSu+H{erkKOv1!PZ6gVsGFXHx<5>vxkUmLg^Wi}j1JH1bg!9hR(&hw-x;Y3T4}MKW6Sh0{+yaZ4w1J-OK#x;ZG%0j9K#%B% z)BGArALA+Azi<=7;9NI%lgnO$mTkXZA-ck{^B}ype9E!h6W2{>p2<6`YvmYYY0sBd zul3m1Y?>#r|L=FTh0hCU4{+k#D{p1{92odyT$x%mOay!EJ_{8xc~v%zmv58`!K2q~ zG@n`TV~TX~yqXY?p^t-tjXy_7k%<|CZI;w;broq|z=NYtC(h0>y*yODL&TfnrtkNq z7O^;BbXYD*P-5VbHJY!5{KA!p(0Jr5~bq3Hek>)!w(j6NC}QAJYgdO z@A6+NQVuT#j8Zu)&40=`1jw)sa3+@GK;F@edH&V`s~{3b)WbXqJwc~gY>r~i#-1%} zB<_pJDDaJ+$xKi<%_$!g)s6yQA5QDb?rBK&Z46P+p7jD3vcvAhMU9grWzY6<-m|IZ zV;_K5jBk#OUl=r}5;S7;w>0Cay3b0+UB*HKK2{B$#ot5=!CC`m)j6oI_8-pbL|{?d zvJLO|0B%G_nwnV_WO^cPM$hvyF}S?~^OEx{+YWk1ekY6HN}714{8vdgEY|yq?Xh>k zneA_nFo>PZ8||4MCrgcT4;lEa4E&JYE}#MUP8 zn;pEa)Ujq*FmcZhmvMGoZ@b>jmfPQi+sR#UE#QzZ$V9+U=~$8F;v`^K+v~C=5O!iy z`%^>&%DCU0>7-p;(J_OBUaId42grJ22wfcY?aaz*)v5oY^Nho1$@m^$aTgyGQL2P3 zj&P-OagXDp9r+g)@Y#QgJ?YlWpF*$jng5pydn=tO+ROq9%d#{{`;X3E81%V)#Lt(g zA|nNA5P|ongsOpy(WZRpxZ9xF5@3aKsn*sUl(Uc0GB%)Dlpw!AJ?kWxMh?6*t^Y{5 zoJ;JpL&VDYi=oGIqNOd!-=@x+_)ab{Ud1tCASa$78_JRztT8&PhA>xzXP0{GWBOC| zV=6-g@*S%gmXCY+!7CK=oMap9tiTOzM?Y_~!o$fD6SDTinUyU<`1N&hSv6rI-d8Lx>8mJ-<()V9S#{E+dMN5k00F6F<5oj6s)#r{(Y!ly&W3mHa29D`)@U)N~eKehZ`Ln ztYiIlE^4}WS;=Vl7flyrIRt5eTh_h=kssNk-LX}>=D!PKn2m9y9}`!4iw(IsNI8nu zihN-QyCZE0koX700erOB$~Y;vX2s_c+5g%=h!@7<0MRD_m&3D=!mZrkO#u=IG7P>r zfC`K8<4ugUtt{9wWkul$`*%=)p@YPIS6jfb z|Niqqh%KY(9v5G*nwrmq#olTcK|OpNKI9}z63wXEIx7xkoCxk+_4V_1OJaXPQkkfz z`xXeIPPDItif?ycQFR0LlyEC}>Aala-H0V3I5D;6@*(HQ=11@-tthvOF!`fRoi4EP zO|s6HUr)+a;4Fd<$rgHD_CfTS^)taR4!IZigffdXah|I6m^EHbHPjq*;&Kt~pRkFo z%^VRvi&F(R^gW2VVU=Qx zG{Q_OUUS5CMHgd^MW}~ZRqYULJe6mNtLYxBkW^*BmeG7V$J9)W;(@?yvx>27hIYy% zO&g6(W~>#wuRJ1u`}ABwt#`i43H{~{#Qh?~kPN@1JBMGAGO4)rC}C*vUEX zMMI~LoMCT+uF;frw*jjc(h0*;@JB@>H|R?QHK0c^ z&lm~j?caO;KeP(=9KQ0P>mtV(n7dgIUsgZlu?1Td~vvtd)ziBb96Qzr-dCn z?0L}Ff0n!`FFWis*dLu4z3c;kHwph8((uHgFa??L{#dB_kuUU%pIL&e7~k2E`eSVw zU?s1hzI?^`waAci*tS(yw2$~)IGAYIWhH`sgdZF@NO{v@A_$K} zjer={p8c0Q?l0m@_z6#RZu@DD58*Z+5!ZJV&U9r{x_v>T{W!znqIYHMboLoz4#(eO 
zl1Za3(tYD$LDD>ED(1_hX?5ZhW)ZkaNFx9ZCWSG0S`^oDAsmSM#t`-KcyBA}K@it` z`$`2`Ba-`=Hgb$?{kLzSh|d5nG|<@m)n>tY|CD%Z=uedZ+_c^YC0(d@fe-ZgOMt=% zmN`&epC?no&XeB8oh;r-M1G%o-$633@b6UYWLY1(|HR_WaD&K9 zS6600fSQ1@Mv8TPS{sx$0{T-qzlpo#Hvn_OKh>8vTI8H{G<-Rc&rX_gA0u3>HY|tR zB*%deA1$QFj>>xJ#gM-P9T_A@4+I%;QvduYE|?EX(NwF1mzU=5t+n~_o!QaViM>&< zu!iJzH2z!Nidc$>e7a5>`P$N99Is; zzp58F@zN9+O&6;d1JZS~P1P=(zrQoi&2-6ZQjLB9#g)8$&@|R?cW%RD`t}~1*muTX z1%Zube)+_XiSQjWQ7a*3JnrO-A=G_oFAuC)VjuNcgBaoz#Db!%Fz2#M<4}uH)_b$xP=fgeS6I)4rlrxnWI73%6eh z=wGrC#iOj&h*(-M%2QDD{_mOc>fb*kRRvf$e3<`>geDItOa4D3G#Oh(5KyoDA1(^> FzW_gs$OQlZ delta 10817 zcmZ{qQ*b2=@a1o8+nH#RiEUdq#>BSm8{3-LwkI|wwr$(quWI+d`?OW3yZYh0c2}M1 z-*^t#Ob!^LqAUa?CIA3{1uRw9Ba$J*EmhNKRi|?28#i(yqd|eDWr^t>tuYbC5=Z)e zT+9W1mb5LOAy341fh>rxe$zYK*SXJJbHH47T?zS9fd4XohpOOt+NAFD$}&jU_*>b; zDCbjyfYLy-qGae^!vSw-#h%oF-qBoGJj%6*Yp741Y-L=4WQP%`5=kPC-g1=S@N3ic zD3OVV$Kpw+(%S-*c^SLO$s3lMMq$H`3a3FZ z1peQ^2d9CbB-EcBNwJY5*>4N%-)y6hi*)mTU&^z-%(U~agR!n&4R%(!@8xsgg;=(A zC45($4q2~Ea!7glue}FIwXRWPlkPqZBsml_!%=LgHHu<3qJh|cs8C9~RU_iuFUHW~ zoX@PiX=NQ$aRZ%}hNbN$flkMH)c~LMF9fci0m6`kx!r~eZG4}%h6^!SwWUz=yMp?DqvUV>BqT$H>v_3`1sIX14RJ4$wy< zvhz1~)b_BD;-OEmE~)mM9LAqcfm>c!id#R=H)RE<|#%=t03%iCCYjzaa|k| z=h{IA$ij>QX>ouJpq|i>xsJ%l!y zG^qQ7I&KW+wFjkRYFdbui;_Z~knFRvVZ%XY&WzcsP7@k^(EvxS4`B>@Buh-OG83fQ znkH*(q;}f}0n-WLY7ug`;OBYvL93X$%M4lXz-nwjM6Q#ygForiyhjBc3AS?Jbep&6 z7{CNhNhSV)bGu=Jj{<2oA776Pe8B5qB)Yo0+71`}x|(96WmON1?UDV{MnWLPZj zqcz&Tfo4^_7{a)LMJi?1bP)0m)&k+$#0iOo%_MO4QGF8wW4ejzR9o1hY{A2RDUPo# z7`wvD*eIv4jlby?Dv+V@gqD-iFf=fH9lav+lqMQMOoy$S$8NzZEKHAQ(U^J`3YmoW zrADw-$rBH|-XrTN3Xy_z?&UAM&Q~9oc;mHEY!C(`-nUl zG^JN*{@C#zWakcdSC|?_P-nVpynWTyeM9(gPxf02zk%WhJ_B5gDGDeT{F=0`1rBir z$J@9mIKdorYL1;pouzbnTR%U)Xkyo_;4^ z_gV>7x~Yh3VHw?njit*jw5D`M!L90v(HiPj8F-82cf_)C1M1+NYqIrhnY?cBi2wcN0K9h&}3^D;qcHxg_LaZ=Wx~HMCdHyFm>RF$8`L7zy+G3 z@vr@2ZeD{pT4MASv%V#b>$@!?x9qQLR^MHE{e zl!I1(z`ANP!}^esi0wCoXujIz*YJA$3&a3Wn8sS%Q3lHl1Xg0_n{AX5UWkO;Tc+gAi~wz-yX)DAl*q4^?9vT{G{-AI~fc8DgS_& 
z==(E*V3y=m##f@#QLylroCoZUK#>0~2sjuv0L$i^JI))+A4au$Pw@58?rSV+yo9^(}M z_jhJt_oKu|Y!D%EslxV+0Uz%r=OkdU5C6Px?D>qDm~6 z&i_SyaW;>RMM@@9DTyBLm@6#p!V>-0DePh8Y3s2>Ei6C_gI^VmNkRr*JbnlIDyDQ_ z)*d(hU$U^%84^FDgyaF^(;L>7mA}j>?>Q?TiRa=Xq| zTznK9qjC^1-=-S?=f|BY30eW>YR3BA6Go>XWS>-EawgNURA@rTTCpjoF|X{*W*)uq z1U8f1SCo-;L>@U-S%8&bZIW-ZVD2mrb-?={7FJ!Kk?_31TjMTaw`3)>GXRvW}4KCu{aF6TfnV)llM5bh$mVwUTqUgI1H2fGbmG3~)cK zd-1jcoC}NVo?zW0Z31SPx`sYQuAhuEsC0w3eV>UGH2OaqsmasIKi##e-xr$&?&K}- zy3RjsMFkcAss6^UE_sU{YtDUm++PG4eb=oP6tHMXAXOCPG_`8|z#rvNn)^|L6LVB4 zK_27A_Dd~Z0;PsL26R*|T^O06jFre5LL(v_p<2!nQ(+0Lh15_DdLT7*ue4S`5K}4< zolLhRi9vS7EB@oOqhEbS%j&{ow@t9_655pMRjotpfe2sU*%{CWX@aBaxC#s2Z;S@X z@$Pdfpdfu`d39HH9m${5O|!XcnGpHTOHX%o<%E#g)it*@1wzNbbbCVVTHmg9S2)H| zvlx)IJ5iXCS@ly@9~;ViGpmaD72algdq|(cP4zb`)l$vy;#8ApaZhD9X%0;dqYN?! zYH1{0t4yo5r`*~#yUT2yxg%(xW!3U;X33^4QAYJ=P^#}q)ANR&GtIZ>gq&NJ(yZ|# z*Qb*}vCh_-2Piq!Gg+pl5#>?@z6aPpdcph($it35W1UApLP)BU>zV)8bDO2`d`f5F zgJ%zxaH)-Z}1GqOTeM_a3zuD)irL;Ejv^>v{-YgdD~WNv z>dQ-z@gx?8&Ws~s$0X)aBLnmrY=b~!;AoM4>&Fb^p0_)*ufQa%m!DXR9W1y@Di~E& zDe}LLnpG>8kTsFeg6e?P?q|fYKjBC7X1Vo@1T93wJAdsi-J@41=5VQ2d!ChHDHt;v zd}667CRwrxN0&dOkR%g0bYx=~BZM#Qzt&$2R&F-=dL0i%R_gsdkS2v<8K6=f*nxXM z0OsPz>0*lskAS5b0y3@~5pYg^GK;^%(FUkwr&qzdV(}G$UjvknOyo6TU|tXYJ2G=3 zpbHTbbij-!5mlu#99S`n1ZTA204`> z!#jWLn0l6skJgqCAqW}%{C>_PKk|xA15t8q)`g5rVK;~ai7<{B9~Y`SOzQKOgrj@D zEH;gA=N=l?>-_7yS0a`@+uZ4ae@q8Hd9I(;g|$Q0yNbi#3r=v?lXU!->p<9uBKYh5 zz^!15c#|kC>feMA*j%ZBG5*@UE^=G1SE#`?e;Mjxx*J&N^D1N0A%P--(aHC2pe}as z8gPgoreKSPMG%<5$aDzQLRaH7-u(vI2qy4#8#~~-l7bp*5RX+?m0KU0RS~Y^gKwzV z`f^lXDzh8EE|U@)iZ+falv$(~X=yUy?-utP%W6E$ePMl*7qfq^+eKIDub#Tc(E8%J z-iKoF0f9{V+s(U>+a<&o7d~INAWb>ABnDUYSxr@WSC||>K63ocT(D$AUSyl)9m$si zwq-<=IHMoaLzf!#J)rfmN+U?8&&Y{R+j;M#xIxC(+0&|DuOhTJG&+NQ2%fmJ0ms<< zg)r`&=etlf_D0A;a$x`FztC3b%4yV4>Z(fe-f-o;DIzR0HX0qXva{rJKqvDDaO(Te zQUP7VE3x_ZboZ7SP{{{eAzuL~HcX7Ad^Z7!A2&mo3#UzHtG2EYc&}unuY!2MNN(~& zm{-h1wT3)(AV(GzYIS_*LciQVg~`BBX9b;iBh_zv+YY6~O81UoEBpKOp@j(nxpN@m 
zJmX>T(Y$O!Gq|SQW|dq!h)3|WB8+^i1deGtb#O$73ax75sB`UKW+3m8_LT&N)xWbC!jlY zHmf0eXL`5}YRIPs>kt=(+iJ1e>mDZPLRd12N+iT9+FdW+r{(Vzs4Y7hlR`>!4W%yP z$wG8Rp}i_D63M3~3bMvXzD`|w%~)5@L|5d1PQ#`CN`9zlOhnzJyY7hjG^9bP@hq9Q z63>4oL^c&!2TIhysecgvEqxI%dr7Ixa7Tyb`CG)$WO3dEQ(`UPmbg?-W1eP(iN9xt z{LUp{YH%J-qBwIMlsVQa(;J-%pm_SH16EnsL>42c>?zIy89lAqm&jDmG*s(@t;6pT!be zf!koWg5VNLSD4(b2VlGe1$XV0qKEd6 z!;+;YqSQTerw&_}a`&sL-4>T@=?s%E8P2;(Q&{EqTzaXbCTpz1dTi#(JOv!G7CN8g z#krJxHXt7%V85MKE4l}KMlBmX43E<4s#d~&R^@&~Q_R>-Db3&JPm)8@kk!rL2a3;O)t$r4(4BVWWGT{AiK_>ZIX#@wv&k#kR zCTfud()(PUzKL+P4^hfph1r<2L&$s?B#s6|3peE9`gGyCJ2(Kvr5FS_}*<(T%50*CH%Segt^S_hSw~cL=1pLSm|$Lv{gZWjd{6S z7bf_ysrY;Md0tttkkhXl_q=*>rgCJ$E{|3ax|5wl&~-O!MUK;|WRMemL91GbP~8=4 zQTF`Bv-jp#j;8_V^CZxIn;qqHtJj7E@gjEqn$!EqAR^wap(5?EvoOMZggoPr_4$87 zwyBX}1`Vz!9NhDyBvqe93^Do%PqAu?gk0_CJ?)ZhMvyedYgX$EvPiE^ z-E7$WL@qO3ACE6e(=-?LNeO3^cXzEFe10W>n{DeJ6zvfcNcqi#?aADP9{D>;OuXO_ zCzgpqZQhirAY^5ePSmWGU5_5AUe880xIkV|B?&O#%uCJWo&wk7K@@FHQP6|7Y#Odd z^`QD{rpQdIYU<-OvznwcGu>th`ja|rE6`pR{5v4<@Bs3{61hjN*1<%Gz#?XGiUf&A z($CcK{hps@fXu@=evTd6Lc-xNUL~&~7X2BC%{xEEo`}Z71x~{Cw?|p@0S~Fp;h4az zD&GZL%f?VasdI6e7ei*?Ii5Bb`Y!*W97lU}foYY~34s&xd`Bscs~b5t6h?}9UyCKc4v0EZRus^pY`#z;i&P@ z*Oy~&)R*Je7O=J?=Vhv?fr2rN(yCyS8)e{=eQ8bj;xYVa10^aGJ!K1r*~gSo=M5%` zacEB*gJt!Np7vnwch$ETw`z~=$OIrqC{*WH39je=c9b6fDYV>ZYn=rMKk5 zR!@zhbq|Lhpj1sJNE^Ct0-wOECQ^XXYH)YZfRg?3q(bI6Tm;T(5XpLoGxe{-R!xH*AV^6&vq3mL4&RC6budZB{r-*Y?BNs%jT`Hvbs)rSI2abNe4>) z8>O7jZn!WXS-~;;ady#(k(BO|CPmgQ`^M_%k)rjlcp9ZhIf5m1Xd{+#ya%iO)z<`{ z>x3Szuq4MP`03FVQ0_xXvEp>Zp@y}lNJBUzc> zl;0O1O_%*+r4V!c4UWpoS$_;pC<)zdhMe3kYCP5;*$Y}C8g%xFt4F1f$P+O+bby)D zjgg-S`cI(dLB6_fxe15}k7cx%oy>0ZI~Q`yf9{-nZ2|BU?XP>Y@C(ls*d0Yyz5y0c zYaAT2@c&nHx$;ecFj49Tn;K2v)?KskRagaBm}d-iApS`UD6xNXonJ!>?&Z-7Yg^S( z3ipnPTA9?)*0Dx6vP|M304(&`1@oUE(wJe+5gTk9lH(s7FV8Ez*ZOM7L9ZtNAcFW( zPhdh$a7J*wHFTKN27Z){_>l_$S6%#Gw6G0QBx&UKefoTOX8fH=c5$%zeRA_=Zdy43`2x0d-}g z^1Ktdyh- zSWZPY4(yu7LKPXE6?knBipDU$&%D^m2s!>4%)kkX;BWGI+1qkcIY6GzA2J#Lc 
zX89~!K};u^NtT!q_F8!u|IQTOW_5;DR>|gM*R@k((2DhR=`h{3B)UQSeJNbLkleey z_2#@!Ohx)=XdNAoUROk-c+?XzbPW_49(?KfK$!iAkvzNpo-|Ux_t=t_&u&(^=#qdOEuec2d%N1%W3M1}(vRf~fB`Chd!kD6F>@Dy@h6*%a= z=!Ej;`!BhzUY*LZpmPv-S0wJwKj9YCiO*{5?7gxBQ(Nn~ch|SWn9kWVlFq60x`HNy zaO6Hn1dD~meaFzsYVBtns*h#mGQvvzgYed8lIg5RwH5j2gdT;S!@vaj3NV2`=}c`k zVla7dlJc$Jv<7zM(a#r z><|}?tuFPq(^m;JE0nj(LnG?-U2QlgPP}a;b6-VKYY>mTsU-SJgwo0yPj@qaVw4PA z+&HK5j8q7r4*sAM?c(lvkRyJZQ0AHP>Mo7O-|2UCX1NmhXtI;y3Vx=({)|)Wkp|bZ zAzv4$TuZW~?hjD#7FM*@f;doQr4#&^%R#XmJwzNMuf)F2S~tMlVJF|e>~dGFvJFK5 zds1DkPMR_;n}5<_M^_tEV@XlCCB2vNTlA4Q!)=w_{Tf&+jL?n|QJgHqvZ z-s&oY|J&E;A=9ycY!B5DomwI&k;|m!eo59N$#%7!5Ldh~!%Ar5l$_>#=TN4Ux z3ONTae0I>$_XgoGK77B_8g)|3ia1JI3{=O3C-`|8!<+^!HjP_IKwZ`Im0ZPa6#t{w z=uCnK9E*w$fiDMjTB)5viTxj;NK9SW6a5J$H3--C=8Yn@7-E49+^W|oHSdUr&;;Vh zu6&p6G~jHTrU3khzdWD{v8;#+&-o4d&kCYqp?u%Qyr}F5JwA9Sn;G`X`-Q=9*KbEf zKNLj#8AY*8GhN|HV*}Z|Uy?ey4$e8Z;0_ zYoNnW$u~IERoV|sj2^X>iSVg#8>>8KEB_Fbs>mH1c+z(y#g|7xvdmR`wrBims!IEk zJo!QP45+??{$E2iM30gNd@d7Bx~#U#MVG@d6D<)|WEaqS$~lM8S<-(K1ejF*d=uyS zyN76VHZp8_aagWS(d7s+Q|03(CFvK!t4ugUk0;2CrU`JUEpQ2*rA?l=78ud(#959uD{#>k=TF zhG*vM1%yn$iaY5=Pm9X3eV1TfLH(hy0n6YCIBb^^<&5RT^%u_Q1RUz-!*H{~W0sPT zB&MwJr$0ISde&%8tO0n3-azcO(Mf!}>gj1#n93166l?M$4TT5%bW6E+x;)C7)jI*K zox)L+U1KuGR2mgj4L#%*=~$uZv~aNZ;qk>R4!^j0B89wMM5>(x80pZ)w(%Na*v|7g zdd-g3zG7$cb@#n*Y%R@n|K#&8+mMOen;%awkiA(X=c$&x;YT)dO@S=sE4-(tPaf4j zy{w;o?;*S_{JoQKvY=w$BUB;t4Pi_~o>jQ07uIVA&{Ss0LIUd50s_JT-!3L;)%beD zhM%LNm@fA2Sslfvag%_ksjTk1|h3R-uMWH)qj3n?G$n zeA$a>eZbCZCvYFscR*`rUHd+^0b9jtSB?6m!g6>==tRa?*CQUWF=dm-%|DM#;7}a6!s0z?nE4(>*d_i zU0T#dqkF@VfNyd&Sl30pqtd}UBV|2V-~OQeJR zO8e8zWCihnaAP+pSh0Cf{j2A@w))Go24|6fE%iN4O|nCVLQhypkOKD zv0uP??bGP70kR@+HX~)KRJpT=20Nxw4I~3nfOmr`+yYuaI86b$(8t6M_CuVo2Mj-c z`-x}13yJNAi<2i}(#o@N6p9=AH;C`}WZ$upyGR<8qVS<_rw|Joi@rMtc$z}|d(?r> z33j~b6RGrXPNBaUUu~2PjAU?-PD~kxYE;+ND#j+yk2Qdz@7UF{5!NlXFhL94ulyCi z0r%UISWsULGn@yGa>kcl)oWfc;+QbC7d<;aO^xj{?)#8xZOqDTxpUTzkWJMOStXT@5aA-|qi7+Zl4R#E^V7_12V!qF<_svM6`qsrn 
z`h=8|gc?yJMrM9&;?#>To6(=#kUsjZH&VsC6A45iAipGYk81ww&uO+cIk~rJhg}PL z-?|!x%=}(WGvK6JiGfSKPngubc9N&F2qfNuT-Te0ti)XyqgokKHGeh^tS)Oe`QJV_ z<3Qg#s+Ef9W8!Ns#_}_reqbem4SYdYYqpzGnzg}*elO4)cl8JX=;^FdZ`u0@6nB&jJ45J>T~r z;m449Dl8_yrWiDTfp%c6DT;79&m|m~=BWLBVwj;k*|KePALVomz7Gi8Nb97hib|N| zLmaX{7l-vFWW`@F9K~mVX|B~_^q)hkqwj@|J-@jE;@!ze=%>!v7uF(Rot2FP>)jUA zbiU7pgflLQTbTXxW)BzneFpN?Y^HVvTrX}&n;p_QT!#^QlDJxnl}dagE{eLgbW==4 ztKOWVsd}z=LDD9@&jIAHOzOU!AGBB&?~?tT1igAFyS>9|Ds|(r<9Na?c!t z6agEiKwgjMRGUsc7ZtB~YlXVzc;T^ta0z>D{3t!aA4Js~Gz>_fyNuzK_#)dvGz*mw zx|#_xFH#r`9-Vugu@NXzFl1|jz;1HqJ;I3 zFv*?$S7Qy$F7bwQe{$AJ)(HMMnxlyh))|S~s6Y2;+CIIwgL*?KnS3&rV!^AC@@PY? z3pd-fyx>_y$NndJp(t_(ST&F_mG(5C5VrID39cHs&IReqjjNGQsA#5zqwQ+=v*#BqwTF8(tP-<|qGFYr zoPvyr-Jh+7>F&!Bx$I+VT+M;R0DHoj%IOUa<;8uN59QbixaMD`BX2uzA^eds+Y;ek z-Iolk8O~&jz^JME;a9Bj%$$OL;%IPBmA%gG`5IYL-UG@Sy0QDiLUID_QiAq&_hCFE zNgnk^eRHNhxf9~S0(0A((si_l$(KoHcmShqn4Bz8)r2v~!# z_x=yPPb|<3`l`EYyLP`<94_hS@b48?&jPsdQ#s7fD(m_fRz@$p53%7~3v(|1KDGp1Q zy&4rL{^w@9X(SKCIO2ML#0Dy#weU-vb<*2#mw4g%-Z8|zjK%D z6N*4eQE1i-)pIf~?KxkStQZVQ*jBS&)3eFj`X)=Rq0ipE!i=~?HZjj=#11nE?QFG5 zZ6naSltrh2d*UpWbO47W=i+p;mYGU}o9*uAs1>D3ih-ZCIvnk)_iT?*6eWX31Qc>x zLDkLQl|ACK-%cxh1w&*b579uN?H@rB{R<8mSWM>bgG5sZ^3VfukUX~Suk)+!2dv@Nj*T({|AL8At>-bw*dbGMgji|i`e(p diff --git a/Solutions/Azure Cloud NGFW by Palo Alto Networks/Package/mainTemplate.json b/Solutions/Azure Cloud NGFW by Palo Alto Networks/Package/mainTemplate.json index 4b6d8335963..96df758dd6c 100644 --- a/Solutions/Azure Cloud NGFW by Palo Alto Networks/Package/mainTemplate.json +++ b/Solutions/Azure Cloud NGFW by Palo Alto Networks/Package/mainTemplate.json 
@@ -85,11 +85,11 @@
 "_workbookContentId2": "[variables('workbookContentId2')]",
 "_workbookcontentProductId2": "[concat(take(variables('_solutionId'),50),'-','wb','-', uniqueString(concat(variables('_solutionId'),'-','Workbook','-',variables('_workbookContentId2'),'-', variables('workbookVersion2'))))]",
 "analyticRuleObject1": {
- "analyticRuleVersion1": "1.0.1",
+ "analyticRuleVersion1": "1.0.2",
 "_analyticRulecontentId1": "89a86f70-615f-4a79-9621-6f68c50f365f",
 "analyticRuleId1": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', '89a86f70-615f-4a79-9621-6f68c50f365f')]",
 "analyticRuleTemplateSpecName1": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('89a86f70-615f-4a79-9621-6f68c50f365f')))]",
- "_analyticRulecontentProductId1": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','89a86f70-615f-4a79-9621-6f68c50f365f','-', '1.0.1')))]"
+ "_analyticRulecontentProductId1": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','89a86f70-615f-4a79-9621-6f68c50f365f','-', '1.0.2')))]"
 },
 "analyticRuleObject2": {
 "analyticRuleVersion2": "1.0.4",
@@ -99,11 +99,11 @@
 "_analyticRulecontentProductId2": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','f0be259a-34ac-4946-aa15-ca2b115d5feb','-', '1.0.4')))]"
 },
 "analyticRuleObject3": {
- "analyticRuleVersion3": "1.0.5",
+ "analyticRuleVersion3": "1.0.6",
 "_analyticRulecontentId3": "5b72f527-e3f6-4a00-9908-8e4fee14da9f",
 "analyticRuleId3": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', '5b72f527-e3f6-4a00-9908-8e4fee14da9f')]",
 "analyticRuleTemplateSpecName3": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('5b72f527-e3f6-4a00-9908-8e4fee14da9f')))]",
- "_analyticRulecontentProductId3": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','5b72f527-e3f6-4a00-9908-8e4fee14da9f','-', '1.0.5')))]"
+ "_analyticRulecontentProductId3": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','5b72f527-e3f6-4a00-9908-8e4fee14da9f','-', '1.0.6')))]"
 },
 "_solutioncontentProductId": "[concat(take(variables('_solutionId'),50),'-','sl','-', uniqueString(concat(variables('_solutionId'),'-','Solution','-',variables('_solutionId'),'-', variables('_solutionVersion'))))]"
 },