Azure · v-prasadboke · Jan 9, 2025 · Dec 5, 2024 · Dec 20, 2024 · Dec 24, 2024
@@ -21,20 +21,26 @@ relevantTechniques:
 query: |
   fluentbit_CL
   | where ident_s == "TRAFFIC"
-  | extend DestinationPort = tostring(parse_json(Message).dport)
-  | where isnotempty(DestinationPort) and parse_json(Message).action !in ("reset-both", "deny")
+  | where isnotempty(FirewallName_s)
+  | extend message = parse_json(Message)
+  | extend DestinationPort = tostring(message.dport)
+  | extend SourceIP = tostring(message.src_ip)
+  | extend DestinationIP = tostring(message.dst_ip)
+  | extend Application = tostring(message.app)
+  | extend Protocol = tostring(message.proto)
+  | extend Action = tostring(message.action)
+  | where isnotempty(DestinationPort) and message.action !in ("reset-both", "deny")
   | where DestinationPort !in ("443", "53", "389", "80", "0", "880", "8888", "8080")
-  | where parse_json(Message).app == "incomplete"
+  | where message.app == "incomplete"
   | where toint(DestinationPort) !between (49512 .. 65535)
-  | where isnotempty(FirewallName_s)
-  | where parse_json(Message).dst_ip !startswith "10."
-  | extend Reason = coalesce(column_ifexists("Reason", ""), tostring(parse_json(Message).session_end_reason), "")
+  | where message.dst_ip !startswith "10."
+  | extend Reason = coalesce(column_ifexists("Reason", ""), tostring(message.session_end_reason), "")
   | where Reason !has "aged-out"
   | where Reason !has "tcp-fin"
-  | summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), count() by FirewallName_s, tostring(parse_json(Message).src_ip), tostring(parse_json(Message).app), Reason, DestinationPort, tostring(parse_json(Message).proto), ident_s, tostring(parse_json(Message).action), tostring(parse_json(Message).dst_ip),Message
+  | summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), count() by FirewallName_s, SourceIP, Application, Reason, DestinationPort, Protocol, ident_s, Action, DestinationIP
   | where count_ >= 10
-  | summarize StartTime = min(StartTime), EndTime = max(EndTime), makeset(parse_json(Message).dst_ip), totalcount = sum(count_) by FirewallName_s, tostring(parse_json(Message).src_ip), tostring(parse_json(Message).app), Reason, DestinationPort, tostring(parse_json(Message).proto), ident_s, tostring(parse_json(Message).action),Message
-  | extend IPAddress = tostring(parse_json(Message).src_ip)
+  | summarize StartTime = min(StartTime), EndTime = max(EndTime), makeset(DestinationIP), totalcount = sum(count_) by FirewallName_s, SourceIP, Application, Reason, DestinationPort, Protocol, ident_s, Action
+  | extend IPAddress = SourceIP
   | extend HostName = tostring(split(FirewallName_s, ".")[0]), DomainIndex = toint(indexof(FirewallName_s, '.'))
   | extend HostNameDomain = iff(DomainIndex != -1, substring(FirewallName_s, DomainIndex + 1), FirewallName_s)
 entityMappings:
@@ -50,5 +56,5 @@ entityMappings:
     fieldMappings:
       - identifier: Address
         columnName: IPAddress
-version: 1.0.5
+version: 1.0.6
 kind: Scheduled
@@ -32,18 +32,20 @@ query: |
   let CurrThreshold = 10; 
   let HistoricalThreats = fluentbit_CL
   | where ident_s == "THREAT"
-  | where isnotempty(parse_json(Message).src_ip)
+  | extend message = parse_json(Message)
+  | where isnotempty(message.src_ip)
   | where TimeGenerated between (startofday(ago(starttime))..startofday(ago(endtime)))
-  | where parse_json(Message).threat_content_type in ('spyware', 'scan', 'file', 'vulnerability', 'flood', 'packet', 'virus','wildfire', 'wildfire-virus')
-  | extend src_ip = tostring(parse_json(Message).src_ip)
-  | summarize TotalEvents = count(), ThreatTypes = make_set(parse_json(Message).threat_content_type), DestinationIpList = make_set(parse_json(Message).dst), FirstSeen = min(TimeGenerated) , LastSeen = max(TimeGenerated) by src_ip, parse_json(Message).action, FirewallName_s;
+  | where message.sub_type in ('spyware', 'scan', 'file', 'vulnerability', 'flood', 'packet', 'virus','wildfire', 'wildfire-virus')
+  | extend src_ip = tostring(message.src_ip)
+  | summarize TotalEvents = count(), ThreatTypes = make_set(message.sub_type), DestinationIpList = make_set(message.dst), FirstSeen = min(TimeGenerated) , LastSeen = max(TimeGenerated) by src_ip, tostring(message.action), FirewallName_s;
   let CurrentHourThreats = fluentbit_CL
   | where ident_s == "THREAT"
-  | where isnotempty(parse_json(Message).src_ip)
+  | extend message = parse_json(Message)
+  | where isnotempty(message.src_ip)
   | where TimeGenerated > ago(timeframe)
-  | where parse_json(Message).threat_content_type in ('spyware', 'scan', 'file', 'vulnerability', 'flood', 'packet', 'virus','wildfire', 'wildfire-virus')
-  | extend src_ip = tostring(parse_json(Message).src_ip)
-  | summarize TotalEvents = count(), ThreatTypes = make_set(parse_json(Message).threat_content_type), DestinationIpList = make_set(parse_json(Message).dst), FirstSeen = min(TimeGenerated) , LastSeen = max(TimeGenerated) by src_ip, parse_json(Message).action, FirewallName_s;
+  | where message.sub_type in ('spyware', 'scan', 'file', 'vulnerability', 'flood', 'packet', 'virus','wildfire', 'wildfire-virus')
+  | extend src_ip = tostring(message.src_ip)
+  | summarize TotalEvents = count(), ThreatTypes = make_set(message.sub_type), DestinationIpList = make_set(message.dst), FirstSeen = min(TimeGenerated) , LastSeen = max(TimeGenerated) by src_ip, tostring(message.action), FirewallName_s;
   CurrentHourThreats 
   | where TotalEvents < CurrThreshold
   | join kind = leftanti (HistoricalThreats 
@@ -53,5 +55,5 @@ entityMappings:
     fieldMappings:
       - identifier: Address
         columnName: src_ip
-version: 1.0.1
+version: 1.0.2
 kind: Scheduled
@@ -81,8 +81,9 @@ query: |
   HighRiskPorts
   | join kind=inner (
     fluentbit_CL
-    | where FirewallName_s == "palocloudfw" and ident_s == "TRAFFIC" and Message.action != "deny"
-    | extend DestinationIP = tostring(parse_json(Message).dst_ip), DestinationPort = toint(parse_json(Message).dport), Protocol = tostring(parse_json(Message).proto), SourceIP = tostring(parse_json(Message).src_ip)
+    | extend message = parse_json(Message)
+    | where ident_s == "TRAFFIC" and message.action != "deny"
+    | extend DestinationIP = tostring(message.dst_ip), DestinationPort = toint(message.dport), Protocol = tostring(message.proto), SourceIP = tostring(message.src_ip)
     | where isnotempty(DestinationIP) and isnotempty(SourceIP)
     //Remove private IP communication from DestinationIP
     | extend result = ipv4_is_private(DestinationIP) 

@@ -6,7 +6,7 @@
     "config": {
       "isWizard": false,
       "basics": {
-        "description": "<img src=\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Solutions/PaloAlto-PAN-OS/logo/Palo-alto-logo.png\" width=\"75px\" height=\"75px\">\n\n**Note:** Please refer to the following before installing the solution: \n\n• Review the solution [Release Notes](https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Azure%20Cloud%20NGFW%20by%20Palo%20Alto%20Networks/ReleaseNotes.md) \n\n • There may be [known issues](https://aka.ms/sentinelsolutionsknownissues) pertaining to this Solution, please refer to them before installing.\n\nThe [Azure Cloud NGFW By Palo Alto Networks](https://docs.paloaltonetworks.com/cloud-ngfw/azure) Solution for Microsoft Sentinel allows you to easily connect your Cloud NGFW logs with Microsoft Sentinel, to view dashboards, create custom alerts, and improve investigation. This gives you more insight into your organization's network and improves your security operation capabilities. This solution also contains playbooks to help in automated remediation. \n\n**Underlying Microsoft Technologies used:**\n\nThis solution takes a dependency on the following technologies, and some of these dependencies either may be in [Preview](https://azure.microsoft.com/support/legal/preview-supplemental-terms/) state or might result in additional ingestion or operational costs: \n\na. [Agent-based log collection (CEF over Syslog)](https://docs.microsoft.com/azure/sentinel/connect-common-event-format)\n\n**Data Connectors:** 1, **Workbooks:** 2, **Analytic Rules:** 3, **Hunting Queries:** 2\n\n[Learn more about Microsoft Sentinel](https://aka.ms/azuresentinel) | [Learn more about Solutions](https://aka.ms/azuresentinelsolutionsdoc)",
+        "description": "<img src=\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Solutions/PaloAlto-PAN-OS/logo/Palo-alto-logo.png\" width=\"75px\" height=\"75px\">\n\n**Note:** Please refer to the following before installing the solution: \n\n• Review the solution [Release Notes](https://github.com/Azure/Azure-Sentinel/tree/master/Solutions/Azure%20Cloud%20NGFW%20By%20Palo%20Alto%20Networks/ReleaseNotes.md)\n\n • There may be [known issues](https://aka.ms/sentinelsolutionsknownissues) pertaining to this Solution, please refer to them before installing.\n\nThe [Azure Cloud NGFW By Palo Alto Networks](https://docs.paloaltonetworks.com/cloud-ngfw/azure) Solution for Microsoft Sentinel allows you to easily connect your Cloud NGFW logs with Microsoft Sentinel, to view dashboards, create custom alerts, and improve investigation. This gives you more insight into your organization's network and improves your security operation capabilities. This solution also contains playbooks to help in automated remediation. \n\n**Underlying Microsoft Technologies used:**\n\nThis solution takes a dependency on the following technologies, and some of these dependencies either may be in [Preview](https://azure.microsoft.com/support/legal/preview-supplemental-terms/) state or might result in additional ingestion or operational costs: \n\na. [Agent-based log collection (CEF over Syslog)](https://docs.microsoft.com/azure/sentinel/connect-common-event-format)\n\n**Data Connectors:** 1, **Workbooks:** 2, **Analytic Rules:** 3, **Hunting Queries:** 2\n\n[Learn more about Microsoft Sentinel](https://aka.ms/azuresentinel) | [Learn more about Solutions](https://aka.ms/azuresentinelsolutionsdoc)",
         "subscription": {
           "resourceProviders": [
             "Microsoft.OperationsManagement/solutions",