![](\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Solutions/PaloAlto-PAN-OS/logo/Palo-alto-logo.png\"){kind=logo}
\n\n**Note:** Please refer to the following before installing the solution: \n\n• Review the solution [Release Notes](https://github.com/Azure/Azure-Sentinel/tree/master/Solutions/PaloAlto-PAN-OS/ReleaseNotes.md)\n\n • There may be [known issues](https://aka.ms/sentinelsolutionsknownissues) pertaining to this Solution, please refer to them before installing.\n\nThe [Palo Alto Networks (Firewall)](https://www.paloaltonetworks.com/network-security/next-generation-firewall) Solution for Microsoft Sentinel allows you to easily connect your Palo Alto Networks Firewall logs with Microsoft Sentinel, to view dashboards, create custom alerts, and improve investigation. This gives you more insight into your organization's network and improves your security operation capabilities. This solution also contains playbooks to help in automated remediation.\n\nThis solution is dependent on the Common Event Format solution containing the CEF via AMA connector to collect the logs. The CEF solution will be installed as part of this solution installation.\n\n**NOTE:** Microsoft recommends installation of CEF via AMA Connector. The existing connectors are about to be deprecated by **Aug 31, 2024**.\n\n**Data Connectors:** 2, **Workbooks:** 2, **Analytic Rules:** 4, **Hunting Queries:** 2, **Custom Azure Logic Apps Connectors:** 2, **Playbooks:** 7\n\n[Learn more about Microsoft Sentinel](https://aka.ms/azuresentinel) | [Learn more about Solutions](https://aka.ms/azuresentinelsolutionsdoc)",
+ "description": "\n\n**Note:** Please refer to the following before installing the solution: \n\n• Review the solution [Release Notes](https://github.com/Azure/Azure-Sentinel/tree/master/Solutions/PaloAlto-PAN-OS/ReleaseNotes.md)\n\n • There may be [known issues](https://aka.ms/sentinelsolutionsknownissues) pertaining to this Solution, please refer to them before installing.\n\nThe [Palo Alto Networks (Firewall)](https://www.paloaltonetworks.com/network-security/next-generation-firewall) Solution for Microsoft Sentinel allows you to easily connect your Palo Alto Networks Firewall logs with Microsoft Sentinel, to view dashboards, create custom alerts, and improve investigation. This gives you more insight into your organization's network and improves your security operation capabilities. This solution also contains playbooks to help in automated remediation.\n\nThis solution is dependent on the Common Event Format solution containing the CEF via AMA connector to collect the logs. The CEF solution will be installed as part of this solution installation.\n\n**NOTE:** Microsoft recommends installation of CEF via AMA Connector. The existing connectors are about to be deprecated by **Aug 31, 2024**.\n\n**Data Connector:** 1,**Workbooks:** 2, **Analytic Rules:** 4, **Hunting Queries:** 2, **Custom Azure Logic Apps Connectors:** 2, **Playbooks:** 7\n\n[Learn more about Microsoft Sentinel](https://aka.ms/azuresentinel) | [Learn more about Solutions](https://aka.ms/azuresentinelsolutionsdoc)",
"subscription": {
"resourceProviders": [
"Microsoft.OperationsManagement/solutions",
@@ -51,30 +51,6 @@
}
],
"steps": [
- {
- "name": "dataconnectors",
- "label": "Data Connectors",
- "bladeTitle": "Data Connectors",
- "elements": [
- {
- "name": "dataconnectors1-text",
- "type": "Microsoft.Common.TextBlock",
- "options": {
- "text": "This Solution installs the data connector for PaloAlto-PAN-OS. You can get PaloAlto-PAN-OS CommonSecurityLog data in your Microsoft Sentinel workspace. After installing the solution, configure and enable this data connector by following guidance in Manage solution view."
- }
- },
- {
- "name": "dataconnectors-link2",
- "type": "Microsoft.Common.TextBlock",
- "options": {
- "link": {
- "label": "Learn more about connecting data sources",
- "uri": "https://docs.microsoft.com/azure/sentinel/connect-data-sources"
- }
- }
- }
- ]
- },
{
"name": "workbooks",
"label": "Workbooks",
@@ -246,7 +222,7 @@
"name": "huntingquery1-text",
"type": "Microsoft.Common.TextBlock",
"options": {
- "text": "Identifies network connections whose ports are frequent targets of attacks and should not cross network boundaries or reach untrusted public networks.\nConsider updating the firewall policies to block the connections. This hunting query depends on PaloAltoNetworks PaloAltoNetworksAma CefAma data connector (CommonSecurityLog CommonSecurityLog CommonSecurityLog Parser or Table)"
+ "text": "Identifies network connections whose ports are frequent targets of attacks and should not cross network boundaries or reach untrusted public networks.\nConsider updating the firewall policies to block the connections. This hunting query depends on CefAma data connector (CommonSecurityLog Parser or Table)"
}
}
]
@@ -260,7 +236,7 @@
"name": "huntingquery2-text",
"type": "Microsoft.Common.TextBlock",
"options": {
- "text": "Identifies beaconing patterns from PAN traffic logs based on recurrent timedelta patterns.\n Reference Blog:https://techcommunity.microsoft.com/t5/microsoft-sentinel-blog/detect-network-beaconing-via-intra-request-time-delta-patterns/ba-p/779586 This hunting query depends on PaloAltoNetworks PaloAltoNetworksAma CefAma data connector (CommonSecurityLog CommonSecurityLog CommonSecurityLog Parser or Table)"
+ "text": "Identifies beaconing patterns from PAN traffic logs based on recurrent timedelta patterns.\n Reference Blog:https://techcommunity.microsoft.com/t5/microsoft-sentinel-blog/detect-network-beaconing-via-intra-request-time-delta-patterns/ba-p/779586 This hunting query depends on CefAma data connector (CommonSecurityLog Parser or Table)"
}
}
]
diff --git a/Solutions/PaloAlto-PAN-OS/Package/mainTemplate.json b/Solutions/PaloAlto-PAN-OS/Package/mainTemplate.json
index e7637667c3c..e680cbaff9d 100644
--- a/Solutions/PaloAlto-PAN-OS/Package/mainTemplate.json
+++ b/Solutions/PaloAlto-PAN-OS/Package/mainTemplate.json
@@ -52,31 +52,13 @@
"_solutionVersion": "3.0.7",
"solutionId": "azuresentinel.azure-sentinel-solution-paloaltopanos",
"_solutionId": "[variables('solutionId')]",
- "uiConfigId1": "PaloAltoNetworks",
- "_uiConfigId1": "[variables('uiConfigId1')]",
- "dataConnectorContentId1": "PaloAltoNetworks",
- "_dataConnectorContentId1": "[variables('dataConnectorContentId1')]",
- "dataConnectorId1": "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/dataConnectors', variables('_dataConnectorContentId1'))]",
- "_dataConnectorId1": "[variables('dataConnectorId1')]",
- "dataConnectorTemplateSpecName1": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-dc-',uniquestring(variables('_dataConnectorContentId1'))))]",
- "dataConnectorVersion1": "1.0.0",
- "_dataConnectorcontentProductId1": "[concat(take(variables('_solutionId'),50),'-','dc','-', uniqueString(concat(variables('_solutionId'),'-','DataConnector','-',variables('_dataConnectorContentId1'),'-', variables('dataConnectorVersion1'))))]",
- "uiConfigId2": "PaloAltoNetworksAma",
- "_uiConfigId2": "[variables('uiConfigId2')]",
- "dataConnectorContentId2": "PaloAltoNetworksAma",
- "_dataConnectorContentId2": "[variables('dataConnectorContentId2')]",
- "dataConnectorId2": "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/dataConnectors', variables('_dataConnectorContentId2'))]",
- "_dataConnectorId2": "[variables('dataConnectorId2')]",
- "dataConnectorTemplateSpecName2": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-dc-',uniquestring(variables('_dataConnectorContentId2'))))]",
- "dataConnectorVersion2": "1.0.0",
- "_dataConnectorcontentProductId2": "[concat(take(variables('_solutionId'),50),'-','dc','-', uniqueString(concat(variables('_solutionId'),'-','DataConnector','-',variables('_dataConnectorContentId2'),'-', variables('dataConnectorVersion2'))))]",
"huntingQueryObject1": {
- "huntingQueryVersion1": "1.0.1",
+ "huntingQueryVersion1": "1.0.2",
"_huntingQuerycontentId1": "0a57accf-3548-4e38-a861-99687c958f59",
"huntingQueryTemplateSpecName1": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-hq-',uniquestring('0a57accf-3548-4e38-a861-99687c958f59')))]"
},
"huntingQueryObject2": {
- "huntingQueryVersion2": "1.0.4",
+ "huntingQueryVersion2": "1.0.5",
"_huntingQuerycontentId2": "2f8522fc-7807-4f0a-b53d-458296edab8d",
"huntingQueryTemplateSpecName2": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-hq-',uniquestring('2f8522fc-7807-4f0a-b53d-458296edab8d')))]"
},
@@ -94,32 +76,32 @@
"_workbookContentId2": "[variables('workbookContentId2')]",
"_workbookcontentProductId2": "[concat(take(variables('_solutionId'),50),'-','wb','-', uniqueString(concat(variables('_solutionId'),'-','Workbook','-',variables('_workbookContentId2'),'-', variables('workbookVersion2'))))]",
"analyticRuleObject1": {
- "analyticRuleVersion1": "1.0.2",
+ "analyticRuleVersion1": "1.0.3",
"_analyticRulecontentId1": "89a86f70-615f-4a79-9621-6f68c50f365f",
"analyticRuleId1": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', '89a86f70-615f-4a79-9621-6f68c50f365f')]",
"analyticRuleTemplateSpecName1": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('89a86f70-615f-4a79-9621-6f68c50f365f')))]",
- "_analyticRulecontentProductId1": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','89a86f70-615f-4a79-9621-6f68c50f365f','-', '1.0.2')))]"
+ "_analyticRulecontentProductId1": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','89a86f70-615f-4a79-9621-6f68c50f365f','-', '1.0.3')))]"
},
"analyticRuleObject2": {
- "analyticRuleVersion2": "1.3.5",
+ "analyticRuleVersion2": "1.3.6",
"_analyticRulecontentId2": "2be4ef67-a93f-4d8a-981a-88158cb73abd",
"analyticRuleId2": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', '2be4ef67-a93f-4d8a-981a-88158cb73abd')]",
"analyticRuleTemplateSpecName2": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('2be4ef67-a93f-4d8a-981a-88158cb73abd')))]",
- "_analyticRulecontentProductId2": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','2be4ef67-a93f-4d8a-981a-88158cb73abd','-', '1.3.5')))]"
+ "_analyticRulecontentProductId2": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','2be4ef67-a93f-4d8a-981a-88158cb73abd','-', '1.3.6')))]"
},
"analyticRuleObject3": {
- "analyticRuleVersion3": "1.0.4",
+ "analyticRuleVersion3": "1.0.5",
"_analyticRulecontentId3": "f0be259a-34ac-4946-aa15-ca2b115d5feb",
"analyticRuleId3": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', 'f0be259a-34ac-4946-aa15-ca2b115d5feb')]",
"analyticRuleTemplateSpecName3": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('f0be259a-34ac-4946-aa15-ca2b115d5feb')))]",
- "_analyticRulecontentProductId3": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','f0be259a-34ac-4946-aa15-ca2b115d5feb','-', '1.0.4')))]"
+ "_analyticRulecontentProductId3": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','f0be259a-34ac-4946-aa15-ca2b115d5feb','-', '1.0.5')))]"
},
"analyticRuleObject4": {
- "analyticRuleVersion4": "1.0.6",
+ "analyticRuleVersion4": "1.0.7",
"_analyticRulecontentId4": "5b72f527-e3f6-4a00-9908-8e4fee14da9f",
"analyticRuleId4": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', '5b72f527-e3f6-4a00-9908-8e4fee14da9f')]",
"analyticRuleTemplateSpecName4": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('5b72f527-e3f6-4a00-9908-8e4fee14da9f')))]",
- "_analyticRulecontentProductId4": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','5b72f527-e3f6-4a00-9908-8e4fee14da9f','-', '1.0.6')))]"
+ "_analyticRulecontentProductId4": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','5b72f527-e3f6-4a00-9908-8e4fee14da9f','-', '1.0.7')))]"
},
"PaloAlto_PAN-OS_Rest_API_CustomConnector": "PaloAlto_PAN-OS_Rest_API_CustomConnector",
"_PaloAlto_PAN-OS_Rest_API_CustomConnector": "[variables('PaloAlto_PAN-OS_Rest_API_CustomConnector')]",
@@ -197,708 +179,6 @@
"_solutioncontentProductId": "[concat(take(variables('_solutionId'),50),'-','sl','-', uniqueString(concat(variables('_solutionId'),'-','Solution','-',variables('_solutionId'),'-', variables('_solutionVersion'))))]"
},
"resources": [
- {
- "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates",
- "apiVersion": "2023-04-01-preview",
- "name": "[variables('dataConnectorTemplateSpecName1')]",
- "location": "[parameters('workspace-location')]",
- "dependsOn": [
- "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
- ],
- "properties": {
- "description": "PaloAlto-PAN-OS data connector with template version 3.0.7",
- "mainTemplate": {
- "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
- "contentVersion": "[variables('dataConnectorVersion1')]",
- "parameters": {},
- "variables": {},
- "resources": [
- {
- "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',variables('_dataConnectorContentId1'))]",
- "apiVersion": "2021-03-01-preview",
- "type": "Microsoft.OperationalInsights/workspaces/providers/dataConnectors",
- "location": "[parameters('workspace-location')]",
- "kind": "GenericUI",
- "properties": {
- "connectorUiConfig": {
- "id": "[variables('_uiConfigId1')]",
- "title": "[Deprecated] Palo Alto Networks (Firewall) via Legacy Agent",
- "publisher": "Palo Alto Networks",
- "descriptionMarkdown": "The Palo Alto Networks firewall connector allows you to easily connect your Palo Alto Networks logs with Microsoft Sentinel, to view dashboards, create custom alerts, and improve investigation. This gives you more insight into your organization's network and improves your security operation capabilities.",
- "graphQueries": [
- {
- "metricName": "Total data received",
- "legend": "Palo Alto Networks",
- "baseQuery": "\nCommonSecurityLog\n| where DeviceVendor == \"Palo Alto Networks\"\n| where DeviceProduct has \"PAN-OS\"\n"
- }
- ],
- "sampleQueries": [
- {
- "description": "All logs",
- "query": "\nCommonSecurityLog\n| where DeviceVendor == \"Palo Alto Networks\"\n| where DeviceProduct has \"PAN-OS\"\n\n | sort by TimeGenerated"
- },
- {
- "description": "THREAT activity",
- "query": "\nCommonSecurityLog\n| where DeviceVendor == \"Palo Alto Networks\"\n| where DeviceProduct has \"PAN-OS\"\n\n | where Activity == \"THREAT\"\n | sort by TimeGenerated"
- }
- ],
- "connectivityCriterias": [
- {
- "type": "IsConnectedQuery",
- "value": [
- "\nCommonSecurityLog\n| where DeviceVendor == \"Palo Alto Networks\"\n| where DeviceProduct has \"PAN-OS\"\n\n | summarize LastLogReceived = max(TimeGenerated)\n | project IsConnected = LastLogReceived > ago(3d)"
- ]
- }
- ],
- "dataTypes": [
- {
- "name": "CommonSecurityLog (PaloAlto)",
- "lastDataReceivedQuery": "\nCommonSecurityLog\n| where DeviceVendor == \"Palo Alto Networks\"\n| where DeviceProduct has \"PAN-OS\"\n\n | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)"
- }
- ],
- "availability": {
- "status": 1,
- "isPreview": false
- },
- "permissions": {
- "resourceProvider": [
- {
- "provider": "Microsoft.OperationalInsights/workspaces",
- "permissionsDisplayText": "read and write permissions are required.",
- "providerDisplayName": "Workspace",
- "scope": "Workspace",
- "requiredPermissions": {
- "read": true,
- "write": true,
- "delete": true
- }
- },
- {
- "provider": "Microsoft.OperationalInsights/workspaces/sharedKeys",
- "permissionsDisplayText": "read permissions to shared keys for the workspace are required. [See the documentation to learn more about workspace keys](https://docs.microsoft.com/azure/azure-monitor/platform/agent-windows#obtain-workspace-id-and-key).",
- "providerDisplayName": "Keys",
- "scope": "Workspace",
- "requiredPermissions": {
- "action": true
- }
- }
- ]
- },
- "instructionSteps": [
- {
- "description": "Install and configure the Linux agent to collect your Common Event Format (CEF) Syslog messages and forward them to Microsoft Sentinel.\n\n> Notice that the data from all regions will be stored in the selected workspace",
- "innerSteps": [
- {
- "title": "1.1 Select or create a Linux machine",
- "description": "Select or create a Linux machine that Microsoft Sentinel will use as the proxy between your security solution and Microsoft Sentinel this machine can be on your on-prem environment, Azure or other clouds."
- },
- {
- "title": "1.2 Install the CEF collector on the Linux machine",
- "description": "Install the Microsoft Monitoring Agent on your Linux machine and configure the machine to listen on the necessary port and forward messages to your Microsoft Sentinel workspace. The CEF collector collects CEF messages on port 514 TCP.\n\n> 1. Make sure that you have Python on your machine using the following command: python -version.\n\n> 2. You must have elevated permissions (sudo) on your machine.",
- "instructions": [
- {
- "parameters": {
- "fillWith": [
- "WorkspaceId",
- "PrimaryKey"
- ],
- "label": "Run the following command to install and apply the CEF collector:",
- "value": "sudo wget -O cef_installer.py https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/DataConnectors/CEF/cef_installer.py&&sudo python cef_installer.py {0} {1}"
- },
- "type": "CopyableLabel"
- }
- ]
- }
- ],
- "title": "1. Linux Syslog agent configuration"
- },
- {
- "description": "Configure Palo Alto Networks to forward Syslog messages in CEF format to your Microsoft Sentinel workspace via the Syslog agent.\n\nGo to [configure Palo Alto Networks NGFW for sending CEF events.](https://aka.ms/sentinel-paloaltonetworks-readme)\n\nGo to [Palo Alto CEF Configuration](https://aka.ms/asi-syslog-paloalto-forwarding) and Palo Alto [Configure Syslog Monitoring](https://aka.ms/asi-syslog-paloalto-configure) steps 2, 3, choose your version, and follow the instructions using the following guidelines:\n\n1. Set the Syslog server format to **BSD**.\n\n2. The copy/paste operations from the PDF might change the text and insert random characters. To avoid this, copy the text to an editor and remove any characters that might break the log format before pasting it.\n\n[Learn more >](https://aka.ms/CEFPaloAlto)",
- "title": "2. Forward Palo Alto Networks logs to Syslog agent"
- },
- {
- "description": "Follow the instructions to validate your connectivity:\n\nOpen Log Analytics to check if the logs are received using the CommonSecurityLog schema.\n\n>It may take about 20 minutes until the connection streams data to your workspace.\n\nIf the logs are not received, run the following connectivity validation script:\n\n> 1. Make sure that you have Python on your machine using the following command: python -version\n\n>2. You must have elevated permissions (sudo) on your machine",
- "instructions": [
- {
- "parameters": {
- "fillWith": [
- "WorkspaceId"
- ],
- "label": "Run the following command to validate your connectivity:",
- "value": "sudo wget -O cef_troubleshoot.py https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/DataConnectors/CEF/cef_troubleshoot.py&&sudo python cef_troubleshoot.py {0}"
- },
- "type": "CopyableLabel"
- }
- ],
- "title": "3. Validate connection"
- },
- {
- "description": "Make sure to configure the machine's security according to your organization's security policy\n\n\n[Learn more >](https://aka.ms/SecureCEF)",
- "title": "4. Secure your machine "
- }
- ],
- "metadata": {
- "id": "ef80260c-3aec-43bc-a1e5-c2f2372c9adc",
- "version": "1.0.0",
- "kind": "dataConnector",
- "source": {
- "kind": "community"
- },
- "author": {
- "name": "Palo Alto Networks"
- },
- "support": {
- "name": "Palo Alto Networks",
- "link": "https://www.paloaltonetworks.com/company/contact-support",
- "tier": "developer"
- }
- }
- }
- }
- },
- {
- "type": "Microsoft.OperationalInsights/workspaces/providers/metadata",
- "apiVersion": "2023-04-01-preview",
- "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('DataConnector-', last(split(variables('_dataConnectorId1'),'/'))))]",
- "properties": {
- "parentId": "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/dataConnectors', variables('_dataConnectorContentId1'))]",
- "contentId": "[variables('_dataConnectorContentId1')]",
- "kind": "DataConnector",
- "version": "[variables('dataConnectorVersion1')]",
- "source": {
- "kind": "Solution",
- "name": "PaloAlto-PAN-OS",
- "sourceId": "[variables('_solutionId')]"
- },
- "author": {
- "name": "Microsoft",
- "email": "[variables('_email')]"
- },
- "support": {
- "name": "Microsoft Corporation",
- "email": "support@microsoft.com",
- "tier": "Microsoft",
- "link": "https://support.microsoft.com"
- }
- }
- }
- ]
- },
- "packageKind": "Solution",
- "packageVersion": "[variables('_solutionVersion')]",
- "packageName": "[variables('_solutionName')]",
- "packageId": "[variables('_solutionId')]",
- "contentSchemaVersion": "3.0.0",
- "contentId": "[variables('_dataConnectorContentId1')]",
- "contentKind": "DataConnector",
- "displayName": "[Deprecated] Palo Alto Networks (Firewall) via Legacy Agent",
- "contentProductId": "[variables('_dataConnectorcontentProductId1')]",
- "id": "[variables('_dataConnectorcontentProductId1')]",
- "version": "[variables('dataConnectorVersion1')]"
- }
- },
- {
- "type": "Microsoft.OperationalInsights/workspaces/providers/metadata",
- "apiVersion": "2023-04-01-preview",
- "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('DataConnector-', last(split(variables('_dataConnectorId1'),'/'))))]",
- "dependsOn": [
- "[variables('_dataConnectorId1')]"
- ],
- "location": "[parameters('workspace-location')]",
- "properties": {
- "parentId": "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/dataConnectors', variables('_dataConnectorContentId1'))]",
- "contentId": "[variables('_dataConnectorContentId1')]",
- "kind": "DataConnector",
- "version": "[variables('dataConnectorVersion1')]",
- "source": {
- "kind": "Solution",
- "name": "PaloAlto-PAN-OS",
- "sourceId": "[variables('_solutionId')]"
- },
- "author": {
- "name": "Microsoft",
- "email": "[variables('_email')]"
- },
- "support": {
- "name": "Microsoft Corporation",
- "email": "support@microsoft.com",
- "tier": "Microsoft",
- "link": "https://support.microsoft.com"
- }
- }
- },
- {
- "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',variables('_dataConnectorContentId1'))]",
- "apiVersion": "2021-03-01-preview",
- "type": "Microsoft.OperationalInsights/workspaces/providers/dataConnectors",
- "location": "[parameters('workspace-location')]",
- "kind": "GenericUI",
- "properties": {
- "connectorUiConfig": {
- "title": "[Deprecated] Palo Alto Networks (Firewall) via Legacy Agent",
- "publisher": "Palo Alto Networks",
- "descriptionMarkdown": "The Palo Alto Networks firewall connector allows you to easily connect your Palo Alto Networks logs with Microsoft Sentinel, to view dashboards, create custom alerts, and improve investigation. This gives you more insight into your organization's network and improves your security operation capabilities.",
- "graphQueries": [
- {
- "metricName": "Total data received",
- "legend": "Palo Alto Networks",
- "baseQuery": "\nCommonSecurityLog\n| where DeviceVendor == \"Palo Alto Networks\"\n| where DeviceProduct has \"PAN-OS\"\n"
- }
- ],
- "dataTypes": [
- {
- "name": "CommonSecurityLog (PaloAlto)",
- "lastDataReceivedQuery": "\nCommonSecurityLog\n| where DeviceVendor == \"Palo Alto Networks\"\n| where DeviceProduct has \"PAN-OS\"\n\n | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)"
- }
- ],
- "connectivityCriterias": [
- {
- "type": "IsConnectedQuery",
- "value": [
- "\nCommonSecurityLog\n| where DeviceVendor == \"Palo Alto Networks\"\n| where DeviceProduct has \"PAN-OS\"\n\n | summarize LastLogReceived = max(TimeGenerated)\n | project IsConnected = LastLogReceived > ago(3d)"
- ]
- }
- ],
- "sampleQueries": [
- {
- "description": "All logs",
- "query": "\nCommonSecurityLog\n| where DeviceVendor == \"Palo Alto Networks\"\n| where DeviceProduct has \"PAN-OS\"\n\n | sort by TimeGenerated"
- },
- {
- "description": "THREAT activity",
- "query": "\nCommonSecurityLog\n| where DeviceVendor == \"Palo Alto Networks\"\n| where DeviceProduct has \"PAN-OS\"\n\n | where Activity == \"THREAT\"\n | sort by TimeGenerated"
- }
- ],
- "availability": {
- "status": 1,
- "isPreview": false
- },
- "permissions": {
- "resourceProvider": [
- {
- "provider": "Microsoft.OperationalInsights/workspaces",
- "permissionsDisplayText": "read and write permissions are required.",
- "providerDisplayName": "Workspace",
- "scope": "Workspace",
- "requiredPermissions": {
- "read": true,
- "write": true,
- "delete": true
- }
- },
- {
- "provider": "Microsoft.OperationalInsights/workspaces/sharedKeys",
- "permissionsDisplayText": "read permissions to shared keys for the workspace are required. [See the documentation to learn more about workspace keys](https://docs.microsoft.com/azure/azure-monitor/platform/agent-windows#obtain-workspace-id-and-key).",
- "providerDisplayName": "Keys",
- "scope": "Workspace",
- "requiredPermissions": {
- "action": true
- }
- }
- ]
- },
- "instructionSteps": [
- {
- "description": "Install and configure the Linux agent to collect your Common Event Format (CEF) Syslog messages and forward them to Microsoft Sentinel.\n\n> Notice that the data from all regions will be stored in the selected workspace",
- "innerSteps": [
- {
- "title": "1.1 Select or create a Linux machine",
- "description": "Select or create a Linux machine that Microsoft Sentinel will use as the proxy between your security solution and Microsoft Sentinel this machine can be on your on-prem environment, Azure or other clouds."
- },
- {
- "title": "1.2 Install the CEF collector on the Linux machine",
- "description": "Install the Microsoft Monitoring Agent on your Linux machine and configure the machine to listen on the necessary port and forward messages to your Microsoft Sentinel workspace. The CEF collector collects CEF messages on port 514 TCP.\n\n> 1. Make sure that you have Python on your machine using the following command: python -version.\n\n> 2. You must have elevated permissions (sudo) on your machine.",
- "instructions": [
- {
- "parameters": {
- "fillWith": [
- "WorkspaceId",
- "PrimaryKey"
- ],
- "label": "Run the following command to install and apply the CEF collector:",
- "value": "sudo wget -O cef_installer.py https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/DataConnectors/CEF/cef_installer.py&&sudo python cef_installer.py {0} {1}"
- },
- "type": "CopyableLabel"
- }
- ]
- }
- ],
- "title": "1. Linux Syslog agent configuration"
- },
- {
- "description": "Configure Palo Alto Networks to forward Syslog messages in CEF format to your Microsoft Sentinel workspace via the Syslog agent.\n\nGo to [configure Palo Alto Networks NGFW for sending CEF events.](https://aka.ms/sentinel-paloaltonetworks-readme)\n\nGo to [Palo Alto CEF Configuration](https://aka.ms/asi-syslog-paloalto-forwarding) and Palo Alto [Configure Syslog Monitoring](https://aka.ms/asi-syslog-paloalto-configure) steps 2, 3, choose your version, and follow the instructions using the following guidelines:\n\n1. Set the Syslog server format to **BSD**.\n\n2. The copy/paste operations from the PDF might change the text and insert random characters. To avoid this, copy the text to an editor and remove any characters that might break the log format before pasting it.\n\n[Learn more >](https://aka.ms/CEFPaloAlto)",
- "title": "2. Forward Palo Alto Networks logs to Syslog agent"
- },
- {
- "description": "Follow the instructions to validate your connectivity:\n\nOpen Log Analytics to check if the logs are received using the CommonSecurityLog schema.\n\n>It may take about 20 minutes until the connection streams data to your workspace.\n\nIf the logs are not received, run the following connectivity validation script:\n\n> 1. Make sure that you have Python on your machine using the following command: python -version\n\n>2. You must have elevated permissions (sudo) on your machine",
- "instructions": [
- {
- "parameters": {
- "fillWith": [
- "WorkspaceId"
- ],
- "label": "Run the following command to validate your connectivity:",
- "value": "sudo wget -O cef_troubleshoot.py https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/DataConnectors/CEF/cef_troubleshoot.py&&sudo python cef_troubleshoot.py {0}"
- },
- "type": "CopyableLabel"
- }
- ],
- "title": "3. Validate connection"
- },
- {
- "description": "Make sure to configure the machine's security according to your organization's security policy\n\n\n[Learn more >](https://aka.ms/SecureCEF)",
- "title": "4. Secure your machine "
- }
- ],
- "id": "[variables('_uiConfigId1')]"
- }
- }
- },
- {
- "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates",
- "apiVersion": "2023-04-01-preview",
- "name": "[variables('dataConnectorTemplateSpecName2')]",
- "location": "[parameters('workspace-location')]",
- "dependsOn": [
- "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
- ],
- "properties": {
- "description": "PaloAlto-PAN-OS data connector with template version 3.0.7",
- "mainTemplate": {
- "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
- "contentVersion": "[variables('dataConnectorVersion2')]",
- "parameters": {},
- "variables": {},
- "resources": [
- {
- "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',variables('_dataConnectorContentId2'))]",
- "apiVersion": "2021-03-01-preview",
- "type": "Microsoft.OperationalInsights/workspaces/providers/dataConnectors",
- "location": "[parameters('workspace-location')]",
- "kind": "GenericUI",
- "properties": {
- "connectorUiConfig": {
- "id": "[variables('_uiConfigId2')]",
- "title": "[Deprecated] Palo Alto Networks (Firewall) via AMA",
- "publisher": "Palo Alto Networks",
- "descriptionMarkdown": "The Palo Alto Networks firewall connector allows you to easily connect your Palo Alto Networks logs with Microsoft Sentinel, to view dashboards, create custom alerts, and improve investigation. This gives you more insight into your organization's network and improves your security operation capabilities.",
- "graphQueries": [
- {
- "metricName": "Total data received",
- "legend": "Palo Alto Networks",
- "baseQuery": "CommonSecurityLog\n |where DeviceVendor =~ 'Palo Alto Networks' \n |where DeviceProduct has 'PAN-OS'\n |extend sent_by_ama = column_ifexists('CollectorHostName','')\n |where isnotempty(sent_by_ama)"
- }
- ],
- "sampleQueries": [
- {
- "description": "All logs",
- "query": "\nCommonSecurityLog\n| where DeviceVendor == \"Palo Alto Networks\"\n| where DeviceProduct has \"PAN-OS\"\n\n | sort by TimeGenerated"
- },
- {
- "description": "THREAT activity",
- "query": "\nCommonSecurityLog\n| where DeviceVendor == \"Palo Alto Networks\"\n| where DeviceProduct has \"PAN-OS\"\n\n | where Activity == \"THREAT\"\n | sort by TimeGenerated"
- }
- ],
- "connectivityCriterias": [
- {
- "type": "IsConnectedQuery",
- "value": [
- "CommonSecurityLog\n |where DeviceVendor =~ 'Palo Alto Networks' \n |where DeviceProduct =~ 'PAN-OS'\n |extend sent_by_ama = column_ifexists('CollectorHostName','')\n |where isnotempty(sent_by_ama)\n | summarize LastLogReceived = max(TimeGenerated)\n | project IsConnected = LastLogReceived > ago(3d)"
- ]
- }
- ],
- "dataTypes": [
- {
- "name": "CommonSecurityLog (PaloAlto)",
- "lastDataReceivedQuery": "CommonSecurityLog\n |where DeviceVendor =~ 'Palo Alto Networks' \n |where DeviceProduct has 'PAN-OS'\n |extend sent_by_ama = column_ifexists('CollectorHostName','')\n |where isnotempty(sent_by_ama)\n | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)"
- }
- ],
- "availability": {
- "status": 1,
- "isPreview": false
- },
- "permissions": {
- "resourceProvider": [
- {
- "provider": "Microsoft.OperationalInsights/workspaces",
- "permissionsDisplayText": "read and write permissions are required.",
- "providerDisplayName": "Workspace",
- "scope": "Workspace",
- "requiredPermissions": {
- "read": true,
- "write": true,
- "delete": true
- }
- },
- {
- "provider": "Microsoft.OperationalInsights/workspaces/sharedKeys",
- "permissionsDisplayText": "read permissions to shared keys for the workspace are required. [See the documentation to learn more about workspace keys](https://docs.microsoft.com/azure/azure-monitor/platform/agent-windows#obtain-workspace-id-and-key).",
- "providerDisplayName": "Keys",
- "scope": "Workspace",
- "requiredPermissions": {
- "action": true
- }
- }
- ],
- "customs": [
- {
- "description": "To collect data from non-Azure VMs, they must have Azure Arc installed and enabled. [Learn more](https://docs.microsoft.com/azure/azure-monitor/agents/azure-monitor-agent-install?tabs=ARMAgentPowerShell,PowerShellWindows,PowerShellWindowsArc,CLIWindows,CLIWindowsArc)"
- },
- {
- "description": "Common Event Format (CEF) via AMA and Syslog via AMA data connectors must be installed [Learn more](https://learn.microsoft.com/azure/sentinel/connect-cef-ama#open-the-connector-page-and-create-the-dcr)"
- }
- ]
- },
- "instructionSteps": [
- {
- "instructions": [
- {
- "parameters": {
- "title": "1. Kindly follow the steps to configure the data connector",
- "instructionSteps": [
- {
- "title": "Step A. Configure the Common Event Format (CEF) via AMA data connector",
- "description": "_Note:- CEF logs are collected only from Linux Agents_\n\n1. Navigate to Microsoft Sentinel workspace ---> configuration ---> Data connector blade .\n\n2. Search for 'Common Event Format (CEF) via AMA' data connector and open it.\n\n3. Check If there is no existing DCR configured to collect required facility of logs, Create a new DCR (Data Collection Rule)\n\n\t_Note:- It is recommended to install minimum 1.27 version of AMA agent [Learn more](https://learn.microsoft.com/azure/azure-monitor/agents/azure-monitor-agent-manage?tabs=azure-portal ) and ensure there is no duplicate DCR as it can cause log duplicacy_\n\n4. Run the command provided in the CEF via AMA data connector page to configure the CEF collector on the machine"
- },
- {
- "title": "Step B. Forward Palo Alto Networks logs to Syslog agent",
- "description": "Configure Palo Alto Networks to forward Syslog messages in CEF format to your Microsoft Sentinel workspace via the Syslog agent.\n\nGo to [configure Palo Alto Networks NGFW for sending CEF events.](https://aka.ms/sentinel-paloaltonetworks-readme)\n\nGo to [Palo Alto CEF Configuration](https://aka.ms/asi-syslog-paloalto-forwarding) and Palo Alto [Configure Syslog Monitoring](https://aka.ms/asi-syslog-paloalto-configure) steps 2, 3, choose your version, and follow the instructions using the following guidelines:\n\n1. Set the Syslog server format to **BSD**.\n\n2. The copy/paste operations from the PDF might change the text and insert random characters. To avoid this, copy the text to an editor and remove any characters that might break the log format before pasting it.\n\n[Learn more >](https://aka.ms/CEFPaloAlto)"
- },
- {
- "title": "Step C. Validate connection",
- "description": "Follow the instructions to validate your connectivity:\n\nOpen Log Analytics to check if the logs are received using the CommonSecurityLog schema.\n\nIt may take about 20 minutes until the connection streams data to your workspace.\n\nIf the logs are not received, run the following connectivity validation script:\n\n 1. Make sure that you have Python on your machine using the following command: python -version\n\n2. You must have elevated permissions (sudo) on your machine",
- "instructions": [
- {
- "parameters": {
- "label": "Run the following command to validate your connectivity:",
- "value": "sudo wget -O Sentinel_AMA_troubleshoot.py https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/DataConnectors/Syslog/Sentinel_AMA_troubleshoot.py&&sudo python Sentinel_AMA_troubleshoot.py --cef"
- },
- "type": "CopyableLabel"
- }
- ]
- }
- ]
- },
- "type": "InstructionStepsGroup"
- }
- ]
- },
- {
- "description": "Make sure to configure the machine's security according to your organization's security policy\n\n\n[Learn more >](https://aka.ms/SecureCEF)",
- "title": "2. Secure your machine "
- }
- ],
- "metadata": {
- "id": "ef80260c-3aec-43bc-a1e5-c2f2372c9adc",
- "version": "1.0.0",
- "kind": "dataConnector",
- "source": {
- "kind": "community"
- },
- "author": {
- "name": "Palo Alto Networks"
- },
- "support": {
- "name": "Palo Alto Networks",
- "link": "https://www.paloaltonetworks.com/company/contact-support",
- "tier": "developer"
- }
- }
- }
- }
- },
- {
- "type": "Microsoft.OperationalInsights/workspaces/providers/metadata",
- "apiVersion": "2023-04-01-preview",
- "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('DataConnector-', last(split(variables('_dataConnectorId2'),'/'))))]",
- "properties": {
- "parentId": "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/dataConnectors', variables('_dataConnectorContentId2'))]",
- "contentId": "[variables('_dataConnectorContentId2')]",
- "kind": "DataConnector",
- "version": "[variables('dataConnectorVersion2')]",
- "source": {
- "kind": "Solution",
- "name": "PaloAlto-PAN-OS",
- "sourceId": "[variables('_solutionId')]"
- },
- "author": {
- "name": "Microsoft",
- "email": "[variables('_email')]"
- },
- "support": {
- "name": "Microsoft Corporation",
- "email": "support@microsoft.com",
- "tier": "Microsoft",
- "link": "https://support.microsoft.com"
- }
- }
- }
- ]
- },
- "packageKind": "Solution",
- "packageVersion": "[variables('_solutionVersion')]",
- "packageName": "[variables('_solutionName')]",
- "packageId": "[variables('_solutionId')]",
- "contentSchemaVersion": "3.0.0",
- "contentId": "[variables('_dataConnectorContentId2')]",
- "contentKind": "DataConnector",
- "displayName": "[Deprecated] Palo Alto Networks (Firewall) via AMA",
- "contentProductId": "[variables('_dataConnectorcontentProductId2')]",
- "id": "[variables('_dataConnectorcontentProductId2')]",
- "version": "[variables('dataConnectorVersion2')]"
- }
- },
- {
- "type": "Microsoft.OperationalInsights/workspaces/providers/metadata",
- "apiVersion": "2023-04-01-preview",
- "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('DataConnector-', last(split(variables('_dataConnectorId2'),'/'))))]",
- "dependsOn": [
- "[variables('_dataConnectorId2')]"
- ],
- "location": "[parameters('workspace-location')]",
- "properties": {
- "parentId": "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/dataConnectors', variables('_dataConnectorContentId2'))]",
- "contentId": "[variables('_dataConnectorContentId2')]",
- "kind": "DataConnector",
- "version": "[variables('dataConnectorVersion2')]",
- "source": {
- "kind": "Solution",
- "name": "PaloAlto-PAN-OS",
- "sourceId": "[variables('_solutionId')]"
- },
- "author": {
- "name": "Microsoft",
- "email": "[variables('_email')]"
- },
- "support": {
- "name": "Microsoft Corporation",
- "email": "support@microsoft.com",
- "tier": "Microsoft",
- "link": "https://support.microsoft.com"
- }
- }
- },
- {
- "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',variables('_dataConnectorContentId2'))]",
- "apiVersion": "2021-03-01-preview",
- "type": "Microsoft.OperationalInsights/workspaces/providers/dataConnectors",
- "location": "[parameters('workspace-location')]",
- "kind": "GenericUI",
- "properties": {
- "connectorUiConfig": {
- "title": "[Deprecated] Palo Alto Networks (Firewall) via AMA",
- "publisher": "Palo Alto Networks",
- "descriptionMarkdown": "The Palo Alto Networks firewall connector allows you to easily connect your Palo Alto Networks logs with Microsoft Sentinel, to view dashboards, create custom alerts, and improve investigation. This gives you more insight into your organization's network and improves your security operation capabilities.",
- "graphQueries": [
- {
- "metricName": "Total data received",
- "legend": "Palo Alto Networks",
- "baseQuery": "CommonSecurityLog\n |where DeviceVendor =~ 'Palo Alto Networks' \n |where DeviceProduct has 'PAN-OS'\n |extend sent_by_ama = column_ifexists('CollectorHostName','')\n |where isnotempty(sent_by_ama)"
- }
- ],
- "dataTypes": [
- {
- "name": "CommonSecurityLog (PaloAlto)",
- "lastDataReceivedQuery": "CommonSecurityLog\n |where DeviceVendor =~ 'Palo Alto Networks' \n |where DeviceProduct has 'PAN-OS'\n |extend sent_by_ama = column_ifexists('CollectorHostName','')\n |where isnotempty(sent_by_ama)\n | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)"
- }
- ],
- "connectivityCriterias": [
- {
- "type": "IsConnectedQuery",
- "value": [
- "CommonSecurityLog\n |where DeviceVendor =~ 'Palo Alto Networks' \n |where DeviceProduct =~ 'PAN-OS'\n |extend sent_by_ama = column_ifexists('CollectorHostName','')\n |where isnotempty(sent_by_ama)\n | summarize LastLogReceived = max(TimeGenerated)\n | project IsConnected = LastLogReceived > ago(3d)"
- ]
- }
- ],
- "sampleQueries": [
- {
- "description": "All logs",
- "query": "\nCommonSecurityLog\n| where DeviceVendor == \"Palo Alto Networks\"\n| where DeviceProduct has \"PAN-OS\"\n\n | sort by TimeGenerated"
- },
- {
- "description": "THREAT activity",
- "query": "\nCommonSecurityLog\n| where DeviceVendor == \"Palo Alto Networks\"\n| where DeviceProduct has \"PAN-OS\"\n\n | where Activity == \"THREAT\"\n | sort by TimeGenerated"
- }
- ],
- "availability": {
- "status": 1,
- "isPreview": false
- },
- "permissions": {
- "resourceProvider": [
- {
- "provider": "Microsoft.OperationalInsights/workspaces",
- "permissionsDisplayText": "read and write permissions are required.",
- "providerDisplayName": "Workspace",
- "scope": "Workspace",
- "requiredPermissions": {
- "read": true,
- "write": true,
- "delete": true
- }
- },
- {
- "provider": "Microsoft.OperationalInsights/workspaces/sharedKeys",
- "permissionsDisplayText": "read permissions to shared keys for the workspace are required. [See the documentation to learn more about workspace keys](https://docs.microsoft.com/azure/azure-monitor/platform/agent-windows#obtain-workspace-id-and-key).",
- "providerDisplayName": "Keys",
- "scope": "Workspace",
- "requiredPermissions": {
- "action": true
- }
- }
- ],
- "customs": [
- {
- "description": "To collect data from non-Azure VMs, they must have Azure Arc installed and enabled. [Learn more](https://docs.microsoft.com/azure/azure-monitor/agents/azure-monitor-agent-install?tabs=ARMAgentPowerShell,PowerShellWindows,PowerShellWindowsArc,CLIWindows,CLIWindowsArc)"
- },
- {
- "description": "Common Event Format (CEF) via AMA and Syslog via AMA data connectors must be installed [Learn more](https://learn.microsoft.com/azure/sentinel/connect-cef-ama#open-the-connector-page-and-create-the-dcr)"
- }
- ]
- },
- "instructionSteps": [
- {
- "instructions": [
- {
- "parameters": {
- "title": "1. Kindly follow the steps to configure the data connector",
- "instructionSteps": [
- {
- "title": "Step A. Configure the Common Event Format (CEF) via AMA data connector",
- "description": "_Note:- CEF logs are collected only from Linux Agents_\n\n1. Navigate to Microsoft Sentinel workspace ---> configuration ---> Data connector blade .\n\n2. Search for 'Common Event Format (CEF) via AMA' data connector and open it.\n\n3. Check If there is no existing DCR configured to collect required facility of logs, Create a new DCR (Data Collection Rule)\n\n\t_Note:- It is recommended to install minimum 1.27 version of AMA agent [Learn more](https://learn.microsoft.com/azure/azure-monitor/agents/azure-monitor-agent-manage?tabs=azure-portal ) and ensure there is no duplicate DCR as it can cause log duplicacy_\n\n4. Run the command provided in the CEF via AMA data connector page to configure the CEF collector on the machine"
- },
- {
- "title": "Step B. Forward Palo Alto Networks logs to Syslog agent",
- "description": "Configure Palo Alto Networks to forward Syslog messages in CEF format to your Microsoft Sentinel workspace via the Syslog agent.\n\nGo to [configure Palo Alto Networks NGFW for sending CEF events.](https://aka.ms/sentinel-paloaltonetworks-readme)\n\nGo to [Palo Alto CEF Configuration](https://aka.ms/asi-syslog-paloalto-forwarding) and Palo Alto [Configure Syslog Monitoring](https://aka.ms/asi-syslog-paloalto-configure) steps 2, 3, choose your version, and follow the instructions using the following guidelines:\n\n1. Set the Syslog server format to **BSD**.\n\n2. The copy/paste operations from the PDF might change the text and insert random characters. To avoid this, copy the text to an editor and remove any characters that might break the log format before pasting it.\n\n[Learn more >](https://aka.ms/CEFPaloAlto)"
- },
- {
- "title": "Step C. Validate connection",
- "description": "Follow the instructions to validate your connectivity:\n\nOpen Log Analytics to check if the logs are received using the CommonSecurityLog schema.\n\nIt may take about 20 minutes until the connection streams data to your workspace.\n\nIf the logs are not received, run the following connectivity validation script:\n\n 1. Make sure that you have Python on your machine using the following command: python -version\n\n2. You must have elevated permissions (sudo) on your machine",
- "instructions": [
- {
- "parameters": {
- "label": "Run the following command to validate your connectivity:",
- "value": "sudo wget -O Sentinel_AMA_troubleshoot.py https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/DataConnectors/Syslog/Sentinel_AMA_troubleshoot.py&&sudo python Sentinel_AMA_troubleshoot.py --cef"
- },
- "type": "CopyableLabel"
- }
- ]
- }
- ]
- },
- "type": "InstructionStepsGroup"
- }
- ]
- },
- {
- "description": "Make sure to configure the machine's security according to your organization's security policy\n\n\n[Learn more >](https://aka.ms/SecureCEF)",
- "title": "2. Secure your machine "
- }
- ],
- "id": "[variables('_uiConfigId2')]"
- }
- }
- },
{
"type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates",
"apiVersion": "2023-04-01-preview",
@@ -975,9 +255,9 @@
"contentId": "[variables('huntingQueryObject1')._huntingQuerycontentId1]",
"contentKind": "HuntingQuery",
"displayName": "Palo Alto - high-risk ports",
- "contentProductId": "[concat(take(variables('_solutionId'),50),'-','hq','-', uniqueString(concat(variables('_solutionId'),'-','HuntingQuery','-',variables('huntingQueryObject1')._huntingQuerycontentId1,'-', '1.0.1')))]",
- "id": "[concat(take(variables('_solutionId'),50),'-','hq','-', uniqueString(concat(variables('_solutionId'),'-','HuntingQuery','-',variables('huntingQueryObject1')._huntingQuerycontentId1,'-', '1.0.1')))]",
- "version": "1.0.1"
+ "contentProductId": "[concat(take(variables('_solutionId'),50),'-','hq','-', uniqueString(concat(variables('_solutionId'),'-','HuntingQuery','-',variables('huntingQueryObject1')._huntingQuerycontentId1,'-', '1.0.2')))]",
+ "id": "[concat(take(variables('_solutionId'),50),'-','hq','-', uniqueString(concat(variables('_solutionId'),'-','HuntingQuery','-',variables('huntingQueryObject1')._huntingQuerycontentId1,'-', '1.0.2')))]",
+ "version": "1.0.2"
}
},
{
@@ -1060,9 +340,9 @@
"contentId": "[variables('huntingQueryObject2')._huntingQuerycontentId2]",
"contentKind": "HuntingQuery",
"displayName": "Palo Alto - potential beaconing detected",
- "contentProductId": "[concat(take(variables('_solutionId'),50),'-','hq','-', uniqueString(concat(variables('_solutionId'),'-','HuntingQuery','-',variables('huntingQueryObject2')._huntingQuerycontentId2,'-', '1.0.4')))]",
- "id": "[concat(take(variables('_solutionId'),50),'-','hq','-', uniqueString(concat(variables('_solutionId'),'-','HuntingQuery','-',variables('huntingQueryObject2')._huntingQuerycontentId2,'-', '1.0.4')))]",
- "version": "1.0.4"
+ "contentProductId": "[concat(take(variables('_solutionId'),50),'-','hq','-', uniqueString(concat(variables('_solutionId'),'-','HuntingQuery','-',variables('huntingQueryObject2')._huntingQuerycontentId2,'-', '1.0.5')))]",
+ "id": "[concat(take(variables('_solutionId'),50),'-','hq','-', uniqueString(concat(variables('_solutionId'),'-','HuntingQuery','-',variables('huntingQueryObject2')._huntingQuerycontentId2,'-', '1.0.5')))]",
+ "version": "1.0.5"
}
},
{
@@ -1285,18 +565,6 @@
"triggerThreshold": 0,
"status": "Available",
"requiredDataConnectors": [
- {
- "connectorId": "PaloAltoNetworks",
- "dataTypes": [
- "CommonSecurityLog"
- ]
- },
- {
- "connectorId": "PaloAltoNetworksAma",
- "dataTypes": [
- "CommonSecurityLog"
- ]
- },
{
"connectorId": "CefAma",
"dataTypes": [
@@ -1408,18 +676,6 @@
"triggerThreshold": 0,
"status": "Available",
"requiredDataConnectors": [
- {
- "connectorId": "PaloAltoNetworks",
- "dataTypes": [
- "CommonSecurityLog"
- ]
- },
- {
- "connectorId": "PaloAltoNetworksAma",
- "dataTypes": [
- "CommonSecurityLog"
- ]
- },
{
"connectorId": "CefAma",
"dataTypes": [
@@ -1574,18 +830,6 @@
"triggerThreshold": 0,
"status": "Available",
"requiredDataConnectors": [
- {
- "connectorId": "PaloAltoNetworks",
- "dataTypes": [
- "CommonSecurityLog"
- ]
- },
- {
- "connectorId": "PaloAltoNetworksAma",
- "dataTypes": [
- "CommonSecurityLog"
- ]
- },
{
"connectorId": "CefAma",
"dataTypes": [
@@ -1709,18 +953,6 @@
"triggerThreshold": 0,
"status": "Available",
"requiredDataConnectors": [
- {
- "connectorId": "PaloAltoNetworks",
- "dataTypes": [
- "CommonSecurityLog"
- ]
- },
- {
- "connectorId": "PaloAltoNetworksAma",
- "dataTypes": [
- "CommonSecurityLog"
- ]
- },
{
"connectorId": "CefAma",
"dataTypes": [
@@ -9933,7 +9165,7 @@
"contentSchemaVersion": "3.0.0",
"displayName": "PaloAlto-PAN-OS",
"publisherDisplayName": "Microsoft Sentinel, Microsoft Corporation",
- "descriptionHtml": "Note: Please refer to the following before installing the solution:
\n• Review the solution Release Notes
\n• There may be known issues pertaining to this Solution, please refer to them before installing.
\nThe Palo Alto Networks (Firewall) Solution for Microsoft Sentinel allows you to easily connect your Palo Alto Networks Firewall logs with Microsoft Sentinel, to view dashboards, create custom alerts, and improve investigation. This gives you more insight into your organization's network and improves your security operation capabilities. This solution also contains playbooks to help in automated remediation.
\nThis solution is dependent on the Common Event Format solution containing the CEF via AMA connector to collect the logs. The CEF solution will be installed as part of this solution installation.
\nNOTE: Microsoft recommends installation of CEF via AMA Connector. The existing connectors are about to be deprecated by Aug 31, 2024.
\nData Connectors: 2, Workbooks: 2, Analytic Rules: 4, Hunting Queries: 2, Custom Azure Logic Apps Connectors: 2, Playbooks: 7
\nLearn more about Microsoft Sentinel | Learn more about Solutions
\n", + "descriptionHtml": "Note: Please refer to the following before installing the solution:
\n• Review the solution Release Notes
\n• There may be known issues pertaining to this Solution, please refer to them before installing.
\nThe Palo Alto Networks (Firewall) Solution for Microsoft Sentinel allows you to easily connect your Palo Alto Networks Firewall logs with Microsoft Sentinel, to view dashboards, create custom alerts, and improve investigation. This gives you more insight into your organization's network and improves your security operation capabilities. This solution also contains playbooks to help in automated remediation.
\nThis solution is dependent on the Common Event Format solution containing the CEF via AMA connector to collect the logs. The CEF solution will be installed as part of this solution installation.
\nNOTE: Microsoft recommends installation of CEF via AMA Connector. The existing connectors are about to be deprecated by Aug 31, 2024.
\nData Connector: 1Workbooks: 2, Analytic Rules: 4, Hunting Queries: 2, Custom Azure Logic Apps Connectors: 2, Playbooks: 7
\nLearn more about Microsoft Sentinel | Learn more about Solutions
\n", "contentKind": "Solution", "contentProductId": "[variables('_solutioncontentProductId')]", "id": "[variables('_solutioncontentProductId')]", @@ -9957,16 +9189,6 @@ }, "dependencies": { "criteria": [ - { - "kind": "DataConnector", - "contentId": "[variables('_dataConnectorContentId1')]", - "version": "[variables('dataConnectorVersion1')]" - }, - { - "kind": "DataConnector", - "contentId": "[variables('_dataConnectorContentId2')]", - "version": "[variables('dataConnectorVersion2')]" - }, { "kind": "HuntingQuery", "contentId": "[variables('huntingQueryObject1')._huntingQuerycontentId1]", diff --git a/Solutions/PaloAlto-PAN-OS/ReleaseNotes.md b/Solutions/PaloAlto-PAN-OS/ReleaseNotes.md index 0c0d5eef8f2..ddaabecabd5 100644 --- a/Solutions/PaloAlto-PAN-OS/ReleaseNotes.md +++ b/Solutions/PaloAlto-PAN-OS/ReleaseNotes.md @@ -1,6 +1,7 @@ | **Version** | **Date Modified (DD-MM-YYYY)** | **Change History** | |-------------|--------------------------------|--------------------------------------------------------------------| -| 3.0.7 | 08-01-2024 | Updated **Analytic Rule** for entity mappings | +| 3.0.7 | 11-11-2024 | Removed Deprecated **Data Connector** | +| | | Updated **Analytic Rule** for entity mappings | | 3.0.6 | 12-07-2024 | Deprecated **Data Connector** | | 3.0.5 | 30-04-2024 | Updated the **Data Connector** to fix conectivity criteria query | | 3.0.4 | 16-04-2024 | Fixed existing rule for sites with private IP addresses other than 10/8 | diff --git a/Solutions/PaloAlto-PAN-OS/data/Solution_PaloAlto-PAN-OS.json b/Solutions/PaloAlto-PAN-OS/data/Solution_PaloAlto-PAN-OS.json index 93a2778e1f6..fb561bd5ac9 100644 --- a/Solutions/PaloAlto-PAN-OS/data/Solution_PaloAlto-PAN-OS.json +++ b/Solutions/PaloAlto-PAN-OS/data/Solution_PaloAlto-PAN-OS.json @@ -3,10 +3,6 @@ "Author": "Microsoft - support@microsoft.com", "Logo": "",
"Description": "The [Palo Alto Networks (Firewall)](https://www.paloaltonetworks.com/network-security/next-generation-firewall) Solution for Microsoft Sentinel allows you to easily connect your Palo Alto Networks Firewall logs with Microsoft Sentinel, to view dashboards, create custom alerts, and improve investigation. This gives you more insight into your organization's network and improves your security operation capabilities. This solution also contains playbooks to help in automated remediation.\n\nThis solution is dependent on the Common Event Format solution containing the CEF via AMA connector to collect the logs. The CEF solution will be installed as part of this solution installation.\n\n**NOTE:** Microsoft recommends installation of CEF via AMA Connector. The existing connectors are about to be deprecated by **Aug 31, 2024**.",
- "Data Connectors": [
- "Solutions/PaloAlto-PAN-OS/Data Connectors/PaloAltoNetworks.json",
- "Solutions/PaloAlto-PAN-OS/Data Connectors/template_PaloAltoNetworksAMA.json"
- ],
"Hunting Queries": [
"Solutions/PaloAlto-PAN-OS/Hunting Queries/PaloAlto-HighRiskPorts.yaml",
"Solutions/PaloAlto-PAN-OS/Hunting Queries/Palo Alto - potential beaconing detected.yaml"
diff --git a/Tools/Create-Azure-Sentinel-Solution/V2/WorkbookMetadata/WorkbooksMetadata.json b/Tools/Create-Azure-Sentinel-Solution/V2/WorkbookMetadata/WorkbooksMetadata.json
index 44fdc2a3243..8da138881c4 100644
--- a/Tools/Create-Azure-Sentinel-Solution/V2/WorkbookMetadata/WorkbooksMetadata.json
+++ b/Tools/Create-Azure-Sentinel-Solution/V2/WorkbookMetadata/WorkbooksMetadata.json
@@ -175,8 +175,7 @@
"CommonSecurityLog"
],
"dataConnectorsDependencies": [
- "PaloAltoNetworks",
- "PaloAltoNetworksAma"
+ "CefAma"
],
"previewImagesFileNames": [
"PaloAltoOverviewWhite1.png",
@@ -200,8 +199,7 @@
"CommonSecurityLog"
],
"dataConnectorsDependencies": [
- "PaloAltoNetworks",
- "PaloAltoNetworksAma"
+ "CefAma"
],
"previewImagesFileNames": [
"PaloAltoNetworkThreatWhite1.png",
@@ -4565,8 +4563,6 @@
"Zscaler",
"ZscalerAma",
"MicrosoftSysmonForLinux",
- "PaloAltoNetworks",
- "PaloAltoNetworksAma",
"AzureMonitor(VMInsights)",
"AzureFirewall",
"AzureNSG",
@@ -4576,7 +4572,8 @@
"CheckPoint",
"Fortinet",
"CiscoMeraki",
- "FortinetAma"
+ "FortinetAma",
+ "CefAma"
],
"previewImagesFileNames": [],
"version": "1.0.0",
diff --git a/Workbooks/WorkbooksMetadata.json b/Workbooks/WorkbooksMetadata.json
index ce5f3585878..1b19b95e381 100644
--- a/Workbooks/WorkbooksMetadata.json
+++ b/Workbooks/WorkbooksMetadata.json
@@ -282,7 +282,6 @@
"CommonSecurityLog"
],
"dataConnectorsDependencies": [
- "PaloAltoNetworks",
"CefAma"
],
"previewImagesFileNames": [
@@ -307,7 +306,6 @@
"CommonSecurityLog"
],
"dataConnectorsDependencies": [
- "PaloAltoNetworks",
"CefAma"
],
"previewImagesFileNames": [
@@ -5517,7 +5515,6 @@
"WindowsForwardedEvents",
"Zscaler",
"MicrosoftSysmonForLinux",
- "PaloAltoNetworks",
"AzureMonitor(VMInsights)",
"AzureFirewall",
"AzureNSG",