Merge pull request Azure#11911 from Azure/Summary-rules-examples

Summary rules examples

Author: v-atulyadav

Summary rules/DNS/ZscalarDNSEventsIPSummary.yaml

@@ -0,0 +1,27 @@
+id: 260f16fc-4734-4635-babd-ba3c860f328b
+displayName: Zscaler Internet Access DNS events IP Summary
+description: |
+  'This summary rule aggregates DNS events from Zscaler Internet Access devices, providing hourly insights into event count by event result details, dns query, source username, source and destination IP addresses .'
+requiredDataConnectors:
+  - connectorId: CefAma
+    dataTypes:
+      - CommonSecurityLog
+destinationTable: ZscalerDNSEventsSummary_CL
+query: |
+  CommonSecurityLog
+  | where DeviceVendor == "Zscaler"
+  | where DeviceProduct == "NSSDNSlog"
+  | extend DeviceCustomString6 = iff (DeviceCustomString6 matches regex @'^([A-Z_]+)$', DeviceCustomString6, 'NOERROR')
+  // You can customize the summary table by adding or removing fields based on your requirement.
+  | summarize Count = count() by SourceIP, SourceUserName, DestinationIP, DnsQuery=DeviceCustomString5, EventResultDetails=DeviceCustomString6, bin(TimeGenerated,1h)
+binSize: 60
+version: 1.0.0
+metadata:
+    source:
+        kind: Community
+    author:
+        name: Microsoft
+    support:
+        tier: Community
+    categories:
+        domains: [ "Security - DNS" ]

Summary rules/Network/FortinetFortigateNetworkSessionIPSummary.yaml

@@ -0,0 +1,27 @@
+id: 3fdb3c31-d528-4b94-8268-918838cdaee8
+displayName: Fortinet Fortigate NetworkSession IP Summary
+description: |
+  'This summary rule aggregates network session logs from Fortinet Fortigate devices, providing hourly insights into session count, data sent and data received by device actions, destination port, protocol, source and destination IP addresses.'
+requiredDataConnectors:
+  - connectorId: CefAma
+    dataTypes:
+      - CommonSecurityLog
+destinationTable: FortinetFortigateNetworkSessionSummary_CL
+query: |
+  CommonSecurityLog
+  | where DeviceVendor == "Fortinet"
+    and DeviceProduct startswith "FortiGate" 
+    and (column_ifexists("DeviceEventCategory","") has "traffic"  or AdditionalExtensions has "cat=traffic")
+  // You can customize the summary table by adding or removing fields based on your requirement.
+  | summarize Count = count(), SentBytes = sum(SentBytes), ReceivedBytes = sum(ReceivedBytes) by SourceIP, DestinationIP, DestinationPort, DeviceAction, Protocol, bin(TimeGenerated,1h)
+binSize: 60
+version: 1.0.0
+metadata:
+    source:
+        kind: Community
+    author:
+        name: Microsoft
+    support:
+        tier: Community
+    categories:
+        domains: [ "Security - Network" ]

Summary rules/Network/PaloAltoPANOSNetworkSessionIPSummary.yaml

@@ -0,0 +1,25 @@
+id: 29e6b3fb-5942-4a1a-95da-2c0821863e90
+displayName: Palo Alto PAN-OS NetworkSession IPSummary
+description: |
+  'This summary rule aggregates network session logs from Palo Alto PAN-OS devices, providing hourly insights into session count, data sent, data received by device actions, destination port, source and destination IP addresses.'
+requiredDataConnectors:
+  - connectorId: CefAma
+    dataTypes:
+      - CommonSecurityLog
+destinationTable: PaloAltoPANOSNetworkSessionSummary_CL
+query: |
+  CommonSecurityLog
+  | where DeviceVendor == "Palo Alto Networks" and DeviceProduct == "PAN-OS" and Activity == "TRAFFIC"
+  // You can customize the summary table by adding or removing fields based on your requirement.
+  | summarize Count = count(), SentBytes=sum(SentBytes), ReceivedBytes=sum(ReceivedBytes) by SourceIP, DestinationIP, DestinationPort, DeviceAction, bin(TimeGenerated,1h)
+binSize: 60
+version: 1.0.0
+metadata:
+    source:
+        kind: Community
+    author:
+        name: Microsoft
+    support:
+        tier: Community
+    categories:
+        domains: [ "Security - Network" ]

Summary rules/Network/ZscalarNetworkSessionIPSummary.yaml

@@ -0,0 +1,26 @@
+id: 6457ab65-69ea-4444-981d-1ecaf414fda7
+displayName: Zscaler Internet Access NetworkSession IP Summary
+description: |
+  'This summary rule aggregates network session logs from Zscaler Internet Access devices, providing hourly insights into session count, data sent, data received by device actions, destination port, protocol, source and destination IP addresses.'
+requiredDataConnectors:
+  - connectorId: CefAma
+    dataTypes:
+      - CommonSecurityLog
+destinationTable: ZscalerNetworkSessionSummary_CL
+query: |
+  CommonSecurityLog
+  | where DeviceVendor == "Zscaler"
+  | where DeviceProduct == "NSSFWlog"
+  // You can customize the summary table by adding or removing fields based on your requirement.
+  | summarize Count = count(), SentBytes = sum(SentBytes), ReceivedBytes = sum(ReceivedBytes) by SourceIP, DestinationIP, DestinationPort, DeviceAction, Protocol, bin(TimeGenerated,1h)
+binSize: 60
+version: 1.0.0
+metadata:
+    source:
+        kind: Community
+    author:
+        name: Microsoft
+    support:
+        tier: Community
+    categories:
+        domains: [ "Security - Network" ]

Summary rules/WebSession/FortinetFortigateWebSessionIPSummary.yaml

@@ -0,0 +1,27 @@
+id: 9862489b-230a-4b70-b45a-8a2771360a86
+displayName: Fortinet Fortigate WebSession IP Summary
+description: |
+  'This summary rule aggregates web session logs from Fortinet Fortigate devices, providing hourly insights into session count, data sent and data received by device actions, destination hostname, source and destination IP addresses.'
+requiredDataConnectors:
+  - connectorId: CefAma
+    dataTypes:
+      - CommonSecurityLog
+destinationTable: FortinetFortigateWebSessionSummary_CL
+query: |
+  CommonSecurityLog
+  | where DeviceVendor  == "Fortinet"
+          and DeviceProduct startswith "Fortigate"
+          and Activity has_all ('webfilter', 'utm')
+  // You can customize the summary table by adding or removing fields based on your requirement.
+  | summarize Count = count(), SentBytes = sum(SentBytes), ReceivedBytes = sum(ReceivedBytes) by SourceIP, DestinationIP, DestinationPort, DestinationHostName, DeviceAction, bin(TimeGenerated,1h)
+binSize: 60
+version: 1.0.0
+metadata:
+    source:
+        kind: Community
+    author:
+        name: Microsoft
+    support:
+        tier: Community
+    categories:
+        domains: [ "Security - Network" ]

Summary rules/WebSession/PaloAltoPANOSWebSessionIPSummary.yaml

@@ -0,0 +1,28 @@
+id: 1ccf0f4e-4f5d-4a46-819b-5ba857394f2a
+displayName: Palo Alto PAN-OS WebSession IPSummary
+description: |
+  'This summary rule aggregates web session logs from Palo Alto PAN-OS devices, providing hourly insights into session count, data sent, data received by device actions, sourceUserName, destination hostname, source and destination IP addresses.'
+requiredDataConnectors:
+  - connectorId: CefAma
+    dataTypes:
+      - CommonSecurityLog
+destinationTable: PaloAltoPANOSWebSessionSummary_CL
+query: |
+  CommonSecurityLog
+  | where DeviceVendor == "Palo Alto Networks"
+            and DeviceProduct == "PAN-OS"
+            and Activity == "THREAT"
+            and DeviceEventClassID == "url"
+  // You can customize the summary table by adding or removing fields based on your requirement.
+  | summarize Count = count(), SentBytes = sum(SentBytes), ReceivedBytes = sum(ReceivedBytes) by SourceIP, SourceUserName, DestinationIP, DestinationHostName, DeviceAction, bin(TimeGenerated,1h)
+binSize: 60
+version: 1.0.0
+metadata:
+    source:
+        kind: Community
+    author:
+        name: Microsoft
+    support:
+        tier: Community
+    categories:
+        domains: [ "Security - Network" ]

Summary rules/WebSession/ZscalarWebSessionIPSummary.yaml

@@ -0,0 +1,26 @@
+id: b45e1d40-58c0-4f6c-83f0-1019c9237cb4
+displayName: Zscaler Internet Access WebSession IP Summary
+description: |
+  'This summary rule aggregates web session logs from Zscaler Internet Access devices, providing hourly insights into session count, data sent and data received by device action, destination hostname, source and destination IP addresses .'
+requiredDataConnectors:
+  - connectorId: CefAma
+    dataTypes:
+      - CommonSecurityLog
+destinationTable: ZscalerWebSessionSummary_CL
+query: |
+  CommonSecurityLog
+  | where DeviceVendor == "Zscaler"
+  | where DeviceProduct == "NSSWeblog"
+  // You can customize the summary table by adding or removing fields based on your requirement.
+  | summarize Count = count(), SentBytes = sum(SentBytes), ReceivedBytes = sum(ReceivedBytes) by SourceIP, DestinationIP, DestinationHostName, DeviceAction, bin(TimeGenerated,1h)
+binSize: 60
+version: 1.0.0
+metadata:
+    source:
+        kind: Community
+    author:
+        name: Microsoft
+    support:
+        tier: Community
+    categories:
+        domains: [ "Security - Network" ]