Palo Alto Threat signatures from Unusual IP addresses

Browse: 🏠 · Solutions · Connectors · Methods · Tables · Content · Parsers · ASIM Parsers · ASIM Products · 📊

↑ Back to Content Index

---

Identifies Palo Alto Threat signatures from unusual IP addresses which are not historically seen. This detection is also leveraged and required for MDE and PAN Fusion scenario https://docs.microsoft.com/Azure/sentinel/fusion-scenario-reference#network-request-to-tor-anonymization-service-followed-by-anomalous-traffic-flagged-by-palo-alto-networks-firewall

Attribute	Value
Type	Analytic Rule
Solution	PaloAlto-PAN-OS
ID	89a86f70-615f-4a79-9621-6f68c50f365f
Severity	Medium
Status	Available
Kind	Scheduled
Tactics	Discovery, Exfiltration, CommandAndControl
Techniques	T1046, T1030, T1071.001
Required Connectors	CefAma
Source	View on GitHub

Tables Used

This content item queries data from the following tables:

Table	Selection Criteria	Transformations	Ingestion API	Lake-Only
CommonSecurityLog	DeviceEventClassID in "file,flood,packet,scan,spyware,virus,vulnerability,wildfire,wildfire-virus" DeviceVendor == "Palo Alto Networks"	✓	✓	?
fluentbit_CL 🔶		?	✓	?

---

Browse: 🏠 · Solutions · Connectors · Methods · Tables · Content · Parsers · ASIM Parsers · ASIM Products · 📊

↑ Back to Analytic Rules · Back to PaloAlto-PAN-OS