Palo Alto Networks Cortex Data Lake Solution

Solution: PaloAltoCDL



Attribute | Value
Publisher | Microsoft Corporation
Support Tier | Microsoft
Support Link | https://support.microsoft.com
Categories | domains
Version | 3.0.3
Author | Microsoft - support@microsoft.com
First Published | 2021-10-23
Solution Folder | PaloAltoCDL
Marketplace | Azure Marketplace · Popularity: 🔵 Medium (79%)
Pre-requisites | Common Event Format

The Palo Alto Networks CDL solution provides the capability to ingest CDL logs into Microsoft Sentinel.

This solution depends on the Common Event Format solution, which contains the CEF via AMA connector used to collect the logs. The CEF solution is installed as part of this solution's installation.

NOTE: Microsoft recommends installing the CEF via AMA connector. The existing connectors are scheduled for deprecation by Aug 31, 2024.


Pre-requisites

This solution depends on 1 other solution(s):

Solution
Common Event Format

Data Connectors

This solution has 2 discovered data connector(s)⚠️ (not in Solution definition):

Connector
[Deprecated] Palo Alto Networks Cortex Data Lake (CDL) via AMA
[Deprecated] Palo Alto Networks Cortex Data Lake (CDL) via Legacy Agent

Connectors from dependency solutions:

Connector
Common Event Format (CEF) (dependency)
Common Event Format (CEF) via AMA (dependency)

🔍 Discovered: This item was discovered by scanning the solution folder but is not listed in the Solution JSON file.

Tables Used

This solution uses 1 table(s):

Table | Used By Connectors | Used By Content
CommonSecurityLog | Common Event Format (CEF) (dependency); Common Event Format (CEF) via AMA (dependency); [Deprecated] Palo Alto Networks Cortex Data Lake (CDL) via AMA; [Deprecated] Palo Alto Networks Cortex Data Lake (CDL) via Legacy Agent | Analytics, Hunting, Workbooks

Content Items

This solution includes 22 content item(s):

Content Type | Count
Analytic Rules | 10
Hunting Queries | 10
Workbooks | 1
Parsers | 1

Analytic Rules

Name | Severity | Tactics | Tables Used
PaloAlto - Dropping or denying session with traffic | Medium | InitialAccess | CommonSecurityLog
PaloAlto - File type changed | Medium | InitialAccess | CommonSecurityLog
PaloAlto - Forbidden countries | Medium | InitialAccess | CommonSecurityLog
PaloAlto - Inbound connection to high risk ports | Medium | InitialAccess | CommonSecurityLog
PaloAlto - MAC address conflict | Low | InitialAccess | CommonSecurityLog
PaloAlto - Possible attack without response | High | InitialAccess | CommonSecurityLog
PaloAlto - Possible flooding | Medium | InitialAccess | CommonSecurityLog
PaloAlto - Possible port scan | High | Reconnaissance | CommonSecurityLog
PaloAlto - Put and post method request in high risk file type | High | InitialAccess | CommonSecurityLog
PaloAlto - User privileges was changed | Medium | InitialAccess | CommonSecurityLog

Hunting Queries

Name | Tactics | Tables Used
PaloAlto - Agent versions | InitialAccess | CommonSecurityLog
PaloAlto - Critical event result | InitialAccess | CommonSecurityLog
PaloAlto - Destination ports by IPs | InitialAccess | CommonSecurityLog
PaloAlto - File permission with PUT or POST request | InitialAccess | CommonSecurityLog
PaloAlto - Incomplete application protocol | InitialAccess | CommonSecurityLog
PaloAlto - Multiple Deny result by user | InitialAccess | CommonSecurityLog
PaloAlto - Outdated config vesions | InitialAccess | CommonSecurityLog
PaloAlto - Rare application layer protocols | InitialAccess | CommonSecurityLog
PaloAlto - Rare files observed | InitialAccess | CommonSecurityLog
PaloAlto - Rare ports by user | InitialAccess | CommonSecurityLog

Workbooks

Name | Tables Used
PaloAltoCDL | CommonSecurityLog

Parsers

Name | Description | Tables Used
PaloAltoCDLEvent | - | CommonSecurityLog (read)
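The pipeline this page describes (CDL logs forwarded as CEF, split into CommonSecurityLog columns by the CEF connector, narrowed to CDL rows by the PaloAltoCDLEvent parser, then queried by the analytic rules listed above) can be modelled end to end. The Python below is an added example written for this page; it is not code from the PaloAltoCDL solution, from Microsoft Sentinel, or from Palo Alto Networks. The CEF-key-to-column mapping, the vendor/product filter ("Palo Alto Networks"/"LF"), the internal network ranges, the high-risk port list, the port-scan threshold and the sample log lines are all assumptions constructed for the example, and the two detections are simplified analogues of the "Inbound connection to high risk ports" and "Possible port scan" rules, not their KQL.

```python
import ipaddress
import re
from collections import defaultdict

# CEF header fields, in order, and the CommonSecurityLog columns they land in.
HEADER_COLUMNS = ("DeviceVendor", "DeviceProduct", "DeviceVersion",
                  "DeviceEventClassID", "Activity", "LogSeverity")
# CEF extension keys used by the sample -> CommonSecurityLog columns (assumed
# mapping for this example; unmapped keys are kept under their CEF name).
EXTENSION_COLUMNS = {"rt": "ReceiptTime", "src": "SourceIP", "dst": "DestinationIP",
                     "spt": "SourcePort", "dpt": "DestinationPort", "proto": "Protocol",
                     "act": "DeviceAction", "app": "ApplicationProtocol"}
# Assumption: the CDL log forwarder identifies itself as vendor
# "Palo Alto Networks", product "LF"; the parser stand-in keeps only those rows.
CDL_VENDOR, CDL_PRODUCT = "Palo Alto Networks", "LF"
# Assumption: the organisation's internal ranges (a real rule would take these
# from a watchlist or parameter rather than hard-coding them).
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
# Assumption: ports treated as high risk when reached from outside.
HIGH_RISK_PORTS = {21, 22, 23, 445, 1433, 3306, 3389, 5900}

_EXT_PAIR = re.compile(r"(\w+)=(.*?)(?=\s+\w+=|$)")  # key=value; values may hold spaces


def parse_cef(line):
    """Split one CEF line into a dict keyed by CommonSecurityLog column names."""
    body = line[line.index("CEF:") + 4:]
    # Seven pipe-separated header fields, then the extension; a pipe inside a
    # header field is escaped as "\|" and must not split.
    fields = re.split(r"(?<!\\)\|", body, maxsplit=7)
    if len(fields) != 8:
        raise ValueError("malformed CEF header: " + line)
    row = {"CefVersion": fields[0], **dict(zip(HEADER_COLUMNS, fields[1:7]))}
    for key, value in _EXT_PAIR.findall(fields[7]):
        row[EXTENSION_COLUMNS.get(key, key)] = value
    return row


def paloalto_cdl_events(rows):
    """Stand-in for the PaloAltoCDLEvent parser: keep only CDL rows."""
    return [r for r in rows
            if r["DeviceVendor"] == CDL_VENDOR and r["DeviceProduct"] == CDL_PRODUCT]


def _internal(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def inbound_high_risk_ports(events):
    """Allowed TRAFFIC sessions from an external source to an internal host on
    a high-risk port: the idea behind "Inbound connection to high risk ports"."""
    hits = []
    for e in events:
        if e["DeviceEventClassID"] != "TRAFFIC" or e.get("DeviceAction") != "allow":
            continue
        if _internal(e["SourceIP"]) or not _internal(e["DestinationIP"]):
            continue  # internal-to-internal or outbound: not an inbound session
        port = int(e["DestinationPort"])
        if port in HIGH_RISK_PORTS:
            hits.append((e["SourceIP"], e["DestinationIP"], port))
    return hits


def possible_port_scan(events, min_ports=5):
    """Source/destination pairs with at least min_ports distinct destination
    ports, whatever the action: the idea behind "Possible port scan"."""
    seen = defaultdict(set)
    for e in events:
        if e["DeviceEventClassID"] == "TRAFFIC" and "DestinationPort" in e:
            seen[(e["SourceIP"], e["DestinationIP"])].add(int(e["DestinationPort"]))
    return {pair: sorted(p) for pair, p in seen.items() if len(p) >= min_ports}


# Constructed sample lines (not real CDL output). An external host probes
# 10.0.0.5 on five high-risk ports (denied) and is then allowed to reach RDP;
# an internal SMB session and an outbound HTTPS session must not fire; the
# last line is a non-CDL (PAN-OS) row the parser filter has to drop.
SAMPLE_LINES = [
    *(f"CEF:0|Palo Alto Networks|LF|2.0|TRAFFIC|drop|3|rt=Jan 05 2024 10:00:0{i} "
      f"src=203.0.113.7 dst=10.0.0.5 spt=5151{i} dpt={p} proto=tcp act=deny app=unknown-tcp"
      for i, p in enumerate((22, 23, 445, 1433, 3306))),
    "CEF:0|Palo Alto Networks|LF|2.0|TRAFFIC|end|3|rt=Jan 05 2024 10:00:09 "
    "src=203.0.113.7 dst=10.0.0.5 spt=51520 dpt=3389 proto=tcp act=allow app=ms-rdp",
    "CEF:0|Palo Alto Networks|LF|2.0|TRAFFIC|end|3|rt=Jan 05 2024 10:01:00 "
    "src=10.0.0.8 dst=10.0.0.5 spt=40000 dpt=445 proto=tcp act=allow app=ms-ds-smb",
    "CEF:0|Palo Alto Networks|LF|2.0|TRAFFIC|end|3|rt=Jan 05 2024 10:01:30 "
    "src=10.0.0.5 dst=198.51.100.2 spt=40001 dpt=443 proto=tcp act=allow app=ssl",
    "CEF:0|Palo Alto Networks|PAN-OS|10.2|THREAT|vulnerability|5|rt=Jan 05 2024 10:02:00 "
    "src=203.0.113.7 dst=10.0.0.5 spt=51521 dpt=3389 proto=tcp act=alert app=ms-rdp",
]


def run(lines=SAMPLE_LINES):
    """Parse, filter like the parser, then apply both detections."""
    events = paloalto_cdl_events(parse_cef(l) for l in lines)
    return {"cdl_rows": len(events),
            "high_risk_inbound": inbound_high_risk_ports(events),
            "port_scans": possible_port_scan(events)}


if __name__ == "__main__":
    for name, result in run().items():
        print(name, result)
```

Running the file prints the row count after the parser filter (the PAN-OS row is dropped), the single allowed RDP session from outside, and the one source/destination pair that touched six distinct ports. In Sentinel the same logic is written in KQL over CommonSecurityLog after the parser's vendor/product filter, and production rules scope the port count to a time window (summarize by bin(TimeGenerated, ...)) rather than to the whole dataset as this example does.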

Release Notes

Version | Date Modified (DD-MM-YYYY) | Change History
3.0.3 | 12-11-2024 | Removed Deprecated Data Connector
3.0.2 | 12-07-2024 | Deprecated Data Connector
3.0.1 | 12-06-2024 | Optimized parser
3.0.0 | 25-09-2023 | Addition of new PaloAltoCDL AMA Data Connector
