Solution: PaloAlto-PAN-OS

| Attribute | Value |
|---|---|
| Publisher | Microsoft Corporation |
| Support Tier | Microsoft |
| Support Link | https://support.microsoft.com |
| Categories | domains |
| Version | 3.0.9 |
| Author | Microsoft - support@microsoft.com |
| First Published | 2021-08-09 |
| Last Updated | 2026-01-14 |
| Solution Folder | PaloAlto-PAN-OS |
| Marketplace | Azure Marketplace · Popularity: 🟢 High (91%) |
| Pre-requisites | Common Event Format |
The Palo Alto Networks (Firewall) Solution for Microsoft Sentinel allows you to easily connect your Palo Alto Networks Firewall logs with Microsoft Sentinel, to view dashboards, create custom alerts, and improve investigation. This gives you more insight into your organization's network and improves your security operation capabilities. This solution also contains playbooks to help in automated remediation.
This solution is dependent on the Common Event Format solution containing the CEF via AMA connector to collect the logs. The CEF solution will be installed as part of this solution installation.
NOTE: Microsoft recommends installing the CEF via AMA connector. The existing connectors were deprecated on Aug 31, 2024.
This solution depends on 1 other solution(s):
| Solution |
|---|
| Common Event Format |
This solution has 2 discovered data connector(s) ⚠️ (not in Solution definition).
Connectors from dependency solutions:
🔍 Discovered: this item was found by scanning the solution folder but is not listed in the Solution JSON file.
This solution uses 1 table(s):
| Table | Used By Connectors | Used By Content |
|---|---|---|
| CommonSecurityLog | Common Event Format (CEF) (dependency), Common Event Format (CEF) via AMA (dependency), [Deprecated] Palo Alto Networks (Firewall) via AMA, [Deprecated] Palo Alto Networks (Firewall) via Legacy Agent | Analytics, Hunting, Workbooks |
This solution includes 16 content item(s):
| Content Type | Count |
|---|---|
| Playbooks | 7 |
| Analytic Rules | 5 |
| Hunting Queries | 2 |
| Workbooks | 2 |
Analytic Rules:
| Name | Severity | Tactics | Tables Used |
|---|---|---|---|
| Microsoft COVID-19 file hash indicator matches | Medium | Execution | CommonSecurityLog |
| Palo Alto - possible internal to external port scanning | Low | Discovery | CommonSecurityLog, fluentbit_CL |
| Palo Alto - possible nmap scan on with top 100 option | Medium | Reconnaissance | CommonSecurityLog |
| Palo Alto - potential beaconing detected | Low | CommandAndControl | CommonSecurityLog, fluentbit_CL |
| Palo Alto Threat signatures from Unusual IP addresses | Medium | Discovery, Exfiltration, CommandAndControl | CommonSecurityLog, fluentbit_CL |
Hunting Queries:
| Name | Tactics | Tables Used |
|---|---|---|
| Palo Alto - high-risk ports | InitialAccess, Discovery | CommonSecurityLog, fluentbit_CL |
| Palo Alto - potential beaconing detected | CommandAndControl | CommonSecurityLog, fluentbit_CL |
Workbooks:
| Name | Tables Used |
|---|---|
| PaloAltoNetworkThreat | CommonSecurityLog |
| PaloAltoOverview | CommonSecurityLog |
Playbooks:
| Name | Description | Tables Used |
|---|---|---|
| Block IP - Palo Alto PAN-OS - Entity trigger | This playbook interacts with relevant stakeholders, such as the incident response team, to approve blocking... | - |
| Get System Info - Palo Alto PAN-OS XML API | This playbook allows us to get System Info of a Palo Alto device for a Microsoft Sentinel alert. | - |
| Get Threat PCAP - Palo Alto PAN-OS XML API | This playbook allows us to get a threat PCAP for a given PCAP ID. | - |
| PaloAlto-PAN-OS-BlockIP | This playbook allows blocking/unblocking IPs in PaloAlto, using Address Object Groups. This allo... | - |
| PaloAlto-PAN-OS-BlockURL | This playbook allows blocking/unblocking URLs in PaloAlto, using a predefined address group. This ... | - |
| PaloAlto-PAN-OS-BlockURL-EntityTrigger | This playbook allows blocking/unblocking URLs in PaloAlto, using a predefined address group. This ... | - |
| PaloAlto-PAN-OS-GetURLCategoryInfo | When a new Sentinel incident is created, this playbook gets triggered and performs the below actions: | - |
Change History:
| Version | Date Modified (DD-MM-YYYY) | Change History |
|---|---|---|
| 3.0.11 | 13-01-2026 | Updated non-functional link from PaloAlto-NetworkBeaconing Analytic rule |
| 3.0.10 | 13-11-2025 | Adding New Detection Rule for Nmap Top 100 Port Scan |
| 3.0.9 | 06-01-2025 | Removing Custom Entity mappings from Analytic Rule |
| 3.0.8 | 15-11-2024 | Corrected Data Connector count in CreateUiDefinition |
| 3.0.7 | 11-11-2024 | Removed Deprecated Data Connector; Updated Analytic Rule for entity mappings |
| 3.0.6 | 12-07-2024 | Deprecated Data Connector |
| 3.0.5 | 30-04-2024 | Updated the Data Connector to fix connectivity criteria query |
| 3.0.4 | 16-04-2024 | Fixed existing rule for sites with private IP addresses other than 10/8 |
| 3.0.3 | 11-04-2024 | Enhanced the existing Workbook as per requirement |
| 3.0.2 | 12-02-2024 | Addition of new PaloAlto-PAN-OS AMA Data Connector |
| 3.0.1 | 22-01-2024 | Added subTechniques in Template |
| 3.0.0 | 12-12-2023 | Fixed Playbooks issue |