diff --git a/palo_alto_cortex_xdr/README.md b/palo_alto_cortex_xdr/README.md 
index ef767ea24ce44..1adb712d95857 100644 
--- a/palo_alto_cortex_xdr/README.md 
+++ b/palo_alto_cortex_xdr/README.md 
@@ -1,42 +1,75 @@ 
-# Agent Check: palo_alto_cortex_xdr 
+# Palo Alto Cortex XDR Integration For Datadog
 ## Overview 
-This check monitors [Palo Alto Cortex XDR][1]. 
+[Palo Alto Cortex XDR][1] is a comprehensive detection and response platform that provides advanced threat protection across endpoints, networks, and cloud environments. It integrates endpoint protection, network security, and analytics to offer real-time visibility and response capabilities and combat sophisticated cyber threats effectively. 
-## Setup 
+This integration ingests the following logs: 
+ 
+- Incident 
+- Alert 
-### Installation 
+The Palo Alto Cortex XDR integration seamlessly collect the data of Palo Alto Cortex XDR logs using REST APIs. 
+Before ingesting the data, it normalizes and enriches the logs, ensuring a consistent data format and enhancing information content for downstream processing and analysis. The integration provides insights into incidents and alerts using out-of-the-box dashboards. 
-The Palo Alto Cortex XDR check is included in the [Datadog Agent][2] package. 
-No additional installation is needed on your server. 
+## Setup
 ### Configuration 
-1. List of steps to configure this integration 
+#### Get Credentials of Palo Alto Cortex XDR 
+ 
+#### Steps to create API key 
+ 
+1. Sign into your **Palo Alto Cortex XDR** instance. 
+2. Navigate to **Settings** > **Configurations** > **Integrations** > **API Keys**. 
+3. Click on **New Key**. 
+4. Choose the type of API key based on your desired security level, **Advanced** or **Standard**. 
+5. If you want to define a time limit on the API key authentication, check **Enable Expiration Date**, and then select the **expiration date and time**. Navigate to **Settings** > **Configurations** > **Integrations** > **API Keys** to track the **Expiration Time** setting for each API key. 
+6. Provide a comment that describes the purpose for the API key, if desired. 
+7. 
Select the desired level of access for this key from existing **Roles**, or you can select **Custom** to set the permissions granularly. 
+8. Click **Generate** to generate the API key. 
+9. Copy the API key, and then click **Done**. This value represents your unique **Authorization:{key}** 
+ 
+#### Steps to get Cortex XDR API Key ID 
+ 
+1. In the API Keys table, locate the ID field. 
+2. Note your corresponding ID number. This value represents the **x-xdr-auth-id:{key_id}** token. 
+ 
+#### Steps to get FQDN 
-### Validation 
+1. Right-click your API key and select **View Examples**. 
+2. Copy the **CURL Example** URL. The example contains your unique **FQDN**. 
-Steps to validate integration is functioning as expected 
+#### Palo Alto Cortex XDR DataDog Integration Configuration 
+ 
+Configure the Datadog endpoint to forward Palo Alto Cortex XDR logs to Datadog. 
+ 
+1. Navigate to `Palo Alto Cortex XDR`. 
+2. Add your Palo Alto Cortex XDR credentials. 
+ 
+| Palo Alto Cortex XDR Parameters | Description | 
+| ------------------------------- | ------------ | 
+| API key | The API key from Palo Alto Cortex XDR. | 
+| API Key ID | The auth id from Palo Alto Cortex XDR. | 
+| FQDN | The FQDN from Palo Alto Cortex XDR. It is the `baseUrl` part of `baseUrl/public_api/v1/{name of api}/{name of call}/` |
 ## Data Collected 
-### Metrics 
+### Logs 
-The Palo Alto Cortex XDR integration does not include any metrics. 
+The Palo Alto Cortex XDR integration collects and forwards Palo Alto Cortex XDR Incident and alert logs to Datadog. 
-### Service Checks 
+### Metrics 
-The Palo Alto Cortex XDR integration does not include any service checks. 
+The Palo Alto Cortex XDR integration does not include any metrics.
 ### Events
 The Palo Alto Cortex XDR integration does not include any events. 
-## Troubleshooting 
+## Support 
-Need help? Contact [Datadog support][3]. 
+For further assistance, contact [Datadog Support][2]. 
-[1]: **LINK_TO_INTEGRATION_SITE** 
-[2]: https://app.datadoghq.com/account/settings#agent 
-[3]: https://docs.datadoghq.com/help/ 
\ No newline at end of file 
+[1]: https://docs-cortex.paloaltonetworks.com/p/XDR 
+[2]: https://docs.datadoghq.com/help/ 
diff --git a/palo_alto_cortex_xdr/assets/dashboards/palo_alto_cortex_xdr_alerts.json b/palo_alto_cortex_xdr/assets/dashboards/palo_alto_cortex_xdr_alerts.json 
new file mode 100644 
index 0000000000000..54a86edc79b7d 
--- /dev/null 
+++ b/palo_alto_cortex_xdr/assets/dashboards/palo_alto_cortex_xdr_alerts.json 
@@ -0,0 +1,2341 @@ +{ + "title": "Palo Alto Cortex XDR - Alerts", + "description": "This dashboard provides information about the Alerts generated on Palo Alto Cortex XDR.", + "widgets": [ + { + "id": 5527090904543100, + "definition": { + "title": "", + "banner_img": "https://www.cisco.com/c/dam/assets/swa/img/anchor-info/cortex-primary-628x353.jpg", + "show_title": true, + "type": "group", + "layout_type": "ordered", + "widgets": [ + { + "id": 911775482073612, + "definition": { + "type": "note", + "content": "Gain better visibility into your organization's security events by monitoring Palo Alto Cortex XDR Alert logs with this dashboard. \n\nAn attack can affect multiple hosts or users and trigger various alert types from a single event. All artifacts, assets, and alerts from a threat event are gathered into an Incident.\nAlert logs play a critical role in identifying potential security threats in real-time. Alert logs capture and save all security alerts from various sources like computers, networks, and user activities. Each alert log includes important details like the type of alert, where it came from, when it happened, and how severe it is, alert type, source, timestamp, severity, description and many more. 
Alert logs are used to spot potential security threats as soon as they happen, helping to catch problems early.\n\nWith the help of Alert logs, organizations can monitor their security in real-time, respond quickly to threats, and keep a record of all security activities for future analysis and compliance.\n\nFor more information, see the [Palo Alto Cortex XDR Integration Documentation](https://docs.datadoghq.com/integrations/palo_alto_cortex_xdr).\n\n**Tips**\n- Use the timeframe selector in the top right of the dashboard to change the default timeframe.\n- Clone this dashboard to rearrange, modify and add widgets and visualizations.", + "background_color": "white", + "font_size": "14", + "text_align": "left", + "vertical_align": "top", + "show_tick": false, + "tick_pos": "50%", + "tick_edge": "left", + "has_padding": true + }, + "layout": { + "x": 0, + "y": 0, + "width": 6, + "height": 6 + } + } + ] + }, + "layout": { + "x": 0, + "y": 0, + "width": 6, + "height": 9 + } + }, + { + "id": 8694280567870332, + "definition": { + "title": "Alert Logs Overview", + "background_color": "vivid_blue", + "show_title": true, + "type": "group", + "layout_type": "ordered", + "widgets": [ + { + "id": 5543683964555832, + "definition": { + "title": "Severity Over Time", + "title_size": "16", + "title_align": "left", + "show_legend": true, + "legend_layout": "auto", + "legend_columns": [ + "avg", + "min", + "max", + "value", + "sum" + ], + "type": "timeseries", + "requests": [ + { + "formulas": [ + { + "formula": "query1" + } + ], + "queries": [ + { + "data_source": "logs", + "name": "query1", + "indexes": [ + "*" + ], + "compute": { + "aggregation": "count" + }, + "group_by": [ + { + "facet": "@severity", + "limit": 10, + "sort": { + "order": "desc", + "aggregation": "count" + } + } + ], + "search": { + "query": "service:alert source:palo-alto-cortex-xdr $Status $Starred $Type $Source $Action $Host-Name $User $Category" + }, + "storage": "hot" + } + ], + "response_format": 
"timeseries", + "style": { + "palette": "dog_classic", + "order_by": "values", + "line_type": "solid", + "line_width": "normal" + }, + "display_type": "area" + } + ] + }, + "layout": { + "x": 0, + "y": 0, + "width": 6, + "height": 4 + } + }, + { + "id": 4792819856660194, + "definition": { + "title": "Total Alerts", + "title_size": "16", + "title_align": "left", + "type": "query_value", + "requests": [ + { + "response_format": "scalar", + "queries": [ + { + "data_source": "logs", + "name": "query1", + "indexes": [ + "*" + ], + "compute": { + "aggregation": "count" + }, + "group_by": [], + "search": { + "query": "service:alert source:palo-alto-cortex-xdr $Status $Starred $Type $Source $Action $Host-Name $User $Category" + }, + "storage": "hot" + } + ], + "formulas": [ + { + "formula": "query1" + } + ], + "conditional_formats": [ + { + "comparator": ">", + "value": 0, + "palette": "black_on_light_green" + } + ] + } + ], + "autoscale": true, + "precision": 2 + }, + "layout": { + "x": 0, + "y": 4, + "width": 3, + "height": 4 + } + }, + { + "id": 3836032810138480, + "definition": { + "title": "Top 10 Host Details", + "title_size": "16", + "title_align": "left", + "type": "toplist", + "requests": [ + { + "queries": [ + { + "data_source": "logs", + "name": "query1", + "indexes": [ + "*" + ], + "compute": { + "aggregation": "count" + }, + "group_by": [ + { + "facet": "@network.client.ip", + "limit": 10, + "sort": { + "order": "desc", + "aggregation": "count" + } + }, + { + "facet": "@host_name", + "limit": 10, + "sort": { + "order": "desc", + "aggregation": "count" + } + } + ], + "search": { + "query": "service:alert source:palo-alto-cortex-xdr $Status $Starred $Type $Source $Action $Host-Name $User $Category" + }, + "storage": "hot" + } + ], + "response_format": "scalar", + "formulas": [ + { + "formula": "query1" + } + ], + "sort": { + "count": 100, + "order_by": [ + { + "type": "formula", + "index": 0, + "order": "desc" + } + ] + } + } + ], + "style": { + "display": { + 
"type": "stacked", + "legend": "automatic" + }, + "scaling": "relative" + } + }, + "layout": { + "x": 3, + "y": 4, + "width": 3, + "height": 4 + } + } + ] + }, + "layout": { + "x": 6, + "y": 0, + "width": 6, + "height": 9 + } + }, + { + "id": 1293337257504016, + "definition": { + "title": "Datadog Cloud SIEM", + "title_align": "center", + "background_color": "vivid_blue", + "show_title": true, + "type": "group", + "layout_type": "ordered", + "widgets": [ + { + "id": 5996232744860254, + "definition": { + "type": "note", + "content": "Datadog Cloud SIEM analyzes and correlates Alert logs to detect threats to your environment in real time. If you don't see signals please make sure you've enabled [Datadog Cloud SIEM](/security?query=source%3Apalo-alto-cortex-xdr%20service%3Aalert%20). ", + "background_color": "blue", + "font_size": "14", + "text_align": "left", + "vertical_align": "center", + "show_tick": false, + "tick_pos": "50%", + "tick_edge": "left", + "has_padding": true + }, + "layout": { + "x": 0, + "y": 0, + "width": 12, + "height": 1 + } + }, + { + "id": 5342373837676104, + "definition": { + "title": "CRITICALs", + "title_size": "16", + "title_align": "left", + "type": "query_value", + "requests": [ + { + "formulas": [ + { + "formula": "query1" + } + ], + "queries": [ + { + "data_source": "security_signals", + "name": "query1", + "indexes": [ + "*" + ], + "compute": { + "aggregation": "count" + }, + "group_by": [], + "search": { + "query": "status:critical service:alert source:palo-alto-cortex-xdr $Status $Starred $Type $Source $Action $Host-Name $User $Category" + } + } + ], + "response_format": "scalar", + "conditional_formats": [ + { + "comparator": ">", + "value": 0, + "palette": "custom_bg", + "custom_bg_color": "#bc303c" + } + ] + } + ], + "autoscale": true, + "precision": 2 + }, + "layout": { + "x": 0, + "y": 1, + "width": 2, + "height": 2 + } + }, + { + "id": 6036737878980402, + "definition": { + "title": "HIGHs", + "title_size": "16", + 
"title_align": "left", + "type": "query_value", + "requests": [ + { + "response_format": "scalar", + "queries": [ + { + "data_source": "security_signals", + "name": "query1", + "indexes": [ + "*" + ], + "compute": { + "aggregation": "count" + }, + "group_by": [], + "search": { + "query": "status:high service:alert source:palo-alto-cortex-xdr $Status $Starred $Type $Source $Action $Host-Name $User $Category" + } + } + ], + "formulas": [ + { + "formula": "query1" + } + ], + "conditional_formats": [ + { + "comparator": ">", + "value": 0, + "palette": "custom_bg", + "custom_bg_color": "#d33043" + } + ] + } + ], + "autoscale": true, + "precision": 2 + }, + "layout": { + "x": 2, + "y": 1, + "width": 2, + "height": 2 + } + }, + { + "id": 4346871810865826, + "definition": { + "title": "Critical Security Signals", + "title_size": "16", + "title_align": "left", + "type": "toplist", + "requests": [ + { + "queries": [ + { + "data_source": "security_signals", + "name": "query1", + "indexes": [ + "*" + ], + "compute": { + "aggregation": "count" + }, + "group_by": [ + { + "facet": "@workflow.rule.name", + "limit": 10, + "sort": { + "order": "desc", + "aggregation": "count" + } + } + ], + "search": { + "query": "source:palo-alto-cortex-xdr status:critical service:alert $Status $Starred $Type $Source $Action $Host-Name $User $Category" + } + } + ], + "response_format": "scalar", + "conditional_formats": [ + { + "comparator": ">", + "value": 0, + "palette": "custom_bg", + "custom_bg_color": "#bc303c" + } + ], + "formulas": [ + { + "formula": "query1" + } + ], + "sort": { + "count": 10, + "order_by": [ + { + "type": "formula", + "index": 0, + "order": "desc" + } + ] + } + } + ], + "style": { + "display": { + "type": "stacked", + "legend": "automatic" + } + } + }, + "layout": { + "x": 4, + "y": 1, + "width": 8, + "height": 4 + } + }, + { + "id": 3185915280408570, + "definition": { + "title": "MEDIUMs", + "title_size": "16", + "title_align": "left", + "type": "query_value", + 
"requests": [ + { + "response_format": "scalar", + "queries": [ + { + "data_source": "security_signals", + "name": "query1", + "indexes": [ + "*" + ], + "compute": { + "aggregation": "count" + }, + "group_by": [], + "search": { + "query": "status:medium service:alert source:palo-alto-cortex-xdr $Status $Starred $Type $Source $Action $Host-Name $User $Category" + } + } + ], + "formulas": [ + { + "formula": "query1" + } + ], + "conditional_formats": [ + { + "comparator": ">", + "value": 0, + "palette": "custom_bg", + "custom_bg_color": "#e5a21c" + } + ] + } + ], + "autoscale": true, + "precision": 2 + }, + "layout": { + "x": 0, + "y": 3, + "width": 2, + "height": 2 + } + }, + { + "id": 5886455123607734, + "definition": { + "title": "LOWs", + "title_size": "16", + "title_align": "left", + "type": "query_value", + "requests": [ + { + "response_format": "scalar", + "queries": [ + { + "data_source": "security_signals", + "name": "query1", + "indexes": [ + "*" + ], + "compute": { + "aggregation": "count" + }, + "group_by": [], + "search": { + "query": "status:low service:alert source:palo-alto-cortex-xdr $Status $Starred $Type $Source $Action $Host-Name $User $Category" + } + } + ], + "formulas": [ + { + "formula": "query1" + } + ], + "conditional_formats": [ + { + "comparator": ">", + "value": 0, + "palette": "custom_bg", + "custom_bg_color": "#ffb52b" + } + ] + } + ], + "autoscale": true, + "precision": 2 + }, + "layout": { + "x": 2, + "y": 3, + "width": 2, + "height": 1 + } + }, + { + "id": 6870389875269390, + "definition": { + "title": "INFOs", + "title_size": "16", + "title_align": "left", + "type": "query_value", + "requests": [ + { + "response_format": "scalar", + "queries": [ + { + "data_source": "security_signals", + "name": "query1", + "indexes": [ + "*" + ], + "compute": { + "aggregation": "count" + }, + "group_by": [], + "search": { + "query": "status:info service:alert source:palo-alto-cortex-xdr $Status $Starred $Type $Source $Action $Host-Name $User 
$Category" + } + } + ], + "formulas": [ + { + "formula": "query1" + } + ], + "conditional_formats": [ + { + "comparator": ">", + "value": 0, + "palette": "custom_bg", + "custom_bg_color": "#84c1e0" + } + ] + } + ], + "autoscale": true, + "precision": 2 + }, + "layout": { + "x": 2, + "y": 4, + "width": 2, + "height": 1 + } + }, + { + "id": 164406757998006, + "definition": { + "title": "High Security Signals", + "title_size": "16", + "title_align": "left", + "type": "toplist", + "requests": [ + { + "queries": [ + { + "data_source": "security_signals", + "name": "query1", + "indexes": [ + "*" + ], + "compute": { + "aggregation": "count" + }, + "group_by": [ + { + "facet": "@workflow.rule.name", + "limit": 10, + "sort": { + "order": "desc", + "aggregation": "count" + } + } + ], + "search": { + "query": "source:palo-alto-cortex-xdr status:high service:alert $Status $Starred $Type $Source $Action $Host-Name $User $Category" + } + } + ], + "response_format": "scalar", + "conditional_formats": [ + { + "comparator": ">", + "value": 0, + "palette": "custom_bg", + "custom_bg_color": "#d33043" + } + ], + "formulas": [ + { + "formula": "query1" + } + ], + "sort": { + "count": 10, + "order_by": [ + { + "type": "formula", + "index": 0, + "order": "desc" + } + ] + } + } + ], + "style": { + "display": { + "type": "stacked", + "legend": "automatic" + } + } + }, + "layout": { + "x": 0, + "y": 5, + "width": 6, + "height": 4 + } + }, + { + "id": 226673736771202, + "definition": { + "title": "Medium Security Signals", + "title_size": "16", + "title_align": "left", + "type": "toplist", + "requests": [ + { + "queries": [ + { + "data_source": "security_signals", + "name": "query1", + "indexes": [ + "*" + ], + "compute": { + "aggregation": "count" + }, + "group_by": [ + { + "facet": "@workflow.rule.name", + "limit": 10, + "sort": { + "order": "desc", + "aggregation": "count" + } + } + ], + "search": { + "query": "source:palo-alto-cortex-xdr status:medium service:alert $Status $Starred $Type 
$Source $Action $Host-Name $User $Category" + } + } + ], + "response_format": "scalar", + "conditional_formats": [ + { + "comparator": ">", + "value": 0, + "palette": "custom_bg", + "custom_bg_color": "#e5a21c" + } + ], + "formulas": [ + { + "formula": "query1" + } + ], + "sort": { + "count": 10, + "order_by": [ + { + "type": "formula", + "index": 0, + "order": "desc" + } + ] + } + } + ], + "style": { + "display": { + "type": "stacked", + "legend": "automatic" + } + } + }, + "layout": { + "x": 6, + "y": 5, + "width": 6, + "height": 4 + } + } + ] + }, + "layout": { + "x": 0, + "y": 9, + "width": 12, + "height": 10 + } + }, + { + "id": 6764175724364526, + "definition": { + "title": "Alert Details", + "title_align": "center", + "background_color": "vivid_blue", + "show_title": true, + "type": "group", + "layout_type": "ordered", + "widgets": [ + { + "id": 8951275002456288, + "definition": { + "title": "Total High Alerts", + "title_size": "16", + "title_align": "left", + "type": "query_value", + "requests": [ + { + "response_format": "scalar", + "queries": [ + { + "data_source": "logs", + "name": "query1", + "indexes": [ + "*" + ], + "compute": { + "aggregation": "count" + }, + "group_by": [], + "search": { + "query": "service:alert source:palo-alto-cortex-xdr @severity:high $Status $Starred $Type $Source $Action $Host-Name $User $Category" + }, + "storage": "hot" + } + ], + "formulas": [ + { + "formula": "query1" + } + ], + "conditional_formats": [ + { + "comparator": ">", + "value": 0, + "palette": "custom_bg", + "custom_bg_color": "#fed2d2" + } + ] + } + ], + "autoscale": true, + "precision": 2 + }, + "layout": { + "x": 0, + "y": 0, + "width": 3, + "height": 4 + } + }, + { + "id": 3646326806650042, + "definition": { + "title": "Total Medium Alerts", + "title_size": "16", + "title_align": "left", + "type": "query_value", + "requests": [ + { + "response_format": "scalar", + "queries": [ + { + "data_source": "logs", + "name": "query1", + "indexes": [ + "*" + ], + 
"compute": { + "aggregation": "count" + }, + "group_by": [], + "search": { + "query": "service:alert source:palo-alto-cortex-xdr @severity:medium $Status $Starred $Type $Source $Action $Host-Name $User $Category" + }, + "storage": "hot" + } + ], + "formulas": [ + { + "formula": "query1" + } + ], + "conditional_formats": [ + { + "comparator": ">", + "value": 0, + "palette": "custom_bg", + "custom_bg_color": "#fbe2d5" + } + ] + } + ], + "autoscale": true, + "precision": 2 + }, + "layout": { + "x": 3, + "y": 0, + "width": 3, + "height": 4 + } + }, + { + "id": 6960874424995550, + "definition": { + "title": "Total Low Alerts", + "title_size": "16", + "title_align": "left", + "type": "query_value", + "requests": [ + { + "response_format": "scalar", + "queries": [ + { + "data_source": "logs", + "name": "query1", + "indexes": [ + "*" + ], + "compute": { + "aggregation": "count" + }, + "group_by": [], + "search": { + "query": "service:alert source:palo-alto-cortex-xdr @severity:low $Status $Starred $Type $Source $Action $Host-Name $User $Category" + }, + "storage": "hot" + } + ], + "formulas": [ + { + "formula": "query1" + } + ], + "conditional_formats": [ + { + "comparator": ">", + "value": 0, + "palette": "black_on_light_yellow" + } + ] + } + ], + "autoscale": true, + "precision": 2 + }, + "layout": { + "x": 6, + "y": 0, + "width": 3, + "height": 4 + } + }, + { + "id": 863619175977472, + "definition": { + "title": "Total Informational Alerts", + "title_size": "16", + "title_align": "left", + "type": "query_value", + "requests": [ + { + "response_format": "scalar", + "queries": [ + { + "data_source": "logs", + "name": "query1", + "indexes": [ + "*" + ], + "compute": { + "aggregation": "count" + }, + "group_by": [], + "search": { + "query": "service:alert source:palo-alto-cortex-xdr @severity:informational $Status $Starred $Type $Source $Action $Host-Name $User $Category" + }, + "storage": "hot" + } + ], + "formulas": [ + { + "formula": "query1" + } + ], + 
"conditional_formats": [ + { + "comparator": ">", + "value": 0, + "palette": "black_on_light_yellow", + "custom_bg_color": "#fffdbd" + } + ] + } + ], + "autoscale": true, + "precision": 2 + }, + "layout": { + "x": 9, + "y": 0, + "width": 3, + "height": 2 + } + }, + { + "id": 3723092782644608, + "definition": { + "title": "Total Unknown Alerts", + "title_size": "16", + "title_align": "left", + "type": "query_value", + "requests": [ + { + "response_format": "scalar", + "queries": [ + { + "data_source": "logs", + "name": "query1", + "indexes": [ + "*" + ], + "compute": { + "aggregation": "count" + }, + "group_by": [], + "search": { + "query": "service:alert source:palo-alto-cortex-xdr @severity:unknown $Status $Starred $Type $Source $Action $Host-Name $User $Category" + }, + "storage": "hot" + } + ], + "formulas": [ + { + "formula": "query1" + } + ], + "conditional_formats": [ + { + "comparator": ">", + "value": 0, + "palette": "black_on_light_yellow" + } + ] + } + ], + "autoscale": true, + "precision": 2 + }, + "layout": { + "x": 9, + "y": 2, + "width": 3, + "height": 2 + } + }, + { + "id": 5406594542730830, + "definition": { + "title": "Distribution by Action", + "title_size": "16", + "title_align": "left", + "requests": [ + { + "response_format": "scalar", + "formulas": [ + { + "formula": "query1" + } + ], + "queries": [ + { + "data_source": "logs", + "name": "query1", + "indexes": [ + "*" + ], + "compute": { + "aggregation": "count" + }, + "group_by": [ + { + "facet": "@action_pretty", + "limit": 10, + "sort": { + "order": "desc", + "aggregation": "count" + } + } + ], + "search": { + "query": "service:alert source:palo-alto-cortex-xdr $Status $Starred $Type $Source $Action $Host-Name $User $Category" + }, + "storage": "hot" + } + ], + "style": { + "palette": "datadog16" + }, + "sort": { + "count": 10, + "order_by": [ + { + "type": "formula", + "index": 0, + "order": "desc" + } + ] + } + } + ], + "type": "sunburst", + "legend": { + "type": "table" + } + }, + 
"layout": { + "x": 0, + "y": 4, + "width": 6, + "height": 4 + } + }, + { + "id": 3346137743896856, + "definition": { + "title": "Distribution by Category", + "title_size": "16", + "title_align": "left", + "requests": [ + { + "response_format": "scalar", + "formulas": [ + { + "formula": "query1" + } + ], + "queries": [ + { + "data_source": "logs", + "name": "query1", + "indexes": [ + "*" + ], + "compute": { + "aggregation": "count" + }, + "group_by": [ + { + "facet": "@category", + "limit": 10, + "sort": { + "order": "desc", + "aggregation": "count" + } + } + ], + "search": { + "query": "service:alert source:palo-alto-cortex-xdr $Status $Starred $Type $Source $Action $Host-Name $User $Category" + }, + "storage": "hot" + } + ], + "style": { + "palette": "datadog16" + }, + "sort": { + "count": 10, + "order_by": [ + { + "type": "formula", + "index": 0, + "order": "desc" + } + ] + } + } + ], + "type": "sunburst", + "legend": { + "type": "table" + } + }, + "layout": { + "x": 6, + "y": 4, + "width": 6, + "height": 4 + } + }, + { + "id": 1700216137916200, + "definition": { + "title": "Top 10 Users", + "title_size": "16", + "title_align": "left", + "type": "toplist", + "requests": [ + { + "queries": [ + { + "data_source": "logs", + "name": "query1", + "indexes": [ + "*" + ], + "compute": { + "aggregation": "count" + }, + "group_by": [ + { + "facet": "@usr.name", + "limit": 10, + "sort": { + "order": "desc", + "aggregation": "count" + } + } + ], + "search": { + "query": "service:alert source:palo-alto-cortex-xdr $Status $Starred $Type $Source $Action $Host-Name $User $Category" + }, + "storage": "hot" + } + ], + "response_format": "scalar", + "formulas": [ + { + "formula": "query1" + } + ], + "sort": { + "count": 10, + "order_by": [ + { + "type": "formula", + "index": 0, + "order": "desc" + } + ] + } + } + ], + "style": { + "display": { + "type": "stacked", + "legend": "automatic" + } + } + }, + "layout": { + "x": 0, + "y": 8, + "width": 4, + "height": 4 + } + }, + { + "id": 
5049950724477278, + "definition": { + "title": "Distribution Over Event Type", + "title_size": "16", + "title_align": "left", + "requests": [ + { + "response_format": "scalar", + "formulas": [ + { + "formula": "query1" + } + ], + "queries": [ + { + "data_source": "logs", + "name": "query1", + "indexes": [ + "*" + ], + "compute": { + "aggregation": "count" + }, + "group_by": [ + { + "facet": "@event_type", + "limit": 10, + "sort": { + "order": "desc", + "aggregation": "count" + } + } + ], + "search": { + "query": "service:alert source:palo-alto-cortex-xdr $Status $Starred $Type $Source $Action $Host-Name $User $Category" + }, + "storage": "hot" + } + ], + "style": { + "palette": "datadog16" + }, + "sort": { + "count": 10, + "order_by": [ + { + "type": "formula", + "index": 0, + "order": "desc" + } + ] + } + } + ], + "type": "sunburst", + "legend": { + "type": "table" + } + }, + "layout": { + "x": 4, + "y": 8, + "width": 8, + "height": 4 + } + }, + { + "id": 3549762571661580, + "definition": { + "title": "Distribution by Type", + "title_size": "16", + "title_align": "left", + "requests": [ + { + "response_format": "scalar", + "formulas": [ + { + "formula": "query1" + } + ], + "queries": [ + { + "data_source": "logs", + "name": "query1", + "indexes": [ + "*" + ], + "compute": { + "aggregation": "count" + }, + "group_by": [ + { + "facet": "@alert_type", + "limit": 10, + "sort": { + "order": "desc", + "aggregation": "count" + } + } + ], + "search": { + "query": "service:alert source:palo-alto-cortex-xdr $Status $Starred $Type $Source $Action $Host-Name $User $Category" + }, + "storage": "hot" + } + ], + "style": { + "palette": "datadog16" + }, + "sort": { + "count": 10, + "order_by": [ + { + "type": "formula", + "index": 0, + "order": "desc" + } + ] + } + } + ], + "type": "sunburst", + "legend": { + "type": "table" + } + }, + "layout": { + "x": 0, + "y": 12, + "width": 6, + "height": 4 + } + }, + { + "id": 6751532166861096, + "definition": { + "title": "Distribution by 
Source", + "title_size": "16", + "title_align": "left", + "requests": [ + { + "response_format": "scalar", + "formulas": [ + { + "formula": "query1" + } + ], + "queries": [ + { + "data_source": "logs", + "name": "query1", + "indexes": [ + "*" + ], + "compute": { + "aggregation": "count" + }, + "group_by": [ + { + "facet": "@source", + "limit": 10, + "sort": { + "order": "desc", + "aggregation": "count" + } + } + ], + "search": { + "query": "service:alert source:palo-alto-cortex-xdr $Status $Starred $Type $Source $Action $Host-Name $User $Category" + }, + "storage": "hot" + } + ], + "style": { + "palette": "datadog16" + }, + "sort": { + "count": 10, + "order_by": [ + { + "type": "formula", + "index": 0, + "order": "desc" + } + ] + } + } + ], + "type": "sunburst", + "legend": { + "type": "table" + } + }, + "layout": { + "x": 6, + "y": 12, + "width": 6, + "height": 4 + } + }, + { + "id": 1195744439198472, + "definition": { + "title": "Distribution by Module Id", + "title_size": "16", + "title_align": "left", + "requests": [ + { + "response_format": "scalar", + "formulas": [ + { + "formula": "query1" + } + ], + "queries": [ + { + "data_source": "logs", + "name": "query1", + "indexes": [ + "*" + ], + "compute": { + "aggregation": "count" + }, + "group_by": [ + { + "facet": "@module_id", + "limit": 10, + "sort": { + "order": "desc", + "aggregation": "count" + } + } + ], + "search": { + "query": "service:alert source:palo-alto-cortex-xdr $Status $Starred $Type $Source $Action $Host-Name $User $Category" + }, + "storage": "hot" + } + ], + "style": { + "palette": "datadog16" + }, + "sort": { + "count": 10, + "order_by": [ + { + "type": "formula", + "index": 0, + "order": "desc" + } + ] + } + } + ], + "type": "sunburst", + "legend": { + "type": "table" + } + }, + "layout": { + "x": 0, + "y": 16, + "width": 12, + "height": 4 + } + }, + { + "id": 3839373271010038, + "definition": { + "title": "Top 10 Mitre Tactic Id and Name", + "title_size": "16", + "title_align": "left", + 
"type": "toplist", + "requests": [ + { + "queries": [ + { + "data_source": "logs", + "name": "query1", + "indexes": [ + "*" + ], + "compute": { + "aggregation": "count" + }, + "group_by": [ + { + "facet": "@mitre_tactic_id_and_name", + "limit": 10, + "sort": { + "order": "desc", + "aggregation": "count" + } + } + ], + "search": { + "query": "service:alert source:palo-alto-cortex-xdr $Status $Starred $Type $Source $Action $Host-Name $User $Category" + }, + "storage": "hot" + } + ], + "response_format": "scalar", + "formulas": [ + { + "formula": "query1" + } + ], + "sort": { + "count": 10, + "order_by": [ + { + "type": "formula", + "index": 0, + "order": "desc" + } + ] + } + } + ], + "style": { + "display": { + "type": "stacked", + "legend": "automatic" + } + } + }, + "layout": { + "x": 0, + "y": 20, + "width": 3, + "height": 4 + } + }, + { + "id": 3234858784948774, + "definition": { + "title": "Featured Alert Fields", + "title_size": "16", + "title_align": "left", + "type": "query_table", + "requests": [ + { + "queries": [ + { + "data_source": "logs", + "name": "query1", + "indexes": [ + "*" + ], + "compute": { + "aggregation": "count" + }, + "group_by": [ + { + "facet": "@alert_id", + "limit": 2, + "sort": { + "order": "desc", + "aggregation": "count" + } + }, + { + "facet": "@name", + "limit": 2, + "sort": { + "order": "desc", + "aggregation": "count" + } + }, + { + "facet": "@events_length", + "limit": 2, + "sort": { + "order": "desc", + "aggregation": "count" + } + }, + { + "facet": "@contains_featured_host", + "limit": 2, + "sort": { + "order": "desc", + "aggregation": "count" + } + }, + { + "facet": "@contains_featured_user", + "limit": 2, + "sort": { + "order": "desc", + "aggregation": "count" + } + }, + { + "facet": "@contains_featured_ip", + "limit": 2, + "sort": { + "order": "desc", + "aggregation": "count" + } + } + ], + "search": { + "query": "service:alert source:palo-alto-cortex-xdr $Status $Starred $Type $Source $Action $Host-Name $User $Category" + 
}, + "storage": "hot" + } + ], + "response_format": "scalar", + "sort": { + "count": 64, + "order_by": [ + { + "type": "formula", + "index": 0, + "order": "desc" + } + ] + }, + "formulas": [ + { + "cell_display_mode": "number", + "alias": "count", + "formula": "query1" + } + ] + } + ], + "has_search_bar": "auto" + }, + "layout": { + "x": 3, + "y": 20, + "width": 9, + "height": 4 + } + }, + { + "id": 7256105526370630, + "definition": { + "title": "Alerts by Country", + "title_size": "16", + "title_align": "left", + "type": "geomap", + "requests": [ + { + "queries": [ + { + "data_source": "logs", + "name": "query1", + "indexes": [ + "*" + ], + "compute": { + "aggregation": "count" + }, + "group_by": [ + { + "facet": "@network.client.geoip.country.iso_code", + "limit": 250, + "sort": { + "order": "desc", + "aggregation": "count" + } + } + ], + "search": { + "query": "service:alert source:palo-alto-cortex-xdr $Status $Starred $Type $Source $Action $Host-Name $User $Category" + }, + "storage": "hot" + } + ], + "response_format": "scalar", + "formulas": [ + { + "formula": "query1" + } + ], + "sort": { + "count": 250, + "order_by": [ + { + "type": "formula", + "index": 0, + "order": "desc" + } + ] + } + } + ], + "style": { + "palette": "hostmap_blues", + "palette_flip": false + }, + "view": { + "focus": "WORLD" + } + }, + "layout": { + "x": 0, + "y": 24, + "width": 12, + "height": 4 + } + }, + { + "id": 6302728306769810, + "definition": { + "title": "Agent Details", + "title_size": "16", + "title_align": "left", + "type": "query_table", + "requests": [ + { + "queries": [ + { + "data_source": "logs", + "name": "query1", + "indexes": [ + "*" + ], + "compute": { + "aggregation": "count" + }, + "group_by": [ + { + "facet": "@agent_version", + "limit": 2, + "sort": { + "order": "desc", + "aggregation": "count" + } + }, + { + "facet": "@agent_device_domain", + "limit": 2, + "sort": { + "order": "desc", + "aggregation": "count" + } + }, + { + "facet": "@agent_os_type", + 
"limit": 2, + "sort": { + "order": "desc", + "aggregation": "count" + } + }, + { + "facet": "@agent_fqdn", + "limit": 2, + "sort": { + "order": "desc", + "aggregation": "count" + } + }, + { + "facet": "@agent_data_collection_status", + "limit": 2, + "sort": { + "order": "desc", + "aggregation": "count" + } + }, + { + "facet": "@agent_install_type", + "limit": 2, + "sort": { + "order": "desc", + "aggregation": "count" + } + }, + { + "facet": "@agent_os_sub_type", + "limit": 2, + "sort": { + "order": "desc", + "aggregation": "count" + } + } + ], + "search": { + "query": "service:alert source:palo-alto-cortex-xdr $Status $Starred $Type $Source $Action $Host-Name $User $Category" + }, + "storage": "hot" + } + ], + "response_format": "scalar", + "sort": { + "count": 128, + "order_by": [ + { + "type": "formula", + "index": 0, + "order": "desc" + } + ] + }, + "formulas": [ + { + "cell_display_mode": "number", + "alias": "Count", + "formula": "query1" + } + ] + } + ], + "has_search_bar": "auto" + }, + "layout": { + "x": 0, + "y": 28, + "width": 12, + "height": 4 + } + }, + { + "id": 2555151156464312, + "definition": { + "title": "Log Details", + "title_size": "16", + "title_align": "left", + "requests": [ + { + "response_format": "event_list", + "query": { + "data_source": "logs_stream", + "query_string": "service:alert source:palo-alto-cortex-xdr $Status $Starred $Type $Source $Action $Host-Name $User $Category", + "indexes": [], + "storage": "hot", + "sort": { + "order": "desc", + "column": "timestamp" + } + }, + "columns": [ + { + "field": "status_line", + "width": "auto" + }, + { + "field": "timestamp", + "width": "auto" + }, + { + "field": "@status", + "width": "auto" + }, + { + "field": "alert_id", + "width": "auto" + }, + { + "field": "name", + "width": "auto" + }, + { + "field": "description", + "width": "auto" + }, + { + "field": "action", + "width": "auto" + }, + { + "field": "action_pretty", + "width": "auto" + }, + { + "field": "alert_type", + "width": "auto" + 
}, + { + "field": "network.client.ip", + "width": "auto" + }, + { + "field": "host_name", + "width": "auto" + }, + { + "field": "@source", + "width": "auto" + }, + { + "field": "agent_version", + "width": "auto" + }, + { + "field": "agent_device_domain", + "width": "auto" + }, + { + "field": "agent_fqdn", + "width": "auto" + }, + { + "field": "agent_os_type", + "width": "auto" + }, + { + "field": "agent_data_collection_status", + "width": "auto" + }, + { + "field": "agent_is_vdi", + "width": "auto" + }, + { + "field": "agent_install_type", + "width": "auto" + }, + { + "field": "agent_ip_addresses_v6", + "width": "auto" + }, + { + "field": "agent_os_sub_type", + "width": "auto" + }, + { + "field": "agent_host_boot_time", + "width": "auto" + }, + { + "field": "http.url", + "width": "auto" + }, + { + "field": "contains_featured_host", + "width": "auto" + }, + { + "field": "contains_featured_user", + "width": "auto" + }, + { + "field": "contains_featured_ip", + "width": "auto" + } + ] + } + ], + "type": "list_stream" + }, + "layout": { + "x": 0, + "y": 32, + "width": 12, + "height": 4 + } + } + ] + }, + "layout": { + "x": 0, + "y": 19, + "width": 12, + "height": 37, + "is_column_break": true + } + }, + { + "id": 1013286856666266, + "definition": { + "title": "Status Details", + "title_align": "center", + "background_color": "vivid_blue", + "show_title": true, + "type": "group", + "layout_type": "ordered", + "widgets": [ + { + "id": 6056471570231270, + "definition": { + "title": "Distribution by Starred Status", + "title_size": "16", + "title_align": "left", + "requests": [ + { + "response_format": "scalar", + "formulas": [ + { + "formula": "query1" + } + ], + "queries": [ + { + "data_source": "logs", + "name": "query1", + "indexes": [ + "*" + ], + "compute": { + "aggregation": "count" + }, + "group_by": [ + { + "facet": "@starred", + "limit": 10, + "sort": { + "order": "desc", + "aggregation": "count" + } + } + ], + "search": { + "query": "service:alert 
source:palo-alto-cortex-xdr $Status $Starred $Type $Source $Action $Host-Name $User $Category" + }, + "storage": "hot" + } + ], + "style": { + "palette": "datadog16" + }, + "sort": { + "count": 10, + "order_by": [ + { + "type": "formula", + "index": 0, + "order": "desc" + } + ] + } + } + ], + "type": "sunburst", + "legend": { + "type": "table" + } + }, + "layout": { + "x": 0, + "y": 0, + "width": 6, + "height": 4 + } + }, + { + "id": 3727360025629342, + "definition": { + "title": "Distribution by Matching Status", + "title_size": "16", + "title_align": "left", + "requests": [ + { + "response_format": "scalar", + "formulas": [ + { + "formula": "query1" + } + ], + "queries": [ + { + "data_source": "logs", + "name": "query1", + "indexes": [ + "*" + ], + "compute": { + "aggregation": "count" + }, + "group_by": [ + { + "facet": "@matching_status", + "limit": 10, + "sort": { + "order": "desc", + "aggregation": "count" + } + } + ], + "search": { + "query": "service:alert source:palo-alto-cortex-xdr $Status $Starred $Type $Source $Action $Host-Name $User $Category" + }, + "storage": "hot" + } + ], + "style": { + "palette": "datadog16" + }, + "sort": { + "count": 10, + "order_by": [ + { + "type": "formula", + "index": 0, + "order": "desc" + } + ] + } + } + ], + "type": "sunburst", + "legend": { + "type": "table" + } + }, + "layout": { + "x": 6, + "y": 0, + "width": 6, + "height": 4 + } + }, + { + "id": 4536927342541656, + "definition": { + "title": "Distribution by Whitelist Status", + "title_size": "16", + "title_align": "left", + "requests": [ + { + "response_format": "scalar", + "formulas": [ + { + "formula": "query1" + } + ], + "queries": [ + { + "data_source": "logs", + "name": "query1", + "indexes": [ + "*" + ], + "compute": { + "aggregation": "count" + }, + "group_by": [ + { + "facet": "@is_whitelisted", + "limit": 10, + "sort": { + "order": "desc", + "aggregation": "count" + } + } + ], + "search": { + "query": "service:alert source:palo-alto-cortex-xdr $Status 
$Starred $Type $Source $Action $Host-Name $User $Category" + }, + "storage": "hot" + } + ], + "style": { + "palette": "datadog16" + }, + "sort": { + "count": 10, + "order_by": [ + { + "type": "formula", + "index": 0, + "order": "desc" + } + ] + } + } + ], + "type": "sunburst", + "legend": { + "type": "table" + } + }, + "layout": { + "x": 0, + "y": 4, + "width": 12, + "height": 4 + } + }, + { + "id": 5792269137320434, + "definition": { + "title": "Log Details", + "title_size": "16", + "title_align": "left", + "requests": [ + { + "response_format": "event_list", + "query": { + "data_source": "logs_stream", + "query_string": "service:alert source:palo-alto-cortex-xdr $Status $Starred $Type $Source $Action $Host-Name $User $Category", + "indexes": [], + "storage": "hot", + "sort": { + "order": "desc", + "column": "timestamp" + } + }, + "columns": [ + { + "field": "status_line", + "width": "auto" + }, + { + "field": "timestamp", + "width": "auto" + }, + { + "field": "@status", + "width": "auto" + }, + { + "field": "alert_id", + "width": "auto" + }, + { + "field": "matching_status", + "width": "auto" + }, + { + "field": "starred", + "width": "auto" + }, + { + "field": "is_whitelisted", + "width": "auto" + } + ] + } + ], + "type": "list_stream" + }, + "layout": { + "x": 0, + "y": 8, + "width": 12, + "height": 4 + } + } + ] + }, + "layout": { + "x": 0, + "y": 56, + "width": 12, + "height": 13 + } + } + ], + "template_variables": [ + { + "name": "Status", + "prefix": "@status", + "available_values": [], + "default": "*" + }, + { + "name": "Starred", + "prefix": "@starred", + "available_values": [], + "default": "*" + }, + { + "name": "Type", + "prefix": "@alert_type", + "available_values": [], + "default": "*" + }, + { + "name": "Source", + "prefix": "@source", + "available_values": [], + "default": "*" + }, + { + "name": "Action", + "prefix": "@action", + "available_values": [], + "default": "*" + }, + { + "name": "Host-Name", + "prefix": "@host_name", + 
"available_values": [], + "default": "*" + }, + { + "name": "User", + "prefix": "@user_name", + "available_values": [], + "default": "*" + }, + { + "name": "Category", + "prefix": "@category", + "available_values": [], + "default": "*" + } + ], + "layout_type": "ordered", + "notify_list": [], + "reflow_type": "fixed" +} \ No newline at end of file diff --git a/palo_alto_cortex_xdr/assets/dashboards/palo_alto_cortex_xdr_incidents.json b/palo_alto_cortex_xdr/assets/dashboards/palo_alto_cortex_xdr_incidents.json new file mode 100644 index 0000000000000..b0f21573cb4b3 --- /dev/null +++ b/palo_alto_cortex_xdr/assets/dashboards/palo_alto_cortex_xdr_incidents.json 
@@ -0,0 +1,1789 @@ +{ + "title": "Palo Alto Cortex XDR - Incidents", + "description": "This dashboard provides information about the Incidents generated on Palo Alto Cortex XDR.", + "widgets": [ + { + "id": 5527090904543100, + "definition": { + "title": "", + "banner_img": "https://www.cisco.com/c/dam/assets/swa/img/anchor-info/cortex-primary-628x353.jpg", + "show_title": true, + "type": "group", + "layout_type": "ordered", + "widgets": [ + { + "id": 911775482073612, + "definition": { + "type": "note", + "content": "Gain better visibility into your organization's security events by monitoring Palo Alto Cortex XDR Incident logs with this dashboard. \n\nAn attack can affect multiple hosts or users and trigger various alert types from a single event. All artifacts, assets, and alerts from a threat event are gathered into an Incident.\nIncident logs aggregate multiple alerts and events from different sources, providing a comprehensive view of a security incident, offers detailed information about the incident, including the nature of the threat, affected systems, and potential impact. They include artifacts such as malware, IP addresses, and user activities associated with the incident. Security teams can use incident logs to manage and track the progress of an incident from detection to resolution. 
Logs include fields for incident descriptions, resolution statuses, and actions taken.\n\nWith the help of incident logs, organizations can improve their overall security posture, ensuring that all security events are thoroughly investigated, managed, and documented.\n\nFor more information, see the [Palo Alto Cortex XDR Integration Documentation](https://docs.datadoghq.com/integrations/palo_alto_cortex_xdr).\n\n**Tips**\n- Use the timeframe selector in the top right of the dashboard to change the default timeframe.\n- Clone this dashboard to rearrange, modify and add widgets and visualizations.", + "background_color": "white", + "font_size": "14", + "text_align": "left", + "vertical_align": "top", + "show_tick": false, + "tick_pos": "50%", + "tick_edge": "left", + "has_padding": true + }, + "layout": { + "x": 0, + "y": 0, + "width": 6, + "height": 6 + } + } + ] + }, + "layout": { + "x": 0, + "y": 0, + "width": 6, + "height": 9 + } + }, + { + "id": 8694280567870332, + "definition": { + "title": "Incident Logs Overview", + "background_color": "vivid_blue", + "show_title": true, + "type": "group", + "layout_type": "ordered", + "widgets": [ + { + "id": 5375124172323778, + "definition": { + "title": "Severity Over Time", + "title_size": "16", + "title_align": "left", + "show_legend": true, + "legend_layout": "auto", + "legend_columns": [ + "avg", + "min", + "max", + "value", + "sum" + ], + "type": "timeseries", + "requests": [ + { + "formulas": [ + { + "formula": "query1" + } + ], + "queries": [ + { + "data_source": "logs", + "name": "query1", + "indexes": [ + "*" + ], + "compute": { + "aggregation": "count" + }, + "group_by": [ + { + "facet": "@severity", + "limit": 10, + "sort": { + "order": "desc", + "aggregation": "count" + } + } + ], + "search": { + "query": "service:incident source:palo-alto-cortex-xdr $Severity-Status $Starred $Incident-Id $User" + }, + "storage": "hot" + } + ], + "response_format": "timeseries", + "style": { + "palette": "dog_classic", + 
"order_by": "values", + "line_type": "solid", + "line_width": "normal" + }, + "display_type": "area" + } + ] + }, + "layout": { + "x": 0, + "y": 0, + "width": 6, + "height": 4 + } + }, + { + "id": 6585456322585292, + "definition": { + "title": "Total Incidents", + "title_size": "16", + "title_align": "left", + "type": "query_value", + "requests": [ + { + "response_format": "scalar", + "queries": [ + { + "data_source": "logs", + "name": "query1", + "indexes": [ + "*" + ], + "compute": { + "aggregation": "count" + }, + "group_by": [], + "search": { + "query": "service:incident source:palo-alto-cortex-xdr $Severity-Status $Starred $Incident-Id $User" + }, + "storage": "hot" + } + ], + "formulas": [ + { + "formula": "query1" + } + ], + "conditional_formats": [ + { + "comparator": ">", + "value": 0, + "palette": "black_on_light_green" + } + ] + } + ], + "autoscale": true, + "precision": 2 + }, + "layout": { + "x": 0, + "y": 4, + "width": 3, + "height": 4 + } + }, + { + "id": 1621054123859942, + "definition": { + "title": "Total Un-Resolved Incidents", + "title_size": "16", + "title_align": "left", + "type": "query_value", + "requests": [ + { + "response_format": "scalar", + "queries": [ + { + "data_source": "logs", + "name": "query1", + "indexes": [ + "*" + ], + "compute": { + "aggregation": "count" + }, + "group_by": [], + "search": { + "query": "service:incident source:palo-alto-cortex-xdr @resolved_timestamp:null $Severity-Status $Starred $Incident-Id $User" + }, + "storage": "hot" + } + ], + "formulas": [ + { + "formula": "query1" + } + ], + "conditional_formats": [ + { + "comparator": ">", + "value": 0, + "palette": "black_on_light_green" + } + ] + } + ], + "autoscale": true, + "precision": 2 + }, + "layout": { + "x": 3, + "y": 4, + "width": 3, + "height": 4 + } + } + ] + }, + "layout": { + "x": 6, + "y": 0, + "width": 6, + "height": 9 + } + }, + { + "id": 1293337257504016, + "definition": { + "title": "Datadog Cloud SIEM", + "title_align": "center", + 
"background_color": "vivid_blue", + "show_title": true, + "type": "group", + "layout_type": "ordered", + "widgets": [ + { + "id": 5996232744860254, + "definition": { + "type": "note", + "content": "Datadog Cloud SIEM analyzes and correlates Incident logs to detect threats to your environment in real time. If you don't see signals please make sure you've enabled [Datadog Cloud SIEM](/security?query=source%3Apalo-alto-cortex-xdr%20service%3Aincident%20). ", + "background_color": "blue", + "font_size": "14", + "text_align": "left", + "vertical_align": "center", + "show_tick": false, + "tick_pos": "50%", + "tick_edge": "left", + "has_padding": true + }, + "layout": { + "x": 0, + "y": 0, + "width": 12, + "height": 1 + } + }, + { + "id": 3679104106813300, + "definition": { + "title": "CRITICALs", + "title_size": "16", + "title_align": "left", + "type": "query_value", + "requests": [ + { + "formulas": [ + { + "formula": "query1" + } + ], + "queries": [ + { + "data_source": "security_signals", + "name": "query1", + "indexes": [ + "*" + ], + "compute": { + "aggregation": "count" + }, + "group_by": [], + "search": { + "query": "status:critical service:incident source:palo-alto-cortex-xdr $Starred $Severity-Status $Incident-Id $User" + } + } + ], + "response_format": "scalar", + "conditional_formats": [ + { + "comparator": ">", + "value": 0, + "palette": "custom_bg", + "custom_bg_color": "#bc303c" + } + ] + } + ], + "autoscale": true, + "precision": 2 + }, + "layout": { + "x": 0, + "y": 1, + "width": 2, + "height": 2 + } + }, + { + "id": 7654833344876316, + "definition": { + "title": "HIGHs", + "title_size": "16", + "title_align": "left", + "type": "query_value", + "requests": [ + { + "response_format": "scalar", + "queries": [ + { + "data_source": "security_signals", + "name": "query1", + "indexes": [ + "*" + ], + "compute": { + "aggregation": "count" + }, + "group_by": [], + "search": { + "query": "status:high service:incident source:palo-alto-cortex-xdr $Starred 
$Severity-Status $Incident-Id $User" + } + } + ], + "formulas": [ + { + "formula": "query1" + } + ], + "conditional_formats": [ + { + "comparator": ">", + "value": 0, + "palette": "custom_bg", + "custom_bg_color": "#d33043" + } + ] + } + ], + "autoscale": true, + "precision": 2 + }, + "layout": { + "x": 2, + "y": 1, + "width": 2, + "height": 2 + } + }, + { + "id": 3497013462131200, + "definition": { + "title": "Critical Security Signals", + "title_size": "16", + "title_align": "left", + "type": "toplist", + "requests": [ + { + "queries": [ + { + "data_source": "security_signals", + "name": "query1", + "indexes": [ + "*" + ], + "compute": { + "aggregation": "count" + }, + "group_by": [ + { + "facet": "@workflow.rule.name", + "limit": 10, + "sort": { + "order": "desc", + "aggregation": "count" + } + } + ], + "search": { + "query": "source:palo-alto-cortex-xdr service:incident status:critical $Severity-Status $Starred $Incident-Id $User" + } + } + ], + "response_format": "scalar", + "conditional_formats": [ + { + "comparator": ">", + "value": 0, + "palette": "custom_bg", + "custom_bg_color": "#bc303c" + } + ], + "formulas": [ + { + "formula": "query1" + } + ], + "sort": { + "count": 10, + "order_by": [ + { + "type": "formula", + "index": 0, + "order": "desc" + } + ] + } + } + ], + "style": { + "display": { + "type": "stacked", + "legend": "automatic" + } + } + }, + "layout": { + "x": 4, + "y": 1, + "width": 8, + "height": 4 + } + }, + { + "id": 1994785643647592, + "definition": { + "title": "MEDIUMs", + "title_size": "16", + "title_align": "left", + "type": "query_value", + "requests": [ + { + "response_format": "scalar", + "queries": [ + { + "data_source": "security_signals", + "name": "query1", + "indexes": [ + "*" + ], + "compute": { + "aggregation": "count" + }, + "group_by": [], + "search": { + "query": "status:medium service:incident source:palo-alto-cortex-xdr $Starred $Severity-Status $Incident-Id $User" + } + } + ], + "formulas": [ + { + "formula": "query1" + 
} + ], + "conditional_formats": [ + { + "comparator": ">", + "value": 0, + "palette": "custom_bg", + "custom_bg_color": "#e5a21c" + } + ] + } + ], + "autoscale": true, + "precision": 2 + }, + "layout": { + "x": 0, + "y": 3, + "width": 2, + "height": 2 + } + }, + { + "id": 5221231304656460, + "definition": { + "title": "LOWs", + "title_size": "16", + "title_align": "left", + "type": "query_value", + "requests": [ + { + "response_format": "scalar", + "queries": [ + { + "data_source": "security_signals", + "name": "query1", + "indexes": [ + "*" + ], + "compute": { + "aggregation": "count" + }, + "group_by": [], + "search": { + "query": "status:low service:incident source:palo-alto-cortex-xdr $Starred $Severity-Status $Incident-Id $User" + } + } + ], + "formulas": [ + { + "formula": "query1" + } + ], + "conditional_formats": [ + { + "comparator": ">", + "value": 0, + "palette": "custom_bg", + "custom_bg_color": "#ffb52b" + } + ] + } + ], + "autoscale": true, + "precision": 2 + }, + "layout": { + "x": 2, + "y": 3, + "width": 2, + "height": 1 + } + }, + { + "id": 8115309526387882, + "definition": { + "title": "INFOs", + "title_size": "16", + "title_align": "left", + "type": "query_value", + "requests": [ + { + "response_format": "scalar", + "queries": [ + { + "data_source": "security_signals", + "name": "query1", + "indexes": [ + "*" + ], + "compute": { + "aggregation": "count" + }, + "group_by": [], + "search": { + "query": "status:info service:incident source:palo-alto-cortex-xdr $Starred $Severity-Status $Incident-Id $User" + } + } + ], + "formulas": [ + { + "formula": "query1" + } + ], + "conditional_formats": [ + { + "comparator": ">", + "value": 0, + "palette": "custom_bg", + "custom_bg_color": "#84c1e0" + } + ] + } + ], + "autoscale": true, + "precision": 2 + }, + "layout": { + "x": 2, + "y": 4, + "width": 2, + "height": 1 + } + }, + { + "id": 7225645109603238, + "definition": { + "title": "High Security Signals", + "title_size": "16", + "title_align": "left", + 
"type": "toplist", + "requests": [ + { + "queries": [ + { + "data_source": "security_signals", + "name": "query1", + "indexes": [ + "*" + ], + "compute": { + "aggregation": "count" + }, + "group_by": [ + { + "facet": "@workflow.rule.name", + "limit": 10, + "sort": { + "order": "desc", + "aggregation": "count" + } + } + ], + "search": { + "query": "source:palo-alto-cortex-xdr service:incident status:high $Severity-Status $Starred $Incident-Id $User" + } + } + ], + "response_format": "scalar", + "conditional_formats": [ + { + "comparator": ">", + "value": 0, + "palette": "custom_bg", + "custom_bg_color": "#d33043" + } + ], + "formulas": [ + { + "formula": "query1" + } + ], + "sort": { + "count": 10, + "order_by": [ + { + "type": "formula", + "index": 0, + "order": "desc" + } + ] + } + } + ], + "style": { + "display": { + "type": "stacked", + "legend": "automatic" + } + } + }, + "layout": { + "x": 0, + "y": 5, + "width": 7, + "height": 4 + } + }, + { + "id": 8513009730624912, + "definition": { + "title": "Medium Security Signals", + "title_size": "16", + "title_align": "left", + "type": "toplist", + "requests": [ + { + "queries": [ + { + "data_source": "security_signals", + "name": "query1", + "indexes": [ + "*" + ], + "compute": { + "aggregation": "count" + }, + "group_by": [ + { + "facet": "@workflow.rule.name", + "limit": 10, + "sort": { + "order": "desc", + "aggregation": "count" + } + } + ], + "search": { + "query": "source:palo-alto-cortex-xdr service:incident status:medium $Severity-Status $Starred $Incident-Id $User" + } + } + ], + "response_format": "scalar", + "conditional_formats": [ + { + "comparator": ">", + "value": 0, + "palette": "custom_bg", + "custom_bg_color": "#e5a21c" + } + ], + "formulas": [ + { + "formula": "query1" + } + ], + "sort": { + "count": 10, + "order_by": [ + { + "type": "formula", + "index": 0, + "order": "desc" + } + ] + } + } + ], + "style": { + "display": { + "type": "stacked", + "legend": "automatic" + } + } + }, + "layout": { + 
"x": 7, + "y": 5, + "width": 5, + "height": 4 + } + } + ] + }, + "layout": { + "x": 0, + "y": 9, + "width": 12, + "height": 10 + } + }, + { + "id": 6764175724364526, + "definition": { + "title": "Incident Details", + "title_align": "center", + "background_color": "vivid_blue", + "show_title": true, + "type": "group", + "layout_type": "ordered", + "widgets": [ + { + "id": 1485828861062888, + "definition": { + "title": "Total Critical Incidents", + "title_size": "16", + "title_align": "left", + "type": "query_value", + "requests": [ + { + "response_format": "scalar", + "queries": [ + { + "data_source": "logs", + "name": "query1", + "indexes": [ + "*" + ], + "compute": { + "aggregation": "count" + }, + "group_by": [], + "search": { + "query": "service:incident source:palo-alto-cortex-xdr @severity:critical $Severity-Status $Starred $Incident-Id $User" + }, + "storage": "hot" + } + ], + "formulas": [ + { + "formula": "query1" + } + ], + "conditional_formats": [ + { + "comparator": ">", + "value": 0, + "palette": "black_on_light_red" + } + ] + } + ], + "autoscale": true, + "precision": 2 + }, + "layout": { + "x": 0, + "y": 0, + "width": 3, + "height": 4 + } + }, + { + "id": 7834203291553320, + "definition": { + "title": "Total High Incidents", + "title_size": "16", + "title_align": "left", + "type": "query_value", + "requests": [ + { + "response_format": "scalar", + "queries": [ + { + "data_source": "logs", + "name": "query1", + "indexes": [ + "*" + ], + "compute": { + "aggregation": "count" + }, + "group_by": [], + "search": { + "query": "service:incident source:palo-alto-cortex-xdr @severity:high $Severity-Status $Starred $Incident-Id $User" + }, + "storage": "hot" + } + ], + "formulas": [ + { + "formula": "query1" + } + ], + "conditional_formats": [ + { + "comparator": ">", + "value": 0, + "palette": "custom_bg", + "custom_bg_color": "#ffe6d1" + } + ] + } + ], + "autoscale": true, + "precision": 2 + }, + "layout": { + "x": 3, + "y": 0, + "width": 3, + "height": 4 + } 
+ }, + { + "id": 6372127791080892, + "definition": { + "title": "Total Medium Incidents", + "title_size": "16", + "title_align": "left", + "type": "query_value", + "requests": [ + { + "response_format": "scalar", + "queries": [ + { + "data_source": "logs", + "name": "query1", + "indexes": [ + "*" + ], + "compute": { + "aggregation": "count" + }, + "group_by": [], + "search": { + "query": "service:incident source:palo-alto-cortex-xdr @severity:medium $Severity-Status $Starred $Incident-Id $User" + }, + "storage": "hot" + } + ], + "formulas": [ + { + "formula": "query1" + } + ], + "conditional_formats": [ + { + "comparator": ">", + "value": 0, + "palette": "custom_bg", + "custom_bg_color": "#fdf3bf" + } + ] + } + ], + "autoscale": true, + "precision": 2 + }, + "layout": { + "x": 6, + "y": 0, + "width": 3, + "height": 4 + } + }, + { + "id": 6756055597915178, + "definition": { + "title": "Total Low Incidents", + "title_size": "16", + "title_align": "left", + "type": "query_value", + "requests": [ + { + "response_format": "scalar", + "queries": [ + { + "data_source": "logs", + "name": "query1", + "indexes": [ + "*" + ], + "compute": { + "aggregation": "count" + }, + "group_by": [], + "search": { + "query": "service:incident source:palo-alto-cortex-xdr @severity:low $Severity-Status $Starred $Incident-Id $User" + }, + "storage": "hot" + } + ], + "formulas": [ + { + "formula": "query1" + } + ], + "conditional_formats": [ + { + "comparator": ">", + "value": 0, + "palette": "black_on_light_yellow" + } + ] + } + ], + "autoscale": true, + "precision": 2 + }, + "layout": { + "x": 9, + "y": 0, + "width": 3, + "height": 4 + } + }, + { + "id": 284296062168366, + "definition": { + "title": "Incident Details", + "title_size": "16", + "title_align": "left", + "type": "query_table", + "requests": [ + { + "queries": [ + { + "data_source": "logs", + "name": "query1", + "indexes": [ + "*" + ], + "compute": { + "aggregation": "count" + }, + "group_by": [ + { + "facet": "@incident_id", + 
"limit": 10, + "sort": { + "order": "desc", + "aggregation": "count" + } + }, + { + "facet": "@description", + "limit": 10, + "sort": { + "order": "desc", + "aggregation": "count" + } + }, + { + "facet": "@http.url", + "limit": 10, + "sort": { + "order": "desc", + "aggregation": "count" + } + } + ], + "search": { + "query": "service:incident source:palo-alto-cortex-xdr $Severity-Status $Starred $Incident-Id $User" + }, + "storage": "hot" + } + ], + "response_format": "scalar", + "sort": { + "count": 1000, + "order_by": [ + { + "type": "formula", + "index": 0, + "order": "desc" + } + ] + }, + "formulas": [ + { + "cell_display_mode": "number", + "alias": "COUNT", + "formula": "query1" + } + ] + } + ], + "has_search_bar": "auto", + "custom_links": [ + { + "label": "View Incident in Palo Alto Cortex XDR", + "link": "https://demo.xdr.in.paloaltonetworks.com/incident-view?caseId={{@incident_id.value}}" + } + ] + }, + "layout": { + "x": 0, + "y": 4, + "width": 12, + "height": 4 + } + }, + { + "id": 89960314986630, + "definition": { + "title": "Distribution by Alert Severity", + "title_size": "16", + "title_align": "left", + "type": "query_table", + "requests": [ + { + "queries": [ + { + "data_source": "logs", + "name": "query1", + "indexes": [ + "*" + ], + "compute": { + "aggregation": "count" + }, + "group_by": [ + { + "facet": "@incident_id", + "limit": 2, + "sort": { + "order": "desc", + "aggregation": "count" + } + }, + { + "facet": "@http.url", + "limit": 2, + "sort": { + "order": "desc", + "aggregation": "count" + } + }, + { + "facet": "@alert_count", + "limit": 2, + "sort": { + "order": "desc", + "aggregation": "count" + } + }, + { + "facet": "@critical_severity_alert_count", + "limit": 2, + "sort": { + "order": "desc", + "aggregation": "count" + } + }, + { + "facet": "@high_severity_alert_count", + "limit": 2, + "sort": { + "order": "desc", + "aggregation": "count" + } + }, + { + "facet": "@med_severity_alert_count", + "limit": 2, + "sort": { + "order": "desc", + 
"aggregation": "count" + } + }, + { + "facet": "@low_severity_alert_count", + "limit": 2, + "sort": { + "order": "desc", + "aggregation": "count" + } + } + ], + "search": { + "query": "service:incident source:palo-alto-cortex-xdr $Severity-Status $Starred $Incident-Id $User" + }, + "storage": "hot" + } + ], + "response_format": "scalar", + "sort": { + "count": 128, + "order_by": [ + { + "type": "formula", + "index": 0, + "order": "desc" + } + ] + }, + "formulas": [ + { + "cell_display_mode": "number", + "alias": "count", + "formula": "query1" + } + ] + } + ], + "has_search_bar": "auto", + "custom_links": [ + { + "label": "View incident in Palo Alto Cortex XDR", + "link": "https://demo.xdr.in.paloaltonetworks.com/incident-view?caseId={{@incident_id.value}}" + } + ] + }, + "layout": { + "x": 0, + "y": 8, + "width": 12, + "height": 4 + } + }, + { + "id": 121019023702424, + "definition": { + "title": "Top 10 Resolved Comments", + "title_size": "16", + "title_align": "left", + "type": "toplist", + "requests": [ + { + "queries": [ + { + "data_source": "logs", + "name": "query1", + "indexes": [ + "*" + ], + "compute": { + "aggregation": "cardinality", + "metric": "@incident_id" + }, + "group_by": [ + { + "facet": "@resolve_comment", + "limit": 10, + "sort": { + "order": "desc", + "aggregation": "cardinality", + "metric": "@incident_id" + } + } + ], + "search": { + "query": "service:incident source:palo-alto-cortex-xdr -@resolve_comment:null -@resolve_comment:\"\" $Severity-Status $Starred $Incident-Id $User" + }, + "storage": "hot" + } + ], + "response_format": "scalar", + "formulas": [ + { + "formula": "query1" + } + ], + "sort": { + "count": 10, + "order_by": [ + { + "type": "formula", + "index": 0, + "order": "desc" + } + ] + } + } + ], + "style": { + "display": { + "type": "stacked", + "legend": "automatic" + } + } + }, + "layout": { + "x": 0, + "y": 12, + "width": 6, + "height": 4 + } + }, + { + "id": 1100845506239758, + "definition": { + "title": "Assigned User 
Details", + "title_size": "16", + "title_align": "left", + "type": "query_table", + "requests": [ + { + "queries": [ + { + "data_source": "logs", + "name": "query1", + "indexes": [ + "*" + ], + "compute": { + "aggregation": "cardinality", + "metric": "@incident_id" + }, + "group_by": [ + { + "facet": "@usr.email", + "limit": 10, + "sort": { + "order": "desc", + "aggregation": "cardinality", + "metric": "@incident_id" + } + }, + { + "facet": "@usr.name", + "limit": 10, + "sort": { + "order": "desc", + "aggregation": "cardinality", + "metric": "@incident_id" + } + } + ], + "search": { + "query": "service:incident source:palo-alto-cortex-xdr $Severity-Status $Starred $Incident-Id $User" + }, + "storage": "hot" + } + ], + "response_format": "scalar", + "sort": { + "count": 100, + "order_by": [ + { + "type": "formula", + "index": 0, + "order": "desc" + } + ] + }, + "formulas": [ + { + "cell_display_mode": "number", + "alias": "count", + "formula": "query1" + } + ] + } + ], + "has_search_bar": "auto" + }, + "layout": { + "x": 6, + "y": 12, + "width": 6, + "height": 4 + } + }, + { + "id": 8221393006701252, + "definition": { + "title": "Distribution by Malware, Phishing, and Grayware artifacts", + "title_size": "16", + "title_align": "left", + "type": "query_table", + "requests": [ + { + "queries": [ + { + "data_source": "logs", + "name": "query1", + "indexes": [ + "*" + ], + "compute": { + "aggregation": "count" + }, + "group_by": [ + { + "facet": "@incident_id", + "limit": 2, + "sort": { + "order": "desc", + "aggregation": "count" + } + }, + { + "facet": "@incident_name", + "limit": 2, + "sort": { + "order": "desc", + "aggregation": "count" + } + }, + { + "facet": "@rule_based_score", + "limit": 2, + "sort": { + "order": "desc", + "aggregation": "count" + } + }, + { + "facet": "@predicted_score", + "limit": 2, + "sort": { + "order": "desc", + "aggregation": "count" + } + }, + { + "facet": "@manual_score", + "limit": 2, + "sort": { + "order": "desc", + "aggregation": 
"count" + } + }, + { + "facet": "@aggregated_score", + "limit": 2, + "sort": { + "order": "desc", + "aggregation": "count" + } + }, + { + "facet": "@wildfire_hits", + "limit": 2, + "sort": { + "order": "desc", + "aggregation": "count" + } + } + ], + "search": { + "query": "service:incident source:palo-alto-cortex-xdr $Severity-Status $Starred $Incident-Id $User" + }, + "storage": "hot" + } + ], + "response_format": "scalar", + "sort": { + "count": 128, + "order_by": [ + { + "type": "formula", + "index": 0, + "order": "desc" + } + ] + }, + "formulas": [ + { + "cell_display_mode": "number", + "alias": "count", + "formula": "query1" + } + ] + } + ], + "has_search_bar": "auto" + }, + "layout": { + "x": 0, + "y": 16, + "width": 12, + "height": 4 + } + }, + { + "id": 6486900034829074, + "definition": { + "title": "Log Details", + "title_size": "16", + "title_align": "left", + "requests": [ + { + "response_format": "event_list", + "query": { + "data_source": "logs_stream", + "query_string": "service:incident $Severity-Status $Starred $Incident-Id $User", + "indexes": [], + "storage": "hot", + "sort": { + "order": "desc", + "column": "timestamp" + } + }, + "columns": [ + { + "field": "status_line", + "width": "auto" + }, + { + "field": "timestamp", + "width": "auto" + }, + { + "field": "severity", + "width": "auto" + }, + { + "field": "incident_id", + "width": "auto" + }, + { + "field": "incident_name", + "width": "auto" + }, + { + "field": "description", + "width": "auto" + }, + { + "field": "usr.email", + "width": "auto" + }, + { + "field": "usr.name", + "width": "auto" + }, + { + "field": "alert_count", + "width": "auto" + }, + { + "field": "critical_severity_alert_count", + "width": "auto" + }, + { + "field": "high_severity_alert_count", + "width": "auto" + }, + { + "field": "med_severity_alert_count", + "width": "auto" + }, + { + "field": "low_severity_alert_count", + "width": "auto" + }, + { + "field": "resolve_comment", + "width": "auto" + }, + { + "field": 
"resolved_timestamp", + "width": "auto" + }, + { + "field": "http.url", + "width": "auto" + }, + { + "field": "rule_based_score", + "width": "auto" + }, + { + "field": "predicted_score", + "width": "auto" + }, + { + "field": "manual_score", + "width": "auto" + }, + { + "field": "aggregated_score", + "width": "auto" + }, + { + "field": "wildfire_hits", + "width": "auto" + } + ] + } + ], + "type": "list_stream" + }, + "layout": { + "x": 0, + "y": 20, + "width": 12, + "height": 4 + } + } + ] + }, + "layout": { + "x": 0, + "y": 19, + "width": 12, + "height": 25, + "is_column_break": true + } + }, + { + "id": 4413598443382000, + "definition": { + "title": "Status Details", + "title_align": "center", + "background_color": "vivid_blue", + "show_title": true, + "type": "group", + "layout_type": "ordered", + "widgets": [ + { + "id": 6608731476131742, + "definition": { + "title": "Distribution by Starred Status", + "title_size": "16", + "title_align": "left", + "requests": [ + { + "response_format": "scalar", + "formulas": [ + { + "formula": "query1" + } + ], + "queries": [ + { + "data_source": "logs", + "name": "query1", + "indexes": [ + "*" + ], + "compute": { + "aggregation": "count" + }, + "group_by": [ + { + "facet": "@starred", + "limit": 10, + "sort": { + "order": "desc", + "aggregation": "count" + } + } + ], + "search": { + "query": "service:incident source:palo-alto-cortex-xdr $Severity-Status $Starred $Incident-Id $User" + }, + "storage": "hot" + } + ], + "style": { + "palette": "datadog16" + }, + "sort": { + "count": 10, + "order_by": [ + { + "type": "formula", + "index": 0, + "order": "desc" + } + ] + } + } + ], + "type": "sunburst", + "legend": { + "type": "table" + } + }, + "layout": { + "x": 0, + "y": 0, + "width": 6, + "height": 4 + } + }, + { + "id": 6904166440920928, + "definition": { + "title": "Distribution by Alert Grouping Status", + "title_size": "16", + "title_align": "left", + "requests": [ + { + "response_format": "scalar", + "formulas": [ + { + 
"formula": "query1" + } + ], + "queries": [ + { + "data_source": "logs", + "name": "query1", + "indexes": [ + "*" + ], + "compute": { + "aggregation": "count" + }, + "group_by": [ + { + "facet": "@alerts_grouping_status", + "limit": 10, + "sort": { + "order": "desc", + "aggregation": "count" + } + } + ], + "search": { + "query": "service:incident source:palo-alto-cortex-xdr $Severity-Status $Starred $Incident-Id $User" + }, + "storage": "hot" + } + ], + "style": { + "palette": "datadog16" + }, + "sort": { + "count": 10, + "order_by": [ + { + "type": "formula", + "index": 0, + "order": "desc" + } + ] + } + } + ], + "type": "sunburst", + "legend": { + "type": "table" + } + }, + "layout": { + "x": 6, + "y": 0, + "width": 6, + "height": 4 + } + }, + { + "id": 5910127934954158, + "definition": { + "title": "Log Details", + "title_size": "16", + "title_align": "left", + "requests": [ + { + "response_format": "event_list", + "query": { + "data_source": "logs_stream", + "query_string": "service:incident $Severity-Status $Starred $Incident-Id $User", + "indexes": [], + "storage": "hot", + "sort": { + "order": "desc", + "column": "timestamp" + } + }, + "columns": [ + { + "field": "status_line", + "width": "auto" + }, + { + "field": "timestamp", + "width": "auto" + }, + { + "field": "incident_id", + "width": "auto" + }, + { + "field": "incident_name", + "width": "auto" + }, + { + "field": "starred", + "width": "auto" + }, + { + "field": "alerts_grouping_status", + "width": "auto" + } + ] + } + ], + "type": "list_stream" + }, + "layout": { + "x": 0, + "y": 4, + "width": 12, + "height": 4 + } + } + ] + }, + "layout": { + "x": 0, + "y": 44, + "width": 12, + "height": 9 + } + } + ], + "template_variables": [ + { + "name": "Severity-Status", + "prefix": "@severity_status", + "available_values": [], + "default": "*" + }, + { + "name": "Starred", + "prefix": "@starred", + "available_values": [], + "default": "*" + }, + { + "name": "Incident-Id", + "prefix": "@incident_id", + 
"available_values": [], + "default": "*" + }, + { + "name": "User", + "prefix": "@usr.name", + "available_values": [], + "default": "*" + } + ], + "layout_type": "ordered", + "notify_list": [], + "reflow_type": "fixed" +} \ No newline at end of file diff --git a/palo_alto_cortex_xdr/assets/logs/palo-alto-cortex-xdr.yaml b/palo_alto_cortex_xdr/assets/logs/palo-alto-cortex-xdr.yaml new file mode 100644 index 0000000000000..13386ed93deef --- /dev/null +++ b/palo_alto_cortex_xdr/assets/logs/palo-alto-cortex-xdr.yaml 
@@ -0,0 +1,212 @@ +id: palo-alto-cortex-xdr +metric_id: palo-alto-cortex-xdr +backend_only: false +facets: + - groups: + - Web Access + name: URL Path + path: http.url + source: log + - groups: + - Geoip + name: City Name + path: network.client.geoip.city.name + source: log + - groups: + - Geoip + name: Continent Code + path: network.client.geoip.continent.code + source: log + - groups: + - Geoip + name: Continent Name + path: network.client.geoip.continent.name + source: log + - groups: + - Geoip + name: Country ISO Code + path: network.client.geoip.country.iso_code + source: log + - groups: + - Geoip + name: Country Name + path: network.client.geoip.country.name + source: log + - groups: + - Geoip + name: Subdivision ISO Code + path: network.client.geoip.subdivision.iso_code + source: log + - groups: + - Geoip + name: Subdivision Name + path: network.client.geoip.subdivision.name + source: log + - groups: + - Web Access + name: Client IP + path: network.client.ip + source: log + - groups: + - User + name: User Email + path: usr.email + source: log + - groups: + - User + name: User Name + path: usr.name + source: log + - groups: + - DNS + name: Question Name + path: dns.question.name + source: log +pipeline: + type: pipeline + name: Palo Alto Cortex XDR + enabled: true + filter: + query: "source:palo-alto-cortex-xdr" + processors: + - type: pipeline + name: Palo Alto Cortex XDR - Incident + enabled: true + filter: + query: "service:incident" + processors: + - type: date-remapper + name: Define `modification_time` as the official date of the log + enabled: true + sources: + - modification_time + - name: Lookup on `severity` to `severity_status` + enabled: true + source: severity + target: severity_status + lookupTable: |- + low, info + medium, warning + high, critical + critical, critical + type: lookup-processor + - type: status-remapper + name: Define `severity_status` as the official status of the log + enabled: true + sources: + - severity_status + - type: 
attribute-remapper + name: Map `assigned_user_mail` to `usr.email` + enabled: true + sources: + - assigned_user_mail + sourceType: attribute + target: usr.email + targetType: attribute + preserveSource: false + overrideOnConflict: false + - type: attribute-remapper + name: Map `assigned_user_pretty_name` to `usr.name` + enabled: true + sources: + - assigned_user_pretty_name + sourceType: attribute + target: usr.name + targetType: attribute + preserveSource: false + overrideOnConflict: false + - type: attribute-remapper + name: Map `xdr_url` to `http.url` + enabled: true + sources: + - xdr_url + sourceType: attribute + target: http.url + targetType: attribute + preserveSource: false + overrideOnConflict: false + - type: pipeline + name: Palo Alto Cortex XDR - Alert + enabled: true + filter: + query: "service:alert" + processors: + - type: date-remapper + name: Define `detection_timestamp` as the official date of the log + enabled: true + sources: + - detection_timestamp + - name: Lookup on `severity` to `status` + enabled: true + source: severity + target: status + lookupTable: |- + informational, info + low, info + medium, warning + high, critical + critical, critical + unknown, unknown + type: lookup-processor + - type: status-remapper + name: Define `status` as the official status of the log + enabled: true + sources: + - status + - type: attribute-remapper + name: Map `host_ip` to `network.client.ip` + enabled: true + sources: + - host_ip + sourceType: attribute + target: network.client.ip + targetType: attribute + preserveSource: false + overrideOnConflict: false + - type: attribute-remapper + name: Map `fw_email_recipient` to `usr.email` + enabled: true + sources: + - fw_email_recipient + sourceType: attribute + target: usr.email + targetType: attribute + preserveSource: false + overrideOnConflict: false + - type: attribute-remapper + name: Map `malicious_urls` to `http.url` + enabled: true + sources: + - malicious_urls + sourceType: attribute + target: 
http.url + targetType: attribute + preserveSource: false + overrideOnConflict: false + - type: attribute-remapper + name: Map `user_name` to `usr.name` + enabled: true + sources: + - user_name + sourceType: attribute + target: usr.name + targetType: attribute + preserveSource: false + overrideOnConflict: false + - type: attribute-remapper + name: Map `dns_query_name` to `dns.question.name` + enabled: true + sources: + - dns_query_name + sourceType: attribute + target: dns.question.name + targetType: attribute + preserveSource: false + overrideOnConflict: false + - type: geo-ip-parser + name: GeoIp Parser for `network.client.ip` + enabled: true + sources: + - network.client.ip + target: network.client.geoip + ip_processing_behavior: do-nothing diff --git a/palo_alto_cortex_xdr/assets/logs/palo-alto-cortex-xdr_tests.yaml b/palo_alto_cortex_xdr/assets/logs/palo-alto-cortex-xdr_tests.yaml new file mode 100644 index 0000000000000..06f452765fc13 --- /dev/null +++ b/palo_alto_cortex_xdr/assets/logs/palo-alto-cortex-xdr_tests.yaml 
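Review bot: The Alert sub-pipeline reuses standard attributes with a different meaning than the Incident sub-pipeline gives them: `assigned_user_mail`/`assigned_user_pretty_name` → `usr.email`/`usr.name` is the analyst assigned to the incident, while `fw_email_recipient`/`user_name` → `usr.email`/`usr.name` is the phishing-mail recipient or endpoint user, and `xdr_url` → `http.url` is a console deep link while `malicious_urls` → `http.url` is an attacker-controlled IOC. Because the `User Email`, `User Name` and `URL Path` facets are declared once for the whole source, any search, widget or template variable on `@usr.email`, `@usr.name` or `@http.url` that is not also scoped by `service:` silently mixes analysts with victims and console links with malicious URLs. I would keep the remap only where the meaning matches the standard attribute and leave `malicious_urls` and `fw_email_recipient` under their own names or a dedicated non-standard attribute, and add a `name:` that states what the source field actually is, e.g. `Map \`fw_email_recipient\` (phishing recipient, not assignee) to ...`. Separately, the incident severity lookup lacks the `informational` and `unknown` rows the alert lookup has; if incident `severity` can take those values, no `severity_status` is set for them and the log carries no status.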
@@ -0,0 +1,617 @@ +id: "palo-alto-cortex-xdr" +tests: + - + sample: |- + { + "creation_time" : 1720170253000, + "notes" : "null", + "wildfire_hits" : 16, + "host_count" : 1, + "description" : "'Suspicious Disk Modification' along with 23 other alerts generated by XDR Agent detected on host assettag-eid-new involving user test", + "detection_time" : "null", + "med_severity_alert_count" : 22, + "alert_categories" : [ "Malware" ], + "manual_severity" : "null", + "incident_sources" : [ "XDR Agent" ], + "incident_id" : "5", + "alert_count" : 24, + "starred" : "false", + "original_tags" : [ "EG:CDS-Windows", "DS:PANW/XDR Agent" ], + "critical_severity_alert_count" : 0, + "incident_name" : "null", + "resolved_timestamp" : "null", + "severity" : "high", + "manual_description" : "null", + "starred_manually" : "false", + "hosts" : [ "assettag-eid-new:16adfdb6bbe145d59ac4f69e80e2053d" ], + "low_severity_alert_count" : 0, + "alerts_grouping_status" : "Enabled", + "manual_score" : "null", + "mitre_techniques_ids_and_names" : "null", + "assigned_user_pretty_name" : "dummy_pretty_name1", + "high_severity_alert_count" : 2, + "rule_based_score" : "null", + "users" : [ "test" ], + "resolve_comment" : "null", + "aggregated_score" : "null", + "tags" : [ "EG:CDS-Windows", "DS:PANW/XDR Agent" ], + "assigned_user_mail" : "dummy1@dummy.net", + "user_count" : 1, + "xdr_url" : "https://demo.xdr.in.paloaltonetworks.com/incident-view?caseId=5", + "mitre_tactics_ids_and_names" : "null", + "modification_time" : 1720175414000, + "status" : "new", + "predicted_score" : "null" + } + result: + custom: + aggregated_score: "null" + alert_categories: + - "Malware" + alert_count: 24 + alerts_grouping_status: "Enabled" + assigned_user_mail: "dummy1@dummy.net" + assigned_user_pretty_name: "dummy_pretty_name1" + creation_time: 1720170253000 + critical_severity_alert_count: 0 + description: "'Suspicious Disk Modification' along with 23 other alerts generated by XDR Agent detected on host assettag-eid-new 
involving user test" + detection_time: "null" + high_severity_alert_count: 2 + host_count: 1 + hosts: + - "assettag-eid-new:16adfdb6bbe145d59ac4f69e80e2053d" + incident_id: "5" + incident_name: "null" + incident_sources: + - "XDR Agent" + low_severity_alert_count: 0 + manual_description: "null" + manual_score: "null" + manual_severity: "null" + med_severity_alert_count: 22 + mitre_tactics_ids_and_names: "null" + mitre_techniques_ids_and_names: "null" + modification_time: 1720175414000 + notes: "null" + original_tags: + - "EG:CDS-Windows" + - "DS:PANW/XDR Agent" + predicted_score: "null" + resolve_comment: "null" + resolved_timestamp: "null" + rule_based_score: "null" + severity: "high" + starred: "false" + starred_manually: "false" + status: "new" + tags: + - "EG:CDS-Windows" + - "DS:PANW/XDR Agent" + user_count: 1 + users: + - "test" + wildfire_hits: 16 + xdr_url: "https://demo.xdr.in.paloaltonetworks.com/incident-view?caseId=5" + message: |- + { + "creation_time" : 1720170253000, + "notes" : "null", + "wildfire_hits" : 16, + "host_count" : 1, + "description" : "'Suspicious Disk Modification' along with 23 other alerts generated by XDR Agent detected on host assettag-eid-new involving user test", + "detection_time" : "null", + "med_severity_alert_count" : 22, + "alert_categories" : [ "Malware" ], + "manual_severity" : "null", + "incident_sources" : [ "XDR Agent" ], + "incident_id" : "5", + "alert_count" : 24, + "starred" : "false", + "original_tags" : [ "EG:CDS-Windows", "DS:PANW/XDR Agent" ], + "critical_severity_alert_count" : 0, + "incident_name" : "null", + "resolved_timestamp" : "null", + "severity" : "high", + "manual_description" : "null", + "starred_manually" : "false", + "hosts" : [ "assettag-eid-new:16adfdb6bbe145d59ac4f69e80e2053d" ], + "low_severity_alert_count" : 0, + "alerts_grouping_status" : "Enabled", + "manual_score" : "null", + "mitre_techniques_ids_and_names" : "null", + "assigned_user_pretty_name" : "dummy_pretty_name1", + 
"high_severity_alert_count" : 2, + "rule_based_score" : "null", + "users" : [ "test" ], + "resolve_comment" : "null", + "aggregated_score" : "null", + "tags" : [ "EG:CDS-Windows", "DS:PANW/XDR Agent" ], + "assigned_user_mail" : "dummy1@dummy.net", + "user_count" : 1, + "xdr_url" : "https://demo.xdr.in.paloaltonetworks.com/incident-view?caseId=5", + "mitre_tactics_ids_and_names" : "null", + "modification_time" : 1720175414000, + "status" : "new", + "predicted_score" : "null" + } + tags: + - "source:LOGS_SOURCE" + - + sample: |- + { + "fw_app_category" : "null", + "os_actor_process_image_name" : "null", + "fw_xff" : "null", + "last_modified_ts" : "null", + "causality_actor_process_image_path" : "null", + "actor_thread_thread_id" : "null", + "fw_email_subject" : "null", + "agent_host_boot_time" : "null", + "action_process_causality_id" : "null", + "fw_email_sender" : "null", + "contains_featured_host" : "NO", + "causality_actor_process_image_sha256" : "null", + "fw_serial_number" : "null", + "action_registry_full_key" : "null", + "image_name" : "null", + "bioc_category_enum_key" : "null", + "event_type" : "Process Execution", + "starred" : "false", + "action_pretty" : "Prevented (Blocked)", + "resolution_comment" : "null", + "action" : "BLOCKED", + "malicious_urls" : "https://example3.com", + "actor_process_instance_id" : "AdrOwIRofA8AAI2EAAAAAA==", + "action_file_macro_sha256" : "null", + "fw_rule_id" : "null", + "action_registry_value_name" : "null", + "event_sub_type" : "null", + "causality_actor_causality_id" : "null", + "resolution_status" : "STATUS_010_NEW", + "resource_sub_type" : "null", + "os_actor_process_instance_id" : "null", + "matching_service_rule_id" : "null", + "tags" : "EG:CDS-Windows,DS:PANW/XDR Agent", + "action_file_sha256" : "null", + "container_id" : "null", + "agent_device_domain" : "WORKGROUP", + "os_actor_causality_id" : "null", + "os_actor_process_os_pid" : "null", + "user_name" : "Dummy User", + "endpoint_id" : 
"16adfdb6bbe145d59ac4f69e80e2053d", + "external_id" : "270a6ca4ed904cac90f9c28efcd2e02a", + "action_file_md5" : "null", + "action_process_signature_status" : "N/A", + "event_timestamp" : 1720172922000, + "is_pcap" : "false", + "mac" : "c0:b8:83:20:cb:78", + "action_file_path" : "null", + "alert_type" : "Unclassified", + "agent_data_collection_status" : "false", + "detection_timestamp" : 1720172922000, + "end_match_attempt_ts" : "null", + "agent_os_sub_type" : "10.0.22631", + "actor_process_image_md5" : "ac8c3751aea0484e6ca4561568d6ad3d", + "fw_interface_to" : "null", + "causality_actor_process_command_line" : "null", + "action_registry_key_name" : "null", + "fw_device_name" : "null", + "actor_process_os_pid" : 36228, + "actor_process_command_line" : "\"C:\\Users\\test\\AppData\\Local\\Temp\\c5007232-657f-4900-ba4c-f23761b4b8cd_malwaredatabase-old-main.zip.8cd\\malwaredatabase-old-main\\Vanadium.exe\" ", + "host_ip" : "192.168.5.116", + "fw_app_id" : "null", + "action_country" : "UNKNOWN", + "cloud_provider" : "null", + "event_id" : "null", + "container_name" : "null", + "action_remote_port" : "null", + "filter_rule_id" : "null", + "actor_process_image_path" : "C:\\Users\\test\\AppData\\Local\\Temp\\c5007232-657f-4900-ba4c-f23761b4b8cd_malwaredatabase-old-main.zip.8cd\\malwaredatabase-old-main\\Vanadium.exe", + "local_insert_ts" : 1720172939788, + "fw_vsys" : "null", + "os_actor_effective_username" : "null", + "action_process_image_name" : "null", + "fw_is_phishing" : "N/A", + "causality_actor_process_signature_vendor" : "null", + "agent_os_type" : "Windows", + "project" : "null", + "source" : "XDR Agent", + "is_whitelisted" : "false", + "os_actor_process_signature_vendor" : "null", + "os_actor_process_image_sha256" : "null", + "dst_agent_id" : "null", + "causality_actor_process_image_name" : "null", + "action_external_hostname" : "null", + "fw_rule" : "null", + "fw_app_subcategory" : "null", + "alert_id" : "133", + "case_id" : 5, + "mitre_tactic_id_and_name" : 
"null", + "causality_actor_process_signature_status" : "N/A", + "os_actor_process_image_path" : "null", + "os_actor_process_signature_status" : "N/A", + "identity_type" : "null", + "action_local_port" : "null", + "fw_email_recipient" : "dummy3@dummy.net", + "fw_misc" : "null", + "dst_association_strength" : "null", + "association_strength" : 50, + "actor_process_signature_vendor" : "null", + "resource_type" : "null", + "dst_action_external_port" : "null", + "module_id" : "MBR Protection", + "identity_sub_type" : "null", + "action_process_instance_id" : "null", + "action_registry_data" : "null", + "name" : "Suspicious Disk Modification", + "matching_status" : "UNMATCHABLE", + "agent_is_vdi" : "false", + "agent_install_type" : "STANDARD", + "image_id" : "null", + "os_actor_process_command_line" : "null", + "contains_featured_ip" : "NO", + "action_process_image_sha256" : "null", + "action_process_signature_vendor" : "null", + "os_actor_process_causality_id" : "null", + "bioc_indicator" : "null", + "action_process_image_command_line" : "null", + "story_id" : "null", + "actor_causality_id" : "null", + "attempt_counter" : 0, + "events_length" : 1, + "description" : "Suspicious disk modification detected", + "causality_actor_process_execution_time" : "null", + "action_remote_ip" : "null", + "os_actor_thread_thread_id" : "null", + "referenced_resource" : "null", + "fw_url_domain" : "null", + "agent_ip_addresses_v6" : "null", + "action_file_name" : "null", + "dynamic_fields" : "null", + "original_tags" : "EG:CDS-Windows,DS:PANW/XDR Agent", + "dst_action_external_hostname" : "null", + "actor_process_image_name" : "Vanadium.exe", + "action_remote_ip_v6" : "null", + "fw_app_technology" : "null", + "user_agent" : "null", + "severity" : "high", + "fw_interface_from" : "null", + "cluster_name" : "null", + "actor_process_causality_id" : "null", + "contains_featured_user" : "NO", + "action_local_ip" : "null", + "dns_query_name" : "example.com", + "actor_process_image_sha256" : 
"5068dd8ea932244114bb20d4d61440baf27d5155e0b178999259f31651797ee8", + "mitre_technique_id_and_name" : "null", + "actor_process_signature_status" : "N/A", + "causality_actor_process_image_md5" : "null", + "dst_action_country" : "null", + "operation_name" : "null", + "agent_version" : "8.5.0.624", + "deduplicate_tokens" : "null", + "agent_fqdn" : "AssetTag-EID-New.WORKGROUP", + "action_local_ip_v6" : "null", + "dst_causality_actor_process_execution_time" : "null", + "namespace" : "null", + "category" : "Malware", + "host_name" : "AssetTag-EID-New" + } + result: + custom: + action: "BLOCKED" + action_country: "UNKNOWN" + action_external_hostname: "null" + action_file_macro_sha256: "null" + action_file_md5: "null" + action_file_name: "null" + action_file_path: "null" + action_file_sha256: "null" + action_local_ip: "null" + action_local_ip_v6: "null" + action_local_port: "null" + action_pretty: "Prevented (Blocked)" + action_process_causality_id: "null" + action_process_image_command_line: "null" + action_process_image_name: "null" + action_process_image_sha256: "null" + action_process_instance_id: "null" + action_process_signature_status: "N/A" + action_process_signature_vendor: "null" + action_registry_data: "null" + action_registry_full_key: "null" + action_registry_key_name: "null" + action_registry_value_name: "null" + action_remote_ip: "null" + action_remote_ip_v6: "null" + action_remote_port: "null" + actor_causality_id: "null" + actor_process_causality_id: "null" + actor_process_command_line: "\"C:\\Users\\test\\AppData\\Local\\Temp\\c5007232-657f-4900-ba4c-f23761b4b8cd_malwaredatabase-old-main.zip.8cd\\malwaredatabase-old-main\\Vanadium.exe\" " + actor_process_image_md5: "ac8c3751aea0484e6ca4561568d6ad3d" + actor_process_image_name: "Vanadium.exe" + actor_process_image_path: "C:\\Users\\test\\AppData\\Local\\Temp\\c5007232-657f-4900-ba4c-f23761b4b8cd_malwaredatabase-old-main.zip.8cd\\malwaredatabase-old-main\\Vanadium.exe" + actor_process_image_sha256: 
"5068dd8ea932244114bb20d4d61440baf27d5155e0b178999259f31651797ee8" + actor_process_instance_id: "AdrOwIRofA8AAI2EAAAAAA==" + actor_process_os_pid: 36228 + actor_process_signature_status: "N/A" + actor_process_signature_vendor: "null" + actor_thread_thread_id: "null" + agent_data_collection_status: "false" + agent_device_domain: "WORKGROUP" + agent_fqdn: "AssetTag-EID-New.WORKGROUP" + agent_host_boot_time: "null" + agent_install_type: "STANDARD" + agent_ip_addresses_v6: "null" + agent_is_vdi: "false" + agent_os_sub_type: "10.0.22631" + agent_os_type: "Windows" + agent_version: "8.5.0.624" + alert_id: "133" + alert_type: "Unclassified" + association_strength: 50 + attempt_counter: 0 + bioc_category_enum_key: "null" + bioc_indicator: "null" + case_id: 5 + category: "Malware" + causality_actor_causality_id: "null" + causality_actor_process_command_line: "null" + causality_actor_process_execution_time: "null" + causality_actor_process_image_md5: "null" + causality_actor_process_image_name: "null" + causality_actor_process_image_path: "null" + causality_actor_process_image_sha256: "null" + causality_actor_process_signature_status: "N/A" + causality_actor_process_signature_vendor: "null" + cloud_provider: "null" + cluster_name: "null" + container_id: "null" + container_name: "null" + contains_featured_host: "NO" + contains_featured_ip: "NO" + contains_featured_user: "NO" + deduplicate_tokens: "null" + description: "Suspicious disk modification detected" + detection_timestamp: 1720172922000 + dns_query_name: "example.com" + dst_action_country: "null" + dst_action_external_hostname: "null" + dst_action_external_port: "null" + dst_agent_id: "null" + dst_association_strength: "null" + dst_causality_actor_process_execution_time: "null" + dynamic_fields: "null" + end_match_attempt_ts: "null" + endpoint_id: "16adfdb6bbe145d59ac4f69e80e2053d" + event_id: "null" + event_sub_type: "null" + event_timestamp: 1720172922000 + event_type: "Process Execution" + events_length: 1 + 
external_id: "270a6ca4ed904cac90f9c28efcd2e02a" + filter_rule_id: "null" + fw_app_category: "null" + fw_app_id: "null" + fw_app_subcategory: "null" + fw_app_technology: "null" + fw_device_name: "null" + fw_email_recipient: "dummy3@dummy.net" + fw_email_sender: "null" + fw_email_subject: "null" + fw_interface_from: "null" + fw_interface_to: "null" + fw_is_phishing: "N/A" + fw_misc: "null" + fw_rule: "null" + fw_rule_id: "null" + fw_serial_number: "null" + fw_url_domain: "null" + fw_vsys: "null" + fw_xff: "null" + host_ip: "192.168.5.116" + host_name: "AssetTag-EID-New" + identity_sub_type: "null" + identity_type: "null" + image_id: "null" + image_name: "null" + is_pcap: "false" + is_whitelisted: "false" + last_modified_ts: "null" + local_insert_ts: 1720172939788 + mac: "c0:b8:83:20:cb:78" + malicious_urls: "https://example3.com" + matching_service_rule_id: "null" + matching_status: "UNMATCHABLE" + mitre_tactic_id_and_name: "null" + mitre_technique_id_and_name: "null" + module_id: "MBR Protection" + name: "Suspicious Disk Modification" + namespace: "null" + operation_name: "null" + original_tags: "EG:CDS-Windows,DS:PANW/XDR Agent" + os_actor_causality_id: "null" + os_actor_effective_username: "null" + os_actor_process_causality_id: "null" + os_actor_process_command_line: "null" + os_actor_process_image_name: "null" + os_actor_process_image_path: "null" + os_actor_process_image_sha256: "null" + os_actor_process_instance_id: "null" + os_actor_process_os_pid: "null" + os_actor_process_signature_status: "N/A" + os_actor_process_signature_vendor: "null" + os_actor_thread_thread_id: "null" + project: "null" + referenced_resource: "null" + resolution_comment: "null" + resolution_status: "STATUS_010_NEW" + resource_sub_type: "null" + resource_type: "null" + severity: "high" + source: "XDR Agent" + starred: "false" + story_id: "null" + tags: "EG:CDS-Windows,DS:PANW/XDR Agent" + user_agent: "null" + user_name: "Dummy User" + message: |- + { + "fw_app_category" : "null", + 
"os_actor_process_image_name" : "null", + "fw_xff" : "null", + "last_modified_ts" : "null", + "causality_actor_process_image_path" : "null", + "actor_thread_thread_id" : "null", + "fw_email_subject" : "null", + "agent_host_boot_time" : "null", + "action_process_causality_id" : "null", + "fw_email_sender" : "null", + "contains_featured_host" : "NO", + "causality_actor_process_image_sha256" : "null", + "fw_serial_number" : "null", + "action_registry_full_key" : "null", + "image_name" : "null", + "bioc_category_enum_key" : "null", + "event_type" : "Process Execution", + "starred" : "false", + "action_pretty" : "Prevented (Blocked)", + "resolution_comment" : "null", + "action" : "BLOCKED", + "malicious_urls" : "https://example3.com", + "actor_process_instance_id" : "AdrOwIRofA8AAI2EAAAAAA==", + "action_file_macro_sha256" : "null", + "fw_rule_id" : "null", + "action_registry_value_name" : "null", + "event_sub_type" : "null", + "causality_actor_causality_id" : "null", + "resolution_status" : "STATUS_010_NEW", + "resource_sub_type" : "null", + "os_actor_process_instance_id" : "null", + "matching_service_rule_id" : "null", + "tags" : "EG:CDS-Windows,DS:PANW/XDR Agent", + "action_file_sha256" : "null", + "container_id" : "null", + "agent_device_domain" : "WORKGROUP", + "os_actor_causality_id" : "null", + "os_actor_process_os_pid" : "null", + "user_name" : "Dummy User", + "endpoint_id" : "16adfdb6bbe145d59ac4f69e80e2053d", + "external_id" : "270a6ca4ed904cac90f9c28efcd2e02a", + "action_file_md5" : "null", + "action_process_signature_status" : "N/A", + "event_timestamp" : 1720172922000, + "is_pcap" : "false", + "mac" : "c0:b8:83:20:cb:78", + "action_file_path" : "null", + "alert_type" : "Unclassified", + "agent_data_collection_status" : "false", + "detection_timestamp" : 1720172922000, + "end_match_attempt_ts" : "null", + "agent_os_sub_type" : "10.0.22631", + "actor_process_image_md5" : "ac8c3751aea0484e6ca4561568d6ad3d", + "fw_interface_to" : "null", + 
"causality_actor_process_command_line" : "null", + "action_registry_key_name" : "null", + "fw_device_name" : "null", + "actor_process_os_pid" : 36228, + "actor_process_command_line" : "\"C:\\Users\\test\\AppData\\Local\\Temp\\c5007232-657f-4900-ba4c-f23761b4b8cd_malwaredatabase-old-main.zip.8cd\\malwaredatabase-old-main\\Vanadium.exe\" ", + "host_ip" : "192.168.5.116", + "fw_app_id" : "null", + "action_country" : "UNKNOWN", + "cloud_provider" : "null", + "event_id" : "null", + "container_name" : "null", + "action_remote_port" : "null", + "filter_rule_id" : "null", + "actor_process_image_path" : "C:\\Users\\test\\AppData\\Local\\Temp\\c5007232-657f-4900-ba4c-f23761b4b8cd_malwaredatabase-old-main.zip.8cd\\malwaredatabase-old-main\\Vanadium.exe", + "local_insert_ts" : 1720172939788, + "fw_vsys" : "null", + "os_actor_effective_username" : "null", + "action_process_image_name" : "null", + "fw_is_phishing" : "N/A", + "causality_actor_process_signature_vendor" : "null", + "agent_os_type" : "Windows", + "project" : "null", + "source" : "XDR Agent", + "is_whitelisted" : "false", + "os_actor_process_signature_vendor" : "null", + "os_actor_process_image_sha256" : "null", + "dst_agent_id" : "null", + "causality_actor_process_image_name" : "null", + "action_external_hostname" : "null", + "fw_rule" : "null", + "fw_app_subcategory" : "null", + "alert_id" : "133", + "case_id" : 5, + "mitre_tactic_id_and_name" : "null", + "causality_actor_process_signature_status" : "N/A", + "os_actor_process_image_path" : "null", + "os_actor_process_signature_status" : "N/A", + "identity_type" : "null", + "action_local_port" : "null", + "fw_email_recipient" : "dummy3@dummy.net", + "fw_misc" : "null", + "dst_association_strength" : "null", + "association_strength" : 50, + "actor_process_signature_vendor" : "null", + "resource_type" : "null", + "dst_action_external_port" : "null", + "module_id" : "MBR Protection", + "identity_sub_type" : "null", + "action_process_instance_id" : "null", + 
"action_registry_data" : "null", + "name" : "Suspicious Disk Modification", + "matching_status" : "UNMATCHABLE", + "agent_is_vdi" : "false", + "agent_install_type" : "STANDARD", + "image_id" : "null", + "os_actor_process_command_line" : "null", + "contains_featured_ip" : "NO", + "action_process_image_sha256" : "null", + "action_process_signature_vendor" : "null", + "os_actor_process_causality_id" : "null", + "bioc_indicator" : "null", + "action_process_image_command_line" : "null", + "story_id" : "null", + "actor_causality_id" : "null", + "attempt_counter" : 0, + "events_length" : 1, + "description" : "Suspicious disk modification detected", + "causality_actor_process_execution_time" : "null", + "action_remote_ip" : "null", + "os_actor_thread_thread_id" : "null", + "referenced_resource" : "null", + "fw_url_domain" : "null", + "agent_ip_addresses_v6" : "null", + "action_file_name" : "null", + "dynamic_fields" : "null", + "original_tags" : "EG:CDS-Windows,DS:PANW/XDR Agent", + "dst_action_external_hostname" : "null", + "actor_process_image_name" : "Vanadium.exe", + "action_remote_ip_v6" : "null", + "fw_app_technology" : "null", + "user_agent" : "null", + "severity" : "high", + "fw_interface_from" : "null", + "cluster_name" : "null", + "actor_process_causality_id" : "null", + "contains_featured_user" : "NO", + "action_local_ip" : "null", + "dns_query_name" : "example.com", + "actor_process_image_sha256" : "5068dd8ea932244114bb20d4d61440baf27d5155e0b178999259f31651797ee8", + "mitre_technique_id_and_name" : "null", + "actor_process_signature_status" : "N/A", + "causality_actor_process_image_md5" : "null", + "dst_action_country" : "null", + "operation_name" : "null", + "agent_version" : "8.5.0.624", + "deduplicate_tokens" : "null", + "agent_fqdn" : "AssetTag-EID-New.WORKGROUP", + "action_local_ip_v6" : "null", + "dst_causality_actor_process_execution_time" : "null", + "namespace" : "null", + "category" : "Malware", + "host_name" : "AssetTag-EID-New" + } + tags: + - 
"source:LOGS_SOURCE" \ No newline at end of file diff --git a/palo_alto_cortex_xdr/assets/palo_alto_cortex_xdr.svg b/palo_alto_cortex_xdr/assets/palo_alto_cortex_xdr.svg new file mode 100644 index 0000000000000..6644039ddedb2 --- /dev/null +++ b/palo_alto_cortex_xdr/assets/palo_alto_cortex_xdr.svg @@ -0,0 +1,29 @@ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + diff --git a/palo_alto_cortex_xdr/assets/service_checks.json b/palo_alto_cortex_xdr/assets/service_checks.json index 0637a088a01e8..fe51488c7066f 100644 --- a/palo_alto_cortex_xdr/assets/service_checks.json +++ b/palo_alto_cortex_xdr/assets/service_checks.json @@ -1 +1 @@ -[] \ No newline at end of file +[] diff --git a/palo_alto_cortex_xdr/images/palo_alto_cortex_xdr_alerts.png b/palo_alto_cortex_xdr/images/palo_alto_cortex_xdr_alerts.png new file mode 100644 index 0000000000000..2d8da458891ea Binary files /dev/null and b/palo_alto_cortex_xdr/images/palo_alto_cortex_xdr_alerts.png differ diff --git a/palo_alto_cortex_xdr/images/palo_alto_cortex_xdr_incidents.png b/palo_alto_cortex_xdr/images/palo_alto_cortex_xdr_incidents.png new file mode 100644 index 0000000000000..5c90a5c06b50e Binary files /dev/null and b/palo_alto_cortex_xdr/images/palo_alto_cortex_xdr_incidents.png differ diff --git a/palo_alto_cortex_xdr/manifest.json b/palo_alto_cortex_xdr/manifest.json index 5c9cf0d8012cf..d3f4970a87018 100644 --- a/palo_alto_cortex_xdr/manifest.json +++ b/palo_alto_cortex_xdr/manifest.json @@ -10,7 +10,18 @@ "changelog": "CHANGELOG.md", "description": "Gain insights into palo alto cortex xdr logs", "title": "Palo Alto Cortex XDR", - "media": [], + "media": [ + { + "caption": "Palo Alto Cortex XDR - Incidents", + "image_url": "images/palo_alto_cortex_xdr_incidents.png", + "media_type": "image" + }, + { + "caption": "Palo Alto Cortex XDR - Alerts", + "image_url": "images/palo_alto_cortex_xdr_alerts.png", + "media_type": "image" + } + ], "classifier_tags": [ "Category::Log Collection", "Category::Security", 
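Review bot: The expected `result.custom` blocks show that the sub-pipeline processors never ran: the incident sample still carries `assigned_user_mail`, `assigned_user_pretty_name` and `xdr_url` and has no `severity_status`, and the alert sample still carries `host_ip`, `fw_email_recipient`, `malicious_urls`, `user_name` and `dns_query_name` with no `network.client.geoip` or `status`. Both samples are tagged only `source:LOGS_SOURCE`, so the `service:incident` / `service:alert` filters on the sub-pipelines do not match and the tests only assert pass-through. If the harness allows setting the service on a sample (I believe other integrations' test files do — worth confirming), each case should do so and the expected output should be updated to the remapped attributes (`usr.email`, `usr.name`, `http.url`, `network.client.ip`, `dns.question.name`) and the derived status and timestamp; otherwise a regression in any remapper or the lookup table goes unnoticed. The fixtures also show the producer emitting the literal string `"null"` for absent fields (e.g. `resolved_timestamp`, `rule_based_score`, `mitre_techniques_ids_and_names`), which the pipeline does not normalize; numeric facets and lookups on those attributes will see the string `"null"` rather than an absent value, so either the crawler should omit them or the test file should carry a comment stating this is the expected shape.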
@@ -29,6 +40,13 @@ "service_checks": { "metadata_path": "assets/service_checks.json" } + }, + "dashboards": { + "Palo Alto Cortex XDR - Incidents" : "assets/dashboards/palo_alto_cortex_xdr_incidents.json", + "Palo Alto Cortex XDR - Alerts" : "assets/dashboards/palo_alto_cortex_xdr_alerts.json" + }, + "logs": { + "source": "palo-alto-cortex-xdr" } }, "author": { @@ -36,6 +54,5 @@ "name": "Datadog", "homepage": "https://www.datadoghq.com", "sales_email": "info@datadoghq.com" - }, - "oauth": {} -} \ No newline at end of file + } +}