Forum Discussion
Additional Rules for Sentinel
There are a couple of examples on GitHub for Checkpoint: https://github.com/Azure/Azure-Sentinel/search?l=YAML&q=checkpoint
You can also look in the Workbooks; you can see the Zscaler and Checkpoint queries within those: https://github.com/Azure/Azure-Sentinel/tree/master/Workbooks
Personally I'd run the workbooks to look at the data to find the queries that match the rules you wish to create (you might look at how other people do some of theirs in other workbooks).
Just open the JSON files in Github, or edit from within a Workbook in Sentinel, and look for the lines that start:
"query":
You will have to remove any escape characters, e.g.
"CommonSecurityLog\r\n| where DeviceVendor == \"Zscaler\"\r\n|
to
CommonSecurityLog
| where DeviceVendor == "Zscaler"
Also, if you see { parameter }, or anything in {}, then it's likely to be a workbook parameter that you will have to replace.
Fake example:
CommonSecurityLog
| where DeviceVendor == "{vendor name}"
You would change it to:
CommonSecurityLog
| where DeviceVendor == "Zscaler"
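The two manual steps above (unescaping the JSON string and swapping out the {parameter} placeholders) can be scripted. The following is an added example, not code from the post or from the Azure-Sentinel repository; the workbook JSON embedded in it is a constructed, trimmed-down sample in the general shape Sentinel workbooks use, and the parameter names ({vendor name}, {TimeRange}) and the values substituted for them are assumptions for illustration.

```python
import json
import re

# Constructed sample workbook, kept to the parts that matter here: a query
# step whose KQL is stored as an escaped JSON string, plus a text step that
# must be ignored. A raw string keeps the \r\n and \" escapes literal so that
# json.loads sees exactly what a file downloaded from GitHub would contain.
SAMPLE_WORKBOOK_JSON = r'''{
  "items": [
    {
      "type": 3,
      "content": {
        "query": "CommonSecurityLog\r\n| where DeviceVendor == \"{vendor name}\"\r\n| where TimeGenerated {TimeRange}\r\n| summarize count() by DeviceAction"
      }
    },
    {
      "type": 1,
      "content": {"json": "## Header text, not a query"}
    }
  ]
}'''

# Anything in {...} is treated as a workbook parameter (assumed convention).
PARAM_PATTERN = re.compile(r"\{([^{}]+)\}")


def extract_queries(workbook_json: str) -> list[str]:
    """Return every "query" string found anywhere in the workbook document.

    json.loads already turns the \\r\\n and \\" escapes back into real
    characters, which is the "remove any escape characters" step done for you.
    """
    doc = json.loads(workbook_json)
    found: list[str] = []

    def walk(node):
        if isinstance(node, dict):
            for key, value in node.items():
                if key == "query" and isinstance(value, str):
                    found.append(value)
                else:
                    walk(value)
        elif isinstance(node, list):
            for item in node:
                walk(item)

    walk(doc)
    return found


def find_parameters(query: str) -> list[str]:
    """List the {parameter} names a query still depends on."""
    return sorted(set(PARAM_PATTERN.findall(query)))


def substitute_parameters(query: str, values: dict[str, str]) -> str:
    """Replace each {parameter} with a concrete value.

    Refuses to emit a query with unresolved placeholders: a rule saved with a
    literal "{vendor name}" in it would silently match nothing.
    """
    missing = [p for p in find_parameters(query) if p not in values]
    if missing:
        raise KeyError(f"unresolved workbook parameters: {missing}")
    return PARAM_PATTERN.sub(lambda m: values[m.group(1)], query)


def normalize_query(query: str) -> str:
    """Workbooks store CRLF line endings; use LF and drop trailing spaces."""
    return "\n".join(line.rstrip() for line in query.replace("\r\n", "\n").splitlines())


def workbook_to_rule_queries(workbook_json: str, values: dict[str, str]) -> list[str]:
    """Full pipeline: extract, substitute, normalize, ready to paste into a rule."""
    return [normalize_query(substitute_parameters(q, values))
            for q in extract_queries(workbook_json)]


if __name__ == "__main__":
    # Assumed values for the two placeholders in the constructed sample.
    for q in workbook_to_rule_queries(SAMPLE_WORKBOOK_JSON,
                                      {"vendor name": "Zscaler", "TimeRange": "> ago(1d)"}):
        print(q, end="\n\n")
```

Run it against a workbook JSON downloaded from the repository linked above and check the output of find_parameters before saving anything as an analytics rule: a TimeRange-style parameter in particular needs an explicit time filter in the rule, since the workbook's time picker will not be there to supply it. The brace regex is deliberately simple and would also catch braces inside a KQL dynamic() literal, so inspect the reported parameter names rather than substituting blindly.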