Additional Rules for Sentinel


Hi,

Trying to find a source for rules/rule packs for Checkpoint and Zscaler so these can then be incorporated into a standard set of rules going forward.

Regards,

Tim

1 Reply

@tipper1510 

There are a couple of examples in the Github for Checkpoint: https://github.com/Azure/Azure-Sentinel/search?l=YAML&q=checkpoint

You can also look in the Workbooks, you can see the Zscaler and Checkpoint queries within those: https://github.com/Azure/Azure-Sentinel/tree/master/Workbooks
Personally I'd run the workbooks to look at the data to find the queries that match the rules you wish to create (you might look at how other people do some of theirs in other workbooks).

Just open the JSON files in Github, or edit from within a Workbook in Sentinel, and look for the lines that start:

"query":

You will have to remove any escape characters

"CommonSecurityLog\r\n| where DeviceVendor == \"Zscaler\"\r\n|

to

CommonSecurityLog
| where DeviceVendor == "Zscaler"

Also if you see { parameter } - or anything in {} - then it's likely to be a workbook parameter that you will have to replace.

Fake example:

CommonSecurityLog
| where DeviceVendor == "{vendor name}"

You would change to

CommonSecurityLog
| where DeviceVendor == "Zscaler"
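The extract, unescape and replace-the-parameter steps from the reply, as an added Python example (not code from the thread or from the Azure-Sentinel repo): it pulls each "query" out of a constructed workbook-style JSON, lets the JSON parser undo the \r\n and \" escapes, and substitutes {parameter} placeholders while reporting any that were left unresolved. The workbook layout (items[].content.query), the sample document and the parameter values are assumptions.

```python
import json
import re
from typing import Dict, List, Tuple

# Constructed sample shaped like a Sentinel workbook template: each KqlItem
# carries its KQL in a "query" string, JSON-escaped (\r\n, \") as in the reply.
SAMPLE_WORKBOOK = r'''{
  "version": "Notebook/1.0",
  "items": [
    {"type": 1, "content": {"json": "## Zscaler overview"}},
    {"type": 3, "content": {"version": "KqlItem/1.0", "queryType": 0,
      "query": "CommonSecurityLog\r\n| where DeviceVendor == \"{vendor name}\"\r\n| where TimeGenerated {TimeRange}\r\n| summarize count() by DeviceAction"}},
    {"type": 3, "content": {"version": "KqlItem/1.0", "queryType": 0,
      "query": "CommonSecurityLog\r\n| where DeviceVendor == \"Check Point\"\r\n| take 10"}}
  ]
}'''

# Heuristic for workbook parameter references such as {TimeRange} or
# { parameter }; a KQL dynamic({...}) literal would also match, so review hits.
PARAM_RE = re.compile(r"\{\s*([^{}]+?)\s*\}")


def extract_queries(workbook_json: str) -> List[str]:
    """KQL of every item with a "query" field. json.loads already turns the
    escaped \\r\\n and \\" back into newlines and quotes (the manual step)."""
    doc = json.loads(workbook_json)
    queries = []
    for item in doc.get("items", []):
        content = item.get("content", {})
        if isinstance(content, dict) and isinstance(content.get("query"), str):
            queries.append(content["query"].replace("\r\n", "\n"))
    return queries


def find_parameters(query: str) -> List[str]:
    """Distinct parameter names in first-seen order."""
    return list(dict.fromkeys(PARAM_RE.findall(query)))


def resolve_parameters(query: str, values: Dict[str, str]) -> Tuple[str, List[str]]:
    """Substitute known parameters; unknown ones stay in place and are reported,
    so a query is not saved as an analytics rule with a placeholder left in it."""
    unresolved: List[str] = []

    def repl(match: "re.Match[str]") -> str:
        name = match.group(1)
        if name in values:
            return values[name]
        unresolved.append(name)
        return match.group(0)

    return PARAM_RE.sub(repl, query), unresolved
```

Anything returned in the unresolved list still has to be replaced by hand (or given a value) before the query is usable as a standalone analytics rule.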