Additional Rules for Sentinel




Trying to find a source for rules/rule packs for Checkpoint and Zscaler so these can then be incorporated into a standard set of rules going forward.





1 Reply



There are a couple of examples on GitHub for Checkpoint:


You can also look in the Workbooks; you can see the Zscaler and Checkpoint queries within those:
Personally I'd run the workbooks to look at the data to find the queries that match the rules you wish to create (you might look at how other people do some of theirs in other workbooks).

Just open the JSON files on GitHub, or edit from within a Workbook in Sentinel, and look for the lines that start:




You will have to remove any escape characters, e.g. the escaped query string in the JSON

"CommonSecurityLog\r\n| where DeviceVendor == \"Zscaler\"\r\n|

becomes

CommonSecurityLog
| where DeviceVendor == "Zscaler"
|


Also, if you see { parameter } - or anything in {} - then it's likely to be a workbook parameter that you will have to replace.

Fake example:



| where DeviceVendor == "{vendor name}"


You would change to 



| where DeviceVendor == "Zscaler"
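The manual procedure in the reply above (open the workbook JSON, pull out the query strings, drop the `\r\n` and `\"` escaping, replace `{parameter}` placeholders) can be scripted. The following is an added example, not code from the original thread or from the Sentinel repository. It parses a constructed, cut-down workbook JSON with Python's `json` module, which removes the JSON escaping for you, then lists and substitutes the `{...}` workbook parameters so the query can be pasted into an analytics rule. The workbook item layout it relies on (`type == 3` for KQL items, `content.query`, nested items under `content.items` for groups) is an assumption based on exported workbooks; check it against the file you are working with.

```python
import json
import re
from typing import Dict, List, Tuple

# Constructed sample, not a real Sentinel workbook: a minimal workbook export
# with one text item and one KQL item whose query carries the usual JSON
# escaping (\r\n, \") and two workbook parameters in braces.
SAMPLE_WORKBOOK_JSON = r'''
{
  "version": "Notebook/1.0",
  "items": [
    {
      "type": 1,
      "content": {"json": "## Vendor traffic overview"}
    },
    {
      "type": 3,
      "content": {
        "version": "KqlItem/1.0",
        "query": "CommonSecurityLog\r\n| where DeviceVendor == \"{vendor name}\"\r\n| where TimeGenerated > ago({TimeRange})\r\n| summarize count() by DeviceAction",
        "queryType": 0,
        "resourceType": "microsoft.operationalinsights/workspaces"
      },
      "name": "query - actions by vendor"
    }
  ]
}
'''

# Workbook parameters appear as {name}; names may contain spaces.
# Caveat: a KQL dynamic literal such as dynamic({"a":1}) would also match,
# so review the list find_parameters() returns before substituting.
PARAM_RE = re.compile(r"\{([^{}]+)\}")


def extract_queries(workbook_json: str) -> List[Tuple[str, str]]:
    """Return (item name, query) for every KQL item in the workbook.

    json.loads() already turns \\r\\n and \\" back into real newlines and
    quotes, which is the "remove the escape characters" step done by hand
    in the thread. Group items (assumed to nest under content.items) are
    walked recursively.
    """
    doc = json.loads(workbook_json)
    found: List[Tuple[str, str]] = []

    def walk(items: list) -> None:
        for item in items:
            content = item.get("content", {})
            if item.get("type") == 3 and "query" in content:
                found.append((item.get("name", "<unnamed>"), content["query"]))
            nested = content.get("items")
            if isinstance(nested, list):
                walk(nested)

    walk(doc.get("items", []))
    return found


def find_parameters(query: str) -> List[str]:
    """List the distinct {parameter} names a query still depends on."""
    return sorted(set(PARAM_RE.findall(query)))


def resolve_parameters(query: str, values: Dict[str, str]) -> str:
    """Substitute workbook parameters; refuse to emit a query with gaps."""
    missing = [p for p in find_parameters(query) if p not in values]
    if missing:
        raise KeyError(f"unresolved workbook parameters: {missing}")
    return PARAM_RE.sub(lambda m: values[m.group(1)], query)


def normalize_newlines(query: str) -> str:
    """Workbook queries use CRLF; analytics rule editors are happier with LF."""
    return query.replace("\r\n", "\n").strip()


def build_rule_queries(workbook_json: str, values: Dict[str, str]) -> Dict[str, str]:
    """Name -> ready-to-paste KQL for every query item in the workbook."""
    return {
        name: normalize_newlines(resolve_parameters(q, values))
        for name, q in extract_queries(workbook_json)
    }


if __name__ == "__main__":
    # Hypothetical parameter values; "vendor name" and "TimeRange" are the
    # placeholders used in the constructed sample above.
    for name, kql in build_rule_queries(
        SAMPLE_WORKBOOK_JSON, {"vendor name": "Zscaler", "TimeRange": "1h"}
    ).items():
        print(f"// {name}\n{kql}\n")
```

Running it prints the query with `| where DeviceVendor == "Zscaler"` on its own line and `ago(1h)` substituted; pointing `extract_queries()` at a real workbook export from the Sentinel GitHub repository gives the same unescaped text the reply tells you to hunt for by eye.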