Oct 06 2020 10:04 AM
Hi,
Trying to find a source for rules/rule packs for Checkpoint and Zscaler so these can then be incorporated into a standard set of rules going forward.
Regards,
Tim
Oct 06 2020 11:24 AM
There are a couple of examples in the Github for Checkpoint: https://github.com/Azure/Azure-Sentinel/search?l=YAML&q=checkpoint
You can also look in the Workbooks, you can see the Zscaler and Checkpoint queries within those: https://github.com/Azure/Azure-Sentinel/tree/master/Workbooks
Personally I'd run the workbooks to look at the data to find the queries that match the rules you wish to create (you might look at how other people do some of theirs in other workbooks)?
Just open the JSON files in Github, or edit from within a Workbook in Sentinel, and look for the lines that start:
"query":
You will have to remove any escape characters:
"CommonSecurityLog\r\n| where DeviceVendor == \"Zscaler\"\r\n|
to
CommonSecurityLog
| where DeviceVendor == "Zscaler"
Also, if you see { parameter }, or anything in {}, then it's likely to be a workbook parameter that you will have to replace.
Fake example:
CommonSecurityLog
| where DeviceVendor == "{vendor name}"
You would change to
CommonSecurityLog
| where DeviceVendor == "Zscaler"
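The steps in the reply above (pull the "query" strings out of a workbook JSON file, undo the JSON escaping, then fill in the {parameter} placeholders) can be scripted rather than done by hand. The following is an added example, not code from the thread or from the Azure-Sentinel repository; the workbook JSON it parses is a constructed sample whose shape is assumed, and the parameter names `VendorName` and `TimeRange` are invented for illustration.

```python
import json
import re

# Constructed sample: a minimal workbook JSON in the shape that the Workbooks
# folder of the Azure-Sentinel GitHub repo uses (assumed; not a real file).
# The raw string keeps the \r\n and \" escapes exactly as they appear on GitHub.
SAMPLE_WORKBOOK = r'''
{
  "version": "Notebook/1.0",
  "items": [
    {
      "type": 3,
      "content": {
        "version": "KqlItem/1.0",
        "query": "CommonSecurityLog\r\n| where DeviceVendor == \"{VendorName}\"\r\n| where TimeGenerated > ago({TimeRange})\r\n| summarize count() by DeviceAction",
        "queryType": 0
      }
    },
    {
      "type": 1,
      "content": { "json": "## A text block, not a query" }
    }
  ]
}
'''

# Matches a non-empty workbook parameter such as {VendorName}. Empty braces,
# which can occur legitimately in KQL (e.g. dynamic({})), are left alone.
PARAM_RE = re.compile(r"\{([^{}]+)\}")


def extract_queries(workbook_json: str) -> list:
    """Return every 'query' string found anywhere in the workbook JSON.

    json.loads already turns the \\r\\n and \\" escapes into real characters,
    which is the 'remove any escape characters' step from the reply.
    """
    doc = json.loads(workbook_json)
    found = []

    def walk(node):
        if isinstance(node, dict):
            for key, value in node.items():
                if key == "query" and isinstance(value, str):
                    found.append(value)
                else:
                    walk(value)
        elif isinstance(node, list):
            for value in node:
                walk(value)

    walk(doc)
    return found


def workbook_params(query: str) -> list:
    """List the {parameter} placeholders that must be replaced before the
    KQL can be used in an analytics rule."""
    return PARAM_RE.findall(query)


def to_rule_query(query: str, values: dict) -> str:
    """Substitute workbook parameters and normalise line endings to \\n.

    Raises KeyError if a placeholder has no supplied value, so a query with a
    leftover {parameter} is never handed to a rule half-substituted.
    """
    def substitute(match):
        name = match.group(1)
        if name not in values:
            raise KeyError(f"no value supplied for workbook parameter {{{name}}}")
        return values[name]

    return PARAM_RE.sub(substitute, query).replace("\r\n", "\n")


if __name__ == "__main__":
    for raw in extract_queries(SAMPLE_WORKBOOK):
        print("parameters to replace:", workbook_params(raw))
        print(to_rule_query(raw, {"VendorName": "Zscaler", "TimeRange": "1h"}))
```

Pointing `json.loads` at a downloaded workbook file instead of the embedded sample is the only change needed for real use; the `KeyError` on an unfilled placeholder is deliberate, because a rule query that still contains `{...}` fails in the analytics rule editor with a far less helpful message.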