├── CONTRIBUTING.md
├── LICENSE
├── README.md
├── SUPPORT.md
└── xql
    └── BruteForceWIndows.md

--------------------------------------------------------------------------------
/CONTRIBUTING.md:
--------------------------------------------------------------------------------
# How to contribute

:+1::tada: First off, thanks for taking the time to contribute! :tada::+1:

It's people like you that make security open source such a force in preventing
successful cyber-attacks. Following these guidelines helps keep the project
maintainable, easy to contribute to, and more secure. Thank you for taking the
time to follow this guide.

## Where to start

There are many ways to contribute. You can fix a bug, improve the documentation,
submit bug reports and feature requests, or take a first shot at a feature you
need for yourself.

Pull requests are necessary for all contributions of code or documentation.

## New to open source?

If you're **new to open source** and not sure what a pull request is, welcome!
We're glad to have you! All of us once had a contribution to make and didn't
know where to start.

Even if you don't write code for your job, don't worry: the skills you learn
during your first contribution to open source can be applied in so many ways,
you'll wonder what you ever did before you had this knowledge. It's worth
learning.

[Learn how to make a pull request](https://github.com/PaloAltoNetworks/.github/blob/master/Learn-GitHub.md#learn-how-to-make-a-pull-request)

## Fixing a typo, or a one or two line fix

Many fixes require little effort or review, such as:

> - Spelling / grammar, typos, white space and formatting changes
> - Comment clean up
> - Change logging messages or debugging output

These small changes can be made directly in GitHub if you like.

Click the pencil icon in GitHub above the file to edit the file directly in
GitHub. This will automatically create a fork and pull request with the change.
See:
[Make a small change with a Pull Request](https://www.freecodecamp.org/news/how-to-make-your-first-pull-request-on-github/)

## Bug fixes and features

For something that is bigger than a one or two line fix, go through the process
of making a fork and pull request yourself:

> 1. Create your own fork of the code
> 2. Clone the fork locally
> 3. Make the changes in your local clone
> 4. Push the changes from local to your fork
> 5. Create a pull request to pull the changes from your fork back into the
>    upstream repository

Please use clear commit messages so we can understand what each commit does.
We'll review every PR and might offer feedback or request changes before
merging.

--------------------------------------------------------------------------------
/LICENSE:
--------------------------------------------------------------------------------
ISC License

Copyright (c) 2020, Palo Alto Networks Inc.

Permission to use, copy, modify, and/or distribute this software for any
purpose with or without fee is hereby granted, provided that the above
copyright notice and this permission notice appear in all copies.

THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.

--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------
# Correlation Rules and XQL Queries for Cortex XDR and Cortex XSIAM

This repository contains samples of correlation rules and XQL queries that can be leveraged in Cortex XDR and/or Cortex XSIAM. These queries may have dependencies, which will be explained.

## Summary

- [Summary](#summary)
- [Getting Started](#getting-started)
- [Support](#support)
- [Contributing](#contributing)
- [Maintainers](#maintainers)
- [Acknowledgments](#acknowledgments)

## Getting Started

Correlation rules can be copied from this repository and inserted into your query builder by navigating to your tenant and browsing to Detection & Threat Intel > Detection Rules > Correlations.

When creating correlation rules, be sure to follow the recommendations for the Alert Fields Mapping.

XQL queries can be copied from this repository and inserted into your query builder by navigating to your tenant and browsing to Incident Response > Investigation > Query Builder.

## Support

Please read [SUPPORT.md](SUPPORT.md) for details on how to get support for this project.

## Contributing

We value your contributions! Please read
[CONTRIBUTING.md](https://github.com/PaloAltoNetworks/.github/CONTRIBUTING.md)
for details on how to contribute, and the process for submitting pull requests
to us.

## Maintainers

- Kevin Mastin - (Account link coming soon)
- Ami Tsarfati - (Account link coming soon)
- Maor Hojberg - (Account link coming soon)
- David Soshany - (Account link coming soon)
- Netanel Simchon - (Account link coming soon)
- Eric Boerger - (Account link coming soon)
- Joel Ebrihimi - (Account link coming soon)
- Ron Collins - (Account link coming soon)
- Raymond DePalma - [radepalma](https://github.com/radepalma)
- David Falcon - [dfalconpanw](https://github.com/dfalconpanw)
- Mark DeDominic - (Account link coming soon)

Thank you to all the
[contributors](https://github.com/PaloAltoNetworks//contributors)
who participated in this project.

## Acknowledgments

--------------------------------------------------------------------------------
/SUPPORT.md:
--------------------------------------------------------------------------------
Community Supported

The software and templates in the repo are released under an as-is, best effort,
support policy. This software should be seen as community supported and Palo
Alto Networks will contribute our expertise as and when possible. We do not
provide technical support or help in using or troubleshooting the components of
the project through our normal support options such as Palo Alto Networks
support teams, or ASC (Authorized Support Centers) partners and backline support
options. The underlying product used (the VM-Series firewall) by the scripts or
templates is still supported, but the support is only for the product
functionality and not for help in deploying or using the template or script
itself. Unless explicitly tagged, all projects or work posted in our GitHub
repository (at https://github.com/PaloAltoNetworks) or sites other than our
official Downloads page on https://support.paloaltonetworks.com are provided
under the best effort policy.

--------------------------------------------------------------------------------
/xql/BruteForceWIndows.md:
--------------------------------------------------------------------------------
```shell
// Failed logons (event 4625) that are followed, for the same target user and
// workstation, by a successful logon (event 4624) within 6000 seconds.
// Computer accounts (names ending in "$") are excluded on both sides.
dataset = microsoft_windows_raw
| filter event_id = 4625
| alter TargetUserName = json_extract_scalar(event_data, "$.TargetUserName"),
        WorkstationName = json_extract_scalar(event_data, "$.WorkstationName"),
        LogonType = json_extract_scalar(event_data, "$.LogonType"),
        IpAddress = json_extract_scalar(event_data, "$.IpAddress")
| filter TargetUserName !~= ".*\$"
// number of failures and time of the last failure per user/workstation pair
| comp count(), max(_time) as mt by TargetUserName, WorkstationName
| join conflict_strategy = both
    (dataset = microsoft_windows_raw
     | filter event_id = 4624
     | alter TargetUserName = json_extract_scalar(event_data, "$.TargetUserName"),
             WorkstationName = json_extract_scalar(event_data, "$.WorkstationName"),
             LogonType = json_extract_scalar(event_data, "$.LogonType"),
             IpAddress = json_extract_scalar(event_data, "$.IpAddress")
     | filter TargetUserName !~= ".*\$"
     | alter success_time = _time) as successful_login
    successful_login.TargetUserName = TargetUserName and successful_login.WorkstationName = WorkstationName
// keep only successes that happen after the last failure and within the window
| filter timestamp_diff(success_time, mt, "second") > 0 and timestamp_diff(success_time, mt, "second") < 6000
```
--------------------------------------------------------------------------------
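To check the correlation logic of the query above offline, here is an added Python reimplementation (not part of this repository) run over constructed sample events: it groups 4625 failures per user and workstation, drops accounts matching `.*\$`, joins each group's last failure to a 4624 for the same pair, and keeps successes 0 to 6000 seconds after it. Field and event names follow the query; the timestamps, users, hosts and IP address are constructed.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

MACHINE_ACCOUNT = re.compile(r".*\$")  # pattern the query excludes with !~=
WINDOW_SECONDS = 6000                   # bound in the query's timestamp_diff filter


def correlate_failed_then_success(events, window=WINDOW_SECONDS):
    """Mirror the XQL join: last 4625 per (user, workstation) followed by a 4624 within window."""
    failures, successes = defaultdict(list), defaultdict(list)
    for ev in events:
        d = ev["event_data"]
        if MACHINE_ACCOUNT.search(d["TargetUserName"]):  # drop HOST$ computer accounts
            continue
        key = (d["TargetUserName"], d["WorkstationName"])
        if ev["event_id"] == 4625:
            failures[key].append(ev["_time"])
        elif ev["event_id"] == 4624:
            successes[key].append(ev["_time"])
    hits = []
    for key, times in failures.items():
        mt = max(times)  # comp count(), max(_time) as mt
        for success_time in successes.get(key, []):  # join on user + workstation
            delta = (success_time - mt).total_seconds()
            if 0 < delta < window:  # timestamp_diff(success_time, mt) in (0, window)
                hits.append({"TargetUserName": key[0], "WorkstationName": key[1],
                             "failed_count": len(times), "seconds_after": delta})
    return hits


# Constructed sample events (not real telemetry); _time is offset in minutes from T0.
T0 = datetime(2024, 1, 15, 8, 0, tzinfo=timezone.utc)


def _ev(event_id, minutes, user, host, ip="10.0.0.5"):
    return {"event_id": event_id, "_time": T0 + timedelta(minutes=minutes),
            "event_data": {"TargetUserName": user, "WorkstationName": host,
                           "LogonType": "3", "IpAddress": ip}}


SAMPLE_EVENTS = [
    *[_ev(4625, m, "alice", "WS01") for m in range(5)],  # 5 failures, then...
    _ev(4624, 16, "alice", "WS01"),                      # ...success 12 min later
    _ev(4624, 5, "bob", "WS02"), _ev(4625, 20, "bob", "WS02"),        # success precedes failure
    _ev(4625, 30, "carol", "WS03"), _ev(4624, 230, "carol", "WS03"),  # 200 min > window
    _ev(4625, 40, "WS04$", "WS04"), _ev(4624, 41, "WS04$", "WS04"),  # machine account
    _ev(4625, 50, "dave", "WS05"), _ev(4624, 55, "dave", "WS06"),    # workstation differs
]

if __name__ == "__main__":
    for hit in correlate_failed_then_success(SAMPLE_EVENTS):
        print(hit)
```

Only the alice/WS01 pair is reported; the other cases show each condition of the query rejecting a pair.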