Detecting Palo Alto Firewall Exploits.kql

SlimKQL · Feb 21, 2025 · 5343e47 · 5343e47
1 parent 6194d57
commit 5343e47
Showing 1 changed file with 11 additions and 0 deletions.
diff --git a/Sentinel/Detecting Palo Alto Firewall Exploits.kql b/Sentinel/Detecting Palo Alto Firewall Exploits.kql
@@ -0,0 +1,11 @@
+// Detecting Palo Alto Firewall Exploits
+// https://www.bleepingcomputer.com/news/security/palo-alto-networks-tags-new-firewall-bug-as-exploited-in-attacks/
+
+let GreyNoiseIPs = dynamic(["193.143.1.65", "49.15.245.66", "146.190.147.92", "64.39.98.72", "14.145.63.144", "45.61.139.121", "72.5.42.10", "85.239.56.148", "62.204.35.249", "38.54.50.252", "43.157.45.216", "47.190.9.241", "43.159.135.197", "198.12.122.248", "139.87.112.3", "123.116.247.134", "38.54.101.65", "84.17.43.35", "1.55.112.205", "196.251.89.129", "85.31.231.183", "46.246.9.213", "194.233.96.86", "198.23.171.159", "45.88.222.89", "161.81.158.136", "93.115.0.34", "199.19.95.31", "193.27.90.90", "172.86.84.84", "47.89.242.61", "149.88.26.226", "34.121.207.116", "104.131.69.106"]);
+CommonSecurityLog
+| where TimeGenerated > ago(10d)
+| where DeviceVendor == "Palo Alto Networks"
+| where DeviceProduct == "PAN-OS"
+| where SourceIP has_any(GreyNoiseIPs)
+| summarize AttackCount=count() by SourceIP, DeviceAction
+| sort by DeviceAction asc