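// Inventory of firewall devices that are actually delivering logs to this workspace.
// Use it as a coverage check: a firewall you expect to see that is absent (or whose
// EventCount has collapsed) is a logging gap that silently blinds every detection
// built on these tables - treat it as an incident, not an empty result.
//
// Every branch is normalised to the same columns (DeviceVendor, DeviceName, EventCount)
// so the final rollup is meaningful. The original query summarised the branches with
// different keys (FirewallAction, no vendor, raw un-summarised CEF rows), so the closing
// "summarize count()" mixed device rows with raw event rows and lost the Azure Firewall
// and Windows Firewall devices under an empty DeviceName.
//
// isfuzzy=true lets the union run in workspaces where some of these tables do not exist.
// withsource keeps the originating table, so a device that reports via two paths
// (e.g. native syslog connector and CEF) shows as two rows.
// Time range is deliberately not pinned: it comes from the caller (portal time picker or
// the analytics rule lookback). Add "| where TimeGenerated > ago(7d)" to each branch to pin one.
union isfuzzy=true withsource = TableName
// Microsoft - Azure Firewall via diagnostic settings; Resource is the firewall resource name
(AzureDiagnostics
    | where ResourceType == "AZUREFIREWALLS"
    | extend DeviceVendor = "Microsoft", DeviceName = Resource
    | summarize EventCount = count() by DeviceVendor, DeviceName),
// Microsoft - Windows Firewall log collection; Computer is the reporting host
(WindowsFirewall
    | extend DeviceVendor = "Microsoft", DeviceName = Computer
    | summarize EventCount = count() by DeviceVendor, DeviceName),
// Barracuda CloudGen Firewall, native (non-CEF) syslog connector
(CGFWFirewallActivity
    | extend DeviceVendor = "Barracuda", DeviceName = Computer
    | summarize EventCount = count() by DeviceVendor, DeviceName),
// CEF section - CommonSecurityLog, one branch per vendor because the field that
// identifies the device differs between vendors
(CommonSecurityLog
    | where DeviceVendor == "Barracuda"
    | summarize EventCount = count() by DeviceVendor, DeviceName),
// Fortinet identifies the unit in DeviceExternalID rather than DeviceName
(CommonSecurityLog
    | where DeviceVendor == "Fortinet"
    | summarize EventCount = count() by DeviceVendor, DeviceName = DeviceExternalID),
// "TestCommonEventFormat" is the vendor stamped on the CEF connector's validation test
// events - expected while a collector is being onboarded, noise afterwards
(CommonSecurityLog
    | where DeviceVendor == "TestCommonEventFormat"
    | summarize EventCount = count() by DeviceVendor, DeviceName = DeviceExternalID),
// Palo Alto: drop rows with no DeviceName so they do not form an anonymous group
(CommonSecurityLog
    | where DeviceVendor == "Palo Alto Networks"
    | where isnotempty(DeviceName)
    | summarize EventCount = count() by DeviceVendor, DeviceName)
// Roll up: one row per device per source table; EventCount is the number of log
// lines it sent in the selected time range (sum, not count of branch rows)
| summarize EventCount = sum(EventCount) by DeviceVendor, DeviceName, TableName
| sort by DeviceVendor asc, EventCount desc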