TI map IP entity to AzureFirewall

let dt_lookBack = 1h; // Look back 1 hour for AzureDiagnostics logs
let ioc_lookBack = 14d; // Look back 14 days for threat intelligence indicators
// Fetch threat intelligence indicators related to IP addresses
let IP_Indicators = ThreatIntelIndicators
//extract key part of kv pair
     | extend IndicatorType = replace(@"\[|\]|\""", "", tostring(split(ObservableKey, ":", 0)))
     | where IndicatorType in ("ipv4-addr", "ipv6-addr", "network-traffic")
     | extend NetworkSourceIP = toupper(ObservableValue)
     | extend TrafficLightProtocolLevel = tostring(parse_json(AdditionalFields).TLPLevel)
  // Filter out indicators without relevant IP address fields
  | where TimeGenerated >= ago(ioc_lookBack)
  // Select the IP entity based on availability of different IP fields
  | extend TI_ipEntity = iff(isnotempty(NetworkSourceIP), NetworkSourceIP, NetworkSourceIP)
  | extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(NetworkSourceIP), NetworkSourceIP, TI_ipEntity)
  // Exclude local addresses using the ipv4_is_private operator and filtering out specific address prefixes
  | where ipv4_is_private(TI_ipEntity) == false and  TI_ipEntity !startswith "fe80" and TI_ipEntity !startswith "::" and TI_ipEntity !startswith "127."
  | summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by Id, ObservableValue
  | where IsActive and (ValidUntil > now() or isempty(ValidUntil));
// Perform a join between IP indicators and AzureDiagnostics logs to identify potential malicious activity
IP_Indicators
   | project-reorder *, Tags, TrafficLightProtocolLevel, NetworkSourceIP, Type, TI_ipEntity
  // Use innerunique to keep performance fast and result set low, as we only need one match to indicate potential malicious activity that needs investigation
  | join kind=innerunique (
      union AZFWApplicationRule, AZFWNetworkRule
      | where TimeGenerated >= ago(dt_lookBack)
      //| where OperationName in ("AzureFirewallApplicationRuleLog", "AzureFirewallNetworkRuleLog")
      | parse kind=regex flags=U ActionReason with Protocol 'request from ' SourceHost 'to ' DestinationHost @'\.? Action: ' Firewall_Action @'\.' Rest_msg
      | extend SourceAddress = SourceIp
      | extend DestinationAddress = DestinationIp
      | extend RemoteIP = case(not(ipv4_is_private(DestinationAddress)), DestinationAddress, not(ipv4_is_private(SourceAddress)), SourceAddress, "")
      | where isnotempty(RemoteIP) // Filter out traffic involving public addresses only
      | extend Firewall_Action = Action
      | project-rename AzureFirewall_TimeGenerated = TimeGenerated
  )
  on $left.TI_ipEntity == $right.RemoteIP
  // Filter out logs that occurred after the expiration of the corresponding indicator
  | where AzureFirewall_TimeGenerated < ValidUntil
  // Group the results by IndicatorId and RemoteIP, and keep the log entry with the latest timestamp
  | summarize AzureFirewall_TimeGenerated = arg_max(AzureFirewall_TimeGenerated, *) by Id, RemoteIP
  // Select the desired output fields
  | extend Description = tostring(parse_json(Data).description)
  | extend ActivityGroupNames = extract(@"ActivityGroup:(\S+)", 1, tostring(parse_json(Data).labels))
  | project LatestIndicatorTime, Description, ActivityGroupNames, Id, ValidUntil, Confidence,
    AzureFirewall_TimeGenerated, TI_ipEntity, ActionReason, SourceAddress, DestinationAddress, Firewall_Action, Protocol,
    NetworkSourceIP, Type, TargetUrl

query: |
  let dt_lookBack = 1h; // Look back 1 hour for AzureDiagnostics logs
  let ioc_lookBack = 14d; // Look back 14 days for threat intelligence indicators
  // Fetch threat intelligence indicators related to IP addresses
  let IP_Indicators = ThreatIntelIndicators
  //extract key part of kv pair
       | extend IndicatorType = replace(@"\[|\]|\""", "", tostring(split(ObservableKey, ":", 0)))
       | where IndicatorType in ("ipv4-addr", "ipv6-addr", "network-traffic")
       | extend NetworkSourceIP = toupper(ObservableValue)
       | extend TrafficLightProtocolLevel = tostring(parse_json(AdditionalFields).TLPLevel)
    // Filter out indicators without relevant IP address fields
    | where TimeGenerated >= ago(ioc_lookBack)
    // Select the IP entity based on availability of different IP fields
    | extend TI_ipEntity = iff(isnotempty(NetworkSourceIP), NetworkSourceIP, NetworkSourceIP)
    | extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(NetworkSourceIP), NetworkSourceIP, TI_ipEntity)
    // Exclude local addresses using the ipv4_is_private operator and filtering out specific address prefixes
    | where ipv4_is_private(TI_ipEntity) == false and  TI_ipEntity !startswith "fe80" and TI_ipEntity !startswith "::" and TI_ipEntity !startswith "127."
    | summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by Id, ObservableValue
    | where IsActive and (ValidUntil > now() or isempty(ValidUntil));
  // Perform a join between IP indicators and AzureDiagnostics logs to identify potential malicious activity
  IP_Indicators
     | project-reorder *, Tags, TrafficLightProtocolLevel, NetworkSourceIP, Type, TI_ipEntity
    // Use innerunique to keep performance fast and result set low, as we only need one match to indicate potential malicious activity that needs investigation
    | join kind=innerunique (
        union AZFWApplicationRule, AZFWNetworkRule
        | where TimeGenerated >= ago(dt_lookBack)
        //| where OperationName in ("AzureFirewallApplicationRuleLog", "AzureFirewallNetworkRuleLog")
        | parse kind=regex flags=U ActionReason with Protocol 'request from ' SourceHost 'to ' DestinationHost @'\.? Action: ' Firewall_Action @'\.' Rest_msg
        | extend SourceAddress = SourceIp
        | extend DestinationAddress = DestinationIp
        | extend RemoteIP = case(not(ipv4_is_private(DestinationAddress)), DestinationAddress, not(ipv4_is_private(SourceAddress)), SourceAddress, "")
        | where isnotempty(RemoteIP) // Filter out traffic involving public addresses only
        | extend Firewall_Action = Action
        | project-rename AzureFirewall_TimeGenerated = TimeGenerated
    )
    on $left.TI_ipEntity == $right.RemoteIP
    // Filter out logs that occurred after the expiration of the corresponding indicator
    | where AzureFirewall_TimeGenerated < ValidUntil
    // Group the results by IndicatorId and RemoteIP, and keep the log entry with the latest timestamp
    | summarize AzureFirewall_TimeGenerated = arg_max(AzureFirewall_TimeGenerated, *) by Id, RemoteIP
    // Select the desired output fields
    | extend Description = tostring(parse_json(Data).description)
    | extend ActivityGroupNames = extract(@"ActivityGroup:(\S+)", 1, tostring(parse_json(Data).labels))
    | project LatestIndicatorTime, Description, ActivityGroupNames, Id, ValidUntil, Confidence,
      AzureFirewall_TimeGenerated, TI_ipEntity, ActionReason, SourceAddress, DestinationAddress, Firewall_Action, Protocol,
      NetworkSourceIP, Type, TargetUrl  
entityMappings:
- entityType: IP
  fieldMappings:
  - columnName: TI_ipEntity
    identifier: Address
- entityType: URL
  fieldMappings:
  - columnName: TargetUrl
    identifier: Url
triggerThreshold: 0
name: TI map IP entity to AzureFirewall
severity: Medium
relevantTechniques:
- T1071
queryPeriod: 14d
tactics:
- CommandAndControl
requiredDataConnectors:
- connectorId: ThreatIntelligence
  dataTypes:
  - ThreatIntelIndicators
- connectorId: ThreatIntelligenceTaxii
  dataTypes:
  - ThreatIntelIndicators
- connectorId: AzureFirewall
  dataTypes:
  - AzureDiagnostics
- connectorId: MicrosoftDefenderThreatIntelligence
  dataTypes:
  - ThreatIntelIndicators
queryFrequency: 1h
version: 1.3.7
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Threat Intelligence (NEW)/Analytic Rules/IPEntity_AzureFirewall.yaml
id: 4992d2f3-d6c0-4271-adac-b23532ba4492
kind: Scheduled
description: |
    Identifies a match in AzureFirewall (NetworkRule & ApplicationRule Logs) from any IP IOC from TI
triggerOperator: gt