High severity malicious activity detected
| Id | 504257c1-81e2-4609-8d40-b395e62f11c7 |
| Rulename | High severity malicious activity detected |
| Description | Identifies Azure Firewall IDPS signature hits in a curated set of high-confidence threat categories (exploit kits, C2, credential theft, trojans, shellcode) and reports each source IP that accumulates 10 or more hits in a single category during the lookback period. |
| Severity | High |
| Tactics | InitialAccess Exfiltration CredentialAccess CommandAndControl Execution |
| Techniques | T1190 T1041 T1003 T1204 |
| Required data connectors | AzureFirewall |
| Kind | Scheduled |
| Query frequency | 1h |
| Query period | 24h |
| Trigger threshold | 1 |
| Trigger operator | gt |
| Source Uri | https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Azure Firewall/Analytic Rules/Azure Firewall - High severity malicious activity detected.yaml |
| Version | 1.0.0 |
| Arm template | 504257c1-81e2-4609-8d40-b395e62f11c7.json |
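// Azure Firewall IDPS: report source IPs that accumulate repeated signature hits
// in a curated set of high-confidence threat categories (exploit kit, C2,
// credential theft, trojan, shellcode). One result row per SourceIp + Category.
//
// Lookback. This query backs a scheduled rule whose queryPeriod is 24h, and
// Sentinel bounds the data a scheduled query can see to that period, so a larger
// value here only *looks* like a longer search. Keep TimeWindow aligned with
// queryPeriod; raise it when running this ad hoc for hunting.
let TimeWindow = 24h;
// Minimum hits per SourceIp + Category before the pair is reported.
// Lower for sensitivity, raise to suppress noisy scanners.
let HitThreshold = 10;
// NOTE(review): AZFWIdpsSignature.Severity is numeric; confirm its encoding.
// If 1 = High (lower number = more severe), then `Severity >= 1` admits every
// severity and `max(Severity)` / `order by MaxSeverity desc` rank the LEAST
// severe rows first, so the comparisons would need inverting. As written, the
// category allow-list below is what actually scopes this rule to high-confidence
// detections, not this threshold.
let MinSeverity = 1;
let EnableCategoryFilter = true;      // Filter 1: restrict to CategoriesOfInterest
let EnableDescriptionFilter = false;  // Filter 2: restrict to DescriptionsOfInterest
let EnableActionFilter = false;       // Filter 3: restrict to MatchActions
// Signature categories treated as high-confidence malicious activity.
let CategoriesOfInterest = dynamic([
    "Targeted Malicious Activity was Detected",
    "Exploit Kit Activity Detected",
    "Domain Observed Used for C2 Detected",
    "Successful Credential Theft Detected",
    "Malware Command and Control Activity Detected",
    "Executable code was detected",
    "A Network Trojan was detected"
]);
// Optional narrower match on the signature description text.
let DescriptionsOfInterest = dynamic([
    "targeted-activity",
    "exploit-kit",
    "domain-c2",
    "credential-theft",
    "command-and-control",
    "shellcode-detect",
    "trojan-activity"
]);
// Firewall verdicts to keep when Filter 3 is on (matched case-insensitively).
// "Deny" means the flow was dropped; "Alert" means IDPS only logged it, so an
// Alert-only result means the traffic got through and deserves faster triage.
let MatchActions = dynamic(["Deny", "alert"]);
AZFWIdpsSignature
| where TimeGenerated >= ago(TimeWindow)
| where Severity >= MinSeverity
// Filter 1: category allow-list (optional)
| where (EnableCategoryFilter == false) or (Category has_any (CategoriesOfInterest))
// Filter 2: description allow-list (optional)
| where (EnableDescriptionFilter == false) or (Description has_any (DescriptionsOfInterest))
// Filter 3: firewall action allow-list (optional)
| where (EnableActionFilter == false) or (Action in~ (MatchActions))
// Collapse to one row per offending source and category, keeping enough
// context (verdicts, signature IDs, sample descriptions) for triage.
| summarize
    StartTime = min(TimeGenerated),
    EndTime = max(TimeGenerated),
    TotalHits = count(),
    MaxSeverity = max(Severity),
    Actions = make_set(Action, 5),
    Signatures = make_set(SignatureId, 20),
    Description = make_set(substring(tostring(Description), 0, 120), 3)
    by SourceIp, ThreatCategory = Category
| where TotalHits >= HitThreshold
| project
    StartTime,
    EndTime,
    SourceIp,
    ThreatCategory,
    TotalHits,
    MaxSeverity,
    Actions,
    Signatures,
    Description
| order by MaxSeverity desc, TotalHits desc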
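name: High severity malicious activity detected
relevantTechniques:
  - T1190
  - T1041
  - T1003
  - T1204
id: 504257c1-81e2-4609-8d40-b395e62f11c7
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Azure Firewall/Analytic Rules/Azure Firewall - High severity malicious activity detected.yaml
requiredDataConnectors:
  - dataTypes:
      - AZFWIdpsSignature
    connectorId: AzureFirewall
# Bumped because the trigger threshold below changes when the rule fires.
version: 1.0.1
severity: High
# Alert on ANY returned row. The query already enforces HitThreshold per
# SourceIp + Category, so a single offending source must be enough to fire.
# The previous value (1 with operator gt) required at least two distinct
# SourceIp/Category rows in the same run, silently dropping single-source attacks.
triggerThreshold: 0
# Sentinel bounds the query's data to this period; the query's TimeWindow is
# kept equal to it. With a 1h frequency the same source can re-alert each hour
# for up to 24h — incident grouping / suppression (not set in this file) is the
# place to control that.
queryPeriod: 24h
entityMappings:
  - entityType: IP
    fieldMappings:
      - identifier: Address
        columnName: SourceIp
queryFrequency: 1h
status: Available
query: |
  // Azure Firewall IDPS: report source IPs that accumulate repeated signature hits
  // in a curated set of high-confidence threat categories (exploit kit, C2,
  // credential theft, trojan, shellcode). One result row per SourceIp + Category.
  //
  // Lookback: Sentinel bounds a scheduled query's data to queryPeriod (24h), so a
  // larger value here only *looks* like a longer search. Keep it aligned with
  // queryPeriod; raise it only when running this ad hoc for hunting.
  let TimeWindow = 24h;
  // Minimum hits per SourceIp + Category before the pair is reported.
  let HitThreshold = 10;
  // NOTE(review): AZFWIdpsSignature.Severity is numeric; confirm its encoding.
  // If 1 = High (lower number = more severe), `Severity >= 1` admits every
  // severity and `max(Severity)` / `order by MaxSeverity desc` rank the LEAST
  // severe rows first, so the comparisons would need inverting. As written, the
  // category allow-list is what scopes this rule to high-confidence detections.
  let MinSeverity = 1;
  let EnableCategoryFilter = true;      // Filter 1: restrict to CategoriesOfInterest
  let EnableDescriptionFilter = false;  // Filter 2: restrict to DescriptionsOfInterest
  let EnableActionFilter = false;       // Filter 3: restrict to MatchActions
  // Signature categories treated as high-confidence malicious activity.
  let CategoriesOfInterest = dynamic([
      "Targeted Malicious Activity was Detected",
      "Exploit Kit Activity Detected",
      "Domain Observed Used for C2 Detected",
      "Successful Credential Theft Detected",
      "Malware Command and Control Activity Detected",
      "Executable code was detected",
      "A Network Trojan was detected"
  ]);
  // Optional narrower match on the signature description text.
  let DescriptionsOfInterest = dynamic([
      "targeted-activity",
      "exploit-kit",
      "domain-c2",
      "credential-theft",
      "command-and-control",
      "shellcode-detect",
      "trojan-activity"
  ]);
  // Firewall verdicts to keep when Filter 3 is on (matched case-insensitively).
  // "Deny" means the flow was dropped; "Alert" means IDPS only logged it, so an
  // Alert-only result means the traffic got through and deserves faster triage.
  let MatchActions = dynamic(["Deny", "alert"]);
  AZFWIdpsSignature
  | where TimeGenerated >= ago(TimeWindow)
  | where Severity >= MinSeverity
  // Filter 1: category allow-list (optional)
  | where (EnableCategoryFilter == false) or (Category has_any (CategoriesOfInterest))
  // Filter 2: description allow-list (optional)
  | where (EnableDescriptionFilter == false) or (Description has_any (DescriptionsOfInterest))
  // Filter 3: firewall action allow-list (optional)
  | where (EnableActionFilter == false) or (Action in~ (MatchActions))
  // Collapse to one row per offending source and category, keeping enough
  // context (verdicts, signature IDs, sample descriptions) for triage.
  | summarize
      StartTime = min(TimeGenerated),
      EndTime = max(TimeGenerated),
      TotalHits = count(),
      MaxSeverity = max(Severity),
      Actions = make_set(Action, 5),
      Signatures = make_set(SignatureId, 20),
      Description = make_set(substring(tostring(Description), 0, 120), 3)
      by SourceIp, ThreatCategory = Category
  | where TotalHits >= HitThreshold
  | project
      StartTime,
      EndTime,
      SourceIp,
      ThreatCategory,
      TotalHits,
      MaxSeverity,
      Actions,
      Signatures,
      Description
  | order by MaxSeverity desc, TotalHits desc
tactics:
  - InitialAccess
  - Exfiltration
  - CredentialAccess
  - CommandAndControl
  - Execution
kind: Scheduled
description: |
  Identifies Azure Firewall IDPS signature hits in a curated set of high-confidence
  threat categories (exploit kits, C2, credential theft, trojans, shellcode) and
  reports each source IP that accumulates 10 or more hits in a single category
  during the lookback period.
triggerOperator: gt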