High severity malicious activity detected
| Id | 504257c1-81e2-4609-8d40-b395e62f11c7 |
| Rulename | High severity malicious activity detected |
| Description | Identifies high severity malicious activity in Azure Firewall IDPS logs. |
| Severity | High |
| Tactics | InitialAccess Exfiltration CredentialAccess CommandAndControl Execution |
| Techniques | T1190 T1041 T1003 T1204 |
| Required data connectors | AzureFirewall |
| Kind | Scheduled |
| Query frequency | 1h |
| Query period | 24h |
| Trigger threshold | 1 |
| Trigger operator | gt |
| Source Uri | https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Azure Firewall/Analytic Rules/Azure Firewall - High severity malicious activity detected.yaml |
| Version | 1.0.0 |
| Arm template | 504257c1-81e2-4609-8d40-b395e62f11c7.json |
// Microsoft Sentinel detection over Azure Firewall IDPS signature logs.
// Aggregates AZFWIdpsSignature rows per SourceIp + Category and returns the
// pairs whose hit count reaches HitThreshold. Only the category filter is on
// by default; the description and action filters are opt-in switches.
//
// NOTE(review): the rule metadata on this page sets queryPeriod to 24h. When
// the query runs as the scheduled rule, the data in scope is bounded by that
// period (confirm), so HitThreshold is effectively "hits per 24h" and the
// 90d window only matters for ad-hoc runs — align the two values.
let TimeWindow = 90d; // How far back to look
// Minimum rows per SourceIp + Category pair (after the filters below) for the
// pair to be returned; applied to TotalHits after the summarize.
let HitThreshold = 10; // Minimum hits to alert per SourceIp + Category
// NOTE(review): applied as `Severity >= MinSeverity`. If Severity follows the
// Azure Firewall IDPS convention of 1 = High ... 3 = Low, a value of 1 admits
// every severity and raising it *loosens* the rule — confirm the direction.
let MinSeverity = 1; // Set Minimum Severity
// Each Enable* switch gates one optional `where` clause below; a false switch
// makes that clause pass every row.
let EnableCategoryFilter = true; // Filter 1: use CategoriesOfInterest
let EnableDescriptionFilter = false; // Filter 2: use DescriptionsOfInterest
let EnableActionFilter = false; // Filter 3: use MatchActions
// Category values matched against Category with has_any (term match) when
// Filter 1 is on.
let CategoriesOfInterest = dynamic([
"Targeted Malicious Activity was Detected",
"Exploit Kit Activity Detected",
"Domain Observed Used for C2 Detected",
"Successful Credential Theft Detected",
"Malware Command and Control Activity Detected",
"Executable code was detected",
"A Network Trojan was detected"
]);
// Terms matched against Description with has_any when Filter 2 is on
// (off by default).
let DescriptionsOfInterest = dynamic([
"targeted-activity",
"exploit-kit",
"domain-c2",
"credential-theft",
"command-and-control",
"shellcode-detect",
"trojan-activity"
]);
// Action values compared case-insensitively (in~) when Filter 3 is on
// (off by default).
let MatchActions = dynamic(["Deny", "alert"]);
AZFWIdpsSignature
| where TimeGenerated >= ago(TimeWindow)
| where Severity >= MinSeverity
// Filter 1: Category filter (optional)
| where (EnableCategoryFilter == false) or (Category has_any (CategoriesOfInterest))
// Filter 2: Description filter (optional)
| where (EnableDescriptionFilter == false) or (Description has_any (DescriptionsOfInterest))
// Filter 3: Action filter (optional)
| where (EnableActionFilter == false) or (Action in~ (MatchActions))
// One output row per SourceIp + Category pair; the make_set caps bound the
// size of the dynamic columns carried into the alert.
| summarize
    StartTime = min(TimeGenerated), // first matching hit in the window
    EndTime = max(TimeGenerated), // last matching hit in the window
    TotalHits = count(), // rows per pair; compared against HitThreshold
    MaxSeverity = max(Severity), // numeric maximum; see the MinSeverity note
    Actions = make_set(Action, 5), // at most 5 distinct actions
    Signatures = make_set(SignatureId, 20), // at most 20 distinct signature ids
    Description = make_set(substring(tostring(Description), 0, 120), 3) // up to 3 descriptions, each cut to 120 chars
    by SourceIp, ThreatCategory = Category
| where TotalHits >= HitThreshold
| project
    StartTime,
    EndTime,
    SourceIp,
    ThreatCategory,
    TotalHits,
    MaxSeverity,
    Actions,
    Signatures,
    Description
// Highest numeric severity first, then busiest pairs. If 1 = High, this puts
// the least severe pairs first — see the MinSeverity note.
| order by MaxSeverity desc, TotalHits desc
# Microsoft Sentinel scheduled analytic rule from the Azure Firewall solution.
# The `query` block is the same KQL as the standalone listing on this page;
# the scheduling keys here decide how often it runs and how much data it sees.
relevantTechniques:
  - T1190
  - T1041
  - T1003
  - T1204
name: High severity malicious activity detected
queryFrequency: 1h  # the query is evaluated once per hour
version: 1.0.0
# Alert when the query returns more than triggerThreshold rows (see
# triggerOperator below). NOTE(review): with `gt 1`, a single SourceIp/Category
# result row — one offending source — does not fire; confirm this is intended.
triggerThreshold: 1
severity: High
requiredDataConnectors:
  - connectorId: AzureFirewall
    dataTypes:
      - AZFWIdpsSignature  # the only table the query reads
tactics:
  - InitialAccess
  - Exfiltration
  - CredentialAccess
  - CommandAndControl
  - Execution
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Azure Firewall/Analytic Rules/Azure Firewall - High severity malicious activity detected.yaml
# Detection body; each row returned is one SourceIp + Category pair whose hit
# count reached HitThreshold. Only the category filter is enabled by default.
query: |
  let TimeWindow = 90d; // How far back to look
  let HitThreshold = 10; // Minimum hits to alert per SourceIp + Category
  let MinSeverity = 1; // Set Minimum Severity
  let EnableCategoryFilter = true; // Filter 1: use CategoriesOfInterest
  let EnableDescriptionFilter = false; // Filter 2: use DescriptionsOfInterest
  let EnableActionFilter = false; // Filter 3: use MatchActions
  let CategoriesOfInterest = dynamic([
  "Targeted Malicious Activity was Detected",
  "Exploit Kit Activity Detected",
  "Domain Observed Used for C2 Detected",
  "Successful Credential Theft Detected",
  "Malware Command and Control Activity Detected",
  "Executable code was detected",
  "A Network Trojan was detected"
  ]);
  let DescriptionsOfInterest = dynamic([
  "targeted-activity",
  "exploit-kit",
  "domain-c2",
  "credential-theft",
  "command-and-control",
  "shellcode-detect",
  "trojan-activity"
  ]);
  let MatchActions = dynamic(["Deny", "alert"]);
  AZFWIdpsSignature
  | where TimeGenerated >= ago(TimeWindow)
  | where Severity >= MinSeverity
  // Filter 1: Category filter (optional)
  | where (EnableCategoryFilter == false) or (Category has_any (CategoriesOfInterest))
  // Filter 2: Description filter (optional)
  | where (EnableDescriptionFilter == false) or (Description has_any (DescriptionsOfInterest))
  // Filter 3: Action filter (optional)
  | where (EnableActionFilter == false) or (Action in~ (MatchActions))
  | summarize
  StartTime = min(TimeGenerated),
  EndTime = max(TimeGenerated),
  TotalHits = count(),
  MaxSeverity = max(Severity),
  Actions = make_set(Action, 5),
  Signatures = make_set(SignatureId, 20),
  Description = make_set(substring(tostring(Description), 0, 120), 3)
  by SourceIp, ThreatCategory = Category
  | where TotalHits >= HitThreshold
  | project
  StartTime,
  EndTime,
  SourceIp,
  ThreatCategory,
  TotalHits,
  MaxSeverity,
  Actions,
  Signatures,
  Description
  | order by MaxSeverity desc, TotalHits desc
kind: Scheduled
# SourceIp is mapped to an IP entity (Address); no other output column is
# mapped to an entity.
entityMappings:
  - fieldMappings:
      - columnName: SourceIp
        identifier: Address
    entityType: IP
# Lookback per run. NOTE(review): the query's own TimeWindow is 90d; when
# scheduled, the data in scope is bounded by this 24h period (confirm), so the
# query's HitThreshold of 10 is effectively "hits per 24h" — align the two.
queryPeriod: 24h
triggerOperator: gt  # with triggerThreshold: 1, fire when the row count is > 1
id: 504257c1-81e2-4609-8d40-b395e62f11c7
status: Available
description: |
  Identifies high severity malicious activity in Azure Firewall IDPS logs.