High severity malicious activity detected
| Id | 504257c1-81e2-4609-8d40-b395e62f11c7 |
| Rulename | High severity malicious activity detected |
| Description | Aggregates Azure Firewall IDPS signature hits per source IP and threat category and alerts when a single source exceeds the hit threshold in categories associated with exploitation, command-and-control, credential theft or malware. |
| Severity | High |
| Tactics | InitialAccess Exfiltration CredentialAccess CommandAndControl Execution |
| Techniques | T1190 T1041 T1003 T1204 |
| Required data connectors | AzureFirewall |
| Kind | Scheduled |
| Query frequency | 1h |
| Query period | 24h |
| Trigger threshold | 0 |
| Trigger operator | gt |
| Source Uri | https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Azure Firewall/Analytic Rules/Azure Firewall - High severity malicious activity detected.yaml |
| Version | 1.0.1 |
| Arm template | 504257c1-81e2-4609-8d40-b395e62f11c7.json |
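// Azure Firewall IDPS: aggregate signature hits per source IP and threat category and
// alert when one source trips enough signatures in the categories of interest.
// The projected columns feed the rule's entity mapping (SourceIp) and downstream
// consumers, so their names are kept stable.
let TimeWindow = 90d; // Upper bound on lookback. NOTE(review): when run as a scheduled rule the
                      // data is capped at the rule's queryPeriod (24h), so this only widens ad-hoc runs.
let HitThreshold = 10; // Minimum hits to alert per SourceIp + Category
// AZFWIdpsSignature.Severity is a priority number: 1 = High, 2 = Medium, 3 = Low, i.e. a LOWER
// value is MORE severe. MinSeverity is the least-severe level still included: 1 keeps High only,
// 2 adds Medium, 3 includes everything. (The earlier `Severity >= 1` matched every row, so the
// rule was not actually limited to high severity despite its name.)
let MinSeverity = 1;
let EnableCategoryFilter = true; // Filter 1: use CategoriesOfInterest
let EnableDescriptionFilter = false; // Filter 2: use DescriptionsOfInterest
let EnableActionFilter = false; // Filter 3: use MatchActions
// Signature categories that indicate exploitation, C2, credential theft or malware execution.
let CategoriesOfInterest = dynamic([
    "Targeted Malicious Activity was Detected",
    "Exploit Kit Activity Detected",
    "Domain Observed Used for C2 Detected",
    "Successful Credential Theft Detected",
    "Malware Command and Control Activity Detected",
    "Executable code was detected",
    "A Network Trojan was detected"
]);
// Signature description keywords mirroring the categories above (used only when Filter 2 is on).
let DescriptionsOfInterest = dynamic([
    "targeted-activity",
    "exploit-kit",
    "domain-c2",
    "credential-theft",
    "command-and-control",
    "shellcode-detect",
    "trojan-activity"
]);
// Compared case-insensitively (in~), so "Alert"/"alert" and "Deny"/"deny" all match.
let MatchActions = dynamic(["Deny", "alert"]);
AZFWIdpsSignature
| where TimeGenerated >= ago(TimeWindow)
// Keep signatures at least as severe as MinSeverity (lower number = more severe).
| where Severity <= MinSeverity
// Filter 1: Category filter (optional)
| where (EnableCategoryFilter == false) or (Category has_any (CategoriesOfInterest))
// Filter 2: Description filter (optional)
| where (EnableDescriptionFilter == false) or (Description has_any (DescriptionsOfInterest))
// Filter 3: Action filter (optional)
| where (EnableActionFilter == false) or (Action in~ (MatchActions))
| summarize
    StartTime = min(TimeGenerated),
    EndTime = max(TimeGenerated),
    TotalHits = count(),
    // Column name kept for compatibility; the MOST severe level seen is the LOWEST priority number.
    MaxSeverity = min(Severity),
    Actions = make_set(Action, 5),
    Signatures = make_set(SignatureId, 20),
    // Truncate to keep the alert payload small; three samples are enough for triage.
    Description = make_set(substring(tostring(Description), 0, 120), 3)
    by SourceIp, ThreatCategory = Category
| where TotalHits >= HitThreshold
| project
    StartTime,
    EndTime,
    SourceIp,
    ThreatCategory,
    TotalHits,
    MaxSeverity,
    Actions,
    Signatures,
    Description
// Most severe first (lowest Severity number), then the noisiest source.
| order by MaxSeverity asc, TotalHits desc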
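# Microsoft Sentinel scheduled analytic rule shipped with the Azure Firewall solution.
# Aggregates Azure Firewall IDPS signature hits per source IP and threat category and
# alerts when one source exceeds the hit threshold in the categories of interest.
name: High severity malicious activity detected
query: |
  // The projected columns feed the rule's entity mapping (SourceIp) and downstream
  // consumers, so their names are kept stable.
  let TimeWindow = 90d; // Upper bound on lookback. NOTE(review): as a scheduled rule the data is
                        // capped at queryPeriod (24h), so this only widens ad-hoc runs.
  let HitThreshold = 10; // Minimum hits to alert per SourceIp + Category
  // AZFWIdpsSignature.Severity is a priority number: 1 = High, 2 = Medium, 3 = Low, i.e. a LOWER
  // value is MORE severe. MinSeverity is the least-severe level still included: 1 keeps High only,
  // 2 adds Medium, 3 includes everything. (The earlier `Severity >= 1` matched every row, so the
  // rule was not actually limited to high severity despite its name.)
  let MinSeverity = 1;
  let EnableCategoryFilter = true; // Filter 1: use CategoriesOfInterest
  let EnableDescriptionFilter = false; // Filter 2: use DescriptionsOfInterest
  let EnableActionFilter = false; // Filter 3: use MatchActions
  // Signature categories that indicate exploitation, C2, credential theft or malware execution.
  let CategoriesOfInterest = dynamic([
      "Targeted Malicious Activity was Detected",
      "Exploit Kit Activity Detected",
      "Domain Observed Used for C2 Detected",
      "Successful Credential Theft Detected",
      "Malware Command and Control Activity Detected",
      "Executable code was detected",
      "A Network Trojan was detected"
  ]);
  // Signature description keywords mirroring the categories above (used only when Filter 2 is on).
  let DescriptionsOfInterest = dynamic([
      "targeted-activity",
      "exploit-kit",
      "domain-c2",
      "credential-theft",
      "command-and-control",
      "shellcode-detect",
      "trojan-activity"
  ]);
  // Compared case-insensitively (in~), so "Alert"/"alert" and "Deny"/"deny" all match.
  let MatchActions = dynamic(["Deny", "alert"]);
  AZFWIdpsSignature
  | where TimeGenerated >= ago(TimeWindow)
  // Keep signatures at least as severe as MinSeverity (lower number = more severe).
  | where Severity <= MinSeverity
  // Filter 1: Category filter (optional)
  | where (EnableCategoryFilter == false) or (Category has_any (CategoriesOfInterest))
  // Filter 2: Description filter (optional)
  | where (EnableDescriptionFilter == false) or (Description has_any (DescriptionsOfInterest))
  // Filter 3: Action filter (optional)
  | where (EnableActionFilter == false) or (Action in~ (MatchActions))
  | summarize
      StartTime = min(TimeGenerated),
      EndTime = max(TimeGenerated),
      TotalHits = count(),
      // Column name kept for compatibility; the MOST severe level seen is the LOWEST priority number.
      MaxSeverity = min(Severity),
      Actions = make_set(Action, 5),
      Signatures = make_set(SignatureId, 20),
      // Truncate to keep the alert payload small; three samples are enough for triage.
      Description = make_set(substring(tostring(Description), 0, 120), 3)
      by SourceIp, ThreatCategory = Category
  | where TotalHits >= HitThreshold
  | project
      StartTime,
      EndTime,
      SourceIp,
      ThreatCategory,
      TotalHits,
      MaxSeverity,
      Actions,
      Signatures,
      Description
  // Most severe first (lowest Severity number), then the noisiest source.
  | order by MaxSeverity asc, TotalHits desc
entityMappings:
  - entityType: IP
    fieldMappings:
      - columnName: SourceIp
        identifier: Address
# NOTE(review): with queryFrequency 1h and queryPeriod 24h, the same SourceIp/category aggregate
# can re-alert on every hourly run until it ages out of the window; align the period with the
# frequency or group the resulting incidents if that volume is unwanted.
queryPeriod: 24h
version: 1.0.1  # NOTE(review): bump when the severity filter change in the query ships
tactics:
  - InitialAccess
  - Exfiltration
  - CredentialAccess
  - CommandAndControl
  - Execution
triggerOperator: gt
kind: Scheduled
triggerThreshold: 0
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Azure Firewall/Analytic Rules/Azure Firewall - High severity malicious activity detected.yaml
relevantTechniques:
  - T1190
  - T1041
  - T1003
  - T1204
id: 504257c1-81e2-4609-8d40-b395e62f11c7
severity: High
requiredDataConnectors:
  - connectorId: AzureFirewall
    dataTypes:
      - AZFWIdpsSignature
status: Available
description: |
  Identifies high severity malicious activity in Azure Firewall IDPS logs. Signature hits are
  aggregated per source IP and threat category, and an alert is raised when a single source
  exceeds the hit threshold in categories associated with exploitation, command-and-control,
  credential theft or malware.
queryFrequency: 1h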