Microsoft Sentinel Analytic Rules
cloudbrothers.infoAzure Sentinel RepoToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeBack to homepage
  1. Microsoft Sentinel Analytics Rules
  2. /
  3. Analytic Rules
  4. /
  5. [Deprecated] -Known Barium IP

[Deprecated] -Known Barium IP

Back
Id6ee72a9e-2e54-459c-bc9a-9c09a6502a63
Rulename[Deprecated] -Known Barium IP
DescriptionThis query has been deprecated as the associated IoCs (Indicators of Compromise) are outdated and no longer relevant. To ensure effective threat detection, it is recommended to implement Microsoft’s Threat Intelligence solution, which enables matching your log data with the most up-to-date IoCs generated by Microsoft. This solution can be installed from the Microsoft Sentinel Content Hub if not currently deployed. More details on the Content Hub can be found here: https://learn.microsoft.com/azure/sentinel/sentinel-solutions-deploy
SeverityHigh
TacticsCommandAndControl
Required data connectorsAWS
AWSS3
AzureActiveDirectory
AzureActivity
AzureFirewall
AzureMonitor(IIS)
AzureMonitor(VMInsights)
AzureMonitor(WireData)
CiscoASA
CiscoUmbrellaDataConnector
Corelight
DNS
GCPDNSDataConnector
InfobloxNIOS
MicrosoftSysmonForLinux
MicrosoftThreatProtection
NXLogDnsLogs
Office365
PaloAltoNetworks
SecurityEvents
WindowsForwardedEvents
Zscaler
KindScheduled
Query frequency1d
Query period1d
Trigger threshold0
Trigger operatorgt
Source Urihttps://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Legacy IOC based Threat Protection/Deprecated Analytic Rules/BariumIPIOC112020.yaml
Version2.0.0
Arm template6ee72a9e-2e54-459c-bc9a-9c09a6502a63.json
Deploy To Azure
let IPList = dynamic(["216.24.185.74", "107.175.189.159", "192.210.132.102", "67.230.163.214", 
  "199.19.110.240", "107.148.130.176", "154.212.129.218", "172.86.75.54", "45.61.136.199", 
  "149.28.150.195", "108.61.214.194", "144.202.98.198", "149.28.84.98", "103.99.209.78", 
  "45.61.136.2", "176.122.162.149", "192.3.80.245", "149.28.23.32", "107.182.18.149", "107.174.45.134", 
  "149.248.18.104", "65.49.192.74", "156.255.2.154", "45.76.6.149", "8.9.11.130", "140.238.27.255", 
  "107.182.24.70", "176.122.188.254", "192.161.161.108", "64.64.234.24", "104.224.185.36", 
  "104.233.224.227", "104.36.69.105", "119.28.139.120", "161.117.39.130", "66.42.100.42", "45.76.31.159", 
  "149.248.8.134", "216.24.182.48", "66.42.103.222", "218.89.236.11", "180.150.227.249", "47.75.80.23",
  "124.156.164.19", "149.248.62.83", "150.109.76.174", "222.209.187.207", "218.38.191.38", 
  "119.28.226.59", "66.42.98.220", "74.82.201.8", "173.242.122.198", "45.32.130.72", "89.35.178.10", 
  "89.43.60.113"]); 
(union isfuzzy=true 
(CommonSecurityLog 
| where isnotempty(SourceIP) or isnotempty(DestinationIP) 
| where SourceIP in (IPList) or DestinationIP in (IPList) or Message has_any (IPList) 
| extend IPMatch = case(SourceIP in (IPList), "SourceIP", DestinationIP in (IPList), "DestinationIP", "Message")  
| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated) by SourceIP, DestinationIP, DeviceProduct, DeviceAction, Message, Protocol, SourcePort, DestinationPort, DeviceAddress, DeviceName, IPMatch 
| extend timestamp = StartTimeUtc, IPCustomEntity = case(IPMatch == "SourceIP", SourceIP, IPMatch == "DestinationIP", DestinationIP, "IP in Message Field")  
), 
(OfficeActivity 
|extend SourceIPAddress = ClientIP, Account = UserId 
| where  SourceIPAddress in (IPList) 
| extend timestamp = TimeGenerated , IPCustomEntity = SourceIPAddress , AccountCustomEntity = Account 
),
(_Im_Dns (response_has_any_prefix=IPList)
| extend DestinationIPAddress = ResponseName,  Host = SrcIpAddr 
| extend timestamp = TimeGenerated, IPCustomEntity = DestinationIPAddress, HostCustomEntity = Host 
), 
(_Im_NetworkSession (srcipaddr_has_any_prefix=IPList)
 | extend timestamp = TimeGenerated, IPCustomEntity = SrcIpAddr, HostCustomEntity = Hostname, AccountCustomEntity=User
), 
(_Im_NetworkSession (dstipaddr_has_any_prefix=IPList)
| extend timestamp = TimeGenerated, IPCustomEntity = DstIpAddr, HostCustomEntity = Hostname , AccountCustomEntity = User
), 
(WireData  
| where isnotempty(RemoteIP) 
| where RemoteIP in (IPList) 
| extend timestamp = TimeGenerated, IPCustomEntity = RemoteIP, HostCustomEntity = Computer 
), 
(SigninLogs 
| where isnotempty(IPAddress) 
| where IPAddress in (IPList) 
| extend timestamp = TimeGenerated, AccountCustomEntity = UserPrincipalName, IPCustomEntity = IPAddress 
),
(AADNonInteractiveUserSignInLogs 
| where isnotempty(IPAddress) 
| where IPAddress in (IPList) 
| extend timestamp = TimeGenerated, AccountCustomEntity = UserPrincipalName, IPCustomEntity = IPAddress 
), 
(W3CIISLog  
| where isnotempty(cIP) 
| where cIP in (IPList) 
| extend timestamp = TimeGenerated, IPCustomEntity = cIP, HostCustomEntity = Computer, AccountCustomEntity = csUserName 
), 
(AzureActivity  
| where isnotempty(CallerIpAddress) 
| where CallerIpAddress in (IPList) 
| extend timestamp = TimeGenerated, IPCustomEntity = CallerIpAddress, AccountCustomEntity = Caller 
), 
( 
AWSCloudTrail 
| where isnotempty(SourceIpAddress) 
| where SourceIpAddress in (IPList) 
| extend timestamp = TimeGenerated, IPCustomEntity = SourceIpAddress, AccountCustomEntity = UserIdentityUserName 
), 
( 
DeviceNetworkEvents 
| where isnotempty(RemoteIP)  
| where RemoteIP in (IPList)  
| extend timestamp = TimeGenerated, IPCustomEntity = RemoteIP, HostCustomEntity = DeviceName  
),
(
AzureDiagnostics
| where ResourceType == "AZUREFIREWALLS"
| where Category == "AzureFirewallApplicationRule"
| parse msg_s with Protocol 'request from ' SourceHost ':' SourcePort 'to ' DestinationHost ':' DestinationPort '. Action:' Action
| where isnotempty(DestinationHost)
| where DestinationHost has_any (IPList)  
| extend DestinationIP = DestinationHost 
| extend IPCustomEntity = SourceHost
),
(
AzureDiagnostics
| where ResourceType == "AZUREFIREWALLS"
| where Category == "AzureFirewallNetworkRule"
| parse msg_s with Protocol 'request from ' SourceHost ':' SourcePort 'to ' DestinationHost ':' DestinationPort '. Action:' Action
| where isnotempty(DestinationHost)
| where DestinationHost has_any (IPList)  
| extend DestinationIP = DestinationHost 
| extend IPCustomEntity = SourceHost
),
(
AZFWApplicationRule
| where Fqdn has_any (IPList)
| extend IPCustomEntity = SourceIp
),
(
AZFWNetworkRule
| where DestinationIp has_any (IPList)
| extend IPCustomEntity = SourceIp
)
) 

tactics:
- CommandAndControl
id: 6ee72a9e-2e54-459c-bc9a-9c09a6502a63
severity: High
status: Available
name: '[Deprecated] -Known Barium IP'
requiredDataConnectors:
- connectorId: AWSS3
  datatypes:
  - AWSVPCFlow
- connectorId: WindowsForwardedEvents
  dataTypes:
  - WindowsEvent
- connectorId: MicrosoftSysmonForLinux
  dataTypes:
  - Syslog
- connectorId: Office365
  dataTypes:
  - OfficeActivity
- connectorId: DNS
  dataTypes:
  - DnsEvents
- connectorId: AzureMonitor(VMInsights)
  dataTypes:
  - VMConnection
- connectorId: CiscoASA
  dataTypes:
  - CommonSecurityLog
- connectorId: PaloAltoNetworks
  dataTypes:
  - CommonSecurityLog
- connectorId: SecurityEvents
  dataTypes:
  - SecurityEvent
- connectorId: AzureActiveDirectory
  dataTypes:
  - SigninLogs
- connectorId: AzureActiveDirectory
  dataTypes:
  - AADNonInteractiveUserSignInLogs
- connectorId: AzureMonitor(WireData)
  dataTypes:
  - WireData
- connectorId: AzureMonitor(IIS)
  dataTypes:
  - W3CIISLog
- connectorId: AzureActivity
  dataTypes:
  - AzureActivity
- connectorId: AWS
  dataTypes:
  - AWSCloudTrail
- connectorId: MicrosoftThreatProtection
  dataTypes:
  - DeviceNetworkEvents
- connectorId: AzureFirewall
  dataTypes:
  - AzureDiagnostics
  - AZFWApplicationRule
  - AZFWNetworkRule
- connectorId: Zscaler
  dataTypes:
  - CommonSecurityLog
- connectorId: InfobloxNIOS
  dataTypes:
  - Syslog
- connectorId: GCPDNSDataConnector
  dataTypes:
  - GCP_DNS_CL
- connectorId: NXLogDnsLogs
  dataTypes:
  - NXLog_DNS_Server_CL
- connectorId: CiscoUmbrellaDataConnector
  dataTypes:
  - Cisco_Umbrella_dns_CL
- connectorId: Corelight
  dataTypes:
  - Corelight_CL
query: |
  let IPList = dynamic(["216.24.185.74", "107.175.189.159", "192.210.132.102", "67.230.163.214", 
    "199.19.110.240", "107.148.130.176", "154.212.129.218", "172.86.75.54", "45.61.136.199", 
    "149.28.150.195", "108.61.214.194", "144.202.98.198", "149.28.84.98", "103.99.209.78", 
    "45.61.136.2", "176.122.162.149", "192.3.80.245", "149.28.23.32", "107.182.18.149", "107.174.45.134", 
    "149.248.18.104", "65.49.192.74", "156.255.2.154", "45.76.6.149", "8.9.11.130", "140.238.27.255", 
    "107.182.24.70", "176.122.188.254", "192.161.161.108", "64.64.234.24", "104.224.185.36", 
    "104.233.224.227", "104.36.69.105", "119.28.139.120", "161.117.39.130", "66.42.100.42", "45.76.31.159", 
    "149.248.8.134", "216.24.182.48", "66.42.103.222", "218.89.236.11", "180.150.227.249", "47.75.80.23",
    "124.156.164.19", "149.248.62.83", "150.109.76.174", "222.209.187.207", "218.38.191.38", 
    "119.28.226.59", "66.42.98.220", "74.82.201.8", "173.242.122.198", "45.32.130.72", "89.35.178.10", 
    "89.43.60.113"]); 
  (union isfuzzy=true 
  (CommonSecurityLog 
  | where isnotempty(SourceIP) or isnotempty(DestinationIP) 
  | where SourceIP in (IPList) or DestinationIP in (IPList) or Message has_any (IPList) 
  | extend IPMatch = case(SourceIP in (IPList), "SourceIP", DestinationIP in (IPList), "DestinationIP", "Message")  
  | summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated) by SourceIP, DestinationIP, DeviceProduct, DeviceAction, Message, Protocol, SourcePort, DestinationPort, DeviceAddress, DeviceName, IPMatch 
  | extend timestamp = StartTimeUtc, IPCustomEntity = case(IPMatch == "SourceIP", SourceIP, IPMatch == "DestinationIP", DestinationIP, "IP in Message Field")  
  ), 
  (OfficeActivity 
  |extend SourceIPAddress = ClientIP, Account = UserId 
  | where  SourceIPAddress in (IPList) 
  | extend timestamp = TimeGenerated , IPCustomEntity = SourceIPAddress , AccountCustomEntity = Account 
  ),
  (_Im_Dns (response_has_any_prefix=IPList)
  | extend DestinationIPAddress = ResponseName,  Host = SrcIpAddr 
  | extend timestamp = TimeGenerated, IPCustomEntity = DestinationIPAddress, HostCustomEntity = Host 
  ), 
  (_Im_NetworkSession (srcipaddr_has_any_prefix=IPList)
   | extend timestamp = TimeGenerated, IPCustomEntity = SrcIpAddr, HostCustomEntity = Hostname, AccountCustomEntity=User
  ), 
  (_Im_NetworkSession (dstipaddr_has_any_prefix=IPList)
  | extend timestamp = TimeGenerated, IPCustomEntity = DstIpAddr, HostCustomEntity = Hostname , AccountCustomEntity = User
  ), 
  (WireData  
  | where isnotempty(RemoteIP) 
  | where RemoteIP in (IPList) 
  | extend timestamp = TimeGenerated, IPCustomEntity = RemoteIP, HostCustomEntity = Computer 
  ), 
  (SigninLogs 
  | where isnotempty(IPAddress) 
  | where IPAddress in (IPList) 
  | extend timestamp = TimeGenerated, AccountCustomEntity = UserPrincipalName, IPCustomEntity = IPAddress 
  ),
  (AADNonInteractiveUserSignInLogs 
  | where isnotempty(IPAddress) 
  | where IPAddress in (IPList) 
  | extend timestamp = TimeGenerated, AccountCustomEntity = UserPrincipalName, IPCustomEntity = IPAddress 
  ), 
  (W3CIISLog  
  | where isnotempty(cIP) 
  | where cIP in (IPList) 
  | extend timestamp = TimeGenerated, IPCustomEntity = cIP, HostCustomEntity = Computer, AccountCustomEntity = csUserName 
  ), 
  (AzureActivity  
  | where isnotempty(CallerIpAddress) 
  | where CallerIpAddress in (IPList) 
  | extend timestamp = TimeGenerated, IPCustomEntity = CallerIpAddress, AccountCustomEntity = Caller 
  ), 
  ( 
  AWSCloudTrail 
  | where isnotempty(SourceIpAddress) 
  | where SourceIpAddress in (IPList) 
  | extend timestamp = TimeGenerated, IPCustomEntity = SourceIpAddress, AccountCustomEntity = UserIdentityUserName 
  ), 
  ( 
  DeviceNetworkEvents 
  | where isnotempty(RemoteIP)  
  | where RemoteIP in (IPList)  
  | extend timestamp = TimeGenerated, IPCustomEntity = RemoteIP, HostCustomEntity = DeviceName  
  ),
  (
  AzureDiagnostics
  | where ResourceType == "AZUREFIREWALLS"
  | where Category == "AzureFirewallApplicationRule"
  | parse msg_s with Protocol 'request from ' SourceHost ':' SourcePort 'to ' DestinationHost ':' DestinationPort '. Action:' Action
  | where isnotempty(DestinationHost)
  | where DestinationHost has_any (IPList)  
  | extend DestinationIP = DestinationHost 
  | extend IPCustomEntity = SourceHost
  ),
  (
  AzureDiagnostics
  | where ResourceType == "AZUREFIREWALLS"
  | where Category == "AzureFirewallNetworkRule"
  | parse msg_s with Protocol 'request from ' SourceHost ':' SourcePort 'to ' DestinationHost ':' DestinationPort '. Action:' Action
  | where isnotempty(DestinationHost)
  | where DestinationHost has_any (IPList)  
  | extend DestinationIP = DestinationHost 
  | extend IPCustomEntity = SourceHost
  ),
  (
  AZFWApplicationRule
  | where Fqdn has_any (IPList)
  | extend IPCustomEntity = SourceIp
  ),
  (
  AZFWNetworkRule
  | where DestinationIp has_any (IPList)
  | extend IPCustomEntity = SourceIp
  )
  )   
queryPeriod: 1d
entityMappings:
- entityType: Account
  fieldMappings:
  - identifier: FullName
    columnName: AccountCustomEntity
- entityType: Host
  fieldMappings:
  - identifier: FullName
    columnName: HostCustomEntity
- entityType: IP
  fieldMappings:
  - identifier: Address
    columnName: IPCustomEntity
tags:
- Schema: ASIMDns
  SchemaVersion: 0.1.1
triggerOperator: gt
triggerThreshold: 0
description: |
    'This query has been deprecated as the associated IoCs (Indicators of Compromise) are outdated and no longer relevant. To ensure effective threat detection, it is recommended to implement Microsoft's Threat Intelligence solution, which enables matching your log data with the most up-to-date IoCs generated by Microsoft. This solution can be installed from the Microsoft Sentinel Content Hub if not currently deployed. More details on the Content Hub can be found here: https://learn.microsoft.com/azure/sentinel/sentinel-solutions-deploy'
version: 2.0.0
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Legacy IOC based Threat Protection/Deprecated Analytic Rules/BariumIPIOC112020.yaml
queryFrequency: 1d
kind: Scheduled

{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "workspace": {
      "type": "String"
    }
  },
  "resources": [
    {
      "apiVersion": "2024-01-01-preview",
      "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/6ee72a9e-2e54-459c-bc9a-9c09a6502a63')]",
      "kind": "Scheduled",
      "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/6ee72a9e-2e54-459c-bc9a-9c09a6502a63')]",
      "properties": {
        "alertRuleTemplateName": "6ee72a9e-2e54-459c-bc9a-9c09a6502a63",
        "customDetails": null,
        "description": "'This query has been deprecated as the associated IoCs (Indicators of Compromise) are outdated and no longer relevant. To ensure effective threat detection, it is recommended to implement Microsoft's Threat Intelligence solution, which enables matching your log data with the most up-to-date IoCs generated by Microsoft. This solution can be installed from the Microsoft Sentinel Content Hub if not currently deployed. More details on the Content Hub can be found here: https://learn.microsoft.com/azure/sentinel/sentinel-solutions-deploy'\n",
        "displayName": "[Deprecated] -Known Barium IP",
        "enabled": true,
        "entityMappings": [
          {
            "entityType": "Account",
            "fieldMappings": [
              {
                "columnName": "AccountCustomEntity",
                "identifier": "FullName"
              }
            ]
          },
          {
            "entityType": "Host",
            "fieldMappings": [
              {
                "columnName": "HostCustomEntity",
                "identifier": "FullName"
              }
            ]
          },
          {
            "entityType": "IP",
            "fieldMappings": [
              {
                "columnName": "IPCustomEntity",
                "identifier": "Address"
              }
            ]
          }
        ],
        "OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Legacy IOC based Threat Protection/Deprecated Analytic Rules/BariumIPIOC112020.yaml",
        "query": "let IPList = dynamic([\"216.24.185.74\", \"107.175.189.159\", \"192.210.132.102\", \"67.230.163.214\", \n  \"199.19.110.240\", \"107.148.130.176\", \"154.212.129.218\", \"172.86.75.54\", \"45.61.136.199\", \n  \"149.28.150.195\", \"108.61.214.194\", \"144.202.98.198\", \"149.28.84.98\", \"103.99.209.78\", \n  \"45.61.136.2\", \"176.122.162.149\", \"192.3.80.245\", \"149.28.23.32\", \"107.182.18.149\", \"107.174.45.134\", \n  \"149.248.18.104\", \"65.49.192.74\", \"156.255.2.154\", \"45.76.6.149\", \"8.9.11.130\", \"140.238.27.255\", \n  \"107.182.24.70\", \"176.122.188.254\", \"192.161.161.108\", \"64.64.234.24\", \"104.224.185.36\", \n  \"104.233.224.227\", \"104.36.69.105\", \"119.28.139.120\", \"161.117.39.130\", \"66.42.100.42\", \"45.76.31.159\", \n  \"149.248.8.134\", \"216.24.182.48\", \"66.42.103.222\", \"218.89.236.11\", \"180.150.227.249\", \"47.75.80.23\",\n  \"124.156.164.19\", \"149.248.62.83\", \"150.109.76.174\", \"222.209.187.207\", \"218.38.191.38\", \n  \"119.28.226.59\", \"66.42.98.220\", \"74.82.201.8\", \"173.242.122.198\", \"45.32.130.72\", \"89.35.178.10\", \n  \"89.43.60.113\"]); \n(union isfuzzy=true \n(CommonSecurityLog \n| where isnotempty(SourceIP) or isnotempty(DestinationIP) \n| where SourceIP in (IPList) or DestinationIP in (IPList) or Message has_any (IPList) \n| extend IPMatch = case(SourceIP in (IPList), \"SourceIP\", DestinationIP in (IPList), \"DestinationIP\", \"Message\")  \n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated) by SourceIP, DestinationIP, DeviceProduct, DeviceAction, Message, Protocol, SourcePort, DestinationPort, DeviceAddress, DeviceName, IPMatch \n| extend timestamp = StartTimeUtc, IPCustomEntity = case(IPMatch == \"SourceIP\", SourceIP, IPMatch == \"DestinationIP\", DestinationIP, \"IP in Message Field\")  \n), \n(OfficeActivity \n|extend SourceIPAddress = ClientIP, Account = UserId \n| where  SourceIPAddress in (IPList) \n| extend timestamp = TimeGenerated , IPCustomEntity = SourceIPAddress , AccountCustomEntity = Account \n),\n(_Im_Dns (response_has_any_prefix=IPList)\n| extend DestinationIPAddress = ResponseName,  Host = SrcIpAddr \n| extend timestamp = TimeGenerated, IPCustomEntity = DestinationIPAddress, HostCustomEntity = Host \n), \n(_Im_NetworkSession (srcipaddr_has_any_prefix=IPList)\n | extend timestamp = TimeGenerated, IPCustomEntity = SrcIpAddr, HostCustomEntity = Hostname, AccountCustomEntity=User\n), \n(_Im_NetworkSession (dstipaddr_has_any_prefix=IPList)\n| extend timestamp = TimeGenerated, IPCustomEntity = DstIpAddr, HostCustomEntity = Hostname , AccountCustomEntity = User\n), \n(WireData  \n| where isnotempty(RemoteIP) \n| where RemoteIP in (IPList) \n| extend timestamp = TimeGenerated, IPCustomEntity = RemoteIP, HostCustomEntity = Computer \n), \n(SigninLogs \n| where isnotempty(IPAddress) \n| where IPAddress in (IPList) \n| extend timestamp = TimeGenerated, AccountCustomEntity = UserPrincipalName, IPCustomEntity = IPAddress \n),\n(AADNonInteractiveUserSignInLogs \n| where isnotempty(IPAddress) \n| where IPAddress in (IPList) \n| extend timestamp = TimeGenerated, AccountCustomEntity = UserPrincipalName, IPCustomEntity = IPAddress \n), \n(W3CIISLog  \n| where isnotempty(cIP) \n| where cIP in (IPList) \n| extend timestamp = TimeGenerated, IPCustomEntity = cIP, HostCustomEntity = Computer, AccountCustomEntity = csUserName \n), \n(AzureActivity  \n| where isnotempty(CallerIpAddress) \n| where CallerIpAddress in (IPList) \n| extend timestamp = TimeGenerated, IPCustomEntity = CallerIpAddress, AccountCustomEntity = Caller \n), \n( \nAWSCloudTrail \n| where isnotempty(SourceIpAddress) \n| where SourceIpAddress in (IPList) \n| extend timestamp = TimeGenerated, IPCustomEntity = SourceIpAddress, AccountCustomEntity = UserIdentityUserName \n), \n( \nDeviceNetworkEvents \n| where isnotempty(RemoteIP)  \n| where RemoteIP in (IPList)  \n| extend timestamp = TimeGenerated, IPCustomEntity = RemoteIP, HostCustomEntity = DeviceName  \n),\n(\nAzureDiagnostics\n| where ResourceType == \"AZUREFIREWALLS\"\n| where Category == \"AzureFirewallApplicationRule\"\n| parse msg_s with Protocol 'request from ' SourceHost ':' SourcePort 'to ' DestinationHost ':' DestinationPort '. Action:' Action\n| where isnotempty(DestinationHost)\n| where DestinationHost has_any (IPList)  \n| extend DestinationIP = DestinationHost \n| extend IPCustomEntity = SourceHost\n),\n(\nAzureDiagnostics\n| where ResourceType == \"AZUREFIREWALLS\"\n| where Category == \"AzureFirewallNetworkRule\"\n| parse msg_s with Protocol 'request from ' SourceHost ':' SourcePort 'to ' DestinationHost ':' DestinationPort '. Action:' Action\n| where isnotempty(DestinationHost)\n| where DestinationHost has_any (IPList)  \n| extend DestinationIP = DestinationHost \n| extend IPCustomEntity = SourceHost\n),\n(\nAZFWApplicationRule\n| where Fqdn has_any (IPList)\n| extend IPCustomEntity = SourceIp\n),\n(\nAZFWNetworkRule\n| where DestinationIp has_any (IPList)\n| extend IPCustomEntity = SourceIp\n)\n) \n",
        "queryFrequency": "P1D",
        "queryPeriod": "P1D",
        "severity": "High",
        "status": "Available",
        "subTechniques": [],
        "suppressionDuration": "PT1H",
        "suppressionEnabled": false,
        "tactics": [
          "CommandAndControl"
        ],
        "tags": [
          {
            "Schema": "ASIMDns",
            "SchemaVersion": "0.1.1"
          }
        ],
        "templateVersion": "2.0.0",
        "triggerOperator": "GreaterThan",
        "triggerThreshold": 0
      },
      "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules"
    }
  ]
}