Microsoft Sentinel Analytic Rules

Medium severity malicious activity detected

Iddfbe3963-42fb-4ebe-a00c-1cc44e2aa9f0
RulenameMedium severity malicious activity detected
DescriptionIdentifies medium severity malicious activity in Azure Firewall IDPS logs.
SeverityMedium
TacticsInitialAccess
Execution
DefenseEvasion
Impact
TechniquesT1496
T1204
T1036
Required data connectorsAzureFirewall
KindScheduled
Query frequency1h
Query period24h
Trigger threshold1
Trigger operatorgt
Source Urihttps://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Azure Firewall/Analytic Rules/Azure Firewall - Medium severity malicious activity detected.yaml
Version1.0.0
Arm templatedfbe3963-42fb-4ebe-a00c-1cc44e2aa9f0.json
// Azure Firewall IDPS: surface source IPs that repeatedly trigger signatures at
// or above a numeric severity floor, grouped per signature category.
//
// NOTE(review): the rule's queryPeriod is 24h, so a scheduled run only sees 24h
// of data even though the lookback below is 90d; an ad-hoc run uses the full 90d.
// NOTE(review): Severity is compared numerically (>= 2) and ranked with max();
// confirm the numeric ordering of AZFWIdpsSignature.Severity so that "medium"
// is selected and MaxSeverity / the final sort rank as intended.
let lookback            = 90d;
let minHitsPerSource    = 10;
let minSeverity         = 2;
let filterByCategory    = true;
let filterByDescription = false;
let filterByAction      = false;
let watchedCategories = dynamic([
    "Possibly Unwanted Program Detected",
    "Possible Social Engineering Attempted",
    "Crypto Currency Mining Activity Detected",
    "A suspicious filename was detected",
    "A system call was detected"
]);
let watchedDescriptions = dynamic([
    "pup-activity",
    "social-engineering",
    "coin-mining",
    "suspicious-filename-detect",
    "system-call-detect"
]);
// Matched with in~ below, i.e. case-insensitively.
let watchedActions = dynamic(["Deny", "alert"]);
AZFWIdpsSignature
| where TimeGenerated >= ago(lookback) and Severity >= minSeverity
// Each optional filter is a no-op while its toggle is false.
| where (not(filterByCategory)    or (Category    has_any (watchedCategories)))
    and (not(filterByDescription) or (Description has_any (watchedDescriptions)))
    and (not(filterByAction)      or (Action      in~ (watchedActions)))
// One row per source IP and category; sets are capped (5 actions,
// 20 signature ids, 3 description samples truncated to 120 chars).
| summarize
    StartTime   = min(TimeGenerated),
    EndTime     = max(TimeGenerated),
    TotalHits   = count(),
    MaxSeverity = max(Severity),
    Actions     = make_set(Action, 5),
    Signatures  = make_set(SignatureId, 20),
    Description = make_set(substring(tostring(Description), 0, 120), 3)
    by SourceIp, ThreatCategory = Category
| where TotalHits >= minHitsPerSource
// Fix the output column order (summarize emits the by-columns first).
| project StartTime, EndTime, SourceIp, ThreatCategory, TotalHits,
          MaxSeverity, Actions, Signatures, Description
| order by MaxSeverity desc, TotalHits desc
# Sentinel scheduled analytic rule: Azure Firewall IDPS hits per source IP.
name: Medium severity malicious activity detected
kind: Scheduled
tactics:
- InitialAccess
- Execution
- DefenseEvasion
- Impact
# Fires when the query returns more than 1 row; the per-source hit floor (10)
# is applied inside the query itself.
triggerThreshold: 1
triggerOperator: gt
version: 1.0.0
status: Available
queryFrequency: 1h
id: dfbe3963-42fb-4ebe-a00c-1cc44e2aa9f0
requiredDataConnectors:
- connectorId: AzureFirewall
  dataTypes:
  - AZFWIdpsSignature
relevantTechniques:
- T1496
- T1204
- T1036
description: |
    Identifies medium severity malicious activity in Azure Firewall IDPS logs.
# Only the source IP is mapped to an entity; Category / SignatureId are
# carried as plain columns.
entityMappings:
- entityType: IP
  fieldMappings:
  - columnName: SourceIp
    identifier: Address
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Azure Firewall/Analytic Rules/Azure Firewall - Medium severity malicious activity detected.yaml
# NOTE(review): queryPeriod bounds a scheduled run's lookback to 24h, while the
# query's own TimeWindow is 90d — confirm which window is intended.
queryPeriod: 24h
severity: Medium
query: |
  // Tunables: lookback, per-source hit floor, numeric severity floor and the
  // three optional filter toggles (a toggle set to false disables its filter).
  // NOTE(review): Severity is compared numerically (>= 2) and ranked with
  // max(); confirm the numeric ordering of AZFWIdpsSignature.Severity so
  // that "medium" is selected and MaxSeverity / the sort rank as intended.
  let TimeWindow   = 90d;    
  let HitThreshold = 10;
  let MinSeverity  = 2;
  let EnableCategoryFilter    = true;
  let EnableDescriptionFilter = false;
  let EnableActionFilter      = false;
  let CategoriesOfInterest = dynamic([
      "Possibly Unwanted Program Detected",
      "Possible Social Engineering Attempted",
      "Crypto Currency Mining Activity Detected",
      "A suspicious filename was detected",
      "A system call was detected"
  ]);
  let DescriptionsOfInterest = dynamic([
      "pup-activity",
      "social-engineering",
      "coin-mining",
      "suspicious-filename-detect",
      "system-call-detect"
  ]);
  // Matched with in~ below, i.e. case-insensitively.
  let MatchActions = dynamic(["Deny", "alert"]);
  AZFWIdpsSignature
  | where TimeGenerated >= ago(TimeWindow)
  | where Severity >= MinSeverity
  | where (EnableCategoryFilter == false) or (Category has_any (CategoriesOfInterest))
  | where (EnableDescriptionFilter == false) or (Description has_any (DescriptionsOfInterest))
  | where (EnableActionFilter == false) or (Action in~ (MatchActions))
  // One row per source IP and category; sets are capped (5 actions,
  // 20 signature ids, 3 description samples truncated to 120 chars).
  | summarize
      StartTime   = min(TimeGenerated),
      EndTime     = max(TimeGenerated),
      TotalHits   = count(),
      MaxSeverity = max(Severity),
      Actions     = make_set(Action, 5),
      Signatures  = make_set(SignatureId, 20),
      Description = make_set(substring(tostring(Description), 0, 120), 3)
      by SourceIp, ThreatCategory = Category
  | where TotalHits >= HitThreshold
  // Fix the output column order (summarize emits the by-columns first).
  | project
      StartTime,
      EndTime,
      SourceIp,
      ThreatCategory,
      TotalHits,
      MaxSeverity,
      Actions,
      Signatures,
      Description
  | order by MaxSeverity desc, TotalHits desc