diff --git a/Solutions/Azure Firewall/Analytic Rules/Azure Firewall - Multiple Sources Affected by the Same TI Destination.yaml b/Solutions/Azure Firewall/Analytic Rules/Azure Firewall - Multiple Sources Affected by the Same TI Destination.yaml
index 82a276f40af..fd5acb8ef17 100644
--- a/Solutions/Azure Firewall/Analytic Rules/Azure Firewall - Multiple Sources Affected by the Same TI Destination.yaml
+++ b/Solutions/Azure Firewall/Analytic Rules/Azure Firewall - Multiple Sources Affected by the Same TI Destination.yaml
@@ -36,6 +36,7 @@ query: |
 | parse msg_s with * "from " SourceIp ":" SourcePort:int " to " Fqdn ":" DestinationPort:int "." * "Action: Deny. " ThreatDescription),
 (AZFWThreatIntel
 | where TimeGenerated between (ago(StartRunTime) .. ago(EndRunTime)))
+| extend Fqdn = DestinationIp
 | summarize TiTrafficCount = count(), dCountSourceIps = dcount(SourceIp), AffectedIps = make_set(SourceIp, 10000) by Fqdn, ThreatDescription
 | where array_length(AffectedIps) > MinAffectedThreshold
 | mv-expand SourceIp = AffectedIps
@@ -49,5 +50,5 @@ entityMappings:
 fieldMappings:
 - identifier: Url
 columnName: Fqdn
-version: 1.1.3
+version: 1.1.4
 kind: Scheduled
diff --git a/Solutions/Azure Firewall/Package/3.0.5.zip b/Solutions/Azure Firewall/Package/3.0.5.zip
index 9d9272488b7..228ae193ac8 100644
Binary files a/Solutions/Azure Firewall/Package/3.0.5.zip and b/Solutions/Azure Firewall/Package/3.0.5.zip differ
diff --git a/Solutions/Azure Firewall/Package/mainTemplate.json b/Solutions/Azure Firewall/Package/mainTemplate.json
index a7723cf7988..988255e2ea5 100644
--- a/Solutions/Azure Firewall/Package/mainTemplate.json
+++ b/Solutions/Azure Firewall/Package/mainTemplate.json
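Review bot: The added `| extend Fqdn = DestinationIp` sits after the closing `)))` of the AZFWThreatIntel branch, so it runs on the union output and overwrites the Fqdn parsed from msg_s for AzureDiagnostics rows too; those rows presumably carry no DestinationIp value, so they would collapse into one empty Fqdn group in the summarize and the AzureDiagnostics path of the rule stops producing per-destination alerts. Moving the extend inside the branch, or making it conditional, keeps both paths intact: `| extend Fqdn = iff(isempty(Fqdn), DestinationIp, Fqdn)`. With that, the URL entity mapping (`identifier: Url` / `columnName: Fqdn` in the second hunk) will carry an IP address for resource-specific hits; if AZFWThreatIntel also populates Fqdn for domain matches, consider an additional IP entity on DestinationIp so analysts get a pivotable entity either way. The same query string is repeated in Package/mainTemplate.json further down in this diff and needs the same change (that file appears generated, so regenerating it after fixing the YAML is the usual route). Separately, ReleaseNotes.md adds a 3.0.6 row while the binary updated is still Package/3.0.5.zip — worth confirming the intended package version.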
@@ -154,11 +154,11 @@
 "_analyticRulecontentProductId3": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','b2c5907b-1040-4692-9802-9946031017e8','-', '1.1.2')))]"
 },
 "analyticRuleObject4": {
- "analyticRuleVersion4": "1.1.3",
+ "analyticRuleVersion4": "1.1.4",
 "_analyticRulecontentId4": "4644baf7-3464-45dd-bd9d-e07687e25f81",
 "analyticRuleId4": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', '4644baf7-3464-45dd-bd9d-e07687e25f81')]",
 "analyticRuleTemplateSpecName4": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('4644baf7-3464-45dd-bd9d-e07687e25f81')))]",
- "_analyticRulecontentProductId4": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','4644baf7-3464-45dd-bd9d-e07687e25f81','-', '1.1.3')))]"
+ "_analyticRulecontentProductId4": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','4644baf7-3464-45dd-bd9d-e07687e25f81','-', '1.1.4')))]"
 },
 "analyticRuleObject5": {
 "analyticRuleVersion5": "1.1.3",
@@ -4003,7 +4003,7 @@
 ],
 "metadata": {
 "comments": "This Azure Firewall connector uses Firewall, IP Groups and Firewall Policies APIs to perform different actions on the Firewall, IP Groups and Firewall Policies.",
- "lastUpdateTime": "2025-08-28T17:57:43.001Z",
+ "lastUpdateTime": "2025-10-28T17:31:27.068Z",
 "releaseNotes": {
 "version": "1.0",
 "title": "[variables('blanks')]",
@@ -6497,14 +6497,14 @@
 "status": "Available",
 "requiredDataConnectors": [
 {
- "connectorId": "AzureFirewall",
 "dataTypes": [
 "AzureDiagnostics",
 "AZFWApplicationRule",
 "AZFWNetworkRule",
 "AZFWFlowTrace",
 "AZFWIdpsSignature"
- ]
+ ],
+ "connectorId": "AzureFirewall"
 }
 ],
 "tactics": [
@@ -6521,8 +6521,8 @@
 {
 "fieldMappings": [
 {
- "identifier": "Address",
- "columnName": "SourceIp"
+ "columnName": "SourceIp",
+ "identifier": "Address"
 }
 ],
 "entityType": "IP"
@@ -6530,8 +6530,8 @@
 {
 "fieldMappings": [
 {
- "identifier": "Url",
- "columnName": "Fqdn"
+ "columnName": "Fqdn",
+ "identifier": "Url"
 }
 ],
 "entityType": "URL"
@@ -6618,12 +6618,12 @@
 "status": "Available",
 "requiredDataConnectors": [
 {
- "connectorId": "AzureFirewall",
 "dataTypes": [
 "AzureDiagnostics",
 "AZFWApplicationRule",
 "AZFWNetworkRule"
- ]
+ ],
+ "connectorId": "AzureFirewall"
 }
 ],
 "tactics": [
@@ -6636,8 +6636,8 @@
 {
 "fieldMappings": [
 {
- "identifier": "Address",
- "columnName": "SourceIp"
+ "columnName": "SourceIp",
+ "identifier": "Address"
 }
 ],
 "entityType": "IP"
@@ -6645,8 +6645,8 @@
 {
 "fieldMappings": [
 {
- "identifier": "Url",
- "columnName": "Fqdn"
+ "columnName": "Fqdn",
+ "identifier": "Url"
 }
 ],
 "entityType": "URL"
@@ -6733,12 +6733,12 @@
 "status": "Available",
 "requiredDataConnectors": [
 {
- "connectorId": "AzureFirewall",
 "dataTypes": [
 "AzureDiagnostics",
 "AZFWApplicationRule",
 "AZFWNetworkRule"
- ]
+ ],
+ "connectorId": "AzureFirewall"
 }
 ],
 "tactics": [
@@ -6751,8 +6751,8 @@
 {
 "fieldMappings": [
 {
- "identifier": "Address",
- "columnName": "SourceIp"
+ "columnName": "SourceIp",
+ "identifier": "Address"
 }
 ],
 "entityType": "IP"
@@ -6760,8 +6760,8 @@
 {
 "fieldMappings": [
 {
- "identifier": "Url",
- "columnName": "Fqdn"
+ "columnName": "Fqdn",
+ "identifier": "Url"
 }
 ],
 "entityType": "URL"
@@ -6837,7 +6837,7 @@
 "description": "Identifies multiple machines trying to reach out to the same destination blocked by TI in Azure Firewall. This can indicate attack on the organization by the same attack group.\n\nConfigurable Parameters:\n\n- Minimum affected threshold - alert only if more than this number of hosts affected. Default is set to 5.\n- Recommendation is to use the new resource specific logs. If you are using both, the TiTraffic Count will be duplicated.",
 "displayName": "Multiple Sources Affected by the Same TI Destination",
 "enabled": false,
- "query": "let RunTime = 1d; \nlet StartRunTime = 1d; \nlet EndRunTime = StartRunTime - RunTime; \nlet MinAffectedThreshold = 5;\nunion isfuzzy=true\n(AzureDiagnostics \n| where TimeGenerated between (ago(StartRunTime) .. ago(EndRunTime))\n| where OperationName == \"AzureFirewallThreatIntelLog\"\n| parse msg_s with * \"from \" SourceIp \":\" SourcePort:int \" to \" Fqdn \":\" DestinationPort:int \".\" * \"Action: Deny. \" ThreatDescription),\n(AZFWThreatIntel\n| where TimeGenerated between (ago(StartRunTime) .. ago(EndRunTime)))\n| summarize TiTrafficCount = count(), dCountSourceIps = dcount(SourceIp), AffectedIps = make_set(SourceIp, 10000) by Fqdn, ThreatDescription\n| where array_length(AffectedIps) > MinAffectedThreshold\n| mv-expand SourceIp = AffectedIps\n| order by TiTrafficCount desc, Fqdn asc, parse_ipv4(tostring(SourceIp)) asc\n",
+ "query": "let RunTime = 1d; \nlet StartRunTime = 1d; \nlet EndRunTime = StartRunTime - RunTime; \nlet MinAffectedThreshold = 5;\nunion isfuzzy=true\n(AzureDiagnostics \n| where TimeGenerated between (ago(StartRunTime) .. ago(EndRunTime))\n| where OperationName == \"AzureFirewallThreatIntelLog\"\n| parse msg_s with * \"from \" SourceIp \":\" SourcePort:int \" to \" Fqdn \":\" DestinationPort:int \".\" * \"Action: Deny. \" ThreatDescription),\n(AZFWThreatIntel\n| where TimeGenerated between (ago(StartRunTime) .. 
ago(EndRunTime)))\n| extend Fqdn = DestinationIp\n| summarize TiTrafficCount = count(), dCountSourceIps = dcount(SourceIp), AffectedIps = make_set(SourceIp, 10000) by Fqdn, ThreatDescription\n| where array_length(AffectedIps) > MinAffectedThreshold\n| mv-expand SourceIp = AffectedIps\n| order by TiTrafficCount desc, Fqdn asc, parse_ipv4(tostring(SourceIp)) asc\n",
 "queryFrequency": "P1D",
 "queryPeriod": "P1D",
 "severity": "Medium",
@@ -6848,11 +6848,11 @@
 "status": "Available",
 "requiredDataConnectors": [
 {
- "connectorId": "AzureFirewall",
 "dataTypes": [
 "AzureDiagnostics",
 "AZFWThreatIntel"
- ]
+ ],
+ "connectorId": "AzureFirewall"
 }
 ],
 "tactics": [
@@ -6867,8 +6867,8 @@
 {
 "fieldMappings": [
 {
- "identifier": "Address",
- "columnName": "SourceIp"
+ "columnName": "SourceIp",
+ "identifier": "Address"
 }
 ],
 "entityType": "IP"
@@ -6876,8 +6876,8 @@
 {
 "fieldMappings": [
 {
- "identifier": "Url",
- "columnName": "Fqdn"
+ "columnName": "Fqdn",
+ "identifier": "Url"
 }
 ],
 "entityType": "URL"
@@ -6964,12 +6964,12 @@
 "status": "Available",
 "requiredDataConnectors": [
 {
- "connectorId": "AzureFirewall",
 "dataTypes": [
 "AzureDiagnostics",
 "AZFWApplicationRule",
 "AZFWNetworkRule"
- ]
+ ],
+ "connectorId": "AzureFirewall"
 }
 ],
 "tactics": [
@@ -6984,8 +6984,8 @@
 {
 "fieldMappings": [
 {
- "identifier": "Address",
- "columnName": "SourceIp"
+ "columnName": "SourceIp",
+ "identifier": "Address"
 }
 ],
 "entityType": "IP"
@@ -6993,8 +6993,8 @@
 {
 "fieldMappings": [
 {
- "identifier": "Url",
- "columnName": "Fqdn"
+ "columnName": "Fqdn",
+ "identifier": "Url"
 }
 ],
 "entityType": "URL"
@@ -7081,14 +7081,14 @@
 "status": "Available",
 "requiredDataConnectors": [
 {
- "connectorId": "AzureFirewall",
 "dataTypes": [
 "AzureDiagnostics",
 "AZFWApplicationRule",
 "AZFWNetworkRule",
 "AZFWFlowTrace",
 "AZFWIdpsSignature"
- ]
+ ],
+ "connectorId": "AzureFirewall"
 }
 ],
 "tactics": [
@@ -7105,8 +7105,8 @@
 {
 "fieldMappings": [
 {
- "identifier": "Address",
- "columnName": "SourceIp"
+ "columnName": "SourceIp",
+ "identifier": "Address"
 }
 ],
 "entityType": "IP"
@@ -7114,8 +7114,8 @@
 {
 "fieldMappings": [
 {
- "identifier": "Url",
- "columnName": "Fqdn"
+ "columnName": "Fqdn",
+ "identifier": "Url"
 }
 ],
 "entityType": "URL"
diff --git a/Solutions/Azure Firewall/ReleaseNotes.md b/Solutions/Azure Firewall/ReleaseNotes.md
index 01ed4854878..f6a11f2caef 100644
--- a/Solutions/Azure Firewall/ReleaseNotes.md
+++ b/Solutions/Azure Firewall/ReleaseNotes.md
@@ -1,5 +1,6 @@
 | **Version** | **Date Modified (DD-MM-YYYY)** | **Change History** |
 |-------------|--------------------------------|------------------------------------------------------------------------------------------|
+| 3.0.6 | 28-10-2025 | Enhanced the Azure Firewall analytic rule to extend Fqdn from DestinationIp for improved detection of Multiple Sources Affected by the Same TI Destination. |
 | 3.0.5 | 26-07-2024 | Updated **Analytical Rule** for missing TTP |
 | 3.0.4 | 12-02-2024 | Updated **Analytical Rule** |
 | 3.0.3 | 17-01-2024 | Updated Azure Firewall **Data Connector** to support resource specific logs. |