Expand Up @@ -36,6 +36,7 @@ query: |
| parse msg_s with * "from " SourceIp ":" SourcePort:int " to " Fqdn ":" DestinationPort:int "." * "Action: Deny. " ThreatDescription),
(AZFWThreatIntel
| where TimeGenerated between (ago(StartRunTime) .. ago(EndRunTime)))
| extend Fqdn = DestinationIp
| summarize TiTrafficCount = count(), dCountSourceIps = dcount(SourceIp), AffectedIps = make_set(SourceIp, 10000) by Fqdn, ThreatDescription
| where array_length(AffectedIps) > MinAffectedThreshold
| mv-expand SourceIp = AffectedIps
Expand All @@ -49,5 +50,5 @@ entityMappings:
fieldMappings:
- identifier: Url
columnName: Fqdn
version: 1.1.3
version: 1.1.4
kind: Scheduled
Binary file modified Solutions/Azure Firewall/Package/3.0.5.zip
80 changes: 40 additions & 40 deletions Solutions/Azure Firewall/Package/mainTemplate.json
Expand Up @@ -154,11 +154,11 @@
"_analyticRulecontentProductId3": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','b2c5907b-1040-4692-9802-9946031017e8','-', '1.1.2')))]"
},
"analyticRuleObject4": {
"analyticRuleVersion4": "1.1.3",
"analyticRuleVersion4": "1.1.4",
"_analyticRulecontentId4": "4644baf7-3464-45dd-bd9d-e07687e25f81",
"analyticRuleId4": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', '4644baf7-3464-45dd-bd9d-e07687e25f81')]",
"analyticRuleTemplateSpecName4": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('4644baf7-3464-45dd-bd9d-e07687e25f81')))]",
"_analyticRulecontentProductId4": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','4644baf7-3464-45dd-bd9d-e07687e25f81','-', '1.1.3')))]"
"_analyticRulecontentProductId4": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','4644baf7-3464-45dd-bd9d-e07687e25f81','-', '1.1.4')))]"
},
"analyticRuleObject5": {
"analyticRuleVersion5": "1.1.3",
Expand Down Expand Up @@ -4003,7 +4003,7 @@
],
"metadata": {
"comments": "This Azure Firewall connector uses Firewall, IP Groups and Firewall Policies APIs to perform different actions on the Firewall, IP Groups and Firewall Policies.",
"lastUpdateTime": "2025-08-28T17:57:43.001Z",
"lastUpdateTime": "2025-10-28T17:31:27.068Z",
"releaseNotes": {
"version": "1.0",
"title": "[variables('blanks')]",
Expand Down Expand Up @@ -6497,14 +6497,14 @@
"status": "Available",
"requiredDataConnectors": [
{
"connectorId": "AzureFirewall",
"dataTypes": [
"AzureDiagnostics",
"AZFWApplicationRule",
"AZFWNetworkRule",
"AZFWFlowTrace",
"AZFWIdpsSignature"
]
],
"connectorId": "AzureFirewall"
}
],
"tactics": [
Expand All @@ -6521,17 +6521,17 @@
{
"fieldMappings": [
{
"identifier": "Address",
"columnName": "SourceIp"
"columnName": "SourceIp",
"identifier": "Address"
}
],
"entityType": "IP"
},
{
"fieldMappings": [
{
"identifier": "Url",
"columnName": "Fqdn"
"columnName": "Fqdn",
"identifier": "Url"
}
],
"entityType": "URL"
Expand Down Expand Up @@ -6618,12 +6618,12 @@
"status": "Available",
"requiredDataConnectors": [
{
"connectorId": "AzureFirewall",
"dataTypes": [
"AzureDiagnostics",
"AZFWApplicationRule",
"AZFWNetworkRule"
]
],
"connectorId": "AzureFirewall"
}
],
"tactics": [
Expand All @@ -6636,17 +6636,17 @@
{
"fieldMappings": [
{
"identifier": "Address",
"columnName": "SourceIp"
"columnName": "SourceIp",
"identifier": "Address"
}
],
"entityType": "IP"
},
{
"fieldMappings": [
{
"identifier": "Url",
"columnName": "Fqdn"
"columnName": "Fqdn",
"identifier": "Url"
}
],
"entityType": "URL"
Expand Down Expand Up @@ -6733,12 +6733,12 @@
"status": "Available",
"requiredDataConnectors": [
{
"connectorId": "AzureFirewall",
"dataTypes": [
"AzureDiagnostics",
"AZFWApplicationRule",
"AZFWNetworkRule"
]
],
"connectorId": "AzureFirewall"
}
],
"tactics": [
Expand All @@ -6751,17 +6751,17 @@
{
"fieldMappings": [
{
"identifier": "Address",
"columnName": "SourceIp"
"columnName": "SourceIp",
"identifier": "Address"
}
],
"entityType": "IP"
},
{
"fieldMappings": [
{
"identifier": "Url",
"columnName": "Fqdn"
"columnName": "Fqdn",
"identifier": "Url"
}
],
"entityType": "URL"
Expand Down Expand Up @@ -6837,7 +6837,7 @@
"description": "Identifies multiple machines trying to reach out to the same destination blocked by TI in Azure Firewall. This can indicate attack on the organization by the same attack group.\n\nConfigurable Parameters:\n\n- Minimum affected threshold - alert only if more than this number of hosts affected. Default is set to 5.\n- Recommendation is to use the new resource specific logs. If you are using both, the TiTraffic Count will be duplicated.",
"displayName": "Multiple Sources Affected by the Same TI Destination",
"enabled": false,
"query": "let RunTime = 1d; \nlet StartRunTime = 1d; \nlet EndRunTime = StartRunTime - RunTime; \nlet MinAffectedThreshold = 5;\nunion isfuzzy=true\n(AzureDiagnostics \n| where TimeGenerated between (ago(StartRunTime) .. ago(EndRunTime))\n| where OperationName == \"AzureFirewallThreatIntelLog\"\n| parse msg_s with * \"from \" SourceIp \":\" SourcePort:int \" to \" Fqdn \":\" DestinationPort:int \".\" * \"Action: Deny. \" ThreatDescription),\n(AZFWThreatIntel\n| where TimeGenerated between (ago(StartRunTime) .. ago(EndRunTime)))\n| summarize TiTrafficCount = count(), dCountSourceIps = dcount(SourceIp), AffectedIps = make_set(SourceIp, 10000) by Fqdn, ThreatDescription\n| where array_length(AffectedIps) > MinAffectedThreshold\n| mv-expand SourceIp = AffectedIps\n| order by TiTrafficCount desc, Fqdn asc, parse_ipv4(tostring(SourceIp)) asc\n",
"query": "let RunTime = 1d; \nlet StartRunTime = 1d; \nlet EndRunTime = StartRunTime - RunTime; \nlet MinAffectedThreshold = 5;\nunion isfuzzy=true\n(AzureDiagnostics \n| where TimeGenerated between (ago(StartRunTime) .. ago(EndRunTime))\n| where OperationName == \"AzureFirewallThreatIntelLog\"\n| parse msg_s with * \"from \" SourceIp \":\" SourcePort:int \" to \" Fqdn \":\" DestinationPort:int \".\" * \"Action: Deny. \" ThreatDescription),\n(AZFWThreatIntel\n| where TimeGenerated between (ago(StartRunTime) .. ago(EndRunTime)))\n| extend Fqdn = DestinationIp\n| summarize TiTrafficCount = count(), dCountSourceIps = dcount(SourceIp), AffectedIps = make_set(SourceIp, 10000) by Fqdn, ThreatDescription\n| where array_length(AffectedIps) > MinAffectedThreshold\n| mv-expand SourceIp = AffectedIps\n| order by TiTrafficCount desc, Fqdn asc, parse_ipv4(tostring(SourceIp)) asc\n",
"queryFrequency": "P1D",
"queryPeriod": "P1D",
"severity": "Medium",
Expand All @@ -6848,11 +6848,11 @@
"status": "Available",
"requiredDataConnectors": [
{
"connectorId": "AzureFirewall",
"dataTypes": [
"AzureDiagnostics",
"AZFWThreatIntel"
]
],
"connectorId": "AzureFirewall"
}
],
"tactics": [
Expand All @@ -6867,17 +6867,17 @@
{
"fieldMappings": [
{
"identifier": "Address",
"columnName": "SourceIp"
"columnName": "SourceIp",
"identifier": "Address"
}
],
"entityType": "IP"
},
{
"fieldMappings": [
{
"identifier": "Url",
"columnName": "Fqdn"
"columnName": "Fqdn",
"identifier": "Url"
}
],
"entityType": "URL"
Expand Down Expand Up @@ -6964,12 +6964,12 @@
"status": "Available",
"requiredDataConnectors": [
{
"connectorId": "AzureFirewall",
"dataTypes": [
"AzureDiagnostics",
"AZFWApplicationRule",
"AZFWNetworkRule"
]
],
"connectorId": "AzureFirewall"
}
],
"tactics": [
Expand All @@ -6984,17 +6984,17 @@
{
"fieldMappings": [
{
"identifier": "Address",
"columnName": "SourceIp"
"columnName": "SourceIp",
"identifier": "Address"
}
],
"entityType": "IP"
},
{
"fieldMappings": [
{
"identifier": "Url",
"columnName": "Fqdn"
"columnName": "Fqdn",
"identifier": "Url"
}
],
"entityType": "URL"
Expand Down Expand Up @@ -7081,14 +7081,14 @@
"status": "Available",
"requiredDataConnectors": [
{
"connectorId": "AzureFirewall",
"dataTypes": [
"AzureDiagnostics",
"AZFWApplicationRule",
"AZFWNetworkRule",
"AZFWFlowTrace",
"AZFWIdpsSignature"
]
],
"connectorId": "AzureFirewall"
}
],
"tactics": [
Expand All @@ -7105,17 +7105,17 @@
{
"fieldMappings": [
{
"identifier": "Address",
"columnName": "SourceIp"
"columnName": "SourceIp",
"identifier": "Address"
}
],
"entityType": "IP"
},
{
"fieldMappings": [
{
"identifier": "Url",
"columnName": "Fqdn"
"columnName": "Fqdn",
"identifier": "Url"
}
],
"entityType": "URL"
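Review bot: In the rewritten query string at the 6837 hunk, the new `| extend Fqdn = DestinationIp` comes after the closing `))` of the union's second operand, so it runs over the whole union and overwrites the Fqdn that the AzureDiagnostics branch parsed from msg_s with a column those legacy rows do not carry; workspaces still on AzureDiagnostics would then see every hit collapse into one empty Fqdn group, and the URL entity mapping on that column would carry nothing. The step belongs inside the AZFWThreatIntel parenthesis: `(AZFWThreatIntel\n| where TimeGenerated between (ago(StartRunTime) .. ago(EndRunTime))\n| extend Fqdn = DestinationIp)\n| summarize ...`. If AZFWThreatIntel already populates Fqdn for FQDN-based indicators, `coalesce(Fqdn, DestinationIp)` would keep that value instead of replacing it with the destination IP — worth confirming against the table schema before the rule is shipped. The same placement appears in the YAML rule source hunk at the top of the page, from which this template is generated, so the fix should be made there and the package regenerated. Separately, ReleaseNotes.md adds 3.0.6 while the package touched is 3.0.5.zip; confirm which package version this release is meant to bump.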
1 change: 1 addition & 0 deletions Solutions/Azure Firewall/ReleaseNotes.md
@@ -1,5 +1,6 @@
| **Version** | **Date Modified (DD-MM-YYYY)** | **Change History** |
|-------------|--------------------------------|------------------------------------------------------------------------------------------|
| 3.0.6 | 28-10-2025 | Enhanced the Azure Firewall analytic rule to extend Fqdn from DestinationIp for improved detection of Multiple Sources Affected by the Same TI Destination. |
| 3.0.5 | 26-07-2024 | Updated **Analytical Rule** for missing TTP |
| 3.0.4 | 12-02-2024 | Updated **Analytical Rule** |
| 3.0.3 | 17-01-2024 | Updated Azure Firewall **Data Connector** to support resource specific logs. |