Merge pull request Azure#13022 from Azure/v-sabiraj-Azurefirewallrules

v-atulyadav · web-flow · commit f33ca10def96 · 2025-10-31T15:39:54.000+05:30
Update analytic rule for TI destination detection
diff --git a/Solutions/Azure Firewall/Analytic Rules/Azure Firewall - Multiple Sources Affected by the Same TI Destination.yaml b/Solutions/Azure Firewall/Analytic Rules/Azure Firewall - Multiple Sources Affected by the Same TI Destination.yaml
@@ -36,6 +36,7 @@ query: |
   | parse msg_s with * "from " SourceIp ":" SourcePort:int " to " Fqdn ":" DestinationPort:int  "." * "Action: Deny. " ThreatDescription),
   (AZFWThreatIntel
   | where TimeGenerated between (ago(StartRunTime) .. ago(EndRunTime)))
+  | extend Fqdn = DestinationIp
   | summarize TiTrafficCount = count(), dCountSourceIps = dcount(SourceIp), AffectedIps = make_set(SourceIp, 10000) by Fqdn, ThreatDescription
   | where array_length(AffectedIps) > MinAffectedThreshold
   | mv-expand SourceIp = AffectedIps
@@ -49,5 +50,5 @@ entityMappings:
     fieldMappings:
       - identifier: Url
         columnName: Fqdn
-version: 1.1.3
+version: 1.1.4
 kind: Scheduled
diff --git a/Solutions/Azure Firewall/Package/3.0.5.zip b/Solutions/Azure Firewall/Package/3.0.5.zip
diff --git a/Solutions/Azure Firewall/Package/mainTemplate.json b/Solutions/Azure Firewall/Package/mainTemplate.json
@@ -154,11 +154,11 @@
       "_analyticRulecontentProductId3": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','b2c5907b-1040-4692-9802-9946031017e8','-', '1.1.2')))]"
     },
     "analyticRuleObject4": {
-      "analyticRuleVersion4": "1.1.3",
+      "analyticRuleVersion4": "1.1.4",
       "_analyticRulecontentId4": "4644baf7-3464-45dd-bd9d-e07687e25f81",
       "analyticRuleId4": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', '4644baf7-3464-45dd-bd9d-e07687e25f81')]",
       "analyticRuleTemplateSpecName4": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('4644baf7-3464-45dd-bd9d-e07687e25f81')))]",
-      "_analyticRulecontentProductId4": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','4644baf7-3464-45dd-bd9d-e07687e25f81','-', '1.1.3')))]"
+      "_analyticRulecontentProductId4": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','4644baf7-3464-45dd-bd9d-e07687e25f81','-', '1.1.4')))]"
     },
     "analyticRuleObject5": {
       "analyticRuleVersion5": "1.1.3",
@@ -4003,7 +4003,7 @@
           ],
           "metadata": {
             "comments": "This Azure Firewall connector uses Firewall, IP Groups and Firewall Policies APIs to perform different actions on the Firewall, IP Groups and Firewall Policies.",
-            "lastUpdateTime": "2025-08-28T17:57:43.001Z",
+            "lastUpdateTime": "2025-10-28T17:31:27.068Z",
             "releaseNotes": {
               "version": "1.0",
               "title": "[variables('blanks')]",
@@ -6497,14 +6497,14 @@
                 "status": "Available",
                 "requiredDataConnectors": [
                   {
-                    "connectorId": "AzureFirewall",
                     "dataTypes": [
                       "AzureDiagnostics",
                       "AZFWApplicationRule",
                       "AZFWNetworkRule",
                       "AZFWFlowTrace",
                       "AZFWIdpsSignature"
-                    ]
+                    ],
+                    "connectorId": "AzureFirewall"
                   }
                 ],
                 "tactics": [
@@ -6521,17 +6521,17 @@
                   {
                     "fieldMappings": [
                       {
-                        "identifier": "Address",
-                        "columnName": "SourceIp"
+                        "columnName": "SourceIp",
+                        "identifier": "Address"
                       }
                     ],
                     "entityType": "IP"
                   },
                   {
                     "fieldMappings": [
                       {
-                        "identifier": "Url",
-                        "columnName": "Fqdn"
+                        "columnName": "Fqdn",
+                        "identifier": "Url"
                       }
                     ],
                     "entityType": "URL"
@@ -6618,12 +6618,12 @@
                 "status": "Available",
                 "requiredDataConnectors": [
                   {
-                    "connectorId": "AzureFirewall",
                     "dataTypes": [
                       "AzureDiagnostics",
                       "AZFWApplicationRule",
                       "AZFWNetworkRule"
-                    ]
+                    ],
+                    "connectorId": "AzureFirewall"
                   }
                 ],
                 "tactics": [
@@ -6636,17 +6636,17 @@
                   {
                     "fieldMappings": [
                       {
-                        "identifier": "Address",
-                        "columnName": "SourceIp"
+                        "columnName": "SourceIp",
+                        "identifier": "Address"
                       }
                     ],
                     "entityType": "IP"
                   },
                   {
                     "fieldMappings": [
                       {
-                        "identifier": "Url",
-                        "columnName": "Fqdn"
+                        "columnName": "Fqdn",
+                        "identifier": "Url"
                       }
                     ],
                     "entityType": "URL"
@@ -6733,12 +6733,12 @@
                 "status": "Available",
                 "requiredDataConnectors": [
                   {
-                    "connectorId": "AzureFirewall",
                     "dataTypes": [
                       "AzureDiagnostics",
                       "AZFWApplicationRule",
                       "AZFWNetworkRule"
-                    ]
+                    ],
+                    "connectorId": "AzureFirewall"
                   }
                 ],
                 "tactics": [
@@ -6751,17 +6751,17 @@
                   {
                     "fieldMappings": [
                       {
-                        "identifier": "Address",
-                        "columnName": "SourceIp"
+                        "columnName": "SourceIp",
+                        "identifier": "Address"
                       }
                     ],
                     "entityType": "IP"
                   },
                   {
                     "fieldMappings": [
                       {
-                        "identifier": "Url",
-                        "columnName": "Fqdn"
+                        "columnName": "Fqdn",
+                        "identifier": "Url"
                       }
                     ],
                     "entityType": "URL"
@@ -6837,7 +6837,7 @@
                 "description": "Identifies multiple machines trying to reach out to the same destination blocked by TI in Azure Firewall. This can indicate attack on the organization by the same attack group.\n\nConfigurable Parameters:\n\n- Minimum affected threshold - alert only if more than this number of hosts affected. Default is set to 5.\n- Recommendation is to use the new resource specific logs. If you are using both, the TiTraffic Count will be duplicated.",
                 "displayName": "Multiple Sources Affected by the Same TI Destination",
                 "enabled": false,
-                "query": "let RunTime = 1d; \nlet StartRunTime = 1d; \nlet EndRunTime = StartRunTime - RunTime; \nlet MinAffectedThreshold = 5;\nunion isfuzzy=true\n(AzureDiagnostics \n| where TimeGenerated  between (ago(StartRunTime) .. ago(EndRunTime))\n| where OperationName == \"AzureFirewallThreatIntelLog\"\n| parse msg_s with * \"from \" SourceIp \":\" SourcePort:int \" to \" Fqdn \":\" DestinationPort:int  \".\" * \"Action: Deny. \" ThreatDescription),\n(AZFWThreatIntel\n| where TimeGenerated between (ago(StartRunTime) .. ago(EndRunTime)))\n| summarize TiTrafficCount = count(), dCountSourceIps = dcount(SourceIp), AffectedIps = make_set(SourceIp, 10000) by Fqdn, ThreatDescription\n| where array_length(AffectedIps) > MinAffectedThreshold\n| mv-expand SourceIp = AffectedIps\n| order by TiTrafficCount desc, Fqdn asc, parse_ipv4(tostring(SourceIp)) asc\n",
+                "query": "let RunTime = 1d; \nlet StartRunTime = 1d; \nlet EndRunTime = StartRunTime - RunTime; \nlet MinAffectedThreshold = 5;\nunion isfuzzy=true\n(AzureDiagnostics \n| where TimeGenerated  between (ago(StartRunTime) .. ago(EndRunTime))\n| where OperationName == \"AzureFirewallThreatIntelLog\"\n| parse msg_s with * \"from \" SourceIp \":\" SourcePort:int \" to \" Fqdn \":\" DestinationPort:int  \".\" * \"Action: Deny. \" ThreatDescription),\n(AZFWThreatIntel\n| where TimeGenerated between (ago(StartRunTime) .. ago(EndRunTime)))\n| extend Fqdn = DestinationIp\n| summarize TiTrafficCount = count(), dCountSourceIps = dcount(SourceIp), AffectedIps = make_set(SourceIp, 10000) by Fqdn, ThreatDescription\n| where array_length(AffectedIps) > MinAffectedThreshold\n| mv-expand SourceIp = AffectedIps\n| order by TiTrafficCount desc, Fqdn asc, parse_ipv4(tostring(SourceIp)) asc\n",
                 "queryFrequency": "P1D",
                 "queryPeriod": "P1D",
                 "severity": "Medium",
@@ -6848,11 +6848,11 @@
                 "status": "Available",
                 "requiredDataConnectors": [
                   {
-                    "connectorId": "AzureFirewall",
                     "dataTypes": [
                       "AzureDiagnostics",
                       "AZFWThreatIntel"
-                    ]
+                    ],
+                    "connectorId": "AzureFirewall"
                   }
                 ],
                 "tactics": [
@@ -6867,17 +6867,17 @@
                   {
                     "fieldMappings": [
                       {
-                        "identifier": "Address",
-                        "columnName": "SourceIp"
+                        "columnName": "SourceIp",
+                        "identifier": "Address"
                       }
                     ],
                     "entityType": "IP"
                   },
                   {
                     "fieldMappings": [
                       {
-                        "identifier": "Url",
-                        "columnName": "Fqdn"
+                        "columnName": "Fqdn",
+                        "identifier": "Url"
                       }
                     ],
                     "entityType": "URL"
@@ -6964,12 +6964,12 @@
                 "status": "Available",
                 "requiredDataConnectors": [
                   {
-                    "connectorId": "AzureFirewall",
                     "dataTypes": [
                       "AzureDiagnostics",
                       "AZFWApplicationRule",
                       "AZFWNetworkRule"
-                    ]
+                    ],
+                    "connectorId": "AzureFirewall"
                   }
                 ],
                 "tactics": [
@@ -6984,17 +6984,17 @@
                   {
                     "fieldMappings": [
                       {
-                        "identifier": "Address",
-                        "columnName": "SourceIp"
+                        "columnName": "SourceIp",
+                        "identifier": "Address"
                       }
                     ],
                     "entityType": "IP"
                   },
                   {
                     "fieldMappings": [
                       {
-                        "identifier": "Url",
-                        "columnName": "Fqdn"
+                        "columnName": "Fqdn",
+                        "identifier": "Url"
                       }
                     ],
                     "entityType": "URL"
@@ -7081,14 +7081,14 @@
                 "status": "Available",
                 "requiredDataConnectors": [
                   {
-                    "connectorId": "AzureFirewall",
                     "dataTypes": [
                       "AzureDiagnostics",
                       "AZFWApplicationRule",
                       "AZFWNetworkRule",
                       "AZFWFlowTrace",
                       "AZFWIdpsSignature"
-                    ]
+                    ],
+                    "connectorId": "AzureFirewall"
                   }
                 ],
                 "tactics": [
@@ -7105,17 +7105,17 @@
                   {
                     "fieldMappings": [
                       {
-                        "identifier": "Address",
-                        "columnName": "SourceIp"
+                        "columnName": "SourceIp",
+                        "identifier": "Address"
                       }
                     ],
                     "entityType": "IP"
                   },
                   {
                     "fieldMappings": [
                       {
-                        "identifier": "Url",
-                        "columnName": "Fqdn"
+                        "columnName": "Fqdn",
+                        "identifier": "Url"
                       }
                     ],
                     "entityType": "URL"
diff --git a/Solutions/Azure Firewall/ReleaseNotes.md b/Solutions/Azure Firewall/ReleaseNotes.md
@@ -1,5 +1,6 @@
 | **Version** | **Date Modified (DD-MM-YYYY)** | **Change History**                                                                       |
 |-------------|--------------------------------|------------------------------------------------------------------------------------------|
+| 3.0.6       | 28-10-2025                     | Enhanced the Azure Firewall analytic rule to extend Fqdn from DestinationIp for improved detection of Multiple Sources Affected by the Same TI Destination. |
 | 3.0.5       | 26-07-2024                     | Updated **Analytical Rule** for missing TTP	                                          |
 | 3.0.4       | 12-02-2024                     | Updated **Analytical Rule**	                                          |
 | 3.0.3       | 17-01-2024                     | Updated Azure Firewall **Data Connector**  to support resource specific logs.            |

Original file line number	Diff line number	Diff line change
`@@ -154,11 +154,11 @@`
`154`	`154`	`"_analyticRulecontentProductId3": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','b2c5907b-1040-4692-9802-9946031017e8','-', '1.1.2')))]"`
`155`	`155`	`},`
`156`	`156`	`"analyticRuleObject4": {`
`157`		`- "analyticRuleVersion4": "1.1.3",`
	`157`	`+ "analyticRuleVersion4": "1.1.4",`
`158`	`158`	`"_analyticRulecontentId4": "4644baf7-3464-45dd-bd9d-e07687e25f81",`
`159`	`159`	`"analyticRuleId4": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', '4644baf7-3464-45dd-bd9d-e07687e25f81')]",`
`160`	`160`	`"analyticRuleTemplateSpecName4": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('4644baf7-3464-45dd-bd9d-e07687e25f81')))]",`
`161`		`- "_analyticRulecontentProductId4": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','4644baf7-3464-45dd-bd9d-e07687e25f81','-', '1.1.3')))]"`
	`161`	`+ "_analyticRulecontentProductId4": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','4644baf7-3464-45dd-bd9d-e07687e25f81','-', '1.1.4')))]"`
`162`	`162`	`},`
`163`	`163`	`"analyticRuleObject5": {`
`164`	`164`	`"analyticRuleVersion5": "1.1.3",`
`@@ -4003,7 +4003,7 @@`
`4003`	`4003`	`],`
`4004`	`4004`	`"metadata": {`
`4005`	`4005`	`"comments": "This Azure Firewall connector uses Firewall, IP Groups and Firewall Policies APIs to perform different actions on the Firewall, IP Groups and Firewall Policies.",`
`4006`		`- "lastUpdateTime": "2025-08-28T17:57:43.001Z",`
	`4006`	`+ "lastUpdateTime": "2025-10-28T17:31:27.068Z",`
`4007`	`4007`	`"releaseNotes": {`
`4008`	`4008`	`"version": "1.0",`
`4009`	`4009`	`"title": "[variables('blanks')]",`
`@@ -6497,14 +6497,14 @@`
`6497`	`6497`	`"status": "Available",`
`6498`	`6498`	`"requiredDataConnectors": [`
`6499`	`6499`	`{`
`6500`		`- "connectorId": "AzureFirewall",`
`6501`	`6500`	`"dataTypes": [`
`6502`	`6501`	`"AzureDiagnostics",`
`6503`	`6502`	`"AZFWApplicationRule",`
`6504`	`6503`	`"AZFWNetworkRule",`
`6505`	`6504`	`"AZFWFlowTrace",`
`6506`	`6505`	`"AZFWIdpsSignature"`
`6507`		`- ]`
	`6506`	`+ ],`
	`6507`	`+ "connectorId": "AzureFirewall"`
`6508`	`6508`	`}`
`6509`	`6509`	`],`
`6510`	`6510`	`"tactics": [`
`@@ -6521,17 +6521,17 @@`
`6521`	`6521`	`{`
`6522`	`6522`	`"fieldMappings": [`
`6523`	`6523`	`{`
`6524`		`- "identifier": "Address",`
`6525`		`- "columnName": "SourceIp"`
	`6524`	`+ "columnName": "SourceIp",`
	`6525`	`+ "identifier": "Address"`
`6526`	`6526`	`}`
`6527`	`6527`	`],`
`6528`	`6528`	`"entityType": "IP"`
`6529`	`6529`	`},`
`6530`	`6530`	`{`
`6531`	`6531`	`"fieldMappings": [`
`6532`	`6532`	`{`
`6533`		`- "identifier": "Url",`
`6534`		`- "columnName": "Fqdn"`
	`6533`	`+ "columnName": "Fqdn",`
	`6534`	`+ "identifier": "Url"`
`6535`	`6535`	`}`
`6536`	`6536`	`],`
`6537`	`6537`	`"entityType": "URL"`
`@@ -6618,12 +6618,12 @@`
`6618`	`6618`	`"status": "Available",`
`6619`	`6619`	`"requiredDataConnectors": [`
`6620`	`6620`	`{`
`6621`		`- "connectorId": "AzureFirewall",`
`6622`	`6621`	`"dataTypes": [`
`6623`	`6622`	`"AzureDiagnostics",`
`6624`	`6623`	`"AZFWApplicationRule",`
`6625`	`6624`	`"AZFWNetworkRule"`
`6626`		`- ]`
	`6625`	`+ ],`
	`6626`	`+ "connectorId": "AzureFirewall"`
`6627`	`6627`	`}`
`6628`	`6628`	`],`
`6629`	`6629`	`"tactics": [`
`@@ -6636,17 +6636,17 @@`
`6636`	`6636`	`{`
`6637`	`6637`	`"fieldMappings": [`
`6638`	`6638`	`{`
`6639`		`- "identifier": "Address",`
`6640`		`- "columnName": "SourceIp"`
	`6639`	`+ "columnName": "SourceIp",`
	`6640`	`+ "identifier": "Address"`
`6641`	`6641`	`}`
`6642`	`6642`	`],`
`6643`	`6643`	`"entityType": "IP"`
`6644`	`6644`	`},`
`6645`	`6645`	`{`
`6646`	`6646`	`"fieldMappings": [`
`6647`	`6647`	`{`
`6648`		`- "identifier": "Url",`
`6649`		`- "columnName": "Fqdn"`
	`6648`	`+ "columnName": "Fqdn",`
	`6649`	`+ "identifier": "Url"`
`6650`	`6650`	`}`
`6651`	`6651`	`],`
`6652`	`6652`	`"entityType": "URL"`
`@@ -6733,12 +6733,12 @@`
`6733`	`6733`	`"status": "Available",`
`6734`	`6734`	`"requiredDataConnectors": [`
`6735`	`6735`	`{`
`6736`		`- "connectorId": "AzureFirewall",`
`6737`	`6736`	`"dataTypes": [`
`6738`	`6737`	`"AzureDiagnostics",`
`6739`	`6738`	`"AZFWApplicationRule",`
`6740`	`6739`	`"AZFWNetworkRule"`
`6741`		`- ]`
	`6740`	`+ ],`
	`6741`	`+ "connectorId": "AzureFirewall"`
`6742`	`6742`	`}`
`6743`	`6743`	`],`
`6744`	`6744`	`"tactics": [`
`@@ -6751,17 +6751,17 @@`
`6751`	`6751`	`{`
`6752`	`6752`	`"fieldMappings": [`
`6753`	`6753`	`{`
`6754`		`- "identifier": "Address",`
`6755`		`- "columnName": "SourceIp"`
	`6754`	`+ "columnName": "SourceIp",`
	`6755`	`+ "identifier": "Address"`
`6756`	`6756`	`}`
`6757`	`6757`	`],`
`6758`	`6758`	`"entityType": "IP"`
`6759`	`6759`	`},`
`6760`	`6760`	`{`
`6761`	`6761`	`"fieldMappings": [`
`6762`	`6762`	`{`
`6763`		`- "identifier": "Url",`
`6764`		`- "columnName": "Fqdn"`
	`6763`	`+ "columnName": "Fqdn",`
	`6764`	`+ "identifier": "Url"`
`6765`	`6765`	`}`
`6766`	`6766`	`],`
`6767`	`6767`	`"entityType": "URL"`
`@@ -6837,7 +6837,7 @@`
`6837`	`6837`	`"description": "Identifies multiple machines trying to reach out to the same destination blocked by TI in Azure Firewall. This can indicate attack on the organization by the same attack group.\n\nConfigurable Parameters:\n\n- Minimum affected threshold - alert only if more than this number of hosts affected. Default is set to 5.\n- Recommendation is to use the new resource specific logs. If you are using both, the TiTraffic Count will be duplicated.",`
`6838`	`6838`	`"displayName": "Multiple Sources Affected by the Same TI Destination",`
`6839`	`6839`	`"enabled": false,`
`6840`		- "query": "let RunTime = 1d; \nlet StartRunTime = 1d; \nlet EndRunTime = StartRunTime - RunTime; \nlet MinAffectedThreshold = 5;\nunion isfuzzy=true\n(AzureDiagnostics \n\| where TimeGenerated between (ago(StartRunTime) .. ago(EndRunTime))\n\| where OperationName == \"AzureFirewallThreatIntelLog\"\n\| parse msg_s with * \"from \" SourceIp \":\" SourcePort:int \" to \" Fqdn \":\" DestinationPort:int \".\" * \"Action: Deny. \" ThreatDescription),\n(AZFWThreatIntel\n\| where TimeGenerated between (ago(StartRunTime) .. ago(EndRunTime)))\n\| summarize TiTrafficCount = count(), dCountSourceIps = dcount(SourceIp), AffectedIps = make_set(SourceIp, 10000) by Fqdn, ThreatDescription\n\| where array_length(AffectedIps) > MinAffectedThreshold\n\| mv-expand SourceIp = AffectedIps\n\| order by TiTrafficCount desc, Fqdn asc, parse_ipv4(tostring(SourceIp)) asc\n",
	`6840`	+ "query": "let RunTime = 1d; \nlet StartRunTime = 1d; \nlet EndRunTime = StartRunTime - RunTime; \nlet MinAffectedThreshold = 5;\nunion isfuzzy=true\n(AzureDiagnostics \n\| where TimeGenerated between (ago(StartRunTime) .. ago(EndRunTime))\n\| where OperationName == \"AzureFirewallThreatIntelLog\"\n\| parse msg_s with * \"from \" SourceIp \":\" SourcePort:int \" to \" Fqdn \":\" DestinationPort:int \".\" * \"Action: Deny. \" ThreatDescription),\n(AZFWThreatIntel\n\| where TimeGenerated between (ago(StartRunTime) .. ago(EndRunTime)))\n\| extend Fqdn = DestinationIp\n\| summarize TiTrafficCount = count(), dCountSourceIps = dcount(SourceIp), AffectedIps = make_set(SourceIp, 10000) by Fqdn, ThreatDescription\n\| where array_length(AffectedIps) > MinAffectedThreshold\n\| mv-expand SourceIp = AffectedIps\n\| order by TiTrafficCount desc, Fqdn asc, parse_ipv4(tostring(SourceIp)) asc\n",
`6841`	`6841`	`"queryFrequency": "P1D",`
`6842`	`6842`	`"queryPeriod": "P1D",`
`6843`	`6843`	`"severity": "Medium",`
`@@ -6848,11 +6848,11 @@`
`6848`	`6848`	`"status": "Available",`
`6849`	`6849`	`"requiredDataConnectors": [`
`6850`	`6850`	`{`
`6851`		`- "connectorId": "AzureFirewall",`
`6852`	`6851`	`"dataTypes": [`
`6853`	`6852`	`"AzureDiagnostics",`
`6854`	`6853`	`"AZFWThreatIntel"`
`6855`		`- ]`
	`6854`	`+ ],`
	`6855`	`+ "connectorId": "AzureFirewall"`
`6856`	`6856`	`}`
`6857`	`6857`	`],`
`6858`	`6858`	`"tactics": [`
`@@ -6867,17 +6867,17 @@`
`6867`	`6867`	`{`
`6868`	`6868`	`"fieldMappings": [`
`6869`	`6869`	`{`
`6870`		`- "identifier": "Address",`
`6871`		`- "columnName": "SourceIp"`
	`6870`	`+ "columnName": "SourceIp",`
	`6871`	`+ "identifier": "Address"`
`6872`	`6872`	`}`
`6873`	`6873`	`],`
`6874`	`6874`	`"entityType": "IP"`
`6875`	`6875`	`},`
`6876`	`6876`	`{`
`6877`	`6877`	`"fieldMappings": [`
`6878`	`6878`	`{`
`6879`		`- "identifier": "Url",`
`6880`		`- "columnName": "Fqdn"`
	`6879`	`+ "columnName": "Fqdn",`
	`6880`	`+ "identifier": "Url"`
`6881`	`6881`	`}`
`6882`	`6882`	`],`
`6883`	`6883`	`"entityType": "URL"`
`@@ -6964,12 +6964,12 @@`
`6964`	`6964`	`"status": "Available",`
`6965`	`6965`	`"requiredDataConnectors": [`
`6966`	`6966`	`{`
`6967`		`- "connectorId": "AzureFirewall",`
`6968`	`6967`	`"dataTypes": [`
`6969`	`6968`	`"AzureDiagnostics",`
`6970`	`6969`	`"AZFWApplicationRule",`
`6971`	`6970`	`"AZFWNetworkRule"`
`6972`		`- ]`
	`6971`	`+ ],`
	`6972`	`+ "connectorId": "AzureFirewall"`
`6973`	`6973`	`}`
`6974`	`6974`	`],`
`6975`	`6975`	`"tactics": [`
`@@ -6984,17 +6984,17 @@`
`6984`	`6984`	`{`
`6985`	`6985`	`"fieldMappings": [`
`6986`	`6986`	`{`
`6987`		`- "identifier": "Address",`
`6988`		`- "columnName": "SourceIp"`
	`6987`	`+ "columnName": "SourceIp",`
	`6988`	`+ "identifier": "Address"`
`6989`	`6989`	`}`
`6990`	`6990`	`],`
`6991`	`6991`	`"entityType": "IP"`
`6992`	`6992`	`},`
`6993`	`6993`	`{`
`6994`	`6994`	`"fieldMappings": [`
`6995`	`6995`	`{`
`6996`		`- "identifier": "Url",`
`6997`		`- "columnName": "Fqdn"`
	`6996`	`+ "columnName": "Fqdn",`
	`6997`	`+ "identifier": "Url"`
`6998`	`6998`	`}`
`6999`	`6999`	`],`
`7000`	`7000`	`"entityType": "URL"`
`@@ -7081,14 +7081,14 @@`
`7081`	`7081`	`"status": "Available",`
`7082`	`7082`	`"requiredDataConnectors": [`
`7083`	`7083`	`{`
`7084`		`- "connectorId": "AzureFirewall",`
`7085`	`7084`	`"dataTypes": [`
`7086`	`7085`	`"AzureDiagnostics",`
`7087`	`7086`	`"AZFWApplicationRule",`
`7088`	`7087`	`"AZFWNetworkRule",`
`7089`	`7088`	`"AZFWFlowTrace",`
`7090`	`7089`	`"AZFWIdpsSignature"`
`7091`		`- ]`
	`7090`	`+ ],`
	`7091`	`+ "connectorId": "AzureFirewall"`
`7092`	`7092`	`}`
`7093`	`7093`	`],`
`7094`	`7094`	`"tactics": [`
`@@ -7105,17 +7105,17 @@`
`7105`	`7105`	`{`
`7106`	`7106`	`"fieldMappings": [`
`7107`	`7107`	`{`
`7108`		`- "identifier": "Address",`
`7109`		`- "columnName": "SourceIp"`
	`7108`	`+ "columnName": "SourceIp",`
	`7109`	`+ "identifier": "Address"`
`7110`	`7110`	`}`
`7111`	`7111`	`],`
`7112`	`7112`	`"entityType": "IP"`
`7113`	`7113`	`},`
`7114`	`7114`	`{`
`7115`	`7115`	`"fieldMappings": [`
`7116`	`7116`	`{`
`7117`		`- "identifier": "Url",`
`7118`		`- "columnName": "Fqdn"`
	`7117`	`+ "columnName": "Fqdn",`
	`7118`	`+ "identifier": "Url"`
`7119`	`7119`	`}`
`7120`	`7120`	`],`
`7121`	`7121`	`"entityType": "URL"`