
Updating Detection queries with Resource Specific logs for Azure Firewall

Open shabaz-github opened this issue 2 years ago • 14 comments

Required items, please complete

Change(s):

  • Updated the following queries with resource-specific logs for Azure Firewall:

  • ActiniumFeb2022.yaml
  • IridiumIOCs.yaml
  • SOURGUM_IOC.yaml
  • ZincJan272021IOCs.yaml
  • PHOSPHORUSMarch2019IOCs.yaml
  • KnownPHOSPHORUSDomainsIP-October2020.yaml
  • POLONIUMIPIoC.yaml
  • GalliumIOCs.yaml
  • NICKELIOCsNov2021.yaml
  • STRONTIUMJuly2019IOCs.yaml
  • ChiaCryptoMining.yaml
  • DEV-0322_SolarWinds_Serv-U_IOC.yaml
  • Dev-0530_July2022.yaml
  • BariumDomainIOC112020.yaml
  • BariumIPIOC112020.yaml
  • CERIUMOct292020IOCs.yaml
  • Mercury_Log4j_August2022.yaml
  • NOBELIUM_DomainIOCsMarch2021.yaml
  • NOBELIUM_IOCsMay2021.yaml
  • Solorigate-Network-Beacon.yaml
  • ThalliumIOCs.yaml
  • WSLMalwareCorrelation.yaml

Reason for Change(s):

  • Updates the queries to support the new resource-specific logs on Azure Firewall

Version Updated:

  • Yes
  • All files have been updated with new version.

Testing Completed:

  • Yes

Checked that the validations are passing and have addressed any issues that are present:

  • Yes

shabaz-github avatar Dec 06 '22 14:12 shabaz-github

@aprakash13 : Please review the detections and provide your comments. Thanks!

v-spadarthi avatar Dec 08 '22 12:12 v-spadarthi

Hi @shabaz-github, can you please take the latest from master to fix the CodeQL validation issue? Thanks

v-mchatla avatar Dec 12 '22 13:12 v-mchatla

Hello Meena,

This has now been fixed. All checks have passed again. Please help with merging.


Thanks,

Shabaz Shaik, Program Manager II

Azure Network Security CxE Team



shabaz-github avatar Dec 13 '22 07:12 shabaz-github

Hi @shabaz-github, Please resolve the conflicts. Thanks

v-mchatla avatar Dec 15 '22 05:12 v-mchatla

Hello Meena,

All conflicts have been resolved.

Thanks,

Shabaz Shaik, Program Manager II

Azure Network Security CxE Team



shabaz-github avatar Dec 15 '22 06:12 shabaz-github

We will check with the concerned team and let you know the update.

v-spadarthi avatar Dec 21 '22 05:12 v-spadarthi

We are checking with the team and will let you know the update.

v-spadarthi avatar Dec 23 '22 05:12 v-spadarthi

Ajit Prakash approved these changes previously

v-spadarthi avatar Dec 28 '22 05:12 v-spadarthi

@shabaz-github : Please resolve the conflicts. Thanks!

v-spadarthi avatar Dec 29 '22 09:12 v-spadarthi

@v-spadarthi All conflicts have been resolved. Yes, this has already been reviewed and approved before. Please help with merging.

shabaz-github avatar Dec 29 '22 17:12 shabaz-github

@shabaz-github: We can still see conflicts, please resolve them. Thanks

v-spadarthi avatar Jan 02 '23 11:01 v-spadarthi

@shabaz-github : Please resolve the conflicts. Thanks

v-spadarthi avatar Jan 06 '23 04:01 v-spadarthi

Hi @shabaz-github, there are still conflicts, could you please resolve them? Thanks

v-atulyadav avatar Jan 11 '23 04:01 v-atulyadav

Hey @shabaz-github, this is regarding the conflicts in the branch. The analytic rules have been moved to their particular solution folders, and the query changes should be made at that location in the solution folder. Please check and let us know if you face any difficulties, thanks.

v-sabiraj avatar Jan 13 '23 06:01 v-sabiraj

@v-sabiraj @v-spadarthi @v-atulyadav All conflicts have been resolved now as well as the detections have been updated in the new location (solutions). Please help with merging this PR as the changes were already approved.

shabaz-github avatar Jan 13 '23 19:01 shabaz-github

Hi @shabaz-github, thank you for this fix. We will check and update you soon.

v-atulyadav avatar Jan 18 '23 05:01 v-atulyadav

@v-atulyadav Please feel free to merge if the detections are in the right solutions. Thanks.

aprakash13 avatar Jan 20 '23 02:01 aprakash13