Azure-Sentinel
Updating the Analytics Rules and Hunting Queries for Azure Firewall Solution to support Resource Specific logs.
Required items, please complete
Change(s):
- Updated the below Hunting Queries to support Resource Specific Logs:
  - Azure Firewall - First Time Source IP to Destination Using Port.yml
  - Azure Firewall - First time source IP to Destination.yml
  - Azure Firewall - Source IP Abnormally Connects to Multiple Destinations.yml
  - Azure Firewall - Uncommon Port for Organization.yml
  - Azure Firewall - Uncommon Port to IP
- Updated the below Analytic Rules to support Resource Specific Logs:
  - Azure Firewall - Abnormal Deny Rate for Source IP.yml
  - Azure Firewall - Abnormal Port to Protocol.yml
  - Azure Firewall - Multiple Sources Affected by the Same TI Destination.yml
  - Azure Firewall - Port Scan.yml
  - Azure Firewall - Port Sweep.yml
  - SeveralDenyActionsRegistered.yml
- Added a new workbook for Azure Firewall Solution to support Resource Specific Logs
Reason for Change(s):
- To support the resource specific logs
Version Updated:
- Yes
Testing Completed:
- Yes
Checked that the validations are passing and have addressed any issues that are present:
- Yes
Hi @shabaz-github, please check the above comments. Thanks
@v-atulyadav Metadata has been added for both the templates. Please help with merging this PR. Thank you.
Hi @shabaz-github, please take a look at @devikamehra's comments. Thanks
Hi @devikamehra, please check fixes from @shabaz-github. Thanks
@devikamehra All the comments are addressed. Please help with merging. Thanks