What Changed
Azure Firewall Abnormal Port to Protocol detection rule updated from version 1.1.2 to 1.1.3 with improved time range handling and alignment between query frequency and runtime parameters.
Detection Logic
Primary data source: AzureDiagnostics, AZFWNetworkRule, AZFWApplicationRule tables. Core logic performs learning-based anomaly detection on port-to-protocol mappings, identifying traffic patterns that deviate from 7-day baseline behavior. The rule now uses consistent 1-hour detection windows aligned with query frequency to prevent overlapping evaluations.
MITRE Mapping
T1571 (Non-Standard Port)
Security Impact (Visibility & Fidelity)
The previous implementation derived the end of the detection window as EndRunTime = RunTime - 1d, an expression that is zero (i.e. "now") only when RunTime = 1d. Any other RunTime value moved the window end away from the present: a shorter RunTime made EndRunTime negative, a longer one pushed the window end more than a day into the past, so the window no longer covered recent traffic and alerts were not generated. Additionally, because queryFrequency was 1h while RunTime was 1d, each hourly run re-evaluated the whole previous day; the same anomalous activity fell into up to 24 overlapping detection windows and raised duplicate alerts.
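The following Python simulation is an added illustration of the detection logic and the window arithmetic described in the sections above; it is not the rule's KQL and not code from the Azure Sentinel content repository. It rebuilds the port-to-protocol baseline from a 7-day learning period, flags pairs in the detection window that never occurred for that port during learning, and contrasts the old EndRunTime = RunTime - 1d formula with aligned windows. The record fields (TimeGenerated, DestinationPort, Protocol) mimic AZFWNetworkRule/AZFWApplicationRule columns; the sample records, the fixed "now", and the function names are constructed for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Fixed "now" so the simulation is deterministic (constructed value, not from real logs).
NOW = datetime(2024, 6, 10, 12, 0, tzinfo=timezone.utc)
LEARNING_PERIOD = timedelta(days=7)
RUN_TIME = timedelta(hours=1)          # detection window, aligned with a 1h queryFrequency
QUERY_FREQUENCY = timedelta(hours=1)


def legacy_window(now, run_time):
    """Old arithmetic: EndRunTime = RunTime - 1d, window = ago(RunTime) .. ago(EndRunTime).
    Only RunTime == 1d makes EndRunTime zero, i.e. a window that ends at 'now'."""
    end_run_time = run_time - timedelta(days=1)
    return now - run_time, now - end_run_time


def aligned_windows(now, run_time, learning_period):
    """New arithmetic: the detection window is the last run_time; the learning window is the
    learning_period immediately before it, so the two never overlap."""
    detect_start, detect_end = now - run_time, now
    learn_start, learn_end = detect_start - learning_period, detect_start
    return (learn_start, learn_end), (detect_start, detect_end)


def detect_abnormal(records, now, run_time=RUN_TIME, learning_period=LEARNING_PERIOD):
    """Return (DestinationPort, Protocol) pairs seen in the detection window whose protocol
    never appeared on that port during the learning period."""
    (learn_start, learn_end), (detect_start, detect_end) = aligned_windows(
        now, run_time, learning_period)
    baseline = defaultdict(set)                       # port -> protocols seen while learning
    for r in records:
        if learn_start <= r["TimeGenerated"] < learn_end:
            baseline[r["DestinationPort"]].add(r["Protocol"])
    anomalies = set()
    for r in records:
        if detect_start <= r["TimeGenerated"] < detect_end:
            if r["Protocol"] not in baseline.get(r["DestinationPort"], set()):
                anomalies.add((r["DestinationPort"], r["Protocol"]))
    return sorted(anomalies)


def count_alerts_over_day(records, now, run_time, frequency=QUERY_FREQUENCY):
    """Run the detection at every scheduled time across one day and count how often each
    anomaly is reported; anything above 1 is a duplicate alert for the same activity."""
    counts = defaultdict(int)
    for i in range(timedelta(days=1) // frequency):
        for pair in detect_abnormal(records, now + i * frequency, run_time):
            counts[pair] += 1
    return dict(counts)


def make_records(now):
    """Constructed sample with AZFW*Rule-like fields (hypothetical, not real exports)."""
    recs = []
    for d in range(1, 8):                             # 7 days of ordinary traffic
        t = now - timedelta(days=d, hours=2)
        recs += [
            {"TimeGenerated": t, "DestinationPort": 443, "Protocol": "HTTPS"},
            {"TimeGenerated": t, "DestinationPort": 80, "Protocol": "HTTP"},
            {"TimeGenerated": t, "DestinationPort": 53, "Protocol": "UDP"},
        ]
    # Detection hour: one normal flow and one plaintext-HTTP-on-443 flow never seen before.
    recs.append({"TimeGenerated": now - timedelta(minutes=30),
                 "DestinationPort": 443, "Protocol": "HTTPS"})
    recs.append({"TimeGenerated": now - timedelta(minutes=20),
                 "DestinationPort": 443, "Protocol": "HTTP"})
    return recs


SAMPLE_RECORDS = make_records(NOW)

if __name__ == "__main__":
    print("anomalies:", detect_abnormal(SAMPLE_RECORDS, NOW))
    print("legacy window, RunTime=1h:", legacy_window(NOW, timedelta(hours=1)))
    print("alerts/day, RunTime=1d:", count_alerts_over_day(SAMPLE_RECORDS, NOW, timedelta(days=1)))
    print("alerts/day, RunTime=1h:", count_alerts_over_day(SAMPLE_RECORDS, NOW, RUN_TIME))
```

With RunTime = 1h the legacy formula yields a window ending 23 hours in the future, with RunTime = 2d it ends a full day in the past, and only RunTime = 1d ends at the present. Running the 1d window hourly reports the single HTTP-on-443 event 24 times, while the aligned 1h window reports it once.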
Affected Files
Solutions/Azure Firewall/Analytic Rules/Azure Firewall - Abnormal Port to Protocol.yaml
(packaging artefacts updated: mainTemplate.json, createUiDefinition.json, Package/*.zip)