What Changed

Added 5 analytic rules to the Azure Firewall solution that query Azure Firewall IDPS signature data (the AZFWIdpsSignature table):

  1. High severity malicious activity detected - Targets exploit kits, C2 domains, credential theft, and trojans
  2. Medium severity malicious activity detected - Detects PUPs, social engineering, cryptomining, and suspicious files
  3. Web Application attack detected - Identifies web application exploitation attempts
  4. DDoS attack detected - Monitors for denial of service attack patterns
  5. Elevation of Privilege attempt detected - Detects privilege escalation attempts

Detection Logic

All rules query AZFWIdpsSignature with:

  • 90-day lookback window for comprehensive threat hunting
  • Configurable severity thresholds and category filters
  • Aggregation by SourceIP with 10+ hit threshold to reduce noise
  • Flexible filtering system with toggleable category/description/action filters
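The filter-then-aggregate logic described above, modelled in Python as an added example (not code from this PR or the solution's KQL rules) so the threshold and lookback behaviour can be exercised offline. Column names mirror the AZFWIdpsSignature schema as an assumption; the category strings and all sample rows are constructed.

```python
from collections import defaultdict
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

@dataclass
class RuleFilter:
    """Tunable knobs of one rule; an empty set means that filter is toggled off."""
    severities: set                  # assumed AZFWIdpsSignature.Severity: 1 = high, 2 = medium, 3 = low
    categories: set = field(default_factory=set)
    description_terms: set = field(default_factory=set)
    actions: set = field(default_factory=set)
    lookback: timedelta = timedelta(days=90)
    min_hits: int = 10               # aggregation threshold per SourceIp

def matches(row, f, now):
    """Row-level filter: time window and severity first, then the optional toggled filters."""
    return (now - row["TimeGenerated"] <= f.lookback
            and row["Severity"] in f.severities
            and (not f.categories or row["Category"] in f.categories)
            and (not f.description_terms
                 or any(t.lower() in row["Description"].lower() for t in f.description_terms))
            and (not f.actions or row["Action"] in f.actions))

def evaluate(rows, f, now):
    """Aggregate matching rows by SourceIp and keep only sources at or above min_hits."""
    by_ip = defaultdict(list)
    for r in rows:
        if matches(r, f, now):
            by_ip[r["SourceIp"]].append(r)
    return {ip: {"HitCount": len(rs),
                 "Categories": sorted({r["Category"] for r in rs}),
                 "SignatureIds": sorted({r["SignatureId"] for r in rs}),
                 "LastSeen": max(r["TimeGenerated"] for r in rs)}
            for ip, rs in by_ip.items() if len(rs) >= f.min_hits}

NOW = datetime(2025, 1, 31, tzinfo=timezone.utc)

def make_rows(ip, n, severity, category, days_ago, sig=2000001, action="Deny"):
    """Constructed AZFWIdpsSignature-shaped rows (not real telemetry); one row per minute."""
    return [{"TimeGenerated": NOW - timedelta(days=days_ago, minutes=i), "SourceIp": ip,
             "Severity": severity, "Category": category, "Description": f"{category} activity",
             "SignatureId": sig + (i % 2), "Action": action} for i in range(n)]

SAMPLE = (make_rows("203.0.113.10", 12, 1, "Exploit Kit", days_ago=3)      # fires: 12 hits, in window
          + make_rows("203.0.113.20", 9, 1, "Exploit Kit", days_ago=3)     # 9 hits: below threshold
          + make_rows("203.0.113.30", 15, 1, "Exploit Kit", days_ago=120)  # outside 90-day lookback
          + make_rows("198.51.100.5", 20, 2, "Cryptomining", days_ago=1))  # medium, not high severity

HIGH_SEVERITY_RULE = RuleFilter(severities={1}, categories={"Exploit Kit", "Command and Control", "Trojan"})
MEDIUM_SEVERITY_RULE = RuleFilter(severities={2}, categories={"Cryptomining", "Potentially Unwanted Program"})
```

Running `evaluate(SAMPLE, HIGH_SEVERITY_RULE, NOW)` returns only 203.0.113.10, while the medium rule returns only 198.51.100.5; the below-threshold and out-of-window sources are dropped exactly as the 10-hit and 90-day settings intend.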

MITRE Coverage Expansion

The new rules significantly expand MITRE ATT&CK coverage:

  • T1190 (Exploit Public-Facing Application) - Web app attacks
  • T1498 (Network Denial of Service) - DDoS detection
  • T1078 (Valid Accounts), T1110 (Brute Force) - Privilege escalation
  • T1041 (Exfiltration Over C2), T1003 (OS Credential Dumping) - High severity threats
  • T1496 (Resource Hijacking), T1036 (Masquerading) - Medium severity threats

Security Impact (Detection Coverage)

These rules extend the Azure Firewall solution from network-filtering telemetry to IDPS-based threat detection:

  • Attack surface visibility: Web application attacks, DDoS attempts, C2 communications
  • Threat intelligence integration: IDPS signature correlation with known attack patterns
  • Behavioral analysis: Multi-stage attack detection through aggregated source IP analysis
  • Reduced false positives: Threshold-based detection (10+ hits per source) minimizes alert fatigue

Affected Files

Solutions/Azure Firewall/Analytic Rules/Azure Firewall - DDoS attack detected.yaml
Solutions/Azure Firewall/Analytic Rules/Azure Firewall - Elevation of Privilege attempt detected.yaml
Solutions/Azure Firewall/Analytic Rules/Azure Firewall - High severity malicious activity detected.yaml
Solutions/Azure Firewall/Analytic Rules/Azure Firewall - Medium severity malicious activity detected.yaml
Solutions/Azure Firewall/Analytic Rules/Azure Firewall - Web Application attack detected.yaml
(packaging artefacts: 3.0.5.zip, ReleaseNotes.md, Solution_AzureFirewall.json, createUiDefinition.json, mainTemplate.json)