What Changed

Version 3.0.6 of the Azure Firewall solution delivers quality improvements across 11 Analytic Rules and 5 Hunting Queries. The changes focus on three core areas: enhanced alert context through entity mappings and custom details, query performance optimizations to prevent full-table scans, and expanded MITRE ATT&CK coverage.

Detection Logic

The improved rules target Azure Firewall logs (AzureDiagnostics, AZFWNetworkRule, AZFWApplicationRule, AZFWFlowTrace, AZFWIdpsSignature, AZFWThreatIntel) with these key enhancements:

Query Performance:

  • Time range restrictions added to unioned tables via TimeGenerated between (FullWindowStart .. FullWindowEnd) to avoid full-table scans
  • Explicit project statements replace project-away to preserve key fields for incident investigation
  • Configurable thresholds for common ports in port scan detection to reduce benign scanner noise

Alert Context:

  • Entity mappings added for IP addresses and URLs across all rules
  • Custom details now surface critical fields like AlertCount, Threshold, NetworkProtocol, and ThreatDescription
  • Alert display name and description override templates provide incident-specific context

Detection Coverage:

  • Trigger thresholds standardized from 1 to 0, so a rule fires as soon as its query returns any result (immediate alerting)
  • Additional tactics (Discovery, Reconnaissance, DefenseEvasion) and MITRE techniques added
  • Known scanner IP exclusion capability added to port scan rules
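The query below is an added example, not one of the solution's own rule YAMLs; it shows how the performance, alert-context and coverage changes listed above fit together in a single port-scan style detection over the AZFWNetworkRule and legacy AzureDiagnostics tables. The threshold, the common-port list and the scanner allow-list are assumed values to be tuned per environment.

```kql
// Added example, not the solution's own rule. Thresholds and lists below are assumptions.
let FullWindowEnd = now();
let FullWindowStart = ago(1h);
let DistinctPortThreshold = 50;                      // assumed: distinct ports per source/destination pair
let CommonPorts = dynamic([22, 53, 80, 443, 3389]);  // assumed: expected ports, not counted toward the threshold
let KnownScannerIPs = dynamic(["10.0.0.5"]);         // assumed: authorised vulnerability scanner(s)
// Time-bound EACH table before the union so neither side is read in full.
let StructuredDenies = AZFWNetworkRule
    | where TimeGenerated between (FullWindowStart .. FullWindowEnd)
    | where Action == "Deny"
    | project TimeGenerated, SourceIp, DestinationIp, DestinationPort, NetworkProtocol = Protocol;
let LegacyDenies = AzureDiagnostics
    | where TimeGenerated between (FullWindowStart .. FullWindowEnd)
    | where Category == "AzureFirewallNetworkRule"
    | parse msg_s with NetworkProtocol " request from " SourceIp ":" SourcePort:int " to " DestinationIp ":" DestinationPort:int *
    | parse msg_s with * ". Action: " Action
    | where Action startswith "Deny"
    | project TimeGenerated, SourceIp, DestinationIp, DestinationPort, NetworkProtocol;
union isfuzzy=true StructuredDenies, LegacyDenies
// Known scanner exclusion and configurable common-port exclusion reduce benign noise.
| where SourceIp !in (KnownScannerIPs)
| where DestinationPort !in (CommonPorts)
| summarize AlertCount = dcount(DestinationPort),
            StartTime = min(TimeGenerated), EndTime = max(TimeGenerated),
            Ports = make_set(DestinationPort, 25)
    by SourceIp, DestinationIp, NetworkProtocol
| where AlertCount >= DistinctPortThreshold
| extend Threshold = DistinctPortThreshold
// Explicit project (instead of project-away) keeps the fields that feed entity mappings
// (SourceIp, DestinationIp) and custom details (AlertCount, Threshold, NetworkProtocol).
| project StartTime, EndTime, SourceIp, DestinationIp, NetworkProtocol, AlertCount, Threshold, Ports
```

In a rule definition the projected columns would then be referenced from entityMappings and customDetails, and the alert display name template could read, for example, "Port scan from {{SourceIp}} ({{AlertCount}} ports, threshold {{Threshold}})".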

MITRE Mapping

Expanded coverage includes:

  • T1046 (Network Service Discovery) — port scan/sweep detection
  • T1071 (Application Layer Protocol) — abnormal protocol usage
  • T1568.001/.002 (Dynamic Resolution: Fast Flux DNS/DGA) — abnormal deny rates
  • T1571/T1572 (Non-Standard Port) — port to protocol anomalies
  • T1595.001 (Active Scanning: Scanning IP Blocks) — reconnaissance activities

Affected Files

Solutions/Azure Firewall/Analytic Rules/Azure Firewall - Abnormal Deny Rate for Source IP.yaml
Solutions/Azure Firewall/Analytic Rules/Azure Firewall - Abnormal Port to Protocol.yaml
Solutions/Azure Firewall/Analytic Rules/Azure Firewall - DDoS attack detected.yaml
Solutions/Azure Firewall/Analytic Rules/Azure Firewall - Elevation of Privilege attempt detected.yaml
Solutions/Azure Firewall/Analytic Rules/Azure Firewall - High severity malicious activity detected.yaml
Solutions/Azure Firewall/Analytic Rules/Azure Firewall - Medium severity malicious activity detected.yaml
Solutions/Azure Firewall/Analytic Rules/Azure Firewall - Multiple Sources Affected by the Same TI Destination.yaml
Solutions/Azure Firewall/Analytic Rules/Azure Firewall - Port Scan.yaml
Solutions/Azure Firewall/Analytic Rules/Azure Firewall - Port Sweep.yaml
Solutions/Azure Firewall/Analytic Rules/Azure Firewall - Web Application attack detected.yaml
Solutions/Azure Firewall/Analytic Rules/SeveralDenyActionsRegistered.yaml
Solutions/Azure Firewall/Hunting Queries/Azure Firewall - First Time Source IP to Destination Using Port.yaml
Solutions/Azure Firewall/Hunting Queries/Azure Firewall - First time source IP to Destination.yaml
Solutions/Azure Firewall/Hunting Queries/Azure Firewall - Source IP Abnormally Connects to Multiple Destinations.yaml
Solutions/Azure Firewall/Hunting Queries/Azure Firewall - Uncommon Port for Organization.yaml
Solutions/Azure Firewall/Hunting Queries/Azure Firewall - Uncommon Port to IP.yaml
(packaging artefacts: 3.0.6.zip, ReleaseNotes.md, createUiDefinition.json, mainTemplate.json)