// List of Unique Firewall Rules Triggered
// One row per distinct rule name with the number of log rows it produced.
// NOTE(review): the *_s columns used throughout this file (ruleName_s,
// callerIpAddress_s, threatSeverity_s, ...) are not part of the built-in
// Azure Firewall AzureDiagnostics schema, where the rule details are carried
// in msg_s under Category AzureFirewallNetworkRule / AzureFirewallApplicationRule
// / AzureFirewallThreatIntelLog — confirm the column names against the workspace.
let firewall_logs = AzureDiagnostics | where ResourceType == "AZUREFIREWALLS";
firewall_logs
| summarize count() by ruleName_s
// List of Source IPs That Triggered Firewall Rules Most Often:
// The ten source addresses with the most log rows (top is sort + take).
let firewall_logs = AzureDiagnostics | where ResourceType == "AZUREFIREWALLS";
firewall_logs
| summarize count() by callerIpAddress_s
| sort by count_ desc
| take 10
// Traffic Destinations:
// Every destination address seen, busiest first.
let firewall_logs = AzureDiagnostics | where ResourceType == "AZUREFIREWALLS";
firewall_logs
| summarize count() by destinationIp_s
| sort by count_ desc
// Count of Firewall Events Over Time:
// Hourly row count rendered as a time series; use it as the baseline for the
// spike queries further down.
AzureDiagnostics
| where ResourceType == "AZUREFIREWALLS"
| summarize count() by bin(TimeGenerated, 1h)
| render timechart
// Detected Threats by Severity:
// Distribution of rows across threat severity values. Rows without a
// severity value fall into an empty bucket — presumably the non-threat
// traffic; confirm against the log schema.
let firewall_logs = AzureDiagnostics | where ResourceType == "AZUREFIREWALLS";
firewall_logs
| summarize count() by threatSeverity_s
| render piechart
// Detected Threats by Category:
// Distribution of rows across threat category values (empty bucket = rows
// with no category, presumably ordinary traffic — confirm against the schema).
let firewall_logs = AzureDiagnostics | where ResourceType == "AZUREFIREWALLS";
firewall_logs
| summarize count() by threatCategory_s
| render piechart
// List of Detected Threats by Source IP:
// Row counts per (threat type, source address) pair, most frequent first.
let firewall_logs = AzureDiagnostics | where ResourceType == "AZUREFIREWALLS";
firewall_logs
| summarize count() by threatType_s, callerIpAddress_s
| sort by count_ desc
// Detected Traffic From Non-Standard Ports:
// Rows whose destination port is anything other than the two web ports.
// Ports are compared as strings, so "443 " or "0443" would not be excluded.
let web_ports = dynamic(["80", "443"]);
AzureDiagnostics
| where ResourceType == "AZUREFIREWALLS"
| where destinationPort_s !in (web_ports)
| project TimeGenerated, callerIpAddress_s, destinationIp_s, destinationPort_s
// Number of Allowed and Denied Connections:
// Row count per action value, rendered as a bar chart.
let firewall_logs = AzureDiagnostics | where ResourceType == "AZUREFIREWALLS";
firewall_logs
| summarize count() by action_s
| render barchart
// Suspicious ASN Activities:
// The ten source ASNs with the most log rows. The query only ranks by
// volume; whether an ASN is suspicious needs an analyst or an enrichment list.
let firewall_logs = AzureDiagnostics | where ResourceType == "AZUREFIREWALLS";
firewall_logs
| summarize count() by callerASN_s
| sort by count_ desc
| take 10
// List of Top 10 Threat Types:
// The ten most frequent threat type values.
let firewall_logs = AzureDiagnostics | where ResourceType == "AZUREFIREWALLS";
firewall_logs
| summarize count() by threatType_s
| sort by count_ desc
| take 10
// Top Destination Ports:
// The ten destination ports with the most log rows.
let firewall_logs = AzureDiagnostics | where ResourceType == "AZUREFIREWALLS";
firewall_logs
| summarize count() by destinationPort_s
| sort by count_ desc
| take 10
// Connections by Protocol:
// Row count per protocol value, rendered as a pie chart. Same query as
// "Traffic Volume Per Protocol" further down.
let firewall_logs = AzureDiagnostics | where ResourceType == "AZUREFIREWALLS";
firewall_logs
| summarize count() by protocol_s
| render piechart
// Geographical Locations of Source IPs:
// Row count per source geolocation value on a world map. The map render
// expects coordinates or country names in the grouping column — confirm
// what callerGeoLocation_s actually holds.
let firewall_logs = AzureDiagnostics | where ResourceType == "AZUREFIREWALLS";
firewall_logs
| summarize count() by callerGeoLocation_s
| render worldmap
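// Traffic from Known Malicious IPs:
// Rows whose source address appears in the indicator list below. The list is
// a placeholder — replace it with your own set of known malicious IPs. `in`
// is an exact, case-sensitive string match, so entries must be single
// addresses; for CIDR ranges use ipv4_is_in_any_range() instead.
let malicious_ips = dynamic(["1.2.3.4", "2.3.4.5"]); // placeholder — replace with your list
AzureDiagnostics
| where ResourceType == "AZUREFIREWALLS"
| where callerIpAddress_s in (malicious_ips)
| project TimeGenerated, callerIpAddress_s, destinationIp_s, action_s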
// Unusual Volume of Firewall Events:
// Hourly row counts, busiest hours first, as a time series. The sort only
// orders the table view; the chart is plotted along the time axis either way.
let firewall_logs = AzureDiagnostics | where ResourceType == "AZUREFIREWALLS";
firewall_logs
| summarize EventCount = count() by bin(TimeGenerated, 1h)
| sort by EventCount desc
| project TimeGenerated, EventCount
| render timechart
// Top Blocked Traffic Types:
// The ten rule names that produced the most Deny rows.
AzureDiagnostics
| where ResourceType == "AZUREFIREWALLS"
| where action_s == "Deny"
| summarize count() by ruleName_s
| sort by count_ desc
| take 10
// Traffic by Rule Collection Type (Application, Network, NAT):
// Row count per rule collection type as a bar chart.
let firewall_logs = AzureDiagnostics | where ResourceType == "AZUREFIREWALLS";
firewall_logs
| summarize count() by ruleCollectionType_s
| render barchart
// List of Unique Source and Destination IP Pairs:
// Row count per (source, destination) address pair, most frequent first.
let firewall_logs = AzureDiagnostics | where ResourceType == "AZUREFIREWALLS";
firewall_logs
| summarize count() by callerIpAddress_s, destinationIp_s
| sort by count_ desc
// Traffic Destinations by Rule Type:
// Row count per (rule type, destination address) pair, most frequent first.
let firewall_logs = AzureDiagnostics | where ResourceType == "AZUREFIREWALLS";
firewall_logs
| summarize count() by ruleType_s, destinationIp_s
| sort by count_ desc
// Traffic From Non-Standard High Ports:
// Rows whose destination port parses to a number above 1024. Rows whose port
// is not numeric become null and are dropped; 1024 itself is not included.
// Identical to "Connection Attempts to Non-Standard Ports" further down.
AzureDiagnostics
| where ResourceType == "AZUREFIREWALLS"
| where toint(destinationPort_s) > 1024
| project TimeGenerated, callerIpAddress_s, destinationIp_s, destinationPort_s
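// Ratio of Denied vs Allowed Traffic:
// Share of all firewall rows per action value, as a fraction of the total.
// The previous version called sum() inside extend; sum() is an aggregation
// function and is not valid in a row-wise extend, so the query failed. The
// total is now computed once with toscalar() and applied to every bucket.
let firewall_logs = AzureDiagnostics | where ResourceType == "AZUREFIREWALLS";
let total_traffic = toscalar(firewall_logs | count);
firewall_logs
| summarize TrafficCount = count() by action_s
| project action_s, TrafficRatio = TrafficCount / todouble(total_traffic)
| render barchart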
// Top 10 Source Countries:
// The ten source country values with the most log rows.
let firewall_logs = AzureDiagnostics | where ResourceType == "AZUREFIREWALLS";
firewall_logs
| summarize count() by callerCountry_s
| sort by count_ desc
| take 10
// All Blocked Traffic to Critical Ports:
// Deny rows whose destination is one of the remote-administration ports
// (22 = SSH, 3389 = RDP). Extend the list with whatever your environment
// treats as critical.
let critical_ports = dynamic(["22", "3389"]);
AzureDiagnostics
| where ResourceType == "AZUREFIREWALLS"
| where action_s == "Deny"
| where destinationPort_s in (critical_ports)
| project TimeGenerated, callerIpAddress_s, destinationIp_s, destinationPort_s
// Blocked Traffic with High Severity Threats:
// Deny rows tagged with severity "High". The comparison is case-sensitive,
// so the literal must match the log value exactly.
AzureDiagnostics
| where ResourceType == "AZUREFIREWALLS"
| where action_s == "Deny"
| where threatSeverity_s == "High"
| project TimeGenerated, callerIpAddress_s, destinationIp_s, threatType_s
// Unexpected Outbound Traffic:
// Outbound rows whose destination is not in the expected list. The two
// Google DNS resolvers are a placeholder allowlist — extend it with the
// destinations your environment is expected to reach, otherwise nearly all
// outbound traffic is reported.
let expected_destinations = dynamic(["8.8.8.8", "8.8.4.4"]);
AzureDiagnostics
| where ResourceType == "AZUREFIREWALLS"
| where direction_s == "Outbound"
| where destinationIp_s !in (expected_destinations)
| project TimeGenerated, callerIpAddress_s, destinationIp_s
// Traffic To Uncommon Destinations:
// Destination addresses seen fewer than five times in the query window.
// The threshold is relative to the time range selected, so widen or narrow
// the range before reading too much into it.
let firewall_logs = AzureDiagnostics | where ResourceType == "AZUREFIREWALLS";
firewall_logs
| summarize count() by destinationIp_s
| where count_ < 5
// Spike in Firewall Rule Triggers:
// Hourly row count per rule name as a multi-series time chart. The sort only
// orders the table view; the chart is plotted along the time axis either way.
let firewall_logs = AzureDiagnostics | where ResourceType == "AZUREFIREWALLS";
firewall_logs
| summarize EventCount = count() by bin(TimeGenerated, 1h), ruleName_s
| sort by EventCount desc
| project TimeGenerated, ruleName_s, EventCount
| render timechart
// Top Application Rules Triggered:
// The ten rule names with the most rows whose collection type is
// "ApplicationRule" (exact, case-sensitive match).
AzureDiagnostics
| where ResourceType == "AZUREFIREWALLS"
| where ruleCollectionType_s == "ApplicationRule"
| summarize count() by ruleName_s
| sort by count_ desc
| take 10
// List of Unique User Agents:
// Distinct HTTP user agent values (summarize with no aggregate = distinct).
let firewall_logs = AzureDiagnostics | where ResourceType == "AZUREFIREWALLS";
firewall_logs
| summarize by httpUserAgent_s
// Top 10 Threats Detected:
// The ten most frequent threat name values.
let firewall_logs = AzureDiagnostics | where ResourceType == "AZUREFIREWALLS";
firewall_logs
| summarize count() by threatName_s
| sort by count_ desc
| take 10
// Connection Attempts to Non-Standard Ports:
// Rows whose destination port parses to a number above 1024 (non-numeric
// ports become null and are dropped). Identical to "Traffic From
// Non-Standard High Ports" above.
AzureDiagnostics
| where ResourceType == "AZUREFIREWALLS"
| where toint(destinationPort_s) > 1024
| project TimeGenerated, callerIpAddress_s, destinationIp_s, destinationPort_s
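// Suspicious User Agent Strings:
// Rows whose HTTP user agent mentions a command-line HTTP client. The previous
// predicate mixed `and` with `or` without parentheses; `and` binds tighter, so
// the "wget" branch matched rows of every ResourceType. The user-agent test is
// now its own where clause so the ResourceType filter applies to both branches.
// `contains` is a case-insensitive substring match.
AzureDiagnostics
| where ResourceType == "AZUREFIREWALLS"
| where httpUserAgent_s contains "curl" or httpUserAgent_s contains "wget"
| project TimeGenerated, callerIpAddress_s, httpUserAgent_s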
// Denied Connections Over Time:
// Hourly count of Deny rows as a time series.
AzureDiagnostics
| where ResourceType == "AZUREFIREWALLS"
| where action_s == "Deny"
| summarize count() by bin(TimeGenerated, 1h)
| render timechart
// Successful Outbound Connections Over Time:
// Hourly count of rows that were allowed in the outbound direction.
AzureDiagnostics
| where ResourceType == "AZUREFIREWALLS"
| where action_s == "Allow"
| where direction_s == "Outbound"
| summarize count() by bin(TimeGenerated, 1h)
| render timechart
// Traffic Volume Per Protocol:
// Row count per protocol value as a pie chart. Same query as
// "Connections by Protocol" above.
let firewall_logs = AzureDiagnostics | where ResourceType == "AZUREFIREWALLS";
firewall_logs
| summarize count() by protocol_s
| render piechart
// Detected Threats By Destination IP:
// Row count per (threat type, destination address) pair, most frequent first.
let firewall_logs = AzureDiagnostics | where ResourceType == "AZUREFIREWALLS";
firewall_logs
| summarize count() by threatType_s, destinationIp_s
| sort by count_ desc
// Number of Allowed Connections from Specific Countries:
// Count of Allow rows per source country as a bar chart.
AzureDiagnostics
| where ResourceType == "AZUREFIREWALLS"
| where action_s == "Allow"
| summarize count() by callerCountry_s
| render barchart
// Distribution of Network Traffic over Time:
// Hourly row count as a time series (same as "Count of Firewall Events Over
// Time" above).
let firewall_logs = AzureDiagnostics | where ResourceType == "AZUREFIREWALLS";
firewall_logs
| summarize count() by bin(TimeGenerated, 1h)
| render timechart
// Top Destination IPs for Outbound Traffic:
// The ten destination addresses with the most outbound rows.
AzureDiagnostics
| where ResourceType == "AZUREFIREWALLS"
| where direction_s == "Outbound"
| summarize count() by destinationIp_s
| sort by count_ desc
| take 10
// Top 10 Threat Categories Detected:
// The ten most frequent threat category values.
let firewall_logs = AzureDiagnostics | where ResourceType == "AZUREFIREWALLS";
firewall_logs
| summarize count() by threatCategory_s
| sort by count_ desc
| take 10
// Most Frequently Denied Outbound Connections:
// Deny rows in the outbound direction, counted per (source, destination)
// pair and ordered busiest first.
AzureDiagnostics
| where ResourceType == "AZUREFIREWALLS"
| where action_s == "Deny"
| where direction_s == "Outbound"
| summarize count() by callerIpAddress_s, destinationIp_s
| sort by count_ desc
// List of Threats Detected from a Specific Country:
// Threat names seen from one source country, most frequent first. Set the
// country below; the match is exact and case-sensitive.
let target_country = "Russia";
AzureDiagnostics
| where ResourceType == "AZUREFIREWALLS"
| where callerCountry_s == target_country
| summarize count() by threatName_s
| sort by count_ desc
// Detected Threats by Country:
// Row count per (threat name, source country) pair, most frequent first.
let firewall_logs = AzureDiagnostics | where ResourceType == "AZUREFIREWALLS";
firewall_logs
| summarize count() by threatName_s, callerCountry_s
| sort by count_ desc
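// Traffic from Tor Exit Nodes:
// Rows whose source address appears in the exit-node list below. The list is
// a placeholder — replace it with a current Tor exit node list (it changes
// often, so refresh it regularly). `in` is an exact string match on single
// addresses; for ranges use ipv4_is_in_any_range() instead.
let tor_exit_nodes = dynamic(["1.2.3.4", "2.3.4.5"]); // placeholder — replace with your list
AzureDiagnostics
| where ResourceType == "AZUREFIREWALLS"
| where callerIpAddress_s in (tor_exit_nodes)
| project TimeGenerated, callerIpAddress_s, destinationIp_s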
// Frequency of Traffic by Source IP and Port:
// Row count per (source address, source port) pair, most frequent first.
// A fixed source port across many rows is unusual for client traffic and
// worth a closer look.
let firewall_logs = AzureDiagnostics | where ResourceType == "AZUREFIREWALLS";
firewall_logs
| summarize count() by callerIpAddress_s, sourcePort_s
| sort by count_ desc
// Connection Attempts to Specific Service Ports:
// Every row (allowed or denied) whose destination port is SSH (22) or
// RDP (3389). Unlike "All Blocked Traffic to Critical Ports" this does not
// filter on the action.
let service_ports = dynamic(["22", "3389"]);
AzureDiagnostics
| where ResourceType == "AZUREFIREWALLS"
| where destinationPort_s in (service_ports)
| project TimeGenerated, callerIpAddress_s, destinationIp_s, destinationPort_s
// All Blocked Traffic from a Specific Source IP:
// Deny rows from one source address; set the address below (placeholder).
let source_ip = "1.2.3.4";
AzureDiagnostics
| where ResourceType == "AZUREFIREWALLS"
| where action_s == "Deny"
| where callerIpAddress_s == source_ip
| project TimeGenerated, callerIpAddress_s, destinationIp_s
// Outbound Traffic to Non-Standard Ports:
// Outbound rows whose destination port parses to a number above 1024
// (non-numeric ports become null and are dropped; 1024 itself is excluded).
AzureDiagnostics
| where ResourceType == "AZUREFIREWALLS"
| where direction_s == "Outbound"
| where toint(destinationPort_s) > 1024
| project TimeGenerated, callerIpAddress_s, destinationIp_s, destinationPort_s
// Top 10 ASN of Caller IP:
// The ten source ASNs with the most log rows (same as "Suspicious ASN
// Activities" above).
let firewall_logs = AzureDiagnostics | where ResourceType == "AZUREFIREWALLS";
firewall_logs
| summarize count() by callerASN_s
| sort by count_ desc
| take 10