Forum Discussion

ankit976
Copper Contributor
Dec 28, 2021

Usecase if IDS/IPS turned off on firewall ( In azure sentinel ) @Azure

I want to create a use case for when IDS/IPS is turned off on a firewall (in Azure Sentinel). Can anyone help with a Kusto query for this?

    Clive_Watson
    Bronze Contributor
    You don't mention which firewall. Azure Firewall logs IPS/IDS, so you can start a query with:
    AzureDiagnostics | where ResourceType == "AZUREFIREWALLS" | where OperationName == "AzureFirewallIDSLog"
    •
      ankit976
      Copper Contributor
      But with this we cannot find out whether IDS is turned off or not. There is a field msg_s; in that, I guess, we will get "off", so the query can be:
      AzureDiagnostics | where ResourceType == "AZUREFIREWALLS" | where OperationName == "AzureFirewallIDSLog" | where msg_s contains "off"

      Now I am in doubt about that "off" thing.
      •
        Clive_Watson
        Bronze Contributor
        I was thinking that if you have data returned by that query then IDS must be "ON"; you could then test to see when data was last sent?

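Clive_Watson's last suggestion (treat a silent IDS log stream as the signal, rather than grepping msg_s for "off") written out as a Sentinel query. This is an added example, not code posted in the thread. It reuses the AzureDiagnostics filters shown above and assumes that the firewall's diagnostic setting forwards AzureFirewallIDSLog to the Sentinel workspace; the 7-day lookback and 1-hour silence threshold are assumed values you would tune to your firewall's normal alert rate.

```kusto
// Added example: flag Azure Firewall instances whose IDS/IPS log stream has gone quiet.
// Assumptions: AzureFirewallIDSLog is being sent to this workspace, and a firewall that
// normally emits IDS records within `silence` of each other has not stopped for another reason.
let lookback = 7d;   // how far back to look for the last IDS record (assumed)
let silence  = 1h;   // how long without IDS records before we alert (assumed, tune per firewall)
AzureDiagnostics
| where TimeGenerated > ago(lookback)
| where ResourceType == "AZUREFIREWALLS"
| where OperationName == "AzureFirewallIDSLog"
// one row per firewall: when did it last produce an IDS record?
| summarize LastIDSLog = max(TimeGenerated), IDSRecords = count() by Resource, ResourceId
| where LastIDSLog < ago(silence)
| extend SilentFor = now() - LastIDSLog
| project Resource, ResourceId, LastIDSLog, SilentFor, IDSRecords
| order by SilentFor desc
```

Usage: run it on a schedule as an analytics rule with a frequency of about the silence window. Note that silence is only circumstantial evidence: a firewall that simply saw no traffic matching IDPS signatures, a diagnostic setting that was removed, or ingestion latency all look the same in this query. A firewall that has never logged IDS in the lookback window will also not appear at all, since it has no rows to summarize, so keep a separate inventory of which firewalls should be emitting. IDPS mode (Off / Alert / Deny) lives in the firewall policy, so the control-plane change itself is the stronger signal; pairing this query with AzureActivity records for firewall policy writes (operation name assumed here to be Microsoft.Network/firewallPolicies/write) gives you both the change event and its effect on the log stream.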