Forum Discussion
ankit976 (Copper Contributor)
Dec 28, 2021
Use case if IDS/IPS is turned off on firewall (in Azure Sentinel) @Azure
I want to create a use case for when IDS/IPS is turned off on the firewall (in Azure Sentinel). Can anyone help with a Kusto query for this?
- Clive_Watson (Bronze Contributor): You don't mention which firewall. Azure Firewall logs IPS/IDS, so you can start a query with:
  AzureDiagnostics | where ResourceType == "AZUREFIREWALLS" | where OperationName == "AzureFirewallIDSLog"
- ankit976 (Copper Contributor): But with this we cannot find out whether IDS is turned off or not... There is a field msg_s, and in that I guess we will get "off". So the query can be:
  AzureDiagnostics | where ResourceType == "AZUREFIREWALLS" | where OperationName == "AzureFirewallIDSLog" | where msg_s contains "off"
  Now I am in doubt about that "off" thing.
- Clive_Watson (Bronze Contributor): I was thinking that if you have data returned by that query then IDS must be "ON"; you could then test to see when data was last sent?
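One way to turn the "when was data last sent" idea into an analytics rule, as an added example that is not part of the thread: instead of searching msg_s for "off", it treats a firewall that used to emit AzureFirewallIDSLog entries but has gone quiet as a candidate for IDS/IPS having been disabled. It assumes the columns named in the thread (ResourceType, OperationName) plus the standard AzureDiagnostics columns TimeGenerated, Resource, ResourceGroup and SubscriptionId; the 14d lookback and 2h silence threshold are constructed values to tune for your environment.

```kusto
// Added example (not from the thread). Flags Azure Firewalls whose IDS/IPS
// log stream has stopped. A firewall that never logged IDS events in the
// lookback window is not listed, because there is no baseline to compare with.
let lookback = 14d;            // constructed: how far back to look for any IDS log
let silence_threshold = 2h;    // constructed: how long without IDS logs counts as "quiet"
AzureDiagnostics
| where TimeGenerated > ago(lookback)
| where ResourceType == "AZUREFIREWALLS"
| where OperationName == "AzureFirewallIDSLog"
// One row per firewall: when it last sent an IDS log and how many it sent.
| summarize LastIdsLog = max(TimeGenerated), IdsEvents = count()
    by Resource, ResourceGroup, SubscriptionId
// Keep only firewalls that have been silent longer than the threshold.
| where LastIdsLog < ago(silence_threshold)
| extend HoursSilent = datetime_diff('hour', now(), LastIdsLog)
| project Resource, ResourceGroup, SubscriptionId, LastIdsLog, HoursSilent, IdsEvents
| order by LastIdsLog asc
```

A quiet network can also produce no IDS alerts for a while, so pick the threshold from each firewall's normal event rate and confirm a hit against the firewall's current configuration before treating it as IDS/IPS being switched off.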