Forum Discussion
ankit976
Dec 28, 2021
Copper Contributor
Usecase if IDS/IPS turned off on firewall ( In azure sentinel ) @Azure
Want to create one use case for when IDS/IPS is turned off on the firewall (in Azure Sentinel). Can anyone help with a Kusto query for this?
Clive_Watson
Jan 05, 2022
Bronze Contributor
You don't mention which Firewall. Azure Firewall logs IPS/IDS, so you can start a query with:
AzureDiagnostics | where ResourceType == "AZUREFIREWALLS" | where OperationName == "AzureFirewallIDSLog"
ankit976
Jan 07, 2022
Copper Contributor
But by this we cannot find whether IDS is turned off or not... there is a field msg_s; in that, I guess, we will get "off". So the query can be:
AzureDiagnostics | where ResourceType == "AZUREFIREWALLS" | where OperationName == "AzureFirewallIDSLog" | where msg_s contains "off"
Now I am in doubt about that "off" thing.
Clive_Watson
Jan 07, 2022
Bronze Contributor
I was thinking that if you have data returned by that query, then IDS must be "ON"; you could then test to see when data was last sent?
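One way to turn that "when was data last sent?" idea into a scheduled analytics rule, as an added example that is not part of the thread and not Microsoft's own content: it lists every Azure Firewall that has emitted AzureFirewallIDSLog entries in the lookback window but has gone quiet for longer than a threshold. The lookback and silence threshold are assumed values to tune; the Resource, ResourceGroup and SubscriptionId columns are the standard AzureDiagnostics fields rather than anything quoted in the thread.

```kql
// Added example (not from the thread): flag Azure Firewalls whose IDS/IPS log stream has gone silent.
// Uses the classic AzureDiagnostics table and the filters suggested above.
let lookback = 7d;           // assumed: how far back to look for firewalls that have ever logged IDS events
let silence_threshold = 1h;  // assumed: how long without an IDS entry before raising an alert
AzureDiagnostics
| where TimeGenerated > ago(lookback)
| where ResourceType == "AZUREFIREWALLS"
| where OperationName == "AzureFirewallIDSLog"
// One row per firewall: most recent IDS entry and how many we saw in the window
| summarize LastIdsLog = max(TimeGenerated), IdsEventCount = count()
    by Resource, ResourceGroup, SubscriptionId
| extend SilentFor = now() - LastIdsLog
| where SilentFor > silence_threshold
| project Resource, ResourceGroup, SubscriptionId, LastIdsLog, SilentFor, IdsEventCount
| order by SilentFor desc
```

Run it on a schedule (for example every hour with the same 1h threshold) and raise an incident on any row returned. Treat a hit as a lead rather than proof: a firewall whose IDS mode is still enabled also produces no AzureFirewallIDSLog entries when no traffic matched a signature, and a firewall that never logged inside the lookback window will not appear at all, so pair this with a check of the firewall's configuration before concluding that IDS/IPS was switched off.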