cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
SOLVED

Usecase if IDS/IPS turned off on firewall ( In azure sentinel ) @Azure

ankit976
Copper Contributor

‎Dec 28 2021 03:07 AM - last edited on ‎Jan 04 2022 12:15 PM by

‎Dec 28 2021 03:07 AM - last edited on ‎Jan 04 2022 12:15 PM by

Usecase if IDS/IPS turned off on firewall ( In azure sentinel ) @Azure

Want to create one use case  if IDS/IPS turned off on firewall ( In azure sentinel ). Can any one help with Kusto query for this. 

1,530 Views
1 Like
3 Replies
Reply
3 Replies
best response confirmed by ankit976 (Copper Contributor)
Clive_Watson

‎Jan 05 2022 12:53 AM

‎Jan 05 2022 12:53 AM

Solution

RE: Usecase if IDS/IPS turned off on firewall ( In azure sentinel ) @Azure

You don't mention which Firewall. Azure Firewall, logs IPS/IDS so you can start a query with AzureDiagnostics | where ResourceType == "AZUREFIREWALLS" | where OperationName == "AzureFirewallIDSLog"
0 Likes
Reply
ankit976

‎Jan 07 2022 06:55 AM

‎Jan 07 2022 06:55 AM

RE: Usecase if IDS/IPS turned off on firewall ( In azure sentinel ) @Azure

But by this we can not find whether IDS turnoff or not.........there is field msg_s in that i guess we will get "off". so query can be
AzureDiagnostics | where ResourceType == "AZUREFIREWALLS" | where OperationName == "AzureFirewallIDSLog" | where msg_s contains "off"

Now i am in doubt about that off things
0 Likes
Reply
Clive_Watson

‎Jan 07 2022 08:44 AM

‎Jan 07 2022 08:44 AM

RE: Usecase if IDS/IPS turned off on firewall ( In azure sentinel ) @Azure

I was thinking if you have data returned by that Query then IDS must be "ON", you could then test to see when data was last sent?
0 Likes
Reply
1 best response

Accepted Solutions
best response confirmed by ankit976 (Copper Contributor)
Clive_Watson

‎Jan 05 2022 12:53 AM

‎Jan 05 2022 12:53 AM

Solution

RE: Usecase if IDS/IPS turned off on firewall ( In azure sentinel ) @Azure

You don't mention which Firewall. Azure Firewall, logs IPS/IDS so you can start a query with AzureDiagnostics | where ResourceType == "AZUREFIREWALLS" | where OperationName == "AzureFirewallIDSLog"

View solution in original post

0 Likes
Reply