Add KQL query for high severity malicious activity

shabaz-github · web-flow · commit ff688127d65e · 2026-02-09T13:26:27.000+05:30
diff --git a/Azure Firewall/Alerts - Queries and Alerts/Detection - AZFW IDPS Threat Category based Detections/High severity malicious activity detected.kql b/Azure Firewall/Alerts - Queries and Alerts/Detection - AZFW IDPS Threat Category based Detections/High severity malicious activity detected.kql
@@ -0,0 +1,39 @@
+let TimeWindow   = 90d;    // How far back to look
+let HitThreshold = 10;     // Minimum hits to alert per SourceIp + Category
+let MinSeverity  = 1;      // Set Minimum Severity
+let EnableCategoryFilter    = true;  // Filter 1: Change to true for filtering based on Categoriesofinterest defined below
+let EnableDescriptionFilter = false;  // Filter 2: Change to true for filtering based on Descriptionsofinterest defined below
+let EnableActionFilter      = false;  // Filter 3: Change to true for filtering based on a MatchActions defined below
+let CategoriesOfInterest    = dynamic(["Targeted Malicious Activity was Detected", "Exploit Kit Activity Detected", "Domain Observed Used for C2 Detected", "Successful Credential Theft Detected", "Malware Command and Control Activity Detected", "Executable code was detected", "A Network Trojan was detected"]); // Filter 1
+let DescriptionsOfInterest  = dynamic(["targeted-activity", "exploit-kit", "domain-c2", "credential-theft", "command-and-control", "shellcode-detect", "trojan-activity"]); // Filter 2
+let MatchActions            = dynamic(["Deny", "alert"]);   // Filter 3 
+AZFWIdpsSignature
+| where TimeGenerated >= ago(TimeWindow)
+| where Severity >= MinSeverity
+// Filter 1: Category filter (optional)
+| where (EnableCategoryFilter == false) or (Category has_any (CategoriesOfInterest))
+// Filter 2: Description filter (optional)
+| where (EnableDescriptionFilter == false) or (Description has_any (DescriptionsOfInterest))
+// Filter 3: Action filter (optional)
+| where (EnableActionFilter == false) or (Action in~ (MatchActions))
+| summarize
+    StartTime = min(TimeGenerated),
+    EndTime = max(TimeGenerated),
+    TotalHits = count(),
+    MaxSeverity  = max(Severity),
+    Actions = make_set(Action, 5),
+    Signatures   = make_set(SignatureId, 20),
+    Description  = make_set(substring(tostring(Description), 0, 120), 3)
+    by SourceIp, ThreatCategory = Category
+| where TotalHits >= HitThreshold
+| project
+    StartTime,
+    EndTime,
+    SourceIp,
+    ThreatCategory,
+    TotalHits,
+    MaxSeverity,
+    Actions,
+    Signatures,
+    Description
+| order by MaxSeverity desc, TotalHits desc
