README.md

AzFirewallIDPSSentinel

This repository provides Analytics Rule of Microsoft Sentinel for Azure Firewall IDPS Alert.

Screenshot of Microsoft Sentinel Incident

When you imported exported json file from Sentinel, Analytics Rule will trigger Azure Firewall IDPS alert to Microsoft Sentinel.

Preparations

You should enable Structured format of Diagnostic setting from Azure Firewall.

Analytics Rule

Created three analytics rules for Azure Firewall IDPS Alert

Severity	Rule Title	Description
High	Detect High Severity from IDS Event of Azure Firewall	Detected High Severity Non-blocked alert event from Azure Firewall IDPS.
Medium	Detect Alert Event from IDS Events of Azure Firewall	Detected Non-blocked alert event from Azure Firewall IDPS.
Low	Detect Blocked Event from IPS Events of Azure Firewall	Detected Blocked Event from Azure Firewall IDPS.