docs: fix metadata, stale language, product names, code block, style edits

duongau · duongau · commit 6fcc5acca606 · 2026-03-28T15:31:08.000-07:00
diff --git a/articles/firewall/detect-malware-with-sentinel.md b/articles/firewall/detect-malware-with-sentinel.md
@@ -1,135 +1,123 @@
 ---
 title: Detect malware with Microsoft Sentinel for Azure Firewall
-description: This article shows you how you can detect malware with the Azure Firewall solution for Microsoft Sentinel.
+description: Learn how to detect and respond to common malware threats such as Coinminer, Cl0p, and Sunburst using KQL detection queries in Microsoft Sentinel with Azure Firewall logs.
 author: duongau
 ms.author: duau
 ms.service: azure-firewall
 ms.topic: how-to
-ms.date: 01/23/2024
+ms.date: 03/28/2026
 # Customer intent: "As a security analyst, I want to implement malware detection using Azure Firewall logs with Microsoft Sentinel, so that I can proactively identify and respond to threats like Coinminer, Cl0p, and Sunburst to protect our network from potential attacks."
 ---
 
 # Detect malware with Microsoft Sentinel for Azure Firewall
 
-Malware is any software that is designed to cause damage, disruption, or compromise the security and functionality of computer systems, networks, or devices. It includes diverse types of threats, such as viruses, worms, trojans, ransomware, spyware, adware, rootkits, and more. Malware can have various negative impacts, such as stealing sensitive data, encrypting, or deleting files, displaying unwanted ads, slowing down performance, or even taking control of the device.
+Malware is any software designed to cause damage, disruption, or compromise the security and functionality of computer systems, networks, or devices. It includes diverse types of threats, such as viruses, worms, trojans, ransomware, spyware, adware, rootkits, and more. Malware can have various negative impacts, such as stealing sensitive data, encrypting or deleting files, displaying unwanted ads, slowing down performance, or even taking control of the device.
 
-It's important to identify and eliminate malware from a system or network, which you can do by employing various detection techniques, such as signature-based, behavior-based, heuristic-based, or machine learning-based techniques. Malware detection is vital for protecting the security and privacy of users, as well as the integrity and availability of systems and networks.
+It's important to identify and eliminate malware from a system or network. You can do this by employing various detection techniques, such as signature-based, behavior-based, heuristic-based, or machine learning-based techniques. Malware detection is vital for protecting the security and privacy of users, as well as the integrity and availability of systems and networks.
 
-The Azure Firewall IDPS feature automatically detects and denies malware by default and can prevent the cloud workloads from being infected. You can further enhance this capability by employing automated detection and response using prebuilt detection queries and Microsoft Sentinel. In this article, you explore how to detect some common malware found in Azure Firewall logs such as `Coinminer`, `Cl0p` and `Sunburst` using predefined KQL detection queries for Azure Firewall.
+The Azure Firewall IDPS feature automatically detects and denies malware by default and can prevent the cloud workloads from being infected. You can further enhance this capability by employing automated detection and response by using prebuilt detection queries and Microsoft Sentinel. You can detect some common malware found in Azure Firewall logs such as `Coinminer`, `Cl0p`, and `Sunburst` using predefined KQL detection queries for Azure Firewall.
 
-These detections enable security teams to receive Sentinel alerts when machines on the internal network request connections to domain names or IP addresses on the Internet that are linked to known Indicators of Compromise (IOCs), as defined in the detection rule query. True positive detections should be regarded as Indicators of Compromise (IOCs). Then, security incident response teams can initiate a response and implement appropriate custom remediation actions based on these detection signals.
+These detections enable security teams to receive Microsoft Sentinel alerts when machines on the internal network request connections to domain names or IP addresses on the Internet that are linked to known Indicators of Compromise (IOCs), as defined in the detection rule query. True positive detections should be regarded as IOCs. Then, security incident response teams can initiate a response and implement appropriate custom remediation actions based on these detection signals.
 
-
-
-For instructions to deploy the analytic rules using the following queries, see [Detect new threats using Microsoft Sentinel with Azure Web Application Firewall](../web-application-firewall/waf-new-threat-detection.md).
+For instructions to deploy the analytic rules by using the following queries, see [Detect new threats using Microsoft Sentinel with Azure Web Application Firewall](../web-application-firewall/waf-new-threat-detection.md).
 
 ## Common malware exploits
 
 The following malware exploits are common on today's networks.
 
-### `Coinminer`
+### Coinminer
 
-Due to the recent surge in cryptocurrency mining, there's an increasing need for high-performance network processing units. Distributed computing is expanding and the widespread availability of mining software, both in legal and illegal contexts. 
+Due to the recent surge in cryptocurrency mining, there's an increasing need for high-performance network processing units. Distributed computing is expanding and the widespread availability of mining software, both in legal and illegal contexts.
 
-`Coinminer` represents a type of malware that uses the hardware resources of an unwitting victim's computer for cryptocurrency mining. The graphics processing unit (GPU) of the unsuspecting user's PC is used to run various scripts aimed at mining cryptocurrencies and calculating transaction block hashes. 
+`Coinminer` represents a type of malware that uses the hardware resources of an unwitting victim's computer for cryptocurrency mining. The graphics processing unit (GPU) of the unsuspecting user's PC is used to run various scripts aimed at mining cryptocurrencies and calculating transaction block hashes.
 
-To mitigate the risk of these threats, proactive measures should be implemented at the typical entry points. This includes ensuring that Jupyter software is deployed with proper authentication, configuring, and updating web applications to minimize vulnerabilities, controlling external access to Docker, and following extra Zero Trust principles.
+To mitigate the risk of these threats, implement proactive measures at the typical entry points. This approach includes ensuring that Jupyter software is deployed with proper authentication, configuring and updating web applications to minimize vulnerabilities, controlling external access to Docker, and following extra Zero Trust principles.
 
-The following detection query can be used to create an analytics rule in Sentinel to automatically detect and respond to this malware using Azure Firewall logs.
+Use the following detection query to create an analytics rule in Microsoft Sentinel that automatically detects and responds to this malware by using Azure Firewall logs.
 
-```
+```kusto
 // Coinminer Detection Rule
-// Detects suspicious traffic patterns associated with coinmining activity in Azure Firewall logs for Sentinel
-
-let coinminerPorts = dynamic(["2375", "2376", "2377", "4243", "4244"]); // List of known coinminer ports  
-//Assign the known domains to a variable
-let coinminerdomains = dynamic(["teamtnt.red", "kaiserfranz.cc", "45.9.148.123"]); // List of known coinminer domains  
-
-(union isfuzzy=true 
-
-(AzureDiagnostics  
-| where ResourceType == "AZUREFIREWALLS"  
-| where Category == "AzureFirewallApplicationRule" 
-| parse msg_s with Protocol 'request from ' SourceHost ':' SourcePort 'to ' DestinationHost ':' DestinationPort '. Action:' Action 
-| extend action_s = column_ifexists("action_s", ""), transactionId_g = column_ifexists("transactionId_g", "")  
-| where DestinationPort in (coinminerPorts) // Filter traffic on known coinminer ports  
-| summarize CoinminerAttempts = count() by DestinationHost, DestinationPort  
-| where CoinminerAttempts > 10 // Adjust threshold as needed  
-), 
-
-(AZFWIdpsSignature 
-| where DestinationPort in (coinminerPorts) 
-| summarize CoinminerAttempts = count() by DestinationIp, DestinationPort 
-| where CoinminerAttempts > 10 // Adjust threshold as needed   
-
-), 
-
-(AzureDiagnostics  
-| where ResourceType == "AZUREFIREWALLS"  
-| where Category == "AzureFirewallDnsProxy"  
-| parse msg_s with "DNS Request: " ClientIP ":" ClientPort " - " QueryID " " Request_Type " " Request_Class " " Request_Name ". " Request_Protocol " " Request_Size " " EDNSO_DO " " EDNS0_Buffersize " " Response_Code " " Response_Flags " " Response_Size " " Response_Duration  
-| where Request_Name has_any(coinminerdomains)  
-| extend DNSName = Request_Name  
-| extend IPCustomEntity = ClientIP  
-
-),  
-
-(AzureDiagnostics  
-| where ResourceType == "AZUREFIREWALLS"  
-| where Category == "AzureFirewallApplicationRule"  
-| parse msg_s with Protocol ' request from ' SourceHost ':' SourcePort 'to' DestinationHost ':' DestinationPort '. Action:' Action  
-| where isnotempty(DestinationHost)  
-| where DestinationHost has_any(coinminerdomains)  
-| extend DNSName = DestinationHost  
-| extend IPCustomEntity = SourceHost), 
-
-(AZFWApplicationRule 
-| where isnotempty(Fqdn) 
-| where Fqdn has_any (coinminerdomains)   
-| extend DNSName = Fqdn  
-| extend IPCustomEntity = SourceIp), 
-
-(AZFWDnsQuery 
-| where isnotempty(QueryName) 
-| where QueryName has_any (coinminerdomains) 
-| extend DNSName = QueryName 
-| extend IPCustomEntity = SourceIp 
-
-), 
-
-(AZFWIdpsSignature 
-| where DestinationIp has_any (coinminerdomains) 
-| extend DNSName = DestinationIp 
-| extend IPCustomEntity = SourceIp 
-
-), 
-
-(AZFWIdpsSignature 
-| where Description contains "coinminer" 
-| extend DNSName = DestinationIp 
-| extend IPCustomEntity = SourceIp 
-) 
-
-)
+// Detects suspicious traffic patterns associated with coinmining activity in Azure Firewall logs
+
+// Known coinminer ports and domains
+let coinminerPorts = dynamic(["2375", "2376", "2377", "4243", "4244"]);
+let coinminerdomains = dynamic(["teamtnt.red", "kaiserfranz.cc", "45.9.148.123"]);
+
+union isfuzzy=true
+    // 1. Legacy diagnostics logs - port-based detection (Application rules)
+    (AzureDiagnostics
+    | where ResourceType == "AZUREFIREWALLS"
+    | where Category == "AzureFirewallApplicationRule"
+    | parse msg_s with Protocol 'request from ' SourceHost ':' SourcePort 'to ' DestinationHost ':' DestinationPort '. Action:' Action
+    | extend action_s = column_ifexists("action_s", ""), transactionId_g = column_ifexists("transactionId_g", "")
+    | where DestinationPort in (coinminerPorts)
+    | summarize CoinminerAttempts = count() by DestinationHost, DestinationPort
+    | where CoinminerAttempts > 10 // Adjust threshold as needed
+    ),
+    // 2. Structured logs - port-based detection (IDPS signatures)
+    (AZFWIdpsSignature
+    | where DestinationPort in (coinminerPorts)
+    | summarize CoinminerAttempts = count() by DestinationIp, DestinationPort
+    | where CoinminerAttempts > 10 // Adjust threshold as needed
+    ),
+    // 3. Legacy diagnostics logs - domain-based detection (DNS proxy)
+    (AzureDiagnostics
+    | where ResourceType == "AZUREFIREWALLS"
+    | where Category == "AzureFirewallDnsProxy"
+    | parse msg_s with "DNS Request: " ClientIP ":" ClientPort " - " QueryID " " Request_Type " " Request_Class " " Request_Name ". " Request_Protocol " " Request_Size " " EDNSO_DO " " EDNS0_Buffersize " " Response_Code " " Response_Flags " " Response_Size " " Response_Duration
+    | where Request_Name has_any(coinminerdomains)
+    | extend DNSName = Request_Name, IPCustomEntity = ClientIP
+    ),
+    // 4. Legacy diagnostics logs - domain-based detection (Application rules)
+    (AzureDiagnostics
+    | where ResourceType == "AZUREFIREWALLS"
+    | where Category == "AzureFirewallApplicationRule"
+    | parse msg_s with Protocol ' request from ' SourceHost ':' SourcePort 'to' DestinationHost ':' DestinationPort '. Action:' Action
+    | where isnotempty(DestinationHost)
+    | where DestinationHost has_any(coinminerdomains)
+    | extend DNSName = DestinationHost, IPCustomEntity = SourceHost
+    ),
+    // 5. Structured logs - domain-based detection (Application rules)
+    (AZFWApplicationRule
+    | where isnotempty(Fqdn)
+    | where Fqdn has_any(coinminerdomains)
+    | extend DNSName = Fqdn, IPCustomEntity = SourceIp
+    ),
+    // 6. Structured logs - domain-based detection (DNS queries)
+    (AZFWDnsQuery
+    | where isnotempty(QueryName)
+    | where QueryName has_any(coinminerdomains)
+    | extend DNSName = QueryName, IPCustomEntity = SourceIp
+    ),
+    // 7. Structured logs - domain-based detection (IDPS signatures)
+    (AZFWIdpsSignature
+    | where DestinationIp has_any(coinminerdomains)
+    | extend DNSName = DestinationIp, IPCustomEntity = SourceIp
+    ),
+    // 8. Structured logs - signature description-based detection (IDPS)
+    (AZFWIdpsSignature
+    | where Description contains "coinminer"
+    | extend DNSName = DestinationIp, IPCustomEntity = SourceIp
+    )
 ```
 
-### `Cl0p`
+### Cl0p
 
-`Cl0p` is a ransomware that operates by applying distinctive encryption keys to the victim's files and then requesting a ransom for the files' decryption. It uses a vulnerability in the data transfer software MOVEit and sends spear phishing emails to numerous employees in the hope to deliver `cl0p`. Then it uses tools like `truebot` and `dewmode` to move laterally within the network and exfiltrate data. The ransomware encrypts files using the AES-256 encryption algorithm.
+`Cl0p` is ransomware that operates by applying distinctive encryption keys to the victim's files and then requesting a ransom for the files' decryption. It uses a vulnerability in the data transfer software MOVEit and sends spear phishing emails to numerous employees in the hope of delivering `cl0p`. Then it uses tools like `truebot` and `dewmode` to move laterally within the network and exfiltrate data. The ransomware encrypts files by using the AES-256 encryption algorithm.
 
- `Cl0p` vulnerabilities include CVE-2023-35036, CVE-2023-34362 and CVE-2023-35708. In June 2023, the FBI and CISA published a press release about this exploitation. The effects of `cl0p` ransomware are registered across several universities in the US Midwest and government organizations. Airlines, TV networks, and UK based retail stores are the latest victims of the `cl0p` ransomware gang.
+ `Cl0p` vulnerabilities include CVE-2023-35036, CVE-2023-34362, and CVE-2023-35708. In June 2023, the FBI and CISA published a press release about this exploitation. The effects of `cl0p` ransomware are registered across several universities in the US Midwest and government organizations. Airlines, TV networks, and UK-based retail stores are the latest victims of the `cl0p` ransomware gang.
 
-The following detection query can be used to create an analytics rule in Sentinel to automatically detect and respond to this malware using Azure Firewall logs.
+Use the following detection query to create an analytics rule in Microsoft Sentinel that automatically detects and responds to this malware by using Azure Firewall logs.
 
 Detection Query for `Cl0p`: [Firewall Malware Detections for Sentinel/Detection - Analytic rule query for Cl0p.json](https://github.com/Azure/Azure-Network-Security/blob/master/Azure%20Firewall/Playbook%20-%20Firewall%20Malware%20Detections%20for%20Sentinel/Detection%20-%20Analytic%20rule%20query%20for%20Cl0p.json)
 
-## `Sunburst`
+## Sunburst malware
 
-This malware targets victims by using domain generation algorithm (DGA) strings to evade detection and establish a command-and-control backdoor attack. The DGA strings are often difficult for security tools to identify the domains used by the malware due to the pattern used in the syntax and their constant changing of the domain information.
+This malware uses a domain generation algorithm (DGA) to evade detection and establish a command-and-control backdoor attack. The pattern used in the syntax and constant changing of the domain information make it difficult for security tools to identify the domains used by the malware.
 
-The following detection query can be used to create an analytics rule in Sentinel to automatically detect and respond to this malware using Azure Firewall logs.
+Use the following detection query to create an analytics rule in Microsoft Sentinel that automatically detects and responds to this malware by using Azure Firewall logs.
 
-Detection Query for `Sunburst` Malware: [Firewall Malware Detections for Sentinel/Detection - Analytic rule query for Sunburst.json](https://github.com/Azure/Azure-Network-Security/blob/master/Azure%20Firewall/Playbook%20-%20Firewall%20Malware%20Detections%20for%20Sentinel/Detection%20-%20Analytic%20rule%20query%20for%20Sunburst.json)
+Detection query for `Sunburst` malware: [Firewall Malware Detections for Sentinel/Detection - Analytic rule query for Sunburst.json](https://github.com/Azure/Azure-Network-Security/blob/master/Azure%20Firewall/Playbook%20-%20Firewall%20Malware%20Detections%20for%20Sentinel/Detection%20-%20Analytic%20rule%20query%20for%20Sunburst.json)
 
 ## Related content
 
