
Azure Firewall Quality improvements #13820

Status: Merged
v-atulyadav merged 7 commits into master from users/rahul/solution-quality-1 on May 6, 2026

Conversation

@rahul0216
Collaborator

Change(s):

  • Updated multiple Azure Firewall analytic rules and hunting queries. Changes include: adding entityMappings for IP/URL entities, adding customDetails and alertDetailsOverride to improve alert display and include contextual fields, refining queries to restrict time ranges to avoid full-table scans and renaming time variables for clarity, adding relevant MITRE technique IDs, switching some project-away to explicit project to preserve key fields, expanding descriptions (and adding description_detailed), and bumping rule versions. These updates improve alert context, reduce query cost, and help reduce false positives (e.g. configurable allowed common ports).

Reason for Change(s):

  • Improve the quality of the rules.

Version Updated:

  • Yes

Testing Completed:

  • Yes

Checked that the validations are passing and have addressed any issues that are present:

  • Yes

@rahul0216 rahul0216 requested review from a team as code owners March 13, 2026 05:08
@rahul0216 rahul0216 changed the title from "Azure Firewall Quality improements" to "Azure Firewall Quality improvements" Mar 13, 2026
@contentautomationbot

Hello how are you I am GitHub bot
😀😀
I see that you changed templates under the detections/analytic rules folder. Did you remember to update the version of the templates you changed?
If not, and if you want customers to be aware that a new version of this template is available, please update the version property of the template you changed.

@v-shukore v-shukore self-assigned this Mar 13, 2026
@v-shukore v-shukore added the Solution Solution specialty review needed label Mar 13, 2026
Update alert wording and bump rule versions for several Azure Firewall analytic rules. Adjusted the Abnormal Deny Rate for Source IP alert description to remove the explicit '{{Threshold}}' variable reference for clarity. Also incremented versions: Multiple Sources Affected by the Same TI Destination (1.1.4 → 1.1.5), Port Sweep (1.2.2 → 1.2.3), and SeveralDenyActionsRegistered (1.1.1 → 1.1.2).
Add Reconnaissance tactic and T1595.001 technique to Azure Firewall Port Scan and Port Sweep analytic rules. For Port Scan, add a KnownScannerIPs exclusion to reduce noise, include alertDetailsOverride (custom alert display name and description), and bump the rule version to 1.1.3. These changes provide better detection context and help reduce false positives.
@rahul0216 rahul0216 requested a review from Copilot March 17, 2026 02:24
Contributor

Copilot AI left a comment


Pull request overview

Improves Azure Firewall hunting queries and analytic rules by enriching entity mapping and alert context, adding MITRE technique coverage, and reducing query cost via tighter time filtering and clearer query structure.

Changes:

  • Added entityMappings, customDetails, and alertDetailsOverride across multiple detections to improve investigation context.
  • Updated MITRE technique IDs/tactics and refined queries (time windows, projections) to reduce scan cost and noise.
  • Bumped rule/query versions and expanded some descriptions.

Reviewed changes

Copilot reviewed 11 out of 11 changed files in this pull request and generated 5 comments.

Summary per file:

  • Solutions/Azure Firewall/Hunting Queries/Azure Firewall - Uncommon Port to IP.yaml: Expanded descriptions, added entity mappings and techniques, added version.
  • Solutions/Azure Firewall/Hunting Queries/Azure Firewall - Uncommon Port for Organization.yaml: Added techniques, entity mappings, version, and a guidance comment for allowed ports.
  • Solutions/Azure Firewall/Hunting Queries/Azure Firewall - Source IP Abnormally Connects to Multiple Destinations.yaml: Updated tactics/techniques, switched to explicit projection, added entity mappings and version.
  • Solutions/Azure Firewall/Hunting Queries/Azure Firewall - First time source IP to Destination.yaml: Added techniques, entity mappings, and version.
  • Solutions/Azure Firewall/Hunting Queries/Azure Firewall - First Time Source IP to Destination Using Port.yaml: Added techniques, entity mappings, and version.
  • Solutions/Azure Firewall/Analytic Rules/SeveralDenyActionsRegistered.yaml: Added custom details and alert overrides; bumped version.
  • Solutions/Azure Firewall/Analytic Rules/Azure Firewall - Port Sweep.yaml: Added tactic/technique, custom details and alert overrides; bumped version.
  • Solutions/Azure Firewall/Analytic Rules/Azure Firewall - Port Scan.yaml: Added allowlist support, tactic/technique, alert overrides; bumped version.
  • Solutions/Azure Firewall/Analytic Rules/Azure Firewall - Multiple Sources Affected by the Same TI Destination.yaml: Simplified time window variables and added custom details; bumped version.
  • Solutions/Azure Firewall/Analytic Rules/Azure Firewall - Abnormal Port to Protocol.yaml: Added tactic/technique, reordered filters, and added custom details/alert overrides; bumped version.
  • Solutions/Azure Firewall/Analytic Rules/Azure Firewall - Abnormal Deny Rate for Source IP.yaml: Tightened union time filtering, updated techniques, changed projection, added custom details and alert overrides; bumped version.

Comment thread on Solutions/Azure Firewall/Analytic Rules/Azure Firewall - Port Scan.yaml (outdated)
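The PR description, the commit messages and the Copilot summary above all describe the same set of template changes (entityMappings, customDetails, alertDetailsOverride, a bounded lookback, explicit project, a KnownScannerIPs allowlist, Reconnaissance/T1595.001). The following is an added example of a Scheduled analytic rule template that puts those pieces together in one place; it is not one of the PR's files and not the solution's own rule. It assumes the resource-specific AZFWNetworkRule table is being ingested, and the placeholder GUID, the allowlisted address 10.0.0.5 and the threshold of 50 ports are illustrative values to replace.

```yaml
# Added example, not part of PR #13820. Placeholder id, allowlist entry and
# threshold are assumptions; the AZFWNetworkRule table is assumed to be ingested.
id: 00000000-0000-0000-0000-000000000000
name: Azure Firewall - Port Scan (example)
description: |
  'Identifies a source IP that Azure Firewall denied on an unusually large number
  of distinct destination ports on a single destination inside the lookback window.
  Authorized scanners listed in KnownScannerIPs are excluded to reduce noise.'
severity: Medium
status: Available
requiredDataConnectors:
  - connectorId: AzureFirewall
    dataTypes:
      - AZFWNetworkRule
queryFrequency: 1h
queryPeriod: 1h
triggerOperator: gt
triggerThreshold: 0
tactics:
  - Reconnaissance
  - Discovery
relevantTechniques:
  - T1595.001
  - T1046
query: |
  // Bound the scan up front; a rule without a TimeGenerated filter reads the
  // whole queryPeriod (or more) on every run.
  let lookback = 1h;
  // Allowlist of authorized scanners (hypothetical value). Same shape works for
  // an allowed-ports list: let AllowedPorts = dynamic([80, 443]); ... !in (AllowedPorts)
  let KnownScannerIPs = dynamic(["10.0.0.5"]);
  let PortThreshold = 50;
  AZFWNetworkRule
  | where TimeGenerated > ago(lookback)
  | where Action == "Deny"
  | where SourceIp !in (KnownScannerIPs)
  | summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated),
              DistinctPorts = dcount(DestinationPort),
              PortsSample = make_set(DestinationPort, 100),
              DenyCount = count()
      by SourceIp, DestinationIp
  | where DistinctPorts > PortThreshold
  // Explicit project (rather than project-away) guarantees every column that
  // entityMappings, customDetails and alertDetailsOverride reference exists.
  | project StartTime, EndTime, SourceIp, DestinationIp, DistinctPorts, DenyCount, PortsSample
entityMappings:
  - entityType: IP
    fieldMappings:
      - identifier: Address
        columnName: SourceIp
  - entityType: IP
    fieldMappings:
      - identifier: Address
        columnName: DestinationIp
customDetails:
  DistinctPorts: DistinctPorts
  DenyCount: DenyCount
  PortsSample: PortsSample
alertDetailsOverride:
  alertDisplayNameFormat: 'Port scan from {{SourceIp}} against {{DestinationIp}}'
  alertDescriptionFormat: '{{SourceIp}} was denied on {{DistinctPorts}} distinct destination ports at {{DestinationIp}} within the last hour.'
version: 1.0.0
kind: Scheduled
```

Two checks worth making before a template like this is merged: every `{{Column}}` placeholder in alertDetailsOverride and every columnName in entityMappings and customDetails must name a column the query actually projects, otherwise the substitution is empty (this is the reason a placeholder such as `{{Threshold}}`, which is a query variable rather than an output column, should not appear in the description); and when a rule unions several legs, each leg needs its own `where TimeGenerated > ago(lookback)` before the union, since a single filter after the union does not stop the individual tables from being scanned in full.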
@v-atulyadav v-atulyadav merged commit bbf6ff0 into master May 6, 2026
36 checks passed