Jump to content

Azure Firewall and WAF integrations in Microsoft Copilot for Security

Guest ShabazShaik

By Guest ShabazShaik
in Microsoft Support & Discussions

 Share

Recommended Posts

Guest ShabazShaik

Guest ShabazShaik

Posted
Posted

Azure Firewall and WAF are critical security services that many Microsoft Azure customers use to protect their network and applications from threats and attacks. Azure Firewall is a fully managed, cloud-native network security service that safeguards your Azure resources. It ensures high availability and scalability while filtering both inbound and outbound traffic, catching threats and only allowing legitimate traffic. Azure WAF is a cloud-native service that protects your web applications from common web-hacking techniques such as SQL injection and cross-site scripting. It offers centralized protection for web applications hosted behind Azure Application Gateway and Azure Front Door.

 

 

 

The Azure Firewall integration in Copilot for Security enables analysts to perform detailed investigations of malicious traffic intercepted by the IDPS [intrusion Detection and Prevention System] feature of their firewalls across their entire fleet. Analysts can use natural language queries in the Copilot for Security standalone experience for threat investigation. With the Azure WAF integration, security and IT teams can operate more efficiently, focusing on high-value tasks. Copilot summarizes data and generates in-depth contextual insights into the WAF threat landscape. Both integrations simplify complex tasks, allowing analysts to ask questions in natural language instead of writing complex KQL queries.

 

 

 

In this blog, we will focus on setting up and leveraging the integration of Network Security services with Copilot for Security for hunting and troubleshooting malicious traffic.

 

 

Network Security Capabilities Available today in Copilot:

 

Azure Firewall:

 

  • Retrieve the top IDPS signature hits for an Azure Firewall
  • Get additional details to enrich the threat profile of an IDPS signature beyond log information
  • Look for a given IDPS signature across your tenant, subscription or resource group
  • Generate recommendations to secure your environment using Azure Firewall’s IDPS feature

 

 

 

Azure WAF:

 

  • Retrieve contextual details about WAF detections and the top rules triggered
  • Retrieve the top malicious IPs in the environment along with related WAF rules and patterns triggering the attack
  • Get information on SQL Injection attacks blocked by Azure WAF
  • Get information on XSS attacks blocked by Azure WAF

 

 

 

Prerequisites for enabling the integration:

 

In case you haven’t used Copilot for Security for other products, you need to onboard to Copilot for Security by following the process below:

 

  • Provision Capacity
    • This can be done through either signing in to Copilot for Security (https://securitycopilot.microsoft.com) or through the Azure Portal, as shown below:
    • More details about the detailed setup process for Copilot for Security can be found here.
    • The details around pricing for Copilot for Security can be found here.

 

[ATTACH type=full" alt="ShabazShaik_0-1723479437667.png]62717[/ATTACH]

 

 

 

[ATTACH type=full" alt="ShabazShaik_1-1723479437676.png]62718[/ATTACH]

 

 

 

 

 

 

 

  • Setup the default environment using the instructions mentioned here.

 

 

 

[ATTACH type=full" alt="ShabazShaik_2-1723479437690.png]62719[/ATTACH]

 

 

 

 

 

  • Enable Plugins:
    • For Firewall, only the plugin needs to be enabled as shown in the image below.

 

[ATTACH type=full" alt="ShabazShaik_3-1723479437691.png]62720[/ATTACH]

 

 

 

[ATTACH type=full" alt="ShabazShaik_4-1723479437698.png]62721[/ATTACH]

 

 

 

 

 

  • For WAF, along with enabling the plugin, we also need to ensure the WAF Log Analytics workspace name, Log Analytics resource group name and Log Analytics subscription ID are configured.

 

[ATTACH type=full" alt="ShabazShaik_5-1723479437707.png]62722[/ATTACH]

 

 

 

 

 

 

 

Once the Security Compute Units (SCUs) are provisioned as specified, the Azure WAF and Firewall logs are present in the Azure Log Analytics workspace, and the respective plugins are enabled, the capabilities will be ready for use.

 

 

Investigation of Threats in Azure Firewall using Copilot for Security:

 

 

 

  • Retrieving IDPS hits in Azure Firewall using Natural Language prompts:

 

[ATTACH type=full" alt="ShabazShaik_6-1723479437712.jpeg]62723[/ATTACH]

 

 

 

[ATTACH type=full" alt="ShabazShaik_7-1723479437717.jpeg]62724[/ATTACH]

 

 

 

  • Get additional details to enrich the threat profile of an IDPS signature beyond log information

 

[ATTACH type=full" alt="ShabazShaik_8-1723479437724.jpeg]62725[/ATTACH]

 

 

 

  • Look for a given IDPS signature across your tenant, subscription or resource group

 

[ATTACH type=full" alt="ShabazShaik_9-1723479437727.jpeg]62726[/ATTACH]

 

 

 

Investigation of Threats in Azure WAF using Copilot for Security:

 

 

  • Retrieve contextual details, top IP offenders and WAF rule matches using Natural Language prompts
  • Here, Regional WAF refers to App Gateway WAF and Global WAF refers to Front Door WAF.

 

[ATTACH type=full" alt="ShabazShaik_10-1723479437734.png]62727[/ATTACH]

 

 

 

[ATTACH type=full" alt="ShabazShaik_11-1723479437739.png]62728[/ATTACH]

 

 

 

  • Get information on SQL Injection attacks blocked by Azure WAF

 

[ATTACH type=full" alt="ShabazShaik_12-1723479437746.png]62729[/ATTACH]

 

 

 

  • Get information on XSS attacks blocked by Azure WAF

 

[ATTACH type=full" alt="ShabazShaik_13-1723479437752.png]62730[/ATTACH]

 

 

 

Recommendations for Network Security:

 

  • Copilot for Security also provides recommendations on using Azure Firewall's capabilities to secure your environment as shown below:

 

[ATTACH type=full" alt="ShabazShaik_14-1723479437774.png]62731[/ATTACH]

 

 

 

 

 

For more details on all the available prompts that can be used with this integration, refer to the respective documentation here for Firewall and WAF.

 

 

Integrating Microsoft Azure’s robust network security services with Copilot for Security offers a powerful solution for enhancing your security posture. By leveraging Azure Firewall and Azure Web Application Firewall (WAF) within Copilot, security analysts can efficiently investigate and mitigate threats using natural language queries. This integration not only simplifies complex security tasks but also provides comprehensive protection for your applications and data, allowing your security and IT teams to focus on high-value activities.

 

Continue reading...

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

×
 Share
Go to topic listing
×
×
  • Create New...