Azure Firewall and WAF integrations in Microsoft Copilot for Security
Azure Firewall and WAF are critical security services that many Microsoft Azure customers use to protect their network and applications from threats and attacks. Azure Firewall is a fully managed, cloud-native network security service that safeguards your Azure resources. It ensures high availability and scalability while filtering both inbound and outbound traffic, catching threats and only allowing legitimate traffic. Azure WAF is a cloud-native service that protects your web applications from common web-hacking techniques such as SQL injection and cross-site scripting. It offers centralized protection for web applications hosted behind Azure Application Gateway and Azure Front Door.
The Azure Firewall integration in Copilot for Security enables analysts to perform detailed investigations of malicious traffic intercepted by the IDPS [Intrusion Detection and Prevention System] feature of their firewalls across their entire fleet. Analysts can use natural language queries in the Copilot for Security standalone experience for threat investigation. With the Azure WAF integration, security and IT teams can operate more efficiently, focusing on high-value tasks. Copilot summarizes data and generates in-depth contextual insights into the WAF threat landscape. Both integrations simplify complex tasks, allowing analysts to ask questions in natural language instead of writing complex KQL queries.
In this blog, we will focus on setting up and leveraging the integration of Network Security services with Copilot for Security for hunting and troubleshooting malicious traffic.
Network Security Capabilities Available today in Copilot:
Azure Firewall:
- Retrieve the top IDPS signature hits for an Azure Firewall
- Get additional details to enrich the threat profile of an IDPS signature beyond log information
- Look for a given IDPS signature across your tenant, subscription or resource group
- Generate recommendations to secure your environment using Azure Firewall’s IDPS feature
Azure WAF:
- Retrieve contextual details about WAF detections and the top rules triggered
- Retrieve the top malicious IPs in the environment along with related WAF rules and patterns triggering the attack
- Get information on SQL Injection attacks blocked by Azure WAF
- Get information on XSS attacks blocked by Azure WAF
Prerequisites for enabling the integration:
In case you haven’t used Copilot for Security for other products, you need to onboard to Copilot for Security by following the process below:
- Provision Capacity
- This can be done through either signing in to Copilot for Security (https://securitycopilot.microsoft.com) or through the Azure Portal, as shown below:
- More details about the detailed setup process for Copilot for Security can be found here.
- The details around pricing for Copilot for Security can be found here.
- Setup the default environment using the instructions mentioned here.
- Enable Plugins:
- For Firewall, only the plugin needs to be enabled as shown in the image below.
- For WAF, along with enabling the plugin, we also need to ensure the WAF Log Analytics workspace name, Log Analytics resource group name and Log Analytics subscription ID are configured.
Once the Security Compute Units (SCUs) are provisioned as specified, the Azure WAF and Firewall logs are present in the Azure Log Analytics workspace, and the respective plugins are enabled, the capabilities will be ready for use.
Investigation of Threats in Azure Firewall using Copilot for Security:
- Retrieving IDPS hits in Azure Firewall using Natural Language prompts:
- Get additional details to enrich the threat profile of an IDPS signature beyond log information
- Look for a given IDPS signature across your tenant, subscription or resource group
Investigation of Threats in Azure WAF using Copilot for Security:
- Retrieve contextual details, top IP offenders and WAF rule matches using Natural Language prompts
- Here, Regional WAF refers to App Gateway WAF and Global WAF refers to Front Door WAF.
- Get information on SQL Injection attacks blocked by Azure WAF
- Get information on XSS attacks blocked by Azure WAF
Recommendations for Network Security:
- Copilot for Security also provides recommendations on using Azure Firewall's capabilities to secure your environment as shown below:
For more details on all the available prompts that can be used with this integration, refer to the respective documentation here for Firewall and WAF.
Integrating Microsoft Azure’s robust network security services with Copilot for Security offers a powerful solution for enhancing your security posture. By leveraging Azure Firewall and Azure Web Application Firewall (WAF) within Copilot, security analysts can efficiently investigate and mitigate threats using natural language queries. This integration not only simplifies complex security tasks but also provides comprehensive protection for your applications and data, allowing your security and IT teams to focus on high-value activities.
Published on:
Learn moreRelated posts
Unified Routing – Diagnostics in Azure
You may (or may not) be aware that the diagnostics option in Unified Routing has been deprecated. It is being replaced by diagnostics in Azure...
Service health and Message center: Azure Information Protection consolidation
This post is about the consolidation of Azure Information Protection communications under Microsoft Purview in Service Health and Message Cent...
Microsoft Teams apps and Microsoft Copilot extensions: New security and certification information
Admins responsible for deploying Microsoft Teams apps and Microsoft Copilot for Microsoft 365 extensions will soon have access to new security...
Switch to Azure Business Continuity Center for your at scale BCDR management needs
In response to the evolving customer requirements and environments since COVID-19, including the shift towards hybrid work models and the incr...
Optimizing Azure Table Storage: Automated Data Cleanup using a PowerShell script with Azure Automate
Scenario This blog’s aim is to manage Table Storage data efficiently. Imagine you have a large Azure Table Storage that accumulates logs from ...
Microsoft Fabric: Resolving Capacity Admin Permission Issues in Automate Capacity Scaling with Azure LogicApps
A while back, I published a blogpost explaining how to use Azure LogicApps to automate scaling Microsoft Fabric F capacities under the PAYG (P...
The Azure Storage product group is heading to the SNIA Developer Conference 2024
The Azure Storage product group is heading to the SNIA Developer Conference (SDC) 2024 in Santa Clara, California, USA from September 16th thr...
ISSUE RESOLVED: Azure Lab Services - lab plan outage - September 12, 2024
Hello, Azure Lab Services is currently experiencing an outage affecting customers using Lab Plans for their service. Customers using Lab Accou...