Microsoft Previews Azure Firewall Threat Tracking in Azure Sentinel

Microsoft this week announced a preview of Azure Firewall integration in its Azure Sentinel security information and event management (SIEM) solution.

The integration lets Azure Sentinel users see the activities of Azure Firewall, which can help with threat detections. A dashboard view of firewall activities gets enabled in Azure Sentinel via an Azure Firewall workbook component, which tracks activities "across URLs, ports, and addresses," the announcement explained.

The Azure Firewall integration also permits Azure Sentinel users to conduct investigations using "AI-assisted investigation capabilities." The firewall tracks potential issues based on the MITRE ATT&CK framework, a catalog of typical attack methods. Microsoft also includes various detection rules to aid these investigations, namely:

  • A port scan rule to track "malicious" port scan attempts
  • A port sweep rule to track attempts to find "specific vulnerable ports"
  • An "abnormal deny rate" rule to track potential access attempts, command and control center install attempts, and data exfiltration attempts
  • An "abnormal port to protocol" rule to track when attackers try to use ports to send data via untypical protocol headers
  • A multiple sources rule that tracks data exfiltration attempts across multiple machines

Microsoft also enables specific "hunting queries" with the Azure Firewall and Azure Sentinel integration. These built-in queries are used to check for indicators of compromise at the firewall level. They can track things such as irregular or first-time attempts to access specific ports, broad network access attempts, plus attempts to send data via uncommonly used ports.
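As an added illustration (not Microsoft's rule logic and not code from the announcement), the following Python reproduces the core of the port scan and port sweep rules described above, run over constructed Azure Firewall network-rule log lines. It assumes the message format matches the "TCP request from A:p to B:q. Action: Deny" text those logs carry; the hour bucket and the thresholds are illustrative choices.

```python
import re
from collections import defaultdict

# Constructed sample events in the shape of Azure Firewall network-rule log
# messages (the AzureDiagnostics msg_s text); assumed format, not real data.
SAMPLE_LOGS = (
    # one source probing eight ports on one host within an hour: port scan
    [(f"2020-08-10T10:00:{i:02d}Z",
      f"TCP request from 10.0.1.5:5000{i} to 10.0.2.9:{p}. Action: Deny")
     for i, p in enumerate([21, 22, 23, 25, 80, 443, 445, 3389])]
    # one source trying the same port on six hosts: port sweep
    + [(f"2020-08-10T10:05:{i:02d}Z",
        f"TCP request from 10.0.1.7:41000 to 10.0.3.{h}:3389. Action: Deny")
       for i, h in enumerate([10, 11, 12, 13, 14, 15])]
    # benign allowed traffic that must not trigger either rule
    + [("2020-08-10T10:07:00Z",
        "TCP request from 10.0.1.20:51234 to 10.0.2.9:443. Action: Allow"),
       ("2020-08-10T10:07:05Z",
        "UDP request from 10.0.1.20:51235 to 10.0.0.4:53. Action: Allow")]
)

LOG_RE = re.compile(
    r"^(?P<proto>TCP|UDP) request from (?P<src>[\d.]+):(?P<sport>\d+) "
    r"to (?P<dst>[\d.]+):(?P<dport>\d+)\. Action: (?P<action>Allow|Deny)$"
)

def parse(msg):
    """Split one firewall message into its fields; None if it does not match."""
    m = LOG_RE.match(msg)
    if m is None:
        return None
    rec = m.groupdict()
    rec["dport"] = int(rec["dport"])
    return rec

def detect(logs, scan_threshold=5, sweep_threshold=5):
    """Per hour bucket: port scan = one source, one destination, many ports;
    port sweep = one source, one port, many destinations. Returns counts."""
    ports_seen = defaultdict(set)  # (hour, src, dst)   -> {dport, ...}
    hosts_seen = defaultdict(set)  # (hour, src, dport) -> {dst, ...}
    for ts, msg in logs:
        rec = parse(msg)
        if rec is None or rec["action"] != "Deny":
            continue  # only denied requests are counted as probes here
        hour = ts[:13]  # "YYYY-MM-DDTHH" bucket from the ISO timestamp
        ports_seen[(hour, rec["src"], rec["dst"])].add(rec["dport"])
        hosts_seen[(hour, rec["src"], rec["dport"])].add(rec["dst"])
    scans = {k: len(v) for k, v in ports_seen.items() if len(v) >= scan_threshold}
    sweeps = {k: len(v) for k, v in hosts_seen.items() if len(v) >= sweep_threshold}
    return {"port_scan": scans, "port_sweep": sweeps}
```

Running `detect(SAMPLE_LOGS)` flags the scanner (8 distinct ports against 10.0.2.9) and the sweeper (6 hosts on port 3389) while the allowed traffic stays silent; in Sentinel the equivalent aggregation is expressed as a KQL query over the firewall's log table.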

Organizations can automate responses to such threats at the firewall level by using Azure Sentinel Playbooks, which offer a graphical user interface for specifying actions to take under certain conditions. The playbook also functions to send notifications to security teams when incidents get detected, the announcement explained.

About the Author

Kurt Mackie is senior news producer for 1105 Media's Converge360 group.