Azure Firewall Threat Intelligence
Azure Firewall provides threat intelligence-based filtering to identify and block known malicious IP addresses and domains. This feature helps protect your network resources from a wide range of cyber threats.
How Threat Intelligence Works
Azure Firewall Threat Intelligence integrates with Microsoft's threat intelligence feeds. These feeds are constantly updated with information about emerging threats, including:
- Malicious IP addresses associated with command-and-control servers.
- Malicious domains used for phishing or malware distribution.
- Known botnet infrastructure.
When enabled, Azure Firewall inspects outbound traffic against these threat intelligence lists. If a connection attempt matches an entry in the threat intelligence feed, the traffic is blocked, and an alert can be generated.
Enabling Threat Intelligence-Based Filtering
You can configure threat intelligence-based filtering directly within your Azure Firewall policies. Here's how:
- Navigate to your Azure Firewall resource in the Azure portal.
- In the left-hand menu, select Policies.
- Under Threat Intelligence, choose your preferred mode:
  - Off: Threat intelligence is disabled.
  - Alert: Logs all threat intelligence matches but does not block them.
  - Deny: Blocks all threat intelligence matches and logs them.
  - Deny and Alert: Blocks all threat intelligence matches and logs them.
- Optionally, you can enable HIPS (Host Intrusion Prevention System) for more granular protection, which includes signatures to detect known exploits.
- Select the desired Threat Intelligence Feed (e.g., Microsoft Threat Intelligence).
- Click Save to apply the changes.
Important Considerations:
Enabling threat intelligence-based filtering can increase the load on your firewall and may impact performance for high-throughput environments. Always test changes in a non-production environment first.
Configuring Custom Threat Intelligence Feeds
In addition to Microsoft's feeds, you can also integrate your own custom threat intelligence lists. This allows you to block specific indicators of compromise (IOCs) relevant to your organization.
To add custom IP addresses or FQDNs (Fully Qualified Domain Names) to block:
- Navigate to your Azure Firewall Policies.
- Go to the Threat Intelligence section.
- Click on Add custom IP/FQDNs.
- Enter the IP addresses or FQDNs you wish to block, one per line.
- Select the appropriate Threat Intelligence Mode for these custom entries.
- Click Add and then Save.
Example: Azure CLI to enable Threat Intelligence
# Set the policy's threat-intelligence mode to Deny and exempt one internal
# address and one FQDN from threat-intelligence filtering (the allowlist).
# Flag names follow the az CLI reference for `az network firewall policy update`
# (--threat-intel-mode accepts Alert, Deny or Off; --ip-addresses and --fqdns
# take space-separated allowlist entries).
az network firewall policy update \
  --resource-group MyResourceGroup \
  --name MyFirewallPolicy \
  --threat-intel-mode Deny \
  --ip-addresses 10.0.0.5 \
  --fqdns internal.contoso.com
Monitoring Threat Intelligence Events
Azure Firewall logs threat intelligence matches in Azure Monitor. You can create diagnostic settings to send these logs to Log Analytics, Storage Accounts, or Event Hubs. This allows you to:
- Monitor blocked connections.
- Analyze security events.
- Investigate potential threats.
- Integrate with SIEM (Security Information and Event Management) solutions.
Queries in Log Analytics can help you identify blocked traffic related to threat intelligence. For example:
Log Analytics Query Example
// Legacy (AzureDiagnostics) firewall schema: threat-intelligence hits are logged
// under the AzureFirewallNetworkRule category with their own OperationName, and
// the match details (source, destination, action, threat description) are in the
// free-text msg_s column. Column and operation names are taken from that schema.
AzureDiagnostics
| where ResourceProvider == "MICROSOFT.NETWORK" and Category == "AzureFirewallNetworkRule"
| where OperationName == "AzureFirewallThreatIntelLog"
| project TimeGenerated, Resource, OperationName, msg_s
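Offline triage of exported diagnostic records, as an added example that is not part of this page or of Microsoft's tooling: it filters threat-intelligence operations out of a line-delimited JSON export, parses the match message, and groups hits by action and destination so that Alert-mode matches can be sized up before switching the policy to Deny. The record shape and the wording of the msg field are assumptions constructed for this example, not verbatim Azure Firewall output.

```python
import json
import re
from collections import Counter

# Constructed sample export: one diagnostic record per line. The msg wording is
# an assumption for this example, not a verbatim Azure Firewall log line.
SAMPLE_RECORDS = """\
{"time":"2024-05-01T10:00:00Z","category":"AzureFirewallNetworkRule","operationName":"AzureFirewallThreatIntelLog","properties":{"msg":"ThreatIntel: TCP request from 10.0.1.4:51234 to 203.0.113.10:443. Action: Alert. ThreatDescription: Botnet C2"}}
{"time":"2024-05-01T10:01:00Z","category":"AzureFirewallNetworkRule","operationName":"AzureFirewallNetworkRuleLog","properties":{"msg":"TCP request from 10.0.1.4:51235 to 10.0.2.5:22. Action: Allow"}}
{"time":"2024-05-01T10:02:00Z","category":"AzureFirewallNetworkRule","operationName":"AzureFirewallThreatIntelLog","properties":{"msg":"ThreatIntel: TCP request from 10.0.1.7:40001 to 203.0.113.10:443. Action: Alert. ThreatDescription: Botnet C2"}}
{"time":"2024-05-01T10:03:00Z","category":"AzureFirewallNetworkRule","operationName":"AzureFirewallThreatIntelLog","properties":{"msg":"ThreatIntel: UDP request from 10.0.1.4:5353 to 198.51.100.7:53. Action: Deny. ThreatDescription: Malware DNS"}}
"""

# Parser for the assumed msg format above.
MSG_RE = re.compile(
    r"ThreatIntel: (?P<proto>\w+) request from (?P<src>[\d.]+):\d+ to "
    r"(?P<dst>[\d.]+):(?P<dport>\d+)\. Action: (?P<action>\w+)"
    r"(?:\. ThreatDescription: (?P<desc>.*))?$"
)

def parse_threat_intel(export_text):
    """Yield one dict per threat-intelligence record; other operations are skipped."""
    for line in export_text.splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        if rec.get("operationName") != "AzureFirewallThreatIntelLog":
            continue
        m = MSG_RE.match(rec["properties"]["msg"])
        if not m:
            continue  # unparseable message: leave it for manual review
        yield {"time": rec["time"], **m.groupdict()}

def summarize(events):
    """Group matches by action and by (destination, threat) to judge Alert-mode impact."""
    by_action = Counter(e["action"] for e in events)
    by_dest = Counter((e["dst"], e["desc"]) for e in events)
    alert_sources = sorted({e["src"] for e in events if e["action"] == "Alert"})
    return {"by_action": dict(by_action),
            "top_destinations": by_dest.most_common(),
            "sources_hitting_alerts": alert_sources}

if __name__ == "__main__":
    hits = list(parse_threat_intel(SAMPLE_RECORDS))
    print(json.dumps(summarize(hits), indent=2))
```

Every source listed under sources_hitting_alerts is a workload whose traffic would start failing once the mode moves from Alert to Deny, so those are the hosts to investigate first.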
Best Practices
- Start with the Alert mode to understand potential impacts before enforcing Deny.
- Regularly review and update your custom threat intelligence lists.
- Integrate Azure Firewall logs with your SIEM for comprehensive security monitoring.
- Consider using Azure Security Center for advanced threat detection and management.