Azure Firewall Threat Intelligence
Leverage Microsoft's threat intelligence to protect your Azure resources from known exploits and malicious activities.
What is Threat Intelligence?
Threat intelligence refers to information about existing or emerging threats or hazards to security, which can be used to inform decisions about how the subject of the information is best managed or prevented.
In Azure Firewall, threat intelligence provides a set of indicators of compromise (IOCs) that identify known malicious IP addresses, URLs, and fully qualified domain names (FQDNs). This allows Azure Firewall to block traffic to and from these identified threats.
How Azure Firewall Uses Threat Intelligence
Azure Firewall integrates with Microsoft's Threat Intelligence Platform (TIP) to automatically receive and update threat intelligence feeds. This integration allows for:
- Automated Protection: Firewall rules are dynamically updated to block traffic associated with known threats.
- Real-time Monitoring: Logs provide visibility into blocked traffic, helping security teams analyze and respond to potential incidents.
- Customizable Policies: You can configure Azure Firewall to act on threat intelligence in one of two modes:
  - Deny: Block all traffic to and from the IPs, FQDNs and URLs in the threat intelligence feed. This is the default and most secure mode.
  - Warn: Log traffic to and from the IPs, FQDNs and URLs in the threat intelligence feed, but do not block it. This is useful for monitoring and analysis.
Advanced threat intelligence features and richer threat feeds are part of the Azure Firewall Premium SKU.
Enabling and Configuring Threat Intelligence
Threat intelligence is enabled by default when you create an Azure Firewall policy. You can manage these settings within the Azure portal:
- Navigate to your Azure Firewall instance in the Azure portal.
- Under "Settings", select "Firewall policy".
- Open the associated policy.
- Under "Settings", select "Threat intelligence-based filtering".
- Choose your desired mode: Deny or Warn.
- (Optional) You can also create custom threat intelligence tags to associate with specific rules or groups of indicators.
For command-line management, you can use Azure CLI or PowerShell. Both examples add a network rule collection that denies traffic to the built-in feed; replace the policy, resource group and rule collection group names with your own.

Azure CLI:

az network firewall policy rule-collection-group collection add-filter-collection \
  --policy-name MyFirewallPolicy \
  --resource-group MyResourceGroup \
  --rule-collection-group-name MyRuleCollectionGroup \
  --name ThreatIntelCollection \
  --collection-priority 200 \
  --rule-type NetworkRule \
  --action Deny \
  --rule-name BlockMaliciousIPs \
  --source-addresses '*' \
  --destination-addresses 'ThreatIntel' \
  --ip-protocols Any \
  --destination-ports '*'

PowerShell (the rule is built as an object, wrapped in a rule collection, and attached to the policy through a rule collection group; $firewallPolicy is the policy object returned by Get-AzFirewallPolicy):

# Build the network rule
$rule = New-AzFirewallPolicyNetworkRule `
  -Name BlockMaliciousIPs `
  -Protocol Any `
  -SourceAddress '*' `
  -DestinationAddress 'ThreatIntel' `
  -DestinationPort '*'
# Priority and action belong to the rule collection, not the rule
$collection = New-AzFirewallPolicyFilterRuleCollection `
  -Name ThreatIntelCollection `
  -Priority 200 `
  -Rule $rule `
  -ActionType Deny
# Attach the collection to the policy
New-AzFirewallPolicyRuleCollectionGroup `
  -Name MyRuleCollectionGroup `
  -Priority 200 `
  -RuleCollection $collection `
  -FirewallPolicyObject $firewallPolicy
Note: The ThreatIntel keyword is a special indicator used to refer to the built-in threat intelligence feed.
Threat Intelligence Feeds
Azure Firewall leverages multiple threat intelligence feeds from Microsoft. These feeds are continuously updated to reflect the latest known threats. For Azure Firewall Premium, additional feeds are available, including:
- Malicious IP addresses: Blocks communication with known command-and-control servers, botnets, and other malicious infrastructure.
- Malicious FQDNs/URLs: Prevents users from accessing known phishing sites, malware distribution points, and other malicious web destinations.
By default, Azure Firewall uses a curated set of high-fidelity threat indicators. You can also integrate your own custom threat intelligence feeds for more targeted protection.
Monitoring and Logging
All threat intelligence filtering events are logged in Azure Firewall logs. These logs can be sent to Log Analytics, Event Hubs, or a storage account for analysis, auditing, and integration with SIEM systems.
Key log categories to monitor include:
- NetworkRule: For traffic that matches network rules, including threat intelligence.
- ApplicationRule: For traffic that matches application rules.
Using Azure Monitor, you can create alerts based on threat intelligence logs so that you are notified of potential security events in real time.
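As an added example (not part of this page and not Azure Firewall's own code), the following Python script shows the kind of detection logic a SIEM ingestion job could run over exported Azure Firewall logs: it reads newline-delimited JSON records, keeps only those whose message carries a ThreatIntel marker, and reports which hosts reached a known-bad destination without being blocked, which is exactly what you want to see when the policy runs in Warn mode. The log records are constructed for this example and modelled on the legacy Azure Firewall diagnostic-log shape; the precise message wording in your own logs may differ, and the regular expression MSG_RE is the part to adjust.

```python
import json
import re
from collections import Counter

# Constructed sample records in the shape of Azure Firewall diagnostic log
# entries. Addresses, names and threat descriptions are made up for this
# example and are not real indicators.
SAMPLE_LOG = """
{"category":"AzureFirewallNetworkRule","time":"2024-01-10T10:00:00Z","operationName":"AzureFirewallThreatIntelLog","properties":{"msg":"TCP request from 10.0.0.4:51245 to 203.0.113.10:443. Action: Deny. ThreatIntel: Botnet"}}
{"category":"AzureFirewallApplicationRule","time":"2024-01-10T10:00:05Z","operationName":"AzureFirewallThreatIntelLog","properties":{"msg":"HTTPS request from 10.0.0.5:51300 to malicious.example.invalid:443. Action: Alert. ThreatIntel: Phishing"}}
{"category":"AzureFirewallNetworkRule","time":"2024-01-10T10:00:07Z","operationName":"AzureFirewallNetworkRuleLog","properties":{"msg":"TCP request from 10.0.0.4:51246 to 10.0.1.9:22. Action: Allow. Rule Collection: AllowSsh. Rule: ssh"}}
{"category":"AzureFirewallApplicationRule","time":"2024-01-10T10:00:09Z","operationName":"AzureFirewallThreatIntelLog","properties":{"msg":"HTTP request from 10.0.0.5:51301 to malware.example.invalid:80. Action: Alert. ThreatIntel: Malware"}}
{"category":"AzureFirewallNetworkRule","time":"2024-01-10T10:00:12Z","operationName":"AzureFirewallThreatIntelLog","properties":{"msg":"UDP request from 10.0.0.7:40000 to 203.0.113.10:53. Action: Deny. ThreatIntel: Botnet"}}
"""

# Message shape assumed by this example: "<proto> request from <src>:<port> to
# <dst>:<port>. Action: <Deny|Alert|Allow>.[ ThreatIntel: <description>]".
# Source and destination are matched up to the first colon, so IPv4 addresses
# and FQDNs work; IPv6 literals would need a different pattern.
MSG_RE = re.compile(
    r"^(?P<proto>\S+) request from (?P<src>[^:]+):(?P<sport>\d+) "
    r"to (?P<dst>[^:]+):(?P<dport>\d+)\. Action: (?P<action>\w+)\."
    r"(?: ThreatIntel: (?P<threat>.+))?$"
)


def parse_threat_intel_events(raw):
    """Return only the records flagged by threat intelligence, with the
    fields pulled out of the free-text message. Ordinary rule hits and
    messages of a shape we do not recognise are skipped."""
    events = []
    for line in raw.strip().splitlines():
        line = line.strip()
        if not line:
            continue
        record = json.loads(line)
        msg = record.get("properties", {}).get("msg", "")
        m = MSG_RE.match(msg)
        if not m or not m.group("threat"):
            continue
        events.append({
            "time": record["time"],
            "category": record["category"],
            "protocol": m.group("proto"),
            "source": m.group("src"),
            "destination": m.group("dst"),
            "port": int(m.group("dport")),
            "action": m.group("action"),
            "threat": m.group("threat"),
        })
    return events


def summarize(events):
    """Count hits per (source, action) and per threat description, and list
    the sources whose traffic was only alerted on (i.e. it went through)."""
    by_source_action = Counter((e["source"], e["action"]) for e in events)
    by_threat = Counter(e["threat"] for e in events)
    alerted_sources = sorted({e["source"] for e in events if e["action"] == "Alert"})
    return {
        "total": len(events),
        "by_source_action": dict(by_source_action),
        "by_threat": dict(by_threat),
        "alerted_sources": alerted_sources,
    }


if __name__ == "__main__":
    evs = parse_threat_intel_events(SAMPLE_LOG)
    for e in evs:
        print(f'{e["time"]} {e["action"]:5} {e["source"]} -> {e["destination"]}:{e["port"]} [{e["threat"]}]')
    s = summarize(evs)
    print("threat-intel hits:", s["total"], "by threat:", s["by_threat"])
    print("hosts that reached a known-bad destination without being blocked:", s["alerted_sources"])
```

Feed the script the JSON lines exported from the Log Analytics workspace, Event Hub or storage account the firewall logs to; the same filter (records whose message contains "ThreatIntel:" with Action Alert) is what an Azure Monitor alert rule should key on when the policy is in Warn mode, since Deny hits are already handled by the firewall and Alert hits are the ones that need a human to look at the source host.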