Azure Network Security Blog

Copilot in Azure embedded experience for Azure Firewall integration in Security Copilot

abhinavsriram, Microsoft
Nov 19, 2024

Today, at Microsoft Ignite, we are excited to announce that we are building on our announcements at RSA and Microsoft Build earlier this year by integrating Security Copilot even more closely with our Network Security products. These capabilities were launched on the Security Copilot portal (also called the standalone experience) earlier this year.

Azure Firewall integration in Security Copilot queried via Copilot in Azure on the Azure portal

The Security Copilot attack investigation capabilities for Azure Firewall can now be queried via the Copilot in Azure experience (also called the embedded experience) directly on the Azure portal where you regularly interact with your Azure Firewalls, bringing interactive, generative AI-powered capabilities even closer to where you work.

To learn more about the user journey and value that Copilot can deliver, see Bringing generative AI to Azure network security with new Microsoft Copilot integrations | Microsoft Azure Blog.

Investigating Azure Firewall IDPS attacks using Copilot

As a member of your organization's network security team, it is imperative that you understand the kinds of threats your network security devices are intercepting. Today, Azure Firewall intercepts and blocks malicious traffic using a deep-packet inspection technology called IDPS (Intrusion Detection and Prevention System).

However, when you need to perform a deeper investigation of the threats that Firewall catches using IDPS, you must do this manually, which is a non-trivial and time-consuming task. The Azure Firewall integration in Security Copilot helps analysts perform these investigations with the speed and scale of AI.

Retrieve the top IDPS signature hits for an Azure Firewall

The first step in an investigation is to pick a specific Azure Firewall and see the threats it has intercepted. Today, analysts spend hours writing custom queries or navigating through several manual steps to retrieve threat information from Log Analytics workspaces. With Copilot, you just need to ask about the threats you'd like to see, and Copilot presents you with the requested information.

"Get top IDPS signature hits" capability invoked via Copilot in Azure

Copilot presents the top 5 IDPS signatures flagged in the requested time period along with a brief summary of why each signature is a threat and volumetric information on the number of flows associated with each signature.

Enrich the threat profile of an IDPS signature beyond log information

The next step in an investigation is to better understand the nature and impact of these threats. Today, analysts must manually retrieve additional contextual information from various sources, such as the geographical location of IPs, the threat rating of a fully qualified domain name (FQDN), details of the common vulnerabilities and exposures (CVEs) associated with an IDPS signature, and more. This process is slow and involves a lot of effort. Copilot pulls information from the relevant sources to enrich your threat data in a fraction of the time.

"Get details on an IDPS signature" capability invoked via Copilot in Azure

Copilot provides a brief summary of both attacks as well as a comparison between the two, emphasizing their differing severities and why it is crucial to respond to these threats quickly. You can drill deeper if you'd like by asking follow-up questions, or by asking the same question again to get Copilot to reinforce or substantiate any of its answers. For example, reinforcing that you'd like to understand how much of a threat an attack is, even though Copilot may have already answered that question, is a great way for junior analysts, or anyone operating outside their normal area of focus, to truly understand what is happening.

Look for a given IDPS signature across your environment

Once a detailed investigation has been performed for a single Azure Firewall and a single threat, analysts need to determine whether these threats were seen elsewhere in their environment. All the manual work you performed to investigate a single Azure Firewall is work you would have to repeat fleet-wide. Copilot can do this at machine speed and help correlate this information with other security products to better understand how attackers are targeting your entire infrastructure.

"Search across firewalls for an IDPS signature" capability invoked via Copilot in Azure

Copilot searches across your entire tenant and finds that another Firewall also saw one of the attacks over the timespan you defined. Your suspicions are unfortunately confirmed: this is a threat that is targeting multiple points of entry in your environment. You can ask a follow-up question to search for another high-severity threat as well, now that you know that at least one threat was not contained to a single Firewall and has proliferated across your environment.
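For reference, the manual Log Analytics work that the two preceding sections describe (retrieve the top IDPS signature hits for one firewall, then look for those same signatures across the rest of the fleet) can be expressed as a single KQL query. This is an added example, not code from this post or from the Copilot integration; it assumes the resource-specific AZFWIdpsSignature table schema (SignatureId, Description, Severity, Action, SourceIp, _ResourceId) and uses a placeholder firewall resource ID.

```kql
// Added example, not from the post: the manual Log Analytics steps that Copilot automates.
// Assumes structured (resource-specific) Azure Firewall logs in the AZFWIdpsSignature table.
let lookback = 24h;
// Placeholder (constructed, not a real resource): full resource ID of the firewall under investigation.
let firewall = "/SUBSCRIPTIONS/<sub-id>/RESOURCEGROUPS/<rg>/PROVIDERS/MICROSOFT.NETWORK/AZUREFIREWALLS/<fw-name>";
// Step 1: top 5 IDPS signatures hit on that one firewall, with per-signature flow volume.
let topSignatures =
    AZFWIdpsSignature
    | where TimeGenerated > ago(lookback)
    | where _ResourceId =~ firewall
    | summarize Flows = count(), Sources = dcount(SourceIp), Actions = make_set(Action)
        by SignatureId, Description, Severity
    | top 5 by Flows desc;
let topSignatureIds = topSignatures | project SignatureId;
// Step 2: look for the same signatures on every firewall that logs to this workspace.
AZFWIdpsSignature
| where TimeGenerated > ago(lookback)
| where SignatureId in (topSignatureIds)
| extend Firewall = tostring(split(_ResourceId, "/")[-1])
| summarize Flows = count(), Sources = dcount(SourceIp),
            Denied = countif(Action =~ "Deny"), Alerted = countif(Action =~ "Alert"),
            FirstSeen = min(TimeGenerated), LastSeen = max(TimeGenerated)
    by SignatureId, Description, Severity, Firewall
| order by SignatureId asc, Flows desc
```

A signature that appears under more than one Firewall value in the result is the fleet-wide hit the section above describes; the query covers a single Log Analytics workspace, so firewalls logging elsewhere need a union over workspace() references.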

Secure your environment using IDPS

Now that you are convinced this attack warrants attention from your organization, as a first step you can ask Copilot for recommendations on how to better use your Firewall to protect against these kinds of attacks.

"Secure your environment using IDPS" capability invoked via Copilot in Azure

Copilot combines contextual information from your conversation with general network security best practices and specific guidance from the Azure Firewall documentation to produce an informative response.

Looking forward

In addition to the open prompting experience covered in this blog, we are also working on embedding Copilot directly into the Firewall portal, so that you can simply click buttons with suggested prompts that automatically pull relevant information from context and generate helpful responses. This makes it easy to invoke Copilot when it is contextually relevant while still giving you complete control over its usage.

Contextually relevant embedded experiences on the Azure portal

We are also excited to share a sneak peek of upcoming capabilities, such as Natural language to KQL for IDPS, that are currently being tested by a small group of customers. This capability can act as a query assistant that helps you craft complex queries, and it can also answer your questions by running automatically generated queries against the appropriate Log Analytics workspaces to retrieve the relevant data.

Sneak peek of upcoming "Natural language to KQL for IDPS" capability

This is only the start of our journey toward infusing AI into every aspect of our Network Security offerings, making it easier for our customers to be more productive, quickly analyze threats, and mitigate vulnerabilities to stay ahead of their adversaries. These capabilities are in preview, and over the coming weeks we look forward to adding new capabilities and making improvements based on your feedback.

Get started

Learn more in our documentation about these capabilities and how to use them today!

Updated Nov 19, 2024