Azure Firewall and WAF integrations in Microsoft Security Copilot

Azure Firewall and WAF are critical security services that many Microsoft Azure customers use to protect their network and applications from threats and attacks. Azure Firewall is a fully managed, cloud-native network security service that safeguards your Azure resources. It ensures high availability and scalability while filtering both inbound and outbound traffic, catching threats and only allowing legitimate traffic. Azure WAF is a cloud-native service that protects your web applications from common web-hacking techniques such as SQL injection and cross-site scripting. It offers centralized protection for web applications hosted behind Azure Application Gateway and Azure Front Door.

 

The Azure Firewall integration in Security Copilot enables analysts to perform detailed investigations of malicious traffic intercepted by the IDPS [Intrusion Detection and Prevention System] feature of their firewalls across their entire fleet. Analysts can use natural language queries in the Security Copilot standalone experience for threat investigation. With the Azure WAF integration, security and IT teams can operate more efficiently, focusing on high-value tasks. Copilot summarizes data and generates in-depth contextual insights into the WAF threat landscape. Both integrations simplify complex tasks, allowing analysts to ask questions in natural language instead of writing complex KQL queries.

 

In this blog, we will focus on setting up and leveraging the integration of Network Security services with Security Copilot for hunting and troubleshooting malicious traffic.

 

Network Security Capabilities Available today in Copilot:

Azure Firewall:

• Retrieve the top IDPS signature hits for an Azure Firewall
• Get additional details to enrich the threat profile of an IDPS signature beyond log information
• Look for a given IDPS signature across your tenant, subscription or resource group
• Generate recommendations to secure your environment using Azure Firewall’s IDPS feature

 

Azure WAF:

• Retrieve contextual details about WAF detections and the top rules triggered
• Retrieve the top malicious IPs in the environment along with related WAF rules and patterns triggering the attack
• Get information on SQL Injection attacks blocked by Azure WAF
• Get information on XSS attacks blocked by Azure WAF

 

Prerequisites for enabling the integration:

In case you haven’t used Security Copilot for other products, you need to onboard to Security Copilot by following the process below:

• Provision Capacity
  • This can be done through either signing in to Security Copilot (https://securitycopilot.microsoft.com) or through the Azure Portal, as shown below:
  • More details about the detailed setup process for Security Copilot can be found here.
  • The details around pricing for Security Copilot can be found here.

 

 

 

 

• Setup the default environment using the instructions mentioned here.

 

 

 

• Enable Plugins:
  • For Firewall, only the plugin needs to be enabled as shown in the image below.

 

 

 

• For WAF, along with enabling the plugin, we also need to ensure the WAF Log Analytics workspace name, Log Analytics resource group name and Log Analytics subscription ID are configured.

 

 

 

Once the Security Compute Units (SCUs) are provisioned as specified, the Azure WAF and Firewall logs are present in the Azure Log Analytics workspace, and the respective plugins are enabled, the capabilities will be ready for use.

 

Investigation of Threats in Azure Firewall using Security Copilot:

 

• Retrieving IDPS hits in Azure Firewall using Natural Language prompts:

 

 

• Get additional details to enrich the threat profile of an IDPS signature beyond log information

 

• Look for a given IDPS signature across your tenant, subscription or resource group

 

Investigation of Threats in Azure WAF using Security Copilot:

 

• Retrieve contextual details, top IP offenders and WAF rule matches using Natural Language prompts
• Here, Regional WAF refers to App Gateway WAF and Global WAF refers to Front Door WAF.

 

 

• Get information on SQL Injection attacks blocked by Azure WAF

 

• Get information on XSS attacks blocked by Azure WAF

 

Recommendations for Network Security:

• Security Copilot also provides recommendations on using Azure Firewall's capabilities to secure your environment as shown below:

 

 

For more details on all the available prompts that can be used with this integration, refer to the respective documentation here for Firewall and WAF.

 

Integrating Microsoft Azure’s robust network security services with Security Copilot offers a powerful solution for enhancing your security posture. By leveraging Azure Firewall and Azure Web Application Firewall (WAF) within Copilot, security analysts can efficiently investigate and mitigate threats using natural language queries. This integration not only simplifies complex security tasks but also provides comprehensive protection for your applications and data, allowing your security and IT teams to focus on high-value activities.