Today, we are launching the public preview of Azure Web Application Firewall (WAF) integration in Microsoft Security Copilot. The Azure WAF capabilities available in the standalone Security Copilot experience are: Get Top Rules Triggered, Get Top Blocks By IP, Get SQLi Blocks By WAF, and Get XSS Blocks By WAF.
Network security analysts working with Azure WAF face many challenges. Much of their time goes into researching and understanding why the WAF blocked particular requests, which is a time-consuming and manual task.
With the Azure WAF in Security Copilot integration, security and IT teams can move faster and focus on high-value tasks. Copilot summarizes WAF data and generates in-depth contextual insights into the WAF threat landscape. This enables analysts to determine whether the WAF policy is blocking a request it should not have blocked, or whether the policy needs to be fine-tuned. It results in time and cost savings, since Copilot can reason over terabytes of data in a matter of minutes, not hours or days.
Another productivity gain is simplifying complex work: analysts don't have to write complex KQL queries. Instead, they can simply ask questions in natural language, and Security Copilot understands the context and generates the response. This saves time and unlocks new skills for junior analysts, while Tier 1 analysts can now complete more complex tasks and focus on strategic rather than tactical work.
Let's take a closer look at what each of these new Azure WAF Skills in Security Copilot does to help network security professionals investigate logs via natural language prompts.
Azure WAF Skills in Security Copilot
The four WAF Skills available are:
- Get Top Rules Triggered: Retrieve contextual details about WAF detections.
- Get Top Blocks By IP: Retrieve the top malicious IPs in the environment along with related WAF rules and patterns triggering the attack.
- Get SQLi Blocks By WAF: Explain why Azure WAF blocks SQL Injection (SQLi) attacks. Analyze Azure WAF diagnostic logs and connect related logs over a specific time period to generate a summary of the attack.
- Get XSS Blocks By WAF: Explain why Azure WAF blocks Cross-site Scripting (XSS) attacks. Analyze Azure WAF diagnostic logs and connect related logs over a specific time period to generate a summary of the attack.
Using the Get Top Rules Triggered Skill
This Copilot Skill summarizes in natural language the overall threat landscape in the WAF environment. The Skill reasons over terabytes of WAF logs and generates a list of the top WAF rules triggered, the detection logic behind those detections, and the malicious client IPs triggering the rules. The list is ordered by the number of times each rule was hit, with the most frequently hit rules displayed at the top.
The screenshot below describes the response generated when a prompt is issued for the top WAF rules in a regional WAF over the last day.
The default timespan for any of the WAF Skills is 24 hours, but prompts can be tailored to the specific request.
Using the Get Top Rules Triggered Skill, analysts can get details on any of the WAF rule sets: the Default Rule Set, the Bot Rule Set, or a custom rule set.
The screenshot below shows a prompt asking for details of the bot rules triggered.
Furthermore, it is possible to use this Skill to obtain details of a specific vulnerability. In the following example, an analyst asks whether the WAF has seen any Remote Code Execution (RCE) attempts and receives details about an RCE detection, including the Log4j CVE details. The analyst can use other Security Copilot products such as Microsoft Defender for Threat Intelligence to obtain further details about the CVE.
Using the Get Top Blocks By IP Skill
This Skill generates a list of the offending IPs that most frequently trigger the WAF, along with related WAF contextual information.
Using the response from this Skill, analysts get a holistic picture of the WAF rules triggered by the offending IPs and the overall exposure of the WAF policy to those IPs.
Furthermore, the malicious IPs discovered by this WAF Skill can be searched in other Security Copilot products such as Microsoft Defender for Threat Intelligence to find other attack vectors associated with the IPs.
Using the Get SQLi Blocks By WAF Skill
This Skill provides contextual insights into WAF detections of SQL Injection (SQLi) attacks. It helps analysts understand the details of the SQLi attack, such as the WAF resources under attack and attack patterns such as the query parameters triggering the detection.
Using the Get XSS Blocks By WAF Skill
This Skill provides contextual insights into WAF detections of cross-site scripting (XSS) attacks. It helps analysts understand the details of the attack, such as the WAF resources under attack and attack patterns such as the query parameters triggering the detection.
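To make concrete what the four Skills summarize, here is an added example (not code from the original post or from Microsoft) that performs the same four aggregations over a handful of constructed Azure Application Gateway WAF diagnostic records: top rules by hit count, top blocked client IPs with the rules they tripped, and SQLi/XSS block summaries keyed on the OWASP CRS 942xxx/941xxx rule families. The record shape follows the ApplicationGatewayFirewallLog category; the IPs, hosts, URIs and timestamps are invented sample data.

```python
import json
from collections import Counter
from urllib.parse import parse_qsl, urlsplit

RULE_FAMILIES = {"SQLi": "942", "XSS": "941"}  # OWASP CRS rule-id prefixes for the two attack classes
def _rec(ts, ip, rule, action, host, uri, matched):
    # One record shaped like an ApplicationGatewayFirewallLog entry (constructed sample data)
    return {"time": ts, "category": "ApplicationGatewayFirewallLog", "operationName": "ApplicationGatewayFirewall",
            "properties": {"clientIp": ip, "ruleSetType": "OWASP", "ruleSetVersion": "3.2", "ruleId": rule,
                           "action": action, "hostname": host, "requestUri": uri, "details": {"data": matched}}}
# Constructed sample export (JSON Lines). IPs are RFC 5737 documentation addresses; hosts are invented.
SAMPLE_WAF_LOG_LINES = "\n".join(json.dumps(r) for r in [
    _rec("2024-05-01T10:00:01Z", "203.0.113.10", "942100", "Blocked", "shop.example.com", "/search?q=1'%20OR%20'1'='1", "1' OR '1'='1"),
    _rec("2024-05-01T10:00:02Z", "203.0.113.10", "942130", "Blocked", "shop.example.com", "/search?q=1'%20OR%20'1'='1", "1' OR '1'='1"),
    _rec("2024-05-01T10:00:05Z", "203.0.113.10", "941100", "Blocked", "shop.example.com", "/comment?text=%3Cscript%3Ealert(1)%3C/script%3E", "<script>alert(1)</script>"),
    _rec("2024-05-01T10:01:10Z", "198.51.100.7", "941100", "Blocked", "blog.example.com", "/comment?text=%3Cscript%3Ealert(1)%3C/script%3E", "<script>alert(1)</script>"),
    _rec("2024-05-01T10:01:11Z", "198.51.100.7", "942100", "Blocked", "blog.example.com", "/item?id=1%20OR%201=1", "1 OR 1=1"),
    _rec("2024-05-01T10:02:00Z", "192.0.2.55", "920350", "Detected", "10.0.0.4", "/", "10.0.0.4"),
    _rec("2024-05-01T10:03:30Z", "198.51.100.7", "942100", "Blocked", "shop.example.com", "/item?id=1%20OR%201=1", "1 OR 1=1"),
    _rec("2024-05-01T10:04:00Z", "203.0.113.10", "942100", "Blocked", "shop.example.com", "/search?q=1'%20OR%20'1'='1", "1' OR '1'='1"),
])

def parse_waf_logs(raw_lines):
    """Flatten JSON Lines diagnostic records to the fields needed; skip the gateway's non-WAF log categories."""
    events = []
    for rec in (json.loads(line) for line in raw_lines.splitlines() if line.strip()):
        if rec.get("category") != "ApplicationGatewayFirewallLog":
            continue
        p = rec["properties"]
        events.append({"time": rec["time"], "ip": p["clientIp"], "rule": p["ruleId"], "action": p["action"],
                       "host": p["hostname"], "uri": p["requestUri"], "data": p.get("details", {}).get("data", "")})
    return events

def top_rules_triggered(events, n=5):
    """Get Top Rules Triggered: rule ids ordered by hit count, most-hit first (every action, not only blocks)."""
    return Counter(e["rule"] for e in events).most_common(n)

def top_blocks_by_ip(events, n=5):
    """Get Top Blocks By IP: client IPs with the most blocked requests, plus the rules each one tripped."""
    blocked = [e for e in events if e["action"] == "Blocked"]  # "Detected" entries come from detection mode
    ranked = Counter(e["ip"] for e in blocked).most_common(n)
    return [(ip, count, sorted({e["rule"] for e in blocked if e["ip"] == ip})) for ip, count in ranked]

def attack_summary(events, family):
    """Get SQLi/XSS Blocks By WAF: blocks for one CRS family, hosts hit and the query parameters carrying the payload."""
    hits = [e for e in events if e["action"] == "Blocked" and e["rule"].startswith(RULE_FAMILIES[family])]
    params = Counter(k for e in hits for k, _ in parse_qsl(urlsplit(e["uri"]).query, keep_blank_values=True))
    return {"family": family, "blocks": len(hits), "hosts": sorted({e["host"] for e in hits}),
            "rules": sorted({e["rule"] for e in hits}), "parameters": dict(params), "samples": sorted({e["data"] for e in hits})}
```

Running `attack_summary(parse_waf_logs(SAMPLE_WAF_LOG_LINES), "SQLi")` shows the kind of answer the SQLi Skill produces: five blocks across two hosts, carried in the `q` and `id` query parameters.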
How to use Azure WAF integration in Security Copilot
Security Copilot is accessible to organizations through a pay-as-you-go consumption model. Once Security Compute Units (SCUs) are provisioned and Azure WAF logs are present in Azure Log Analytics, the WAF Skills are ready for use.
Select “sources” in the prompt bar and ensure the Azure Web Application Firewall plugin is enabled. Ensure the WAF Log Analytics workspace name, Log Analytics resource group name, and Log Analytics subscription ID are configured.
With the Azure WAF in Security Copilot integration, security and IT teams can move faster, upskill, and transition into the age of AI. The integration announced today combines Microsoft's expertise in security with Gen AI, packaged together to empower network security analysts to outpace adversaries with the speed and scale of AI.
Sowmya Mahadevaiah
Principal Product Manager, Azure Networking