Microsoft Secure Tech Accelerator
Apr 03 2024, 07:00 AM - 11:00 AM (PDT)
Microsoft Tech Community

New Blog | Malware Detection in Sentinel for Azure Firewall


Malware refers to any software that is designed to cause damage, disruption, or compromise of the security and functionality of computer systems, networks, or devices. It includes diverse types of threats, such as viruses, worms, trojans, ransomware, spyware, adware, rootkits, and more. Malware can have various negative impacts, such as stealing sensitive data, encrypting or deleting files, displaying unwanted ads, slowing down performance, or even taking control of the device.


The Azure Firewall IDPS feature automatically detects and denies malware by default and can prevent cloud workloads from being infected. We can further enhance this capability by employing automated detection and response using prebuilt detection queries and Sentinel. In this blog, we will explore how to detect some common malware found in Azure Firewall logs, such as Coin-miner, Cl0p and Sunburst, using predefined KQL detection queries for Azure Firewall.


These detections enable security teams to receive Sentinel alerts when machines on the internal network request connections to domain names or IP addresses on the internet that are linked to known Indicators of Compromise (IOCs), as defined in the detection rule query. True positive detections should themselves be regarded as IOCs. Security incident response teams can then initiate a response and implement appropriate custom remediation actions based on these detection signals.
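As an added illustration of the pattern these detections follow (this is not one of the blog's own queries), the KQL below matches Azure Firewall application, network and DNS proxy logs against a small IOC list and summarizes hits per internal source. It assumes Azure Firewall structured logs are being sent to the workspace (the AZFWApplicationRule, AZFWNetworkRule and AZFWDnsQuery tables); the IOC domains and IPs are constructed placeholders, not indicators from the blog.

```kql
// Added example, not from the original post. Alert when an internal host reaches a
// domain or IP on a list of known malware IOCs. The values below are constructed
// placeholders; in practice they come from a Sentinel watchlist or a TI feed.
let ioc_domains = dynamic(["malicious-example.invalid", "c2-example.invalid"]);
let ioc_ips = dynamic(["203.0.113.10", "198.51.100.25"]);   // TEST-NET placeholder addresses
let lookback = 1h;
// Application-rule logs carry the requested FQDN (HTTP/HTTPS traffic)
let app_hits = AZFWApplicationRule
    | where TimeGenerated > ago(lookback)
    | where Fqdn in~ (ioc_domains)
    | project TimeGenerated, SourceIp, Indicator = Fqdn, IndicatorType = "domain", Action, Rule;
// Network-rule logs carry only the destination IP
let net_hits = AZFWNetworkRule
    | where TimeGenerated > ago(lookback)
    | where DestinationIp in (ioc_ips)
    | project TimeGenerated, SourceIp, Indicator = DestinationIp, IndicatorType = "ip", Action, Rule;
// DNS proxy logs catch the lookup even when the connection itself was never made
let dns_hits = AZFWDnsQuery
    | where TimeGenerated > ago(lookback)
    | where QueryName in~ (ioc_domains)
    | project TimeGenerated, SourceIp, Indicator = QueryName, IndicatorType = "dns", Action = "", Rule = "";
union app_hits, net_hits, dns_hits
| summarize FirstSeen = min(TimeGenerated), LastSeen = max(TimeGenerated), Hits = count(),
            Indicators = make_set(Indicator), Actions = make_set(Action) by SourceIp, IndicatorType
// Traffic that was allowed (not denied by IDPS) means the host may already be compromised
| extend Severity = iff(Actions has "Allow", "High", "Medium")
| order by Severity asc, Hits desc
```

Each row is a candidate incident for the source host; a denied hit still indicates that something on that host tried to reach known malware infrastructure and warrants triage.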


Instructions for implementing the analytic rules using the queries below may be found in the blog.
