In the example test setup depicted above, we have a Hub VNET with an Azure Firewall and 2 Spoke VNETs: a Client Spoke, which has a Kali Linux VM, and a Server Spoke, which has a Windows Server 2019 VM.  The 2 Spoke VNETs do not have direct connectivity with each other; however, both are peered with the Hub VNET and point to Azure Firewall for internet and VNET-to-VNET connectivity with a UDR (User Defined Route).  Azure Firewall has a Network Rule to allow all traffic from the Client Spoke VNET to the Server Spoke VNET.  We have 2 Network rules in Azure Firewall:

This playbook allows the SOC to automatically respond to Azure Sentinel incidents which include a destination IP address, by adding the specific IP to the Threat Intelligence (TI) Allow list in Azure Firewall.

Identifies communication for a well-known protocol over a non-standard port based on machine learning done during an activity period.

We have deployed the Azure Firewall Solution to the Azure Sentinel Workspace and configured the Azure Firewall Connector + Playbooks in this environment.  As described in the previous section (Configuration Requirements in Example Scenario), we have enabled and configured the Port Scan detection rule along with an Automation Rule to trigger the AzureFirewall-BlockIP-addToIPGroup Playbook.  To start the automated detection and response process, we initiate a port scan from the Kali Linux VM in the Client Spoke VNET to the Windows 2019 VM in the Server Spoke VNET using the following command: nmap -Pn -p 1-65535 -v
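As an added illustration of the detection logic this scenario relies on (example code written for this post, not the solution's own Port Scan analytic rule, which is a KQL query), the Python below applies a distinct-destination-port threshold per source/destination pair to constructed Azure Firewall network rule log lines. The message format, the 10.x addresses and the threshold are assumptions; the sources it returns are the IPs the AzureFirewall-BlockIP-addToIPGroup playbook would add to the deny IP Group.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events (timestamp, msg). The msg text is modeled on the
# Azure Firewall network rule log line format (an assumption, not captured data).
SCANNER, TARGET, BENIGN = "10.1.0.4", "10.2.0.4", "10.1.0.5"
SAMPLE_EVENTS = [
    (f"2021-06-01T10:00:{i:02d}Z",
     f"TCP request from {SCANNER}:{40000 + i} to {TARGET}:{20 + i}. Action: Deny")
    for i in range(40)
] + [
    ("2021-06-01T10:00:05Z", f"TCP request from {BENIGN}:50001 to {TARGET}:80. Action: Allow"),
    ("2021-06-01T10:00:06Z", f"TCP request from {BENIGN}:50002 to {TARGET}:443. Action: Allow"),
    ("2021-06-01T10:00:07Z", f"TCP request from {BENIGN}:50003 to {TARGET}:3389. Action: Deny"),
]

LOG_RE = re.compile(
    r"^(?P<proto>\w+) request from (?P<src>[\d.]+):\d+ to (?P<dst>[\d.]+):(?P<dport>\d+)\. "
    r"Action: (?P<action>Allow|Deny)\.?$"
)

def parse_event(ts, msg):
    """Parse one (timestamp, msg) pair; return None for lines that do not match the format."""
    m = LOG_RE.match(msg)
    if not m:
        return None
    return {"time": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
            "src": m["src"], "dst": m["dst"], "dport": int(m["dport"]), "action": m["action"]}

def detect_port_scans(events, min_ports=25, window=timedelta(minutes=5)):
    """Return {src: {dst: distinct_port_count}} for every source that hit at least
    `min_ports` distinct destination ports on one destination within a `window`-long span."""
    by_pair = defaultdict(list)
    for ts, msg in events:
        ev = parse_event(ts, msg)
        if ev:  # skip unparseable lines instead of failing the whole run
            by_pair[(ev["src"], ev["dst"])].append((ev["time"], ev["dport"]))
    hits = defaultdict(dict)
    for (src, dst), recs in by_pair.items():
        recs.sort()  # chronological, so each record can open a sliding window
        for i, (start, _) in enumerate(recs):
            ports = {p for t, p in recs[i:] if t - start <= window}
            if len(ports) >= min_ports:
                hits[src][dst] = max(hits[src].get(dst, 0), len(ports))
    return dict(hits)
```

`sorted(detect_port_scans(SAMPLE_EVENTS))` yields the scanner source only; the benign host, which touched three ports, stays below the threshold.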

The cloud native Azure Firewall provides protection against network-based threats.  Azure Sentinel is the cloud native SIEM and SOAR solution which provides threat detection, hunting, and automated response capabilities for Azure Firewall.  While this is great, customers must go through multiple blades and steps in Azure Sentinel to deploy and configure all the detections, hunting queries, workbooks, and automation, which can be an overhead.

Malicious communication (C2) or exfiltration by attackers who communicate over known ports (SSH, HTTP) but do not use the protocol headers that match the port number.

This playbook allows you to block an IP address by adding a new network rule with the specific IP to an existing Deny Network Rule Collection in Azure Firewall.

Malicious scanning of ports by an attacker, trying to reveal open ports in the organization that can be compromised for initial access.

Now that the solution has been deployed and all components have been enabled/configured successfully, you can use the Firewall Workbook to visualize the Azure Firewall log data, use Hunting queries to identify uncommon/anomalous patterns and create incidents with the enabled detection rules.  You can also automate response for any Azure Firewall detections using the available Azure Sentinel Playbooks.

Helps to identify a common indication of an attack (IOA) when a new host or IP tries to communicate with a destination using a specific port.

The connector allows you to take many different actions against Azure Firewall, Firewall Policy, and IP Groups.  A full list of actions supported by the connector is available here

We will continue to enhance the firewall solution in the future with new detection and automation capabilities to meet your needs.  You can also contribute new connectors, playbooks, detections, workbooks, analytics and more for Azure Firewall in Azure Sentinel.  Get started now by joining the Azure Network Security plus Azure Sentinel Threat Hunters communities on GitHub and following the guidance.

Before you can begin testing, please follow the instructions below to ensure Azure Firewall, Azure Firewall Connector and Playbooks (automation) and Azure Sentinel are ready:

2 Azure Sentinel Solutions announced in the RSA 2021 conference RSA Conference 2021: New innovations for Azure Sentinel and in the blog post Introducing Azure Sentinel Solutions!

Identifies multiple machines that are trying to reach out to the same destination blocked by threat intelligence (TI) in the Azure Firewall.

Identifies an abnormal deny rate for a specific source IP to a destination IP based on machine learning done during a configured period.

Readers of this post will hopefully be aware of the ever-growing integration between Azure Firewall and Azure Sentinel [1].  At Microsoft, we continue to innovate to deliver the best security detection and response experiences for you, and we are excited to present the Azure Firewall Solution for Azure Sentinel, as announced in the blog post Optimize security with Azure Firewall solution for Azure Sentinel [2].  The Azure Firewall Solution provides Azure Firewall specific net new detections and hunting queries.  The solution also contains a new firewall workbook and automation components, which can now be deployed in a single, streamlined method.

The diagram below depicts the end-to-end process starting from the time a port scan is initiated, the Azure Firewall Playbook is triggered based on the detection rule and the IP Group used in the Deny Network Rule in Azure Firewall is updated with the IP address of the port scanner (Kali VM).  All the steps are called out in the diagram and explained below.

Please follow the instructions below to configure the Port Scan detection rule and create an automation rule in Azure Sentinel.

Malicious scanning of a port by an attacker trying to reveal IPs with specific vulnerable ports open in the organization.

The Azure Firewall Solution provides net new detections, hunting queries, workbook and response automation which allow you to detect prevalent techniques used by attackers and malware.  The Solution provides a streamlined method to deploy all packaged components at once with minimal overhead and start utilizing them in your environment.  We encourage all customers to utilize these new detection and automation capabilities to help improve your overall security posture.

Potential exfiltration, initial access, or C2, where an attacker tries to exploit the same vulnerability on machines in the organization but is being blocked by the Azure Firewall rules.

In this video, we go over the demo environment setup, configuration of Azure Firewall and Azure Sentinel in the demo environment and provide end-to-end demonstration for triggering the automated detection and response process described in the previous section.

The Azure Firewall Solution provides new threat detections, hunting queries, a new firewall workbook and response automation as packaged content.  This enables you to find the appropriate solution easily and then deploy all the components in the solution in a single step from the Solutions blade in Azure Sentinel.

This playbook allows you to block IP addresses in Azure Firewall by adding them to IP Groups based on analyst decision.  It allows you to make changes on IP Groups, which are attached to firewall rules, instead of making changes directly to the Azure Firewall.  The target IP Group could be associated with policy/rules used in one or more firewalls.

An attacker can bypass monitored ports and send data through uncommon ports. This can also indicate an exfiltration attack from machines in the organization by using a port that has never been used on the machine for communication.

An attacker can bypass monitored ports and send data through uncommon ports. This allows the attackers to evade detection from routine detection systems.

Note: You may skip configuration of the Azure Firewall Connector and Playbooks pre-requisites if you are not planning to use the response automation features at the time of deploying the Firewall Solution.

Please ensure that the Azure Firewall Custom Logic App Connector and Playbook Templates are configured correctly as described in the detailed step-by-step guide available here: Automated Detection and Response for Azure Firewall with the New Logic App Connector and Playbooks.

Indicates initial access attempts by attackers trying to jump between different machines in the organization, exploiting lateral movement path or the same vulnerability on different machines to find vulnerable machines to access.

The Azure Firewall solution can be deployed quickly from the Solutions (Preview) gallery in Azure Sentinel.  There are no other prerequisites to deploy and start using the Analytic Rule based detections, Hunting Queries, and the Firewall Workbook included in the solution package.  Please see the screen capture below for a step-by-step process to deploy the firewall solution.

Recent breaches surface the need for all organizations to adopt an assume breach mindset to security.  While organizations continue to invest heavily in the products and technology to prevent breaches, having automated threat detection and response capabilities to identify malicious actors and actions in your environment has become the need of the hour.  To enable these capabilities at scale, organizations need to have cutting-edge monitoring and response tools along with the detection logic to identify threats.

You must have Azure Firewall Standard or Premium with Firewall Policy or Classic Rules, and Azure Sentinel deployed in your environment to use the solution.  In order to use the response automation capabilities provided by the Azure Firewall Logic App Connector and Playbooks included in the solution, you must complete, prior to deploying the solution, the pre-requisites provided in the detailed step-by-step guide available here: Automated Detection and Response for Azure Firewall with the New Logic App Connector and Playbooks.

Please watch the prerecorded demo below, which shows how to simulate a port scan and walks you through the automated detection and response process in our example scenario.

In this section, we will use an example scenario to walk you through the steps involved in configuring and testing one of the detections included in the Azure Firewall Solution and responding to it by automatically making the desired update to the Azure Firewall configuration, with one of the Playbooks also included in the solution.  As a learning aid, a prerecorded end-to-end demonstration of the scenario is also available at the end of this section.  The instructions preceding the demo video are to assist you in setting up and configuring your environment so you can follow along and perform testing based on the scenario outlined below.  We encourage you to follow the step-by-step process in this section to gain familiarity with key concepts and configuration requirements.

In the following Example Scenario, you will use the Port Scan rule provided in the solution to detect scanning activity and respond to it automatically using the AzureFirewall-BlockIP-addToIPGroup Playbook.  In this scenario, upon successful detection of a port scan, an incident will be created in Azure Sentinel.  The Playbook will be triggered by the Azure Sentinel Automation Rule which will allow you to add the IP address of the port scanner (source host) to an IP Group used in a deny network rule on Azure Firewall to block traffic from the port scanner.

Please see the screen capture below for a step-by-step process to modify the Port Scan detection rule and create an Automation rule in Azure Sentinel.

To see detailed results of a query run, click to select the query and click the View results button in the right pane.  This will open the Log Analytics workspace where you can modify the query to drill deeper into the logs.  The query logic can be modified and saved for future use.

In case of an attack from an external adversary or malicious activity in a trusted network, the traffic representing the anomaly must inevitably flow through the network, where it will be processed and logged by network devices such as Azure Firewall.  While real-time threat detection and prevention features such as IDPS can enable you to take action on the traffic patterns in question ahead of time, there will be scenarios which require a fine-grained evaluation before making decisions to block traffic.  This is where Azure Firewall detections and hunting queries in Azure Sentinel provide you with a method to detect threats and respond to them automatically.

After you have successfully deployed the Azure Firewall solution, please use the instructions below to enable and configure the different components of the solution.

Helps to identify an IOA when malicious communication is done for the first time from machines that never accessed the destination before.