# Azure Firewall integration with Microsoft Sentinel and Defender XDR

## Metadata

- **Channel:** Microsoft Azure
- **YouTube:** https://www.youtube.com/watch?v=N5xPKtvBKuI

## Content

### [0:00](https://www.youtube.com/watch?v=N5xPKtvBKuI) Segment 1 (00:00 - 04:00)

In this short walkthrough, I'll highlight how Azure Firewall integrates more deeply with Microsoft Sentinel and Defender XDR, bringing high-fidelity network signals directly into the security operations workflow, before we jump into a live demo. Azure Firewall is Microsoft's cloud-native network security service, designed to protect workloads at scale without the complexity of managing infrastructure. It provides stateful network- and application-layer inspection, built-in Microsoft threat intelligence, and automatic scaling to meet demand. Azure Firewall inspects both north-south traffic entering or leaving Azure and east-west traffic moving between workloads, ensuring consistent enforcement across your environment. It also supports real-world enterprise needs like inbound DNAT, outbound SNAT, and multi-availability-zone deployments with a 99.99% SLA. What's new is the deeper integration between Azure Firewall and Microsoft Sentinel and Defender XDR, making network security signals immediately actionable for SecOps teams. This includes new intrusion detection and prevention system (IDPS)-based detections and ASIM-based parsing for firewall logs. Within Microsoft Sentinel, Azure Firewall now appears as a first-class solution. You get built-in workbooks for visibility, automated playbooks to respond, such as blocking malicious IPs or notifying security teams, and analytics rules that continuously analyze traffic for suspicious behavior. With five new IDPS-based detections, rich network telemetry is transformed into alerts and incidents that fit naturally into existing SOC workflows. ASIM, the Advanced Security Information Model, normalizes firewall logs into a common schema. Without ASIM, every firewall vendor uses different field names, making detections harder to build and maintain. With ASIM, fields like source IP and destination port are consistent, so detections become reusable, vendor-agnostic, and easier to scale across environments.
With that context, let's jump into a quick demo to see these detections and workflows in action inside Microsoft Sentinel and Defender XDR. In this demo, we'll show how Azure Firewall, Microsoft Sentinel, and automation work together to detect and automatically stop malicious outbound activity. We start with an Azure virtual machine that initiates an attack against a web application on the internet. All internet-bound traffic from this VM is routed through Azure Firewall Premium with IDPS enabled in alert-and-deny mode. On the security operations side, Microsoft Sentinel is configured with a malware detection rule based on Azure Firewall IDPS logs. When the firewall detects high-severity malware activity, this tool automatically creates an incident in Sentinel. Attached to this detection rule is a response playbook. When the incident is created, the playbook is triggered and adds the source IP of the attacking VM to a malicious IP group. This IP group is referenced in our Azure Firewall deny rule, which blocks all outbound traffic from known malicious sources. Now let's execute the attack script on the virtual machine against our Juice Shop website. Here we go. If we switch to the Azure Firewall logs now, we can see IDPS detecting and denying the malicious traffic in real time. Moving to Microsoft Sentinel, we see the malware detection rule is enabled. The incident has been created, and the response playbook has executed successfully. If we now inspect the malicious IP group, we can see that the source IP 10.0.100.20 has been automatically added here. And because this IP group is used in a firewall deny rule, all outbound access from the attacker VM is now blocked without any manual intervention. Next, let's look at how ASIM parsers simplify investigation. Azure Firewall now supports ASIM-based normalization, which allows analysts to query firewall data using a consistent, vendor-agnostic schema.
There are three primary ASIM parsers for Azure Firewall: Network Session for network traffic, Web Session for HTTP and HTTPS traffic, and DNS for DNS activity. Using these parsers, analysts can quickly isolate Azure Firewall traffic, write reusable queries, and correlate firewall signals with other security data without worrying about vendor-specific field names. So in conclusion, this demo shows how Azure Firewall network signals flow directly into Microsoft Sentinel, where they drive high-fidelity detections and automated response. With IDPS-based detections, SOAR automation, and ASIM-normalized logs, security teams can detect threats faster, respond automatically, and investigate at scale, turning network telemetry into actionable XDR outcomes.
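The chain the demo walks through (vendor log records, ASIM normalization, a vendor-agnostic high-severity malware rule, and a playbook that adds the offending source IP to a malicious IP group), as an added Python illustration. This is not code from the video, from Azure Firewall, or from Microsoft Sentinel's parsers. The ASIM column names it emits (SrcIpAddr, DstIpAddr, DstPortNumber, NetworkProtocol, DvcAction, EventSeverity, EventVendor, EventProduct, EventMessage) are standard ASIM NetworkSession fields; the two vendor input formats, the severity and action mappings, and every log record are constructed for this example and are not Azure Firewall's real log schema. It goes slightly beyond the demo by feeding a second, differently named firewall format through the same rule to show why normalization makes the detection reusable.

```python
"""ASIM-style normalization, a vendor-agnostic detection, and an IP-group playbook.

Added example, not code from the video or from Microsoft Sentinel. Input field
names, severity/action mappings and all records below are constructed.
"""
from collections import defaultdict

# Constructed sample records. The first set uses Azure Firewall IDPS-like names
# (illustrative, not the real table schema); the second uses another vendor's.
AZURE_FIREWALL_RECORDS = [
    {"SourceIp": "10.0.100.20", "DestinationIp": "203.0.113.10", "DestinationPort": 80,
     "Protocol": "TCP", "Action": "Deny", "Severity": 1,
     "Description": "Malware command and control"},
    {"SourceIp": "10.0.100.20", "DestinationIp": "203.0.113.10", "DestinationPort": 80,
     "Protocol": "TCP", "Action": "Deny", "Severity": 1,
     "Description": "Malware command and control"},
    {"SourceIp": "10.0.100.21", "DestinationIp": "198.51.100.5", "DestinationPort": 443,
     "Protocol": "TCP", "Action": "Alert", "Severity": 3,
     "Description": "Policy violation"},
]
OTHER_VENDOR_RECORDS = [
    {"src": "10.0.100.30", "dst": "192.0.2.7", "dport": 22, "proto": "TCP",
     "action": "drop", "sev": "high", "msg": "Malware download attempt"},
    {"src": "10.0.100.31", "dst": "192.0.2.8", "dport": 53, "proto": "UDP",
     "action": "allow", "sev": "low", "msg": "DNS query"},
]

# Assumed mappings into the ASIM vocabularies (EventSeverity: Informational/
# Low/Medium/High; DvcAction: Allow/Deny/Drop/...). "Alert" in IDPS alert mode
# means the traffic was logged but allowed through.
AZFW_SEVERITY = {1: "High", 2: "Medium", 3: "Low"}
VENDOR_SEVERITY = {"high": "High", "medium": "Medium", "low": "Low"}
ASIM_ACTION = {"deny": "Deny", "drop": "Drop", "alert": "Allow", "allow": "Allow"}


def normalize_azure_firewall(rec):
    """Map the constructed Azure-Firewall-like record onto ASIM NetworkSession names."""
    return {
        "EventVendor": "Microsoft", "EventProduct": "Azure Firewall",
        "SrcIpAddr": rec["SourceIp"], "DstIpAddr": rec["DestinationIp"],
        "DstPortNumber": rec["DestinationPort"], "NetworkProtocol": rec["Protocol"],
        "DvcAction": ASIM_ACTION[rec["Action"].lower()],
        "EventSeverity": AZFW_SEVERITY[rec["Severity"]],
        "EventMessage": rec["Description"],
    }


def normalize_other_vendor(rec):
    """Map the constructed second-vendor record onto the same ASIM names."""
    return {
        "EventVendor": "ExampleVendor", "EventProduct": "ExampleFirewall",
        "SrcIpAddr": rec["src"], "DstIpAddr": rec["dst"],
        "DstPortNumber": rec["dport"], "NetworkProtocol": rec["proto"],
        "DvcAction": ASIM_ACTION[rec["action"].lower()],
        "EventSeverity": VENDOR_SEVERITY[rec["sev"].lower()],
        "EventMessage": rec["msg"],
    }


def im_network_session(azfw_records, vendor_records):
    """Stand-in for a unifying ASIM parser: one normalized stream from both sources."""
    return ([normalize_azure_firewall(r) for r in azfw_records]
            + [normalize_other_vendor(r) for r in vendor_records])


def detect_high_severity_malware(events, threshold=1):
    """Vendor-agnostic analytics rule: High-severity events whose message mentions
    malware, grouped by source IP; one incident per source IP at or above threshold."""
    hits = defaultdict(list)
    for ev in events:
        if ev["EventSeverity"] == "High" and "malware" in ev["EventMessage"].lower():
            hits[ev["SrcIpAddr"]].append(ev)
    return [
        {"SrcIpAddr": ip, "Count": len(evs),
         "Products": sorted({e["EventProduct"] for e in evs}),
         "Denied": all(e["DvcAction"] in ("Deny", "Drop") for e in evs)}
        for ip, evs in sorted(hits.items()) if len(evs) >= threshold
    ]


def playbook_add_to_ip_group(ip_group, incidents):
    """Playbook stand-in: add each incident's source IP to the malicious IP group.
    The group is a set, so re-running on the same incident is idempotent.
    Returns the IPs that were newly added."""
    added = []
    for inc in incidents:
        if inc["SrcIpAddr"] not in ip_group:
            ip_group.add(inc["SrcIpAddr"])
            added.append(inc["SrcIpAddr"])
    return added


def run_pipeline():
    """Normalize, detect, respond; returns every intermediate result for inspection."""
    events = im_network_session(AZURE_FIREWALL_RECORDS, OTHER_VENDOR_RECORDS)
    incidents = detect_high_severity_malware(events)
    ip_group = set()
    added = playbook_add_to_ip_group(ip_group, incidents)
    return events, incidents, ip_group, added


if __name__ == "__main__":
    _, incidents, ip_group, _ = run_pipeline()
    for inc in incidents:
        print("incident:", inc)
    print("malicious IP group:", sorted(ip_group))
```

The point to notice is that `detect_high_severity_malware` never touches a vendor field name: the same rule fires on 10.0.100.20 from the Azure-Firewall-like records and on 10.0.100.30 from the other vendor's, and the playbook is safe to re-run because the IP group is a set. In a real deployment the IP group update would be an Azure Logic Apps action against the firewall's IP group resource rather than an in-memory set.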

---
*Source: https://ekstraktznaniy.ru/video/44728*