Azure Firewall¶
About¶
Azure Firewall is a managed, cloud-based network security service that protects your Azure Virtual Network resources. The stateful firewall service has built-in high availability and unrestricted cloud scalability to help you create, enforce, and log application and network connectivity policies across subscriptions and virtual networks.
Product Details¶
Vendor URL: Microsoft Azure Firewall
Product Type: SAAS
Product Tier: Tier III
Integration Method: Custom
Integration URL: Azure - Cyderes Documentation
Log Guide: Azure Monitor Reference
Parser Details¶
Log Format: JSON
Expected Normalization Rate: Above 90%
Data Label: AZURE_FIREWALL
UDM Fields (list of all UDM fields leveraged in the Parser):
| Log File Field | UDM Field |
|---|---|
| AZUREFIREWALLS | observer.hostname |
| Action | security_result.action |
| ActionReason | security_result.action_details |
| Category | metadata.product_event_type |
| DestinationIp | target.ip |
| DestinationPort | target.port |
| PROVIDERS | observer.cloud.environment |
| Policy | security_result.ruleset_category_display_name |
| Protocol | network.ip_protocol, network.application_protocol |
| RESOURCEGROUPS | observer.group.group_display_name |
| Rule | security_result.rule_name |
| RuleCollection | security_result.rule_set |
| RuleCollectionGroup | security_result.rule_set_display_name |
| SUBSCRIPTIONS | observer.resource.product_object_id |
| Source Ip | principal.ip |
| Source Port | principal.port |
| Time | metadata.event_timestamp |
Product Event Types¶
| Event | UDM Event Classification |
|---|---|
| hard-coded: default | GENERIC_EVENT |
| AZFWApplicationRule | NETWORK_CONNECTION, NETWORK_UNCATEGORIZED |
| AZFWDnsQuery | NETWORK_CONNECTION, NETWORK_UNCATEGORIZED |
| AZFWNetworkRule | NETWORK_CONNECTION, NETWORK_UNCATEGORIZED |
| AZUREFIREWALLApplicationRule | NETWORK_CONNECTION, NETWORK_UNCATEGORIZED |
| AZUREFIREWALLDnsProxy | NETWORK_CONNECTION, NETWORK_UNCATEGORIZED |
| AZUREFIREWALLNetworkRule | NETWORK_CONNECTION, NETWORK_UNCATEGORIZED |
Log Sample¶
{"category":"AZFWNetworkRule","properties":{"Action":"Allow","ActionReason":"","DestinationIp":"xxx.xxx.xxx.xxx","DestinationPort":xxx,"Policy":"sample-firewall-policy","Protocol":"TCP","Rule":"Sample-Rule-Name","RuleCollection":"Sample-RuleCollection","RuleCollectionGroup":"Sample-CollectionGroup","SourceIp":"xxx.xxx.xxx.xxx","SourcePort":xxx},"resourceId":"/SUBSCRIPTIONS/Sample-Subscription-Id/RESOURCEGROUPS/Sample-Group/PROVIDERS/MICROSOFT.NETWORK/AZUREFIREWALLS/Firewall-Hostname","time":"2024-06-20T18:45:19.209353+00:00"}
Sample Parsing¶
metadata.event_type = "NETWORK_CONNECTION"
metadata.product_event_type = "AZFWNetworkRule"
network.ip_protocol = "TCP"
observer.cloud.availability_zone = "MICROSOFT.NETWORK"
observer.cloud.environment = "MICROSOFT_AZURE"
observer.group.group_display_name = "Sample-Group"
observer.hostname = "Firewall-Hostname"
observer.resource.product_object_id = "Sample-Subscription-Id"
observer.resource.resource_subtype = "Subscription ID"
observer.resource.resource_type = "CLOUD_ORGANIZATION"
principal.ip = "xxx.xxx.xxx.xxx"
principal.port = xxx
security_result.action = "ALLOW"
security_result.rule_name = "Sample-Rule-Name"
security_result.rule_set = "Sample-RuleCollection"
security_result.rule_set_display_name = "Sample-CollectionGroup"
security_result.ruleset_category_display_name = "Sample-Firewall-Policy"
target.ip = "xx.xxx.xxx.xxx"
target.port = xxx
Rules¶
Coming Soon