article Cloud NGFW for Azure and Sentinel Integration in Cloud NGFW for Azure Articles https://live.paloaltonetworks.com/t5/cloud-ngfw-for-azure-articles/cloud-ngfw-for-azure-and-sentinel-integration/ta-p/1221654 <DIV class="lia-message-template-content-zone"> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Title_CNGFW Azure and Sentinel Integration_palo-alto-networks.jpg" style="width: 960px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/66170i96BAEDD72B3CB0D1/image-size/large?v=v2&amp;px=999" role="button" title="Title_CNGFW Azure and Sentinel Integration_palo-alto-networks.jpg" alt="Title_CNGFW Azure and Sentinel Integration_palo-alto-networks.jpg" /></span></P> <P>&nbsp;</P> <H2><FONT color="#FF6600"><STRONG>Background</STRONG></FONT></H2> <P>&nbsp;</P> <H3><STRONG>Cloud NGFW for Azure</STRONG></H3> <P><SPAN>Cloud NGFW for Azure by Palo Alto Networks is a Native ISV service that enables advanced protection for applications and workloads running in Azure. It offers application-level control, intrusion prevention, URL filtering, and more. Cloud NGFW can identify and control network traffic based on applications, users, content, and other deep packet inspection methods helping secure inbound, outbound, and lateral traffic flows. It is built to provide first-party experience in Microsoft Azure by natively integrating into Azure Portal leveraging Entra ID and Azure Resource Manager. Cloud NGFW resources and its attributes can be accessed using Azure APIs including AzureRM Terraform provider, Azure CLI, and PowerShell.&nbsp;</SPAN></P> <P>&nbsp;</P> <P><SPAN><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Fig 1_CNGFW Azure and Sentinel Integration_palo-alto-networks.jpg" style="width: 999px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/66157i10A39DB0E3A409F0/image-size/large?v=v2&amp;px=999" role="button" title="Fig 1_CNGFW Azure and Sentinel Integration_palo-alto-networks.jpg" alt="Fig 1_CNGFW Azure and Sentinel Integration_palo-alto-networks.jpg" /></span></SPAN></P> <P>&nbsp;</P> <P><SPAN>For logging and monitoring, Cloud NGFW supports forwarding the firewall logs to Log Analytics Workspace. This enables operators to store TRAFFIC, THREAT, and DECRYPTION logs and leverage them within Azure and external systems. Logs can be exported to </SPAN><STRONG>Azure Storage</STRONG><SPAN> for backup or to keep longer-term data that doesn’t need to be in Log Analytics. Logs can also be exported to third-party Security Information and Event Management (SIEM) tools for further analysis if you are using a solution outside of Azure.</SPAN></P> <P>&nbsp;</P> <H3><STRONG>Sentinel</STRONG></H3> <P><SPAN>Azure offers its own cloud-native SIEM</SPAN><STRONG> Sentinel</STRONG><SPAN> which takes full advantage of cloud scalability, flexibility, and integration with other Microsoft and third-party services.</SPAN></P> <P>&nbsp;</P> <P><SPAN>Sentinel can ingest data from various network security devices such as firewalls, IDS/IPS systems, VPN logs, and proxy servers. It analyzes traffic patterns and network activities to detect suspicious behaviors (e.g., unusual inbound/outbound traffic, and malware communication attempts).</SPAN></P> <P>&nbsp;</P> <P><SPAN><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Fig 2_CNGFW Azure and Sentinel Integration_palo-alto-networks.jpg" style="width: 999px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/66158iF66BD178DAEB4820/image-size/large?v=v2&amp;px=999" role="button" title="Fig 2_CNGFW Azure and Sentinel Integration_palo-alto-networks.jpg" alt="Fig 2_CNGFW Azure and Sentinel Integration_palo-alto-networks.jpg" /></span></SPAN></P> <P>&nbsp;</P> <P><SPAN>Sentinel uses built-in analytics to detect threats like brute-force attacks, port scans, DDoS attempts, and network anomalies. It combines this with intelligence from both Microsoft and third-party threat feeds to improve detection capabilities.</SPAN></P> <P>&nbsp;</P> <H2><STRONG><FONT color="#FF6600">Cloud NGFW Integration with Sentinel</FONT></STRONG></H2> <P>&nbsp;</P> <P><SPAN>Cloud NGFW for Azure integration is included in </SPAN><A href="https://github.com/Azure/Azure-Sentinel/tree/master/Solutions" target="_blank"><SPAN>Sentinel Solutions</SPAN></A><SPAN> allowing operators to map the Log Analytics Workspace containing the firewall logs and ingest them into Sentinel.&nbsp;</SPAN></P> <P>&nbsp;</P> <H3><STRONG>Who is it for?</STRONG></H3> <P><SPAN>Customers who are looking to use Sentinel for incident management and response and have deployed Cloud NGFW to secure applications and workloads deployed within Microsoft Azure environments.</SPAN></P> <P>&nbsp;</P> <H3><STRONG>What are the benefits of this solution?</STRONG></H3> <P><SPAN>The solution offers native ingestion of Cloud NGFW firewall logs into Sentinel and enables operators to easily use and build workbooks, hunting queries, and analytics rules to improve incident investigation and proactive threat hunting.</SPAN></P> <P>&nbsp;</P> <H3><STRONG>How to get it?</STRONG></H3> <P><SPAN>The solution can be found in the </SPAN><A href="https://azuremarketplace.microsoft.com/en-us/marketplace/apps/paloaltonetworks.cloudngfw-sentinel-solution?tab=overview" target="_blank"><SPAN>Azure Marketplace</SPAN></A><SPAN> and includes the following:</SPAN></P> <P>&nbsp;</P> <P><SPAN><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Fig 3_CNGFW Azure and Sentinel Integration_palo-alto-networks.jpg" style="width: 999px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/66159i4468C605A486296A/image-size/large?v=v2&amp;px=999" role="button" title="Fig 3_CNGFW Azure and Sentinel Integration_palo-alto-networks.jpg" alt="Fig 3_CNGFW Azure and Sentinel Integration_palo-alto-networks.jpg" /></span></SPAN></P> <P>&nbsp;</P> <H3><STRONG>What does it include?</STRONG></H3> <UL> <LI style="font-weight: 400;" aria-level="1"><SPAN>3 Analytic Rules for surfacing threats that are detected by CloudNGFW</SPAN></LI> <LI style="font-weight: 400;" aria-level="1"><SPAN>2 Hunting Queries for identifying potential security issues that may not be classified as direct threats</SPAN></LI> <LI style="font-weight: 400;" aria-level="1"><SPAN>And 2 Workbooks for visualizing the data that is processed by Cloud NGFW</SPAN></LI> </UL> <P>&nbsp;</P> <H3><STRONG>Workbooks</STRONG></H3> <P><SPAN>The </SPAN><STRONG>Overview</STRONG><SPAN> workbook helps gain insights and comprehensive monitoring into Azure Cloud NGFW by Palo Alto Networks by analyzing traffic and activities. This workbook correlates all Palo Alto data with threat events to identify suspicious entities and relationships. You can learn about trends across user and data traffic, drill down into threat logs, and filter results.</SPAN></P> <P>&nbsp;</P> <P><SPAN>Vulnerability events over time:</SPAN></P> <P><SPAN><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Fig 4_CNGFW Azure and Sentinel Integration_palo-alto-networks.jpg" style="width: 999px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/66160i3F1FC9BF143B5DEA/image-size/large?v=v2&amp;px=999" role="button" title="Fig 4_CNGFW Azure and Sentinel Integration_palo-alto-networks.jpg" alt="Fig 4_CNGFW Azure and Sentinel Integration_palo-alto-networks.jpg" /></span></SPAN></P> <P>&nbsp;</P> <P><SPAN>Traffic events and actions:</SPAN></P> <P><SPAN><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Fig 5_CNGFW Azure and Sentinel Integration_palo-alto-networks.jpg" style="width: 999px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/66161i1F2C62D5CDA34F67/image-size/large?v=v2&amp;px=999" role="button" title="Fig 5_CNGFW Azure and Sentinel Integration_palo-alto-networks.jpg" alt="Fig 5_CNGFW Azure and Sentinel Integration_palo-alto-networks.jpg" /></span></SPAN></P> <P>&nbsp;</P> <P><SPAN>URL Filtering summaries:</SPAN></P> <P><SPAN><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Fig 6_CNGFW Azure and Sentinel Integration_palo-alto-networks.jpg" style="width: 999px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/66162i48F2600A4D00328D/image-size/large?v=v2&amp;px=999" role="button" title="Fig 6_CNGFW Azure and Sentinel Integration_palo-alto-networks.jpg" alt="Fig 6_CNGFW Azure and Sentinel Integration_palo-alto-networks.jpg" /></span></SPAN></P> <P>&nbsp;</P> <P><STRONG>Network Threats </STRONG><SPAN>Workbook includes multiple dashboards analyzing threat events. It correlates data between threats, applications, and time. It allows for easy tracking of malware, vulnerability, and virus activity detected and recorded by Cloud NGFW.</SPAN></P> <P>&nbsp;</P> <P><SPAN>Network threats by type and severity:</SPAN></P> <P><SPAN><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Fig 7_CNGFW Azure and Sentinel Integration_palo-alto-networks.jpg" style="width: 999px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/66163i36F440F9936F00CF/image-size/large?v=v2&amp;px=999" role="button" title="Fig 7_CNGFW Azure and Sentinel Integration_palo-alto-networks.jpg" alt="Fig 7_CNGFW Azure and Sentinel Integration_palo-alto-networks.jpg" /></span><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Fig 8_CNGFW Azure and Sentinel Integration_palo-alto-networks.jpg" style="width: 999px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/66164i4A505BF856B23083/image-size/large?v=v2&amp;px=999" role="button" title="Fig 8_CNGFW Azure and Sentinel Integration_palo-alto-networks.jpg" alt="Fig 8_CNGFW Azure and Sentinel Integration_palo-alto-networks.jpg" /></span></SPAN></P> <P>&nbsp;</P> <P><SPAN>Vulnerability events:</SPAN></P> <P><SPAN><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Fig 9_CNGFW Azure and Sentinel Integration_palo-alto-networks.jpg" style="width: 872px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/66165iFFEE3C550279C88B/image-size/large?v=v2&amp;px=999" role="button" title="Fig 9_CNGFW Azure and Sentinel Integration_palo-alto-networks.jpg" alt="Fig 9_CNGFW Azure and Sentinel Integration_palo-alto-networks.jpg" /></span></SPAN></P> <P>&nbsp;</P> <P><SPAN>Threat events:</SPAN></P> <P><SPAN><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Fig 10_CNGFW Azure and Sentinel Integration_palo-alto-networks.jpg" style="width: 999px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/66166i77F9A4C5A079B4E2/image-size/large?v=v2&amp;px=999" role="button" title="Fig 10_CNGFW Azure and Sentinel Integration_palo-alto-networks.jpg" alt="Fig 10_CNGFW Azure and Sentinel Integration_palo-alto-networks.jpg" /></span></SPAN></P> <P>&nbsp;</P> <H3><STRONG>Analytics Rules</STRONG></H3> <P><SPAN>The offer includes the following analytics rules.</SPAN></P> <P><SPAN><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Fig 11_CNGFW Azure and Sentinel Integration_palo-alto-networks.jpg" style="width: 999px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/66167iC9E927D280E2EE6A/image-size/large?v=v2&amp;px=999" role="button" title="Fig 11_CNGFW Azure and Sentinel Integration_palo-alto-networks.jpg" alt="Fig 11_CNGFW Azure and Sentinel Integration_palo-alto-networks.jpg" /></span></SPAN></P> <P>&nbsp;</P> <H3><STRONG>Possible internal to external port scanning</STRONG></H3> <P><SPAN>Identifies a list of internal Source IPs (10.x.x.x Hosts) that have triggered 10 or more non-graceful TCP server resets from one or more Destination IPs which results in an "app = incomplete" designation. The server resets coupled with an "Incomplete" app designation can be an indication of internal to external port scanning or probing attack. Once the rule threshold is met an incident will be created automatically.</SPAN></P> <P>&nbsp;</P> <P><SPAN><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Fig 12_CNGFW Azure and Sentinel Integration_palo-alto-networks.jpg" style="width: 999px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/66168iE97C962169C23EC0/image-size/large?v=v2&amp;px=999" role="button" title="Fig 12_CNGFW Azure and Sentinel Integration_palo-alto-networks.jpg" alt="Fig 12_CNGFW Azure and Sentinel Integration_palo-alto-networks.jpg" /></span></SPAN></P> <P>&nbsp;</P> <P><SPAN>Users may also configure an automated response triggered by the alert.</SPAN></P> <P>&nbsp;</P> <P><STRONG>Potential beaconing</STRONG></P> <P><SPAN>Identifies beaconing patterns from Palo Alto Network traffic logs based on recurrent timedelta patterns.</SPAN></P> <P>&nbsp;</P> <P><SPAN>The query leverages various KQL functions to calculate time deltas and then compares it with total events observed in a day to find percentage of beaconing.</SPAN></P> <P>&nbsp;</P> <P><SPAN>This outbound beaconing pattern to untrusted public networks should be investigated for any malware callbacks or data exfiltration attempts.</SPAN></P> <P>&nbsp;</P> <P><STRONG>Reference Blog:</STRONG></P> <P><SPAN><A href="http://www.austintaylor.io/detect/beaconing/intrusion/detection/system/command/control/flare/elastic/stack/2017/06/10/detect-beaconing-with-flare-elasticsearch-and-intrusion-detection-systems/" target="_blank">http://www.austintaylor.io/detect/beaconing/intrusion/detection/system/command/control/flare/elastic/stack/2017/06/10/detect-beaconing-with-flare-elasticsearch-and-intrusion-detection-systems/</A></SPAN></P> <P><SPAN><A href="https://techcommunity.microsoft.com/t5/microsoft-sentinel-blog/detect-network-beaconing-via-intra-request-time-delta-patterns/ba-p/779586" target="_blank">https://techcommunity.microsoft.com/t5/microsoft-sentinel-blog/detect-network-beaconing-via-intra-request-time-delta-patterns/ba-p/779586</A></SPAN></P> <P>&nbsp;</P> <P><STRONG>Threats from unusual IPs</STRONG></P> <P><SPAN>Identifies Palo Alto Threat signatures from unusual IP addresses which are not historically seen.&nbsp;</SPAN></P> <P>&nbsp;</P> <P><SPAN>This detection is also leveraged and required for MDE and PAN Fusion scenario</SPAN></P> <P><SPAN><A href="https://docs.microsoft.com/Azure/sentinel/fusion-scenario-reference#network-request-to-tor-anonymization-service-followed-by-anomalous-traffic-flagged-by-palo-alto-networks-firewall" target="_blank">https://docs.microsoft.com/Azure/sentinel/fusion-scenario-reference#network-request-to-tor-anonymization-service-followed-by-anomalous-traffic-flagged-by-palo-alto-networks-firewall</A></SPAN></P> <P>&nbsp;</P> <H3><STRONG>Hunting Queries</STRONG></H3> <P><STRONG>High-risk ports</STRONG></P> <P><SPAN>Identifies network connections whose ports are frequent targets of attacks and should not cross network boundaries or reach untrusted public networks.</SPAN></P> <P><SPAN>Consider updating the firewall policies to block the connections.</SPAN></P> <P>&nbsp;</P> <P><STRONG>Potential beaconing</STRONG></P> <P><SPAN>Identifies beaconing patterns from PAN traffic logs based on recurrent timedelta patterns.</SPAN></P> <P><SPAN>Reference Blog:</SPAN><SPAN><A href="https://techcommunity.microsoft.com/t5/microsoft-sentinel-blog/detect-network-beaconing-via-intra-request-time-delta-patterns/ba-p/779586" target="_blank">https://techcommunity.microsoft.com/t5/microsoft-sentinel-blog/detect-network-beaconing-via-intra-request-time-delta-patterns/ba-p/779586</A></SPAN></P> <P>&nbsp;</P> <P><SPAN><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Fig 13_CNGFW Azure and Sentinel Integration_palo-alto-networks.jpg" style="width: 999px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/66169i3668D1E40B6B05DC/image-size/large?v=v2&amp;px=999" role="button" title="Fig 13_CNGFW Azure and Sentinel Integration_palo-alto-networks.jpg" alt="Fig 13_CNGFW Azure and Sentinel Integration_palo-alto-networks.jpg" /></span></SPAN></P> </DIV> Mon, 24 Feb 2025 17:31:31 GMT abudilovskiy 2025-02-24T17:31:31Z Cloud NGFW for Azure and Sentinel Integration https://live.paloaltonetworks.com/t5/cloud-ngfw-for-azure-articles/cloud-ngfw-for-azure-and-sentinel-integration/ta-p/1221654 <P><SPAN>Cloud NGFW for Azure by Palo Alto Networks is a Native ISV service that enables advanced protection for applications and workloads running in Azure. It offers application-level control, intrusion prevention, URL filtering, and more. </SPAN></P> <P>&nbsp;</P> <P><SPAN><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Title_CNGFW Azure and Sentinel Integration_palo-alto-networks.jpg" style="width: 960px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/66172i52DA2D60743378E3/image-size/large?v=v2&amp;px=999" role="button" title="Title_CNGFW Azure and Sentinel Integration_palo-alto-networks.jpg" alt="Title_CNGFW Azure and Sentinel Integration_palo-alto-networks.jpg" /></span></SPAN></P> Mon, 24 Feb 2025 17:31:31 GMT https://live.paloaltonetworks.com/t5/cloud-ngfw-for-azure-articles/cloud-ngfw-for-azure-and-sentinel-integration/ta-p/1221654 abudilovskiy 2025-02-24T17:31:31Z Re: Cloud NGFW for Azure and Sentinel Integration https://live.paloaltonetworks.com/t5/cloud-ngfw-for-azure-articles/cloud-ngfw-for-azure-and-sentinel-integration/tac-p/1243382#M26 <P>Is this sloution applicable when the Cloud NGFW is managed by SCM?&nbsp;</P> Mon, 08 Dec 2025 23:54:12 GMT https://live.paloaltonetworks.com/t5/cloud-ngfw-for-azure-articles/cloud-ngfw-for-azure-and-sentinel-integration/tac-p/1243382#M26 A.Hwang 2025-12-08T23:54:12Z