Cloud NGFW for Azure by Palo Alto Networks is a native ISV service that enables advanced protection for applications and workloads running in Azure. It offers application-level control, intrusion prevention, URL filtering, and more. Cloud NGFW can identify and control network traffic based on applications, users, content, and other deep packet inspection methods, helping secure inbound, outbound, and lateral traffic flows. It is built to provide a first-party experience in Microsoft Azure by natively integrating into the Azure Portal and leveraging Entra ID and Azure Resource Manager. Cloud NGFW resources and their attributes can be accessed using Azure APIs, including the AzureRM Terraform provider, Azure CLI, and PowerShell.
For logging and monitoring, Cloud NGFW supports forwarding the firewall logs to Log Analytics Workspace. This enables operators to store TRAFFIC, THREAT, and DECRYPTION logs and leverage them within Azure and external systems. Logs can be exported to Azure Storage for backup or to keep longer-term data that doesn’t need to be in Log Analytics. Logs can also be exported to third-party Security Information and Event Management (SIEM) tools for further analysis if you are using a solution outside of Azure.
Azure offers its own cloud-native SIEM, Microsoft Sentinel, which takes full advantage of cloud scalability, flexibility, and integration with other Microsoft and third-party services.
Sentinel can ingest data from various network security devices such as firewalls, IDS/IPS systems, VPN logs, and proxy servers. It analyzes traffic patterns and network activities to detect suspicious behaviors (e.g., unusual inbound/outbound traffic, and malware communication attempts).
Sentinel uses built-in analytics to detect threats like brute-force attacks, port scans, DDoS attempts, and network anomalies. It combines this with intelligence from both Microsoft and third-party threat feeds to improve detection capabilities.
Cloud NGFW for Azure integration is included in Sentinel Solutions allowing operators to map the Log Analytics Workspace containing the firewall logs and ingest them into Sentinel.
The solution is intended for customers who are looking to use Sentinel for incident management and response and have deployed Cloud NGFW to secure applications and workloads within Microsoft Azure environments.
The solution offers native ingestion of Cloud NGFW firewall logs into Sentinel and enables operators to easily use and build workbooks, hunting queries, and analytics rules to improve incident investigation and proactive threat hunting.
The solution can be found in the Azure Marketplace and includes the following:
The Overview workbook helps you gain insights into, and comprehensive monitoring of, Azure Cloud NGFW by Palo Alto Networks by analyzing traffic and activities. This workbook correlates all Palo Alto data with threat events to identify suspicious entities and relationships. You can learn about trends across user and data traffic, drill down into threat logs, and filter results.
Vulnerability events over time:
Traffic events and actions:
URL Filtering summaries:
Network Threats Workbook includes multiple dashboards analyzing threat events. It correlates data between threats, applications, and time. It allows for easy tracking of malware, vulnerability, and virus activity detected and recorded by Cloud NGFW.
Network threats by type and severity:
Vulnerability events:
Threat events:
The offer includes the following analytics rules.
Identifies a list of internal Source IPs (10.x.x.x hosts) that have triggered 10 or more non-graceful TCP server resets from one or more Destination IPs, resulting in an "app = incomplete" designation. Server resets coupled with an "incomplete" app designation can be an indication of internal-to-external port scanning or probing. Once the rule threshold is met, an incident is created automatically.
Users may also configure an automated response triggered by the alert.
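The threshold logic described above, as an added example over constructed TRAFFIC records (this is not the Sentinel rule's KQL, and the field names src, dst, app and session_end_reason are assumptions, not the Cloud NGFW log schema):

```python
import ipaddress
from collections import defaultdict

# Constructed sample TRAFFIC records (not real Cloud NGFW output); the field
# names src, dst, app and session_end_reason are assumptions for this example.
SAMPLE_TRAFFIC = (
    # one internal host hits 12 different destinations and gets a server RST
    # on an unclassified ("incomplete") session each time
    [{"src": "10.1.2.3", "dst": f"203.0.113.{i}", "app": "incomplete",
      "session_end_reason": "tcp-rst-from-server"} for i in range(1, 13)]
    # the same host also has ordinary, gracefully closed traffic
    + [{"src": "10.1.2.3", "dst": "203.0.113.50", "app": "web-browsing",
        "session_end_reason": "tcp-fin"}]
    # a second internal host stays below the threshold
    + [{"src": "10.9.9.9", "dst": "203.0.113.7", "app": "incomplete",
        "session_end_reason": "tcp-rst-from-server"}] * 3
    # a non-10.x.x.x source is outside the rule's scope
    + [{"src": "192.168.5.5", "dst": "203.0.113.8", "app": "incomplete",
        "session_end_reason": "tcp-rst-from-server"}] * 20
)

INTERNAL_NET = ipaddress.ip_network("10.0.0.0/8")
RESET_THRESHOLD = 10

def is_internal(ip: str) -> bool:
    """True for 10.x.x.x hosts, the scope used by the rule description."""
    try:
        return ipaddress.ip_address(ip) in INTERNAL_NET
    except ValueError:
        return False

def is_nongraceful_server_reset(rec: dict) -> bool:
    """A server-side RST on a session the firewall could not classify."""
    return (rec["session_end_reason"] == "tcp-rst-from-server"
            and rec["app"] == "incomplete")

def find_probing_sources(records, threshold=RESET_THRESHOLD):
    """Return {source_ip: {"resets": n, "destinations": k}} for every internal
    source whose non-graceful server resets reach the threshold."""
    resets = defaultdict(int)
    dsts = defaultdict(set)
    for rec in records:
        if is_internal(rec["src"]) and is_nongraceful_server_reset(rec):
            resets[rec["src"]] += 1
            dsts[rec["src"]].add(rec["dst"])
    return {src: {"resets": n, "destinations": len(dsts[src])}
            for src, n in resets.items() if n >= threshold}

if __name__ == "__main__":
    for src, info in find_probing_sources(SAMPLE_TRAFFIC).items():
        print(f"incident: {src} caused {info['resets']} server resets "
              f"across {info['destinations']} destinations")
```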
Potential beaconing
Identifies beaconing patterns from Palo Alto Network traffic logs based on recurrent timedelta patterns.
The query uses several KQL functions to calculate the time deltas between events and then compares them with the total events observed in a day to derive a beaconing percentage.
Outbound beaconing to untrusted public networks should be investigated for malware callbacks or data exfiltration attempts.
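The time-delta approach described above, as an added example in Python rather than KQL, run over constructed traffic rows (not real firewall logs); the time, src and dst field names, the RFC 1918 definition of "trusted", and the thresholds are assumptions for this example:

```python
import ipaddress
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed TRAFFIC rows (not real Cloud NGFW output); field names are assumptions.
BASE = datetime(2024, 1, 1, 0, 0, 0)
SAMPLE_TRAFFIC = (
    # 10.0.0.5 contacts a public host every 60 s, 24 times: a fixed cadence
    [{"time": BASE + timedelta(seconds=60 * i), "src": "10.0.0.5",
      "dst": "198.51.100.9"} for i in range(24)]
    # 10.0.0.6 reaches the same host at irregular intervals (ordinary browsing)
    + [{"time": BASE + timedelta(seconds=s), "src": "10.0.0.6",
        "dst": "198.51.100.9"} for s in (3, 40, 41, 300, 1800, 1807, 4000, 9000)]
    # 10.0.0.5 also polls an internal host on a timer; not an outbound pattern
    + [{"time": BASE + timedelta(seconds=30 * i), "src": "10.0.0.5",
        "dst": "10.0.0.20"} for i in range(10)]
)

# Assumption: RFC 1918 space is trusted, anything else is "untrusted public".
TRUSTED_NETS = [ipaddress.ip_network(n)
                for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def is_untrusted_public(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in TRUSTED_NETS)

def beacon_score(records, *, min_events=10, min_pct=50.0):
    """Per (src, dst) pair: the most common whole-second delta between
    consecutive events and the share of the pair's events that fall on it.
    Pairs to an untrusted public destination whose share reaches min_pct
    are returned as beaconing candidates."""
    by_pair = defaultdict(list)
    for rec in records:
        by_pair[(rec["src"], rec["dst"])].append(rec["time"])
    flagged = {}
    for (src, dst), times in by_pair.items():
        if len(times) < min_events or not is_untrusted_public(dst):
            continue
        times.sort()
        deltas = Counter(int((b - a).total_seconds())
                         for a, b in zip(times, times[1:]))
        delta, hits = deltas.most_common(1)[0]
        pct = 100.0 * hits / len(times)   # beaconing share of the day's events
        if pct >= min_pct:
            flagged[(src, dst)] = {"delta_s": delta, "beacon_pct": round(pct, 1)}
    return flagged
```

Lowering min_events or min_pct widens the net at the cost of more false positives from legitimate pollers such as update checks.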
Reference Blog: https://techcommunity.microsoft.com/t5/microsoft-sentinel-blog/detect-network-beaconing-via-intra-re...
Threats from unusual IPs
Identifies Palo Alto Threat signatures from unusual IP addresses which have not historically been seen.
This detection is also leveraged by, and required for, the MDE and PAN Fusion scenario.
High-risk ports
Identifies network connections whose ports are frequent targets of attacks and should not cross network boundaries or reach untrusted public networks.
Consider updating the firewall policies to block the connections.