Microsoft Azure Firewall Integration Guide
The following instructions describe how to configure Azure Firewall so that its logs can be ingested into Secureworks® Taegis™ XDR from Azure Event Hubs.
Configure Azure Monitor Diagnostic Settings
Follow one of these sets of Microsoft instructions to enable Azure Monitor diagnostic settings:
- (Recommended) Structured logs
- (Legacy) Diagnostic logs
XDR supports the following diagnostic categories for data normalization:
Optimized Structured Logs Categories
- Azure Firewall Application Rule
- Azure Firewall Threat Intelligence
- Azure Firewall IDPS Signature
- Azure Firewall DNS query
- Azure Firewall Network Rule
- Azure Firewall Nat Rule
- Azure Firewall Flow Trace Log
Optimized Diagnostic Logs (legacy) Categories
Note
All other logs will normalize to the Generic schema. A custom parser may be needed to enable normalization of other data sources beyond the Generic schema. It is not recommended to forward metric data to XDR, as it will be treated like all other log data and not as metrics.
Note
It is recommended to not enable both legacy and structured logs, as this will create logical duplication of some activities.
Forward to Event Hub and Enable Integration with XDR
- Once the desired log categories are selected, choose to Stream to an event hub and enter the desired event hub destination.
- Follow the integration instructions for an event hub to complete the integration with XDR and to begin data ingestion.
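The two steps above (enable the structured-log categories, then stream them to an event hub), as an added example that is not part of this guide or of Microsoft's documentation: a POSIX shell script that builds the `--logs` JSON for the structured categories listed earlier and composes the `az monitor diagnostic-settings create` call. The resource IDs and the event hub name are placeholders, and the category identifiers are the Azure resource-log names assumed to correspond to the display names in this guide (confirm them with `az monitor diagnostic-settings categories list`).

```shell
#!/bin/sh
# Added example (not from the Secureworks guide or Microsoft docs).
# Placeholders: replace <sub-id>, <rg>, <fw-name>, <ns> with real values.
FIREWALL_ID="/subscriptions/<sub-id>/resourceGroups/<rg>/providers/Microsoft.Network/azureFirewalls/<fw-name>"
EVENTHUB_AUTH_RULE_ID="/subscriptions/<sub-id>/resourceGroups/<rg>/providers/Microsoft.EventHub/namespaces/<ns>/authorizationRules/RootManageSharedAccessKey"
EVENTHUB_NAME="azfw-logs"

# Structured-log categories only. The legacy categories are deliberately not
# included, to avoid the duplicated activity the guide warns about.
# These identifiers are assumed; verify with:
#   az monitor diagnostic-settings categories list --resource "$FIREWALL_ID"
STRUCTURED_CATEGORIES="AZFWApplicationRule AZFWThreatIntel AZFWIdpsSignature AZFWDnsQuery AZFWNetworkRule AZFWNatRule AZFWFlowTrace"

# Emit the JSON array expected by --logs: one {category, enabled:true} per name.
build_logs_json() {
    out="["
    sep=""
    for c in $1; do
        out="$out$sep{\"category\":\"$c\",\"enabled\":true}"
        sep=","
    done
    printf '%s]' "$out"
}

# Compose the az command; print it, and run it only when DRY_RUN is empty.
# Metrics are intentionally not forwarded (no --metrics argument).
create_diag_setting() {
    logs=$(build_logs_json "$STRUCTURED_CATEGORIES")
    set -- az monitor diagnostic-settings create \
        --name "taegis-xdr-eventhub" \
        --resource "$FIREWALL_ID" \
        --event-hub "$EVENTHUB_NAME" \
        --event-hub-rule "$EVENTHUB_AUTH_RULE_ID" \
        --logs "$logs"
    printf '%s ' "$@"; echo
    [ -n "${DRY_RUN:-}" ] || "$@"
}

# Default to a dry run so the script is safe to execute as-is.
: "${DRY_RUN:=1}"
create_diag_setting
```

Set `DRY_RUN=` (empty) after logging in with `az login` to actually create the setting.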
Data Provided from Integration
Normalized data from Azure Firewall will be available in the following schemas.
Azure Firewall
| | Normalized Data | Out-of-the-Box Detections | Vendor-Specific Detections |
|---|---|---|---|
| MS Azure Firewall | DNS, HTTP, Netflow | | |
Note
XDR detectors are not guaranteed to be triggered, even if a data source's logs are normalized to a schema associated with a given detector. However, you can create Custom Alert Rules to generate alerts based on normalized data from a data source.