Azure Firewall threat intelligence configuration

Threat intelligence-based filtering can be configured for your Azure Firewall policy to alert on and deny traffic from and to known malicious IP addresses and domains. The IP addresses and domains are sourced from the Microsoft Threat Intelligence feed. Intelligent Security Graph powers Microsoft threat intelligence and is used by multiple services, including Azure Security Center.

If you've configured threat intelligence-based filtering, the associated rules are processed before any of the NAT rules, network rules, or application rules.

Threat intelligence policy

Threat intelligence mode

You can choose to log only an alert when a rule is triggered, or you can choose alert and deny mode.

By default, threat intelligence-based filtering is enabled in alert mode.

Allowed list addresses

You can configure a list of allowed IP addresses so that threat intelligence won't filter any of the addresses, ranges, or subnets that you specify.

Logs

The following log excerpt shows a triggered rule:

{
    "category": "AzureFirewallNetworkRule",
    "time": "2018-04-16T23:45:04.8295030Z",
    "resourceId": "/SUBSCRIPTIONS/{subscriptionId}/RESOURCEGROUPS/{resourceGroupName}/PROVIDERS/MICROSOFT.NETWORK/AZUREFIREWALLS/{resourceName}",
    "operationName": "AzureFirewallThreatIntelLog",
    "properties": {
         "msg": "HTTP request from 10.0.0.5:54074 to somemaliciousdomain.com:80. Action: Alert. ThreatIntel: Bot Networks"
    }
}

Testing

  • Outbound testing - Outbound traffic alerts should be a rare occurrence, as they mean that your environment has been compromised. To help test that outbound alerts are working, a test FQDN has been created that triggers an alert. Use testmaliciousdomain.chinaeast.cloudapp.chinacloudapi.cn for your outbound tests.

  • Inbound testing - You can expect to see alerts on incoming traffic if DNAT rules are configured on the firewall. This is true even if only specific sources are allowed on the DNAT rule and traffic is otherwise denied. Azure Firewall doesn't alert on all known port scanners; only on scanners that are known to also engage in malicious activity.
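The log excerpt above and the outbound/inbound distinction from the testing notes can be turned into a small triage routine. This is an added example, not Azure Firewall's own tooling: it parses the `msg` field of `AzureFirewallThreatIntelLog` records into fields, marks hits from RFC 1918 sources as outbound (the ones that indicate compromise), and flags any hit whose address falls in the configured allowlist, which should not happen once the allowlist is applied. The sample records are constructed; the first `msg` is copied from the excerpt, the others are made up.

```python
import ipaddress
import re

# Constructed sample records in the shape of the AzureFirewallThreatIntelLog excerpt.
SAMPLE_RECORDS = [
    {"category": "AzureFirewallNetworkRule", "time": "2018-04-16T23:45:04.8295030Z",
     "operationName": "AzureFirewallThreatIntelLog",
     "properties": {"msg": "HTTP request from 10.0.0.5:54074 to somemaliciousdomain.com:80. "
                           "Action: Alert. ThreatIntel: Bot Networks"}},
    {"category": "AzureFirewallNetworkRule", "time": "2018-04-16T23:46:10.0000000Z",
     "operationName": "AzureFirewallThreatIntelLog",
     "properties": {"msg": "TCP request from 203.0.113.9:44321 to 10.0.0.4:22. "
                           "Action: Deny. ThreatIntel: Port scanners"}},
    {"category": "AzureFirewallNetworkRule", "time": "2018-04-16T23:47:00.0000000Z",
     "operationName": "AzureFirewallNetworkRuleLog",   # not a threat-intel hit
     "properties": {"msg": "TCP request from 10.0.0.5:50000 to 10.0.1.4:443. Action: Allow"}},
]

RFC1918 = ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")

MSG_RE = re.compile(
    r"^(?P<proto>\S+) request from (?P<src>[^:\s]+):(?P<sport>\d+) "
    r"to (?P<dst>[^:\s]+):(?P<dport>\d+)\. Action: (?P<action>\w+)\. "
    r"ThreatIntel: (?P<category>.+)$"
)

def parse_threat_intel_event(record):
    """Return the parsed fields of a threat-intel hit, or None for any other record."""
    if record.get("operationName") != "AzureFirewallThreatIntelLog":
        return None
    m = MSG_RE.match(record.get("properties", {}).get("msg", ""))
    if not m:
        return None
    ev = m.groupdict()
    ev["sport"], ev["dport"] = int(ev["sport"]), int(ev["dport"])
    ev["time"] = record.get("time")
    return ev

def in_ranges(host, cidrs):
    """True if host is an IP inside one of the CIDRs; FQDN endpoints never match."""
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return False
    return any(ip in ipaddress.ip_network(c, strict=False) for c in cidrs)

def triage(records, allowlist=()):
    """Classify each hit by direction and flag hits that contradict the allowlist."""
    findings = []
    for rec in records:
        ev = parse_threat_intel_event(rec)
        if ev is None:
            continue
        ev["direction"] = "outbound" if in_ranges(ev["src"], RFC1918) else "inbound"
        ev["allowlisted"] = in_ranges(ev["src"], allowlist) or in_ranges(ev["dst"], allowlist)
        findings.append(ev)
    return findings
```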

Next steps