Azure Firewall Solution for Sentinel

Solution: Azure Firewall

Attribute Value
Publisher Microsoft Corporation
Support Tier Microsoft
Support Link https://support.microsoft.com/
Categories domains
Version 3.0.5
Author Microsoft - support@microsoft.com
First Published 2022-05-23
Last Updated 2026-02-16
Solution Folder Azure Firewall
Marketplace Azure Marketplace · Popularity: 🟢 High (89%)

The Azure Firewall solution for Microsoft Sentinel enables ingestion of DNS Proxy, Application Rule and Network Rule logs from Azure Firewalls.

Underlying Microsoft Technologies used:

This solution takes a dependency on the following technologies, and some of these dependencies either may be in Preview state or might result in additional ingestion or operational costs:

a. Azure Monitor Resource Diagnostics

Contents

Data Connectors

This solution provides 1 data connector(s):

Azure Firewall 🔶

🔶 CLv1: This connector can ingest into the AzureDiagnostics table, whose legacy schema uses type-suffixed column names (e.g. _s, _d, _b, _t, _g), the same convention as Custom Log V1 tables. Note: identification is based on column name suffixes, which are also permitted in CLv2, so this classification may not always be accurate.

Tables Used

This solution uses 10 table(s):

Table | Used By Connectors | Used By Content
AZFWApplicationRule | Azure Firewall | Analytics, Hunting, Workbooks
AZFWDnsQuery | Azure Firewall | Workbooks
AZFWFatFlow | Azure Firewall | -
AZFWFlowTrace | Azure Firewall | Analytics
AZFWIdpsSignature | Azure Firewall | Analytics, Workbooks
AZFWInternalFqdnResolutionFailure | Azure Firewall | -
AZFWNatRule | Azure Firewall | Workbooks
AZFWNetworkRule | Azure Firewall | Analytics, Hunting, Workbooks
AZFWThreatIntel | Azure Firewall | Analytics, Workbooks
AzureDiagnostics 🔶 | Azure Firewall | Analytics, Hunting, Workbooks

🔶 CLv1: AzureDiagnostics is the table Azure Firewall writes to when its diagnostic setting uses the legacy "Azure diagnostics" destination-table mode. It carries type-suffixed column names (e.g. _s, _d, _b, _t, _g), the same convention as Custom Log V1 tables, and packs the firewall's rule data into the free-text msg_s column; with the "Resource specific" mode the same events land in the typed AZFW* tables listed above instead. Note: identification is based on column name suffixes, which are also permitted in CLv2, so this classification may not always be accurate.

Content Items

This solution includes 23 content item(s):

Content Type Count
Analytic Rules 11
Hunting Queries 5
Playbooks 5
Workbooks 2

Analytic Rules

Name | Severity | Tactics | Tables Used
Abnormal Deny Rate for Source IP | Medium | InitialAccess, Exfiltration, CommandAndControl | AZFWApplicationRule, AZFWFlowTrace, AZFWIdpsSignature, AZFWNetworkRule, AzureDiagnostics
Abnormal Port to Protocol | Medium | Exfiltration, CommandAndControl | AZFWApplicationRule, AZFWNetworkRule, AzureDiagnostics
DDoS attack detected | High | Impact | AZFWIdpsSignature
Elevation of Privilege attempt detected | High | InitialAccess, CredentialAccess | AZFWIdpsSignature
High severity malicious activity detected | High | InitialAccess, Exfiltration, CredentialAccess, CommandAndControl, Execution | AZFWIdpsSignature
Medium severity malicious activity detected | Medium | InitialAccess, Execution, DefenseEvasion, Impact | AZFWIdpsSignature
Multiple Sources Affected by the Same TI Destination | Medium | Exfiltration, CommandAndControl | AZFWThreatIntel, AzureDiagnostics
Port Scan | Medium | Discovery | AZFWApplicationRule, AZFWNetworkRule, AzureDiagnostics
Port Sweep | Medium | Discovery | AZFWApplicationRule, AZFWNetworkRule, AzureDiagnostics
Several deny actions registered | Medium | Discovery, LateralMovement, CommandAndControl | AZFWApplicationRule, AZFWFlowTrace, AZFWIdpsSignature, AZFWNetworkRule, AzureDiagnostics
Web Application attack detected | High | InitialAccess | AZFWIdpsSignature
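Most of the rules in the table above, Port Scan among them, are listed against both the legacy AzureDiagnostics table and the resource-specific AZFWNetworkRule table, because a workspace may hold either schema depending on how each firewall's diagnostic setting was configured. The KQL below is an added illustration of what that dual-schema handling looks like; it is not one of the solution's own analytic rules and its thresholds are not the solution's. It assumes the standard column names of the two tables (Category and msg_s on AzureDiagnostics; SourceIp, SourcePort, DestinationIp, DestinationPort, Protocol and Action on AZFWNetworkRule) and the documented legacy message layout "TCP request from A:p to B:q. Action: Deny"; the 1h lookback, 10m bin and 20-port threshold are arbitrary values chosen for the example.

```kql
// Added example, not part of the Azure Firewall solution: normalise network-rule
// events from the legacy AzureDiagnostics table and the resource-specific
// AZFWNetworkRule table into one shape, then flag a source that is denied on
// many distinct ports of a single destination inside one time bin.
let lookback = 1h;         // assumption: how far back to search
let window = 10m;          // assumption: aggregation bin
let portThreshold = 20;    // assumption: distinct denied ports per bin that count as a scan
// Legacy "Azure diagnostics" mode: the rule fields only exist inside free-text msg_s.
let legacy = AzureDiagnostics
    | where TimeGenerated > ago(lookback)
    | where Category == "AzureFirewallNetworkRule"
    // Typed captures (:int) so the ports unite cleanly with the typed AZFW columns.
    | parse msg_s with * " request from " SourceIp ":" SourcePort:int
                       " to " DestinationIp ":" DestinationPort:int ". Action: " *
    | extend Protocol = extract(@"^(\w+) request", 1, msg_s),
             Action   = extract(@"Action: (\w+)", 1, msg_s)
    // ICMP entries carry no ports and do not match the pattern; drop them.
    | where isnotempty(SourceIp) and isnotnull(DestinationPort)
    | project TimeGenerated, Source = "AzureDiagnostics",
              Protocol, SourceIp, SourcePort, DestinationIp, DestinationPort, Action;
// "Resource specific" mode: the same fields are already typed columns.
let structured = AZFWNetworkRule
    | where TimeGenerated > ago(lookback)
    | project TimeGenerated, Source = "AZFWNetworkRule",
              Protocol, SourceIp, SourcePort, DestinationIp, DestinationPort, Action;
union legacy, structured
| where Action =~ "Deny"
| summarize DistinctPorts = dcount(DestinationPort),
            DeniedEvents  = count(),
            Sources       = make_set(Source),
            SamplePorts   = make_set(DestinationPort, 10)
          by SourceIp, DestinationIp, bin(TimeGenerated, window)
| where DistinctPorts >= portThreshold
| order by DistinctPorts desc
```

Two caveats when running anything shaped like this. First, union merges columns by name and type: if the legacy ports were left as strings, KQL would split them into separate typed columns and the dcount would silently undercount, which is why the parse uses :int captures. Second, a firewall whose diagnostic settings send the same category in both destination-table modes produces every event twice; the Sources set makes that visible, and such firewalls should be restricted to one branch before the summarize.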

Hunting Queries

Name | Tactics | Tables Used
First Time Source IP to Destination | Exfiltration, CommandAndControl | AZFWApplicationRule, AZFWNetworkRule, AzureDiagnostics
First Time Source IP to Destination Using Port | Exfiltration, CommandAndControl | AZFWApplicationRule, AZFWNetworkRule, AzureDiagnostics
Source IP Abnormally Connects to Multiple Destinations | Execution, LateralMovement | AZFWApplicationRule, AZFWNetworkRule, AzureDiagnostics
Uncommon Port for Organization | DefenseEvasion, Exfiltration, CommandAndControl | AZFWApplicationRule, AZFWNetworkRule, AzureDiagnostics
Uncommon Port to IP | Exfiltration, CommandAndControl | AZFWApplicationRule, AZFWNetworkRule, AzureDiagnostics

Workbooks

Name | Tables Used
AzureFirewallWorkbook | AzureDiagnostics
AzureFirewallWorkbook-StructuredLogs | AZFWApplicationRule, AZFWDnsQuery, AZFWIdpsSignature, AZFWNatRule, AZFWNetworkRule, AZFWThreatIntel

Playbooks

Name | Description | Tables Used
Azure Firewall - Add IP Address to Threat Intel Allow list | This playbook allows the SOC to automatically respond to Microsoft Sentinel incidents which include... | -
Block IP - Azure Firewall IP groups | This playbook allows blocking/allowing IPs in Azure Firewall. It allows making changes to IP groups... | -
Block IP - Azure Firewall IP groups - Entity trigger | This playbook interacts with relevant stakeholders, such as the incident response team, to approve blocking... | -
BlockIP-Azure Firewall New Rule | This playbook uses the Azure Firewall connector to add an IP address to the Deny Network Rules collecti... | -
BlockIP-Azure Firewall New Rule - Entity trigger | This playbook uses the Azure Firewall connector to add an IP address to the Deny Network Rules collecti... | -

Release Notes

Version Date Modified (DD-MM-YYYY) Change History
3.0.5 13-02-2026 Updated Analytic Rule to cover missing TTPs. Extended detection for FQDN and Destination IP across multiple sources and added new Analytic Rule for improved TI destination coverage.
3.0.4 12-02-2024 Updated Analytical Rule
3.0.3 17-01-2024 Updated Azure Firewall Data Connector to support resource specific logs.
3.0.2 15-12-2023 Updated query in Analytical Rule (Port Scan)
3.0.1 21-11-2023 Modified text as there is rebranding from Azure Active Directory to Microsoft Entra ID.
3.0.0 20-07-2023 Updated Workbook template to remove unused variables.
