Azure firewall confirmed request deny

  • Question

  • Hi, 

    I have the Azure Firewall set up, but in the logs I can see Brute forced credentials attempts, and I'm not seeing a deny against the log. 

    How do I confirm that the request was actually blocked/dropped/denied? 

    I'm logging to Log Analytics, FYI.

    Thanks

    Tommy

    Friday, September 20, 2019 5:59 PM

Answers

  • Hi Tommy, 

    These are ThreatIntel logs and based on the configuration you have set, it will either alert or alert and deny. 

    Can you check the below configuration at your Azure Firewall?

    Regards, 

    Msrini

    Saturday, September 21, 2019 6:36 AM
    Moderator

All replies

  • Hi Tommy, 

    Can you share the logs with me? Which logs are you looking at (AzureFirewallApplicationRule or AzureFirewallNetworkRule)?

    Regards, 

    Msrini
    Friday, September 20, 2019 6:06 PM
    Moderator
  • Hi msrini, 

    This is in the AzureFirewallNetworkRule

    TCP request from 128.14.133.58:52056 to ##.###.##.## Action: Alert. ThreatIntel: Port Scan

    I'm seeing some for brute force as well. 

    TCP request from 159.203.201.159:57565 to ###.##.##.##:443. Action: Alert. ThreatIntel: Brute forced credentials

    Thanks

    Tommy

    • Edited by TommyWebApp Friday, September 20, 2019 6:48 PM
    Friday, September 20, 2019 6:45 PM
  • Thanks msrini, 

    I know the logs are from the ThreatIntel, and I can see I have it set to alert only. What is the best way to deal with these alerts? Should I be setting up manual rules to block these, or should I just select alert and deny? 

    What I find a bit confusing is that I have locked down the firewall rules to source IP, so they shouldn't be able to hit any of the ports I have created rules for, among them 3389 and 443. So is the firewall alerting against attacks aimed at the firewall IP and not the rules, if that makes sense?

    For now I will turn on deny, but if you could let me know what I should do, that would be great. 

    Many thanks

    Saturday, September 21, 2019 7:17 AM
  • I would say you can go with alert and deny because port 3389 and port 443 are still open. 

    As you mentioned, even though the other ports are locked down by the firewall rules, you are still exposing port 3389 and port 443 to those malicious IPs. 

    Regards, 

    Msrini

    Saturday, September 21, 2019 8:05 AM
    Moderator
    When you say 443 and 3389 are still open, it's only to the source IP I've defined. But I suppose you are saying that the port is still being advertised but not accessible unless the source IP is matched? 

    But then, if that is the case, why isn't the brute force attempt on 443 being denied by the rule, because the source address doesn't match?

    So this brings me back to the original question of why I am getting brute force attempt logs even when the rule doesn't match. Surely the attempt should have been dropped because of the rule mismatch and logged as an alert because of the known malicious IP?

    Saturday, September 21, 2019 8:30 AM
    Actually, tracking the logs, I can see the ThreatIntelAlert and then shortly after I can see the deny. 

    So actually this is pretty cool; I will deny all dodgy known IPs and also alert. 

    Thanks msrini, again you have been really helpful.

    Tommy

    Saturday, September 21, 2019 8:49 AM
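The confirmation Tommy arrives at (a ThreatIntel alert followed shortly by a Deny for the same source) can be checked mechanically once the AzureFirewallNetworkRule messages are exported from Log Analytics. The Python below is an added example, not code from the thread or from Microsoft: the log lines are constructed in the message format quoted above using documentation IP ranges, and the 60-second correlation window is an assumption.

```python
import re
from datetime import datetime, timedelta

# Shape of the AzureFirewallNetworkRule messages quoted in the thread. The
# destination port and the trailing "ThreatIntel: <category>" are optional.
MSG_RE = re.compile(
    r"^(?P<proto>\w+) request from (?P<src>\d{1,3}(?:\.\d{1,3}){3}):(?P<sport>\d+) "
    r"to (?P<dst>\d{1,3}(?:\.\d{1,3}){3})(?::(?P<dport>\d+))?\.?\s*"
    r"Action: (?P<action>\w+)\.?(?:\s*ThreatIntel: (?P<threat>[^.]+))?\.?$"
)

# Constructed sample in the thread's format (RFC 5737 documentation addresses).
SAMPLE_LOG = [
    ("2019-09-21T08:40:01Z", "TCP request from 203.0.113.10:52056 to 198.51.100.7 Action: Alert. ThreatIntel: Port Scan"),
    ("2019-09-21T08:40:01Z", "TCP request from 203.0.113.10:52056 to 198.51.100.7:3389. Action: Deny"),
    ("2019-09-21T08:41:15Z", "TCP request from 203.0.113.22:57565 to 198.51.100.7:443. Action: Alert. ThreatIntel: Brute forced credentials"),
    ("2019-09-21T08:41:16Z", "TCP request from 203.0.113.22:57565 to 198.51.100.7:443. Action: Deny"),
    ("2019-09-21T08:45:00Z", "TCP request from 203.0.113.31:40000 to 198.51.100.7:443. Action: Alert. ThreatIntel: Brute forced credentials"),
    ("2019-09-21T08:45:30Z", "TCP request from 192.0.2.5:51000 to 198.51.100.7:443. Action: Allow"),
]

def parse_msg(msg):
    """Split one network-rule message into its fields; None if it does not match."""
    m = MSG_RE.match(msg.strip())
    if not m:
        return None
    f = m.groupdict()
    f["sport"] = int(f["sport"])
    f["dport"] = int(f["dport"]) if f["dport"] else None
    return f

def confirm_denies(entries, window=timedelta(seconds=60)):
    """For every ThreatIntel alert, report whether a Deny for the same source and
    destination was logged within `window` afterwards (assumed correlation window)."""
    parsed = []
    for ts, msg in entries:
        f = parse_msg(msg)
        if f:
            f["time"] = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
            parsed.append(f)
    results = []
    for a in parsed:
        if not a["threat"]:
            continue  # Allow/Deny lines without a ThreatIntel category are not alerts
        denied = any(
            d["action"] == "Deny" and d["src"] == a["src"] and d["dst"] == a["dst"]
            and a["time"] <= d["time"] <= a["time"] + window
            for d in parsed
        )
        results.append((a["src"], a["threat"], "denied" if denied else "alert only"))
    return results
```

An alert with no matching Deny in the window (the third source in the sample) is the case worth investigating, since a network rule may have allowed that source through.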