Network-25537: Threat intelligence is Enabled in Deny Mode on Azure Firewall #736
Conversation
sandeepjha000
left a comment
sandeepjha000
left a comment
There was a problem hiding this comment.
I have added some comments that needs to be addressed. @ashwinikarke to assist Ksitiz for remainder
kshitiz-prog
changed the title
There was a problem hiding this comment.
Pull request overview
Adds a new Network assessment (ID 25537) to validate Azure Firewall Policy Threat Intelligence configuration and document remediation guidance.
Changes:
- Introduces a new PowerShell assessment test that enumerates Azure Firewall Policies and evaluates
ThreatIntelMode. - Generates markdown result output including a per-policy summary table.
- Adds accompanying markdown documentation with remediation link to Microsoft Learn.
Reviewed changes
Copilot reviewed 2 out of 2 changed files in this pull request and generated 8 comments.
| File | Description |
|---|---|
| src/powershell/tests/Test-Assessment.25537.ps1 | Implements assessment logic for Threat Intelligence “Deny” mode on Azure Firewall Policies and emits markdown results. |
| src/powershell/tests/Test-Assessment.25537.md | Provides user-facing description and remediation guidance for the new assessment. |
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
| $mdInfo += "| Check name | Policy name | Subscription name | Subscription id | Threat Intel Mode |`n" | ||
| $mdInfo += "| :--- | :--- | :--- | :--- | :---: |`n" | ||
|
|
||
| foreach ($item in $results | Sort-Object PolicyName) { | ||
| $mdInfo += "| $($item.CheckName) | $($item.PolicyName) | $($item.SubscriptionName) | $($item.SubscriptionId) | $($item.ThreatIntelMode) |`n" |
There was a problem hiding this comment.
The results table omits Resource Group (and per-policy pass/fail) even though you collect ResourceGroup/Status in $results. Without Resource Group it can be hard to uniquely identify a policy (names can repeat across RGs). Consider adding Resource Group (and optionally Status) columns to the markdown table.
| $mdInfo += "| Check name | Policy name | Subscription name | Subscription id | Threat Intel Mode |`n" | |
| $mdInfo += "| :--- | :--- | :--- | :--- | :---: |`n" | |
| foreach ($item in $results | Sort-Object PolicyName) { | |
| $mdInfo += "| $($item.CheckName) | $($item.PolicyName) | $($item.SubscriptionName) | $($item.SubscriptionId) | $($item.ThreatIntelMode) |`n" | |
| $mdInfo += "| Check name | Policy name | Subscription name | Subscription id | Resource group | Status | Threat Intel Mode |`n" | |
| $mdInfo += "| :--- | :--- | :--- | :--- | :--- | :---: | :---: |`n" | |
| foreach ($item in $results | Sort-Object PolicyName) { | |
| $mdInfo += "| $($item.CheckName) | $($item.PolicyName) | $($item.SubscriptionName) | $($item.SubscriptionId) | $($item.ResourceGroup) | $($item.Status) | $($item.ThreatIntelMode) |`n" |
| @@ -0,0 +1,11 @@ | |||
| Azure Firewall Threat intelligence-based filtering alerts and denies traffic from/to known malicious IP addresses, FQDNs, and URLs. The IP addresses, domains, and URLs are sourced from the Microsoft Threat Intelligence feed, which includes multiple sources including the Microsoft Cyber Security team. When threat intelligence-based filtering is enabled, Azure Firewall evaluates traffic against the threat intelligence rules before applying NAT, network, or application rules. | |||
|
|
|||
| This check verifies that Threat Intelligence feature is enabled in “Alert and Deny” mode in the Azure Firewall policy configuration. The check will fail if Threat Intelligence is either “Disabled” or if it is not configured in “Alert and Deny” mode, in the firewall policy attached to the firewall. | |||
There was a problem hiding this comment.
The description says the check evaluates “the firewall policy attached to the firewall”, but the implementation evaluates all firewall policies in the subscription(s), including potentially unattached policies. Please either update the implementation to scope to policies actually associated with Azure Firewalls, or adjust this documentation to match the implemented scope.
| This check verifies that Threat Intelligence feature is enabled in “Alert and Deny” mode in the Azure Firewall policy configuration. The check will fail if Threat Intelligence is either “Disabled” or if it is not configured in “Alert and Deny” mode, in the firewall policy attached to the firewall. | |
| This check verifies that the Threat Intelligence feature is enabled in “Alert and Deny” mode on Azure Firewall policies in the subscription. The check will fail if Threat Intelligence is either “Disabled” or not configured in “Alert and Deny” mode on any evaluated firewall policy. |
| This check verifies that Threat Intelligence feature is enabled in “Alert and Deny” mode in the Azure Firewall policy configuration. The check will fail if Threat Intelligence is either “Disabled” or if it is not configured in “Alert and Deny” mode, in the firewall policy attached to the firewall. | ||
|
|
||
| **Remediation action** | ||
|
|
||
| Please check this article for guidance on how to enable Threat Intelligence in “Alert and Deny” mode in the Azure Firewall Policy: |
There was a problem hiding this comment.
This markdown uses smart quotes (“ ”) around mode names. The rest of the repo’s markdown files appear to use straight quotes; consider switching to standard ASCII quotes to avoid encoding/rendering inconsistencies across tooling.
| Validates Threat intelligence is Enabled in Deny Mode on Azure Firewall. | ||
| .DESCRIPTION | ||
| This test validates that Azure Firewall Policies have Threat Intelligence enabled in Deny mode. | ||
| Checks all firewall policies in the subscription and reports their threat intelligence status. |
There was a problem hiding this comment.
The comment-based help says this “checks all firewall policies in the subscription”, but the implementation enumerates all subscriptions via Get-AzSubscription and loops through each. Please align the description with the actual behavior (either scope to current subscription only, or update the comment to say it iterates all accessible subscriptions).
| Checks all firewall policies in the subscription and reports their threat intelligence status. | |
| Checks all firewall policies across all accessible subscriptions and reports their threat intelligence status. |
| $subscriptions = Get-AzSubscription | ||
| $results = @() | ||
| foreach ($sub in $subscriptions) { | ||
| Set-AzContext -SubscriptionId $sub.Id | Out-Null | ||
| # Get all firewall policies in the subscription | ||
| $policies = Get-AzResource -ResourceType 'Microsoft.Network/firewallPolicies' -ErrorAction Stop | ||
|
|
There was a problem hiding this comment.
This test uses Az cmdlets (Get-AzSubscription/Set-AzContext/Get-AzResource) but doesn’t follow the repo’s established Azure-connection handling. If the user isn’t connected to Azure or lacks subscription access, this will error rather than producing a skipped result. Consider following the pattern used in src/powershell/tests/Test-Assessment.21788.ps1:27-55 and Test-Assessment.21860.ps1:33-60 (Get-AzAccessToken check + catch 403) and call Add-ZtTestResultDetail -SkippedBecause NotConnectedAzure/NoAzureAccess accordingly.
| Set-AzContext -SubscriptionId $sub.Id | Out-Null | ||
| # Get all firewall policies in the subscription | ||
| $policies = Get-AzResource -ResourceType 'Microsoft.Network/firewallPolicies' -ErrorAction Stop |
There was a problem hiding this comment.
Set-AzContext is invoked without -ErrorAction Stop / error handling. If context switching fails, the loop may continue using a previous context and attribute results to the wrong subscription. Please make context switching a terminating operation and handle failures explicitly (e.g., try/catch per subscription and continue/skip as appropriate).
| Set-AzContext -SubscriptionId $sub.Id | Out-Null | |
| # Get all firewall policies in the subscription | |
| $policies = Get-AzResource -ResourceType 'Microsoft.Network/firewallPolicies' -ErrorAction Stop | |
| try { | |
| Set-AzContext -SubscriptionId $sub.Id -ErrorAction Stop | Out-Null | |
| # Get all firewall policies in the subscription | |
| $policies = Get-AzResource -ResourceType 'Microsoft.Network/firewallPolicies' -ErrorAction Stop | |
| } | |
| catch { | |
| Write-PSFMessage "Failed to set context or enumerate firewall policies for subscription '$($sub.Id)': $($_.Exception.Message)" -Tag Test -Level Error | |
| continue | |
| } |
|
|
||
| #region Assessment Logic Evaluation | ||
| if (-not $results) { | ||
| Write-PSFMessage 'No Azure Firewall policies found. Skipping test.' -Tag Firewall -Level Verbose |
There was a problem hiding this comment.
When no firewall policies are found, the function returns without calling Add-ZtTestResultDetail. Since results are collected via Add-ZtTestResultDetail, this test will produce no report entry in that case. Please emit an explicit result (pass/not-applicable or a skipped status via -SkippedBecause NotSupported) instead of returning silently.
| Write-PSFMessage 'No Azure Firewall policies found. Skipping test.' -Tag Firewall -Level Verbose | |
| Write-PSFMessage 'No Azure Firewall policies found. Skipping test.' -Tag Firewall -Level Verbose | |
| Add-ZtTestResultDetail -SkippedBecause NotSupported -Description 'No Azure Firewall policies found in any subscription.' |
| if ($uniqueModes.Count -eq 1 -and $uniqueModes -eq 'Deny') { | ||
|
|
||
| $passed = $true | ||
| $testResultMarkdown = 'Threat Intel is enabled in **Alert and Deny** mode.' | ||
|
|
||
| } | ||
| else { |
There was a problem hiding this comment.
The output messaging mixes “Deny mode” (test title/check name) with “Alert and Deny mode” (result text/title). Since the pass condition is ThreatIntelMode == 'Deny', consider standardizing the wording throughout (either consistently refer to the Azure enum value 'Deny' or consistently explain it as 'Alert and Deny') to avoid confusing users.
No description provided.