microsoft · ashwinikarke · Dec 29, 2025 · Dec 31, 2025 · Dec 31, 2025 · Copilot
diff --git a/src/powershell/tests/Test-Assessment.25537.md b/src/powershell/tests/Test-Assessment.25537.md
@@ -0,0 +1,11 @@
+Azure Firewall Threat intelligence-based filtering alerts and denies traffic from/to known malicious IP addresses, FQDNs, and URLs. The IP addresses, domains, and URLs are sourced from the Microsoft Threat Intelligence feed, which includes multiple sources including the Microsoft Cyber Security team. When threat intelligence-based filtering is enabled, Azure Firewall evaluates traffic against the threat intelligence rules before applying NAT, network, or application rules.
+
+This check verifies that Threat Intelligence feature is enabled in “Alert and Deny” mode in the Azure Firewall policy configuration. The check will fail if Threat Intelligence is either “Disabled” or if it is not configured in “Alert and Deny” mode, in the firewall policy attached to the firewall.
-This check verifies that Threat Intelligence feature is enabled in “Alert and Deny” mode in the Azure Firewall policy configuration. The check will fail if Threat Intelligence is either “Disabled” or if it is not configured in “Alert and Deny” mode, in the firewall policy attached to the firewall.
+This check verifies that the Threat Intelligence feature is enabled in “Alert and Deny” mode on Azure Firewall policies in the subscription. The check will fail if Threat Intelligence is either “Disabled” or not configured in “Alert and Deny” mode on any evaluated firewall policy.
-This check verifies that Threat Intelligence feature is enabled in “Alert and Deny” mode in the Azure Firewall policy configuration. The check will fail if Threat Intelligence is either “Disabled” or if it is not configured in “Alert and Deny” mode, in the firewall policy attached to the firewall.
+This check verifies that the Threat Intelligence feature is enabled in “Alert and Deny” mode on Azure Firewall policies in the subscription. The check will fail if Threat Intelligence is either “Disabled” or not configured in “Alert and Deny” mode on any evaluated firewall policy.
+
+**Remediation action**
+
+Please check this article for guidance on how to enable Threat Intelligence in “Alert and Deny” mode in the Azure Firewall Policy:
+- [Azure Firewall threat intelligence configuration | Microsoft Learn](https://learn.microsoft.com/en-us/azure/firewall-manager/threat-intelligence-settings)
+
+<!--- Results --->
+%TestResult%
diff --git a/src/powershell/tests/Test-Assessment.25537.ps1 b/src/powershell/tests/Test-Assessment.25537.ps1
@@ -0,0 +1,140 @@
+<#
+.SYNOPSIS
+    Validates Threat intelligence is Enabled in Deny Mode on Azure Firewall.
+.DESCRIPTION
+    This test validates that Azure Firewall Policies have Threat Intelligence enabled in Deny mode.
+    Checks all firewall policies in the subscription and reports their threat intelligence status.
-    Checks all firewall policies in the subscription and reports their threat intelligence status.
+    Checks all firewall policies across all accessible subscriptions and reports their threat intelligence status.
-    Checks all firewall policies in the subscription and reports their threat intelligence status.
+    Checks all firewall policies across all accessible subscriptions and reports their threat intelligence status.
+.NOTES
+    Test ID: 25537
+    Category: Azure Network Security
+    Required API: Azure Firewall Policies
+#>
+
+function Test-Assessment-25537 {
+    [ZtTest(
+        Category = 'Azure Network Security',
+        ImplementationCost = 'Low',
+        MinimumLicense = ('Azure_Firewall_Standard', 'Azure_Firewall_Premium'),
+        Pillar = 'Network',
+        RiskLevel = 'High',
+        SfiPillar = 'Protect networks',
+        TenantType = ('Workforce'),
+        TestId = 25537,
+        Title = 'Threat intelligence is Enabled in Deny Mode on Azure Firewall',
+        UserImpact = 'Low'
+    )]
+    [CmdletBinding()]
+    param()
+
+    Write-PSFMessage '🟦 Start' -Tag Test -Level VeryVerbose
+
+    #region Data Collection
+    Write-ZtProgress `
+        -Activity 'Azure Firewall Threat Intelligence' `
+        -Status 'Enumerating Firewall Policies'
+
+    $subscriptions = Get-AzSubscription
+    $results = @()
+    foreach ($sub in $subscriptions) {
+        Set-AzContext -SubscriptionId $sub.Id | Out-Null
+        # Get all firewall policies in the subscription
+        $policies = Get-AzResource -ResourceType 'Microsoft.Network/firewallPolicies' -ErrorAction Stop
-        Set-AzContext -SubscriptionId $sub.Id | Out-Null
-        # Get all firewall policies in the subscription
-        $policies = Get-AzResource -ResourceType 'Microsoft.Network/firewallPolicies' -ErrorAction Stop
+        try {
+            Set-AzContext -SubscriptionId $sub.Id -ErrorAction Stop | Out-Null
+            # Get all firewall policies in the subscription
+            $policies = Get-AzResource -ResourceType 'Microsoft.Network/firewallPolicies' -ErrorAction Stop
+        }
+        catch {
+            Write-PSFMessage "Failed to set context or enumerate firewall policies for subscription '$($sub.Id)': $($_.Exception.Message)" -Tag Test -Level Error
+            continue
+        }
-        Set-AzContext -SubscriptionId $sub.Id | Out-Null
-        # Get all firewall policies in the subscription
-        $policies = Get-AzResource -ResourceType 'Microsoft.Network/firewallPolicies' -ErrorAction Stop
+        try {
+            Set-AzContext -SubscriptionId $sub.Id -ErrorAction Stop | Out-Null
+            # Get all firewall policies in the subscription
+            $policies = Get-AzResource -ResourceType 'Microsoft.Network/firewallPolicies' -ErrorAction Stop
+        }
+        catch {
+            Write-PSFMessage "Failed to set context or enumerate firewall policies for subscription '$($sub.Id)': $($_.Exception.Message)" -Tag Test -Level Error
+            continue
+        }
+
+        if (-not $policies) {
+            continue
+        }
+
+        #endregion Data Collection
+        #region Assessment Logic
+
+        foreach ($policyResource in $policies) {
+            $policy = Get-AzFirewallPolicy `
+                -Name $policyResource.Name `
+                -ResourceGroupName $policyResource.ResourceGroupName `
+                -ErrorAction SilentlyContinue
+
+            if (-not $policy) {
+                continue
+            }
+
+            $subContext = Get-AzContext
+            $status = if ($policy.ThreatIntelMode -eq 'Deny') {
+                'Pass'
+            }
+            else {
+                'Fail'
+            }
+
+            $results += [PSCustomObject]@{
+                CheckName        = 'Threat intelligence is Enabled in Deny Mode on Azure Firewall'
+                PolicyName       = $policy.Name
+                ResourceGroup    = $policy.ResourceGroupName
+                SubscriptionName = $subContext.Subscription.Name
+                SubscriptionId   = $subContext.Subscription.Id
+                ThreatIntelMode  = $policy.ThreatIntelMode
+                Status           = $status
+            }
+        }
+    }
+    #endregion Assessment Logic
+
+    #region Assessment Logic Evaluation
+    if (-not $results) {
+        Write-PSFMessage 'No Azure Firewall policies found. Skipping test.' -Tag Firewall -Level Verbose
-        Write-PSFMessage 'No Azure Firewall policies found. Skipping test.' -Tag Firewall -Level Verbose
+        Write-PSFMessage 'No Azure Firewall policies found. Skipping test.' -Tag Firewall -Level Verbose
+        Add-ZtTestResultDetail -SkippedBecause NotSupported -Description 'No Azure Firewall policies found in any subscription.'
-        Write-PSFMessage 'No Azure Firewall policies found. Skipping test.' -Tag Firewall -Level Verbose
+        Write-PSFMessage 'No Azure Firewall policies found. Skipping test.' -Tag Firewall -Level Verbose
+        Add-ZtTestResultDetail -SkippedBecause NotSupported -Description 'No Azure Firewall policies found in any subscription.'
+        return
+    }
+    else {
+        $allModes = $results.ThreatIntelMode
+        $uniqueModes = $allModes | Select-Object -Unique
+
+        if ($uniqueModes.Count -eq 1 -and $uniqueModes -eq 'Deny') {
+
+            $passed = $true
+            $testResultMarkdown = 'Threat Intel is enabled in **Alert and Deny** mode.'
+
+        }
+        else {
+
+            $passed = $false
+
+            if ($uniqueModes.Count -eq 1) {
+
+                switch ($uniqueModes) {
+                    'Alert' {
+                        $testResultMarkdown = 'Threat Intel is enabled in **Alert** mode.'
+                    }
+                    'Off' {
+                        $testResultMarkdown = 'Threat Intel is **disabled**.'
+                    }
+                    default {
+                        $testResultMarkdown = 'Threat Intel is not enabled in **Alert and Deny** mode for all Firewall policies.'
+                    }
+                }
+            }
+            else {
+                $testResultMarkdown = 'Threat Intel is not enabled in **Alert and Deny** mode for all Firewall policies.'
+            }
+        }
+
+        # --- Markdown Table ---
+        $mdInfo = "`n`n## Firewall Policies`n`n"
+        $mdInfo += "| Check name | Policy name | Subscription name | Subscription id | Threat Intel Mode |`n"
+        $mdInfo += "| :--- | :--- | :--- | :--- | :---: |`n"
+
+        foreach ($item in $results | Sort-Object PolicyName) {
+            $mdInfo += "| $($item.CheckName) | $($item.PolicyName) | $($item.SubscriptionName) | $($item.SubscriptionId) | $($item.ThreatIntelMode) |`n"
-        $mdInfo += "| Check name | Policy name | Subscription name | Subscription id | Threat Intel Mode |`n"
-        $mdInfo += "| :--- | :--- | :--- | :--- | :---: |`n"
-
-        foreach ($item in $results | Sort-Object PolicyName) {
-            $mdInfo += "| $($item.CheckName) | $($item.PolicyName) | $($item.SubscriptionName) | $($item.SubscriptionId) | $($item.ThreatIntelMode) |`n"
+        $mdInfo += "| Check name | Policy name | Subscription name | Subscription id | Resource group | Status | Threat Intel Mode |`n"
+        $mdInfo += "| :--- | :--- | :--- | :--- | :--- | :---: | :---: |`n"
+
+        foreach ($item in $results | Sort-Object PolicyName) {
+            $mdInfo += "| $($item.CheckName) | $($item.PolicyName) | $($item.SubscriptionName) | $($item.SubscriptionId) | $($item.ResourceGroup) | $($item.Status) | $($item.ThreatIntelMode) |`n"
-        $mdInfo += "| Check name | Policy name | Subscription name | Subscription id | Threat Intel Mode |`n"
-        $mdInfo += "| :--- | :--- | :--- | :--- | :---: |`n"
-
-        foreach ($item in $results | Sort-Object PolicyName) {
-            $mdInfo += "| $($item.CheckName) | $($item.PolicyName) | $($item.SubscriptionName) | $($item.SubscriptionId) | $($item.ThreatIntelMode) |`n"
+        $mdInfo += "| Check name | Policy name | Subscription name | Subscription id | Resource group | Status | Threat Intel Mode |`n"
+        $mdInfo += "| :--- | :--- | :--- | :--- | :--- | :---: | :---: |`n"
+
+        foreach ($item in $results | Sort-Object PolicyName) {
+            $mdInfo += "| $($item.CheckName) | $($item.PolicyName) | $($item.SubscriptionName) | $($item.SubscriptionId) | $($item.ResourceGroup) | $($item.Status) | $($item.ThreatIntelMode) |`n"
+        }
+
+        $testResultMarkdown += $mdInfo
+
+        #endregion Assessment Logic Evaluation
+
+        #region Report Generation
+        Add-ZtTestResultDetail `
+            -TestId '25537' `
+            -Title 'Azure Firewall Threat Intelligence is enabled in Alert and Deny mode' `
+            -Status $passed `
+            -Result $testResultMarkdown
+        #endregion Report Generation
+    }
+}