Automate Governance and Response for Firewall Threat Protection

Implementation Effort: Medium
User Impact: Low

Overview

Use Azure Policy to enforce that every deployed Azure Firewall is the Premium SKU with Threat Intelligence filtering and IDPS enabled, and that all necessary diagnostic settings (ThreatIntelLog and IDPS logs) stream into a centralized Log Analytics workspace. Then, in Azure Monitor, create Log Alert rules targeting high-severity events in the ThreatIntelLog and AzureFirewallIDPS categories—routing alerts to Action Groups or Azure Logic Apps to automatically block offending IPs, open tickets, or run remediation playbooks. Finally, ingest logs into Microsoft Sentinel via the built-in Azure Firewall connector and author Sentinel analytics rules and playbooks to drive AI-assisted investigations and maintain continuous compliance.

Reference

• Azure Policy for Azure Firewall
• Azure Policy Overviewl
• Create or edit a log search alert rule
• Azure Firewall connector for Microsoft Sentinel