Azure: Azure Firewall Capability Group

All Mappings

Capability ID | Capability Description | Category | Value | ATT&CK ID | ATT&CK Name | Notes

azure_firewall | Azure Firewall | detect | partial | T1557.003 | DHCP Spoofing
    Comments: This control can detect DHCP spoofing by monitoring network traffic.

azure_firewall | Azure Firewall | detect | partial | T1567.003 | Exfiltration to Text Storage Sites
    Comments: This control can detect exfiltration attempts to text storage sites.

azure_firewall | Azure Firewall | detect | partial | T1665 | Hide Infrastructure
    Comments: This capability can detect some traffic related to adversary command and control behavior.

azure_firewall | Azure Firewall | protect | partial | T1008 | Fallback Channels
    Comments: This control's threat intelligence-based filtering feature can be enabled to alert and deny traffic from/to known malicious IP addresses and domains. The IP addresses and domains are sourced from the Microsoft Threat Intelligence feed. Because this protection is limited to known malicious IP addresses and domains and does not provide protection from such attacks from unknown domains and IP addresses, this is scored as partial coverage resulting in an overall Partial score.

azure_firewall | Azure Firewall | protect | partial | T1018 | Remote System Discovery
    Comments: This control typically filters external network traffic and therefore can be effective for preventing external remote system discovery, but such activity originating from inside the trusted network is not mitigated. Due to this partial protection coverage, it has been scored as Partial protection.

azure_firewall | Azure Firewall | protect | partial | T1046 | Network Service Discovery
    Comments: This control typically filters external network traffic and therefore can be effective for preventing external network service scanning, but network service scanning originating from inside the trusted network is not mitigated. Due to this partial protection coverage, it has been scored as Partial protection.

azure_firewall | Azure Firewall | protect | partial | T1048 | Exfiltration Over Alternative Protocol
    Comments: This control provides partial protection for this technique's sub-techniques and some of its procedure examples, resulting in an overall Partial score.

azure_firewall | Azure Firewall | protect | partial | T1048.001 | Exfiltration Over Symmetric Encrypted Non-C2 Protocol
    Comments: This control's threat intelligence-based filtering feature can be enabled to alert and deny traffic from/to known malicious IP addresses and domains. The IP addresses and domains are sourced from the Microsoft Threat Intelligence feed. Because this protection is limited to known malicious IP addresses and domains and does not provide protection from such attacks from unknown domains and IP addresses, this is scored as partial coverage resulting in an overall Partial score.

azure_firewall | Azure Firewall | protect | partial | T1048.002 | Exfiltration Over Asymmetric Encrypted Non-C2 Protocol
    Comments: This control's threat intelligence-based filtering feature can be enabled to alert and deny traffic from/to known malicious IP addresses and domains. The IP addresses and domains are sourced from the Microsoft Threat Intelligence feed. Because this protection is limited to known malicious IP addresses and domains and does not provide protection from such attacks from unknown domains and IP addresses, this is scored as partial coverage resulting in an overall Partial score.

azure_firewall | Azure Firewall | protect | partial | T1048.003 | Exfiltration Over Unencrypted Non-C2 Protocol
    Comments: This control's threat intelligence-based filtering feature can be enabled to alert and deny traffic from/to known malicious IP addresses and domains. The IP addresses and domains are sourced from the Microsoft Threat Intelligence feed. Because this protection is limited to known malicious IP addresses and domains and does not provide protection from such attacks from unknown domains and IP addresses, this is scored as partial coverage resulting in an overall Partial score.

azure_firewall | Azure Firewall | protect | partial | T1071.005 | Publish/Subscribe Protocols
    Comments: This control can filter network traffic on ports associated with this technique.

azure_firewall | Azure Firewall | protect | partial | T1095 | Non-Application Layer Protocol
    Comments: This control's threat intelligence-based filtering feature can be enabled to alert and deny traffic from/to known malicious IP addresses and domains. The IP addresses and domains are sourced from the Microsoft Threat Intelligence feed. Because this protection is limited to known malicious IP addresses and domains and does not provide protection from such attacks from unknown domains and IP addresses, this is scored as partial coverage resulting in an overall Partial score. Furthermore, it can be used to filter non-application layer protocol traffic such as ICMP.

azure_firewall | Azure Firewall | protect | partial | T1133 | External Remote Services
    Comments: This control can limit access to external remote services to the minimum necessary.

azure_firewall | Azure Firewall | protect | partial | T1204 | User Execution
    Comments: This control provides partial protection for this technique.

azure_firewall | Azure Firewall | protect | partial | T1204.003 | Malicious Image
    Comments: This control can prevent malicious downloads associated with this technique.

azure_firewall | Azure Firewall | protect | partial | T1205 | Traffic Signaling
    Comments: This control provides partial protection for this technique's sub-techniques and procedure examples, resulting in a Partial score.

azure_firewall | Azure Firewall | protect | partial | T1205.001 | Port Knocking
    Comments: This control can protect against this sub-technique by enforcing limited access to only required ports. Consequently, even if the adversary is able to utilize port knocking to open additional ports at the host level, it is still blocked at the firewall service level. This service typically applies to external traffic and not internal traffic, and therefore lateral movement using this technique within a network is still possible. Due to this partial coverage, it has been scored as Partial.

azure_firewall | Azure Firewall | protect | partial | T1205.002 | Socket Filters
    Comments: This control can protect against some variations of this technique.

azure_firewall | Azure Firewall | protect | partial | T1219 | Remote Access Software
    Comments: This control can be used to limit outgoing traffic to only sites and services used by authorized remote access tools. This is scored as partial because it doesn't protect against an adversary using an authorized remote access tool for malicious activity.

azure_firewall | Azure Firewall | protect | partial | T1567.003 | Exfiltration to Text Storage Sites
    Comments: This control can protect from exfiltration to text storage sites by blocking unauthorized sites.

azure_firewall | Azure Firewall | protect | partial | T1590 | Gather Victim Network Information
    Comments: This control can prevent the gathering of victim network information via scanning methods but is not effective against methods such as Phishing, resulting in a Partial coverage score and an overall Partial score.

azure_firewall | Azure Firewall | protect | partial | T1590.004 | Network Topology
    Comments: This control can prevent attempts by an adversary to gather this information using active scanning methods but is not effective against gathering this information using phishing-related methods.

azure_firewall | Azure Firewall | protect | partial | T1590.005 | IP Addresses
    Comments: This control can prevent attempts by an adversary to gather this information using active scanning methods but is not effective against gathering this information using phishing-related methods.

azure_firewall | Azure Firewall | protect | partial | T1590.006 | Network Security Appliances
    Comments: This control can prevent attempts by an adversary to gather this information using active scanning methods but is not effective against gathering this information using phishing-related methods.

azure_firewall | Azure Firewall | protect | partial | T1595 | Active Scanning
    Comments: This control provides Partial protection for its sub-techniques, resulting in an overall Partial score.

azure_firewall | Azure Firewall | protect | partial | T1595.001 | Scanning IP Blocks
    Comments: This control's threat intelligence-based filtering feature can be enabled to alert and deny traffic from/to known malicious IP addresses and domains. The IP addresses and domains are sourced from the Microsoft Threat Intelligence feed. Because this protection is limited to known malicious IP addresses and domains and does not provide protection from such attacks from unknown domains and IP addresses, this is scored as partial coverage resulting in an overall Partial score.

azure_firewall | Azure Firewall | protect | partial | T1595.002 | Vulnerability Scanning
    Comments: This control's threat intelligence-based filtering feature can be enabled to alert and deny traffic from/to known malicious IP addresses and domains. The IP addresses and domains are sourced from the Microsoft Threat Intelligence feed. Because this protection is limited to known malicious IP addresses and domains and does not provide protection from such attacks from unknown domains and IP addresses, this is scored as partial coverage resulting in an overall Partial score.

azure_firewall | Azure Firewall | protect | partial | T1595.003 | Wordlist Scanning
    Comments: This control monitors for accesses of potentially sensitive web pages from source IP addresses whose access pattern resembles that of a web scanner or that have not been logged before. Temporal factor is unknown.

azure_firewall | Azure Firewall | protect | significant | T1557.003 | DHCP Spoofing
    Comments: This control can protect against DHCP spoofing by restricting DHCP traffic to trusted DHCP servers.

azure_firewall | Azure Firewall | protect | significant | T1571 | Non-Standard Port
    Comments: This control can limit access to the minimum required ports and therefore protect against adversaries attempting to use non-standard ports for C2 traffic.

Capabilities

Capability ID | Capability Name | Number of Mappings
azure_firewall | Azure Firewall | 30