Capability ID | Capability Description | Category | Value | ATT&CK ID | ATT&CK Name | Notes |
---|---|---|---|---|---|---|
azure_firewall | Azure Firewall | protect | partial | T1590 | Gather Victim Network Information | This control can prevent the gathering of victim network information via scanning methods but is not effective against methods such as phishing, resulting in a Partial coverage score and an overall Partial score. |
azure_firewall | Azure Firewall | protect | partial | T1590.004 | Network Topology | This control can prevent attempts by an adversary to gather this information using active scanning methods but is not effective against gathering this information using phishing-related methods. |
azure_firewall | Azure Firewall | protect | partial | T1590.005 | IP Addresses | This control can prevent attempts by an adversary to gather this information using active scanning methods but is not effective against gathering this information using phishing-related methods. |
azure_firewall | Azure Firewall | protect | partial | T1590.006 | Network Security Appliances | This control can prevent attempts by an adversary to gather this information using active scanning methods but is not effective against gathering this information using phishing-related methods. |
azure_firewall | Azure Firewall | protect | partial | T1595 | Active Scanning | This control provides Partial protection for its sub-techniques resulting in an overall Partial score. |
azure_firewall | Azure Firewall | protect | partial | T1595.001 | Scanning IP Blocks | This control's threat intelligence-based filtering feature can be enabled to alert and deny traffic from/to known malicious IP addresses and domains. The IP addresses and domains are sourced from the Microsoft Threat Intelligence feed. Because this protection is limited to known malicious IP addresses and domains and does not provide protection from such attacks from unknown domains and IP addresses, this is scored as partial coverage resulting in an overall Partial score. |
azure_firewall | Azure Firewall | protect | partial | T1595.002 | Vulnerability Scanning | This control's threat intelligence-based filtering feature can be enabled to alert and deny traffic from/to known malicious IP addresses and domains. The IP addresses and domains are sourced from the Microsoft Threat Intelligence feed. Because this protection is limited to known malicious IP addresses and domains and does not provide protection from such attacks from unknown domains and IP addresses, this is scored as partial coverage resulting in an overall Partial score. |
azure_firewall | Azure Firewall | protect | partial | T1133 | External Remote Services | This control can limit access to external remote services to the minimum necessary. |
azure_firewall | Azure Firewall | protect | partial | T1205 | Traffic Signaling | This control provides partial protection for this technique's sub-techniques and procedure examples resulting in a Partial score. |
azure_firewall | Azure Firewall | protect | partial | T1205.001 | Port Knocking | This control can protect against this sub-technique by enforcing limited access to only required ports. Consequently, even if the adversary is able to utilize port knocking to open additional ports at the host level, it is still blocked at the firewall service level. This service typically applies to external traffic and not internal traffic and therefore lateral movement using this technique within a network is still possible. Due to this partial coverage, it has been scored as Partial. |
azure_firewall | Azure Firewall | protect | partial | T1046 | Network Service Scanning | This control typically filters external network traffic and therefore can be effective for preventing external network service scanning but network service scanning originating from inside the trusted network is not mitigated. Due to this partial protection coverage, it has been scored as Partial protection. |
azure_firewall | Azure Firewall | protect | partial | T1018 | Remote System Discovery | This control typically filters external network traffic and therefore can be effective for preventing external remote system discovery but such activity originating from inside the trusted network is not mitigated. Due to this partial protection coverage, it has been scored as Partial protection. |
azure_firewall | Azure Firewall | protect | partial | T1008 | Fallback Channels | This control's threat intelligence-based filtering feature can be enabled to alert and deny traffic from/to known malicious IP addresses and domains. The IP addresses and domains are sourced from the Microsoft Threat Intelligence feed. Because this protection is limited to known malicious IP addresses and domains and does not provide protection from such attacks from unknown domains and IP addresses, this is scored as partial coverage resulting in an overall Partial score. |
azure_firewall | Azure Firewall | protect | partial | T1095 | Non-Application Layer Protocol | This control's threat intelligence-based filtering feature can be enabled to alert and deny traffic from/to known malicious IP addresses and domains. The IP addresses and domains are sourced from the Microsoft Threat Intelligence feed. Because this protection is limited to known malicious IP addresses and domains and does not provide protection from such attacks from unknown domains and IP addresses, this is scored as partial coverage resulting in an overall Partial score. Furthermore, it can be used to filter non-application layer protocol traffic such as ICMP. |
azure_firewall | Azure Firewall | protect | significant | T1571 | Non-Standard Port | This control can limit access to the minimum required ports and therefore protect against adversaries attempting to use non-standard ports for C2 traffic. |
azure_firewall | Azure Firewall | protect | partial | T1219 | Remote Access Software | This control can be used to limit outgoing traffic to only sites and services used by authorized remote access tools. This is scored as partial because it doesn't protect against an adversary using an authorized remote access tool for malicious activity. |
azure_firewall | Azure Firewall | protect | partial | T1048 | Exfiltration Over Alternative Protocol | This control provides partial protection for this technique's sub-techniques and some of its procedure examples resulting in an overall Partial score. |
azure_firewall | Azure Firewall | protect | partial | T1048.001 | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | This control's threat intelligence-based filtering feature can be enabled to alert and deny traffic from/to known malicious IP addresses and domains. The IP addresses and domains are sourced from the Microsoft Threat Intelligence feed. Because this protection is limited to known malicious IP addresses and domains and does not provide protection from such attacks from unknown domains and IP addresses, this is scored as partial coverage resulting in an overall Partial score. |
azure_firewall | Azure Firewall | protect | partial | T1048.002 | Exfiltration Over Asymmetric Encrypted Non-C2 Protocol | This control's threat intelligence-based filtering feature can be enabled to alert and deny traffic from/to known malicious IP addresses and domains. The IP addresses and domains are sourced from the Microsoft Threat Intelligence feed. Because this protection is limited to known malicious IP addresses and domains and does not provide protection from such attacks from unknown domains and IP addresses, this is scored as partial coverage resulting in an overall Partial score. |
azure_firewall | Azure Firewall | protect | partial | T1048.003 | Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol | This control's threat intelligence-based filtering feature can be enabled to alert and deny traffic from/to known malicious IP addresses and domains. The IP addresses and domains are sourced from the Microsoft Threat Intelligence feed. Because this protection is limited to known malicious IP addresses and domains and does not provide protection from such attacks from unknown domains and IP addresses, this is scored as partial coverage resulting in an overall Partial score. |