Microsoft has launched a new integration between Azure Firewall and Security Copilot, using generative AI to streamline threat investigations for cloud security teams.
This enhancement allows analysts to query malicious traffic data in natural language, reducing the need for complex manual searches.
By combining Azure Firewall’s intrusion detection and prevention system (IDPS) with Security Copilot’s AI capabilities, organizations can respond to threats faster and at scale.
The integration builds on Azure Firewall’s role as a cloud-native, stateful firewall service that protects Azure workloads with high availability and scalability.
It filters inbound and outbound traffic using application rules, network rules, and FQDN tags, while blocking known malicious IPs through built-in threat intelligence.
Security Copilot, an AI assistant for security operations, now pulls data from Azure Firewall’s structured logs stored in Log Analytics workspaces to provide insights without writing Kusto Query Language (KQL) scripts.
This setup requires proper configuration, including resource-specific IDPS logs and role-based access control (RBAC) permissions for users to access firewalls and logs.
Azure Firewall Integration In Microsoft Security Copilot
Security Copilot operates through two interfaces: the standalone portal at securitycopilot.microsoft.com or the embedded Azure Copilot in the Azure portal.
Analysts can enable the Azure Firewall plugin via the sources menu, ensuring no additional setup beyond logging and permissions.
Once activated, it leverages security compute units (SCUs) to process queries, with usage tied to the subscription’s allocated capacity.
For example, a prompt like “What are the top 20 IDPS hits from the last seven days for Firewall [name] in resource group [name]?” retrieves tabular log data on intercepted threats, including signature IDs, severity levels, and attack details.
Beyond basic retrieval, the integration enriches threat profiles by cross-referencing IDPS signatures with Microsoft Threat Intelligence.
Users can ask, “Explain why IDPS flagged this signature as high severity,” to get context on associated CVEs, attacker tactics, and related exploits.
Fleet-wide searches are also possible, such as “Was signature ID [number] seen by any other firewall in subscription [name] over the past week?” This scans across tenants, subscriptions, or resource groups to identify patterns in malicious traffic.
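The two prompts above map onto queries against the resource-specific IDPS table in the Log Analytics workspace. The following KQL is an added example, not from the article or from Microsoft's documentation, and is useful for checking a Copilot answer against the raw logs. It assumes the table AZFWIdpsSignature with the columns SignatureId, Description, Severity, Action, SourceIp and _ResourceId (verify against your workspace schema), that IDPS Action values are Alert or Deny, and uses placeholders in angle brackets for the subscription, resource group, firewall name and signature id. It goes slightly beyond the prompts by also counting blocked hits and distinct sources. Run the two queries separately.

```kusto
// Query 1: "What are the top 20 IDPS hits from the last seven days for
// Firewall <FIREWALL-NAME> in resource group <RG-NAME>?"
// _ResourceId is matched case-insensitively (=~) because Log Analytics
// stores it in lowercase.
AZFWIdpsSignature
| where TimeGenerated > ago(7d)
| where _ResourceId =~ "/subscriptions/<SUBSCRIPTION-ID>/resourceGroups/<RG-NAME>/providers/Microsoft.Network/azureFirewalls/<FIREWALL-NAME>"
| summarize Hits = count(),
            Blocked = countif(Action =~ "Deny"),   // assumed Action value for alert-and-block mode
            Sources = dcount(SourceIp),
            LastSeen = max(TimeGenerated)
    by SignatureId, Description, Severity
| top 20 by Hits desc

// Query 2: "Was signature ID <SIGNATURE-ID> seen by any other firewall in
// subscription <SUBSCRIPTION-ID> over the past week?"
// Grouping by _ResourceId gives one row per firewall that saw the signature.
AZFWIdpsSignature
| where TimeGenerated > ago(7d)
| where SignatureId == <SIGNATURE-ID>
| where _ResourceId startswith "/subscriptions/<SUBSCRIPTION-ID>/"
| summarize Hits = count(),
            FirstSeen = min(TimeGenerated),
            LastSeen = max(TimeGenerated)
    by _ResourceId, Severity, Action
| order by Hits desc
```

The second query is the fleet-wide form: dropping the subscription filter widens it to every firewall sending logs to the workspace, and a signature that appears on several firewalls with Action = Alert rather than Deny is a candidate for moving those rules to alert-and-block.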

Technical details cover the two IDPS modes: alert-only for monitoring, or alert-and-block for prevention, each carrying a different risk profile based on false positives and coverage.
Recommendations for securing environments come directly from documentation integration.
Prompts like “How do I protect against future attacks from this attacker?” suggest enabling IDPS alerts, updating policies, or applying global rules across firewalls.
Privacy is maintained by processing prompts, retrieved data, and outputs within the service, in line with Microsoft’s data security standards, so that none of it is exposed externally.
Feedback mechanisms, like thumbs up/down in Azure Copilot, help refine the AI’s accuracy.
This AI-driven approach addresses the challenges of hyperscale data in cloud environments, where manual triage of IDPS alerts can overwhelm teams.
By enabling natural language interactions, Microsoft empowers security professionals to focus on strategy rather than syntax, enhancing overall posture management and incident response.
Early adopters at Microsoft Ignite 2025 highlighted its role in accelerating threat hunting.
As cyber threats evolve, this integration positions Azure as a leader in intelligent network security.