Bringing generative AI to Azure network security with new Microsoft Copilot integrations

Today we are excited to announce the Azure Web Application Firewall (WAF) and Azure Firewall integrations in the Microsoft Copilot for Security standalone experience. This is the first step we are taking toward bringing interactive, generative AI-powered capabilities to Azure network security.

Copilot empowers teams to protect at the speed and scale of AI by turning global threat intelligence (78 trillion or more security signals), industry best practices, and organizations’ security data into tailored insights. With the growing cost of security breaches, organizations need every advantage to protect against skilled and coordinated cyber threats. To see more and move faster, they need generative AI technology that complements human ingenuity and refocuses teams on what matters. A recent study shows that:

  • Experienced security analysts were 22% faster with Copilot.
  • They were 7% more accurate across all tasks when using Copilot.
  • And, most notably, 97% said they want to use Copilot the next time they do the same task.

Azure network security

Protect your applications and cloud workloads with network security services

Generative AI for Azure network security

Azure WAF and Azure Firewall are critical security services that many Microsoft Azure customers use to protect their network and applications from threats and attacks. These services offer advanced threat protection using default rule sets as well as detection and protection against sophisticated attacks using rich Microsoft threat intelligence and automatic patching against zero-day vulnerabilities. These systems process huge volumes of packets, analyze signals from numerous network resources, and generate vast amounts of logs. To reason over terabytes of data and cut through the noise to detect threats, analysts spend several hours if not days performing manual tasks. In addition to the scale of data there is a real shortage of security expertise. It is difficult to find and train cybersecurity talent and these staff shortages slow down responses to security incidents and limit proactive posture management. 

With our announcement of Azure WAF and Azure Firewall integrations in Copilot for Security, organizations can empower their analysts to triage and investigate hyperscale data sets seamlessly to find detailed, actionable insights and solutions at machine speeds using a natural language interface with no additional training. Copilot automates manual tasks and helps upskill Tier 1 and Tier 2 analysts to perform tasks that would otherwise be reserved for more experienced Tier 3 or Tier 4 professionals, redirecting expert staff to the hardest challenges, thus elevating the proficiency of the entire team. Copilot can also easily translate threat insights and investigations into natural language summaries to quickly inform colleagues or leadership. The organizational efficiency gained by Copilot summarizing vast data signals to generate key insights into the threat landscape enables analysts to outpace adversaries in a matter of minutes instead of hours or days.

graphical user interface
How Copilot for Security works with the Azure Firewall and Azure WAF plugins.

Azure Web Application Firewall integration in Copilot

Today, Azure WAF generates detections for a variety of web application and API security attacks. These detections generate terabytes of logs that are ingested into Log Analytics. While the logs give insights into the Azure WAF actions, it is a non-trivial and time-consuming activity for an analyst to understand the logs and gain actionable insights.

The Azure WAF integration in Copilot for Security helps analysts perform contextual analysis of the data in minutes. Specifically, it synthesizes data from Azure Diagnostics logs to generate summarization of Azure WAF detections tailored to each customer’s environment. The key capabilities include investigation of security threats—including analyzing WAF rules triggered, investigating malicious IP addresses, analyzing SQL Injection (SQLi) and Cross-site scripting (XSS) attacks blocked by WAF, and natural language explanations for each detection.

By asking a natural-language question about these attacks, the analyst receives a summarized response that includes details about why that attack occurred and equips the analyst with enough information to investigate the issue further. In addition, with the assistance of Copilot, analysts can retrieve information on the most frequently offending IP addresses, identify top malicious bot attacks, and pinpoint the managed and custom Azure WAF rules that have been triggered most frequently within their environment.

graphical user interface, text, application
A sneak peek at the Azure WAF integration in Copilot for Security.

Azure Firewall integration in Copilot

Azure Firewall intercepts and blocks malicious traffic using the intrusion detection and prevention system (IDPS) feature today. However, when analysts need to perform a deeper investigation of the threats that Azure Firewall catches using this feature, they need to do this manually—which is a non-trivial and time-consuming task. The Azure Firewall integration in Copilot helps analysts perform these investigations with the speed and scale of AI.

The first step in an investigation is to pick a specific Azure Firewall and see the threats it has intercepted. Analysts today spend hours writing custom queries or navigating through several manual steps to retrieve threat information from Log Analytics workspaces. With Copilot, analysts just need to ask about the threats they’d like to see, and Copilot will present them with the requested information.

The next step is to better understand the nature and impact of these threats. Today, analysts must retrieve additional contextual information such as geographical location of IPs, threat rating of a fully qualified domain name (FQDN), details of common vulnerabilities and exposures (CVEs) associated with an IDPS signature, and more manually from various sources. This process is slow and involves a lot of effort. Copilot pulls information from the relevant sources to enrich your threat data in a fraction of the time.

Once a detailed investigation has been performed for a single Azure Firewall and single threat, analysts would like to determine if these threats were seen elsewhere in their environment. All the manual work they performed for an investigation for a single Azure Firewall is something they would have to repeat fleet wide. Copilot can do this at machine speed and help correlate this information with other security products integrated with Copilot to better understand how attackers are targeting their entire infrastructure.

graphical user interface, text, website
A sneak peek at the Azure Firewall integration in Copilot for Security.

Looking forward

The future of technology is here, and users will increasingly expect their network security products to be AI enabled; and Copilot positions organizations to fully leverage the opportunities presented by the emerging era of generative AI. The integrations announced today combine Microsoft’s expertise in security with state-of-the-art generative AI packaged together in a solution built with security, privacy, and compliance at its heart to help organizations better defend themselves from attackers while keeping their data completely private.

Getting access

We look forward to continuing to integrate Azure network security into Copilot to make it easier for our customers to be more productive and be able to quickly analyze threats and mitigate vulnerabilities ahead of their adversaries. These new capabilities in Copilot for Security are already being used internally by Microsoft and a small group of customers. Today, we’re excited to announce the upcoming public preview. We expect to launch the preview for all customers for Azure WAF and Azure Firewall at Microsoft Build on May 21, 2024. In the coming weeks, we’ll continuously add new capabilities and make improvements based on your feedback.

Please stop by the Copilot for Security booth at RSA 2024 to see a demo of these capabilities today, express interest for early access, and read about additional Microsoft announcements at RSA.