techcommunity.microsoft.com
2a02:26f0:3500:88d::207e
Public Scan
URL:
https://techcommunity.microsoft.com/t5/azure-network-security-blog/intrusion-detection-and-prevention-system-idps-based-on/ba-p/3921330
Submission: On October 01 via manual from IN — Scanned from DE
Form analysis
2 forms found in the DOM
Name: form_a1d8bb590017e — POST https://techcommunity.microsoft.com/t5/blogs/v2/blogarticlepage.searchformv32.form.form
Name: form — POST https://techcommunity.microsoft.com/t5/blogs/v2/blogarticlepage.searchformv32.form.form
Text Content
Intrusion Detection and Prevention System (IDPS) Based on Signatures

By Gustavo Modena (gusmodena, Microsoft)
Published Sep 07 2023 10:31 AM
28.7K Views

Written in collaboration between @andrewmathu and @gusmodena

Introduction

An Intrusion Detection and Prevention System (IDPS) is a vital component of modern cybersecurity strategy, designed to safeguard networks by actively monitoring and responding to potential security threats. Among the types of IDPS currently available, such as signature-based and anomaly-based, signature-based IDPS stands out as a reliable and efficient method for identifying known security risks. This blog delves into signature-based IDPS, with a specific focus on the Azure Firewall Premium IDPS.

Why is IDPS based on signatures important?

Signature-based IDPS leverages a signature database of well-known anomalies, attack patterns and exploits, making it best suited for identifying known cyber threats. Several benefits arise from this type of IDPS:

* Minimal False Positives: Through precise pattern matching, the likelihood of false positive alerts is minimized. This accuracy helps security teams focus their efforts on legitimate threats.
* Rapid Detection: Signature-based IDPS excels in swiftly recognizing established attack patterns, ensuring that potential threats are identified in real time.
* Comprehensive Analysis: The system conducts in-depth analyses of various attack vectors, pinpointing specific patterns of malicious behavior.

The above attributes and benefits are important as they allow security administrators to tune, organize and implement effective security controls.

How does it work?

At its core, signature-based IDPS operates by comparing network traffic against an extensive database of known attack signatures:

* Packet Inspection: Incoming and outgoing packets of data are subjected to thorough inspection and analyzed to reveal their underlying characteristics.
* Signature Matching: The analyzed packets are then matched against a repository of recognized attack patterns, looking for a "signature" that matches any of the known threats.
* Alert Generation: Should the system discover a match, it promptly generates an alert, notifying administrators about the potential threat.
* Blocking: Once the system finds a match, it promptly blocks the traffic, protecting the network against potential threats.

Examples:

An example of a signature-based IDPS is the IDPS that runs in Azure Firewall Premium. Azure Firewall Premium provides advanced threat protection that meets the needs of sensitive and regulated environments, such as the payment and healthcare industries. Organizations can use the Azure Firewall Premium SKU features such as IDPS and TLS inspection to prevent exploits and malware from spreading across networks in ingress, egress, and internal directions.

The IDPS capabilities of Azure Firewall encompass more than fifty categories with over 67,000 signature rules. The range of detection categories comprises malware command and control, phishing, trojans, botnets, informational events, exploits, vulnerabilities, SCADA network protocols, exploit kit activity, and numerous others. The Azure Firewall IDPS signatures are continuously updated in real time to ensure protection against the latest zero-day threats.

The Azure Firewall IDPS signatures can be applied based on the traffic direction: inbound, spoke-to-spoke (East-West) and outbound traffic.

Azure Firewall Premium IDPS: Mitigating Scanning Attacks

In this section, we look at how the Azure Firewall Premium IDPS detects and blocks attacks, specifically scanner attacks. Consider a scenario where an attacker aims to exploit vulnerabilities by conducting scanning attacks using a tool like Nmap.

Nmap, short for Network Mapper, is an open-source Linux command-line tool. It facilitates broad network exploration by enabling users to scan IP addresses and ports, revealing active devices, accessible services, and potential vulnerabilities.

In our setup, we have deployed the following to illustrate the scenario:

1. Azure Firewall Premium.
2. A web application that runs on a Windows Virtual Machine.
3. A Linux virtual machine to simulate the scan attack using the Nmap utility tool (a Windows-based GUI version of Nmap is also available).

Azure Firewall Setup

To provide access to the web application, Azure Firewall Premium has been deployed with DNAT rules that translate traffic arriving on the firewall's public IP address to the backend web application.

The Azure Firewall IDPS is activated by navigating to the Firewall Policy, then Settings, and clicking on IDPS. Three modes are available as seen in the diagram below. In our setup, we are using the IDPS in Alert and deny mode. In this mode the IDPS engine scans all requests inline. We recommend having IDPS in Alert and deny mode to scan and block any suspicious traffic.

By default, some signatures are set to Alert mode even though the global configuration is set to Alert and deny. If you would like to change the mode of individual signatures, you can use signature overrides by selecting and editing the signatures. In this blog post we are using signature overrides for the signatures below:

* 2009358
* 2010935
* 2023753
* 2036252

If you are using multiple signature overrides, a better way to list the signatures and see which mode is assigned to each one is to run the following Az CLI command:

    az network firewall policy intrusion-detection list --policy-name <Your Policy Name> --resource-group <Your RG Name>

Once the command runs successfully, this is what the result will look like:

Web Application Setup:

The web application runs in a Windows virtual machine and listens to traffic on ports 80 (HTTP) and 443 (HTTPS). There are other services running on the same virtual machine: 3389 (RDP) and 1433 (SQL Server). These ports are published over the internet and are accessed via the Azure Firewall public IP address configured in the DNAT rules illustrated previously.

Scanning Detection:

With the above setup, the next step is to simulate the scan attack and its detection. From the Linux machine, we run the command below to begin the scan:

    sudo nmap <IP Address or URL> -A

The command performs a comprehensive network scan on the specified IP address using the Nmap tool. The "-A" flag enables a series of aggressive scan options that include:

* Operating System Detection.
* Version Detection.
* Script Scanning (runs scripts against the target to gather additional information and potentially identify vulnerabilities or misconfigurations).
* Traceroute.

The command is run targeting our web application public IP address, with the output displayed as shown below:

Since there are DNAT rules allowing traffic from our Linux virtual machine public IP to different ports, as demonstrated in the DNAT rules previously, the Nmap result will list the ports and show some information from the Windows virtual machine. The IDPS in this case will alert and deny any request that matches the signatures. This will be seen in the firewall logs.

If we run the same command with IDPS mode set to disabled or alert, we will have some additional details in the results, since the scripts are not being blocked by IDPS.

Now let's check the logs and see what requests have been dropped. To check the logs, we use the following KQL query:

    AZFWIdpsSignature
    | where SourceIp contains "<Public IP of the Linux VM>"
    | summarize by SignatureId, DestinationPort, Action, Severity, Description
    | order by Severity asc

In the logs we can find which signature IDs have been triggered, as well as the Destination Port, Action, Severity, and Description.

Each signature has an associated severity level and an assigned priority that indicates the probability that the signature is an actual attack.

* Low (priority 3): An abnormal event is one that doesn't normally occur on a network, or informational events are logged. The probability of attack is low.
* Medium (priority 2): The signature indicates an attack of a suspicious nature. The administrator should investigate further.
* High (priority 1): The attack signatures indicate that an attack of a severe nature is being launched. There's little probability that the packets have a legitimate purpose.

Conclusion

An Intrusion Detection and Prevention System (IDPS) based on signatures is an important security solution that helps to identify known cyber threats by comparing network data to a predetermined list of known indicators of compromise. It is quick, effective, and has an insignificant risk of raising false alarms. The Azure Firewall Premium IDPS plays a critical role in stopping significant threats by leveraging its base of signature rules, making it an indispensable tool in safeguarding your Azure environment.

Resources

* Azure Firewall Premium – Azure Firewall Premium features | Microsoft Learn
* Azure Firewall IDPS Signatures – Azure Firewall IDPS signature rule categories | Microsoft Learn

Gustavo Modena

1 Comment

Dean_Gross (Silver Contributor), Sep 09 2023 10:18 AM:
Does this get any information from Defender for Threat Intelligence?

Co-Authors: gusmodena, andrewmathu
Version history: Last update: Sep 08 2023 02:25 AM. Updated by: andrewmathu
Labels: Azure Firewall (62), Azure Network Security (103)