Azure integration

Azure Web Application Firewall (WAF) is a cloud-based service from Microsoft Azure that helps protect web applications from common web threats and attacks. It acts as a reverse proxy and inspects incoming web traffic to your web applications, filtering out malicious requests and traffic before they reach your application servers. Traceable integrates with Azure’s WAF to block IP addresses and threat actors.

What will you learn in this topic?

By the end of this topic, you will be able to understand:

• An overview of the steps required to set up the Azure integration.

• The prerequisites for setting up the integration.

• The detailed steps for the integration.

Integration Overview

This section provides high-level information on integrating Azure WAF with Traceable and managing threats.

1. Installation — Traceable allows you to choose from an agent-less or agent-based deployment option. For more information on Traceable agents, see Installation.

2. Integration Setup — After deploying the agent, you can retrieve the credentials and configure the Azure integration. To do so, you must complete the following steps:

   1. Prerequisites — Log in to your Azure account and retrieve the necessary credentials, including the Azure tenant ID, subscription ID, client ID, and client secret. For more information, see Before you begin.

   2. Integration — After obtaining the credentials from the previous steps, navigate to the Traceable platform and configure the integration. For more information, see Set up the integration.

3. Threat Management — After setting up the integration, you can establish rules to allow, block, or monitor IP addresses according to your specific requirements. Traceable's integration with Azure WAF supports the following two types of rules:

   1. Threat Actors — Any status change of threat actor on the Traceable Platform is propagated to Azure WAF. For example, if Traceable detects a threat actor and changes it to a deny state, then the requests from this threat actor can be blocked using Azure. Traceable recommends going through the allow list conditions before creating any IP-range rules. Traceable allows creating allowlists using allowed and snoozed states, and supports blocking using deny and suspended states under threat actors. For more information, see IP address allowlist. Moreover, if you make any changes, such as adding a threat actor to the allowlist or resolving the status, these changes are reflected in Azure within a few minutes.

   2. Malicious Source Rules (IP Range only) — If you configure any malicious source rules under Protection → Policies → Custom Policies → Malicious Sources tab to enforce blocking or allow for IP ranges to be executed through Azure.

      Note

      Traceable’s Azure integration does not block IP addresses with x-forwarded-for and x-real-ip headers.

The following is a high-level integration diagram:

Before you begin

Make a note of the following before proceeding with the integration steps:

• Tenant ID — In Microsoft Azure, a Tenant ID, also known as a Directory ID or a Directory Tenant ID, is a unique identifier for an Azure Active Directory (Azure AD) tenant. Azure AD is Microsoft's identity and access management service, which manages and secures access to Azure resources. To retrieve the Tenant ID, see Tenant ID.

• Client ID — A Client ID, or an Application ID, is a unique identifier associated with an application or service registered in Azure AD. This Client ID uniquely identifies and authenticates the application when it interacts with Azure AD for various purposes.

• Client Secret — A secret key associated with the Azure app registration, used by Traceable to obtain access tokens and authenticate API requests.

• Azure Subscription ID — An Azure Subscription ID is a unique identifier associated with a specific Azure subscription. You can find your Azure Subscription ID in the Azure portal, typically in the subscription section. To retrieve the Tenant ID, see Subscription ID.

• Reasonable knowledge of Azure WAF and policies in Azure.

• The policies set by Traceable begin with the prefix Traceable.

Set up the integration

To configure a new Azure integration, navigate to the Integrations page from the bottom left corner of your Traceable account, and do one of the following:

• Search for Azure in the search bar.

• Navigate to WAF → Azure

In the Azure WAF widget, click Configure, and in the Add New Azure Integration window, complete the following steps:

1. Integration Name — A unique name for your integration, for example, Azure_WAF.

2. (Optional) Description — A summary for your integration, for example, Traceable_integration.

3. Environments — The environment for which you wish to integrate Azure from the drop-down list. These environments could be, for example, production or QA. You can choose one or more environments, or all of them.

4. Azure Tenant ID — The unique identifier associated with your Azure Active Directory tenant. For more information, see Before you begin.

5. Azure Subscription ID — The unique identifier associated with your Azure subscription. For more information, see Before you begin.

6. Azure environment — The Azure cloud environment used for the integration, such as Azure, China, or the US government.

7. Client ID — The unique identifier associated with the registered Azure application. For more information, see Before you begin.

8. Client Secret — The secret key generated during Azure application registration and used for secure authentication.

Azure Policy Details

Provide the following policy details for Azure. When you provide the policy name, make sure that you already have a corresponding policy in Azure with the same name. Traceable uses this policy and adds custom rules.

9. Azure WAF Policy Type — The type of Azure WAF policy used for the integration from one of the WAF options —  Global WAF (Front Door) or Regional WAF (Application Gateway). Choose the policy based on the type of policy you have chosen in Azure.

10. Policy Name — The name of the existing Azure WAF policy associated with the selected Global WAF or Regional WAF configuration of the existing policies associated with the respective Global WAF or Regional WAF.

11. Resource Group Name — The name of the Azure resource group associated with the selected WAF policy, for example, QA_group.

12. Click Test Connection to test the connection with Azure.

13. Click Save only after a successful test connection.

Note

You can add one or more than one integration. The same policies are pushed to all the integrations.

To verify the integration, check the rules in your Azure security policy.

Manage configured integration

After configuring the integration, you can view the Azure WAF Integration under Configured WAF Integrations. Traceable gives you the flexibility to control how the integration operates. You can choose either of the following actions using the drop-down, according to your requirements:

• Enabled — You allow Traceable to actively update the WAF with the latest rules to enforce protection and monitor or block threats. When enabled, Traceable continuously sends new rules and updates to the WAF based on policy activity, helping enforce protections with the latest threat information and block suspicious traffic.

• Disabled — You stop Traceable from updating the WAF, so it no longer enforces new protections for that environment or region. When disabled, Traceable stops sending new rules and updates to the WAF for the selected environment or region, while other environments continue using their existing integration settings without impact. The WAF continues to enforce existing rules based on their last applied state, without receiving new updates. Traceable continues to detect and evaluate threats, but it does not enforce them through WAF.