🤖 AI Summary
Traditional firewalls in cloud environments struggle to detect zero-day attacks and advanced persistent threats (APTs). To address this, this paper proposes a cloud-native automated defense framework leveraging medium-to-high-interaction honeypots. The framework innovatively integrates the Cowrie honeypot with native Azure services—Azure Monitor, Microsoft Sentinel, and Logic Apps—to establish a closed-loop “deception–analysis–response” system. It employs honeypots for deceptive threat sensing, automatically maps and classifies attack behaviors using the MITRE ATT&CK framework, and dynamically updates firewall rules accordingly. Experimental evaluation demonstrates an average threat blocking latency of just 0.86 seconds, accurate identification of over 12,000 SSH-based attack attempts, significant reduction in attacker dwell time, and enhanced Security Operations Center (SOC) visibility and defensive scalability.
📝 Abstract
In cloud environments, conventional firewalls rely on predefined rules and manual configurations, limiting their ability to respond effectively to evolving or zero-day threats. As organizations increasingly adopt platforms such as Microsoft Azure, this static defense model exposes cloud assets to zero-day exploits, botnets, and advanced persistent threats. In this paper, we introduce an automated defense framework that leverages medium- to high-interaction honeypot telemetry to dynamically update firewall rules in real time. The framework integrates deception sensors (Cowrie), Azure-native automation tools (Monitor, Sentinel, Logic Apps), and MITRE ATT&CK-aligned detection within a closed-loop feedback mechanism. We developed a testbed to automatically observe adversary tactics, classify them using the MITRE ATT&CK framework, and mitigate network-level threats automatically with minimal human intervention.
To assess the framework's effectiveness, we defined and applied a set of attack- and defense-oriented security metrics. Building on existing adaptive defense strategies, our solution extends automated capabilities into cloud-native environments. The experimental results show an average Mean Time to Block of 0.86 seconds, significantly faster than benchmark systems, while accurately classifying over 12,000 SSH attempts across multiple MITRE ATT&CK tactics. These findings demonstrate that integrating deception telemetry with Azure-native automation reduces attacker dwell time, enhances SOC visibility, and provides a scalable, actionable defense model for modern cloud infrastructures.
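The abstract describes the loop only at a high level: Cowrie telemetry is collected, each event is mapped to a MITRE ATT&CK technique, a source is blocked once the evidence justifies it, and Mean Time to Block is measured from the triggering event to the rule being in effect. The following is an added, self-contained Python sketch of that loop; it is not the paper's testbed code and does not use Azure Monitor, Sentinel or Logic Apps. The Cowrie event and field names are those Cowrie writes to its JSON log; the ATT&CK mapping, the three-failure threshold, the NSG-style rule shape and the sample log lines are this example's own assumptions and constructed data.

```python
"""Toy deception-analysis-response loop over Cowrie JSON telemetry.

Added example, not the paper's code. Cowrie event IDs and field names match
Cowrie's JSON log; the ATT&CK mapping, the block policy and the NSG-shaped
rule are assumptions made here for illustration.
"""
import json
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Assumed mapping: Cowrie event ID -> (ATT&CK technique ID, name).
ATTACK_MAP = {
    "cowrie.login.failed": ("T1110.001", "Brute Force: Password Guessing"),
    "cowrie.login.success": ("T1078", "Valid Accounts"),
    "cowrie.command.input": ("T1059.004", "Command and Scripting Interpreter: Unix Shell"),
    "cowrie.session.file_download": ("T1105", "Ingress Tool Transfer"),
}

# Constructed Cowrie-style log lines (one JSON object per line); not real captures.
SAMPLE_LOG = """\
{"eventid":"cowrie.session.connect","src_ip":"198.51.100.7","timestamp":"2024-05-01T10:00:00.000000Z","session":"a1"}
{"eventid":"cowrie.login.failed","src_ip":"198.51.100.7","username":"root","password":"123456","timestamp":"2024-05-01T10:00:01.000000Z","session":"a1"}
{"eventid":"cowrie.login.failed","src_ip":"198.51.100.7","username":"root","password":"admin","timestamp":"2024-05-01T10:00:02.000000Z","session":"a1"}
{"eventid":"cowrie.login.failed","src_ip":"198.51.100.7","username":"root","password":"toor","timestamp":"2024-05-01T10:00:03.000000Z","session":"a1"}
{"eventid":"cowrie.login.success","src_ip":"203.0.113.9","username":"root","password":"root","timestamp":"2024-05-01T10:05:00.000000Z","session":"b2"}
{"eventid":"cowrie.command.input","src_ip":"203.0.113.9","input":"uname -a","timestamp":"2024-05-01T10:05:01.500000Z","session":"b2"}
{"eventid":"cowrie.session.file_download","src_ip":"203.0.113.9","url":"http://example.invalid/x","timestamp":"2024-05-01T10:05:03.000000Z","session":"b2"}
{"eventid":"cowrie.session.connect","src_ip":"192.0.2.44","timestamp":"2024-05-01T10:07:00.000000Z","session":"c3"}
{"eventid":"cowrie.session.closed","src_ip":"192.0.2.44","timestamp":"2024-05-01T10:07:05.000000Z","session":"c3"}
"""


def parse_cowrie(log_text):
    """Parse newline-delimited Cowrie JSON; a malformed line is skipped, not fatal."""
    events = []
    for line in log_text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            ev = json.loads(line)
        except json.JSONDecodeError:
            continue
        if all(k in ev for k in ("eventid", "src_ip", "timestamp")):
            events.append(ev)
    return events


def ts(ev):
    """Cowrie timestamps are ISO-8601 with microseconds and a trailing Z."""
    return datetime.strptime(ev["timestamp"], "%Y-%m-%dT%H:%M:%S.%fZ").replace(tzinfo=timezone.utc)


def evaluate(events, fail_threshold=3):
    """Streaming block policy: decide on the first event that justifies a block.

    A source is blocked when it reaches `fail_threshold` failed SSH logins
    (brute force) or performs any post-authentication activity in ATTACK_MAP.
    Events from an already-blocked source are ignored, as the rule would stop them.
    """
    fails, seen, decisions = defaultdict(int), defaultdict(set), {}
    for ev in sorted(events, key=ts):
        ip = ev["src_ip"]
        hit = ATTACK_MAP.get(ev["eventid"])
        if ip in decisions or not hit:
            continue
        seen[ip].add(hit[0])
        reason = None
        if ev["eventid"] == "cowrie.login.failed":
            fails[ip] += 1
            if fails[ip] >= fail_threshold:
                reason = f"{fails[ip]} failed SSH logins"
        elif hit[0] in ("T1059.004", "T1105"):
            reason = f"post-auth activity {hit[0]}"
        if reason:
            decisions[ip] = {"src_ip": ip, "techniques": sorted(seen[ip]),
                             "reason": reason, "triggered_at": ts(ev)}
    return list(decisions.values())


def nsg_deny_rule(decision, priority):
    """Deny rule in the shape of an Azure NSG securityRule (assumed, illustrative)."""
    return {
        "name": f"deny-{decision['src_ip'].replace('.', '-')}",
        "properties": {
            "priority": priority, "direction": "Inbound", "access": "Deny",
            "protocol": "Tcp", "sourceAddressPrefix": decision["src_ip"],
            "sourcePortRange": "*", "destinationAddressPrefix": "*",
            "destinationPortRange": "22",
            "description": f"{decision['reason']}; ATT&CK {','.join(decision['techniques'])}",
        },
    }


def simulate_apply(decisions, delays):
    """Stand-in for the firewall's 'rule in effect' timestamps (constructed delays)."""
    return {d["src_ip"]: d["triggered_at"] + timedelta(seconds=s)
            for d, s in zip(decisions, delays)}


def mean_time_to_block(decisions, applied_at):
    """Mean seconds from the triggering honeypot event to the rule taking effect."""
    deltas = [(applied_at[d["src_ip"]] - d["triggered_at"]).total_seconds()
              for d in decisions if d["src_ip"] in applied_at]
    return sum(deltas) / len(deltas) if deltas else None


def run_pipeline(log_text):
    """Telemetry -> ATT&CK-tagged block decisions -> firewall rules."""
    decisions = evaluate(parse_cowrie(log_text))
    return decisions, [nsg_deny_rule(d, 100 + i) for i, d in enumerate(decisions)]


if __name__ == "__main__":
    decisions, rules = run_pipeline(SAMPLE_LOG)
    for d in decisions:
        print(d["src_ip"], d["reason"], d["techniques"])
    print("MTTB:", mean_time_to_block(decisions, simulate_apply(decisions, (0.7, 1.0))))
```

The policy deliberately blocks on the first qualifying event rather than after a batch, since the metric the paper reports is latency from detection to enforcement; a sandbox-only source (192.0.2.44 above, which connects and leaves) produces no rule, which is the false-positive check a SOC would want before wiring such a decision to a production NSG.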