1.Azure Firewall doesn't alert on all known port scanners; only on scanners that are known to also engage in malicious activity.
2.Apologies for the inconvenience. This has been a long-time ask to change this URL as it is not working "testmaliciousdomain.eastus.cloudapp.azure.com". Will work with respective team to provide a quick PR on the doc with working links.
3.When a DNAT rule is matched, an implicit corresponding network rule to allow the translated traffic is added.
4.Need to do a repro to see this abnormal behavior. Will revert on this.
5.Could you please be more specific on this ask? Are you looking for NSG flow logs model here? AFAIK, this feature is not yet available from Firewall team.
Please do not forget to "Accept the answer" wherever the information provided helps you to help others in the community.