Block IP - Azure Firewall IP groups



This playbook blocks or allows IP addresses in Azure Firewall by editing IP Groups. Changes are made to the IP Groups, which are attached to firewall rules, rather than directly to the Azure Firewall, and the same IP Group can be reused by multiple firewalls. Learn more about IP Groups in Azure Firewall

Attribute   Value
Type        Playbook
Solution    Azure Firewall
Source      View on GitHub

Logic App Connectors

This playbook uses 4 Logic App connectors / built-in actions:

Connector / Action          Type      Connections   Actions
azuresentinel               Managed   1             4
teams                       Managed   1             0
virustotal                  Managed   1             1
AzureFirewallConnector      Custom    1             3
Action parameters (URLs, paths, function IDs)

azuresentinel (Managed)

Action Method Endpoint Other
Entities_-_Get_IPs post /entities/ip
Add_comment_to_incident_with_the_Virus_Total_report_and_the_action_taken_ post /Incidents/Comment
Update_incident put /Incidents
Add_comment_to_incident_(V3) post /Incidents/Comment

virustotal (Managed)

Action Method Endpoint Other
Ip_scan_report_V3 get /api/v3/ip_addresses/@{encodeURIComponent(items('For_each_Malicious_IP_Address_Entity_present_in_the_Incident')?['Address'])}

AzureFirewallConnector (Custom)

Action Method Endpoint Other
Creates_or_updates_an_ipGroups_in_a_specified_resource_group put /subscriptions/@{encodeURIComponent(triggerBody()?['workspaceInfo']?['SubscriptionId'])}/resourceGroups/@{encodeURIComponent(triggerBody()?['workspaceInfo']?['ResourceGroupName'])}/providers/Microsoft.Network/ipGroups/@{encodeURIComponent(body('Post_an_Adaptive_Card_to_a_Teams_channel_and_wait_for_a_response')?['data']?['IPGroupSelectedVal'])}
Gets_the_specified_ipGroups get /subscriptions/@{encodeURIComponent(triggerBody()?['workspaceInfo']?['SubscriptionId'])}/resourceGroups/@{encodeURIComponent(triggerBody()?['workspaceInfo']?['ResourceGroupName'])}/providers/Microsoft.Network/ipGroups/@{encodeURIComponent(body('Post_an_Adaptive_Card_to_a_Teams_channel_and_wait_for_a_response')?['data']?['IPGroupSelectedVal'])}
Gets_all_IpGroups_in_a_resource_group get /subscriptions/@{encodeURIComponent(triggerBody()?['workspaceInfo']?['SubscriptionId'])}/resourceGroups/@{encodeURIComponent(triggerBody()?['workspaceInfo']?['ResourceGroupName'])}/providers/Microsoft.Network/ipGroups

Additional Documentation

📄 Source: AzureFirewall-BlockIP-addToIPGroup/readme.md

Block IP by adding IP Address to IP Groups

Summary

This playbook blocks or allows IP addresses in Azure Firewall using IP Groups. Changes are made to the IP Groups, which are attached to firewall rules, rather than directly to the Azure Firewall, and the same IP Group can be reused by multiple firewalls. Learn more about IP Groups in Azure Firewall

When a new Microsoft Sentinel incident is created, this playbook is triggered and performs the following actions:

  1. An adaptive card is sent to the SOC channel providing the IP address and the VirusTotal report, showing the list of existing firewalls in the resource group, and offering the option to add the IP address to an IP Group or to ignore it.
  2. If the SOC user confirms, the IP address is added to the IPAddress section of the selected IP Group, and the incident is updated with the endpoint information, a summary of the action taken and the VirusTotal scan report.
  3. Otherwise, the incident is updated with the endpoint information and a summary of the action taken.
  4. The firewall tags are updated with "configuration" as the key and "sentinel" as the value.
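The connector table above shows that the playbook reads an IP Group with GET and writes it back with PUT on the same Microsoft.Network/ipGroups path, and step 2 describes adding the address to that group. The point worth seeing in code is that PUT on a Resource Manager resource replaces the whole resource, so the address list has to be read and merged first or previously blocked addresses are silently dropped. The following is an added example, not code from the playbook or from the Azure Firewall connector: the path builder mirrors the endpoints in the table, the body shape (location, properties.ipAddresses) follows the Azure IP Groups resource schema, and FakeArmClient, add_ip_to_group, list_ipgroups and the MAX_PREFIX_HOSTS bound are assumptions constructed for this example so it runs offline.

```python
import copy
import ipaddress
from typing import Dict, List, Optional, Tuple

# Widest prefix this example is willing to put into a block list. This is an
# assumed safety policy for the example; the playbook itself only handles
# single addresses taken from incident entities.
MAX_PREFIX_HOSTS = 2 ** 16  # an IPv4 /16


def ipgroup_path(subscription_id: str, resource_group: str,
                 ipgroup_name: Optional[str] = None) -> str:
    """Build the Resource Manager path the custom connector actions call.

    Without a name it is the "Gets all IpGroups in a resource group" path;
    with a name it is the GET/PUT path for a single IP Group.
    """
    base = (f"/subscriptions/{subscription_id}/resourceGroups/{resource_group}"
            "/providers/Microsoft.Network/ipGroups")
    return base if ipgroup_name is None else f"{base}/{ipgroup_name}"


class FakeArmClient:
    """In-memory stand-in for the GET/PUT calls (constructed for this example)."""

    def __init__(self) -> None:
        self.resources: Dict[str, dict] = {}

    def get(self, path: str) -> dict:
        # Raises KeyError when the group does not exist, like a 404 would
        return copy.deepcopy(self.resources[path])

    def put(self, path: str, body: dict) -> dict:
        # PUT replaces the whole resource, including the ipAddresses list
        self.resources[path] = copy.deepcopy(body)
        return copy.deepcopy(body)


def list_ipgroups(client: FakeArmClient, subscription_id: str,
                  resource_group: str) -> List[str]:
    """Names of the IP Groups in the resource group (what the card offers)."""
    prefix = ipgroup_path(subscription_id, resource_group) + "/"
    return sorted(p[len(prefix):] for p in client.resources if p.startswith(prefix))


def add_ip_to_group(client: FakeArmClient, subscription_id: str,
                    resource_group: str, ipgroup_name: str,
                    ip_text: str) -> Tuple[dict, bool]:
    """Read-merge-write of one address into an IP Group.

    Returns (resulting resource body, whether anything changed). Malformed
    input raises ValueError, as does a prefix broader than MAX_PREFIX_HOSTS.
    """
    ip = ipaddress.ip_network(ip_text.strip(), strict=False)
    if ip.num_addresses > MAX_PREFIX_HOSTS:
        raise ValueError(f"refusing to block {ip}: prefix too broad")
    path = ipgroup_path(subscription_id, resource_group, ipgroup_name)
    group = client.get(path)
    addresses = group.setdefault("properties", {}).setdefault("ipAddresses", [])
    # Compare as networks so "203.0.113.7" and "203.0.113.7/32" count as one entry
    if any(ipaddress.ip_network(a, strict=False) == ip for a in addresses):
        return group, False
    addresses.append(ip_text.strip())
    return client.put(path, group), True


if __name__ == "__main__":
    # Constructed sample: one existing group with one address already blocked
    client = FakeArmClient()
    client.put(ipgroup_path("sub-example", "rg-sentinel", "blocked-ips"),
               {"location": "eastus", "properties": {"ipAddresses": ["203.0.113.7"]}})
    print("groups offered:", list_ipgroups(client, "sub-example", "rg-sentinel"))
    body, changed = add_ip_to_group(client, "sub-example", "rg-sentinel",
                                    "blocked-ips", "198.51.100.20")
    print("changed:", changed, "addresses:", body["properties"]["ipAddresses"])
    _, changed = add_ip_to_group(client, "sub-example", "rg-sentinel",
                                 "blocked-ips", "198.51.100.20/32")
    print("second add changed:", changed)
```

Running it against a real subscription means replacing FakeArmClient with authenticated Resource Manager calls made by the Service Principal the prerequisites describe; the merge logic and the duplicate check stay the same.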

Add IP Address to IP Groups

This is the adaptive card the SOC will receive when the playbook is triggered:

Adaptive Card example

Comment example:

Comment example

Prerequisites

  1. The Azure Firewall connector needs to be deployed under the same subscription before this playbook is deployed. Relevant instructions can be found in the connector doc page.

  2. The Azure Firewall connector needs to be authenticated with a Service Principal that has permissions over Azure Firewall. Relevant instructions can be found in the connector doc page.

  3. This playbook queries the IP Groups that exist in the resource group of the Microsoft Sentinel workspace. Make sure to create IP Groups and attach them to Azure Firewall rules before running the playbook. You can change the source of the IP Groups in the playbook itself after deployment.

  4. Permissions required for this playbook: the playbook gets and updates IP Groups, so the registered application/Service Principal that is authenticated to the connector needs the following RBAC role:

    • Contributor on the IP Groups in the Microsoft Sentinel resource group.

  5. To use the VirusTotal connector, get your VirusTotal API key: how to generate the API Key

Deployment instructions

  1. Deploy the playbook by clicking on "Deploy to Azure" button. This will take you to deploying an ARM Template wizard.

Deploy to Azure Deploy to Azure Gov

  2. Fill in the required parameters:
    • Playbook Name: Enter the playbook name here (ex: AzureFirewall-BlockIP-addToIPGroup)
    • Teams GroupId: Enter the Teams group id to send the adaptive card to
    • Teams ChannelId: Enter the Teams channel id to send the adaptive card to. Refer to the link below to get the channel id and group id
    • ClientId: Enter the ClientId of the application
    • ClientSecret: Enter the Client secret of the application

Post-Deployment instructions

a. Authorize connections

Once deployment is complete, you will need to authorize each connection.

  1. Click the Microsoft Sentinel connection resource

  2. Click edit API connection

  3. Click Authorize

  4. Sign in

  5. Click Save

  6. Repeat the steps for the other connections, such as the Teams connection and VirusTotal (for authorizing the VirusTotal API connection, the API key needs to be provided)

  7. Authorize the Azure Firewall custom connector by following the below mentioned steps.

    a. Navigate to playbook

    b. Click Edit

    c. Find the actions named "Gets all IpGroups in a resource group", "Gets the specified ipGroups" and "Creates or updates an ipGroups in a specified resource group" in the workflow.

[Content truncated...]

