Azure Firewall - Add IP Address to Threat Intel Allow list

Browse: 🏠 · Solutions · Connectors · Methods · Tables · Content · Parsers · ASIM Parsers · ASIM Products · Logic Apps · 📊

Back to Content Index

This playbook allows the SOC to automatically response to Microsoft Sentinel incidents which includes IPs, by adding the IPs to the TI Allow list in Azure Firewall Policy.

Attribute Value
Type Playbook
Solution Azure Firewall
Source View on GitHub

Logic App Connectors

This playbook uses 4 Logic App connectors / built-in actions:

Connector / Action Type Connections Actions
azuresentinel Managed 1 4
teams Managed 1 0
virustotal Managed 1 1
AzureFirewallConnector Custom 1 3
Action parameters (URLs, paths, function IDs)

azuresentinel (Managed)

Action Method Endpoint Other
Add_comment_to_incident_with_the_endpoint_information_and_action_taken post /Incidents/Comment
Update_incident put /Incidents
Add_comment_to_incident_(V3) post /Incidents/Comment
Entities_-_Get_IPs post /entities/ip

virustotal (Managed)

Action Method Endpoint Other
Ip_scan_report_V3 get /api/v3/ip_addresses/@{encodeURIComponent(items('Each_malicious_IP_Address_Entity_present_in_the_Incident')?['Address'])}

AzureFirewallConnector (Custom)

Action Method Endpoint Other
Creates_or_updates_the_specified_Firewall_Policy put /subscriptions/@{encodeURIComponent(triggerBody()?['workspaceInfo']?['SubscriptionId'])}/resourceGroups/@{encodeURIComponent(outputs('Resource_Group_name'))}/providers/Microsoft.Network/firewallPolicies/@{encodeURIComponent(outputs('Firewall_policy_name'))}
Gets_the_specified_Firewall_Policy get /subscriptions/@{encodeURIComponent(triggerBody()?['workspaceInfo']?['SubscriptionId'])}/resourceGroups/@{encodeURIComponent(outputs('Resource_Group_name'))}/providers/Microsoft.Network/firewallPolicies/@{encodeURIComponent(outputs('Firewall_policy_name'))}
Gets_all_the_Firewall_Policies_in_a_subscription get /subscriptions/@{encodeURIComponent(triggerBody()?['workspaceInfo']?['SubscriptionId'])}/providers/Microsoft.Network/firewallPolicies

Additional Documentation

📄 Source: AzureFirewall-AddIPtoTIAllowList/readme.md

Summary

This playbook allows the SOC to automatically response to Microsoft Sentinel incidents which includes IPs, by adding the IPs to the TI Allow list in Azure Firewall Policy. Learn more about Threat Intelligence in Azure Firewall Policies

When a new Microsoft Sentinel is created,this playbook gets triggered and performs below actions:

  1. An adaptive card is sent to the SOC channel providing IP address, Virus Total report , showing list of existing firewalls in the Resource group and providing an option to block IP address or Ignore.
  2. If SOC user confirms yes, the IP Address gets added to Threat Intel Allow list and incident will get updates with endpoint information, summary of the action taken.
  3. Else, incident will get updates with endpoint information and summary of the action taken.
  4. Update the firewall tags "configuration" as key and "sentinel" as value.

IP Address to add Threat Intel Allow List

This is the adaptive card SOC will recieve when playbook is triggered:

Adaptive Card example

Comment example:

Comment example

Prerequisites

  1. This playbook template is based on Microsoft Sentinel Incident Trigger which is currently in Private Preview (Automation Rules). You can change the trigger to the Sentinel Alert trigger in cases you are not part of the Private Preview.

  2. Azure Firewall connector needs to be deployed prior to the deployment of this playbook under the same subscription. Relevant instructions can be found in the connector doc page.

  3. Azure Firewall connector need to be authenticated with a Service Principal that has permissions over Azure Firewall. Relevant instructions can be found in the connector doc page.

  4. This playbook will add new rules to existing Network Collections in Azure Firewalls in your subscription. Make sure you have such prior to running the playbook.

  5. Permissions required for this playbook
    This playbook Gets and Updates Azure Firewall Policies in the subscription of Microsoft Sentinel. The registered application/Service Principal that is authenticated to the connector needs to have the following RBAC Roles:

    • Contributor on the Azure Firewall Policies in the Microsoft Sentinel resource group.

  6. To use VirusTotal connector, get your Virus Totan API key. how to generate the API Key

Deployment instructions

  1. Deploy the playbook by clicking on "Depoly to Azure" button. This will take you to deplyoing an ARM Template wizard.

Deploy to Azure Deploy to Azure Gov

  1. Fill in the required paramteres:
    • Playbook Name : Enter the playbook name here (ex:AzureFirewall-BlockIP-addNewRule)
    • Teams GroupId : Enter the Teams channel id to send the adaptive card
    • Teams ChannelId : Enter the Teams Group id to send the adaptive card Refer the below link to get the channel id and group id
    • ClientId : Enter the ClientId of the application
    • ClientSecret : Enter the Client secret of the application

Post-Deployment instructions

a. Authorize connections

Once deployment is complete, you will need to authorize each connection.

  1. Click the Microsoft Sentinel connection resource

  2. Click edit API connection

  3. Click Authorize

  4. Sign in

  5. Click Save

  6. Repeat steps for other connection such as Teams connection and Virus Total (For authorizing the Virus Total API connection, the API Key needs to be provided)

  7. Authorize the Azure Firewall custom connector by following the below mentioned steps.

    a. Navigate to playbook

    b. Click Edit

    c. Find the action with the name "Lists all Azure Firewalls in a resource group " , "Gets the specified Firewall Policy", "Creates or updates the specified Firewall Policy" in the workflow.

[Content truncated...]

Browse: 🏠 · Solutions · Connectors · Methods · Tables · Content · Parsers · ASIM Parsers · ASIM Products · Logic Apps · 📊

Back to Playbooks · Back to Azure Firewall