Block IP - Cisco Firepower
Browse: 🏠 · Solutions · Connectors · Methods · Tables · Content · Parsers · ASIM Parsers · ASIM Products · Logic Apps · 📊
This playbook allows blocking of IPs in Cisco Firepower, using a Network Group object. This allows making changes to a Network Group selected members, instead of making Access List Entries. The Network Group object itself should be part of an Access List Entry.
| Attribute | Value |
|---|---|
| Type | Playbook |
| Solution | Cisco Firepower EStreamer |
| Source | View on GitHub |
Logic App Connectors
This playbook uses 4 Logic App connectors / built-in actions:
| Connector / Action | Type | Connections | Actions |
|---|---|---|---|
azuresentinel |
Managed | 1 | 5 |
azuresentinel_1 |
Managed | 0 | 1 |
cisco-firepower-connector |
Managed | 0 | 5 |
CiscoFirepowerConnector |
Custom | 1 | 2 |
Action parameters (URLs, paths, function IDs)
azuresentinel (Managed)
| Action | Method | Endpoint | Other |
|---|---|---|---|
| Entities_-_Get_IPs | post | /entities/ip |
— |
| Add_comment_to_incident_(V3):_No_IPs_found | post | /Incidents/Comment |
— |
| Add_comment_to_incident_(V3) | post | /Incidents/Comment |
— |
| Update_incident | put | /Incidents |
— |
| Add_comment_to_incident_(V3):_Network_Group_object_not_found | post | /Incidents/Comment |
— |
azuresentinel_1 (Managed)
| Action | Method | Endpoint | Other |
|---|---|---|---|
| Add_comment_to_incident_(V3):_Network_Group_object_not_found_2 | post | /Incidents/Comment |
— |
cisco-firepower-connector (Managed)
| Action | Method | Endpoint | Other |
|---|---|---|---|
| Modifies_the_network_group_object_associated_with_the_specified_ID | put | /api/fmc_config/v1/domain/@{encodeURIComponent(outputs('Generate_token')['headers']['DOMAIN_UUID'])}/object/networkgroups/@{encodeURIComponent(body('Retrieves_the_network_group_object_associated_with_the_specified_ID')?['id'])} |
— |
| Retrieves_the_network_group_object_associated_with_the_specified_ID | get | /api/fmc_config/v1/domain/@{encodeURIComponent(outputs('Generate_token')['headers']['DOMAIN_UUID'])}/object/networkgroups/@{encodeURIComponent(variables('Network Group Object')?['id'])} |
— |
| Generate_token | post | /api/fmc_platform/v1/auth/generatetoken |
— |
| Retrieves_list_of_all_network_group_objects | get | /api/fmc_config/v1/domain/@{encodeURIComponent(outputs('Generate_token')['headers']['DOMAIN_UUID'])}/object/networkgroups |
— |
| Revoke_access | post | /api/fmc_platform/v1/auth/revokeaccess |
— |
CiscoFirepowerConnector (Custom)
| Action | Method | Endpoint | Other |
|---|---|---|---|
| Revoke_access:_Network_Group_object_not_found | post | /api/fmc_platform/v1/auth/revokeaccess |
— |
| Revoke_access:_Network_Group_object_not_found_2 | post | /api/fmc_platform/v1/auth/revokeaccess |
— |
Additional Documentation
Cisco Firepower - Add IP Addresses to a Network Group object
Summary
This playbook allows blocking of IPs in Cisco Firepower, using a Network Group object. This allows making changes to a Network Group selected members, instead of making Access List Entries. The Network Group object itself should be part of an Access List Entry.
When a new Sentinel incident is created, this playbook gets triggered and performs below actions.
- For the IPs we check if they are already selected for the Network Group object
- For the IPs not already selected for the Network Group object, add it so it gets blocked
- Comment is added to Microsoft Sentinel incident
** IP is added to Cisco Firepower Network Group object:**
Plabook overview:
Prerequisites
- Cisco Firepower custom connector needs to be deployed prior to the deployment of this playbook, in the same resource group and region. Relevant instructions can be found in the connector doc pages.
- In Cisco Firepower there needs to be a Network Group object. Creating Network Objects
Deployment instructions
- Deploy the playbook by clicking on "Deploy to Azure" button. This will take you to deploying an ARM Template wizard.
- Fill in the required parameters:
- Playbook Name: Enter the playbook name here (ex:CiscoFirepower-BlockIP-NetworkGroup)
- Cisco Firepower Connector name: Enter the name of the Cisco Firepower custom connector (default value:CiscoFirepowerConnector)
- Network Group object name: The name of the Network Group object.
Post-Deployment instructions
a. Authorize connections
Once deployment is complete, you will need to authorize each connection.
- Click the Microsoft Sentinel connection resource
- Click edit API connection
- Click Authorize
- Sign in
- Click Save
- Repeat steps for other connections such as Cisco Firepower (For authorizing the Cisco Firepower API connection, the username and password needs to be provided)
b. Configurations in Sentinel
- In Microsoft sentinel analytical rules should be configured to trigger an incident with IP Entity.
- Configure the automation rules to trigger this playbook
Browse: 🏠 · Solutions · Connectors · Methods · Tables · Content · Parsers · ASIM Parsers · ASIM Products · Logic Apps · 📊