Block IP & URL on ThreatX-WAF cloud

Browse: 🏠 · Solutions · Connectors · Methods · Tables · Content · Parsers · ASIM Parsers · ASIM Products · Logic Apps · 📊

Back to Content Index

This Playbook Provides the automation on blocking the suspicious/malicious IP and URL on ThreatX cloud waf

Attribute Value
Type Playbook
Solution ThreatXCloud
Source View on GitHub

Logic App Connectors

This playbook uses 3 Logic App connectors / built-in actions:

Connector / Action Type Connections Actions
azuresentinel Managed 1 4
keyvault Managed 0 1
ThreatX-WAFCustomConnector Custom 1 6
Action parameters (URLs, paths, function IDs)

azuresentinel (Managed)

Action Method Endpoint Other
Add_comment_to_incident_(V3) post /Incidents/Comment
Add_comment_to_incident_(V3)_2 post /Incidents/Comment
Add_comment_to_incident_(V3)_4 post /Incidents/Comment
Add_comment_to_incident_(V3)_3 post /Incidents/Comment

keyvault (Managed)

Action Method Endpoint Other
Get_secret get /secrets/@{encodeURIComponent(parameters('Threatx_Key_name'))}/value

ThreatX-WAFCustomConnector (Custom)

Action Method Endpoint Other
Get-Post_Blacklist_Blocklist_Whitelist_3 post /tx_api/v1/lists
List_or_Create_Customer_Rule_2 post /tx_api/v1/rules
Get-Post_Blacklist_Blocklist_Whitelist post /tx_api/v1/lists
Get-Post_Blacklist_Blocklist_Whitelist_2 post /tx_api/v1/lists
List_or_Create_Customer_Rule post /tx_api/v1/rules
Login_Generate_Token post /tx_api/v1/login

Additional Documentation

📄 Source: ThreatXPlaybooks/ThreatX-BlockIP-URL/readme.md

ThreatX-BlockIP-URL Info Playbook

Summary

When a new Microsoft Sentinel incident is created, this playbook gets triggered and performs below actions

  1. Fetches the list of earlier blocked or allowed URLs and IPs .
  2. Fetches the new IP's and URL's from incidents and compare them with existing one and update the blacklist .

Prerequisites

  1. ThreatX-WAFCustomConnector needs to be deployed prior to the deployment of this playbook under the same subscription.
  2. API key. To get API Key, login into your ThreatX cloud instance dashboard and navigate to Settings --> API Key --> Add Api Key.
  3. [Important step]Store the API secret key in Key vault and provide the key name of the stored secret during deployment.

Deployment instructions

  1. Deploy the playbook by clicking on "Deploy to Azure" button. This will take you to deploying an ARM Template wizard.

Deploy to Azure Deploy to Azure Gov

  1. Fill in the required paramteres:
    • Playbook Name: Enter the playbook name here (Ex: ThreatX-BlockIP-URL)
    • Custom Connector Name: Enter the ThreatX custom connector name here (Ex: ThreatX-WAFCustomConnector)
    • Keyvault name : Enter the key vault name where secret key is stored .
    • Threatx Key name : Your Key name for the stored api secret .

Post-Deployment instructions

a. Authorize connections (Perform this action if needed)

Once deployment is complete, you will need to authorize each connection.

  1. Click the Microsoft Sentinel connection resource
  2. Click edit API connection
  3. Click Authorize
  4. Sign in
  5. Click Save
  6. Repeat steps for ThreatX Api Connection (For authorizing the ThreatX API connection, API Key needs to be provided)

b. Configurations in Sentinel

  1. In Microsoft sentinel analytical rules should be configured to trigger an incident with risky URL or IP Address.
  2. Configure the automation rules to trigger this playbook , mapping of IP and URL entities is necessary

c. Assign Playbook Microsoft Sentinel Responder Role

  1. Select the Playbook (Logic App) resource
  2. Click on Identity Blade
  3. Choose Systen assigned tab
  4. Click on Azure role assignments
  5. Click on Add role assignments
  6. Select Scope - Resource group
  7. Select Subscription - where Playbook has been created
  8. Select Resource group - where Playbook has been created
  9. Select Role - Microsoft Sentinel Responder
  10. Click Save (It takes 3-5 minutes to show the added role.)

d. Assign access policy on key vault for Playbook to fetch the secret key

  1. Select the Keyvault resource where you have stored the secret
  2. Click on Access policies Blade
  3. Click on Create
  4. Under Secret permissions columun , Select Get , List from "Secret Management Operations"
  5. Click next to go to Principal tab and choose your deployed playbook name
  6. Click Next leave application tab as it is .
  7. Click Review and create
  8. Click Create

References

Browse: 🏠 · Solutions · Connectors · Methods · Tables · Content · Parsers · ASIM Parsers · ASIM Products · Logic Apps · 📊

Back to Playbooks · Back to ThreatXCloud