Add Block Outbound Rule - Zero Networks Acccess Orchestrator
Browse: 🏠 · Solutions · Connectors · Methods · Tables · Content · Parsers · ASIM Parsers · ASIM Products · Logic Apps · 📊
This playbook allows blocking an IP outbound from protected assets in Zero Networks Segment.
| Attribute | Value |
|---|---|
| Type | Playbook |
| Solution | ZeroNetworks |
| Source | View on GitHub |
Logic App Connectors
This playbook uses 2 Logic App connectors / built-in actions:
| Connector / Action | Type | Connections | Actions |
|---|---|---|---|
azuresentinel |
Managed | 1 | 2 |
ZeroNetworksConnector |
Custom | 1 | 2 |
Action parameters (URLs, paths, function IDs)
azuresentinel (Managed)
| Action | Method | Endpoint | Other |
|---|---|---|---|
| Add_comment_to_incident_(V3) | post | /Incidents/Comment |
— |
| Entities_-_Get_IPs | post | /entities/ip |
— |
ZeroNetworksConnector (Custom)
| Action | Method | Endpoint | Other |
|---|---|---|---|
| Create_Outbound_Block_rule | post | /protection/rules/outbound-block |
— |
| Encode_IP_Address_to_AssetId | get | /entities/encode-ip |
— |
Additional Documentation
📄 Source: ZeroNetworksSegment-AddBlockOutboundRule/readme.md
Zero Networks Segment - Add Block Outbound Rule
Summary
This playbook allows blocking an IP outbound from protected assets in Zero Networks Segment.
When a new Sentinel incident is created, this playbook gets triggered and performs below actions
- For the IPs, we add them to a new outbound block rule in Segment.
- A comment is added to Microsoft Sentinel incident.
Playbook overview:
Prerequisites
- Zero Networks custom connector needs to be deployed prior to the deployment of this playbook, in the same resource group and region. Relevant instructions can be found in the connector doc page.
Deployment instructions
- Deploy the playbook by clicking on "Depoly to Azure" button. This will take you to deplyoing an ARM Template wizard.
- Fill in the required paramteres:
- Playbook Name: Enter the playbook name here (ex:ZNSegment-AddBlockOutboundRule)
- Connector name : Enter the name of the Zero Networks custom connector (default value:ZeroNetworksConnector)
Post-Deployment instructions
a. Authorize connections
Once deployment is complete, you will need to authorize each connection.
- Click the Microsoft Sentinel connection resource
- Click edit API connection
- Click Authorize
- Sign in
- Click Save
- Repeat steps for other connections such as Zero Networks
c. Configurations in Microsoft Sentinel
- In Microsoft Sentinel, analytical rules should be configured to trigger an incident with IP Entity.
- Configure the automation rules to trigger this playbook
Browse: 🏠 · Solutions · Connectors · Methods · Tables · Content · Parsers · ASIM Parsers · ASIM Products · Logic Apps · 📊