Azure-Sentinel/MasterPlaybooks/Remediation-IP
Joe Fulford 8da0fab9af
Correcting Deploy to Azure Gov buttons for PR
Updated to https://portal.azure.us on the deployment buttons. I accidentally overwrote these beforehand.
2023-05-19 08:00:07 +01:00
..
AzureFirewall-BlockIP-Nested-Remediation Correcting Deploy to Azure Gov buttons for PR 2023-05-19 08:00:07 +01:00
CiscoASA-BlockIP-Nested-Remediation Update azuredeploy.json 2022-09-16 13:16:52 +05:30
CiscoFirepower-BlockIP-Nested-Remediation Update azuredeploy.json 2022-09-16 13:22:20 +05:30
CiscoUmbrella-BlockIP-Nested-Remediation Update azuredeploy.json 2022-09-16 13:25:58 +05:30
F5-BlockIP-Nested-Remediation Update azuredeploy.json 2022-09-16 13:05:58 +05:30
ForcepointNGFW-BlockIP-Nested-Remediation changed azure deploy links to master 2022-09-05 19:16:42 +03:00
Fortinet-BlockIP-Nested-Remediation fix: support -> microsoft in azuredeploy files 2022-09-05 18:54:21 +03:00
Images Master Playbooks IP and Remediation (#2882) 2021-09-13 13:27:37 -07:00
MDE-BlockIP-Nested-Remediation Update azuredeploy.json 2022-09-16 13:29:15 +05:30
Meraki-BlockIP-Nested-Remediation Update azuredeploy.json 2022-09-16 13:06:20 +05:30
PaloAlto-PAN-OS-BlockIP-Remediation Update azuredeploy.json 2022-09-16 13:03:21 +05:30
Remediation-IP-GeneralSchema.json Master Playbooks IP and Remediation (#2882) 2021-09-13 13:27:37 -07:00
azuredeploy.json Merge pull request #5452 from socprime/Block_IP_MasterPlaybook 2022-09-16 14:18:15 +05:30
readme.md changed azure deploy links to master 2022-09-05 19:16:42 +03:00

readme.md

Master Playbook Block IP Remediation

Master playbook is integrated with multiple firewall end products like AzureFirewall ,Forcepoint ,Fortinet-Fortigate, Cisco Meraki and PaloAlto-PAN-OS.

Firewall end products are deployed as child/nested playbooks.

If a malicious IP is detected from the Azure sentinel, master playbook calls all the child/nested playbooks and each firewall product will take remidiation steps needed on that Ip Address and comments will be passed on the master playbook from the child/nested playbooks involving multiple products.

Summary

When a new Azure Sentinel incident is created, this playbook gets triggered and performs the below actions:

  1. Fetches a list of potentially malicious IP addresses.
  2. Each nested playbook receives the list of IP addresses and performs respective defined automated actions on it.
  3. Response from individual playbooks are returned to master playbook for incident comment.

Master

Master

Pre-requisites for deployment

At least one of the below-mentioned nested playbooks must be deployed prior to deployment of this playbook under same subscription and same resource group and the same location/region. Capture the name of all the deployed playbooks during deployment.

If any one of the above-mentioned playbooks are not deployed then default playbook will deploy in its place.

Nested Playbook Structure

Input Schema

Each of the nested playbooks of IP Remediation accepts following inputs:

  • IPs: List of IPs as entities from azure sentinel incident.
  • Workflow: Worklfow is identifier for the nested playbook which points to which subscription and which resource group the nested playbook belongs to.
  • Trigger: Tells how the playbook is invoked/triggered.
  • Headers: Tells the content type of entity accepting by nested playbook.

The image below shows example of input schema for CiscoMeraki nested playbook.

Master

Output Schema

Each of the nested playbooks of IP Remediation gives following outputs:

  • Status code: Status code tells the success or failure status of nested playbook run results. The status code value is displayed in incident comment.
  • Body: Body provides with all the output values that nested playbook returns. It varies according to the nested playbook.
  • Incident Comment: It contains output body from nested playbook in tabular format.

For example, taking reference of CiscoMeraki incident comment image below, CiscoMeraki logo is composed for incident comment. Also, table is populated with values such as Incident IP address, Source, Source Port, Destination, Destination Port, Policy, Protocol, Previous status, Current status and Action.

Master

Add new playbook to master playbook

To add new nested playbook to master playbook:

  • Hover below action "Initialize variable playbook status Codes".
  • Click on symbol '+' for insert a new step and choose add a parallel branch.
  • First action is to add scope. Within scope add new action and choose the nested playbook to add.
  • Compose Incident Comment.
  • Append the status code from nested playbook to Status Codes variable .

Master

Deployment Instructions

  1. Deploy the playbook by clicking on the "Deploy to Azure" button. This will take you to deploy an ARM Template wizard.

Deploy to Azure Deploy to Azure

  1. Fill in the required parameters for deploying the playbook.
Parameter Description
Playbook Name Enter the master playbook name here without spaces.
Azure Firewall Playbook Name Enter the name of Azure Firewall Nested playbook without spaces.
Forcepoint Playbook Name Enter the name of Forcepoint Nested playbook without spaces.
Fortinet Playbook Name Enter the name of Fortinet Nested playbook without spaces.
Cisco Meraki Playbook Name Enter the name of Meraki Nested playbook without spaces.
Palo Alto PAN-OS Playbook Name Enter the name of PaloAlto PAN OS Nested playbook without spaces.
CiscoASA Playbook Name Enter the name of CiscoASA Nested playbook without spaces.
CiscoFirepower Playbook Name Enter the name of CiscoFirepower Nested playbook without spaces.
CiscoUmbrella Playbook Name Enter the name of CiscoUmbrella Nested playbook without spaces.
F5Big-IP Playbook Name Enter the name of F5Big-IP Nested playbook without spaces.
MDE Playbook Name Enter the name of MDE Nested playbook without spaces.

Post-Deployment Instructions

Configurations in Sentinel

  • In Azure sentinel analytical rules should be configured to trigger an incident with IP addresses.
  • Configure the automation rules to trigger the playbook which calls multiple nested playbooks.

Playbook steps explained

When Azure Sentinel incident creation rule is triggered

Captures potentially malicious or malware IP addresses incident information.

##Entities - Get IPs Get the list of IPs as entities from the Incident.

For malicious IP addresses received from the incident

  1. The list of IP address is passed as Entity to each of the nested playbook.
  2. Each nested playbook accepts IP list as entity from master playbook and respectively performs defined automated actions(Block/Unblock IP) for each IP address.
  3. The response from each of the nested playbook is returned to master playbook.
  4. Response from each nested playbook is attached to incident comment and consolidated incident comment is created.
  5. If all the nested playbooks returns success response , the incident will be closed.

Incident Comment

Master Master

Incident Comment for error handling

Master Master