Azure Firewall Logic Apps connector and playbook templates
Table of Contents
- Overview
- Deploy Custom Connector + 3 Playbook templates
- Authentication
- Prerequisites
- Deployment
- Post Deployment Steps
- References
Overview
Azure Firewall is a cloud-based network security service that sits at the edge of your Azure virtual network resources and provides additional security beyond what NSGs offer.
This integration lets you automate the response to Azure Sentinel incidents that contain IP entities. It contains the basic connector component, with which you can create your own playbooks that interact with Azure Firewall, Azure Firewall Policy and IP Groups.
It also contains three ready-to-use playbook templates that allow direct response on Azure Firewall from Microsoft Teams, together with VirusTotal enrichment.
The playbooks in this integration work with:
Playbook Name | Premium Policy | Standard Policy | Classic Rules |
---|---|---|---|
AzureFirewall-BlockIP-addToIPGroup | Yes | Yes | Yes |
AzureFirewall-AddIPtoTIAllowList | No | Yes | No |
AzureFirewall-BlockIP-addNewRule | No | No | Yes |
Deploy Custom Connector + 3 Playbook templates
This package includes:
- Custom connector for Azure Firewall
- Three playbook templates that leverage the Azure Firewall custom connector
You can choose to deploy the whole package: connector + all three playbook templates (buttons below), or each one separately from its specific folder.
Firewall connector documentation
Authentication
This connector supports the Service Principal authentication type.
Azure Active Directory Service principal
To use your own application with the Azure Sentinel connector, perform the following steps:
- Register the application with Azure AD and create a service principal. Learn how.
- Get credentials (for future authentication).
  In the registered application blade, get the application credentials for later signing in:
  - Tenant Id: under Overview
  - Client ID: under Overview
  - Client secret: under Certificates & secrets.
- Grant permissions to Azure Firewall, IP Groups or Azure Firewall Policies.
  - In the relevant resources of the above, go to Settings -> Access control (IAM)
  - Select Add role assignment.
  - Select the role you wish to assign to the application: Contributor role.
  - Find the required application and save. By default, Azure AD applications aren't displayed in the available options. To find your application, search for the name and select it.
- Authenticate
  In this step we use the app credentials to authenticate to the Sentinel connector in Logic Apps.
  In the custom connector for Azure Firewall, fill in the required parameters (they can be found in the registered application blade):
  - Tenant Id: under Overview
  - Client Id: under Overview
  - Client Secret: under Certificates & secrets
Prerequisites for using and deploying Custom Connector
- The Firewall service endpoint should be https://management.azure.com/
- Register an AAD app and capture the ClientID, SecretKey and TenantID
- The playbook templates leverage VirusTotal for IP enrichment. To use the VirusTotal capabilities, generate a VirusTotal API key. Refer to this link for how to generate the API key.
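The authentication flow above and the management endpoint from the prerequisites, as an added example that is not part of this repository: the service principal's client-credentials token request, and the PUT with which a block playbook adds Sentinel IP entities to an IP Group. Requests are built but not sent; the api-version, the resource id and every IP value are assumed or constructed, and the entity check (refusing RFC1918, loopback, link-local, multicast and catch-all values) is an added safeguard, not connector behaviour.

```python
import ipaddress

MGMT_ENDPOINT = "https://management.azure.com"  # Firewall service endpoint from the prerequisites
API_VERSION = "2022-05-01"  # assumed Microsoft.Network api-version for ipGroups
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def token_request(tenant_id, client_id, client_secret):
    """URL and form body of the OAuth2 client-credentials grant the service
    principal performs; the scope is the management endpoint's .default scope."""
    url = f"https://login.microsoftonline.com/{tenant_id}/oauth2/v2.0/token"
    body = {
        "grant_type": "client_credentials",
        "client_id": client_id,
        "client_secret": client_secret,
        "scope": f"{MGMT_ENDPOINT}/.default",
    }
    return url, body


def canonical(value):
    """Canonical string for an address or CIDR ("203.0.113.7/32" -> "203.0.113.7")
    so the same entity written two ways is not stored twice in the group."""
    net = ipaddress.ip_network(value.strip(), strict=False)
    if net.prefixlen == net.max_prefixlen:
        return str(net.network_address)
    return str(net)


def validate_block_entity(value):
    """Refuse an incident entity that must never land in a deny IP Group:
    RFC1918, loopback, link-local, multicast, unspecified or catch-all (/0).
    A malformed value raises ValueError from ipaddress itself."""
    net = ipaddress.ip_network(value.strip(), strict=False)
    internal = (net.prefixlen == 0 or net.is_loopback or net.is_link_local
                or net.is_multicast or net.is_unspecified)
    if net.version == 4:
        internal = internal or any(net.subnet_of(p) for p in RFC1918)
    if internal:
        raise ValueError(f"refusing to block internal or catch-all entity {value!r}")
    return canonical(value)


def build_ipgroup_put(ip_group_id, location, existing_ips, new_entities):
    """PUT that replaces the IP Group's address list; the current contents are
    merged in first, since a PUT with only the new entities would drop the rest."""
    merged = {canonical(ip) for ip in existing_ips}
    merged.update(validate_block_entity(ip) for ip in new_entities)
    url = f"{MGMT_ENDPOINT}{ip_group_id}?api-version={API_VERSION}"
    body = {"location": location, "properties": {"ipAddresses": sorted(merged)}}
    return url, body
```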
Deployment instructions
- Deploy the Custom Connector and playbooks by clicking the "Deploy to Azure" button. This takes you to the wizard for deploying an ARM template.
- Fill in the required parameters:
Parameters | Description |
---|---|
Custom Connector name | Enter the Custom connector name (e.g. AzureFirewallConnector) |
AzureFirewall-BlockIP-addNewRule Playbook Name | Enter the playbook name here (e.g. AzureFirewall-BlockIP-addNewRule) |
AzureFirewall-BlockIP-addToIPGroup Playbook Name | Enter the playbook name here (e.g. AzureFirewall-BlockIP-addToIPGroup) |
AzureFirewall-AddIPtoTIAllowList Playbook Name | Enter the playbook name here (e.g. AzureFirewall-AddIPtoTIAllowList) |
Teams GroupId | Enter the Teams channel id to send the adaptive card |
Teams ChannelId | Enter the Teams Group id to send the adaptive card. Refer to the link below to get the channel id and group id |
ClientId | Enter the Client Id of the Service Principal which the custom connector will authenticate with |
ClientSecret | Enter the Client secret of the Service Principal which the custom connector will authenticate with |
Post-Deployment instructions
a. Authorize connections
Once deployment is complete, you will need to authorize each connection.
- Click the Azure Sentinel connection resource
- Click edit API connection
- Click Authorize
- Sign in
- Click Save
- Repeat these steps for the other connections, such as the Teams connection and VirusTotal (to authorize the VirusTotal API connection, the API key must be provided)
b. Configurations in Azure Sentinel
- Find the Azure Sentinel Analytics rules that create alerts and incidents that include IP entities.
- Configure automation rule(s) to trigger the playbooks.
Learn more
Reference to the playbook templates and the connector
Connector
Playbooks
- AzureFirewall-AddIPtoTIAllowList: This playbook uses the Azure Firewall connector to add an IP address to the Threat Intel allow list based on the Azure Sentinel incident
- AzureFirewall-BlockIP-addNewRule: This playbook uses the Azure Firewall connector to add an IP address to the Deny Network Rules collection based on the Azure Sentinel incident
- AzureFirewall-BlockIP-addToIPGroup: This playbook uses the Azure Firewall connector to add an IP address to the IP Groups based on the Azure Sentinel incident