История

Joe Fulford 8da0fab9af Correcting Deploy to Azure Gov buttons for PR Updated to https://portal.azure.us on the deployment buttons. I accidentally overwrote these beforehand.		2023-05-19 08:00:07 +01:00
..
AzureFirewall-BlockIP-Nested-Remediation	Correcting Deploy to Azure Gov buttons for PR	2023-05-19 08:00:07 +01:00
CiscoASA-BlockIP-Nested-Remediation	Update azuredeploy.json	2022-09-16 13:16:52 +05:30
CiscoFirepower-BlockIP-Nested-Remediation	Update azuredeploy.json	2022-09-16 13:22:20 +05:30
CiscoUmbrella-BlockIP-Nested-Remediation	Update azuredeploy.json	2022-09-16 13:25:58 +05:30
F5-BlockIP-Nested-Remediation	Update azuredeploy.json	2022-09-16 13:05:58 +05:30
ForcepointNGFW-BlockIP-Nested-Remediation	changed azure deploy links to master	2022-09-05 19:16:42 +03:00
Fortinet-BlockIP-Nested-Remediation	fix: support -> microsoft in azuredeploy files	2022-09-05 18:54:21 +03:00
Images	Master Playbooks IP and Remediation (#2882 )	2021-09-13 13:27:37 -07:00
MDE-BlockIP-Nested-Remediation	Update azuredeploy.json	2022-09-16 13:29:15 +05:30
Meraki-BlockIP-Nested-Remediation	Update azuredeploy.json	2022-09-16 13:06:20 +05:30
PaloAlto-PAN-OS-BlockIP-Remediation	Update azuredeploy.json	2022-09-16 13:03:21 +05:30
Remediation-IP-GeneralSchema.json	Master Playbooks IP and Remediation (#2882 )	2021-09-13 13:27:37 -07:00
azuredeploy.json	Merge pull request #5452 from socprime/Block_IP_MasterPlaybook	2022-09-16 14:18:15 +05:30
readme.md	changed azure deploy links to master	2022-09-05 19:16:42 +03:00

readme.md

Master Playbook Block IP Remediation

Master playbook is integrated with multiple firewall end products like AzureFirewall ,Forcepoint ,Fortinet-Fortigate, Cisco Meraki and PaloAlto-PAN-OS.

Firewall end products are deployed as child/nested playbooks.

If a malicious IP is detected from the Azure sentinel, master playbook calls all the child/nested playbooks and each firewall product will take remidiation steps needed on that Ip Address and comments will be passed on the master playbook from the child/nested playbooks involving multiple products.

Summary

When a new Azure Sentinel incident is created, this playbook gets triggered and performs the below actions:

Fetches a list of potentially malicious IP addresses.
Each nested playbook receives the list of IP addresses and performs respective defined automated actions on it.
Response from individual playbooks are returned to master playbook for incident comment.

Pre-requisites for deployment

At least one of the below-mentioned nested playbooks must be deployed prior to deployment of this playbook under same subscription and same resource group and the same location/region. Capture the name of all the deployed playbooks during deployment.

AzureFirewall-BlockIP-Nested-Remediation is a nested playbook that handles remidiation for AzureFirewall.
Forcepoint-BlockIP-Nested-Remediation is a nested playbook that handles remidiation for Forcepoint.
Fortinet-BlockIP-Nested-Remediation is a nested playbook that handles remidiation for Fortinet.
Meraki-BlockIP-Nested-Remediation is a nested playbook that handles remidiation for Meraki.
PaloAlto-PAN-OS-BlockIP-Nested-Remediation is a nested playbook that handles remidiation for PaloAlto.
CiscoASA-BlockIP-Nested-Remediation is a nested playbook that handles remidiation for PaloAlto.
CiscoFirepower-BlockIP-Nested-Remediation is a nested playbook that handles remidiation for PaloAlto.
CiscoUmbrella-BlockIP-Nested-Remediation is a nested playbook that handles remidiation for PaloAlto.
F5-BlockIP-Nested-Remediation is a nested playbook that handles remidiation for PaloAlto.
MDE-BlockIP-Nested-Remediation is a nested playbook that handles remidiation for PaloAlto.

If any one of the above-mentioned playbooks are not deployed then default playbook will deploy in its place.

Nested Playbook Structure

Input Schema

Each of the nested playbooks of IP Remediation accepts following inputs:

IPs: List of IPs as entities from azure sentinel incident.
Workflow: Worklfow is identifier for the nested playbook which points to which subscription and which resource group the nested playbook belongs to.
Trigger: Tells how the playbook is invoked/triggered.
Headers: Tells the content type of entity accepting by nested playbook.

The image below shows example of input schema for CiscoMeraki nested playbook.

Output Schema

Each of the nested playbooks of IP Remediation gives following outputs:

Status code: Status code tells the success or failure status of nested playbook run results. The status code value is displayed in incident comment.
Body: Body provides with all the output values that nested playbook returns. It varies according to the nested playbook.
Incident Comment: It contains output body from nested playbook in tabular format.

For example, taking reference of CiscoMeraki incident comment image below, CiscoMeraki logo is composed for incident comment. Also, table is populated with values such as Incident IP address, Source, Source Port, Destination, Destination Port, Policy, Protocol, Previous status, Current status and Action.

Add new playbook to master playbook

To add new nested playbook to master playbook:

Hover below action "Initialize variable playbook status Codes".
Click on symbol '+' for insert a new step and choose add a parallel branch.
First action is to add scope. Within scope add new action and choose the nested playbook to add.
Compose Incident Comment.
Append the status code from nested playbook to Status Codes variable .

Deployment Instructions

Deploy the playbook by clicking on the "Deploy to Azure" button. This will take you to deploy an ARM Template wizard.

Fill in the required parameters for deploying the playbook.

Parameter	Description
Playbook Name	Enter the master playbook name here without spaces.
Azure Firewall Playbook Name	Enter the name of Azure Firewall Nested playbook without spaces.
Forcepoint Playbook Name	Enter the name of Forcepoint Nested playbook without spaces.
Fortinet Playbook Name	Enter the name of Fortinet Nested playbook without spaces.
Cisco Meraki Playbook Name	Enter the name of Meraki Nested playbook without spaces.
Palo Alto PAN-OS Playbook Name	Enter the name of PaloAlto PAN OS Nested playbook without spaces.
CiscoASA Playbook Name	Enter the name of CiscoASA Nested playbook without spaces.
CiscoFirepower Playbook Name	Enter the name of CiscoFirepower Nested playbook without spaces.
CiscoUmbrella Playbook Name	Enter the name of CiscoUmbrella Nested playbook without spaces.
F5Big-IP Playbook Name	Enter the name of F5Big-IP Nested playbook without spaces.
MDE Playbook Name	Enter the name of MDE Nested playbook without spaces.

Post-Deployment Instructions

Configurations in Sentinel

In Azure sentinel analytical rules should be configured to trigger an incident with IP addresses.
Configure the automation rules to trigger the playbook which calls multiple nested playbooks.

Playbook steps explained

When Azure Sentinel incident creation rule is triggered

Captures potentially malicious or malware IP addresses incident information.

##Entities - Get IPs Get the list of IPs as entities from the Incident.

For malicious IP addresses received from the incident

The list of IP address is passed as Entity to each of the nested playbook.
Each nested playbook accepts IP list as entity from master playbook and respectively performs defined automated actions(Block/Unblock IP) for each IP address.
The response from each of the nested playbook is returned to master playbook.
Response from each nested playbook is attached to incident comment and consolidated incident comment is created.
If all the nested playbooks returns success response , the incident will be closed.

Incident Comment

Incident Comment for error handling