Azure-Sentinel/Playbooks/ForcepointNGFW

Latest commit: sindhuacc 7205fce0e2 "updated the logo path", 2021-08-12 11:44:06 +05:30

Contents of this directory:

  • Connector/ForcepointSMCApiConnector ("Forcepoint NGFW -Implemented comments by Lior", 2021-08-12 10:51:54 +05:30)
  • Playbooks ("Forcepoint NGFW -Implemented comments by Lior", 2021-08-12 10:51:54 +05:30)
  • ConsolidatedTemplate.json ("Forcepoint NGFW -Implemented comments by Lior", 2021-08-12 10:51:54 +05:30)
  • LinkedTemplate.json ("Forcepoint NGFW -Implemented comments by Lior", 2021-08-12 10:51:54 +05:30)
  • readme.md ("updated the logo path", 2021-08-12 11:44:06 +05:30)

readme.md

Forcepoint NGFW Logic Apps Custom Connectors and playbook templates

Table of Contents

  1. Overview
  2. Deploy 2 Custom Connectors + 6 Playbook templates
  3. Authentication
  4. Prerequisites
  5. Deployment
  6. Post Deployment Steps
  7. References
  8. Limitations

Overview

Forcepoint Next Generation Firewall (NGFW) connects and protects people and the data they use throughout the enterprise network – all with the greatest efficiency, availability and security.

Deploy 2 Custom Connectors + 6 Playbook templates

This package includes:

  • Two custom connectors for Forcepoint NGFW.
  • Six playbook templates that use the Forcepoint NGFW custom connectors.

You can deploy the whole package (both connectors plus all six playbook templates) at once, or deploy each item separately from its own folder.

Deploy to Azure | Deploy to Azure Gov

ForcepointNGFW documentation

Authentication

No authentication is configured on the custom connectors themselves; the Forcepoint SMC API key is supplied as a deployment parameter (see the parameter table under Deployment).

Prerequisites for using and deploying 2 Custom Connectors + 6 playbooks

  1. The Forcepoint SMC API key must be known. Refer here.
  2. The Forcepoint SMC version number must be known. Refer here.
  3. The Forcepoint SMC service endpoint must be known (e.g. https://{forcepointdomain}:{PortNumber}/).
  4. The Forcepoint FUID service endpoint must be known (e.g. https://{forcepointdomain}:{PortNumber}/).
  5. The name of the IP address list in SMC that is used for blocking IP addresses must be known.
  6. The name of the URL list in SMC that is used for blocking URLs must be known.
  7. Users must have access to Microsoft Teams, be members of a Teams channel, and have the Power Automate app installed in that Teams channel.

Deployment instructions

  1. Deploy the custom connectors and playbooks by clicking the "Deploy to Azure" button. This opens the ARM template deployment wizard.
  2. Fill in the required parameters for deploying the custom connectors and playbooks.
For Playbooks

| Parameter | Description |
|---|---|
| Block IP Response On Teams PlaybookName | Enter the Block IP Response On Teams playbook name here, without spaces. |
| Block IP By Username PlaybookName | Enter the Block IP By Username playbook name here, without spaces. |
| Block IP PlaybookName | Enter the Block IP playbook name here, without spaces. |
| Block URL PlaybookName | Enter the Block URL playbook name here, without spaces. |
| Enrichment IP PlaybookName | Enter the Enrichment IP playbook name here, without spaces. |
| Enrichment URL PlaybookName | Enter the Enrichment URL playbook name here, without spaces. |
| Forcepoint SMC Api Key | Enter the SMC API key. |
| SMC Version Number | Enter the version number of SMC. |
| IP List Name | Enter the IP list name. |
| URL List Name | Enter the URL list name. |

For Custom Connectors

| Parameter | Description |
|---|---|
| Service EndPoint FUID Connector | Enter the Forcepoint FUID service endpoint. |
| SMC Connector name | Enter the name of your Forcepoint SMC connector, without spaces. |
| Service EndPoint SMC Connector | Enter the Forcepoint SMC service endpoint. |
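The wizard only tells you a value is wrong after the deployment has started. The script below is an added example, not code from the Azure-Sentinel repository: it checks the values from the table above before anything is submitted (names without spaces, endpoints of the form https://host[:port]/ so the SMC API key is never sent over plain HTTP, a key that is not an empty or leftover placeholder) and then prints the Azure CLI equivalent of the "Deploy to Azure" button. It assumes the Azure CLI is installed and logged in, and that `forcepoint.parameters.json` uses the parameter names from the `parameters` section of ConsolidatedTemplate.json, which this readme does not list; the sample values in the block are constructed.

```shell
#!/usr/bin/env bash
# Added example, not part of the Azure-Sentinel repository.
# Assumptions: Azure CLI present and logged in; forcepoint.parameters.json written by you
# with the parameter names taken from ConsolidatedTemplate.json (not listed in the readme).
set -u

# Playbook and connector names become Azure resource names and must contain no spaces.
name_ok() {
  case "$1" in
    '' | *' '*) return 1 ;;
    *)          return 0 ;;
  esac
}

# The playbooks send the SMC API key to the SMC endpoint, so insist on https for both
# endpoints, in the form https://host[:port]/ (trailing slash optional).
endpoint_ok() {
  printf '%s\n' "$1" | grep -Eq '^https://[A-Za-z0-9.-]+(:[0-9]{1,5})?/?$'
}

# The API key must be present and must not still be a {placeholder} or <placeholder>.
api_key_ok() {
  case "$1" in
    '' | *'{'* | *'}'* | *'<'* | *'>'*) return 1 ;;
    *) return 0 ;;
  esac
}

# Run every check, print one line per failure, return non-zero if anything failed.
# Usage: preflight SMC_ENDPOINT FUID_ENDPOINT API_KEY NAME...
preflight() {
  smc_endpoint=$1; fuid_endpoint=$2; api_key=$3; shift 3
  rc=0
  endpoint_ok "$smc_endpoint"  || { echo "SMC endpoint must be https://host[:port]/: $smc_endpoint";  rc=1; }
  endpoint_ok "$fuid_endpoint" || { echo "FUID endpoint must be https://host[:port]/: $fuid_endpoint"; rc=1; }
  api_key_ok "$api_key"        || { echo "SMC API key is empty or still a placeholder"; rc=1; }
  for n in "$@"; do
    name_ok "$n" || { echo "name must not be empty or contain spaces: '$n'"; rc=1; }
  done
  return $rc
}

# CLI equivalent of the "Deploy to Azure" button (real Azure CLI flags). The command is
# printed rather than run so it can be reviewed first.
deploy_cmd() {
  printf 'az deployment group create --resource-group %s --template-file %s --parameters @%s\n' "$1" "$2" "$3"
}

# Constructed sample values standing in for what you would type into the wizard.
if preflight "https://smc.example.com:8082/" "https://fuid.example.com:8443/" "constructed-sample-key-0123" \
     "ForcepointSMC" "BlockIP" "BlockURL" "EnrichIP" "EnrichURL" "BlockIPByUsername" "BlockIPResponseOnTeams"
then
  deploy_cmd "sentinel-rg" "ConsolidatedTemplate.json" "forcepoint.parameters.json"
fi
```

Pipe the printed command into a shell once you have reviewed it, or swap `ConsolidatedTemplate.json` for the template in an individual playbook or connector folder when deploying one item on its own.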

Post-Deployment Instructions

a. Authorize API connections

  • Once deployment is complete, open the deployment details and authorize the Teams connection:
    1. Click the Teams connection resource.
    2. Click Edit API connection.
    3. Click Authorize.
    4. Sign in.
    5. Click Save.
  • In the Logic App designer, open the "Post an adaptive card to teams channel" action and select your Teams name and channel name from the dropdown.
  • In the Logic App designer again, open the "Post adaptive card in a chat or channel" action and select your Teams name, channel name, and "Flow bot" for the "Post as" parameter from the dropdown.

b. Configurations in Sentinel

  1. In Azure Sentinel, configure analytics rules that create an incident containing the risky IP address or URL.
  2. Configure automation rules to trigger the playbooks from those incidents.

Reference to the playbook templates and the connectors

Connector

Playbooks

Known Issues and Limitations

  • The Teams connection must be authorized manually after the playbooks are deployed.