Azure-Sentinel/Playbooks/Isolate-AzureVMtoNSG
..
azuredeploy.json
readme.md

readme.md

Isolate-AzureVMtoNSG

author: Nathan Swift

This playbook will take host entites from triggered incident and search for matches in the enterprises subscriptions. An email for approval will be sent to isolate Azure VM. Upon approval a new NSG Deny All is created and applied to the Azure VM, The Azure VM is restarted to remove any persisted connections.

Deploy to Azure Deploy to Azure Gov

Additional Post Install Notes:

The Logic App creates and uses a Managed System Identity (MSI) to search the Azure Resource Graph, Generate a NSG, Update the VM with NSG, and Restart the VM.

Assign RBAC 'Reader' role to the Logic App at the root Management Group level. Assign RBAC 'Network Contributor' role to the Logic App at the root Management Group level. Assign RBAC 'Virtual Machine Contributor' role to the Logic App at the root Management Group level.