Azure – Automatically block IPs in Network Security Group when brute force attack is detected

As you know Azure Security Center is your one stop shop to help you stay on top of your security posture for your resources hosted in Azure.

As more and more resources are hosted on cloud services, security and protection against attacks are more important than ever.

As you know, you can protect your virtual machines running on Azure using various options; the easiest one, and a free one, is the Network Security Group (NSG).

Managing the list of allowed/denied IP addresses on an NSG is not easy, especially when you need to act fast once an attack is detected.

Well, good news, the Azure Security Center group has developed an automation helping you block IP addresses at the NSG level when a brute force attack is detected.

To start using it you need:

Well, let’s start deploying the automation by hitting the Deploy to Azure button.

Then fill in the required fields:

  • Resource group: where the automation will be deployed
  • Region
  • Playbook name: keep the default name – BlockBruteForceAttackedIP or name it as you wish
  • User name: the username of a mailbox which will be used to send notification; the mailbox needs to be on Office 365
  • Email contact: email address of the security team

Now you need to grant the BlockBruteForceAttackedIP Logic App either the User Access Administrator or the Owner role on the subscription(s), management group or resource group, matching the scope of your Azure Security Center protection.

Then you need to authorize the Office 365 API connection called office365-BlockBruteForceAttackedIP by opening the Edit API connection blade and hitting the blue button.

If you see the Authorization was successful message, you can hit the Save button.

Now you can create the automation in your Azure Security Center.

The ASC automation workflow needs to use the following:

  • Security Center data types: Threat detection alerts
  • Alert name: contains the word brute
  • Action: select the BlockBruteForceAttackedIP Logic App

You are now ready: every IP address conducting a brute force attack will be added to the NSG associated with the attacked VM and blocked.
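
The decision this workflow automates (alert name contains "brute", then deny the source IP on the NSG) can be dry-run offline before you let it change rules. The Python sketch below is an added example, not the playbook's own code; the alert shape, the NEVER_BLOCK list and the rule names are assumptions, while the rule properties are the standard NSG security rule fields.

```python
import ipaddress
# Constructed alerts; "AttackerIps" is a simplified, assumed field, not the real alert schema.
SAMPLE_ALERTS = [
    {"AlertDisplayName": "Failed SSH brute force attack",
     "AttackerIps": ["203.0.113.45", "198.51.100.7"]},
    {"AlertDisplayName": "Suspicious PowerShell activity", "AttackerIps": ["203.0.113.99"]},
    {"AlertDisplayName": "Successful RDP Brute Force attack",
     "AttackerIps": ["10.0.0.4", "not-an-ip", "203.0.113.45", "192.0.2.10", "203.0.113.80"]},
]
# Ranges that must never be denied: internal space plus a hypothetical admin egress range.
NEVER_BLOCK = [ipaddress.ip_network(n) for n in
               ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "192.0.2.0/28")]

def is_brute_force(alert):
    # Mirrors the "alert name contains brute" condition (case-insensitive here by choice).
    return "brute" in alert.get("AlertDisplayName", "").lower()

def blockable_ips(alert):
    """Return the alert's well-formed source IPs that are outside NEVER_BLOCK."""
    result = []
    for raw in alert.get("AttackerIps", []):
        try:
            ip = ipaddress.ip_address(raw)
        except ValueError:
            continue  # malformed value: nothing to block
        if not any(ip in net for net in NEVER_BLOCK):
            result.append(str(ip))
    return result

def plan_deny_rules(alerts, used_priorities, start=100, end=4096):
    """Build one inbound Deny rule per new IP on the lowest free NSG priorities."""
    used, seen, rules, prio = set(used_priorities), set(), [], start
    for alert in filter(is_brute_force, alerts):
        for ip in blockable_ips(alert):
            if ip in seen:
                continue  # already planned from an earlier alert
            seen.add(ip)
            while prio in used:
                prio += 1
            if prio > end:
                raise RuntimeError("no free NSG priority left")
            used.add(prio)
            rules.append({
                "name": "Deny-BruteForce-" + ip.replace(".", "-"),  # hypothetical name
                "priority": prio, "direction": "Inbound", "access": "Deny",
                "protocol": "*", "sourceAddressPrefix": ip, "sourcePortRange": "*",
                "destinationAddressPrefix": "*", "destinationPortRange": "*",
            })
    return rules
```

NSG rules are processed in priority order, lowest number first, so a deny rule only takes effect if its priority number is lower than that of the allow rule exposing the attacked port.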
