This repository contains the ARM templates for deploying an Azure Logic App that automatically updates an IP Group when a malicious flow is detected in NSG Flow Logs.

Prerequisites:
- Existing Azure Firewall utilizing IP Groups
- Existing Azure IP Group configured to be used by Azure Firewall
- Azure Network Security Groups (NSG) with Flow Logs enabled
Deploying the Logic App:
- Start the deployment of the Azure Logic App to your Azure subscription by clicking the Deploy to Azure button above.
- For the deployment you will need to provide the following parameters:
  - Resource Group - Name of the new or existing Resource Group that the Logic App will be deployed into
  - Region - If deploying into an existing Resource Group the region will auto-populate; if deploying to a new Resource Group you will need to manually specify an Azure region
  - Logic App Name - Name of the Azure Logic App resource being deployed
  - Azure Sub ID - Azure Subscription GUID that will contain the Logic App and IP Group resources. The parameter will automatically populate with `[subscription().subscriptionId]`, which pulls the GUID of the subscription you are deploying into
  - IP Group Resource Group Name - Name of the Resource Group that contains the IP Group resource that will be updated
  - IP Group Name - Name of the IP Group resource that will be updated by the Logic App
- Verify that all provided settings are correct and then click Create to initiate the deployment.
- When the deployment completes you will have a Logic App created in the Resource Group specified.
- Select the Logic App resource that was deployed and navigate to the Logic App Designer section under Development Tools.
- In the designer click on the first step, When a HTTP request is received, to expand it.
- Copy and save the HTTP POST URL value; it will be used in the deployment configuration of the Action Group so that the Alert Rule can trigger the Logic App and send information about the malicious flow. Treat this URL as a secret, since it includes the shared access signature that authorizes calls to the trigger.
Deploying the Alert Rule and Action Group:
- Start the deployment of the Alert Rule and Action Group to your Azure subscription by clicking the Deploy to Azure button above.
- For the deployment you will need to provide the following parameters:
  - Action Group Name - Name of the Action Group resource that will be created
  - Logic App Endpoint - The value of the HTTP POST URL identified during the deployment of the Logic App
  - Log Analytics Workspace Name - Name of the Log Analytics Workspace that the Kusto query will run against to identify malicious flows in NSG Flow Logs
  - Log Analytics Workspace Resource Group - Name of the Resource Group containing the Log Analytics Workspace being used to perform Kusto queries
- Verify that all provided settings are correct and then click Create to initiate the deployment.
- When the deployment completes both the Alert Rule and Action Group will be deployed.
The Alert Rule is now actively monitoring the NSG Flow Logs and will trigger the Logic App with the information about malicious flows so that it can update the IP Group.
To view the Alert Rule and Action Group and adjust any settings, navigate to the Alerts Management Summary blade and select Alert Rules.
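The hand-off from the Action Group to the IP Group update, as an added Python example that is not part of this repository's templates: it parses a constructed common alert schema payload of the kind the Action Group posts to the Logic App's HTTP trigger and computes the merged ipAddresses list to write back to the IP Group. The dimension name SrcIP, the payload layout, the 5,000-entry cap, and the assumption that the Logic App reads the IP Group's current ipAddresses before writing the merged list back are all assumptions, not details taken from this repository.

```python
import ipaddress
import json

# Constructed sample of the common alert schema payload the Action Group posts to the Logic
# App's HTTP trigger. The dimension name "SrcIP" is an assumption; use your query's column.
SAMPLE_ALERT = json.dumps({"schemaId": "azureMonitorCommonAlertSchema", "data": {
    "essentials": {"alertRule": "nsg-malicious-flow", "monitorCondition": "Fired"},
    "alertContext": {"condition": {"allOf": [
        {"dimensions": [{"name": "SrcIP", "value": "203.0.113.7"}]},
        {"dimensions": [{"name": "SrcIP", "value": "10.0.0.5"}]},     # internal, skipped
        {"dimensions": [{"name": "SrcIP", "value": "not-an-ip"}]},    # malformed, skipped
        {"dimensions": [{"name": "SrcIP", "value": "203.0.113.7"}]},  # duplicate, skipped
    ]}}}})

# Ranges never to push into a firewall IP Group from an automated alert (RFC 1918, loopback,
# link-local, multicast, "this network"): denying them would break internal traffic instead.
EXCLUDED = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8",
    "169.254.0.0/16", "224.0.0.0/4", "0.0.0.0/8")]


def extract_source_ips(alert_json: str, dimension: str = "SrcIP") -> list[str]:
    """Return the raw dimension values carried by a fired alert (empty when resolved)."""
    alert = json.loads(alert_json)
    if alert.get("schemaId") != "azureMonitorCommonAlertSchema":
        raise ValueError("unexpected alert schema")
    if alert["data"]["essentials"].get("monitorCondition") != "Fired":
        return []  # a Resolved notification must not add addresses
    return [dim["value"]
            for cond in alert["data"]["alertContext"]["condition"]["allOf"]
            for dim in cond.get("dimensions", []) if dim.get("name") == dimension]


def merge_ip_group(existing: list[str], candidates: list[str], max_entries: int = 5000) -> list[str]:
    """Build the ipAddresses list to PUT back: existing entries plus valid, external, new ones.
    A PUT replaces the whole array, so current entries are kept. max_entries is an assumed cap."""
    merged = list(existing)
    for raw in candidates:
        try:
            net = ipaddress.ip_network(raw.strip(), strict=False)
        except ValueError:
            continue  # not an address or prefix
        entry = str(net.network_address) if net.prefixlen == 32 else str(net)
        if net.version != 4 or entry in merged or any(net.subnet_of(x) for x in EXCLUDED):
            continue  # IPv6, already present, or an internal/special range
        if len(merged) >= max_entries:
            raise RuntimeError("IP Group entry limit reached; review before adding more")
        merged.append(entry)
    return merged
```

The same filtering belongs in the Logic App before the IP Group write, since a PUT that drops existing entries or adds an internal range changes what Azure Firewall blocks.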