Azure – Automatically block IP’s in Network Security Group when brute force attack is detected

As you know Azure Security Center is your one stop shop to help you stay on top of your security posture for your resources hosted in Azure.

As there is more and more resources hosted on cloud services, security and protection against attack is more important than ever.

As you know you can protect your virtual machines running on Azure using various options, the easiest and free one is the Network Security Group (NSG).

Managing allowed/denied IP address list on NSG is not easy, especially when you need to act fast when an attack is detected.

Well, good news, the Azure Security Center group has developed an automation helping you block IP addresses at the NSG level when a brute force attack is detected.

To start using it you need:

Well, let’s start deploying the automation by hitting the Deploy to Azure

image_thumb

Then fill up the required filled:

  • Resource group: where the automation will be deployed
  • Region
  • Playbook name: keep the default name – BlockBruteForceAttackedIP or name it as you wish
  • User name: the username of a mailbox which will be used to send notification; the mailbox needs to be on Office 365
  • Email contact: email address the security team

image_thumb[1]

Now you need to grant the BlockBruteForceAttackedIP Logic App either User Access Administrator or Owner for the subscription(s), group management or resource group to scope your usage (scope of your Azure Security Center protection)

image_thumb[5]  image_thumb[6]

Then you need to grant the Office 365 API called office365-BlockBruteForceAttackedIP by accessing the Edit API connection blade by hitting the blue button

image_thumb[7]  image_thumb[8]

If you see the Authorization was successful message you can hit the Save button

image_thumb[9]

Now you can create the automation on your Azure Security Center.

The ASC automation workflow needs to use the following:

  • Security Center data types: Threat detection alerts
  • Alert name: contains the word brute
  • Action: select the BlockBruteForceAttackedIP Logic App

image_thumb[10]  image_thumb[11]

You are now ready to get all IP addresses doing a brute force attack being added on the NSG associated with the attacked VM and being blocked.