Azure Network Security Groups

Azure network security groups are used to filter network traffic to and from Azure resources in an Azure virtual network.

Configure Azure Network Security Groups on Cortex XSOAR

In both options below, the device authorization grant flow is used.

In order to connect to the Azure Network Security Group using either Cortex XSOAR Azure App or the Self-Deployed Azure App:

  1. Fill in the required parameters.
  2. Run the !azure-nsg-auth-start command.
  3. Follow the instructions that appear.
  4. Run the !azure-nsg-auth-complete command.

At the end of the process you'll see a message that you've logged in successfully.

Cortex XSOAR Azure App

In order to use the Cortex XSOAR Azure application, use the default application ID (d4736600-e3d5-4c97-8e65-57abd2b979fe).

You only need to fill in your subscription ID and resource group name.

Self-Deployed Azure App

To use a self-configured Azure application, you need to add a new Azure App Registration in the Azure Portal.

The application must have user_impersonation permission and must allow public client flows (can be found under the Authentication section of the app).

Commands

You can execute these commands from the Cortex XSOAR CLI, as part of an automation, or in a playbook. After you successfully execute a command, a DBot message appears in the War Room with the command details.

azure-nsg-security-groups-list


List all network security groups.

Base Command

azure-nsg-security-groups-list

Input

There are no input arguments for this command.

Context Output

| Path | Type | Description |
| --- | --- | --- |
| AzureNSG.SecurityGroup.name | String | The security group's name. |
| AzureNSG.SecurityGroup.id | String | The security group's ID. |
| AzureNSG.SecurityGroup.etag | String | The security group's ETag. |
| AzureNSG.SecurityGroup.type | String | The security group's type. |
| AzureNSG.SecurityGroup.location | String | The security group's location. |
| AzureNSG.SecurityGroup.tags | String | The security group's tags. |

Command Example

!azure-nsg-security-groups-list

Context Example

{
    "AzureNSG": {
        "SecurityGroup": {
            "etag": "W/\"fdba51cf-46b3-44af-8da5-16666aa578cc\"",
            "id": "/subscriptions/123456789/resourceGroups/cloud-shell-storage-eastus/providers/Microsoft.Network/networkSecurityGroups/alerts-nsg",
            "location": "westeurope",
            "name": "alerts-nsg",
            "tags": {},
            "type": "Microsoft.Network/networkSecurityGroups"
        }
    }
}

Human Readable Output

Network Security Groups

| etag | id | location | name | tags | type |
| --- | --- | --- | --- | --- | --- |
| W/"fdba51cf-46b3-44af-8da5-16666aa578cc" | /subscriptions/123456789/resourceGroups/cloud-shell-storage-eastus/providers/Microsoft.Network/networkSecurityGroups/alerts-nsg | westeurope | alerts-nsg |  | Microsoft.Network/networkSecurityGroups |

azure-nsg-security-rules-list


List all rules of the specified security groups.

Base Command

azure-nsg-security-rules-list

Input

| Argument Name | Description | Required |
| --- | --- | --- |
| security_group_name | A comma-separated list of the names of the security groups. | Required |
| limit | The maximum number of rules to display. Default is 50. | Optional |
| offset | The index of the first rule to display. Used for pagination. Default is 0. | Optional |

Context Output

| Path | Type | Description |
| --- | --- | --- |
| AzureNSG.Rule.name | String | The rule's name. |
| AzureNSG.Rule.id | String | The rule's ID. |
| AzureNSG.Rule.etag | String | The rule's ETag. |
| AzureNSG.Rule.type | String | The rule's type. |
| AzureNSG.Rule.provisioningState | String | The rule's provisioning state. |
| AzureNSG.Rule.protocol | String | The protocol. Can be "TCP", "UDP", "ICMP", or "*". |
| AzureNSG.Rule.sourcePortRange | String | For a single port, the source port or range of ports. Note that for multiple ports, `sourcePortRanges` will appear instead. |
| AzureNSG.Rule.sourcePortRanges | String | For multiple ports, a list of source ports. Note that for single ports, `sourcePortRange` will appear instead. |
| AzureNSG.Rule.destinationPortRange | String | For a single port, the destination port or range of ports. Note that for multiple ports, `destinationPortRanges` will appear instead. |
| AzureNSG.Rule.destinationPortRanges | String | For multiple ports, a list of destination ports. Note that for single ports, `destinationPortRange` will appear instead. |
| AzureNSG.Rule.sourceAddressPrefix | String | The source address. |
| AzureNSG.Rule.destinationAddressPrefix | String | The destination address. |
| AzureNSG.Rule.access | String | The rule's access. Can be either "Allow" or "Deny". |
| AzureNSG.Rule.priority | Number | The rule's priority. Can be from 100 to 4096. |
| AzureNSG.Rule.direction | String | The rule's direction. Can be either "Inbound" or "Outbound". |

Command Example

!azure-nsg-security-rules-list security_group_name=alerts-nsg

Context Example

{
    "AzureNSG": {
        "Rule": {
            "access": "Allow",
            "destinationAddressPrefix": "1.1.1.1",
            "destinationAddressPrefixes": [],
            "destinationPortRange": "*",
            "destinationPortRanges": [],
            "direction": "Inbound",
            "etag": "W/\"fdba51cf-46b3-44af-8da5-16666aa578cc\"",
            "id": "/subscriptions/123456789/resourceGroups/cloud-shell-storage-eastus/providers/Microsoft.Network/networkSecurityGroups/alerts-nsg/securityRules/wow",
            "name": "wow",
            "priority": 3323,
            "protocol": "*",
            "provisioningState": "Succeeded",
            "sourceAddressPrefix": "8.8.8.8",
            "sourceAddressPrefixes": [],
            "sourcePortRanges": [
                "1",
                "2",
                "3"
            ],
            "type": "Microsoft.Network/networkSecurityGroups/securityRules"
        }
    }
}

Human Readable Output

Rules in alerts-nsg

| access | destinationAddressPrefix | destinationPortRange | direction | etag | id | name | priority | protocol | provisioningState | sourceAddressPrefix | sourcePortRanges | type |
| --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- |
| Allow | 1.1.1.1 | * | Inbound | W/"fdba51cf-46b3-44af-8da5-16666aa578cc" | /subscriptions/123456789/resourceGroups/cloud-shell-storage-eastus/providers/Microsoft.Network/networkSecurityGroups/alerts-nsg/securityRules/wow | wow | 3323 | * | Succeeded | 8.8.8.8 | 1, 2, 3 | Microsoft.Network/networkSecurityGroups/securityRules |
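
The rule entries returned by azure-nsg-security-rules-list can be audited for management ports reachable from any source. The following is an added example, not part of the integration or the original page: it merges the singular and plural port fields described above and evaluates rules lowest priority number first. The sample rules (other than "wow") and the function names are constructed for illustration, and the check assumes single-prefix rules only, ignoring destination addresses, `sourceAddressPrefixes`, and Azure's built-in default rules.

```python
# Added example: audit AzureNSG.Rule context entries for internet-exposed ports.
# "*" is the value the context output shows for "Any"; the other two are
# equivalent ways of saying "any source" (lower-cased for comparison).
ANY_SOURCES = {"*", "0.0.0.0/0", "internet"}

# Constructed sample data shaped like the Context Example entries on this page.
SAMPLE_RULES = [
    {"name": "wow", "access": "Allow", "direction": "Inbound", "priority": 3323,
     "protocol": "*", "sourceAddressPrefix": "8.8.8.8",
     "destinationPortRange": "*", "destinationPortRanges": []},
    {"name": "allow-mgmt", "access": "Allow", "direction": "Inbound", "priority": 300,
     "protocol": "TCP", "sourceAddressPrefix": "*",
     "destinationPortRanges": ["22", "3380-3390"]},
    {"name": "deny-ssh", "access": "Deny", "direction": "Inbound", "priority": 200,
     "protocol": "*", "sourceAddressPrefix": "*",
     "destinationPortRange": "22", "destinationPortRanges": []},
]


def port_ranges(rule, side="destination"):
    """Merge the singular and plural port fields into a list of (low, high)."""
    raw = list(rule.get(f"{side}PortRanges") or [])
    single = rule.get(f"{side}PortRange")
    if single:
        raw.append(single)
    ranges = []
    for item in raw:
        if item == "*":
            ranges.append((0, 65535))
        else:
            low, _, high = str(item).partition("-")
            ranges.append((int(low), int(high or low)))
    return ranges


def matches(rule, port, protocol="TCP"):
    """True if an inbound rule applies to traffic from any source to `port`."""
    return (
        rule.get("direction") == "Inbound"
        and str(rule.get("sourceAddressPrefix", "")).lower() in ANY_SOURCES
        and str(rule.get("protocol") or "*").upper() in ("*", protocol)
        and any(low <= port <= high for low, high in port_ranges(rule))
    )


def exposed_ports(rules, ports=(22, 3389)):
    """Map each port to the Allow rule that decides it, if any.

    Rules are evaluated lowest priority number first; the first match wins.
    """
    findings = {}
    for port in ports:
        for rule in sorted(rules, key=lambda r: r["priority"]):
            if matches(rule, port):
                if rule["access"] == "Allow":
                    findings[port] = rule["name"]
                break
    return findings


if __name__ == "__main__":
    print(exposed_ports(SAMPLE_RULES))
```

In the sample, port 22 is not reported because the Deny rule at priority 200 is evaluated before the Allow rule at priority 300, while port 3389 falls through to the Allow rule.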

azure-nsg-auth-test


Tests the connectivity to the Azure Network Security Groups.

Base Command

azure-nsg-auth-test

Input

There are no input arguments for this command.

Context Output

There is no context output for this command.

Command Example

!azure-nsg-auth-test

Human Readable Output

✅ Success!

azure-nsg-security-rules-delete


Delete a security rule.

Base Command

azure-nsg-security-rules-delete

Input

| Argument Name | Description | Required |
| --- | --- | --- |
| security_group_name | The name of the security group. | Required |
| security_rule_name | The name of the rule to be deleted. | Required |

Context Output

There is no context output for this command.

Command Example

!azure-nsg-security-rules-delete security_group_name=alerts-nsg security_rule_name=wow

Human Readable Output

Rule wow deleted.

azure-nsg-security-rules-create


Create a security rule.

Base Command

azure-nsg-security-rules-create

Input

| Argument Name | Description | Required |
| --- | --- | --- |
| security_group_name | The name of the security group. | Required |
| security_rule_name | The name of the rule to be created. | Required |
| direction | The direction of the rule. Possible values are: Inbound, Outbound. | Required |
| action | Whether to allow the traffic. Possible values are: Allow, Deny. | Optional |
| protocol | The protocol on which to apply the rule. Possible values are: Any, TCP, UDP, ICMP. | Optional |
| source | The source IP address range from which incoming traffic will be allowed or denied by this rule. Possible values are "Any", an IP address range, an application security group, or a default tag. Default is "Any". | Optional |
| priority | The priority by which the rules will be processed. The lower the number, the higher the priority. We recommend leaving gaps between rules (100, 200, 300, etc.) so that it is easier to add new rules without having to edit existing rules. Default is "4096". | Optional |
| source_ports | The source ports from which traffic will be allowed or denied by this rule. Provide a single port, such as 80; a port range, such as 1024-65535; or a comma-separated list of single ports and/or port ranges, such as 80,1024-65535. Use an asterisk (*) to allow traffic on any port. Default is "*". | Optional |
| destination | The specific destination IP address range for outgoing traffic that will be allowed or denied by this rule. The destination filter can be "Any", an IP address range, an application security group, or a default tag. | Optional |
| destination_ports | The destination ports for which traffic will be allowed or denied by this rule. Provide a single port, such as 80; a port range, such as 1024-65535; or a comma-separated list of single ports and/or port ranges, such as 80,1024-65535. Use an asterisk (*) to allow traffic on any port. Default is "*". | Optional |
| description | A description to add to the rule. | Optional |

Context Output

| Path | Type | Description |
| --- | --- | --- |
| AzureNSG.Rule.name | String | The rule's name. |
| AzureNSG.Rule.id | String | The rule's ID. |
| AzureNSG.Rule.etag | String | The rule's ETag. |
| AzureNSG.Rule.type | String | The rule's type. |
| AzureNSG.Rule.provisioningState | String | The rule's provisioning state. |
| AzureNSG.Rule.protocol | String | The protocol. Can be "TCP", "UDP", "ICMP", or "*". |
| AzureNSG.Rule.sourcePortRange | String | For a single port, the source port or a range of ports. Note that for multiple ports, `sourcePortRanges` will appear instead. |
| AzureNSG.Rule.sourcePortRanges | String | For multiple ports, a list of these ports. Note that for single ports, `sourcePortRange` will appear instead. |
| AzureNSG.Rule.destinationPortRange | String | For a single port, the destination port or range of ports. Note that for multiple ports, `destinationPortRanges` will appear instead. |
| AzureNSG.Rule.destinationPortRanges | String | For multiple ports, a list of destination ports. Note that for single ports, `destinationPortRange` will appear instead. |
| AzureNSG.Rule.sourceAddressPrefix | String | The source address. |
| AzureNSG.Rule.destinationAddressPrefix | String | The destination address. |
| AzureNSG.Rule.access | String | The rule's access. Can be "Allow" or "Deny". |
| AzureNSG.Rule.priority | Number | The rule's priority. Can be from 100 to 4096. |
| AzureNSG.Rule.direction | String | The rule's direction. Can be "Inbound" or "Outbound". |

Command Example

!azure-nsg-security-rules-create direction=Inbound security_group_name=alerts-nsg security_rule_name=rulerule source=1.1.1.1

Context Example

{
    "AzureNSG": {
        "Rule": {
            "access": "Allow",
            "destinationAddressPrefix": "*",
            "destinationAddressPrefixes": [],
            "destinationPortRange": "*",
            "destinationPortRanges": [],
            "direction": "Inbound",
            "etag": "W/\"276dc93a-488d-47a1-8971-19a1171242a9\"",
            "id": "/subscriptions/123456789/resourceGroups/cloud-shell-storage-eastus/providers/Microsoft.Network/networkSecurityGroups/alerts-nsg/securityRules/rulerule",
            "name": "rulerule",
            "priority": 4096,
            "protocol": "*",
            "provisioningState": "Updating",
            "sourceAddressPrefix": "1.1.1.1",
            "sourceAddressPrefixes": [],
            "sourcePortRange": "*",
            "sourcePortRanges": [],
            "type": "Microsoft.Network/networkSecurityGroups/securityRules"
        }
    }
}

Human Readable Output

Rules rulerule

| access | destinationAddressPrefix | destinationPortRange | direction | etag | id | name | priority | protocol | provisioningState | sourceAddressPrefix | sourcePortRange | type |
| --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- |
| Allow | * | * | Inbound | W/"276dc93a-488d-47a1-8971-19a1171242a9" | /subscriptions/123456789/resourceGroups/cloud-shell-storage-eastus/providers/Microsoft.Network/networkSecurityGroups/alerts-nsg/securityRules/rulerule | rulerule | 4096 | * | Updating | 1.1.1.1 | * | Microsoft.Network/networkSecurityGroups/securityRules |

azure-nsg-security-rules-update


Update a security rule. If one does not exist, it will be created.

Base Command

azure-nsg-security-rules-update

Input

| Argument Name | Description | Required |
| --- | --- | --- |
| security_group_name | The name of the security group. | Required |
| security_rule_name | The name of the rule to be updated. | Required |
| direction | The direction of the rule. Possible values are: Inbound, Outbound. | Optional |
| action | Whether to allow the traffic. Possible values are: Allow, Deny. | Optional |
| protocol | The protocol on which to apply the rule. Possible values are: Any, TCP, UDP, ICMP. | Optional |
| source | The source IP address range from which incoming traffic will be allowed or denied by this rule. Possible values are "Any", an IP address range, an application security group, or a default tag. Default is "Any". | Optional |
| priority | The priority by which the rules will be processed. The lower the number, the higher the priority. We recommend leaving gaps between rules (100, 200, 300, etc.) so that it is easier to add new rules without having to edit existing rules. Default is "4096". | Optional |
| source_ports | The source ports from which traffic will be allowed or denied by this rule. Provide a single port, such as 80; a port range, such as 1024-65535; or a comma-separated list of single ports and/or port ranges, such as 80,1024-65535. Use an asterisk (*) to allow traffic on any port. Default is "*". | Optional |
| destination | The specific destination IP address range for outgoing traffic that will be allowed or denied by this rule. The destination filter can be "Any", an IP address range, an application security group, or a default tag. | Optional |
| destination_ports | The destination ports for which traffic will be allowed or denied by this rule. Provide a single port, such as 80; a port range, such as 1024-65535; or a comma-separated list of single ports and/or port ranges, such as 80,1024-65535. Use an asterisk (*) to allow traffic on any port. Default is "*". | Optional |
| description | A description to add to the rule. | Optional |

Context Output

| Path | Type | Description |
| --- | --- | --- |
| AzureNSG.Rule.name | String | The rule's name. |
| AzureNSG.Rule.id | String | The rule's ID. |
| AzureNSG.Rule.etag | String | The rule's ETag. |
| AzureNSG.Rule.type | String | The rule's type. |
| AzureNSG.Rule.provisioningState | String | The rule's provisioning state. |
| AzureNSG.Rule.protocol | String | The protocol. Can be "TCP", "UDP", "ICMP", or "*". |
| AzureNSG.Rule.sourcePortRange | String | For a single port, the source port or a range of ports. Note that for multiple ports, `sourcePortRanges` will appear instead. |
| AzureNSG.Rule.sourcePortRanges | String | For multiple ports, a list of these ports. Note that for single ports, `sourcePortRange` will appear instead. |
| AzureNSG.Rule.destinationPortRange | String | For a single port, the destination port or range of ports. Note that for multiple ports, `destinationPortRanges` will appear instead. |
| AzureNSG.Rule.destinationPortRanges | String | For multiple ports, a list of destination ports. Note that for single ports, `destinationPortRange` will appear instead. |
| AzureNSG.Rule.sourceAddressPrefix | String | The source address. |
| AzureNSG.Rule.destinationAddressPrefix | String | The destination address. |
| AzureNSG.Rule.access | String | The rule's access. Can be "Allow" or "Deny". |
| AzureNSG.Rule.priority | Number | The rule's priority. Can be from 100 to 4096. |
| AzureNSG.Rule.direction | String | The rule's direction. Can be "Inbound" or "Outbound". |

Command Example

!azure-nsg-security-rules-update security_group_name=alerts-nsg security_rule_name=Demisto_Rule action=Allow description=description

Context Example

{
    "AzureNSG": {
        "Rule": {
            "access": "Allow",
            "description": "description",
            "destinationAddressPrefix": "11.0.0.0/8",
            "destinationAddressPrefixes": [],
            "destinationPortRange": "8080",
            "destinationPortRanges": [],
            "direction": "Outbound",
            "etag": "W/\"9fad6036-4c3a-4d60-aac9-18281dba3305\"",
            "id": "/subscriptions/123456789/resourceGroups/cloud-shell-storage-eastus/providers/Microsoft.Network/networkSecurityGroups/alerts-nsg/securityRules/Demisto_Rule",
            "name": "Demisto_Rule",
            "priority": 100,
            "protocol": "*",
            "provisioningState": "Succeeded",
            "sourceAddressPrefix": "10.0.0.0/8",
            "sourceAddressPrefixes": [],
            "sourcePortRange": "*",
            "sourcePortRanges": [],
            "type": "Microsoft.Network/networkSecurityGroups/securityRules"
        }
    }
}

Human Readable Output

Rules Demisto_Rule

| access | description | destinationAddressPrefix | destinationPortRange | direction | etag | id | name | priority | protocol | provisioningState | sourceAddressPrefix | sourcePortRange | type |
| --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- |
| Allow | description | 11.0.0.0/8 | 8080 | Outbound | W/"9fad6036-4c3a-4d60-aac9-18281dba3305" | /subscriptions/123456789/resourceGroups/cloud-shell-storage-eastus/providers/Microsoft.Network/networkSecurityGroups/alerts-nsg/securityRules/Demisto_Rule | Demisto_Rule | 100 | * | Succeeded | 10.0.0.0/8 | * | Microsoft.Network/networkSecurityGroups/securityRules |

azure-nsg-security-rules-get


Get a specific rule.

Base Command

azure-nsg-security-rules-get

Input

| Argument Name | Description | Required |
| --- | --- | --- |
| security_group_name | The name of the security group. | Optional |
| security_rule_name | A comma-separated list of the names of the rules to get. | Optional |

Context Output

| Path | Type | Description |
| --- | --- | --- |
| AzureNSG.Rule.name | String | The rule's name. |
| AzureNSG.Rule.id | String | The rule's ID. |
| AzureNSG.Rule.etag | String | The rule's ETag. |
| AzureNSG.Rule.type | String | The rule's type. |
| AzureNSG.Rule.provisioningState | String | The rule's provisioning state. |
| AzureNSG.Rule.protocol | String | The protocol. Can be "TCP", "UDP", "ICMP", or "*". |
| AzureNSG.Rule.sourcePortRange | String | For a single port, the source port or a range of ports. Note that for multiple ports, `sourcePortRanges` will appear instead. |
| AzureNSG.Rule.sourcePortRanges | String | For multiple ports, a list of these ports. Note that for single ports, `sourcePortRange` will appear instead. |
| AzureNSG.Rule.destinationPortRange | String | For a single port, the destination port or range of ports. Note that for multiple ports, `destinationPortRanges` will appear instead. |
| AzureNSG.Rule.destinationPortRanges | String | For multiple ports, a list of destination ports. Note that for single ports, `destinationPortRange` will appear instead. |
| AzureNSG.Rule.sourceAddressPrefix | String | The source address. |
| AzureNSG.Rule.destinationAddressPrefix | String | The destination address. |
| AzureNSG.Rule.access | String | The rule's access. Can be "Allow" or "Deny". |
| AzureNSG.Rule.priority | Number | The rule's priority. Can be from 100 to 4096. |
| AzureNSG.Rule.direction | String | The rule's direction. Can be "Inbound" or "Outbound". |

Command Example

!azure-nsg-security-rules-get security_group_name=alerts-nsg security_rule_name=wow

Context Example

{
    "AzureNSG": {
        "Rule": {
            "access": "Allow",
            "destinationAddressPrefix": "1.1.1.1",
            "destinationAddressPrefixes": [],
            "destinationPortRange": "*",
            "destinationPortRanges": [],
            "direction": "Inbound",
            "etag": "W/\"fdba51cf-46b3-44af-8da5-16666aa578cc\"",
            "id": "/subscriptions/123456789/resourceGroups/cloud-shell-storage-eastus/providers/Microsoft.Network/networkSecurityGroups/alerts-nsg/securityRules/wow",
            "name": "wow",
            "priority": 3323,
            "protocol": "*",
            "provisioningState": "Succeeded",
            "sourceAddressPrefix": "8.8.8.8",
            "sourceAddressPrefixes": [],
            "sourcePortRanges": [
                "1",
                "2",
                "3"
            ],
            "type": "Microsoft.Network/networkSecurityGroups/securityRules"
        }
    }
}

Human Readable Output

Rules wow

| access | destinationAddressPrefix | destinationPortRange | direction | etag | id | name | priority | protocol | provisioningState | sourceAddressPrefix | sourcePortRanges | type |
| --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- |
| Allow | 1.1.1.1 | * | Inbound | W/"fdba51cf-46b3-44af-8da5-16666aa578cc" | /subscriptions/123456789/resourceGroups/cloud-shell-storage-eastus/providers/Microsoft.Network/networkSecurityGroups/alerts-nsg/securityRules/wow | wow | 3323 | * | Succeeded | 8.8.8.8 | 1, 2, 3 | Microsoft.Network/networkSecurityGroups/securityRules |

azure-nsg-auth-start


Run this command to start the authorization process and follow the instructions in the command results.

Base Command

azure-nsg-auth-start

Input

There are no input arguments for this command.

Context Output

There is no context output for this command.

Command Example

!azure-nsg-auth-start

Human Readable Output

To sign in, use a web browser to open the page https://microsoft.com/devicelogin and enter the code CODECODE to authenticate. Run the !azure-nsg-auth-complete command in the War Room.

azure-nsg-auth-complete


Run this command to complete the authorization process. Use it after running the azure-nsg-auth-start command.

Base Command

azure-nsg-auth-complete

Input

There are no input arguments for this command.

Context Output

There is no context output for this command.

Command Example

!azure-nsg-auth-complete

Human Readable Output

✅ Authorization completed successfully.

azure-nsg-auth-reset


Run this command if for some reason you need to rerun the authentication process.

Base Command

azure-nsg-auth-reset

Input

There are no input arguments for this command.

Context Output

There is no context output for this command.

Command Example

!azure-nsg-auth-reset

Human Readable Output

Authorization was reset successfully. You can now run !azure-nsg-auth-start and !azure-nsg-auth-complete.