
Azure - Network Security Group Remediation

This playbook is part of the Azure Enrichment and Remediation Pack.

Supported versions

Supported Cortex XSOAR versions: 6.5.0 and later.

This playbook adds new Azure Network Security Group (NSG) rules to the NSGs attached to a NIC. The new rules allow access only from a private IP address range and block the traffic that is exposed to the public internet, scoped to the private IP of the VM (as described in the Azure documentation). For example, if RDP is exposed to the public internet, this playbook adds new firewall rules that allow RDP traffic only from private IP addresses and block the rest of the RDP traffic.

Conditions and limitations:

  • Limited to one resource group.
  • At most 200 Azure rules are inspected at once to find the offending rule.
  • Two free priority numbers lower than the offending rule's priority (that is, evaluated before it) must be available.
  • Rules are added to NSGs associated with NICs.
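The following added example (not part of the playbook or the Azure integration) models the selection logic the description and conditions above imply: find the inbound rule that exposes the port to a public source, locate two unused priority numbers below it, and build an allow rule for the `RemediationAllowRanges` prefixes followed by a deny rule for everyone else, both scoped to the VM's private IP. The `NsgRule` model, the sample rule set, the `PUBLIC_SOURCES` set and the deny rule name `remediation-deny-port-<port#>-<tcp|udp>` are assumptions made for this example; the page only names the allow rule.

```python
"""Added example: model of the NSG remediation decision the playbook describes.
Not the playbook's own code; rule fields and sample data are constructed."""
from dataclasses import dataclass
from typing import Dict, List, Optional

AZURE_MIN_PRIORITY = 100   # Azure custom NSG rules use 100-4096; lower number wins
MAX_RULES_SCANNED = 200    # the playbook inspects at most 200 rules
# Source prefixes treated as "public internet" (assumption for this example)
PUBLIC_SOURCES = {"*", "internet", "0.0.0.0/0"}
# Default value of the RemediationAllowRanges playbook input
DEFAULT_ALLOW_RANGES = "172.16.0.0/12,10.0.0.0/8,192.168.0.0/16"


@dataclass
class NsgRule:
    """Minimal NSG security rule model (constructed for this example)."""
    name: str
    priority: int
    direction: str   # "Inbound" or "Outbound"
    access: str      # "Allow" or "Deny"
    protocol: str    # "Tcp", "Udp" or "*"
    source: str      # source address prefix, e.g. "*" or "VirtualNetwork"
    dest_port: str   # "3389", "*" or a range such as "3000-4000"


# Constructed sample NSG: RDP open to the world, SSH only from the vnet, HTTP open.
SAMPLE_RULES = [
    NsgRule("allow-rdp-any", 300, "Inbound", "Allow", "Tcp", "*", "3389"),
    NsgRule("allow-ssh-vnet", 299, "Inbound", "Allow", "Tcp", "VirtualNetwork", "22"),
    NsgRule("allow-http-any", 298, "Inbound", "Allow", "Tcp", "*", "80"),
]


def _port_matches(rule_port: str, port: int) -> bool:
    if rule_port == "*":
        return True
    if "-" in rule_port:
        lo, hi = (int(p) for p in rule_port.split("-", 1))
        return lo <= port <= hi
    return int(rule_port) == port


def find_offending_rule(rules: List[NsgRule], port: int, protocol: str) -> Optional[NsgRule]:
    """Return the inbound Allow rule with the highest precedence (lowest number)
    that exposes port/protocol to a public source, or None if there is none."""
    matches = [
        r for r in rules[:MAX_RULES_SCANNED]
        if r.direction == "Inbound"
        and r.access == "Allow"
        and r.source.lower() in PUBLIC_SOURCES
        and (r.protocol == "*" or r.protocol.lower() == protocol.lower())
        and _port_matches(r.dest_port, port)
    ]
    return min(matches, key=lambda r: r.priority, default=None)


def find_available_priorities(rules: List[NsgRule], below: int, count: int = 2) -> Optional[List[int]]:
    """Return `count` unused priorities strictly below `below` (ascending), or None
    if fewer exist: the "two priorities lower must be available" condition."""
    used = {r.priority for r in rules}
    free: List[int] = []
    for p in range(below - 1, AZURE_MIN_PRIORITY - 1, -1):
        if p not in used:
            free.append(p)
            if len(free) == count:
                break
    return sorted(free) if len(free) == count else None


def build_remediation(rules: List[NsgRule], port: int, protocol: str,
                      vm_private_ip: str, allow_ranges: str = DEFAULT_ALLOW_RANGES) -> Dict:
    """Build the allow-then-deny rule pair and the playbook-style outputs."""
    offending = find_offending_rule(rules, port, protocol)
    if offending is None:
        return {"remediatedFlag": False, "rules": [],
                "remediatedReason": f"no inbound rule exposes {protocol}/{port} publicly"}
    priorities = find_available_priorities(rules, offending.priority)
    if priorities is None:
        return {"remediatedFlag": False, "rules": [],
                "remediatedReason": f"fewer than 2 free priorities below {offending.priority}"}
    allow_priority, deny_priority = priorities   # allow is evaluated first
    proto = protocol.lower()
    allow_rule = {
        "name": f"remediation-allow-port-{port}-{proto}",
        "priority": allow_priority, "direction": "Inbound", "access": "Allow",
        "protocol": proto, "source": [s.strip() for s in allow_ranges.split(",")],
        "destination": vm_private_ip, "dest_port": str(port),
    }
    deny_rule = {
        "name": f"remediation-deny-port-{port}-{proto}",   # name is an assumption
        "priority": deny_priority, "direction": "Inbound", "access": "Deny",
        "protocol": proto, "source": ["*"],
        "destination": vm_private_ip, "dest_port": str(port),
    }
    return {"remediatedFlag": True, "rules": [allow_rule, deny_rule],
            "remediatedReason": f"restricted {proto}/{port} exposed by {offending.name}"}


if __name__ == "__main__":
    print(build_remediation(SAMPLE_RULES, 3389, "tcp", "10.0.1.4"))
```

Because Azure evaluates the lowest priority number first, the allow rule takes the lower of the two free numbers so that traffic from the permitted ranges is accepted before the deny rule catches everything else; if only one free number exists below the offending rule, the function reports failure rather than inserting a deny rule that would be evaluated before its allow.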

Dependencies

This playbook uses the following sub-playbooks, integrations, and scripts.

Sub-playbooks

This playbook does not use any sub-playbooks.

Integrations

  • Azure Network Security Groups

Scripts

  • Set
  • AzureFindAvailableNSGPriorities

Commands

  • azure-nsg-security-rule-update
  • azure-nsg-security-rule-create
  • azure-nsg-security-rules-list

Playbook Inputs


| Name | Description | Default Value | Required |
| --- | --- | --- | --- |
| AzureSecurityGroup | The Azure Network Security Group that will have new rules created or updated. | | Required |
| AzureVMPrivateIP | The private IP of the Azure Virtual Machine. | | Required |
| RemoteProtocol | The remote protocol that is publicly exposed. | | Required |
| RemotePort | The remote port that is publicly exposed. | | Required |
| SubscriptionID | The Azure subscription ID (optional). | | Optional |
| ResourceGroup | The Azure resource group (optional). | | Optional |
| InstanceName | Azure Network Security Groups integration instance to use if you have multiple instances configured (optional). | | Optional |
| RemediationAllowRanges | Comma-separated list of IPv4 network ranges to be used as source addresses for the `remediation-allow-port-<port#>-<tcp|udp>` rule to be created. Typically these are private IP ranges (to allow access within the vnet and from bastion hosts), but other networks can be added as needed. | 172.16.0.0/12,10.0.0.0/8,192.168.0.0/16 | Optional |

Playbook Outputs


| Path | Description | Type |
| --- | --- | --- |
| remediatedFlag | Output key to determine whether remediation was successfully done. | boolean |
| remediatedReason | Reason remediation was done or not done. | string |

Playbook Image

[Playbook image: Azure - Network Security Group Remediation]