Automation to block malicious flows detected by Azure Traffic Analytics
Update July 2021: use the Azure Monitor Logs API connector instead of the Azure Log Analytics Data API collector to query Log Analytics.
With Azure Traffic Analytics enabled on Network Security Groups (NSG) we can visualize valuable insights, such as allowed and denied flows per flow type.
In this article we will focus on malicious flows that are allowed through our NSG, and we will automatically block them with a Network Security Group rule.
The high level view of our automation workflow consists of the following steps:
- A Log Analytics Workspace alert will detect a malicious flow.
- This alert will trigger an Azure Logic App that will block the malicious flow.
- The Logic App will then notify us with a nice and relevant email through an Office 365 API connector.
The following diagram illustrates this high level view.
Log Analytics queries
Enabling Traffic Analytics on our Network Security Groups lets us visualize insights like the following samples.
For more info about Traffic Analytics you can consult this article, which shows how to create a dedicated Azure Monitor Workbook.
Count your flows by type
// Source table assumed: the original snippet omits the table line; Traffic Analytics flow logs land in AzureNetworkAnalytics_CL
AzureNetworkAnalytics_CL
| summarize Count=count() by ["Flow Type"]=FlowType_s
| render barchart
Filter your allowed malicious flows
// Source table assumed: the original snippet omits the table line; Traffic Analytics flow logs land in AzureNetworkAnalytics_CL
AzureNetworkAnalytics_CL
| where FlowType_s == "MaliciousFlow" and FlowStatus_s == "A"   // "A" = allowed flows
| summarize count() by bin(FlowStartTime_t, 2h), Country_s
| render barchart
Before trying to deploy, make sure you have a Log Analytics Workspace that receives Azure Traffic Analytics logs. To test this, check that the queries above return data. If they don't, the ARM template below will fail, because the Log Analytics alert query is validated during the ARM deployment.
You can then navigate to this git repository to deploy the ARM template through the Azure portal, click on the icon “Deploy to Azure”.
This will create the Azure resources of our automation workflow:
- A Log Analytics Workspace alert to identify malicious flows and to trigger the remediation Logic App.
- An Office 365 API Connector to send the remediation notification by email.
- A Logic App with its Managed Identity to create the NSG blocking rules.
You can also execute the following command to do the same.
$AzureRmSubscriptionName = "mvp-sub1"
$RgName = "infr-hub-prd-rg1"
$sendEmailTo = "firstname.lastname@example.org;email@example.com"
$logAnalytics = "/subscriptions/<your sub id>/resourcegroups/<the RG name of the Log Analytics Workspace>/providers/microsoft.operationalinsights/workspaces/<The Log Analytics Workspace name containing Traffic Analytics Logs>"
$templateUri = "https://raw.githubusercontent.com/JamesDLD/AzureRm-Template/master/Block-AzMaliciousFlow/template.json"

## Connectivity
# Login first with Connect-AzAccount if not using Cloud Shell
$AzureRmContext = Get-AzSubscription -SubscriptionName $AzureRmSubscriptionName | Set-AzContext -ErrorAction Stop
Select-AzSubscription -Name $AzureRmSubscriptionName -Context $AzureRmContext -Force -ErrorAction Stop

## Action
Write-Host "Deploying to the resource group : $RgName an Azure Logic App that will deny malicious flows" -ForegroundColor Cyan
New-AzResourceGroupDeployment -Name "Block-MaliciousFlow" -ResourceGroupName $RgName `
    -TemplateUri $templateUri `
    -sendEmailTo $sendEmailTo `
    -logAnalytics $logAnalytics `
    -Confirm -ErrorAction Stop
Additional manual steps
- Navigate to the Office 365 API connector resource and click on the "Authorize" icon to associate it with an account that has an Office 365 mailbox (this will be the sender of our notifications). The account you use to do that needs the action privilege Microsoft.Web/connections/listConsentLinks/action on the API connection resource. There is no Azure built-in role for that: you can create a custom role, or assign the Contributor privilege directly on the API connection resource.
- Navigate to the Azure Monitor Logs API connector resource and click on the “Authorize” icon.
- Grant the Network Contributor role to the Logic App's Managed Identity at your subscription level, or at any scope that contains the NSGs on which Traffic Analytics is enabled. This will permit the Logic App to read the NSG and create NSG rules.
The Logic App will create a Network Security Rule with the name «BlockMaliciousFlow-<priority>» and will use the first rule priority available.
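The blocking step described above, as an added example written with Az PowerShell cmdlets (it is not the article's Logic App or template code). The NSG name, resource group, source IP and destination port are assumed or constructed values; in the real workflow they would come from the alert's MaliciousFlow row.

```powershell
# Requires Connect-AzAccount with Network Contributor on the NSG scope (same privilege
# the Logic App's Managed Identity needs). All parameter defaults are assumed/constructed.
param(
    [string]$RgName   = "infr-hub-prd-rg1",  # assumed resource group of the NSG
    [string]$NsgName  = "web-nsg1",          # assumed NSG name
    [string]$SourceIp = "203.0.113.10",      # constructed source IP from a MaliciousFlow alert row
    [string]$DestPort = "3389"               # constructed destination port from the same row
)

$nsg = Get-AzNetworkSecurityGroup -Name $NsgName -ResourceGroupName $RgName -ErrorAction Stop

# Idempotence: the alert can fire repeatedly for the same flow, so do not stack duplicate rules.
$already = $nsg.SecurityRules | Where-Object {
    $_.Name -like 'BlockMaliciousFlow-*' -and $_.Access -eq 'Deny' -and
    $_.Direction -eq 'Inbound' -and $_.SourceAddressPrefix -contains $SourceIp
}
if ($already) {
    Write-Host "Rule $($already[0].Name) already denies $SourceIp on $NsgName, nothing to do"
    return
}

# "First rule priority available": custom NSG rules use priorities 100..4096, unique per direction.
# The lowest free number wins, which also places the deny ahead of existing allow rules.
$used = @($nsg.SecurityRules | Where-Object { $_.Direction -eq 'Inbound' } | ForEach-Object { $_.Priority })
$priority = 100..4096 | Where-Object { $used -notcontains $_ } | Select-Object -First 1
if (-not $priority) { throw "No free inbound priority left on NSG $NsgName" }

$ruleName = "BlockMaliciousFlow-$priority"
$nsg | Add-AzNetworkSecurityRuleConfig -Name $ruleName `
    -Description "Blocked by Traffic Analytics MaliciousFlow alert on $(Get-Date -Format o)" `
    -Access Deny -Protocol '*' -Direction Inbound -Priority $priority `
    -SourceAddressPrefix $SourceIp -SourcePortRange '*' `
    -DestinationAddressPrefix '*' -DestinationPortRange $DestPort | Out-Null

# Push the updated rule set back to Azure; the rule only exists once this call succeeds.
$nsg | Set-AzNetworkSecurityGroup -ErrorAction Stop | Out-Null
Write-Host "Created $ruleName on $NsgName denying $SourceIp -> port $DestPort"
```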
You will receive a notification email containing all the information about the blocked malicious flow as illustrated in the following screenshot.
The following screenshot is the detailed view of our Logic App workflow.
This demo uses native, fully integrated Microsoft Azure resources.
The combination of a Log Analytics alert and a Logic App could be extended to many other use cases.
I hope you enjoyed the article.
See you in the Cloud