Published in Microsoft Azure

Automation to block malicious flows detected by Azure Traffic Analytics

Update July 2021: use the Azure Monitor Logs API connector instead of the Azure Log Analytics Data API collector to query Log Analytics.

Introduction

With Azure Traffic Analytics enabled on Network Security Groups (NSG), we can visualize valuable insights such as allowed and denied flows per flow type.

In this article we focus on flows of the MaliciousFlow type that are allowed on our NSGs, and we automatically block them with a Network Security Group rule.

The high-level view of our automation workflow consists of the following steps:

The following diagram illustrates this high level view.

High Level View

Log Analytics queries

Enabling Traffic Analytics on our Network Security Groups lets us visualize valuable insights such as the following samples.

For more information about Traffic Analytics, see this article, which shows how to create a dedicated Azure Monitor Workbook.

Count your flows by type

AzureNetworkAnalytics_CL
| summarize Count=count() by ["Flow Type"]=FlowType_s
| render barchart
Bar chart of flow count by Flow Type

Filter your allowed malicious flows

AzureNetworkAnalytics_CL
| where FlowType_s == "MaliciousFlow" and FlowStatus_s == "A"
| summarize count() by bin(FlowStartTime_t, 2h), Country_s
| render barchart
Bar chart of allowed malicious flows per 2-hour bin and country
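To test the detection logic of the two queries above without a workspace at hand, here is an added Python example (not code from the article or its repository) that applies the same filter and 2-hour binning to a handful of constructed AzureNetworkAnalytics_CL-shaped rows. The rows and their values are made up; only the column names used by the queries (FlowType_s, FlowStatus_s with "A" for allowed, FlowStartTime_t, Country_s) are taken from the page.

```python
from collections import Counter
from datetime import datetime, timedelta, timezone

# Constructed sample rows shaped like AzureNetworkAnalytics_CL records.
# Only the columns the two queries use are present; values are made up.
SAMPLE_FLOWS = [
    {"FlowType_s": "MaliciousFlow",  "FlowStatus_s": "A", "FlowStartTime_t": "2021-07-01T01:15:00Z", "Country_s": "FR"},
    {"FlowType_s": "MaliciousFlow",  "FlowStatus_s": "A", "FlowStartTime_t": "2021-07-01T01:50:00Z", "Country_s": "FR"},
    {"FlowType_s": "MaliciousFlow",  "FlowStatus_s": "D", "FlowStartTime_t": "2021-07-01T02:05:00Z", "Country_s": "FR"},
    {"FlowType_s": "MaliciousFlow",  "FlowStatus_s": "A", "FlowStartTime_t": "2021-07-01T03:30:00Z", "Country_s": "US"},
    {"FlowType_s": "ExternalPublic", "FlowStatus_s": "A", "FlowStartTime_t": "2021-07-01T03:45:00Z", "Country_s": "US"},
    {"FlowType_s": "IntraVNet",      "FlowStatus_s": "A", "FlowStartTime_t": "2021-07-01T04:00:00Z", "Country_s": ""},
]


def count_by_flow_type(rows):
    """Equivalent of: summarize Count=count() by FlowType_s"""
    return dict(Counter(r["FlowType_s"] for r in rows))


def bin_start(ts, size):
    """Equivalent of KQL bin(): floor a UTC timestamp to a multiple of `size`."""
    dt = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    epoch = datetime(1970, 1, 1, tzinfo=timezone.utc)
    whole_bins = (dt - epoch) // size          # integer number of bins since the epoch
    return epoch + whole_bins * size


def allowed_malicious_by_window(rows, window=timedelta(hours=2)):
    """Equivalent of:
    where FlowType_s == "MaliciousFlow" and FlowStatus_s == "A"
    | summarize count() by bin(FlowStartTime_t, 2h), Country_s
    """
    counts = Counter()
    for r in rows:
        # FlowStatus_s "A" = allowed; denied malicious flows need no new rule
        if r["FlowType_s"] == "MaliciousFlow" and r["FlowStatus_s"] == "A":
            key = (bin_start(r["FlowStartTime_t"], window).isoformat(), r["Country_s"])
            counts[key] += 1
    return dict(counts)


if __name__ == "__main__":
    print(count_by_flow_type(SAMPLE_FLOWS))
    for (window_start, country), n in sorted(allowed_malicious_by_window(SAMPLE_FLOWS).items()):
        print(window_start, country or "(unknown)", n)
```

The denied MaliciousFlow row at 02:05 is dropped by the FlowStatus_s filter, which is the point of the second query: only malicious flows that the NSG currently lets through are worth a new deny rule.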

Automation

Before trying to deploy, make sure you have a Log Analytics Workspace that receives Azure Traffic Analytics logs. To check this, make sure the queries above return data: if they don't, the ARM template below will fail, because the Log Analytics alert query is validated during the ARM deployment.

You can then navigate to this git repository to deploy the ARM template through the Azure portal by clicking on the "Deploy to Azure" icon.

This will create the Azure resources of our automation workflow:

Result of the ARM Template deployment

You can also execute the following PowerShell commands to do the same.

# Variables
$AzureRmSubscriptionName = "mvp-sub1"
$RgName = "infr-hub-prd-rg1"
# Semicolon-separated list of notification recipients
$sendEmailTo = "your-email1@company.fr;your-email2@company.fr"
# Full resource ID of the Log Analytics Workspace that receives the Traffic Analytics logs
$logAnalytics = "/subscriptions/<your sub id>/resourcegroups/<the RG name of the Log Analytics Workspace>/providers/microsoft.operationalinsights/workspaces/<The Log Analytics Workspace name containing Traffic Analytics Logs>"
$templateUri = "https://raw.githubusercontent.com/JamesDLD/AzureRm-Template/master/Block-AzMaliciousFlow/template.json"
## Connectivity
# Login first with Connect-AzAccount if not using Cloud Shell
$AzureRmContext = Get-AzSubscription -SubscriptionName $AzureRmSubscriptionName | Set-AzContext -ErrorAction Stop
Select-AzSubscription -Name $AzureRmSubscriptionName -Context $AzureRmContext -Force -ErrorAction Stop
## Action
Write-Host "Deploying to the resource group : $RgName an Azure Logic App that will deny malicious flows" -ForegroundColor Cyan
# -Confirm prompts before creating the resources; remove it for unattended runs
New-AzResourceGroupDeployment -Name "Block-MaliciousFlow" -ResourceGroupName $RgName `
-TemplateUri $templateUri `
-sendEmailTo $sendEmailTo `
-logAnalytics $logAnalytics `
-Confirm -ErrorAction Stop

Additional manual steps

  • Navigate to the Office 365 API connector resource and click on the "Authorize" icon to associate it with an account that has an Office 365 mailbox (this will be the sender of our notifications). The account you use to do this needs the action privilege Microsoft.Web/connections/listConsentLinks/action on the API connection resource. There is no Azure built-in role for that: you can create a custom role, or assign the Contributor role directly on the API connection resource.
Office 365 API connector
  • Navigate to the Azure Monitor Logs API connector resource and click on the "Authorize" icon.
Azure Monitor Logs API connector
  • Grant the Network Contributor role to the Logic App's Managed Identity at your subscription level, or at any scope level where your NSGs have Traffic Analytics enabled. This will permit the Logic App to read the NSGs and create NSG rules.

Result

The Logic App will create a Network Security Rule named "BlockMaliciousFlow-<priority>" and will use the first available rule priority.
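The rule-creation step described above, simulated offline as an added Python example (this is not the project's Logic App or ARM template, which live in the linked repository). It takes the rows returned by the "allowed malicious flows" alert query plus the NSG's current rules, computes the first free priority, and builds a "BlockMaliciousFlow-<priority>" deny rule per distinct source address, skipping sources that are already denied and rows whose address is not a valid IP. Assumptions: the alert rows carry the source address in a column named SrcIP_s, the rule is an Inbound deny on all ports and protocols, and the NSG rule shape mirrors the properties of an Azure NSG security rule; 100 to 4096 is the Azure custom-rule priority range. All sample rules and rows are constructed.

```python
import ipaddress

# Azure NSG custom security rules accept priorities 100..4096 (lower number = evaluated first)
MIN_PRIORITY, MAX_PRIORITY = 100, 4096

# Constructed sample: the rules already present on the target NSG.
EXISTING_RULES = [
    {"name": "AllowHttps", "priority": 100, "direction": "Inbound", "access": "Allow"},
    {"name": "BlockMaliciousFlow-101", "priority": 101, "direction": "Inbound", "access": "Deny",
     "sourceAddressPrefix": "203.0.113.10"},
    {"name": "AllowMgmt", "priority": 102, "direction": "Inbound", "access": "Allow"},
]

# Constructed sample: rows as the Log Analytics alert would hand them to the Logic App.
# SrcIP_s is an assumed column name (the article's queries do not show it).
ALERT_ROWS = [
    {"FlowType_s": "MaliciousFlow",  "FlowStatus_s": "A", "SrcIP_s": "203.0.113.10"},  # already denied
    {"FlowType_s": "MaliciousFlow",  "FlowStatus_s": "A", "SrcIP_s": "198.51.100.7"},
    {"FlowType_s": "MaliciousFlow",  "FlowStatus_s": "A", "SrcIP_s": "198.51.100.7"},  # duplicate
    {"FlowType_s": "ExternalPublic", "FlowStatus_s": "A", "SrcIP_s": "192.0.2.5"},     # not malicious
    {"FlowType_s": "MaliciousFlow",  "FlowStatus_s": "D", "SrcIP_s": "192.0.2.6"},     # already dropped
    {"FlowType_s": "MaliciousFlow",  "FlowStatus_s": "A", "SrcIP_s": "not-an-ip"},     # bad input
    {"FlowType_s": "MaliciousFlow",  "FlowStatus_s": "A", "SrcIP_s": "192.0.2.77"},
]


def first_free_priority(rules):
    """Lowest priority in the allowed range not used by any existing rule."""
    used = {r["priority"] for r in rules}
    for p in range(MIN_PRIORITY, MAX_PRIORITY + 1):
        if p not in used:
            return p
    raise RuntimeError("NSG has no free rule priority left")


def already_denied(rules, src_ip):
    """True if a deny rule for exactly this source prefix already exists."""
    return any(r["access"] == "Deny" and r.get("sourceAddressPrefix") == src_ip for r in rules)


def block_rule(priority, src_ip):
    """Deny rule in the shape of an Azure NSG security rule (assumed Inbound, all ports/protocols)."""
    return {
        "name": f"BlockMaliciousFlow-{priority}",
        "priority": priority,
        "direction": "Inbound",
        "access": "Deny",
        "protocol": "*",
        "sourceAddressPrefix": src_ip,
        "sourcePortRange": "*",
        "destinationAddressPrefix": "*",
        "destinationPortRange": "*",
    }


def process_alert(rules, alert_rows):
    """Build the deny rules the Logic App would add for one alert. Does not mutate `rules`."""
    rules = list(rules)
    outcome = {"created": [], "skipped": [], "invalid": []}
    for row in alert_rows:
        # Only allowed malicious flows need a new rule (same filter as the alert query)
        if row["FlowType_s"] != "MaliciousFlow" or row["FlowStatus_s"] != "A":
            continue
        src_ip = row["SrcIP_s"]
        try:
            ipaddress.ip_address(src_ip)   # never push an unparsable value into an NSG rule
        except ValueError:
            outcome["invalid"].append(src_ip)
            continue
        if already_denied(rules, src_ip):
            outcome["skipped"].append(src_ip)
            continue
        rule = block_rule(first_free_priority(rules), src_ip)
        rules.append(rule)                 # so the next row gets the next free priority
        outcome["created"].append(rule)
    return outcome


if __name__ == "__main__":
    result = process_alert(EXISTING_RULES, ALERT_ROWS)
    for rule in result["created"]:
        print(f'{rule["name"]}: deny {rule["sourceAddressPrefix"]}')
    print("skipped (already denied):", result["skipped"])
    print("invalid source addresses:", result["invalid"])
```

Two behaviours are worth carrying into a real implementation: the dedupe check keeps one alert with repeated rows from consuming one priority slot per row, and the address validation stops malformed log data from producing a rule the NSG API would reject or, worse, a broader prefix than intended.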

You will receive a notification email containing all the information about the blocked malicious flow, as illustrated in the following screenshot.

The following screenshot is the detailed view of our Logic App workflow.

Logic App Designer

Conclusion

This demo sample uses native resources that are fully integrated with the Microsoft Azure cloud.

The combination of a Log Analytics alert and a Logic App in an automation workflow could be extended to many other use cases.

I hope you enjoyed the article.

See you in the Cloud

Jamesdld
