One common type of security attack, once an attacker has gained access to a virtual machine, is that they will attempt to reach suspicious IP addresses. Attackers may do this for any number of reasons: to exfiltrate data from your Azure resources using DNS tunnelling, to download malware that communicates with command and control servers, to perform DNS attacks (communication with malicious DNS resolvers), and to communicate with domains used for malicious activities such as phishing and crypto mining. All of these activities can be detected by Microsoft Defender for DNS, which is part of Microsoft Defender for Cloud.
When the Microsoft Defender for DNS plan detects outgoing traffic to suspicious IP addresses, it triggers an alert. Some ways to investigate the alert can be found in the Take Action tab of the alert:
In this case, we recommend that you set up the following workflow automation, which automatically blocks this attack by creating a network security rule in the virtual machine's network security group (NSG) that denies outgoing traffic to the malicious IP address.
What are the prerequisites for this automation?
The Microsoft Defender for DNS plan should be enabled, as per here.
You should have deployed a VM the standard way with any operating system.
Note: This automation is not guaranteed to succeed if the VM uses a domain controller or if DNS traffic is sent through a DNS server in the VNET.
This automation can be used for the Defender for DNS alerts that contain the malicious IP address the attacker is attempting to reach. You can validate this by generating these alerts yourself on the VM by following the instructions here.
This automation can be used on the following alerts:
- Attempted communication with suspicious sinkholed domain
- Network intrusion detection signature activation
- Communication with suspicious random domain name
- Communication with possible phishing domain
- Anonymity network activity
- Anonymity network activity using web proxy
How does the automation work?
When Microsoft Defender for Cloud detects that someone is attempting to reach a malicious IP address from your virtual machine, it triggers an alert to make you aware of this potential attack. The automation uses this alert as a trigger and blocks outgoing traffic to the IP by creating a security rule in the NSG attached to the VM that denies outbound traffic to the IP address attached to the alert. In alerts of this type, the outbound IP address appears in the 'address' field of the alert.
The Logic App uses a system-assigned Managed Identity. You need to assign the Contributor role, or the Security Reader and Network Contributor roles, to the Logic App's Managed Identity so it is able to create an NSG rule once an attack is detected. You need to assign these roles on all subscriptions or management groups whose resources you want to monitor and manage with this playbook. Note: You can assign permissions only if your account has been assigned the Owner or User Access Administrator role, and make sure all selected subscriptions are registered to Microsoft Defender for Cloud.
Refer to the Readme file in our GitHub repository for the detailed procedure.
Deployment process and details
Navigate to the Microsoft Defender for Cloud GitHub repository and select “Deploy to Azure” as shown in Image 1:
Image 1: GitHub repository
Once you have clicked the ‘Deploy’ option in the screen above, you are automatically redirected to the Azure portal Custom deployment page, where you can fill in the required details as shown in Image 2:
Image 2: Azure portal, Custom Deployment
The ARM template creates the Logic App playbook and API connections to Office 365 and ascalert.
You need to authorize the Office 365 API connection so it can access the sender mailbox and send the email notification from there.
Once you review and create from Image 2, you will see the resources created from the ARM template (refer to Image 3):
Image 3: Summary of the resources created from the ARM template
Define when the Logic App should automatically run:
The workflow automation feature of Microsoft Defender for Cloud can trigger Logic Apps on security alerts and recommendations. For example, you might want Microsoft Defender for Cloud to email a specific user when an alert occurs. When you add the workflow automation and its trigger conditions, the triggers initiate this automatic workflow. In this example, you want the Logic App to run when a security alert whose name contains "domain" is generated.
Note: Read more about workflow automation here.
When Microsoft Defender for Cloud detects an attempt to reach a suspicious domain, as shown in Image 4, the automation runs and blocks traffic to the IP by creating a security rule in the NSG attached to the VM that denies outbound traffic to the IP address found in the alert's JSON, as shown in Image 4.
Image 4: IP blocked by Microsoft Defender for Cloud
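The decision logic that sits between the alert trigger and the NSG rule creation, written out as an added example (this is not the playbook from the Defender for Cloud GitHub repository, just a model of what it has to do): filter on the alert name, pull the IP from the alert's 'address' field, refuse addresses that belong to the VNET or other non-routable ranges (the domain controller and in-VNET DNS server case the prerequisites warn about), pick a free outbound priority, and produce the securityRule body that would be sent to the Network API. The `ExtendedProperties` and `AlertDisplayName` field names, the sample alert, the sample NSG rules and the 203.0.113.10 address are all constructed assumptions for this example; only the 'address' field and the alert display names come from the article.

```python
"""Model of the alert -> NSG deny-rule decision made by the playbook (added example)."""
import ipaddress
import json

# Alert display names the article lists as supported by this automation.
SUPPORTED_ALERTS = {
    "Attempted communication with suspicious sinkholed domain",
    "Network intrusion detection signature activation",
    "Communication with suspicious random domain name",
    "Communication with possible phishing domain",
    "Anonymity network activity",
    "Anonymity network activity using web proxy",
}

# Ranges a deny rule must never target: RFC 1918 / VNET space (where an in-VNET
# DNS server or domain controller would live), loopback, link-local, multicast.
# Blocking these would break the VM's own name resolution rather than the attacker.
NEVER_BLOCK = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8",
    "169.254.0.0/16", "224.0.0.0/4", "::1/128", "fe80::/10", "fc00::/7",
)]

# Constructed sample alert. 'address' is the field the article names; the
# 'ExtendedProperties' wrapper and 'AlertDisplayName' are assumed field names.
# 203.0.113.10 is a documentation-range placeholder, not a real indicator.
SAMPLE_ALERT = {
    "AlertDisplayName": "Communication with suspicious random domain name",
    "ExtendedProperties": {"address": "203.0.113.10", "domain name": "example.invalid"},
}

# Constructed snapshot of rules already on the NSG (name + properties, as the
# Network REST API returns them); one earlier auto-block already uses priority 100.
EXISTING_RULES = [
    {"name": "DenyOutbound-198-51-100-7",
     "properties": {"direction": "Outbound", "priority": 100, "access": "Deny",
                    "destinationAddressPrefix": "198.51.100.7/32"}},
    {"name": "AllowSsh",
     "properties": {"direction": "Inbound", "priority": 100, "access": "Allow",
                    "destinationAddressPrefix": "*"}},
]


def alert_matches_trigger(alert, keyword="domain"):
    """Workflow automation condition from the article: alert name contains 'domain'."""
    return keyword in alert.get("AlertDisplayName", "").lower()


def extract_blocked_ip(alert):
    """Return the alert's address as a validated ip_address object, or None."""
    raw = alert.get("ExtendedProperties", {}).get("address")
    try:
        ip = ipaddress.ip_address(str(raw).strip())
    except ValueError:
        return None  # missing or not an IP literal: never pass it into an NSG rule
    if any(ip in net for net in NEVER_BLOCK):
        return None  # would block the VNET's own infrastructure
    return ip


def next_free_priority(rules, direction="Outbound", start=100, end=4096):
    """Lowest unused custom priority (100..4096) in the given direction."""
    used = {r["properties"]["priority"] for r in rules
            if r["properties"]["direction"] == direction}
    for p in range(start, end + 1):
        if p not in used:
            return p
    raise RuntimeError("no free NSG priority left")


def build_block_rule(alert, existing_rules):
    """securityRule body to PUT on the NSG, or None if no rule should be created."""
    if alert.get("AlertDisplayName") not in SUPPORTED_ALERTS:
        return None
    ip = extract_blocked_ip(alert)
    if ip is None:
        return None
    prefix = f"{ip}/{32 if ip.version == 4 else 128}"
    # Idempotency: a repeated alert for the same IP must not add a duplicate rule.
    for r in existing_rules:
        p = r["properties"]
        if (p["direction"] == "Outbound" and p["access"] == "Deny"
                and p.get("destinationAddressPrefix") == prefix):
            return None
    return {
        "name": "DenyOutbound-" + str(ip).replace(".", "-").replace(":", "-"),
        "properties": {
            "description": f"Auto-blocked by Defender for DNS playbook: {alert['AlertDisplayName']}",
            "protocol": "*", "sourcePortRange": "*", "destinationPortRange": "*",
            "sourceAddressPrefix": "*", "destinationAddressPrefix": prefix,
            "access": "Deny", "direction": "Outbound",
            "priority": next_free_priority(existing_rules),
        },
    }


if __name__ == "__main__":
    if alert_matches_trigger(SAMPLE_ALERT):
        print(json.dumps(build_block_rule(SAMPLE_ALERT, EXISTING_RULES), indent=2))
```

Two design points worth carrying into the real playbook: the address is validated as an IP literal and checked against ranges you never want denied before it reaches the NSG, and an existing deny for the same prefix short-circuits the run, so repeated alerts for the same destination do not pile up duplicate rules and exhaust priorities.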
You would receive an email notification on the alert details as shown in Image 5:
Image 5: Email received to show automation has been triggered
This Logic App, as well as many others, can be found here:
Microsoft Defender for Cloud GitHub Repo
Most organizations lack the time and expertise required to respond to these alerts, so many go unaddressed. Having this type of automation addresses the threat immediately. I hope you enjoyed reading this article and implementing it!
Special thanks to:
Tom Janetscheck, Senior Program Manager, Microsoft Defender for Cloud, Microsoft
Safeena Begum Lepakshi, Senior Program Manager, Microsoft Defender for Cloud, Microsoft
Ido Keshet, Senior Program Manager, Microsoft Defender for Cloud, Microsoft
Thomas Vuylsteke, Senior Customer Engineer, Microsoft
Yuri Diogenes, Principal PM Manager, Microsoft Defender for Cloud