Introduction
In today's digital landscape, the rise of complex cyber threats poses a significant challenge for businesses relying on cloud-based services. Specifically, Distributed Denial of Service (DDoS) attacks are now often being used as a diversion in multi-layer attacks. To safeguard their applications and ensure uninterrupted service availability, organizations must deploy robust security solutions. Microsoft Azure offers powerful security solutions - Azure DDoS Protection, Azure Web Application Firewall (WAF) and Microsoft Sentinel - to help you proactively defend your assets against such attacks.
In this blog, we will explore how to integrate the Azure DDoS Sentinel Solution with the Azure WAF Playbook to build an automated detection and response pipeline. By combining these two solutions, you can keep your services available to users, protect your applications, and minimize the impact of DDoS attacks rather than having to react to each one by hand.
Prerequisites
Before proceeding with the integration of the Azure DDoS Sentinel Solution and the Azure WAF Playbook, ensure you have the following prerequisites in place:
With these prerequisites in place, we now combine the Azure DDoS Sentinel Solution and the WAF Playbook into an automated system that detects DDoS attacks and blocks the attacking source IP addresses in a custom WAF rule. Note the division of labour: Azure DDoS Protection mitigates the volumetric flood itself at the network edge, while the WAF custom rule stops the same sources from reaching the application at layer 7, which is what matters when the flood is a cover for web-layer attacks.
Integrating Azure DDoS Sentinel Solution with the WAF Playbook
DDoS attacks often serve as a cover for concealing more sophisticated attack vectors such as exfiltration of confidential data. Manually correlating the IPs from DDoS attacks with these advanced threats can be demanding and time intensive. However, by harnessing the combined power of the Azure DDoS Sentinel Solution and the Azure WAF Playbook, you obtain a simplified process of detecting, responding to, and preventing such attacks.
The integration of the Azure DDoS Sentinel Solution and WAF Playbook works following these main steps:
With this integration, the Azure DDoS Sentinel Solution and the WAF Playbook work together to prevent attacks with the steps described below:
Azure DDoS Sentinel Solution Configuration and Deployment
The Azure DDoS Solution for Microsoft Sentinel integrates Azure DDoS Protection with Sentinel so that the protection logs are ingested into the workspace. Once there, you can analyze the data in workbooks, build custom alerts on it, and bring it into investigations, giving better visibility into the security of the platform. The logs only arrive if the diagnostic settings on the protected public IP addresses send the DDoS protection log categories to the Sentinel workspace, so confirm that before expecting the analytic rules to fire.
This solution can be installed from the Azure marketplace - https://azuremarketplace.microsoft.com/en-us/marketplace/apps/azuresentinel.azure-sentinel-solution-... or directly from Microsoft Sentinel by navigating to the Content Hub and searching for “Azure DDoS Protection”.
In our scenario, we deploy the solution from Sentinel. Navigate to Content management and select Content Hub. Search for Azure DDoS Protection and select Install to begin the deployment.
Once the Solution is installed, the two main analytic rules appear in your Microsoft Sentinel Workspace under Analytics:
The two analytic rules are:
To complete the solution setup, it is essential to configure the analytic rules. This configuration process also encompasses establishing the query scheduling, which can be adjusted according to your preferences. For detailed instructions on configuring the analytic rules, refer to the New Azure DDoS Solution for Microsoft Sentinel blog.
Azure WAF Playbook Configuration and Deployment
The Azure WAF Sentinel Playbook adds the source IP address passed from a Sentinel incident to a custom WAF rule, blocking the IP. The Playbook supports Application Gateway WAF policies as well as WAF policies for Front Door Standard and Front Door Premium.
The older WAF Playbook has been updated so that it adds multiple IP addresses to the WAF custom rule in a single run and avoids duplicate entries by checking whether each IP address is already present in the rule before adding it.
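The add-many and de-duplicate behaviour described above, as an added example in Python (this is not the playbook's own Logic App definition): a small model of the merge step that takes a WAF policy document and a batch of IPs from an incident, skips entries already in the rule, drops values that are not routable public addresses, and respects a per-condition size cap. The rule shape follows the Application Gateway WAF policy custom-rule schema (RemoteAddr / IPMatch / Block); Front Door policies use slightly different property names. The cap value, the non-routable list and the sample policy and incident IPs are constructed assumptions for the example.

```python
"""Model of the WAF playbook's merge step: add a batch of attacker IPs to the
'SentinelBlockIP' custom rule without duplicating entries.

Added example, not the playbook's own Logic App definition.  The rule shape
follows the Application Gateway WAF policy custom-rule schema (RemoteAddr /
IPMatch / Block); Front Door policies use slightly different property names.
"""
import ipaddress
import json
from copy import deepcopy

# Assumption: Azure enforces a per-match-condition cap on IP ranges.  Check the
# current WAF limits documentation for the value that applies to your SKU.
MAX_MATCH_VALUES = 600

# Source ranges that can never be a real attacker on a public endpoint.  Blocking
# them wastes rule capacity and, for RFC 1918 space, may cut off your own probes
# or load balancers.  Constructed list; extend it for your environment.
NON_ROUTABLE = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8",
    "169.254.0.0/16", "0.0.0.0/8", "::1/128", "fc00::/7", "fe80::/10",
)]


def block_rule_template(name="SentinelBlockIP", priority=10):
    """Empty custom rule that blocks any matching client address."""
    return {
        "name": name,
        "priority": priority,
        "ruleType": "MatchRule",
        "action": "Block",
        "matchConditions": [{
            "matchVariables": [{"variableName": "RemoteAddr"}],
            "operator": "IPMatch",
            # sic: this misspelling is the property name in the Application Gateway API
            "negationConditon": False,
            "matchValues": [],
        }],
    }


def normalize_ip(value):
    """Canonical IP or CIDR string, or None if the value must not be blocked."""
    try:
        net = ipaddress.ip_network(value.strip(), strict=False)
    except ValueError:
        return None  # not an IP at all (e.g. a hostname from a malformed entity)
    if any(net.subnet_of(p) for p in NON_ROUTABLE if p.version == net.version):
        return None
    return str(net.network_address) if net.num_addresses == 1 else str(net)


def merge_block_ips(policy, new_ips, rule_name="SentinelBlockIP", max_values=MAX_MATCH_VALUES):
    """Return (updated_policy, added, skipped); the input policy is not modified."""
    policy = deepcopy(policy)
    rules = policy.setdefault("properties", {}).setdefault("customRules", [])
    rule = next((r for r in rules if r["name"] == rule_name), None)
    if rule is None:
        rule = block_rule_template(rule_name)
        rules.append(rule)
    values = rule["matchConditions"][0]["matchValues"]
    present = {normalize_ip(v) or v for v in values}  # what the rule already blocks
    added, skipped = [], []
    for raw in new_ips:
        ip = normalize_ip(raw)
        if ip is None or ip in present or len(values) >= max_values:
            skipped.append(raw)  # duplicate, unroutable, junk, or rule is full
            continue
        values.append(ip)
        present.add(ip)
        added.append(ip)
    return policy, added, skipped


# Constructed sample: a policy that already blocks one address, and a batch of
# IPs as a Sentinel incident might hand them over (duplicates, whitespace,
# a /32, a private address and a junk entity included).
SAMPLE_POLICY = {"properties": {"customRules": [block_rule_template()]}}
SAMPLE_POLICY["properties"]["customRules"][0]["matchConditions"][0]["matchValues"].append("198.51.100.7")

SAMPLE_INCIDENT_IPS = ["198.51.100.7", "203.0.113.10", " 203.0.113.10", "203.0.113.10/32",
                       "10.0.0.5", "not-an-ip", "192.0.2.0/24"]


def run_sample():
    """Merge the sample batch into the sample policy."""
    return merge_block_ips(SAMPLE_POLICY, SAMPLE_INCIDENT_IPS)


if __name__ == "__main__":
    updated, added, skipped = run_sample()
    print("added:", added)
    print("skipped:", skipped)
    print(json.dumps(updated["properties"]["customRules"][0], indent=2))
```

In the real playbook the policy document comes from a GET on the WAF policy and the updated document goes back with a PUT; the point of doing the merge on a copy is that a failed write leaves the previously fetched policy intact for a retry, and the returned `skipped` list is what you would log to the incident so an analyst can see which entities were not blocked and why.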
To deploy the Playbook, navigate to Azure-Network-Security/Azure WAF/Playbook - WAF Sentinel Playbook Block IP - New at master · Azure/A.... On the page, click on “Deploy to Azure” (v2 Deployment button) and begin the installation process.
The following fields will be displayed on the new Azure portal page:
Fill in the details and deploy the template. Once the Playbook is deployed, the next step is to authorize the API connection created as part of the deployment. Navigate to the resource group specified during the Playbook creation and select the API connection. Inside the API connection, open Edit API connection and click Authorize. Make sure you sign in with an Azure AD account that is permitted to read and update Sentinel incidents, because that is the identity the connection will act as.
Once authorized, save the changes. You will receive a notification that the API connection has been successfully edited.
To finalize the Playbook setup, grant the Playbook's system-assigned managed identity Contributor permissions on the Application Gateway/Front Door resources and their respective WAF policies. This gives the Playbook the permissions it needs to query and modify the existing WAF policy via the REST API. Scope the role assignment to those specific resources rather than to the subscription or resource group; the identity only needs to read and update the WAF policies it manages. To assign this managed identity, navigate to:
For further details on the WAF Playbook deployment and setup you can also refer to the blog - Automated Detection and Response for Azure WAF with Sentinel.
Automation
The concluding step is to bring the two solutions together through the creation of an automation rule. In the Microsoft Sentinel workspace, navigate to Automation and select Create and then Automation Rule.
In the Create new automation rule page:
The Integration is now complete and ready to defend your environment.
Simulating a DDoS Attack
To test the solution against a DDoS attack, use one of the approved testing partners listed in Azure DDoS Protection simulation testing, and only against resources you own. You can also check out the blog Strengthening Your Defenses: Simulation Testing for Azure DDoS Protection - Microsoft Community Hub for in-depth details and a step-by-step guide to Azure DDoS simulation testing. Running the simulation validates end to end that the solution works: the DDoS logs reach Sentinel, the analytic rule creates an incident, and the Playbook blocks the sources in the WAF, so you know your services and applications will behave as expected in a real attack.
With the integration having been successfully deployed, and a DDoS simulation attack conducted, we can see the attacker IPs added to a WAF custom rule called “SentinelBlockIP” as displayed below:
Conclusion
With the integration of the Azure DDoS Sentinel Solution and the Azure WAF Playbook, you establish a strong defense against advanced cyberattacks, mitigating the risk of service disruptions and maintaining a secure environment. The automated detection and response process allows security teams to focus on proactive measures, ensuring that their applications and services remain protected from the ever-evolving cyber threats.
Resources