Automation to Block Outgoing Traffic to Malicious Websites detected by Microsoft Defender for DNS
Published Feb 28 2022 02:43 PM 8,123 Views

One common pattern once an attacker has gained access to a virtual machine is that they attempt to reach suspicious IP addresses. Attackers do this for many reasons: to exfiltrate data from your Azure resources using DNS tunnelling, to download malware or communicate with command and control servers, to carry out DNS attacks (communication with malicious DNS resolvers), and to communicate with domains used for malicious activity such as phishing and crypto mining. All of these activities can be detected by Microsoft Defender for DNS, which is part of Microsoft Defender for Cloud.

When the Microsoft Defender for DNS plan detects outgoing traffic to a suspicious IP address, it triggers an alert. Suggested ways to investigate the alert are listed in the Take Action tab of the alert.

In this case, we recommend setting up the following workflow automation, which automatically blocks the attack by creating a rule in the virtual machine's network security group (NSG) that denies outgoing traffic to the malicious IP address.

What are the prerequisites for this automation?

The Microsoft Defender for DNS plan should be enabled, as described here.

You should have deployed a VM the standard way with any operating system.

 

Note: This automation is not guaranteed to work correctly if the VM uses a domain controller or if DNS queries are sent through a DNS server in the VNET.

This automation can be used for the Defender for DNS alerts that contain the malicious IP address the attacker is attempting to reach. You can validate this by generating these alerts yourself on the VM by following the instructions here.

This automation can be used on the following alerts:

  • Attempted communication with suspicious sinkholed domain
  • Network intrusion detection signature activation
  • Communication with suspicious random domain name
  • Communication with possible phishing domain
  • Anonymity network activity
  • Anonymity network activity using web proxy

How does the automation work?

When Microsoft Defender for Cloud detects that someone is attempting to reach a malicious IP address from your virtual machine, it triggers an alert to make you aware of the potential attack. The automation uses this alert as its trigger and blocks outgoing traffic to that IP by creating a security rule in the NSG attached to the VM that denies outbound traffic to the IP address carried in the alert. In alerts of this type, the outbound IP address appears in the 'address' field of the alert.

The Logic App uses a system-assigned Managed Identity. You need to assign either the Contributor role, or the Security Reader and Network Contributor roles, to the Logic App's Managed Identity so that it can create an NSG rule once an attack is detected. Assign these roles on every subscription or management group whose resources you want this playbook to monitor and manage. Note: You can assign permissions only if your account holds the Owner or User Access Administrator role, and make sure all selected subscriptions are registered to Microsoft Defender for Cloud.

Refer to the Readme file in our GitHub repository for the detailed procedure.

Deployment process and details

Navigate to the Microsoft Defender for Cloud GitHub repository and select "Deploy to Azure" as shown in Image 1:

Image 1: GitHub repository

Once you have clicked the 'Deploy' option in the screen above, you are redirected to the Azure portal Custom deployment page, where you fill in the required details as shown in Image 2:

Image 2: Azure portal, Custom Deployment

The ARM template creates the Logic App playbook, an API connection to Office 365, and an ascalert API connection (the Microsoft Defender for Cloud alert connector).

You need to authorize the Office 365 API connection so it can access the sender mailbox and send the email notification from there.

Once you review and create the deployment from Image 2, you will see the resources created from the ARM template (refer to Image 3).

Image 3: Summary of the resources created from the ARM template

Define when the Logic App should automatically run:

The workflow automation feature of Microsoft Defender for Cloud can trigger Logic Apps on security alerts and recommendations. For example, you might want Microsoft Defender for Cloud to email a specific user when an alert occurs. When you add the workflow automation and its trigger conditions, matching alerts initiate the automatic workflow. In this example, you want the Logic App to run when a security alert that contains "domain" is generated.

Note: Read more about workflow automation here

When Microsoft Defender for Cloud detects an attempt to reach a suspicious domain, as shown in Image 4, the automation runs and blocks traffic to the IP by creating a security rule in the NSG attached to the VM that denies outbound traffic to the IP address found in the alert's JSON.

Image 4: IP blocked by Microsoft Defender for Cloud
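As an added illustration (this is not the post's Logic App, which is built in the designer), the following Python shows the two decisions the playbook makes: the trigger condition on the alert name and the construction of the outbound deny rule from the alert's 'address' field, with a safety check for the in-VNET DNS case noted in the prerequisites. The alert keys other than 'address', the sample alert and the existing NSG rules are constructed for the example, and 168.63.129.16 is Azure's platform DNS address.

```python
import ipaddress

# Constructed sample alert: only the 'address' field is from the post, the rest is assumed.
SAMPLE_ALERT = {
    "alertDisplayName": "Communication with suspicious random domain name",
    "extendedProperties": {"address": "203.0.113.45", "domain name": "x7q2k9.example"},
}

# Constructed outbound rules already in the VM's NSG, used to pick a free priority.
EXISTING_RULES = [
    {"name": "AllowVnetOut", "priority": 100, "direction": "Outbound"},
    {"name": "DenyKnownBad-1", "priority": 101, "direction": "Outbound"},
]

# Never auto-block RFC 1918 space or 168.63.129.16 (the Azure platform address that
# answers VNET DNS): that would reproduce the DNS breakage the post warns about.
NEVER_BLOCK = [ipaddress.ip_network(n) for n in
               ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "168.63.129.16/32")]

def should_trigger(alert: dict) -> bool:
    """Mirror the workflow-automation condition: the alert name contains 'domain'."""
    return "domain" in alert.get("alertDisplayName", "").lower()

def extract_block_target(alert: dict) -> str:
    """Read the destination IP from the 'address' field and refuse unsafe targets."""
    ip = ipaddress.ip_address(alert.get("extendedProperties", {}).get("address", ""))
    if (ip.is_loopback or ip.is_link_local or ip.is_multicast or ip.is_unspecified
            or any(ip in net for net in NEVER_BLOCK)):
        raise ValueError(f"refusing to block internal/platform address {ip}")
    return str(ip)

def next_free_priority(rules: list) -> int:
    """Custom NSG rule priorities are 100-4096 and must be unique per direction."""
    used = {r["priority"] for r in rules if r["direction"] == "Outbound"}
    return next(p for p in range(100, 4097) if p not in used)

def build_deny_rule(alert: dict, rules: list) -> dict:
    """Build a Microsoft.Network securityRules body denying all outbound traffic to the IP."""
    target = extract_block_target(alert)
    return {
        "name": f"DenyOutbound-{target.replace('.', '-').replace(':', '-')}",
        "properties": {
            "description": f"Auto-blocked from alert: {alert['alertDisplayName']}",
            "protocol": "*", "access": "Deny", "direction": "Outbound",
            "sourceAddressPrefix": "*", "sourcePortRange": "*",
            "destinationAddressPrefix": target, "destinationPortRange": "*",
            "priority": next_free_priority(rules),
        },
    }
```

The returned dictionary is the body you would hand to the NSG securityRules create call from the Logic App's HTTP action; the Managed Identity described earlier is what authorizes that call.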

 

You would receive an email notification with the alert details as shown in Image 5:

Image 5: Email received to show automation has been triggered

This Logic App, as well as many others, can be found here:

Direct Link to GitHub sample

Microsoft Defender for Cloud GitHub Repo

Most organizations lack the time and expertise required to respond to these alerts, so many go unaddressed. Having this type of automation can address the threat immediately. I hope you enjoyed reading this article and implementing it!

Special thanks to:

Tom Janetscheck, Senior Program Manager, Microsoft Defender for Cloud, Microsoft

Safeena Begum Lepakshi, Senior Program Manager, Microsoft Defender for Cloud, Microsoft

Ido Keshet, Senior Program Manager, Microsoft Defender for Cloud, Microsoft

Thomas Vuylsteke, Senior Customer Engineer, Microsoft

@Yuri Diogenes, Principal PM Manager, Microsoft Defender for Cloud
