Security Center Playbooks and Azure Functions Integration with Firewalls

Community Manager

Every second counts when an attack has been detected. We have heard from you that you need to be able to quickly take action against detected threats. At Ignite 2017, we announced Azure Security Center Playbooks, which allow you to control how you want to respond to threats detected by Security Center. You can manually run a Security Center Playbook when a Security Center alert is triggered, reducing time to response, and helping you stay in control of your security posture. Today, we are going to look at the specific example of how Azure Functions work with Security Center Playbooks to help you rapidly respond to detected threats against your Palo Alto VM-Series firewall.

In this scenario, Azure Security Center has detected and notified you of an RDP Brute Force attack. To help you block the source IP address of that attack in your Palo Alto VM-Series firewall, there are a couple of steps you need to complete. You will first need to create an Azure Function, which can be completed in the Function Apps in the Azure portal, for HTTP Trigger using the C# programming language. The Azure Function is what allows Security Center Playbooks to communicate with the Palo Alto VM-Series firewall and ultimately block malicious activity from traversing the firewall.


Read about it in the Azure blog.
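An added example, not part of the original post or the linked blog: one check an HTTP-triggered C# function like the one described above could run on the source IP taken from an alert before it asks the firewall to block anything, so that a malformed or spoofed value cannot cut off internal or administrative networks. The class and method names and the protected ranges are assumptions, and the firewall call itself is not shown.

```csharp
using System;
using System.Linq;
using System.Net;
using System.Net.Sockets;

// Hypothetical helper (not from the post): gate for the address to be blocked.
public static class BlockTargetValidator
{
    // Constructed sample ranges that must never be blocked (assumption):
    // RFC 1918, loopback, link-local, and a documentation range standing in
    // for the administrators' egress network.
    private static readonly string[] NeverBlock =
    {
        "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
        "127.0.0.0/8", "169.254.0.0/16", "203.0.113.0/24"
    };

    public static bool TryValidate(string candidate, out IPAddress ip, out string reason)
    {
        ip = null;
        string text = (candidate ?? "").Trim();
        // TryParse also accepts non-canonical forms (for example a bare integer),
        // so require IPv4 and round-trip equality with the input.
        if (!IPAddress.TryParse(text, out var parsed) ||
            parsed.AddressFamily != AddressFamily.InterNetwork ||
            parsed.ToString() != text)
        {
            reason = "not a canonical IPv4 address";
            return false;
        }
        string hit = NeverBlock.FirstOrDefault(cidr => InCidr(parsed, cidr));
        if (hit != null)
        {
            reason = "address is inside protected range " + hit;
            return false;
        }
        ip = parsed;
        reason = null;
        return true;
    }

    // True when addr falls inside the IPv4 CIDR block, e.g. "10.0.0.0/8".
    private static bool InCidr(IPAddress addr, string cidr)
    {
        string[] parts = cidr.Split('/');
        int prefix = int.Parse(parts[1]);
        uint mask = prefix == 0 ? 0u : uint.MaxValue << (32 - prefix);
        return (ToUInt32(addr) & mask) == (ToUInt32(IPAddress.Parse(parts[0])) & mask);
    }

    private static uint ToUInt32(IPAddress a)
    {
        byte[] b = a.GetAddressBytes(); // network byte order
        return ((uint)b[0] << 24) | ((uint)b[1] << 16) | ((uint)b[2] << 8) | b[3];
    }
}
```

The function would return an HTTP 400 with `reason` when `TryValidate` fails and only proceed to the firewall request when it succeeds.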

1 Reply

Thanks for sharing it. If you need the steps to create this Playbook, check it here.