Required: Lead with a light intro that describes, in customer-friendly language, what the customer will do. Answer the fundamental “why would I want to do this?” question. Keep it short.
28
-
29
-
Readers should have a clear idea of what they will do in this article after reading the introduction.
30
-
31
-
* Introduction immediately follows the H1 text.
32
-
* Introduction section should be between 1-3 paragraphs.
33
-
* Don't use a bulleted list of article H2 sections.
34
-
35
-
Example: In this article, you will migrate your user databases from IBM Db2 to SQL Server by using SQL Server Migration Assistant (SSMA) for Db2.
36
-
37
-
-->
11
+
# Automated detection and response for Azure WAF with Microsoft Sentinel
38
12
39
13
Malicious attackers increasingly target web applications by exploiting commonly known vulnerabilities such as SQL injection and Cross-site scripting. Preventing these attacks in application code poses a challenge, requiring rigorous maintenance, patching, and monitoring at multiple layers of the application topology. A Web Application Firewall (WAF) solution can react to a security threat faster by centrally patching a known vulnerability, instead of securing each individual web application. Azure Web Application Firewall (WAF) is a cloud-native service that protects web apps from common web-hacking techniques. You can deploy this service in a matter of minutes to gain complete visibility into the web application traffic and block malicious web attacks.
40
14
41
15
Integrating Azure WAF with Microsoft Sentinel (a cloud-native SIEM/SOAR solution) for automated detection and response to threats/incidents/alerts is an added advantage and reduces the manual intervention needed to update the WAF policy.
42
16
43
-
In this article, you learn about WAF detection templates in Sentinel, deploy a playbook, and configure the detection and response in Sentinel using these templates and the Playbook.
44
-
45
-
46
-
47
-
<!---Avoid notes, tips, and important boxes. Readers tend to skip over them. Better to put that info directly into the article text.
Required: Make Prerequisites the first H2 after the H1.
54
-
55
-
* Provide a bulleted list of items that the user needs.
56
-
* Omit any preliminary text to the list.
57
-
* If there aren't any prerequisites, list "None" in plain text, not as a bulleted item.
58
-
59
-
-->
17
+
In this article, you learn about WAF detection templates in Sentinel, deploy a playbook, and configure the detection and response in Sentinel using these templates and the playbook.
60
18
61
19
## Prerequisites
62
20
63
21
- If you don't have an Azure subscription, create a [free account](https://azure.microsoft.com/free/?WT.mc_id=A261C142F) before you begin.
64
22
- An Azure Front Door deployment with an associated WAF policy. For more information, see [Quickstart: Create a Front Door Standard/Premium using an ARM template](../../frontdoor/create-front-door-template.md), and [Tutorial: Create a WAF policy on Azure Front Door by using the Azure portal](waf-front-door-create-portal.md).
65
23
- An Azure Front Door configured to capture logs in a Log Analytics workspace. For more information, see [Configure Azure Front Door logs](../../frontdoor/standard-premium/how-to-logs.md).
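Review bot: the deleted `-->` at old line 37 closes a template comment whose opening `<!--` sits above this hunk (before old line 28) and is not visible here; confirm that opener is removed in the preceding hunk as well, otherwise the H1 added at new line 11 and the intro below it stay inside an unclosed HTML comment and do not render. The intro sentence removed at old line 43 and re-added at new line 17 differs only in the lowercased `playbook`, which is the right call. While the intro is being touched, unchanged line 15 reads `threats/incidents/alerts`; writing it out as `threats, incidents, and alerts` would match the rest of the paragraph, and `Cross-site scripting` on line 13 should be lowercased to match `SQL injection` in the same sentence.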
Required: Multiple procedures should be organized in H2 level sections. A section contains a major grouping of steps that help users complete a task. Each section is represented as an H2 in the article.
70
-
71
-
For portal-based procedures, minimize bullets and numbering.
72
-
73
-
* Each H2 should be a major step in the task.
74
-
* Phrase each H2 title as "<verb> * <noun>" to describe what they'll do in the step.
75
-
* Don't start with a gerund.
76
-
* Don't number the H2s.
77
-
* Begin each H2 with a brief explanation for context.
78
-
* Provide a ordered list of procedural steps.
79
-
* Provide a code block, diagram, or screenshot if appropriate
80
-
* An image, code block, or other graphical element comes after numbered step it illustrates.
81
-
* If necessary, optional groups of steps can be added into a section.
82
-
* If necessary, alternative groups of steps can be added into a section.
83
-
84
-
-->
85
-
86
25
## Deploy the playbook
87
26
You install a Sentinel playbook named *Block-IPAzureWAF* from a template on GitHub. This playbook runs in response to WAF incidents. The goal is to create or modify a custom rule in a WAF policy to block requests from a certain IP address. This is accomplished using the Azure REST API.
88
27
89
28
You install the playbook from a template on GitHub.
90
-
1. Go to the [Github repository](https://github.com/Azure/Azure-Network-Security/tree/master/Azure%20WAF/Playbook%20-%20WAF%20Sentinel%20Playbook%20Block%20IP%20-%20New) and select **Deploy to Azure** to launch the template.
91
-
1. Fill in the required parameters. You can get your Frontdoor ID from the Azure portal. The Frontdoor ID is the resource ID of the Frontdoor resource.
29
+
1. Go to the [GitHub repository](https://github.com/Azure/Azure-Network-Security/tree/master/Azure%20WAF/Playbook%20-%20WAF%20Sentinel%20Playbook%20Block%20IP%20-%20New) and select **Deploy to Azure** to launch the template.
30
+
1. Fill in the required parameters. You can get your Front Door ID from the Azure portal. The Front Door ID is the resource ID of the Front Door resource.
92
31
:::image type="content" source="../media/automated-detection-response-with-sentinel/playbook-template.png" alt-text="Screenshot showing the playbook template.":::
93
32
1. Select **Review + create** and then **Create**.
94
33
95
34
## Authorize the API connection
96
35
97
36
An API connection named *azuresentinel-Block-IPAzureWAF* is created as part of this deployment. You must authorize it with your Azure ID to allow the playbook to make changes to your WAF policy.
98
37
99
-
:::image type="content" source="../media/automated-detection-response-with-sentinel/authorize-api.png" alt-text="Screenshot showing the API authorization screen."lightbox="../media/automated-detection-response-with-sentinel/authorize-api.png":::
100
-
101
38
1. In the Azure portal, select the *azuresentinel-Block-IPAzureWAF* API connection.
102
39
1. Select **Edit API connection**.
103
40
1. Under **Display Name**, type your Azure ID.
104
41
1. Select **Authorize**.
105
42
1. Select **Save**.
106
43
44
+
:::image type="content" source="../media/automated-detection-response-with-sentinel/authorize-api.png" alt-text="Screenshot showing the API authorization screen."lightbox="../media/automated-detection-response-with-sentinel/authorize-api.png":::
45
+
107
46
## Configure the Contributor role assignment
108
47
109
48
The playbook must have the necessary permissions to query and modify the existing WAF policy via the REST API. You can assign the playbook a system-assigned Managed Identity with Contributor permissions on the Front Door resource along with their associated WAF policies. You can assign permissions only if your account has been assigned Owner or User Access Administrator roles to the underlying resource.
110
49
111
-
This can be done using the IAM section in the respective resource by adding a new role assignment to this Playbook as shown below:
50
+
This can be done using the IAM section in the respective resource by adding a new role assignment to this playbook.
112
51
113
52
1. In the Azure portal, select the Front Door resource.
114
53
1. In the left pane, select **Access control (IAM)**.
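Review bot: the unchanged context line at new line 28, `You install the playbook from a template on GitHub.`, repeats the first sentence of line 26 almost verbatim and can be dropped now that the steps follow directly. The `:::image:::` directive moved to new line 44 carries over a missing space between `alt-text="..."` and `lightbox="..."` from the removed line; the two attributes need to be space-separated for the directive to parse. Lines 36 and 40 tell the reader to authorize the connection "with your Azure ID" and to type "your Azure ID" under **Display Name**, but "Azure ID" is not a defined term in this article; naming the account the reader signs in with would remove the ambiguity. In the Contributor paragraph at new line 48, `along with their associated WAF policies` should read `its associated WAF policies`; more importantly, the paragraph justifies the role by the need to "query and modify the existing WAF policy", yet the steps assign Contributor on the Front Door resource as well. A sentence explaining why the Front Door resource needs the assignment, or a note that Contributor grants more than the policy edits the playbook performs, would help readers scope the identity to the least privilege the flow actually needs.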
@@ -117,7 +56,7 @@ This can be done using the IAM section in the respective resource by adding a ne
117
56
1. Select **Privileged administrator roles**.
118
57
1. Select **Contributor** and then select **Next**.
119
58
1. Select **Select members**.
120
-
1. Search for **Block-IPAzureWAF** and select it. There may be multiple entries for this playbook. The one you just recently added usually the last one in the list.
59
+
1. Search for **Block-IPAzureWAF** and select it. There may be multiple entries for this playbook. The one you recently added usually the last one in the list.
121
60
1. Select **Block-IPAzureWAF** and select **Select**.
122
61
1. Select **Review + assign**.
123
62
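Review bot: the rewritten step at new line 59 is still missing its verb: `The one you recently added usually the last one in the list.` should read `The one you recently added is usually the last one in the list.` The rest of the hunk is a straight carry-over and reads fine.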
@@ -132,7 +71,7 @@ Repeat this procedure for the WAF policy resource.
132
71
133
72
## Configure detection and response
134
73
135
-
There are detection query templates for SQLi and XSS attacks in Sentinel for Azure WAF. You can download these templates from the Content hub. By using these templates, you can create analytic rules that detect specific type of attack patterns in the WAF logs and further notify the security analyst by creating an incident. The automation section of these rules can help you respond to this incident by blocking the source IP of the attacker on the WAF Policy which then stops subsequent attacks upfront from these source IP addresses. Microsoft is continuously working to include additional Detection Templates for more detection and response scenarios.
74
+
There are detection query templates for SQLi and XSS attacks in Sentinel for Azure WAF. You can download these templates from the Content hub. By using these templates, you can create analytic rules that detect specific type of attack patterns in the WAF logs and further notify the security analyst by creating an incident. The automation section of these rules can help you respond to this incident by blocking the source IP of the attacker on the WAF policy, which then stops subsequent attacks upfront from these source IP addresses. Microsoft is continuously working to include more Detection Templates for more detection and response scenarios.
136
75
137
76
### Install the templates
138
77
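Review bot: the rewritten paragraph at new line 74 still has `detect specific type of attack patterns`, which should be `detect specific types of attack pattern`, and `further notify the security analyst` reads more naturally as `notify the security analyst`. The same paragraph uses both `detection query templates` and `Detection Templates`; one form, lowercased, would be consistent. `SQLi` and `XSS` appear here for the first time as bare abbreviations even though line 13 of the intro spells out SQL injection and cross-site scripting; tying the two together on first use, for example `SQL injection (SQLi) and cross-site scripting (XSS)`, avoids making the reader map them.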
@@ -158,15 +97,15 @@ There are detection query templates for SQLi and XSS attacks in Sentinel for Azu
158
97
1. Select **Next: Review + create**.
159
98
1. Select **Save**.
160
99
161
-
Once the Analytic rule is created with respective Automation rule settings, you are now ready for *Detection and Response*. The following flow of events happens during an attack:
100
+
Once the Analytic rule is created with respective Automation rule settings, you're now ready for *Detection and Response*. The following flow of events happens during an attack:
162
101
163
-
-When an attacker tries to target one of the web apps behind Azure WAF, the traffic is logged by the Azure WAF and the logs are ingested by Sentinel.
102
+
-Azure WAF logs traffic when an attacker attempts to target one of the web apps behind it. Sentinel then ingests these logs.
164
103
- The Analytic/Detection rule that you configured detects the pattern for this attack and generates an incident to notify an analyst.
165
104
- The automation rule that is part of the analytic rule triggers the respective playbook that you configured previously.
166
-
- The playbook creates a custom rule called *SentinelBlockIP* in the respective WAF policy which includes the source IP of the attacker.
167
-
-The consequent attack attempts are blocked by WAF and if the attacker tries to use another source IP, the same flow happen again, and the respective source IP is also appended to this block rule.
105
+
- The playbook creates a custom rule called *SentinelBlockIP* in the respective WAF policy, which includes the source IP of the attacker.
106
+
-WAF blocks subsequent attack attempts, and if the attacker tries to use another source IP, it appends the respective source IP to the block rule.
168
107
169
-
An important point is that by default Azure WAF blocks any malicious web attacks with the help of core ruleset of the Azure WAF engine. However, this automated detection and response configuration further enhances the security by modifying or adding new custom block rules on the Azure WAF policy for the respective source IP addresses. This ensures that the traffic from these source IP addresses get blocked before it even hits the Azure WAF engine ruleset.
108
+
An important point is that by default Azure WAF blocks any malicious web attacks with the help of core ruleset of the Azure WAF engine. However, this automated detection and response configuration further enhances the security by modifying or adding new custom block rules on the Azure WAF policy for the respective source IP addresses. This ensures that the traffic from these source IP addresses gets blocked before it even hits the Azure WAF engine ruleset.
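Review bot: the list items added at new lines 102 and 106 begin with `-Azure WAF logs traffic` and `-WAF blocks subsequent attack attempts` with no space after the hyphen, unlike the sibling items at lines 103 to 105, so Markdown will render them as run-on paragraph text instead of bullets. Line 106 also loses information the removed line 167 carried: the old text said that when the attacker switches source IP "the same flow happens again" and the IP "is appended to this block rule", whereas the new wording attributes the append to "it", which reads as the WAF, although line 105 states the playbook is what creates and maintains the *SentinelBlockIP* rule. Suggested wording: `- WAF blocks subsequent attack attempts. If the attacker switches to another source IP, the same detection flow runs again and the playbook appends that IP to the block rule.` Finally, `with the help of core ruleset` at line 108 should read `with the help of the core rule set`.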