As you know, Azure Security Center is your one-stop shop for staying on top of the security posture of your resources hosted in Azure.
As more and more resources are hosted on cloud services, security and protection against attacks are more important than ever.
As you know, you can protect your virtual machines running on Azure using various options; the easiest, and a free one, is the Network Security Group (NSG).
Managing the list of allowed/denied IP addresses on an NSG is not easy, especially when you need to act fast once an attack is detected.
Well, good news: the Azure Security Center group has developed an automation that helps you block IP addresses at the NSG level when a brute force attack is detected.
To start using it you need:
Well, let’s start deploying the automation by hitting the Deploy to Azure button.
Then fill in the required fields:
Now you need to grant the BlockBruteForceAttackedIP Logic App either User Access Administrator or Owner on the subscription(s), management group or resource group, to scope your usage (the scope of your Azure Security Center protection).
Then you need to authorize the Office 365 API connection called office365-BlockBruteForceAttackedIP by opening the Edit API connection blade and hitting the blue button.
If you see the "Authorization was successful" message, you can hit the Save button.
Now you can create the automation in Azure Security Center.
The ASC automation workflow needs to use the following:
You are now ready: every IP address carrying out a brute force attack will be added to the NSG associated with the attacked VM and blocked.
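
To make the result concrete, here is an added example (not the Logic App's own code, and not from the Azure Security Center group) of what a per-IP block at the NSG level has to get right: NSG rules are evaluated from the lowest priority number upward, so the Deny rule must sit below every inbound Allow rule. The function name, the sample rules and the addresses are assumptions constructed for illustration.

```python
import ipaddress

# Constructed sample: security rules of an NSG in the ARM JSON shape
# (names, addresses and priorities are invented for this example).
SAMPLE_RULES = [
    {"name": "Allow-RDP", "properties": {"priority": 300, "direction": "Inbound",
        "access": "Allow", "protocol": "Tcp", "sourceAddressPrefix": "*",
        "destinationPortRange": "3389"}},
    {"name": "Allow-HTTPS", "properties": {"priority": 310, "direction": "Inbound",
        "access": "Allow", "protocol": "Tcp", "sourceAddressPrefix": "*",
        "destinationPortRange": "443"}},
]

MIN_PRIORITY, MAX_PRIORITY = 100, 4096  # range Azure accepts for custom rules


def build_block_rule(existing_rules, attacker_ip):
    """Return a Deny rule for attacker_ip that is evaluated before every
    inbound Allow rule, or None if that address is already denied."""
    ip = str(ipaddress.ip_address(attacker_ip))  # raises ValueError if malformed
    inbound = [r["properties"] for r in existing_rules
               if r["properties"]["direction"] == "Inbound"]
    # Idempotence: a repeated alert must not create a duplicate rule.
    for p in inbound:
        if p["access"] == "Deny" and p.get("sourceAddressPrefix") == ip:
            return None
    used = {p["priority"] for p in inbound}  # priorities are unique per direction
    allows = [p["priority"] for p in inbound if p["access"] == "Allow"]
    ceiling = min(allows) if allows else MAX_PRIORITY + 1
    # Lower number = evaluated first, so take a free slot below the first Allow.
    for prio in range(MIN_PRIORITY, ceiling):
        if prio not in used:
            return {"name": "Block-" + ip.replace(":", "-"),
                    "properties": {"priority": prio, "direction": "Inbound",
                                   "access": "Deny", "protocol": "*",
                                   "sourceAddressPrefix": ip,
                                   "sourcePortRange": "*",
                                   "destinationAddressPrefix": "*",
                                   "destinationPortRange": "*"}}
    raise RuntimeError("no free priority below the first inbound Allow rule")
```

If your existing Allow rules already start at priority 100, there is no room for a Deny rule ahead of them, so leave a gap at the top of the range when you design the NSG.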