Skip to main content
Skip table of contents

Azure Network Security Groups

LAST UPDATED: NOV 19, 2024

Overview

Azure Network Security Group can be used to filter network traffic between Azure resources in an Azure virtual network. A Network Security Group contains security rules that allow or deny inbound network traffic to, or outbound network traffic from, several types of Azure resources.

D3 SOAR is providing REST operations to function with Azure Network Security Groups. Azure Network Security Groups is available for use in:

D3 SOAR

V15.3+

Category

Cloud Services

Deployment Options

Option II, Option IV

Known Limitations

See Networking limits - Azure Resource Manager for details.

Connection

To connect to Azure Network Security Groups from D3 SOAR, follow this part to collect the required information below:

Parameter

Description

Example

Directory (Tenant) ID

The directory ID used for authentication.

*****

Client ID

The client ID used for authentication.

*****

Client Secret

The client secret used for authentication.

*****

Subscription ID

The Azure subscription ID.

*****

Resource Group Name

The name of the resource group within the user's subscription.

d3devcybergp

API Version

The API Version used for the connection.

2022-07-01

READER NOTE

The prerequisite for using this guide is an active Microsoft Azure subscription. Refer to Build in the cloud with an Azure account for more information.

Permission Requirements

To use the commands, the Network Contributor role (or a role with more extensive permissions) must be assigned to the security principal. Refer to this article for Azure built-in roles and their permission scope. Alternatively, a custom role with the following permissions must be configured:

Command

Required Permissions

Associate Network Security Group with Virtual Network

Microsoft.Network/virtualNetworks/subnets/read

Microsoft.Network/networkSecurityGroups/read

Microsoft.Network/networkSecurityGroups/join/action

Block IPs

Microsoft.Network/networkSecurityGroups/read

Microsoft.Network/networkSecurityGroups/write

Create Network Security Group

Microsoft.Network/networkSecurityGroups/read

Microsoft.Network/networkSecurityGroups/write

List Network Security Groups

Microsoft.Network/networkSecurityGroups/read

List Subnets

Microsoft.Network/virtualNetworks/subnets/read

List Virtual Networks

Microsoft.Network/virtualNetworks/read

Unblock IPs

Microsoft.Network/networkSecurityGroups/read

Microsoft.Network/networkSecurityGroups/write

Test Connection

Microsoft.Network/networkSecurityGroups/read

Azure Network Security Groups is using role-based access control (RBAC). Therefore, the command permissions are inherited from the security principal's role. Roles for security principals must be configured from the Azure portal to use the commands in this integration.

READER NOTE

Only security principals with the Role Based Access Control Administrator or User Access Administrator role can configure Azure roles. Refer to Assign Azure roles using Azure portal for more information on configuring user roles.

Configuring Azure Network Security Groups to Work with D3 SOAR

  1. Navigate to the top search bar, then search for and select App registrations.

  2. Click on the + New Registration button to create a new app. If using a pre-existing app, click into it and skip to step 5.

  3. Register the application.

    1. Enter a name.

    2. Select the Accounts in this organizational directory only (<Your Directory Name> only - Single tenant) option.

    3. Register the application.

  4. Obtain the necessary credentials from the app's Overview tab.

    1. Copy the Application (client) ID and store it somewhere safe. Refer to step 3i sub-step 2 in Configuring D3 SOAR to Work with Azure Network Security Groups.

    2. Copy the Directory (tenant) ID and store it somewhere safe. Refer to step 3i sub-step 1 in Configuring D3 SOAR to Work with Azure Network Security Groups.

  5. Obtain the Client Secret.

    1. Click on the Add a certificate or secret link.

    2. Configure the client secret.


      1. Click on the + New client secret button.
      2. Enter a description.
      3. Add the client secret.

    3. Copy the Value of the newly created client secret and store it somewhere safe. Refer to step 3i sub-step 3 in Configuring D3 SOAR to Work with Azure Network Security Groups.

READER NOTE

The client secret value cannot be viewed again after the page is refreshed or closed.

  1. Navigate to the top search bar, then search for and select Resource groups.

  2. Click on the + Create button to create a new resource group. If using a pre-existing resource group, click into it and skip to step 10.

  3. Configure the resource group.

    1. Select a subscription.

    2. Name the resource group.

    3. Select a region.

    4. Click on the Review + Create button.

  4. Create the resource group.

  5. Navigate to Resource groups and select the group for which to configure roles.

  6. Add a role assignment.

    1. Select the Access Control (IAM) tab.

    2. Click on the + Add button.

    3. Click on the Add role assignment button.

  7. Add the Network Contributor role.

    1. Search for the Network Contributor role.

    2. Select the Network Contributor role.

  8. Select members for the role.

    1. Click on the Members tab.

    2. Select User, group, or service principal for Assign access to.

    3. Search and select the members appropriate for the role.

    4. Click on the Review + assign tab.

  9. Confirm and add the role assignment.

READER NOTE

If the dropdown options for + Add are grayed out, it may be due insufficient permissions or limited access scope. Contact the organization's administrator to request that the Network Contributor role (at a minimum) or an equivalent custom role be assigned to the account to use the commands.

  1. Obtain the Subscription ID and Resource Group Name.

    1. Click on the Overview tab.

    2. Copy the resource group name. Refer to step 3i sub-step 5 in Configuring D3 SOAR to Work with Azure Network Security Groups.

    3. Copy the Subscription ID and store it somewhere safe. Refer to step 3i sub-step 4 in Configuring D3 SOAR to Work with Azure Network Security Groups.

Configuring D3 SOAR to Work with Azure Network Security Groups

  1. Log in to D3 SOAR.

  2. Find the Azure Network Security Groups integration.

    1. Navigate to Configuration on the top header menu.

    2. Click on the Integration icon on the left sidebar.

    3. Type Azure Network Security Groups in the search box to find the integration, then click it to select it.

    4. Click + Connection, on the right side of the Connections section. A new connection window will appear.

  3. Configure the following fields to create a connection to Azure Network Security Groups.

    1. Connection Name: The desired name for the connection.

    2. Site: Specifies the site to use the integration connection. Use the drop-down menu to select the site. The Share to Internal Sites option enables all sites defined as internal sites to use the connection. Selecting a specific site will only enable that site to use the connection.

    3. Recipient site for events from connections Shared to Internal Sites: This field appears if you selected Share to Internal Sites for Site to let you select the internal site to deploy the integration connection.

    4. Agent Name (Optional): Specifies the proxy agent required to build the connection. Use the dropdown menu to select the proxy agent from a list of previously configured proxy agents.

    5. Description (Optional): Add your desired description for the connection.

    6. Tenant (Optional): When configuring the connection from a master tenant site, you have the option to choose the specific tenant sites you want to share the connection with. Once you enable this setting, you can filter and select the desired tenant sites from the dropdowns to share the connection.

    7. Configure User Permissions: Defines which users have access to the connection.

    8. Active: Check the checkbox to ensure the connection is available for use.

    9. System: This section contains the parameters defined specifically for the integration. These parameters must be configured to create the integration connection.
      1. Input the Directory (Tenant) ID. Refer to step 4b in Configuring Azure Network Security Groups to Work with D3 SOAR.
      2. Input the Client ID. Refer to step 4a in Configuring Azure Network Security Groups to Work with D3 SOAR.
      3. Input the Client Secret. Refer to step 5c in Configuring Azure Network Security Groups to Work with D3 SOAR.
      4. Input the Subscription ID. Refer to step 15c in Configuring Azure Network Security Groups to Work with D3 SOAR.
      5. Input the Resource Group Name. Refer to step 15b in Configuring Azure Network Security Groups to Work with D3 SOAR.
      6. Input the API Version. The default value is 2022-07-01.

    10. Enable Password Vault: An optional feature that allows users to take the stored credentials from their own password vault. Refer to the password vault connection guide if needed.

    11. Connection Health Check: Updates the connection status you have created. A connection health check is done by scheduling the Test Connection command of this integration. This can only be done when the connection is active.
      To set up a connection health check, check the Connection Health Check tick box. You can customize the interval (minutes) for scheduling the health check. An email notification can be set up after a specified number of failed connection attempts.

  4. Test the connection.

    1. Click Test Connection to verify the account credentials and network connection. If the Test Connection Passed alert window appears, the test connection is successful. You will see Passed with a green check mark appear beside the Test Connection button. If the test connection fails, check your connection parameters and try again.

    2. Click OK to close the alert window.

    3. Click + Add to create and add the configured connection.

Commands

Azure Network Security Groups includes the following executable commands for users to set up schedules or create playbook workflows. With the Test Command, you can execute these commands independently for playbook troubleshooting.

Integration API Note

For more information about the Azure Network Security Groups API, refer to the Azure Network Security Groups API reference.

READER NOTE

Certain permissions are required for each command. Refer to the Permission Requirements and Configuring Azure Network Security Groups to Work with D3 SOAR sections for details.

Associate Network Security Group with Virtual Network

Associates a network security group with the specified virtual network. The group can be associated with all or only specific subnets within the network.

READER NOTE

Network Security Group Name and Virtual Network Name are required parameters to run this command.

  • Run the List Network Security Groups command to obtain the Network Security Group Name. Network Security Group Names can be found in the raw data at the path $.value[*].name.

  • Run the List Virtual Networks command to obtain the Virtual Network Name. Virtual Network Names can be found in the raw data at the path $.value[*].name.

Subnet Names is an optional parameter to run this command.

  • Run the List Virtual Networks or List Subnets command to obtain the Subnet Names. Subnet Names can be found in the raw data at the path $.value[*].properties.subnets[*].name for List Virtual Networks, and $.value[*].name for List Subnets

Input

Input Parameter

Required/Optional

Description

Example

Network Security Group Name

Required

The name of the network security group. Network Security Group Name can be obtained using the List Network Security Groups command. Ensure that the network security group and virtual network are in the same region.

testapache-nsg

Virtual Network Name

Required

The virtual network name with which the specified network security group is to be associated. Virtual Network Name can be obtained using the List Virtual Networks command. Ensure that the network security group and virtual network are in the same region.

D3cybervnet829

Subnet Names

Optional

The subnet names within the virtual network to which the network security group will be assigned. Subnet Names can be obtained using the List Virtual Networks or List Subnets command. By default, the network security group will be assigned to all subnets within the virtual network.

JSON
[ "default" ] 

Output

Return Data

Indicates one of the possible command execution states: Successful, Partially Successful, or Failed.

The Partially Successful state only occurs when a command’s input accepts an array of items (e.g. an array of IP addresses) and one or more items within the array return an error from the API request.

The Failed state can be triggered by any of the following errors:

  • A connection issue with the integration

  • The API returned an error message

  • No response from the API

You can view more details about an error in the Error tab.

Return Data can be passed down directly to a subsequent command or used to create conditional tasks in playbooks.

SAMPLE DATA

CODE
Successful
Raw Data

The primary response data from the API request.

SAMPLE DATA

JSON
[
    {
        "name": "default",
        "id": "/subscriptions/*****/resourceGroups/d3cyber/providers/Microsoft.Network/virtualNetworks/d3cybervnet829/subnets/default",
        "etag": "W/\"*****\"",
        "properties": {
            "provisioningState": "Updating",
            "addressPrefix": "***.***.***.***/***",
            "networkSecurityGroup": {
                "id": "/subscriptions/*****/resourceGroups/d3cyber/providers/Microsoft.Network/networkSecurityGroups/testapache-nsg"
            },
            "ipConfigurations": [
                {
                    "id": "/subscriptions/*****/resourceGroups/d3cyber/providers/Microsoft.Network/networkInterfaces/test36842/ipConfigurations/ipconfig1"
                },
                {
                    "id": "/subscriptions/*****/resourceGroups/d3cyber/providers/Microsoft.Network/networkInterfaces/testapache816/ipConfigurations/ipconfig1"
                },
                {
                    "id": "/subscriptions/*****/resourceGroups/d3cyber/providers/Microsoft.Network/networkInterfaces/d3mdb19/ipConfigurations/ipconfig1"
                },
                {
                    "id": "/subscriptions/*****/resourceGroups/d3cyber/providers/Microsoft.Network/networkInterfaces/d3mdb289/ipConfigurations/ipconfig1"
                }
            ],
            "delegations": [],
            "privateEndpointNetworkPolicies": "Disabled",
            "privateLinkServiceNetworkPolicies": "Enabled"
        },
        "type": "Microsoft.Network/virtualNetworks/subnets"
    }
]
Key Fields

Common cyber security indicators such as unique IDs, file hash values, CVE numbers, IP addresses, etc., will be extracted from Raw Data as Key Fields.

The system stores these key fields in the path $.[playbookTask].outputData. You can use these key-value pairs as data points for playbook task inputs.

SAMPLE DATA

JSON
{
  "SubnetNames": ["default"],
  "SubnetIDs": ["/subscriptions/*****/resourceGroups/d3cyber/providers/Microsoft.Network/virtualNetworks/d3cybervnet829/subnets/default"],
  "SubnetAddresses": ["***.***.***.***/***"],
  "NetworkSecurityGroupIDs": ["/subscriptions/*****/resourceGroups/d3cyber/providers/Microsoft.Network/networkSecurityGroups/testapache-nsg"]
}
Result

Provides a brief summary of outputs in an HTML formatted table.

SAMPLE DATA

name

id

etag

properties

type

default

/subscriptions/*****/resourceGroups/d3cyber/providers/Microsoft.Network/virtualNetworks/d3cybervnet829/subnets/default

W/"*****"

{'provisioningState': 'Updating', 'addressPrefix': '***.***.***.***/***', 'networkSecurityGroup': {'id': '/subscriptions/*****/resourceGroups/d3cyber/providers/Microsoft.Network/networkSecurityGroups/testapache-nsg'}, 'ipConfigurations': [{'id': '/subscriptions/*****/resourceGroups/d3cyber/providers/Microsoft.Network/networkInterfaces/test36842/ipConfigurations/ipconfig1'}, {'id': '/subscriptions/*****/resourceGroups/d3cyber/providers/Microsoft.Network/networkInterfaces/testapache816/ipConfigurations/ipconfig1'}, {'id': '/subscriptions/*****/resourceGroups/d3cyber/providers/Microsoft.Network/networkInterfaces/d3mdb19/ipConfigurations/ipconfig1'}, {'id': '/subscriptions/*****/resourceGroups/d3cyber/providers/Microsoft.Network/networkInterfaces/d3mdb289/ipConfigurations/ipconfig1'}], 'delegations': [], 'privateEndpointNetworkPolicies': 'Disabled', 'privateLinkServiceNetworkPolicies': 'Enabled'}

Microsoft.Network/virtualNetworks/subnets

Error Handling

If the Return Data displays Partially Successful or Failed, an Error tab will appear in the Test Result window.

The error tab contains the details responded from D3 SOAR or third-party API calls, including Failure Indicator, Status Code, and Message. This can help you locate the root cause of a command failure.

Parts in Error

Description

Example

Failure Indicator

Indicates the command failure that happened at a specific input and/or API call.

Associate Network Security Group with Virtual Network failed.

Status Code

The response code issued by the third-party API server or the D3 SOAR system that can be used to locate the corresponding error category. For example, if the returned status code is 401, the selected connection is unauthorized to run the command. The user or system support would need to check the permission setting in the Azure Network Security Groups portal. Refer to the HTTP Status Code Registry for details.

Status Code: 400.

Message

The raw data or captured key error message from the integration API server about the API request failure.

Message: Bad request.

Error Sample Data

Associate Network Security Group with Virtual Network failed.

Status Code: 400.

Message: Bad request.

Block IPs

Blocks the specified IP addresses or CIDR IP ranges within the designated network security group. The rule to block these IPs is configured with the highest priority. Ensure that the network security group is associated with the subnets in which the IPs will be blocked using the Associate Network Security Group with Virtual Network command. The network security group must be in the same region as the virtual network to which the subnets belong. Refer to Block/allow specific IP addresses on Azure Cloud Services | Azure PaaS Blog for more information.

READER NOTE

Network Security Group Name is a required parameter to run this command.

  • Run the List Network Security Groups command to obtain the Network Security Group Name. Network Security Group Names can be found in the raw data at the path $.value[*].name.

Input

Input Parameter

Required/Optional

Description

Example

Network Security Group Name

Required

The name of the network security group within which the specified IP addresses are blocked. Network Security Group Name can be obtained using the List Network Security Groups command.

test36-nsg

IP Addresses

Required

The IP addresses within the specified network security group to block. Valid values include CIDR IP ranges (e.g. 192.168.99.0/24) and IPv4 IP addresses (e.g. 192.168.99.0).

JSON
[
    "***.***.***.***/***",
    "***.***.***.***"
]

Block Direction

Optional

The block direction. Available options are:

  • Inbound and Outbound

  • Inbound

  • Outbound

By default, the value is Inbound and Outbound.

Inbound and Outbound

Output

Return Data

Indicates one of the possible command execution states: Successful, Partially Successful, or Failed.

The Partially Successful state only occurs when a command’s input accepts an array of items (e.g. an array of IP addresses) and one or more items within the array return an error from the API request.

The Failed state can be triggered by any of the following errors:

  • A connection issue with the integration

  • The API returned an error message

  • No response from the API

You can view more details about an error in the Error tab.

Return Data can be passed down directly to a subsequent command or used to create conditional tasks in playbooks.

SAMPLE DATA

CODE
Successful
Raw Data

The primary response data from the API request.

SAMPLE DATA

JSON
[
    {
        "name": "IB_VSOC_blockIPs_Rule",
        "id": "/subscriptions/*****/resourceGroups/d3cyber/providers/Microsoft.Network/networkSecurityGroups/test36-nsg/securityRules/IB_VSOC_blockIPs_Rule",
        "etag": "W/\"*****\"",
        "type": "Microsoft.Network/networkSecurityGroups/securityRules",
        "properties": {
            "provisioningState": "Updating",
            "protocol": "*",
            "sourcePortRange": "*",
            "destinationPortRange": "*",
            "destinationAddressPrefix": "*",
            "access": "Deny",
            "priority": 100,
            "direction": "Inbound",
            "sourcePortRanges": [],
            "destinationPortRanges": [],
            "sourceAddressPrefixes": [
                "***.***.***.***./***",
                "***.***.***.***"
            ],
            "destinationAddressPrefixes": []
        }
    },
    {
        "name": "OB_VSOC_blockIPs_Rule",
        "id": "/subscriptions/*****/resourceGroups/d3cyber/providers/Microsoft.Network/networkSecurityGroups/test36-nsg/securityRules/OB_VSOC_blockIPs_Rule",
        "etag": "W/\"*****\"",
        "type": "Microsoft.Network/networkSecurityGroups/securityRules",
        "properties": {
            "provisioningState": "Updating",
            "protocol": "*",
            "sourcePortRange": "*",
            "destinationPortRange": "*",
            "sourceAddressPrefix": "*",
            "access": "Deny",
            "priority": 100,
            "direction": "Outbound",
            "sourcePortRanges": [],
            "destinationPortRanges": [],
            "sourceAddressPrefixes": [],
            "destinationAddressPrefixes": [
                "***.***.***.***./***",
                "***.***.***.***"
            ]
        }
    }
]
Key Fields

Common cyber security indicators such as unique IDs, file hash values, CVE numbers, IP addresses, etc., will be extracted from Raw Data as Key Fields.

The system stores these key fields in the path $.[playbookTask].outputData. You can use these key-value pairs as data points for playbook task inputs.

SAMPLE DATA

JSON
{
  "RuleNames": ["IB_VSOC_blockIPs_Rule","OB_VSOC_blockIPs_Rule"],
  "Directions": ["Inbound","Outbound"],
  "Priorities": [100,100],
  "States": ["Updating","Updating"]
}
Result

Provides a brief summary of outputs in an HTML formatted table.

SAMPLE DATA

provisioningState

Updating

Updating

protocol

*

*

sourcePortRange

*

*

destinationPortRange

*

*

destinationAddressPrefix

*

access

Deny

Deny

priority

100

100

direction

Inbound

Outbound

sourcePortRanges

[]

[]

destinationPortRanges

[]

[]

sourceAddressPrefixes

['***.***.***.***./***', '***.***.***.***']

[]

destinationAddressPrefixes

[]

['***.***.***.***./***', '***.***.***.***']

sourceAddressPrefix

*

Error Handling

If the Return Data displays Partially Successful or Failed, an Error tab will appear in the Test Result window.

The error tab contains the details responded from D3 SOAR or third-party API calls, including Failure Indicator, Status Code, and Message. This can help you locate the root cause of a command failure.

Parts in Error

Description

Example

Failure Indicator

Indicates the command failure that happened at a specific input and/or API call.

Block IPs failed.

Status Code

The response code issued by the third-party API server or the D3 SOAR system that can be used to locate the corresponding error category. For example, if the returned status code is 401, the selected connection is unauthorized to run the command. The user or system support would need to check the permission setting in the Azure Network Security Groups portal. Refer to the HTTP Status Code Registry for details.

Status Code: 400.

Message

The raw data or captured key error message from the integration API server about the API request failure.

Message: Bad request.

Error Sample Data

Block IPs failed.

Status Code: 400.

Message: Bad request.

Create Network Security Group

Creates or updates a network security group.

Input

Input Parameter

Required/Optional

Description

Example

Network Security Group Name

Required

The name of the network security group to be created or updated.

testNSG0113

Location

Required

The region where the network security group is located.

(US) East US

Output

Return Data

Indicates one of the possible command execution states: Successful or Failed

The Failed state can be triggered by any of the following errors:

  • A connection issue with the integration

  • The API returned an error message

  • No response from the API

You can view more details about an error in the Error tab.

Return Data can be passed down directly to a subsequent command or used to create conditional tasks in playbooks.

SAMPLE DATA

CODE
Successful
Raw Data

The primary response data from the API request.

SAMPLE DATA

JSON
{
    "name": "testNSG0113",
    "id": "/subscriptions/*****/resourceGroups/d3cyber/providers/Microsoft.Network/networkSecurityGroups/testNSG0113",
    "etag": "W/\"*****\"",
    "type": "Microsoft.Network/networkSecurityGroups",
    "location": "eastus",
    "properties": {
        "provisioningState": "Updating",
        "resourceGuid": "*****",
        "securityRules": [],
        "defaultSecurityRules": [
            {
                "name": "AllowVnetInBound",
                "id": "/subscriptions/*****/resourceGroups/d3cyber/providers/Microsoft.Network/networkSecurityGroups/testNSG0113/defaultSecurityRules/AllowVnetInBound",
                "etag": "W/\"*****\"",
                "type": "Microsoft.Network/networkSecurityGroups/defaultSecurityRules",
                "properties": {
                    "provisioningState": "Updating",
                    "description": "Allow inbound traffic from all VMs in VNET",
                    "protocol": "*",
                    "sourcePortRange": "*",
                    "destinationPortRange": "*",
                    "sourceAddressPrefix": "VirtualNetwork",
                    "destinationAddressPrefix": "VirtualNetwork",
                    "access": "Allow",
                    "priority": 65000,
                    "direction": "Inbound",
                    "sourcePortRanges": [],
                    "destinationPortRanges": [],
                    "sourceAddressPrefixes": [],
                    "destinationAddressPrefixes": []
                }
            },
            {
                "name": "AllowAzureLoadBalancerInBound",
                "id": "/subscriptions/*****/resourceGroups/d3cyber/providers/Microsoft.Network/networkSecurityGroups/testNSG0113/defaultSecurityRules/AllowAzureLoadBalancerInBound",
                "etag": "W/\"*****\"",
                "type": "Microsoft.Network/networkSecurityGroups/defaultSecurityRules",
                "properties": {
                    "provisioningState": "Updating",
                    "description": "Allow inbound traffic from azure load balancer",
                    "protocol": "*",
                    "sourcePortRange": "*",
                    "destinationPortRange": "*",
                    "sourceAddressPrefix": "AzureLoadBalancer",
                    "destinationAddressPrefix": "*",
                    "access": "Allow",
                    "priority": 65001,
                    "direction": "Inbound",
                    "sourcePortRanges": [],
                    "destinationPortRanges": [],
                    "sourceAddressPrefixes": [],
                    "destinationAddressPrefixes": []
                }
            },
            {
                "name": "DenyAllInBound",
                "id": "/subscriptions/*****/resourceGroups/d3cyber/providers/Microsoft.Network/networkSecurityGroups/testNSG0113/defaultSecurityRules/DenyAllInBound",
                "etag": "W/\"*****\"",
                "type": "Microsoft.Network/networkSecurityGroups/defaultSecurityRules",
                "properties": {
                    "provisioningState": "Updating",
                    "description": "Deny all inbound traffic",
                    "protocol": "*",
                    "sourcePortRange": "*",
                    "destinationPortRange": "*",
                    "sourceAddressPrefix": "*",
                    "destinationAddressPrefix": "*",
                    "access": "Deny",
                    "priority": 65500,
                    "direction": "Inbound",
                    "sourcePortRanges": [],
                    "destinationPortRanges": [],
                    "sourceAddressPrefixes": [],
                    "destinationAddressPrefixes": []
                }
            },
            {
                "name": "AllowVnetOutBound",
                "id": "/subscriptions/*****/resourceGroups/d3cyber/providers/Microsoft.Network/networkSecurityGroups/testNSG0113/defaultSecurityRules/AllowVnetOutBound",
                "etag": "W/\"*****\"",
                "type": "Microsoft.Network/networkSecurityGroups/defaultSecurityRules",
                "properties": {
                    "provisioningState": "Updating",
                    "description": "Allow outbound traffic from all VMs to all VMs in VNET",
                    "protocol": "*",
                    "sourcePortRange": "*",
                    "destinationPortRange": "*",
                    "sourceAddressPrefix": "VirtualNetwork",
                    "destinationAddressPrefix": "VirtualNetwork",
                    "access": "Allow",
                    "priority": 65000,
                    "direction": "Outbound",
                    "sourcePortRanges": [],
                    "destinationPortRanges": [],
                    "sourceAddressPrefixes": [],
                    "destinationAddressPrefixes": []
                }
            },
            {
                "name": "AllowInternetOutBound",
                "id": "/subscriptions/*****/resourceGroups/d3cyber/providers/Microsoft.Network/networkSecurityGroups/testNSG0113/defaultSecurityRules/AllowInternetOutBound",
                "etag": "W/\"*****\"",
                "type": "Microsoft.Network/networkSecurityGroups/defaultSecurityRules",
                "properties": {
                    "provisioningState": "Updating",
                    "description": "Allow outbound traffic from all VMs to Internet",
                    "protocol": "*",
                    "sourcePortRange": "*",
                    "destinationPortRange": "*",
                    "sourceAddressPrefix": "*",
                    "destinationAddressPrefix": "Internet",
                    "access": "Allow",
                    "priority": 65001,
                    "direction": "Outbound",
                    "sourcePortRanges": [],
                    "destinationPortRanges": [],
                    "sourceAddressPrefixes": [],
                    "destinationAddressPrefixes": []
                }
            },
            {
                "name": "DenyAllOutBound",
                "id": "/subscriptions/*****/resourceGroups/d3cyber/providers/Microsoft.Network/networkSecurityGroups/testNSG0113/defaultSecurityRules/DenyAllOutBound",
                "etag": "W/\"*****\"",
                "type": "Microsoft.Network/networkSecurityGroups/defaultSecurityRules",
                "properties": {
                    "provisioningState": "Updating",
                    "description": "Deny all outbound traffic",
                    "protocol": "*",
                    "sourcePortRange": "*",
                    "destinationPortRange": "*",
                    "sourceAddressPrefix": "*",
                    "destinationAddressPrefix": "*",
                    "access": "Deny",
                    "priority": 65500,
                    "direction": "Outbound",
                    "sourcePortRanges": [],
                    "destinationPortRanges": [],
                    "sourceAddressPrefixes": [],
                    "destinationAddressPrefixes": []
                }
            }
        ]
    }
}
Key Fields

Common cyber security indicators such as unique IDs, file hash values, CVE numbers, IP addresses, etc., will be extracted from Raw Data as Key Fields.

The system stores these key fields in the path $.[playbookTask].outputData. You can use these key-value pairs as data points for playbook task inputs.

SAMPLE DATA

JSON
{
  "NetworkSecurityGroupName": testNSG0113,
  "NetworkSecurityGroupID": /subscriptions/*****/resourceGroups/d3cyber/providers/Microsoft.Network/networkSecurityGroups/testNSG0113,
  "NetworkSecurityGroupLocation": eastus
}
Result

Provides a brief summary of outputs in an HTML formatted table.

SAMPLE DATA

name

testNSG0113

id

/subscriptions/*****/resourceGroups/d3cyber/providers/Microsoft.Network/networkSecurityGroups/testNSG0113

etag

W/"*****"

type

Microsoft.Network/networkSecurityGroups

location

eastus

properties

{'provisioningState': 'Updating', 'resourceGuid': '*****', 'securityRules': [], 'defaultSecurityRules': [{'name': 'AllowVnetInBound', 'id': '/subscriptions/*****/resourceGroups/d3cyber/providers/Microsoft.Network/networkSecurityGroups/testNSG0113/defaultSecurityRules/AllowVnetInBound', 'etag': 'W/"*****"', 'type': 'Microsoft.Network/networkSecurityGroups/defaultSecurityRules', 'properties': {'provisioningState': 'Updating', 'description': 'Allow inbound traffic from all VMs in VNET', 'protocol': '*', 'sourcePortRange': '*', 'destinationPortRange': '*', 'sourceAddressPrefix': 'VirtualNetwork', 'destinationAddressPrefix': 'VirtualNetwork', 'access': 'Allow', 'priority': 65000, 'direction': 'Inbound', 'sourcePortRanges': [], 'destinationPortRanges': [], 'sourceAddressPrefixes': [], 'destinationAddressPrefixes': []}}, {'name': 'AllowAzureLoadBalancerInBound', 'id': '/subscriptions/*****/resourceGroups/d3cyber/providers/Microsoft.Network/networkSecurityGroups/testNSG0113/defaultSecurityRules/AllowAzureLoadBalancerInBound', 'etag': 'W/"*****"', 'type': 'Microsoft.Network/networkSecurityGroups/defaultSecurityRules', 'properties': {'provisioningState': 'Updating', 'description': 'Allow inbound traffic from azure load balancer', 'protocol': '*', 'sourcePortRange': '*', 'destinationPortRange': '*', 'sourceAddressPrefix': 'AzureLoadBalancer', 'destinationAddressPrefix': '*', 'access': 'Allow', 'priority': 65001, 'direction': 'Inbound', 'sourcePortRanges': [], 'destinationPortRanges': [], 'sourceAddressPrefixes': [], 'destinationAddressPrefixes': []}}, {'name': 'DenyAllInBound', 'id': '/subscriptions/*****/resourceGroups/d3cyber/providers/Microsoft.Network/networkSecurityGroups/testNSG0113/defaultSecurityRules/DenyAllInBound', 'etag': 'W/"*****"', 'type': 'Microsoft.Network/networkSecurityGroups/defaultSecurityRules', 'properties': {'provisioningState': 'Updating', 'description': 'Deny all inbound traffic', 'protocol': '*', 'sourcePortRange': '*', 'destinationPortRange': '*', 'sourceAddressPrefix': '*', 'destinationAddressPrefix': '*', 'access': 'Deny', 'priority': 65500, 'direction': 'Inbound', 'sourcePortRanges': [], 'destinationPortRanges': [], 'sourceAddressPrefixes': [], 'destinationAddressPrefixes': []}}, {'name': 'AllowVnetOutBound', 'id': '/subscriptions/*****/resourceGroups/d3cyber/providers/Microsoft.Network/networkSecurityGroups/testNSG0113/defaultSecurityRules/AllowVnetOutBound', 'etag': 'W/"*****"', 'type': 'Microsoft.Network/networkSecurityGroups/defaultSecurityRules', 'properties': {'provisioningState': 'Updating', 'description': 'Allow outbound traffic from all VMs to all VMs in VNET', 'protocol': '*', 'sourcePortRange': '*', 'destinationPortRange': '*', 'sourceAddressPrefix': 'VirtualNetwork', 'destinationAddressPrefix': 'VirtualNetwork', 'access': 'Allow', 'priority': 65000, 'direction': 'Outbound', 'sourcePortRanges': [], 'destinationPortRanges': [], 'sourceAddressPrefixes': [], 'destinationAddressPrefixes': []}}, {'name': 'AllowInternetOutBound', 'id': '/subscriptions/*****/resourceGroups/d3cyber/providers/Microsoft.Network/networkSecurityGroups/testNSG0113/defaultSecurityRules/AllowInternetOutBound', 'etag': 'W/"*****"', 'type': 'Microsoft.Network/networkSecurityGroups/defaultSecurityRules', 'properties': {'provisioningState': 'Updating', 'description': 'Allow outbound traffic from all VMs to Internet', 'protocol': '*', 'sourcePortRange': '*', 'destinationPortRange': '*', 'sourceAddressPrefix': '*', 'destinationAddressPrefix': 'Internet', 'access': 'Allow', 'priority': 65001, 'direction': 'Outbound', 'sourcePortRanges': [], 'destinationPortRanges': [], 'sourceAddressPrefixes': [], 'destinationAddressPrefixes': []}}, {'name': 'DenyAllOutBound', 'id': '/subscriptions/*****/resourceGroups/d3cyber/providers/Microsoft.Network/networkSecurityGroups/testNSG0113/defaultSecurityRules/DenyAllOutBound', 'etag': 'W/"*****"', 'type': 'Microsoft.Network/networkSecurityGroups/defaultSecurityRules', 'properties': {'provisioningState': 'Updating', 'description': 'Deny all outbound traffic', 'protocol': '*', 'sourcePortRange': '*', 'destinationPortRange': '*', 'sourceAddressPrefix': '*', 'destinationAddressPrefix': '*', 'access': 'Deny', 'priority': 65500, 'direction': 'Outbound', 'sourcePortRanges': [], 'destinationPortRanges': [], 'sourceAddressPrefixes': [], 'destinationAddressPrefixes': []}}]}

Error Handling

If the Return Data displays Failed, an Error tab will appear in the Test Result window.

The error tab contains the details responded from D3 SOAR or third-party API calls, including Failure Indicator, Status Code, and Message. This can help you locate the root cause of a command failure.

Parts in Error

Description

Example

Failure Indicator

Indicates the command failure that happened at a specific input and/or API call.

Create Network Security Group failed.

Status Code

The response code issued by the third-party API server or the D3 SOAR system that can be used to locate the corresponding error category. For example, if the returned status code is 401, the selected connection is unauthorized to run the command. The user or system support would need to check the permission setting in the Azure Network Security Groups portal. Refer to the HTTP Status Code Registry for details.

Status Code: 400.

Message

The raw data or captured key error message from the integration API server about the API request failure.

Message: Bad request.

Error Sample Data

Create Network Security Group failed.

Status Code: 400.

Message: Bad request.

List Network Security Groups

Retrieves all network security groups within the resource group specified in the Resource Group Name connection parameter.

Input

N/A

Output

Return Data

Indicates one of the possible command execution states: Successful or Failed

The Failed state can be triggered by any of the following errors:

  • A connection issue with the integration

  • The API returned an error message

  • No response from the API

You can view more details about an error in the Error tab.

Return Data can be passed down directly to a subsequent command or used to create conditional tasks in playbooks.

SAMPLE DATA

CODE
Successful
Raw Data

The primary response data from the API request.

SAMPLE DATA

JSON
{
    "value": [
        {
            "name": "test36-nsg",
            "id": "/subscriptions/*****/resourceGroups/d3cyber/providers/Microsoft.Network/networkSecurityGroups/test36-nsg",
            "etag": "W/\"*****\"",
            "type": "Microsoft.Network/networkSecurityGroups",
            "location": "westus",
            "properties": {
                "provisioningState": "Succeeded",
                "resourceGuid": "*****",
                "securityRules": [
                    {
                        "name": "RDP",
                        "id": "/subscriptions/*****/resourceGroups/d3cyber/providers/Microsoft.Network/networkSecurityGroups/test36-nsg/securityRules/RDP",
                        "etag": "W/\"*****\"",
                        "type": "Microsoft.Network/networkSecurityGroups/securityRules",
                        "properties": {
                            "provisioningState": "Succeeded",
                            "protocol": "TCP",
                            "sourcePortRange": "*",
                            "destinationPortRange": "3389",
                            "sourceAddressPrefix": "*",
                            "destinationAddressPrefix": "*",
                            "access": "Allow",
                            "priority": 300,
                            "direction": "Inbound",
                            "sourcePortRanges": [],
                            "destinationPortRanges": [],
                            "sourceAddressPrefixes": [],
                            "destinationAddressPrefixes": []
                        }
                    },
                    {
                        "name": "OB_VSOC_blockIPs_Rule",
                        "id": "/subscriptions/*****/resourceGroups/d3cyber/providers/Microsoft.Network/networkSecurityGroups/test36-nsg/securityRules/OB_VSOC_blockIPs_Rule",
                        "etag": "W/\"*****\"",
                        "type": "Microsoft.Network/networkSecurityGroups/securityRules",
                        "properties": {
                            "provisioningState": "Succeeded",
                            "protocol": "*",
                            "sourcePortRange": "*",
                            "destinationPortRange": "*",
                            "sourceAddressPrefix": "*",
                            "access": "Deny",
                            "priority": 100,
                            "direction": "Outbound",
                            "sourcePortRanges": [],
                            "destinationPortRanges": [],
                            "sourceAddressPrefixes": [],
                            "destinationAddressPrefixes": [
                                "***.***.***.***"
                            ]
                        }
                    },
                    {
                        "name": "IB_VSOC_blockIPs_Rule",
                        "id": "/subscriptions/*****/resourceGroups/d3cyber/providers/Microsoft.Network/networkSecurityGroups/test36-nsg/securityRules/IB_VSOC_blockIPs_Rule",
                        "etag": "W/\"*****\"",
                        "type": "Microsoft.Network/networkSecurityGroups/securityRules",
                        "properties": {
                            "provisioningState": "Succeeded",
                            "protocol": "*",
                            "sourcePortRange": "*",
                            "destinationPortRange": "*",
                            "destinationAddressPrefix": "*",
                            "access": "Deny",
                            "priority": 100,
                            "direction": "Inbound",
                            "sourcePortRanges": [],
                            "destinationPortRanges": [],
                            "sourceAddressPrefixes": [
                                "***.***.***.***"
                            ],
                            "destinationAddressPrefixes": []
                        }
                    }
                ],
                "defaultSecurityRules": [
                    {
                        "name": "AllowVnetInBound",
                        "id": "/subscriptions/*****/resourceGroups/d3cyber/providers/Microsoft.Network/networkSecurityGroups/test36-nsg/defaultSecurityRules/AllowVnetInBound",
                        "etag": "W/\"*****\"",
                        "type": "Microsoft.Network/networkSecurityGroups/defaultSecurityRules",
                        "properties": {
                            "provisioningState": "Succeeded",
                            "description": "Allow inbound traffic from all VMs in VNET",
                            "protocol": "*",
                            "sourcePortRange": "*",
                            "destinationPortRange": "*",
                            "sourceAddressPrefix": "VirtualNetwork",
                            "destinationAddressPrefix": "VirtualNetwork",
                            "access": "Allow",
                            "priority": 65000,
                            "direction": "Inbound",
                            "sourcePortRanges": [],
                            "destinationPortRanges": [],
                            "sourceAddressPrefixes": [],
                            "destinationAddressPrefixes": []
                        }
                    },
                    {
                        "name": "AllowAzureLoadBalancerInBound",
                        "id": "/subscriptions/*****/resourceGroups/d3cyber/providers/Microsoft.Network/networkSecurityGroups/test36-nsg/defaultSecurityRules/AllowAzureLoadBalancerInBound",
                        "etag": "W/\"*****\"",
                        "type": "Microsoft.Network/networkSecurityGroups/defaultSecurityRules",
                        "properties": {
                            "provisioningState": "Succeeded",
                            "description": "Allow inbound traffic from azure load balancer",
                            "protocol": "*",
                            "sourcePortRange": "*",
                            "destinationPortRange": "*",
                            "sourceAddressPrefix": "AzureLoadBalancer",
                            "destinationAddressPrefix": "*",
                            "access": "Allow",
                            "priority": 65001,
                            "direction": "Inbound",
                            "sourcePortRanges": [],
                            "destinationPortRanges": [],
                            "sourceAddressPrefixes": [],
                            "destinationAddressPrefixes": []
                        }
                    },
                    {
                        "name": "DenyAllInBound",
                        "id": "/subscriptions/*****/resourceGroups/d3cyber/providers/Microsoft.Network/networkSecurityGroups/test36-nsg/defaultSecurityRules/DenyAllInBound",
                        "etag": "W/\"*****\"",
                        "type": "Microsoft.Network/networkSecurityGroups/defaultSecurityRules",
                        "properties": {
                            "provisioningState": "Succeeded",
                            "description": "Deny all inbound traffic",
                            "protocol": "*",
                            "sourcePortRange": "*",
                            "destinationPortRange": "*",
                            "sourceAddressPrefix": "*",
                            "destinationAddressPrefix": "*",
                            "access": "Deny",
                            "priority": 65500,
                            "direction": "Inbound",
                            "sourcePortRanges": [],
                            "destinationPortRanges": [],
                            "sourceAddressPrefixes": [],
                            "destinationAddressPrefixes": []
                        }
                    },
                    {
                        "name": "AllowVnetOutBound",
                        "id": "/subscriptions/*****/resourceGroups/d3cyber/providers/Microsoft.Network/networkSecurityGroups/test36-nsg/defaultSecurityRules/AllowVnetOutBound",
                        "etag": "W/\"*****\"",
                        "type": "Microsoft.Network/networkSecurityGroups/defaultSecurityRules",
                        "properties": {
                            "provisioningState": "Succeeded",
                            "description": "Allow outbound traffic from all VMs to all VMs in VNET",
                            "protocol": "*",
                            "sourcePortRange": "*",
                            "destinationPortRange": "*",
                            "sourceAddressPrefix": "VirtualNetwork",
                            "destinationAddressPrefix": "VirtualNetwork",
                            "access": "Allow",
                            "priority": 65000,
                            "direction": "Outbound",
                            "sourcePortRanges": [],
                            "destinationPortRanges": [],
                            "sourceAddressPrefixes": [],
                            "destinationAddressPrefixes": []
                        }
                    },
                    {
                        "name": "AllowInternetOutBound",
                        "id": "/subscriptions/*****/resourceGroups/d3cyber/providers/Microsoft.Network/networkSecurityGroups/test36-nsg/defaultSecurityRules/AllowInternetOutBound",
                        "etag": "W/\"*****\"",
                        "type": "Microsoft.Network/networkSecurityGroups/defaultSecurityRules",
                        "properties": {
                            "provisioningState": "Succeeded",
                            "description": "Allow outbound traffic from all VMs to Internet",
                            "protocol": "*",
                            "sourcePortRange": "*",
                            "destinationPortRange": "*",
                            "sourceAddressPrefix": "*",
                            "destinationAddressPrefix": "Internet",
                            "access": "Allow",
                            "priority": 65001,
                            "direction": "Outbound",
                            "sourcePortRanges": [],
                            "destinationPortRanges": [],
                            "sourceAddressPrefixes": [],
                            "destinationAddressPrefixes": []
                        }
                    },
                    {
                        "name": "DenyAllOutBound",
                        "id": "/subscriptions/*****/resourceGroups/d3cyber/providers/Microsoft.Network/networkSecurityGroups/test36-nsg/defaultSecurityRules/DenyAllOutBound",
                        "etag": "W/\"*****\"",
                        "type": "Microsoft.Network/networkSecurityGroups/defaultSecurityRules",
                        "properties": {
                            "provisioningState": "Succeeded",
                            "description": "Deny all outbound traffic",
                            "protocol": "*",
                            "sourcePortRange": "*",
                            "destinationPortRange": "*",
                            "sourceAddressPrefix": "*",
                            "destinationAddressPrefix": "*",
                            "access": "Deny",
                            "priority": 65500,
                            "direction": "Outbound",
                            "sourcePortRanges": [],
                            "destinationPortRanges": [],
                            "sourceAddressPrefixes": [],
                            "destinationAddressPrefixes": []
                        }
                    }
                ],
                "networkInterfaces": [
                    {
                        "id": "/subscriptions/*****/resourceGroups/d3cyber/providers/Microsoft.Network/networkInterfaces/test36842"
                    }
                ],
                "subnets": [
                    {
                        "id": "/subscriptions/*****/resourceGroups/d3cyber/providers/Microsoft.Network/virtualNetworks/d3cybervnet829/subnets/default"
                    }
                ]
            }
        }
    ]
}
Key Fields

Common cyber security indicators such as unique IDs, file hash values, CVE numbers, IP addresses, etc., will be extracted from Raw Data as Key Fields.

The system stores these key fields in the path $.[playbookTask].outputData. You can use these key-value pairs as data points for playbook task inputs.

SAMPLE DATA

JSON
{
  "NetworkSecurityGroupNames": ["test36-nsg"],
  "NetworkSecurityGroupIDs": ["/subscriptions/*****/resourceGroups/d3cyber/providers/Microsoft.Network/networkSecurityGroups/test36-nsg"],
  "NetworkSecurityGroupLocations": ["westus"]
}
Result

Provides a brief summary of outputs in an HTML formatted table.

SAMPLE DATA

value

{'name': 'test36-nsg', 'id': '/subscriptions/*****/resourceGroups/d3cyber/providers/Microsoft.Network/networkSecurityGroups/test36-nsg', 'etag': 'W/"*****"', 'type': 'Microsoft.Network/networkSecurityGroups', 'location': 'westus', 'properties': {'provisioningState': 'Succeeded', 'resourceGuid': '*****', 'securityRules': [{'name': 'RDP', 'id': '/subscriptions/*****/resourceGroups/d3cyber/providers/Microsoft.Network/networkSecurityGroups/test36-nsg/securityRules/RDP', 'etag': 'W/"*****"', 'type': 'Microsoft.Network/networkSecurityGroups/securityRules', 'properties': {'provisioningState': 'Succeeded', 'protocol': 'TCP', 'sourcePortRange': '*', 'destinationPortRange': '3389', 'sourceAddressPrefix': '*', 'destinationAddressPrefix': '*', 'access': 'Allow', 'priority': 300, 'direction': 'Inbound', 'sourcePortRanges': [], 'destinationPortRanges': [], 'sourceAddressPrefixes': [], 'destinationAddressPrefixes': []}}, {'name': 'OB_VSOC_blockIPs_Rule', 'id': '/subscriptions/*****/resourceGroups/d3cyber/providers/Microsoft.Network/networkSecurityGroups/test36-nsg/securityRules/OB_VSOC_blockIPs_Rule', 'etag': 'W/"*****"', 'type': 'Microsoft.Network/networkSecurityGroups/securityRules', 'properties': {'provisioningState': 'Succeeded', 'protocol': '*', 'sourcePortRange': '*', 'destinationPortRange': '*', 'sourceAddressPrefix': '*', 'access': 'Deny', 'priority': 100, 'direction': 'Outbound', 'sourcePortRanges': [], 'destinationPortRanges': [], 'sourceAddressPrefixes': [], 'destinationAddressPrefixes': ['***.***.***.***']}}, {'name': 'IB_VSOC_blockIPs_Rule', 'id': '/subscriptions/*****/resourceGroups/d3cyber/providers/Microsoft.Network/networkSecurityGroups/test36-nsg/securityRules/IB_VSOC_blockIPs_Rule', 'etag': 'W/"*****"', 'type': 'Microsoft.Network/networkSecurityGroups/securityRules', 'properties': {'provisioningState': 'Succeeded', 'protocol': '*', 'sourcePortRange': '*', 'destinationPortRange': '*', 'destinationAddressPrefix': '*', 'access': 'Deny', 'priority': 100, 'direction': 'Inbound', 'sourcePortRanges': [], 'destinationPortRanges': [], 'sourceAddressPrefixes': ['***.***.***.***'], 'destinationAddressPrefixes': []}}], 'defaultSecurityRules': [{'name': 'AllowVnetInBound', 'id': '/subscriptions/*****/resourceGroups/d3cyber/providers/Microsoft.Network/networkSecurityGroups/test36-nsg/defaultSecurityRules/AllowVnetInBound', 'etag': 'W/"*****"', 'type': 'Microsoft.Network/networkSecurityGroups/defaultSecurityRules', 'properties': {'provisioningState': 'Succeeded', 'description': 'Allow inbound traffic from all VMs in VNET', 'protocol': '*', 'sourcePortRange': '*', 'destinationPortRange': '*', 'sourceAddressPrefix': 'VirtualNetwork', 'destinationAddressPrefix': 'VirtualNetwork', 'access': 'Allow', 'priority': 65000, 'direction': 'Inbound', 'sourcePortRanges': [], 'destinationPortRanges': [], 'sourceAddressPrefixes': [], 'destinationAddressPrefixes': []}}, {'name': 'AllowAzureLoadBalancerInBound', 'id': '/subscriptions/*****/resourceGroups/d3cyber/providers/Microsoft.Network/networkSecurityGroups/test36-nsg/defaultSecurityRules/AllowAzureLoadBalancerInBound', 'etag': 'W/"*****"', 'type': 'Microsoft.Network/networkSecurityGroups/defaultSecurityRules', 'properties': {'provisioningState': 'Succeeded', 'description': 'Allow inbound traffic from azure load balancer', 'protocol': '*', 'sourcePortRange': '*', 'destinationPortRange': '*', 'sourceAddressPrefix': 'AzureLoadBalancer', 'destinationAddressPrefix': '*', 'access': 'Allow', 'priority': 65001, 'direction': 'Inbound', 'sourcePortRanges': [], 'destinationPortRanges': [], 'sourceAddressPrefixes': [], 'destinationAddressPrefixes': []}}, {'name': 'DenyAllInBound', 'id': '/subscriptions/*****/resourceGroups/d3cyber/providers/Microsoft.Network/networkSecurityGroups/test36-nsg/defaultSecurityRules/DenyAllInBound', 'etag': 'W/"*****"', 'type': 'Microsoft.Network/networkSecurityGroups/defaultSecurityRules', 'properties': {'provisioningState': 'Succeeded', 'description': 'Deny all inbound traffic', 'protocol': '*', 'sourcePortRange': '*', 'destinationPortRange': '*', 'sourceAddressPrefix': '*', 'destinationAddressPrefix': '*', 'access': 'Deny', 'priority': 65500, 'direction': 'Inbound', 'sourcePortRanges': [], 'destinationPortRanges': [], 'sourceAddressPrefixes': [], 'destinationAddressPrefixes': []}}, {'name': 'AllowVnetOutBound', 'id': '/subscriptions/*****/resourceGroups/d3cyber/providers/Microsoft.Network/networkSecurityGroups/test36-nsg/defaultSecurityRules/AllowVnetOutBound', 'etag': 'W/"*****"', 'type': 'Microsoft.Network/networkSecurityGroups/defaultSecurityRules', 'properties': {'provisioningState': 'Succeeded', 'description': 'Allow outbound traffic from all VMs to all VMs in VNET', 'protocol': '*', 'sourcePortRange': '*', 'destinationPortRange': '*', 'sourceAddressPrefix': 'VirtualNetwork', 'destinationAddressPrefix': 'VirtualNetwork', 'access': 'Allow', 'priority': 65000, 'direction': 'Outbound', 'sourcePortRanges': [], 'destinationPortRanges': [], 'sourceAddressPrefixes': [], 'destinationAddressPrefixes': []}}, {'name': 'AllowInternetOutBound', 'id': '/subscriptions/*****/resourceGroups/d3cyber/providers/Microsoft.Network/networkSecurityGroups/test36-nsg/defaultSecurityRules/AllowInternetOutBound', 'etag': 'W/"*****"', 'type': 'Microsoft.Network/networkSecurityGroups/defaultSecurityRules', 'properties': {'provisioningState': 'Succeeded', 'description': 'Allow outbound traffic from all VMs to Internet', 'protocol': '*', 'sourcePortRange': '*', 'destinationPortRange': '*', 'sourceAddressPrefix': '*', 'destinationAddressPrefix': 'Internet', 'access': 'Allow', 'priority': 65001, 'direction': 'Outbound', 'sourcePortRanges': [], 'destinationPortRanges': [], 'sourceAddressPrefixes': [], 'destinationAddressPrefixes': []}}, {'name': 'DenyAllOutBound', 'id': '/subscriptions/*****/resourceGroups/d3cyber/providers/Microsoft.Network/networkSecurityGroups/test36-nsg/defaultSecurityRules/DenyAllOutBound', 'etag': 'W/"*****"', 'type': 'Microsoft.Network/networkSecurityGroups/defaultSecurityRules', 'properties': {'provisioningState': 'Succeeded', 'description': 'Deny all outbound traffic', 'protocol': '*', 'sourcePortRange': '*', 'destinationPortRange': '*', 'sourceAddressPrefix': '*', 'destinationAddressPrefix': '*', 'access': 'Deny', 'priority': 65500, 'direction': 'Outbound', 'sourcePortRanges': [], 'destinationPortRanges': [], 'sourceAddressPrefixes': [], 'destinationAddressPrefixes': []}}], 'networkInterfaces': [{'id': '/subscriptions/*****/resourceGroups/d3cyber/providers/Microsoft.Network/networkInterfaces/test36842'}], 'subnets': [{'id': '/subscriptions/*****/resourceGroups/d3cyber/providers/Microsoft.Network/virtualNetworks/d3cybervnet829/subnets/default'}]}}

Error Handling

If the Return Data displays Failed, an Error tab will appear in the Test Result window.

The error tab contains the details responded from D3 SOAR or third-party API calls, including Failure Indicator, Status Code, and Message. This can help you locate the root cause of a command failure.

Parts in Error

Description

Example

Failure Indicator

Indicates the command failure that happened at a specific input and/or API call.

List Network Security Groups failed.

Status Code

The response code issued by the third-party API server or the D3 SOAR system that can be used to locate the corresponding error category. For example, if the returned status code is 401, the selected connection is unauthorized to run the command. The user or system support would need to check the permission setting in the Azure Network Security Groups portal. Refer to the HTTP Status Code Registry for details.

Status Code: 400.

Message

The raw data or captured key error message from the integration API server about the API request failure.

Message: Bad request.

Error Sample Data

List Network Security Groups failed.

Status Code: 400.

Message: Bad request.

List Subnets

Retrieves all subnets within the specified virtual network.

READER NOTE

Virtual Network Name is a required parameter to run this command.

  • Run the List Virtual Networks command to obtain the Virtual Network Name. Virtual Network Names can be found in the raw data at the path $.value[*].name.

Input

Input Parameter

Required/Optional

Description

Example

Virtual Network Name

Required

The name of the virtual network for which to retrieve subnets. Virtual Network Name can be obtained using the List Virtual Networks command.

d3cybervnet829

Output

Return Data

Indicates one of the possible command execution states: Successful or Failed

The Failed state can be triggered by any of the following errors:

  • A connection issue with the integration

  • The API returned an error message

  • No response from the API

You can view more details about an error in the Error tab.

Return Data can be passed down directly to a subsequent command or used to create conditional tasks in playbooks.

SAMPLE DATA

CODE
Successful
Raw Data

The primary response data from the API request.

SAMPLE DATA

JSON
{
    "value": [
        {
            "name": "default",
            "id": "/subscriptions/*****/resourceGroups/d3cyber/providers/Microsoft.Network/virtualNetworks/d3cybervnet829/subnets/default",
            "etag": "W/\"*****\"",
            "properties": {
                "provisioningState": "Succeeded",
                "addressPrefix": "***.***.***.***/***",
                "networkSecurityGroup": {
                    "id": "/subscriptions/*****/resourceGroups/d3cyber/providers/Microsoft.Network/networkSecurityGroups/testapache-nsg"
                },
                "ipConfigurations": [
                    {
                        "id": "/subscriptions/*****/resourceGroups/d3cyber/providers/Microsoft.Network/networkInterfaces/test36842/ipConfigurations/ipconfig1"
                    },
                    {
                        "id": "/subscriptions/*****/resourceGroups/d3cyber/providers/Microsoft.Network/networkInterfaces/testapache816/ipConfigurations/ipconfig1"
                    },
                    {
                        "id": "/subscriptions/*****/resourceGroups/d3cyber/providers/Microsoft.Network/networkInterfaces/d3mdb19/ipConfigurations/ipconfig1"
                    },
                    {
                        "id": "/subscriptions/*****/resourceGroups/d3cyber/providers/Microsoft.Network/networkInterfaces/d3mdb289/ipConfigurations/ipconfig1"
                    }
                ],
                "delegations": [],
                "privateEndpointNetworkPolicies": "Disabled",
                "privateLinkServiceNetworkPolicies": "Enabled"
            },
            "type": "Microsoft.Network/virtualNetworks/subnets"
        }
    ]
}
Key Fields

Common cyber security indicators such as unique IDs, file hash values, CVE numbers, IP addresses, etc., will be extracted from Raw Data as Key Fields.

The system stores these key fields in the path $.[playbookTask].outputData. You can use these key-value pairs as data points for playbook task inputs.

SAMPLE DATA

JSON
{
  "SubnetNames": ["default"],
  "SubnetIDs": ["/subscriptions/*****/resourceGroups/d3cyber/providers/Microsoft.Network/virtualNetworks/d3cybervnet829/subnets/default"]
}
Result

Provides a brief summary of outputs in an HTML formatted table.

SAMPLE DATA

value

{'name': 'default', 'id': '/subscriptions/*****/resourceGroups/d3cyber/providers/Microsoft.Network/virtualNetworks/d3cybervnet829/subnets/default', 'etag': 'W/"*****"', 'properties': {'provisioningState': 'Succeeded', 'addressPrefix': '***.***.***.***/***', 'networkSecurityGroup': {'id': '/subscriptions/*****/resourceGroups/d3cyber/providers/Microsoft.Network/networkSecurityGroups/testapache-nsg'}, 'ipConfigurations': [{'id': '/subscriptions/*****/resourceGroups/d3cyber/providers/Microsoft.Network/networkInterfaces/test36842/ipConfigurations/ipconfig1'}, {'id': '/subscriptions/*****/resourceGroups/d3cyber/providers/Microsoft.Network/networkInterfaces/testapache816/ipConfigurations/ipconfig1'}, {'id': '/subscriptions/*****/resourceGroups/d3cyber/providers/Microsoft.Network/networkInterfaces/d3mdb19/ipConfigurations/ipconfig1'}, {'id': '/subscriptions/*****/resourceGroups/d3cyber/providers/Microsoft.Network/networkInterfaces/d3mdb289/ipConfigurations/ipconfig1'}], 'delegations': [], 'privateEndpointNetworkPolicies': 'Disabled', 'privateLinkServiceNetworkPolicies': 'Enabled'}, 'type': 'Microsoft.Network/virtualNetworks/subnets'}

Error Handling

If the Return Data displays Failed, an Error tab will appear in the Test Result window.

The error tab contains the details responded from D3 SOAR or third-party API calls, including Failure Indicator, Status Code, and Message. This can help you locate the root cause of a command failure.

Parts in Error

Description

Example

Failure Indicator

Indicates the command failure that happened at a specific input and/or API call.

List Subnets failed.

Status Code

The response code issued by the third-party API server or the D3 SOAR system that can be used to locate the corresponding error category. For example, if the returned status code is 401, the selected connection is unauthorized to run the command. The user or system support would need to check the permission setting in the Azure Network Security Groups portal. Refer to the HTTP Status Code Registry for details.

Status Code: 400.

Message

The raw data or captured key error message from the integration API server about the API request failure.

Message: Bad request.

Error Sample Data

List Subnets failed.

Status Code: 400.

Message: Bad request.

List Virtual Networks

Retrieves all virtual networks within the resource group specified in the Resource Group Name connection parameter.

Input

N/A

Output

Return Data

Indicates one of the possible command execution states: Successful or Failed

The Failed state can be triggered by any of the following errors:

  • A connection issue with the integration

  • The API returned an error message

  • No response from the API

You can view more details about an error in the Error tab.

Return Data can be passed down directly to a subsequent command or used to create conditional tasks in playbooks.

SAMPLE DATA

CODE
Successful
Raw Data

The primary response data from the API request.

SAMPLE DATA

JSON
{
    "value": [
        {
            "name": "d3cybervnet829",
            "id": "/subscriptions/*****/resourceGroups/d3cyber/providers/Microsoft.Network/virtualNetworks/d3cybervnet829",
            "etag": "W/\"*****\"",
            "type": "Microsoft.Network/virtualNetworks",
            "location": "westus",
            "properties": {
                "provisioningState": "Succeeded",
                "resourceGuid": "*****",
                "addressSpace": {
                    "addressPrefixes": [
                        "***.***.***.***/***"
                    ]
                },
                "subnets": [
                    {
                        "name": "default",
                        "id": "/subscriptions/*****/resourceGroups/d3cyber/providers/Microsoft.Network/virtualNetworks/d3cybervnet829/subnets/default",
                        "etag": "W/\"*****\"",
                        "properties": {
                            "provisioningState": "Succeeded",
                            "addressPrefix": "***.***.***.***/***",
                            "networkSecurityGroup": {
                                "id": "/subscriptions/*****/resourceGroups/d3cyber/providers/Microsoft.Network/networkSecurityGroups/testapache-nsg"
                            },
                            "ipConfigurations": [
                                {
                                    "id": "/subscriptions/*****/resourceGroups/d3cyber/providers/Microsoft.Network/networkInterfaces/test36842/ipConfigurations/ipconfig1"
                                },
                                {
                                    "id": "/subscriptions/*****/resourceGroups/d3cyber/providers/Microsoft.Network/networkInterfaces/testapache816/ipConfigurations/ipconfig1"
                                },
                                {
                                    "id": "/subscriptions/*****/resourceGroups/d3cyber/providers/Microsoft.Network/networkInterfaces/d3mdb19/ipConfigurations/ipconfig1"
                                },
                                {
                                    "id": "/subscriptions/*****/resourceGroups/d3cyber/providers/Microsoft.Network/networkInterfaces/d3mdb289/ipConfigurations/ipconfig1"
                                }
                            ],
                            "delegations": [],
                            "privateEndpointNetworkPolicies": "Disabled",
                            "privateLinkServiceNetworkPolicies": "Enabled"
                        },
                        "type": "Microsoft.Network/virtualNetworks/subnets"
                    }
                ],
                "virtualNetworkPeerings": [],
                "enableDdosProtection": false
            }
        }
    ]
}
Key Fields

Common cyber security indicators such as unique IDs, file hash values, CVE numbers, IP addresses, etc., will be extracted from Raw Data as Key Fields.

The system stores these key fields in the path $.[playbookTask].outputData. You can use these key-value pairs as data points for playbook task inputs.

SAMPLE DATA

JSON
{
  "VirtualNetworkNames": ["d3cybervnet829"],
  "VirtualNetworkIDs": ["/subscriptions/*****/resourceGroups/d3cyber/providers/Microsoft.Network/virtualNetworks/d3cybervnet829"],
  "VirtualNetworkLocations": ["westus"] 
}
Result

Provides a brief summary of outputs in an HTML formatted table.

SAMPLE DATA

value

{'name': 'd3cybervnet829', 'id': '/subscriptions/*****/resourceGroups/d3cyber/providers/Microsoft.Network/virtualNetworks/d3cybervnet829', 'etag': 'W/"*****"', 'type': 'Microsoft.Network/virtualNetworks', 'location': 'westus', 'properties': {'provisioningState': 'Succeeded', 'resourceGuid': '*****', 'addressSpace': {'addressPrefixes': ['***.***.***.***/***']}, 'subnets': [{'name': 'default', 'id': '/subscriptions/*****/resourceGroups/d3cyber/providers/Microsoft.Network/virtualNetworks/d3cybervnet829/subnets/default', 'etag': 'W/"*****"', 'properties': {'provisioningState': 'Succeeded', 'addressPrefix': '***.***.***.***/***', 'networkSecurityGroup': {'id': '/subscriptions/*****/resourceGroups/d3cyber/providers/Microsoft.Network/networkSecurityGroups/testapache-nsg'}, 'ipConfigurations': [{'id': '/subscriptions/*****/resourceGroups/d3cyber/providers/Microsoft.Network/networkInterfaces/test36842/ipConfigurations/ipconfig1'}, {'id': '/subscriptions/*****/resourceGroups/d3cyber/providers/Microsoft.Network/networkInterfaces/testapache816/ipConfigurations/ipconfig1'}, {'id': '/subscriptions/*****/resourceGroups/d3cyber/providers/Microsoft.Network/networkInterfaces/d3mdb19/ipConfigurations/ipconfig1'}, {'id': '/subscriptions/*****/resourceGroups/d3cyber/providers/Microsoft.Network/networkInterfaces/d3mdb289/ipConfigurations/ipconfig1'}], 'delegations': [], 'privateEndpointNetworkPolicies': 'Disabled', 'privateLinkServiceNetworkPolicies': 'Enabled'}, 'type': 'Microsoft.Network/virtualNetworks/subnets'}], 'virtualNetworkPeerings': [], 'enableDdosProtection': False}}

Error Handling

If the Return Data displays Failed, an Error tab will appear in the Test Result window.

The error tab contains the details responded from D3 SOAR or third-party API calls, including Failure Indicator, Status Code, and Message. This can help you locate the root cause of a command failure.

Parts in Error

Description

Example

Failure Indicator

Indicates the command failure that happened at a specific input and/or API call.

List Virtual Networks failed.

Status Code

The response code issued by the third-party API server or the D3 SOAR system that can be used to locate the corresponding error category. For example, if the returned status code is 401, the selected connection is unauthorized to run the command. The user or system support would need to check the permission setting in the Azure Network Security Groups portal. Refer to the HTTP Status Code Registry for details.

Status Code: 400.

Message

The raw data or captured key error message from the integration API server about the API request failure.

Message: Bad request.

Error Sample Data

List Virtual Networks failed.

Status Code: 400.

Message: Bad request.

Unblock IPs

Unblocks the specified IP addresses or CIDR IP ranges within the designated network security group. Only IPs blocked by the Block IPs command of this integration can be unblocked by this command. Ensure that the network security group is associated with the subnets in which the IPs will be unblocked.

READER NOTE

Network Security Group Name is a required parameter to run this command.

  • Run the List Network Security Groups command to obtain the Network Security Group Name. Network Security Group Names can be found in the raw data at the path $.value[*].name.

Input

Input Parameter

Required/Optional

Description

Example

Network Security Group Name

Required

The name of the network security group within which the specified IP addresses are to be unblocked. Network Security Group Name can be obtained using the List Network Security Groups command.

test36-nsg

IP Addresses

Required

The IP addresses within the specified network security group to unblock. Valid values include CIDR IP ranges (e.g. 192.168.99.0/24) and IPv4 IP addresses (e.g. 192.168.99.0).

JSON
[ "***.***.***.***/***" ] 

Unblock Direction

Optional

The unblock direction. Available options are:

Inbound and Outbound

Inbound

Outbound

By default, the value is Inbound and Outbound.

Inbound and Outbound

Output

Return Data

Indicates one of the possible command execution states: Successful, Partially Successful, or Failed.

The Partially Successful state only occurs when a command’s input accepts an array of items (e.g. an array of IP addresses) and one or more items within the array return an error from the API request.

The Failed state can be triggered by any of the following errors:

  • A connection issue with the integration

  • The API returned an error message

  • No response from the API

You can view more details about an error in the Error tab.

Return Data can be passed down directly to a subsequent command or used to create conditional tasks in playbooks.

SAMPLE DATA

CODE
Successful
Raw Data

The primary response data from the API request.

SAMPLE DATA

JSON
[
    {
        "name": "IB_VSOC_blockIPs_Rule",
        "id": "/subscriptions/*****/resourceGroups/d3cyber/providers/Microsoft.Network/networkSecurityGroups/test36-nsg/securityRules/IB_VSOC_blockIPs_Rule",
        "etag": "W/\"*****\"",
        "type": "Microsoft.Network/networkSecurityGroups/securityRules",
        "properties": {
            "provisioningState": "Updating",
            "protocol": "*",
            "sourcePortRange": "*",
            "destinationPortRange": "*",
            "destinationAddressPrefix": "*",
            "access": "Deny",
            "priority": 100,
            "direction": "Inbound",
            "sourcePortRanges": [],
            "destinationPortRanges": [],
            "sourceAddressPrefixes": [
                "***.***.***.***"
            ],
            "destinationAddressPrefixes": []
        }
    },
    {
        "name": "OB_VSOC_blockIPs_Rule",
        "id": "/subscriptions/*****/resourceGroups/d3cyber/providers/Microsoft.Network/networkSecurityGroups/test36-nsg/securityRules/OB_VSOC_blockIPs_Rule",
        "etag": "W/\"*****\"",
        "type": "Microsoft.Network/networkSecurityGroups/securityRules",
        "properties": {
            "provisioningState": "Updating",
            "protocol": "*",
            "sourcePortRange": "*",
            "destinationPortRange": "*",
            "sourceAddressPrefix": "*",
            "access": "Deny",
            "priority": 100,
            "direction": "Outbound",
            "sourcePortRanges": [],
            "destinationPortRanges": [],
            "sourceAddressPrefixes": [],
            "destinationAddressPrefixes": [
                "***.***.***.***"
            ]
        }
    }
]
Key Fields

Common cyber security indicators such as unique IDs, file hash values, CVE numbers, IP addresses, etc., will be extracted from Raw Data as Key Fields.

The system stores these key fields in the path $.[playbookTask].outputData. You can use these key-value pairs as data points for playbook task inputs.

SAMPLE DATA

JSON
{
  "RuleNames": ["IB_VSOC_blockIPs_Rule","OB_VSOC_blockIPs_Rule"],
  "Directions": ["Inbound","Outbound"],
  "Priorities": [100,100],
  "States": ["Updating","Updating"]
}
Result

Provides a brief summary of outputs in an HTML formatted table.

SAMPLE DATA

provisioningState

Updating

Updating

protocol

*

*

sourcePortRange

*

*

destinationPortRange

*

*

destinationAddressPrefix

*

access

Deny

Deny

priority

100

100

direction

Inbound

Outbound

sourcePortRanges

[]

[]

destinationPortRanges

[]

[]

sourceAddressPrefixes

['***.***.***.***']

[]

destinationAddressPrefixes

[]

['***.***.***.***']

sourceAddressPrefix

*

Error Handling

If the Return Data displays Partially Successful or Failed, an Error tab will appear in the Test Result window.

The error tab contains the details responded from D3 SOAR or third-party API calls, including Failure Indicator, Status Code, and Message. This can help you locate the root cause of a command failure.

Parts in Error

Description

Example

Failure Indicator

Indicates the command failure that happened at a specific input and/or API call.

Unblock IPs failed.

Status Code

The response code issued by the third-party API server or the D3 SOAR system that can be used to locate the corresponding error category. For example, if the returned status code is 401, the selected connection is unauthorized to run the command. The user or system support would need to check the permission setting in the Azure Network Security Groups portal. Refer to the HTTP Status Code Registry for details.

Status Code: 400.

Message

The raw data or captured key error message from the integration API server about the API request failure.

Message: Bad request.

Error Sample Data

Unblock IPs failed.

Status Code: 400.

Message: Bad request.

Test Connection

Allows you to perform a health check on an integration connection. You can schedule a periodic health check by selecting Connection Health Check when editing an integration connection.

Input

N/A

Output

Return Data

Indicates one of the possible command execution states: Successful or Failed.

The Failed state can be triggered by any of the following errors:

  • A connection issue with the integration

  • The API returned an error message

  • No response from the API

You can view more details about an error in the Error tab.

Return Data can be passed down directly to a subsequent command or used to create conditional tasks in playbooks.

SAMPLE DATA

CODE
Successful

Error Handling

If the Return Data displays Failed, an Error tab will appear in the Test Result window.

The error tab contains the details responded from D3 SOAR or third-party API calls, including Failure Indicator, Status Code, and Message. This can help you locate the root cause of a command failure.

Parts in Error

Description

Example

Failure Indicator

Indicates the command failure that happened at a specific input and/or API call.

Test Connection failed. Failed to check the connector.

Status Code

The response code issued by the third-party API server or the D3 SOAR system that can be used to locate the corresponding error category. For example, if the returned status code is 401, the selected connection is unauthorized to run the command. The user or system support would need to check the permission setting in the Azure Network Security Groups portal. Refer to the HTTP Status Code Registry for details.

Status Code: 403.

Message

The raw data or captured key error message from the integration API server about the API request failure.

Message: Unauthorized.

Error Sample Data

Test Connection failed. Failed to check the connector.

Status Code: 403.

Message: Unauthorized.

JavaScript errors detected

Please note, these errors can depend on your browser setup.

If this problem persists, please contact our support.