Azure Network Security Groups
LAST UPDATED: NOV 19, 2024
Overview
Azure Network Security Group can be used to filter network traffic between Azure resources in an Azure virtual network. A Network Security Group contains security rules that allow or deny inbound network traffic to, or outbound network traffic from, several types of Azure resources.
D3 SOAR is providing REST operations to function with Azure Network Security Groups. Azure Network Security Groups is available for use in:
Known Limitations
See Networking limits - Azure Resource Manager for details.
Connection
To connect to Azure Network Security Groups from D3 SOAR, follow this part to collect the required information below:
Parameter | Description | Example |
Directory (Tenant) ID | The directory ID used for authentication. | ***** |
Client ID | The client ID used for authentication. | ***** |
Client Secret | The client secret used for authentication. | ***** |
Subscription ID | The Azure subscription ID. | ***** |
Resource Group Name | The name of the resource group within the user's subscription. | d3devcybergp |
API Version | The API Version used for the connection. | 2022-07-01 |
READER NOTE
The prerequisite for using this guide is an active Microsoft Azure subscription. Refer to Build in the cloud with an Azure account for more information.
Permission Requirements
To use the commands, the Network Contributor role (or a role with more extensive permissions) must be assigned to the security principal. Refer to this article for Azure built-in roles and their permission scope. Alternatively, a custom role with the following permissions must be configured:
Command | Required Permissions |
Associate Network Security Group with Virtual Network | Microsoft.Network/virtualNetworks/subnets/read Microsoft.Network/networkSecurityGroups/read Microsoft.Network/networkSecurityGroups/join/action |
Block IPs | Microsoft.Network/networkSecurityGroups/read Microsoft.Network/networkSecurityGroups/write |
Create Network Security Group | Microsoft.Network/networkSecurityGroups/read Microsoft.Network/networkSecurityGroups/write |
List Network Security Groups | Microsoft.Network/networkSecurityGroups/read |
List Subnets | Microsoft.Network/virtualNetworks/subnets/read |
List Virtual Networks | Microsoft.Network/virtualNetworks/read |
Unblock IPs | Microsoft.Network/networkSecurityGroups/read Microsoft.Network/networkSecurityGroups/write |
Test Connection | Microsoft.Network/networkSecurityGroups/read |
Azure Network Security Groups is using role-based access control (RBAC). Therefore, the command permissions are inherited from the security principal's role. Roles for security principals must be configured from the Azure portal to use the commands in this integration.
READER NOTE
Only security principals with the Role Based Access Control Administrator or User Access Administrator role can configure Azure roles. Refer to Assign Azure roles using Azure portal for more information on configuring user roles.
Configuring Azure Network Security Groups to Work with D3 SOAR
Navigate to the top search bar, then search for and select App registrations.
Click on the + New Registration button to create a new app. If using a pre-existing app, click into it and skip to step 5.
Register the application.
Enter a name.
Select the Accounts in this organizational directory only (<Your Directory Name> only - Single tenant) option.
Register the application.
Obtain the necessary credentials from the app's Overview tab.
Copy the Application (client) ID and store it somewhere safe. Refer to step 3i sub-step 2 in Configuring D3 SOAR to Work with Azure Network Security Groups.
Copy the Directory (tenant) ID and store it somewhere safe. Refer to step 3i sub-step 1 in Configuring D3 SOAR to Work with Azure Network Security Groups.
Obtain the Client Secret.
Click on the Add a certificate or secret link.
Configure the client secret.
1. Click on the + New client secret button.
2. Enter a description.
3. Add the client secret.Copy the Value of the newly created client secret and store it somewhere safe. Refer to step 3i sub-step 3 in Configuring D3 SOAR to Work with Azure Network Security Groups.
READER NOTE
The client secret value cannot be viewed again after the page is refreshed or closed.
Navigate to the top search bar, then search for and select Resource groups.
Click on the + Create button to create a new resource group. If using a pre-existing resource group, click into it and skip to step 10.
Configure the resource group.
Select a subscription.
Name the resource group.
Select a region.
Click on the Review + Create button.
Create the resource group.
Navigate to Resource groups and select the group for which to configure roles.
Add a role assignment.
Select the Access Control (IAM) tab.
Click on the + Add button.
Click on the Add role assignment button.
Add the Network Contributor role.
Search for the Network Contributor role.
Select the Network Contributor role.
Select members for the role.
Click on the Members tab.
Select User, group, or service principal for Assign access to.
Search and select the members appropriate for the role.
Click on the Review + assign tab.
Confirm and add the role assignment.
READER NOTE
If the dropdown options for + Add are grayed out, it may be due insufficient permissions or limited access scope. Contact the organization's administrator to request that the Network Contributor role (at a minimum) or an equivalent custom role be assigned to the account to use the commands.
Obtain the Subscription ID and Resource Group Name.
Click on the Overview tab.
Copy the resource group name. Refer to step 3i sub-step 5 in Configuring D3 SOAR to Work with Azure Network Security Groups.
Copy the Subscription ID and store it somewhere safe. Refer to step 3i sub-step 4 in Configuring D3 SOAR to Work with Azure Network Security Groups.
Configuring D3 SOAR to Work with Azure Network Security Groups
Log in to D3 SOAR.
Find the Azure Network Security Groups integration.
Navigate to Configuration on the top header menu.
Click on the Integration icon on the left sidebar.
Type Azure Network Security Groups in the search box to find the integration, then click it to select it.
Click + Connection, on the right side of the Connections section. A new connection window will appear.
Configure the following fields to create a connection to Azure Network Security Groups.
Connection Name: The desired name for the connection.
Site: Specifies the site to use the integration connection. Use the drop-down menu to select the site. The Share to Internal Sites option enables all sites defined as internal sites to use the connection. Selecting a specific site will only enable that site to use the connection.
Recipient site for events from connections Shared to Internal Sites: This field appears if you selected Share to Internal Sites for Site to let you select the internal site to deploy the integration connection.
Agent Name (Optional): Specifies the proxy agent required to build the connection. Use the dropdown menu to select the proxy agent from a list of previously configured proxy agents.
Description (Optional): Add your desired description for the connection.
Tenant (Optional): When configuring the connection from a master tenant site, you have the option to choose the specific tenant sites you want to share the connection with. Once you enable this setting, you can filter and select the desired tenant sites from the dropdowns to share the connection.
Configure User Permissions: Defines which users have access to the connection.
Active: Check the checkbox to ensure the connection is available for use.
System: This section contains the parameters defined specifically for the integration. These parameters must be configured to create the integration connection.
1. Input the Directory (Tenant) ID. Refer to step 4b in Configuring Azure Network Security Groups to Work with D3 SOAR.
2. Input the Client ID. Refer to step 4a in Configuring Azure Network Security Groups to Work with D3 SOAR.
3. Input the Client Secret. Refer to step 5c in Configuring Azure Network Security Groups to Work with D3 SOAR.
4. Input the Subscription ID. Refer to step 15c in Configuring Azure Network Security Groups to Work with D3 SOAR.
5. Input the Resource Group Name. Refer to step 15b in Configuring Azure Network Security Groups to Work with D3 SOAR.
6. Input the API Version. The default value is 2022-07-01.Enable Password Vault: An optional feature that allows users to take the stored credentials from their own password vault. Refer to the password vault connection guide if needed.
Connection Health Check: Updates the connection status you have created. A connection health check is done by scheduling the Test Connection command of this integration. This can only be done when the connection is active.
To set up a connection health check, check the Connection Health Check tick box. You can customize the interval (minutes) for scheduling the health check. An email notification can be set up after a specified number of failed connection attempts.
Test the connection.
Click Test Connection to verify the account credentials and network connection. If the Test Connection Passed alert window appears, the test connection is successful. You will see Passed with a green check mark appear beside the Test Connection button. If the test connection fails, check your connection parameters and try again.
Click OK to close the alert window.
Click + Add to create and add the configured connection.
Commands
Azure Network Security Groups includes the following executable commands for users to set up schedules or create playbook workflows. With the Test Command, you can execute these commands independently for playbook troubleshooting.
Integration API Note
For more information about the Azure Network Security Groups API, refer to the Azure Network Security Groups API reference.
READER NOTE
Certain permissions are required for each command. Refer to the Permission Requirements and Configuring Azure Network Security Groups to Work with D3 SOAR sections for details.
Associate Network Security Group with Virtual Network
Associates a network security group with the specified virtual network. The group can be associated with all or only specific subnets within the network.
READER NOTE
Network Security Group Name and Virtual Network Name are required parameters to run this command.
Run the List Network Security Groups command to obtain the Network Security Group Name. Network Security Group Names can be found in the raw data at the path $.value[*].name.
Run the List Virtual Networks command to obtain the Virtual Network Name. Virtual Network Names can be found in the raw data at the path $.value[*].name.
Subnet Names is an optional parameter to run this command.
Run the List Virtual Networks or List Subnets command to obtain the Subnet Names. Subnet Names can be found in the raw data at the path $.value[*].properties.subnets[*].name for List Virtual Networks, and $.value[*].name for List Subnets
Input
Input Parameter | Required/Optional | Description | Example |
Network Security Group Name | Required | The name of the network security group. Network Security Group Name can be obtained using the List Network Security Groups command. Ensure that the network security group and virtual network are in the same region. | testapache-nsg |
Virtual Network Name | Required | The virtual network name with which the specified network security group is to be associated. Virtual Network Name can be obtained using the List Virtual Networks command. Ensure that the network security group and virtual network are in the same region. | D3cybervnet829 |
Subnet Names | Optional | The subnet names within the virtual network to which the network security group will be assigned. Subnet Names can be obtained using the List Virtual Networks or List Subnets command. By default, the network security group will be assigned to all subnets within the virtual network. |
JSON
|
Output
Error Handling
If the Return Data displays Partially Successful or Failed, an Error tab will appear in the Test Result window.
The error tab contains the details responded from D3 SOAR or third-party API calls, including Failure Indicator, Status Code, and Message. This can help you locate the root cause of a command failure.
Parts in Error | Description | Example |
Failure Indicator | Indicates the command failure that happened at a specific input and/or API call. | Associate Network Security Group with Virtual Network failed. |
Status Code | The response code issued by the third-party API server or the D3 SOAR system that can be used to locate the corresponding error category. For example, if the returned status code is 401, the selected connection is unauthorized to run the command. The user or system support would need to check the permission setting in the Azure Network Security Groups portal. Refer to the HTTP Status Code Registry for details. | Status Code: 400. |
Message | The raw data or captured key error message from the integration API server about the API request failure. | Message: Bad request. |
Error Sample Data Associate Network Security Group with Virtual Network failed. Status Code: 400. Message: Bad request. |
Block IPs
Blocks the specified IP addresses or CIDR IP ranges within the designated network security group. The rule to block these IPs is configured with the highest priority. Ensure that the network security group is associated with the subnets in which the IPs will be blocked using the Associate Network Security Group with Virtual Network command. The network security group must be in the same region as the virtual network to which the subnets belong. Refer to Block/allow specific IP addresses on Azure Cloud Services | Azure PaaS Blog for more information.
READER NOTE
Network Security Group Name is a required parameter to run this command.
Run the List Network Security Groups command to obtain the Network Security Group Name. Network Security Group Names can be found in the raw data at the path $.value[*].name.
Input
Input Parameter | Required/Optional | Description | Example |
Network Security Group Name | Required | The name of the network security group within which the specified IP addresses are blocked. Network Security Group Name can be obtained using the List Network Security Groups command. | test36-nsg |
IP Addresses | Required | The IP addresses within the specified network security group to block. Valid values include CIDR IP ranges (e.g. 192.168.99.0/24) and IPv4 IP addresses (e.g. 192.168.99.0). |
JSON
|
Block Direction | Optional | The block direction. Available options are:
By default, the value is Inbound and Outbound. | Inbound and Outbound |
Output
Error Handling
If the Return Data displays Partially Successful or Failed, an Error tab will appear in the Test Result window.
The error tab contains the details responded from D3 SOAR or third-party API calls, including Failure Indicator, Status Code, and Message. This can help you locate the root cause of a command failure.
Parts in Error | Description | Example |
Failure Indicator | Indicates the command failure that happened at a specific input and/or API call. | Block IPs failed. |
Status Code | The response code issued by the third-party API server or the D3 SOAR system that can be used to locate the corresponding error category. For example, if the returned status code is 401, the selected connection is unauthorized to run the command. The user or system support would need to check the permission setting in the Azure Network Security Groups portal. Refer to the HTTP Status Code Registry for details. | Status Code: 400. |
Message | The raw data or captured key error message from the integration API server about the API request failure. | Message: Bad request. |
Error Sample Data Block IPs failed. Status Code: 400. Message: Bad request. |
Create Network Security Group
Creates or updates a network security group.
Input
Input Parameter | Required/Optional | Description | Example |
Network Security Group Name | Required | The name of the network security group to be created or updated. | testNSG0113 |
Location | Required | The region where the network security group is located. | (US) East US |
Output
Error Handling
If the Return Data displays Failed, an Error tab will appear in the Test Result window.
The error tab contains the details responded from D3 SOAR or third-party API calls, including Failure Indicator, Status Code, and Message. This can help you locate the root cause of a command failure.
Parts in Error | Description | Example |
Failure Indicator | Indicates the command failure that happened at a specific input and/or API call. | Create Network Security Group failed. |
Status Code | The response code issued by the third-party API server or the D3 SOAR system that can be used to locate the corresponding error category. For example, if the returned status code is 401, the selected connection is unauthorized to run the command. The user or system support would need to check the permission setting in the Azure Network Security Groups portal. Refer to the HTTP Status Code Registry for details. | Status Code: 400. |
Message | The raw data or captured key error message from the integration API server about the API request failure. | Message: Bad request. |
Error Sample Data Create Network Security Group failed. Status Code: 400. Message: Bad request. |
List Network Security Groups
Retrieves all network security groups within the resource group specified in the Resource Group Name connection parameter.
Input
N/A
Output
Error Handling
If the Return Data displays Failed, an Error tab will appear in the Test Result window.
The error tab contains the details responded from D3 SOAR or third-party API calls, including Failure Indicator, Status Code, and Message. This can help you locate the root cause of a command failure.
Parts in Error | Description | Example |
Failure Indicator | Indicates the command failure that happened at a specific input and/or API call. | List Network Security Groups failed. |
Status Code | The response code issued by the third-party API server or the D3 SOAR system that can be used to locate the corresponding error category. For example, if the returned status code is 401, the selected connection is unauthorized to run the command. The user or system support would need to check the permission setting in the Azure Network Security Groups portal. Refer to the HTTP Status Code Registry for details. | Status Code: 400. |
Message | The raw data or captured key error message from the integration API server about the API request failure. | Message: Bad request. |
Error Sample Data List Network Security Groups failed. Status Code: 400. Message: Bad request. |
List Subnets
Retrieves all subnets within the specified virtual network.
READER NOTE
Virtual Network Name is a required parameter to run this command.
Run the List Virtual Networks command to obtain the Virtual Network Name. Virtual Network Names can be found in the raw data at the path $.value[*].name.
Input
Input Parameter | Required/Optional | Description | Example |
Virtual Network Name | Required | The name of the virtual network for which to retrieve subnets. Virtual Network Name can be obtained using the List Virtual Networks command. | d3cybervnet829 |
Output
Error Handling
If the Return Data displays Failed, an Error tab will appear in the Test Result window.
The error tab contains the details responded from D3 SOAR or third-party API calls, including Failure Indicator, Status Code, and Message. This can help you locate the root cause of a command failure.
Parts in Error | Description | Example |
Failure Indicator | Indicates the command failure that happened at a specific input and/or API call. | List Subnets failed. |
Status Code | The response code issued by the third-party API server or the D3 SOAR system that can be used to locate the corresponding error category. For example, if the returned status code is 401, the selected connection is unauthorized to run the command. The user or system support would need to check the permission setting in the Azure Network Security Groups portal. Refer to the HTTP Status Code Registry for details. | Status Code: 400. |
Message | The raw data or captured key error message from the integration API server about the API request failure. | Message: Bad request. |
Error Sample Data List Subnets failed. Status Code: 400. Message: Bad request. |
List Virtual Networks
Retrieves all virtual networks within the resource group specified in the Resource Group Name connection parameter.
Input
N/A
Output
Error Handling
If the Return Data displays Failed, an Error tab will appear in the Test Result window.
The error tab contains the details responded from D3 SOAR or third-party API calls, including Failure Indicator, Status Code, and Message. This can help you locate the root cause of a command failure.
Parts in Error | Description | Example |
Failure Indicator | Indicates the command failure that happened at a specific input and/or API call. | List Virtual Networks failed. |
Status Code | The response code issued by the third-party API server or the D3 SOAR system that can be used to locate the corresponding error category. For example, if the returned status code is 401, the selected connection is unauthorized to run the command. The user or system support would need to check the permission setting in the Azure Network Security Groups portal. Refer to the HTTP Status Code Registry for details. | Status Code: 400. |
Message | The raw data or captured key error message from the integration API server about the API request failure. | Message: Bad request. |
Error Sample Data List Virtual Networks failed. Status Code: 400. Message: Bad request. |
Unblock IPs
Unblocks the specified IP addresses or CIDR IP ranges within the designated network security group. Only IPs blocked by the Block IPs command of this integration can be unblocked by this command. Ensure that the network security group is associated with the subnets in which the IPs will be unblocked.
READER NOTE
Network Security Group Name is a required parameter to run this command.
Run the List Network Security Groups command to obtain the Network Security Group Name. Network Security Group Names can be found in the raw data at the path $.value[*].name.
Input
Input Parameter | Required/Optional | Description | Example |
Network Security Group Name | Required | The name of the network security group within which the specified IP addresses are to be unblocked. Network Security Group Name can be obtained using the List Network Security Groups command. | test36-nsg |
IP Addresses | Required | The IP addresses within the specified network security group to unblock. Valid values include CIDR IP ranges (e.g. 192.168.99.0/24) and IPv4 IP addresses (e.g. 192.168.99.0). |
JSON
|
Unblock Direction | Optional | The unblock direction. Available options are: Inbound and Outbound Inbound Outbound By default, the value is Inbound and Outbound. | Inbound and Outbound |
Output
Error Handling
If the Return Data displays Partially Successful or Failed, an Error tab will appear in the Test Result window.
The error tab contains the details responded from D3 SOAR or third-party API calls, including Failure Indicator, Status Code, and Message. This can help you locate the root cause of a command failure.
Parts in Error | Description | Example |
Failure Indicator | Indicates the command failure that happened at a specific input and/or API call. | Unblock IPs failed. |
Status Code | The response code issued by the third-party API server or the D3 SOAR system that can be used to locate the corresponding error category. For example, if the returned status code is 401, the selected connection is unauthorized to run the command. The user or system support would need to check the permission setting in the Azure Network Security Groups portal. Refer to the HTTP Status Code Registry for details. | Status Code: 400. |
Message | The raw data or captured key error message from the integration API server about the API request failure. | Message: Bad request. |
Error Sample Data Unblock IPs failed. Status Code: 400. Message: Bad request. |
Test Connection
Allows you to perform a health check on an integration connection. You can schedule a periodic health check by selecting Connection Health Check when editing an integration connection.
Input
N/A
Output
Error Handling
If the Return Data displays Failed, an Error tab will appear in the Test Result window.
The error tab contains the details responded from D3 SOAR or third-party API calls, including Failure Indicator, Status Code, and Message. This can help you locate the root cause of a command failure.
Parts in Error | Description | Example |
Failure Indicator | Indicates the command failure that happened at a specific input and/or API call. | Test Connection failed. Failed to check the connector. |
Status Code | The response code issued by the third-party API server or the D3 SOAR system that can be used to locate the corresponding error category. For example, if the returned status code is 401, the selected connection is unauthorized to run the command. The user or system support would need to check the permission setting in the Azure Network Security Groups portal. Refer to the HTTP Status Code Registry for details. | Status Code: 403. |
Message | The raw data or captured key error message from the integration API server about the API request failure. | Message: Unauthorized. |
Error Sample Data Test Connection failed. Failed to check the connector. Status Code: 403. Message: Unauthorized. |