Azure Enrichment and Remediation

Details
Content
Dependencies
Version History

Playbooks using multiple Azure content packs for enrichment and remediation purposes

What does this pack do?

The pack contains Azure playbooks and scripts that conduct enrichment and/or remediation and can use multiple other Azure
content packs.

There are multiple Azure content packs for multiple Azure products (Compute, MSGraphUsers, etc). The intent was so that
users can install and use only the packs they need. However, if an Azure playbook uses multiple pack integrations (such
as Compute and MSGraphUsers), they can't reside in one of the current packs because they include content from multiple integrations. This pack was created as a place to put Azure playbooks that use Azure integrations from multiple packs with a focus on enrichment and remediation.

Scripts

AzureFindAvailableNSGPriorities

This script takes in a list of numbers that represent Azure priorities for NSG rules, a target priority number, and a number of available priorities to return available priorities from the provided list.

Playbooks

Users are only able to run playbooks in v6.5.0 or higher as it requires commands to execute the task.
This content pack includes the following playbook:

Azure - Enrichment

Azure - Network Security Group Remediation

Azure - User Investigation

Cloud Credentials Rotation - Azure

Cloud Response - Azure

What does this pack do?

The pack contains Azure playbooks and scripts that conduct enrichment and/or remediation and can use multiple other Azure
content packs.

Scripts

AzureFindAvailableNSGPriorities

Playbooks

Users are only able to run playbooks in v6.5.0 or higher as it requires commands to execute the task.
This content pack includes the following playbook:

Azure - Enrichment

Azure - Network Security Group Remediation

Azure - User Investigation

Cloud Credentials Rotation - Azure

Cloud Response - Azure

Automations

Name	Description
AzureFindAvailableNSGPriorities	This script takes in a list of numbers that represent Azure priorities for NSG rules, a target priority number, and a number available priorities to return available priorities from the provided list.

Playbooks

Name	Description
Cloud Credentials Rotation - Azure	Azure Credentials Rotation Playbook IAM Remediation Protect your identity and access management: Reset Password: Resets the user password to halt any unauthorized access. Revoke Session: Terminates current active sessions to ensure the malicious actor is locked out. Combo Action: Resets the password and terminates all active sessions. Service Principal Remediation Guard your applications: Password Regeneration: Generate a new password for the service principal, making sure the old one becomes obsolete.
Azure - Network Security Group Remediation	This playbook adds new Azure Network Security Groups (NSG) rules to NSGs attached to a NIC. The new rules will give access only to a private IP address range and block traffic that's exposed to the public internet (using the private IP of the VM as stated in Azure documentation). For example, if RDP is exposed to the public internet, this playbook adds new firewall rules that only allow traffic from private IP addresses and blocks the rest of the RDP traffic. Conditions and limitations: Limited to one resource group. 200 Azure rules viewed at once to find offending rule. 2 priorities lower than the offending rule priority must be available. Adds rules to NSGs associated to NICs.
Azure - User Investigation	This playbook performs an investigation on a specific user in Azure environments, using queries and logs from Azure Log Analytics to locate the following activities performed by the user: Script-based user agent usage Administrative user activities Security rules and policies changes Failed login attempt MFA failed login attempt Login attempt from an uncommon country Anomalies activities Risky users Uncommon high volume of actions Action uncommonly performed by the user
Azure - Enrichment	Given an IP address, this playbook enriches Azure Compute, Microsoft Graph User, and IAM information and outputs Azure Compute, Microsoft Graph User, and IAM information.
Cloud Response - Azure	This playbook provides response actions to Azure. The following are available for execution automatically/manually: Resource remediation Delete the instance Power off the instance Identity remediation: Disable the user Delete the user Block indicators.

Automations

Name	Description
AzureFindAvailableNSGPriorities	This script takes in a list of numbers that represent Azure priorities for NSG rules, a target priority number, and a number available priorities to return available priorities from the provided list.

Playbooks

Name	Description
Cloud Credentials Rotation - Azure	Azure Credentials Rotation Playbook IAM Remediation Protect your identity and access management: Reset Password: Resets the user password to halt any unauthorized access. Revoke Session: Terminates current active sessions to ensure the malicious actor is locked out. Combo Action: Resets the password and terminates all active sessions. Service Principal Remediation Guard your applications: Password Regeneration: Generate a new password for the service principal, making sure the old one becomes obsolete.
Azure - Enrichment	Given an IP address, this playbook enriches Azure Compute, Microsoft Graph User, and IAM information and outputs Azure Compute, Microsoft Graph User, and IAM information.
Azure - User Investigation	This playbook performs an investigation on a specific user in Azure environments, using queries and logs from Azure Log Analytics to locate the following activities performed by the user: Script-based user agent usage Administrative user activities Security rules and policies changes Failed login attempt MFA failed login attempt Login attempt from an uncommon country Anomalies activities Risky users Uncommon high volume of actions Action uncommonly performed by the user
Cloud Response - Azure	This playbook provides response actions to Azure. The following are available for execution automatically/manually: Resource remediation Delete the instance Power off the instance Identity remediation: Disable the user Delete the user Block indicators.
Azure - Network Security Group Remediation	This playbook adds new Azure Network Security Groups (NSG) rules to NSGs attached to a NIC. The new rules will give access only to a private IP address range and block traffic that's exposed to the public internet (using the private IP of the VM as stated in Azure documentation). For example, if RDP is exposed to the public internet, this playbook adds new firewall rules that only allow traffic from private IP addresses and blocks the rest of the RDP traffic. Conditions and limitations: Limited to one resource group. 200 Azure rules viewed at once to find offending rule. 2 priorities lower than the offending rule priority must be available. Adds rules to NSGs associated to NICs.

Required Content Packs (5)

Pack Name	Pack By
Azure Compute	By: Cortex XSOAR
Base	By: Cortex XSOAR
Common Scripts	By: Cortex XSOAR
Filters And Transformers	By: Cortex XSOAR
Microsoft Graph User	By: Cortex XSOAR

Optional Content Packs (6)

Pack Name	Pack By
Azure Log Analytics	By: Cortex XSOAR
Azure Network Security Groups	By: Cortex XSOAR
Azure Resource Graph	By: Cortex XSOAR
Common Playbooks	By: Cortex XSOAR
Microsoft Graph Applications	By: Cortex XSOAR
Microsoft Graph Identity and Access	By: Cortex XSOAR

All level dependencies (6)

Pack Name	Pack By
Cortex REST API	By: Cortex XSOAR
Filters And Transformers	By: Cortex XSOAR
Common Scripts	By: Cortex XSOAR
Azure Compute	By: Cortex XSOAR
Microsoft Graph User	By: Cortex XSOAR
Base	By: Cortex XSOAR

1.1.20 - 1423289 (September 23, 2024)

Playbooks

Azure - User Investigation

Updated the Azure Log Analytics queries to support special characters.

Related pull requests:
- 36422

Download

1.1.19 - 1244506 (August 5, 2024)

Playbooks

Azure - Network Security Group Remediation

Updated the playbook to support appending to the destination addresses of a rule if more than one address already exists.
Fixed an issue with conditional checking for deny rule.

Related pull requests:
- 35650
- 35763

Download

1.1.18 - 1184734 (July 17, 2024)

Playbooks

Azure - Enrichment

Updated the playbook with tasks to support gathering the hierarchy path of an asset from the Azure Resource Graph integration.

Related pull requests:
- 35383
- 35463

Download

1.1.17 - 1082615 (June 10, 2024)

Azure Enrichment and Remediation

Locked dependencies of the pack to ensure stability for versioned core packs. No changes in this release.

Related pull requests:
- 34804

Download

1.1.16 - 998827 (May 6, 2024)

Azure Enrichment and Remediation

Locked dependencies of the pack to ensure stability for versioned core packs. No changes in this release.

Related pull requests:
- 34212

Download

1.1.15 - 905887 (March 21, 2024)

Playbooks

Azure - Network Security Group Remediation

Improved implementation of Azure - Network Security Group Remediation playbook.

Related pull requests:
- 33452
- 33408

Download

1.1.14 - 856226 (February 28, 2024)

Playbooks

Azure - Network Security Group Remediation

Added the instance_name optional playbook input to allow users to specify an Azure Network Security Groups integration instance to use.
Added the RemediationAllowRanges optional playbook input to allow users to specify IPv4 network ranges to be used as source addresses for the remediation-allow-port-<port#>-<tcp|udp> Azure NSG rule to be created.
Fixed an issue with not being able to detect all offending rules.

Related pull requests:
- 33039
- 33112

Download

1.1.13 - 834381 (February 18, 2024)

Playbooks

Azure - Network Security Group Remediation

Added the SubscriptionID and ResourceGroup optional inputs in case the subscription ID and/or resource group needs to be specified.
Add the remediatedFlag and remediatedReason outputs to supply information on whether the remediation action was successful and additional information for the parent playbook.
Fixed an issue with not being able to detect all offending rules.

Related pull requests:
- 32882
- 32941

Download

1.1.12 - 778227 (January 22, 2024)

Azure Enrichment and Remediation

Locked dependencies of the pack to ensure stability for versioned core packs. No changes in this release.

Related pull requests:
- 32331

Download

1.1.11 - 728763 (December 31, 2023)

Playbooks

Cloud Response - Azure

Changed the To values in the data collection tasks to incident.assigneduser.
Added a transformer to use the playbook input resource name in case the value is empty in the data collection task for a resource.

Related pull requests:
- 31679

Download

1.1.10 - 722180 (December 28, 2023)

Scripts

AzureFindAvailableNSGPriorities

Updated the Docker image to: demisto/python3:3.10.13.83255.

Related pull requests:
- 31812

Download

1.1.9 - 7254058 (December 24, 2023)

Playbooks

Azure - User Investigation

Added tasks to check if the Azure Sentinel tables are available for querying.

Related pull requests:
- 31441

Download

1.1.8 - 6955725 (November 21, 2023)

Playbooks

Azure - User Investigation

Updated the outputs description.

Related pull requests:
- 30965

Download

1.1.7 - 6641023 (October 18, 2023)

Playbooks

New: Cloud Credentials Rotation - Azure

New: This playbook provides a credentials rotation capabilities both for IAM and service principals. (Available from Cortex XSOAR 6.9.0).

Related pull requests:
- 30112

Download

1.1.6 - 6285754 (September 10, 2023)

Azure-Enrichment-Remediation

Locked dependencies of the pack to ensure stability for versioned core packs. No changes in this release.

Related pull requests:
- 29466

Download

1.1.5 - 6058978 (August 15, 2023)

Playbooks

New: Azure - User Investigation

New: This playbook performs an investigation on a specific user in Azure environments, using queries and logs from Azure Log Analytics.
(Available from Cortex XSOAR 6.9.0).

Related pull requests:
- 28843

Download

1.1.4 - 5980752 (August 7, 2023)

Playbooks

Cloud Response - Azure

Changed task #21 name from Change the user's password to Delete the user.
Added a task to revoke user's active sessions before disabling or deleting it.

Related pull requests:
- 28812

Download

1.1.3 - 5969979 (August 6, 2023)

Azure-Enrichment-Remediation

Locked dependencies of the pack to ensure stability for versioned core packs. No changes in this release.

Related pull requests:
- 28753

Download

1.1.2 - 5746599 (July 12, 2023)

Scripts

AzureFindAvailableNSGPriorities

Updated the Docker image to: demisto/python3:3.10.12.63474.

Related pull requests:
- 28088

Download

1.1.1 - R5692327 (July 5, 2023)

Scripts

AzureFindAvailableNSGPriorities

Updated the Docker image to: demisto/python3:3.10.10.48392.

Related pull requests:
- 25039

Download

1.1.0 - R4718798 (March 1, 2023)

Playbooks

New: Azure - Network Security Group Remediation

This playbook adds new Azure Network Security Groups (NSG) rules to NSGs attached to a NIC. The new rules will give access only to a private IP address range and block traffic that's exposed to the public internet (using the private IP of the VM as stated in Azure documentation). For example, if RDP is exposed to the public internet, this playbook adds new firewall rules that only allos traffic from private ip address and blocks rest of the RDP traffic.

New: Azure - Enrichment

Given an IP address, this playbook enriches Azure Compute, Microsoft Graph User, and IAM information and outputs Azure Compute, Microsoft Graph User, and IAM information. (Available from Cortex XSOAR 6.5.0).

Scripts

New: AzureFindAvailableNSGPriorities

This script takes in a list of numbers that represent Azure priorities for NSG rules, a target priority number, and a number available priorities to return available priorities from the provided list. (Available from Cortex XSOAR 6.5.0).

Related pull requests:
- 24181

Download

1.0.0 - 4497697 (December 2, 2022)

Playbooks using multiple Azure content packs for enrichment and remediation purposes

Download

PUBLISHER

PLATFORMS

Cortex XSOARCortex XSIAM

INFO

Certification	Certified	Read more
Supported By	Cortex
Created	December 2, 2022
Last Release	September 23, 2024

WORKS WITH THE FOLLOWING INTEGRATIONS:

Azure Active Directory Identity And Access

DISCLAIMER

Content packs are licensed by the Publisher identified above and subject to the Publisher’s own licensing terms. Palo Alto Networks is not liable for and does not warrant or support any content pack produced by a third-party Publisher, whether or not such packs are designated as “Palo Alto Networks-certified” or otherwise. For more information, see the Marketplace documentation.

Azure Enrichment and Remediation

What does this pack do?

Scripts

AzureFindAvailableNSGPriorities

Playbooks

Azure - Enrichment

Azure - Network Security Group Remediation

Azure - User Investigation

Cloud Credentials Rotation - Azure

Cloud Response - Azure

What does this pack do?

Scripts

AzureFindAvailableNSGPriorities

Playbooks

Azure - Enrichment

Azure - Network Security Group Remediation

Azure - User Investigation

Cloud Credentials Rotation - Azure

Cloud Response - Azure

Azure Credentials Rotation Playbook

IAM Remediation

Service Principal Remediation

Azure Credentials Rotation Playbook

IAM Remediation

Service Principal Remediation

Playbooks

Azure - User Investigation

Playbooks

Azure - Network Security Group Remediation

Playbooks

Azure - Enrichment

Azure Enrichment and Remediation

Azure Enrichment and Remediation

Playbooks

Azure - Network Security Group Remediation

Playbooks

Azure - Network Security Group Remediation

Playbooks

Azure - Network Security Group Remediation

Azure Enrichment and Remediation

Playbooks

Cloud Response - Azure

Scripts

AzureFindAvailableNSGPriorities

Playbooks

Azure - User Investigation

Playbooks

Azure - User Investigation

Playbooks

New: Cloud Credentials Rotation - Azure

Azure-Enrichment-Remediation

Playbooks

New: Azure - User Investigation

Playbooks

Cloud Response - Azure

Azure-Enrichment-Remediation

Scripts

AzureFindAvailableNSGPriorities

Scripts

AzureFindAvailableNSGPriorities

Playbooks

New: Azure - Network Security Group Remediation

New: Azure - Enrichment

Scripts

New: AzureFindAvailableNSGPriorities

PUBLISHER

PLATFORMS

INFO

WORKS WITH THE FOLLOWING INTEGRATIONS:

DISCLAIMER