SecOpsLab

Share this post

SecOpsLab
SecOpsLab
Maintain a Watchlist on Public IPs in Azure
Copy link
Facebook
Email
Notes
More

Maintain a Watchlist on Public IPs in Azure

A simple Logic App for collecting Public IP address resources into a Microsoft Sentinel Watchlist from your Azure tenant

Mikko Koivunen
Jun 15, 2023
2

Share this post

SecOpsLab
SecOpsLab
Maintain a Watchlist on Public IPs in Azure
Copy link
Facebook
Email
Notes
More
1
Share

This is a quick rundown on a Logic App I quite often deploy to customers.

The idea is to collect currently existing Azure Public IP addresses into a Sentinel Watchlist, which you can use to identify known assets in your environment and correlate findings and incidents that contain IP address data.

NOTE: This is different from a similarly named watchlist Microsoft provides in the official Sentinel GitHub. That one identifies the known addresses that Microsoft uses to provide global Azure services. The Logic App described here collects IP resources from your own environment, meaning the public attack surface of your own Azure tenant.

Logic App design

The Logic App is nothing very complicated. Mainly we just call Azure API daily, with a query to find the Public IP address resources and write the results to a Watchlist, which gets rotated completely so there is only current data.

You can see the logic here in this Designer screenshot:

At the heart of the Logic App (the HTTP POST action) is just a simple Resource Graph query that finds the IPs and projects a few attributes that we want to collect in our Sentinel Watchlist:

Resources | where type contains 'publicIPAddresses' and isnotempty(properties.ipAddress) | project subscriptionId, name, resourceGroup, properties.ipAddress

That data is put into a CSV table that can be directly inserted into a Watchlist.

Example results

Here you can see an example of a generated Watchlist in Sentinel:

Deploy the Logic App

You can deploy the Logic App from a template in my Github Repo:

mikoiv/MicrosoftSentinel-Playbooks (github.com)

After clicking the Deploy to Azure button, you need to fill in a few parameters so the Logic App can find your Sentinel instance.

Required permissions

After deployment make sure to grant the following Azure RBAC roles for the Playbook’s Managed Identity:

  • Azure Reader role for your Tenant Root Management Group for full visibility, or some other scope if you want to limit what data is collected.

  • Sentinel Contributor role for your Sentinel Resource Group for maintaining the Watchlist.

Thanks for reading SecOpsLab! Subscribe for free to receive new posts and support my work.

2

Share this post

SecOpsLab
SecOpsLab
Maintain a Watchlist on Public IPs in Azure
Copy link
Facebook
Email
Notes
More
1
Share

Discussion about this post

Jim
Jun 30, 2023

We are having issues with bad requests within Logic App any ideas?

Expand full comment
Reply
Share

No posts

Ready for more?

© 2024 Mikko Koivunen
Privacy ∙ Terms ∙ Collection notice
Start WritingGet the app
Substack is the home for great culture

Share

Copy link
Facebook
Email
Notes
More