SOAR Playbook Setup - vishnupk001/CloudCore-SOC-Build-with-M365 GitHub Wiki

Protecting the VM from Brute Force Attacks using a SOAR Playbook

To safeguard the deployed VM from brute force attacks, a SOAR (Security Orchestration, Automation, and Response) playbook was created. This playbook automates the detection and mitigation of brute force attempts by dynamically updating Network Security Group (NSG) rules and notifying the administrator via email.

1. Setting Up the Automation Account:

The first step involved creating an Automation Account in Azure to manage automated tasks. After creating the account, Az modules were installed from the PowerShell module gallery to enable interaction with Azure resources. A runbook was then created to automate the deployment of NSG rules in response to detected brute force events.

Automation Account:

Runbook:

2. Log Monitoring in Log Analytics Workspace:

After setting up the automation components, logs related to network activity and security events started flowing into the Log Analytics Workspace. This centralized logging solution collects and organizes the data, providing real-time visibility into events occurring on the VM and its associated infrastructure.

3. Configuring the Analytics Rule:

To detect brute force attempts, an analytics rule was created. This rule examines events every half hour, analyzing data from the previous half hour. If more than five suspicious events are detected within this period, the playbook is triggered.

Upon activation, the playbook runs an automation runbook to create an NSG rule that blocks the IP address associated with the detected events. This proactive measure helps mitigate brute force attacks by dynamically updating the VM’s network security configuration.
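The following is an added example of the kind of Az-module runbook that steps 1 and 3 describe; it is not the project's own runbook. It assumes the playbook passes the attacker IP, resource group and NSG name as runbook parameters, and that the Automation Account authenticates with a system-assigned managed identity.

```powershell
# Hypothetical Azure Automation runbook (PowerShell, Az modules), added as an example.
# The Sentinel playbook (Logic App) supplies these values from the alert entities.
param(
    [Parameter(Mandatory = $true)]
    [string] $AttackerIp,          # source IP taken from the alert (assumed parameter name)
    [Parameter(Mandatory = $true)]
    [string] $ResourceGroupName,   # resource group holding the VM's NSG (assumed)
    [Parameter(Mandatory = $true)]
    [string] $NsgName              # NSG attached to the VM's NIC or subnet (assumed)
)

# Validate the input before it becomes part of a network rule: an alert entity
# should carry a single IP address, never a CIDR range or a hostname.
$parsed = $null
if (-not [System.Net.IPAddress]::TryParse($AttackerIp, [ref]$parsed)) {
    throw "Refusing to create a rule: '$AttackerIp' is not a valid IP address."
}

# Authenticate as the Automation Account's managed identity (no stored credentials).
Connect-AzAccount -Identity | Out-Null

$nsg = Get-AzNetworkSecurityGroup -Name $NsgName -ResourceGroupName $ResourceGroupName

# Idempotency: the analytics rule fires every half hour, so the same IP may arrive
# repeatedly. Skip if an inbound deny rule for this source already exists.
$existing = $nsg.SecurityRules | Where-Object {
    $_.Direction -eq 'Inbound' -and $_.Access -eq 'Deny' -and $_.SourceAddressPrefix -contains $AttackerIp
}
if ($existing) {
    Write-Output "Rule '$($existing[0].Name)' already blocks $AttackerIp; nothing to do."
    return
}

# Use the lowest free priority in the 100-199 band so the deny rule is evaluated
# before any existing allow rules (lower number = higher precedence).
$used = @($nsg.SecurityRules | ForEach-Object { $_.Priority })
$priority = 100..199 | Where-Object { $used -notcontains $_ } | Select-Object -First 1
if (-not $priority) { throw "No free priority left in the 100-199 band on $NsgName." }

# Rule names may not contain dots or colons, so derive a safe name from the IP.
$ruleName = "Block-BruteForce-" + ($AttackerIp -replace '[^0-9a-fA-F]', '-')

$nsg | Add-AzNetworkSecurityRuleConfig -Name $ruleName `
    -Description "Auto-blocked by SOAR playbook at $(Get-Date -Format o)" `
    -Access Deny -Protocol '*' -Direction Inbound -Priority $priority `
    -SourceAddressPrefix $AttackerIp -SourcePortRange '*' `
    -DestinationAddressPrefix '*' -DestinationPortRange '*' | Out-Null

# Set-AzNetworkSecurityGroup writes the updated rule set back to Azure.
$nsg | Set-AzNetworkSecurityGroup | Out-Null
Write-Output "Created NSG rule '$ruleName' (priority $priority) denying inbound traffic from $AttackerIp."
```

The managed identity needs Network Contributor (or an equivalent custom role) on the NSG's resource group, and nothing broader, for this runbook to succeed.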

4. Automating Notifications with a Playbook:

An automation playbook was configured to send email notifications whenever an alert is triggered. This playbook integrates with the detection system and sends a detailed alert email to the specified address. The alert email contains information about the detected brute force attempt, the affected VM, and the action taken.

Playbook:

Playbook details:

The playbook was tested, and a confirmation email was received, indicating that the notification system works correctly. This setup ensures that administrators are promptly informed whenever a security incident occurs, enabling swift response and investigation.

Email Notification Received:

By integrating the SOAR playbook with both automated mitigation and alert notification, the system provides robust and proactive protection against brute force attacks.