Azure Network Security Group v1.2.0

About the connector

Use the Azure Network Security Group to filter network traffic to and from Azure resources in an Azure virtual network.

This document provides information about the Azure Network Security Group Connector, which facilitates automated interactions with an Azure Network Security Group server using FortiSOAR™ playbooks. Add the Azure Network Security Group Connector as a step in FortiSOAR™ playbooks and perform automated operations such as creating or updating a network security group in Azure Network Security Group, retrieving a list of all network security groups from Azure Network Security Group, etc.

Version information

Connector Version: 1.2.0

FortiSOAR™ Version Tested on: 7.4.1-3167

Azure Network Security Group Version Tested on: 2023-02-01

Authored By: Fortinet

Certified: Yes

Release Notes for version 1.2.0

The following enhancements have been made to the Azure Network Security Group Connector in version 1.2.0:

  • Fixed the Update Network Security Group action, which was removing all the existing rules in a Network Security Group while adding rules.
  • The Update Network Security Group action now supports deletion of rules in a Network Security Group.
  • Added the Operation to Perform on Network Security Group parameter to the Update Network Security Group action. It provides the options to Add or Remove a rule in a Network Security Group.

Installing the connector

Use the Content Hub to install the connector. For the detailed procedure to install a connector, click here.

You can also use the yum command as a root user to install the connector:

yum install cyops-connector-azure-network-security-group

Prerequisites to configuring the connector

  • You must have acquired authentication tokens to access the Azure Virtual Network APIs using Delegate or Application Permissions. For more information, see the Getting Access Tokens section.
  • Ensure that host login.microsoftonline.com on port 443 is in the allowlist of your Firewall or Proxy servers.

Minimum Permissions Required

  • Not applicable

Configuring the connector

For the procedure to configure a connector, click here.

Configuration parameters

In FortiSOAR™, on the Content Hub (or Connector Store) page, click the Manage tab, and then click the Azure Network Security Group connector card. On the connector popup, click the Configurations tab to enter the required configuration details.

Parameter | Description
Get Access Token | Select the method used to get the authentication tokens required to access the network security group APIs. You can choose from the following options:
  • On behalf of User – Delegate Permission
  • Without a User – Application Permission
For more information, see the Getting Access Tokens section.
Server URL | The service-based URL to which you will connect and perform the automated operations.
Directory (Tenant) ID | The ID of the tenant that you have been provided for your Azure Network Security Group instance.
Application (client) ID | Unique ID of the Azure Network Security Group application that is used to create an authentication token required to access the API.
Application (client) Secret | Unique Client Secret of the Azure Network Security Group application that is used to create an authentication token required to access the API. For information on how to get the secret key, see https://docs.microsoft.com/en-us/windows/security/threat-protection/microsoft-defender-atp/exposed-apis-create-app-webapp.
Authorization Code | (Only Applicable to On behalf of User – Delegate Permission) The authorization code that you acquired during the authorization step. For more information, see the Getting Access Tokens using the On behalf of the user – Delegate Permission method section.
Redirect URL | (Only Applicable to On behalf of User – Delegate Permission) The redirect_uri of your app, where authentication responses can be sent and received by your app. The redirect URL that you specify here must exactly match one of the redirect_uri values you have registered in your app registration portal.
Verify SSL | Specifies whether the SSL certificate for the server is to be verified or not. By default, this option is set as True.

Actions supported by the connector

The following automated operations can be included in playbooks and you can also use the annotations to access operations:

Function | Description | Annotation and Category
Create Network Security Group | Creates a network security group in the specified resource group based on the input parameters, such as subscription ID, name of the network security group, location of the network security group, etc. you have specified. | create_network_security_group, Investigation
List Network Security Groups | Retrieves a list of all network security groups from the specified resource group in Azure Network Security Group. | list_of_network_security_groups, Investigation
Get Network Security Group Info | Retrieves all the details of the specified network security group from the specified resource group in Azure Network Security Group. | get_network_security_group_info, Investigation
Update Network Security Group | Updates a network security group in the specified resource group based on the input parameters, such as subscription ID, name of the network security group, location of the network security group, etc. you have specified. | update_network_security_group, Investigation
Delete Network Security Group | Deletes the specified network security group from the specified resource group in Azure Network Security Group. | delete_network_security_group, Investigation

operation: Create Network Security Group

Input parameters

Parameter | Description
Subscription ID | Select the subscription credentials that uniquely identify the Azure subscription. The subscription ID forms part of the URI for every service call. This parameter makes an API call named list_of_subscriptions to dynamically populate the Subscription ID's drop-down selections.
Resource Group Name | Select the name of the resource group in which you want to create the network security group. This parameter makes an API call named list_of_resource_groups to dynamically populate the Resource Group Name's drop-down selections.
Network Security Group Name | Specify the name of the network security group that you want to create in the Azure Network Security Group.
Location | Select the location of the network security group that you want to create in the Azure Network Security Group. This parameter makes an API call named list_of_locations to dynamically populate the Location's drop-down selections.
Rule Type | Select whether you want to associate a single rule or multiple (or custom) rules with the network security group that you want to create in the Azure Network Security Group.
If you select Single Rule, then you must specify the following parameters:
  • Rule Name: The name of the rule to be associated with the network security group that you want to create in the Azure Network Security Group.
  • Protocol: Select the protocol of the rule to be associated with the network security group that you want to create in the Azure Network Security Group. You can choose between *, Ah, Esp, Icmp, Tcp, or Udp.
  • Source Address Prefix: Specify the source address prefix of the rule to be associated with the network security group that you want to create in the Azure Network Security Group.
  • Destination Address Prefix: Specify the destination address prefix of the rule to be associated with the network security group that you want to create in the Azure Network Security Group.
  • Action: Select the action that you want to assign to the rule to be associated with the network security group that you want to create in the Azure Network Security Group. You can choose between Allow or Deny.
  • Destination Port Range: Specify the destination port range of the rule to be associated with the network security group that you want to create in the Azure Network Security Group.
  • Source Port Range: Specify the source port range of the rule to be associated with the network security group that you want to create in the Azure Network Security Group.
  • Priority: Specify the priority of the rule to be associated with the network security group that you want to create in the Azure Network Security Group.
  • Direction: Select the direction that you want to assign to the rule to be associated with the network security group that you want to create in the Azure Network Security Group. You can choose between Inbound or Outbound.
If you select Multiple or Custom Rules, then you must specify the following parameters:
  • Multiple Rules: Specify, in JSON format, the rules to be associated with the network security group that you want to create in the Azure Network Security Group.

Output

The output contains the following populated JSON schema:

{
    "name": "",
    "id": "",
    "etag": "",
    "type": "",
    "location": "",
    "properties": {
        "provisioningState": "",
        "resourceGuid": "",
        "securityRules": [
            {
                "name": "",
                "id": "",
                "etag": "",
                "type": "",
                "properties": {
                    "provisioningState": "",
                    "protocol": "",
                    "sourcePortRange": "",
                    "destinationPortRange": "",
                    "sourceAddressPrefix": "",
                    "destinationAddressPrefix": "",
                    "access": "",
                    "priority": "",
                    "direction": "",
                    "sourcePortRanges": [],
                    "destinationPortRanges": [],
                    "sourceAddressPrefixes": [],
                    "destinationAddressPrefixes": []
                }
            }
        ],
        "defaultSecurityRules": [
            {
                "name": "",
                "id": "",
                "etag": "",
                "type": "",
                "properties": {
                    "provisioningState": "",
                    "description": "",
                    "protocol": "",
                    "sourcePortRange": "",
                    "destinationPortRange": "",
                    "sourceAddressPrefix": "",
                    "destinationAddressPrefix": "",
                    "access": "",
                    "priority": "",
                    "direction": "",
                    "sourcePortRanges": [],
                    "destinationPortRanges": [],
                    "sourceAddressPrefixes": [],
                    "destinationAddressPrefixes": []
                }
            }
        ]
    }
}

operation: List Network Security Groups

Input parameters

Parameter | Description
Subscription ID | Select the subscription credentials that uniquely identify the Azure subscription. The subscription ID forms part of the URI for every service call. This parameter makes an API call named list_of_subscriptions to dynamically populate the Subscription ID's drop-down selections.
Resource Group Name | Select the name of the resource group from which you want to retrieve a list of all network security groups. This parameter makes an API call named list_of_resource_groups to dynamically populate the Resource Group Name's drop-down selections.

Output

The output contains the following populated JSON schema:

[
    {
        "name": "",
        "id": "",
        "etag": "",
        "type": "",
        "location": "",
        "properties": {
            "provisioningState": "",
            "resourceGuid": "",
            "securityRules": [
                {
                    "name": "",
                    "id": "",
                    "etag": "",
                    "type": "",
                    "properties": {
                        "provisioningState": "",
                        "protocol": "",
                        "sourcePortRange": "",
                        "destinationPortRange": "",
                        "sourceAddressPrefix": "",
                        "destinationAddressPrefix": "",
                        "access": "",
                        "priority": "",
                        "direction": "",
                        "sourcePortRanges": [],
                        "destinationPortRanges": [],
                        "sourceAddressPrefixes": [],
                        "destinationAddressPrefixes": []
                    }
                }
            ],
            "defaultSecurityRules": [
                {
                    "name": "",
                    "id": "",
                    "etag": "",
                    "type": "",
                    "properties": {
                        "provisioningState": "",
                        "description": "",
                        "protocol": "",
                        "sourcePortRange": "",
                        "destinationPortRange": "",
                        "sourceAddressPrefix": "",
                        "destinationAddressPrefix": "",
                        "access": "",
                        "priority": "",
                        "direction": "",
                        "sourcePortRanges": [],
                        "destinationPortRanges": [],
                        "sourceAddressPrefixes": [],
                        "destinationAddressPrefixes": []
                    }
                }
            ]
        }
    }
]

operation: Get Network Security Group Info

Input parameters

Parameter | Description
Subscription ID | Select the subscription credentials that uniquely identify the Azure subscription. The subscription ID forms part of the URI for every service call. This parameter makes an API call named list_of_subscriptions to dynamically populate the Subscription ID's drop-down selections.
Resource Group Name | Select the name of the resource group from which you want to retrieve the specified network security group. This parameter makes an API call named list_of_resource_groups to dynamically populate the Resource Group Name's drop-down selections.
Network Security Group Name | Select the name of the network security group whose details you want to retrieve from the specified resource group. This parameter makes an API call named list_of_network_security_groups_only_names to dynamically populate the Network Security Group Name's drop-down selections.

Output

The output contains the following populated JSON schema:

{
    "name": "",
    "id": "",
    "etag": "",
    "type": "",
    "location": "",
    "properties": {
        "provisioningState": "",
        "resourceGuid": "",
        "securityRules": [
            {
                "name": "",
                "id": "",
                "etag": "",
                "type": "",
                "properties": {
                    "provisioningState": "",
                    "protocol": "",
                    "sourcePortRange": "",
                    "destinationPortRange": "",
                    "sourceAddressPrefix": "",
                    "destinationAddressPrefix": "",
                    "access": "",
                    "priority": "",
                    "direction": "",
                    "sourcePortRanges": [],
                    "destinationPortRanges": [],
                    "sourceAddressPrefixes": [],
                    "destinationAddressPrefixes": []
                }
            }
        ],
        "defaultSecurityRules": [
            {
                "name": "",
                "id": "",
                "etag": "",
                "type": "",
                "properties": {
                    "provisioningState": "",
                    "description": "",
                    "protocol": "",
                    "sourcePortRange": "",
                    "destinationPortRange": "",
                    "sourceAddressPrefix": "",
                    "destinationAddressPrefix": "",
                    "access": "",
                    "priority": "",
                    "direction": "",
                    "sourcePortRanges": [],
                    "destinationPortRanges": [],
                    "sourceAddressPrefixes": [],
                    "destinationAddressPrefixes": []
                }
            }
        ]
    }
}

operation: Update Network Security Group

Input parameters

Parameter | Description
Subscription ID | Select the subscription credentials that uniquely identify the Azure subscription. The subscription ID forms part of the URI for every service call. This parameter makes an API call named list_of_subscriptions to dynamically populate the Subscription ID's drop-down selections.
Resource Group Name | Select the name of the resource group in which you want to update the network security group. This parameter makes an API call named list_of_resource_groups to dynamically populate the Resource Group Name's drop-down selections.
Network Security Group Name | Select the name of the network security group that you want to update in the Azure Network Security Group. This parameter makes an API call named list_of_network_security_groups_only_names to dynamically populate the Network Security Group Name's drop-down selections.
Operation to Perform on Network Security Group | Select the operation to perform on the Network Security Group. You can choose from the following options:
  • Add Rule: Select this option to add a rule. Additionally, specify values in the following parameters:
    • Rule Type: Select whether you want to associate a single rule or multiple (or custom) rules with the network security group that you want to update in the Azure Network Security Group. Select from the following options:
      • Single Rule: Select this option to update only the specified rule. Specify values in the following fields:
        • Rule Name: The name of the rule to be associated with the network security group that you want to update in the Azure Network Security Group.
        • Protocol: Select the protocol of the rule to be associated with the network security group that you want to update in the Azure Network Security Group. You can choose between *, Ah, Esp, Icmp, Tcp, or Udp.
        • Source Address Prefix: Specify the source address prefix of the rule to be associated with the network security group that you want to update in the Azure Network Security Group.
        • Destination Address Prefix: Specify the destination address prefix of the rule to be associated with the network security group that you want to update in the Azure Network Security Group.
        • Action: Select the action that you want to assign to the rule to be associated with the network security group that you want to update in the Azure Network Security Group. You can choose between Allow or Deny.
        • Destination Port Range: Specify the destination port range of the rule to be associated with the network security group that you want to update in the Azure Network Security Group.
        • Source Port Range: Specify the source port range of the rule to be associated with the network security group that you want to update in the Azure Network Security Group.
        • Priority: Specify the priority of the rule to be associated with the network security group that you want to update in the Azure Network Security Group.
        • Direction: Select the direction that you want to assign to the rule to be associated with the network security group that you want to update in the Azure Network Security Group. You can choose between Inbound or Outbound.
      • Multiple or Custom Rules: Specify, in JSON format, the rules to be associated with the network security group that you want to update in the Azure Network Security Group.
  • Delete Rules: Select the rule names to delete. This parameter makes an API call named "list_of_rule_names_in_a_nsg" to dynamically populate the Rule names drop-down selections.

Output

The output contains the following populated JSON schema:

{
    "name": "",
    "id": "",
    "etag": "",
    "type": "",
    "location": "",
    "properties": {
        "provisioningState": "",
        "resourceGuid": "",
        "securityRules": [
            {
                "name": "",
                "id": "",
                "etag": "",
                "type": "",
                "properties": {
                    "provisioningState": "",
                    "protocol": "",
                    "sourcePortRange": "",
                    "destinationPortRange": "",
                    "sourceAddressPrefix": "",
                    "destinationAddressPrefix": "",
                    "access": "",
                    "priority": "",
                    "direction": "",
                    "sourcePortRanges": [],
                    "destinationPortRanges": [],
                    "sourceAddressPrefixes": [],
                    "destinationAddressPrefixes": []
                }
            }
        ],
        "defaultSecurityRules": [
            {
                "name": "",
                "id": "",
                "etag": "",
                "type": "",
                "properties": {
                    "provisioningState": "",
                    "description": "",
                    "protocol": "",
                    "sourcePortRange": "",
                    "destinationPortRange": "",
                    "sourceAddressPrefix": "",
                    "destinationAddressPrefix": "",
                    "access": "",
                    "priority": "",
                    "direction": "",
                    "sourcePortRanges": [],
                    "destinationPortRanges": [],
                    "sourceAddressPrefixes": [],
                    "destinationAddressPrefixes": []
                }
            }
        ]
    }
}
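
The release notes for version 1.2.0 describe an Update action that used to remove existing rules while adding new ones. The following is an added example, not the connector's own code: a read-modify-write merge over the securityRules array of the schema above that keeps untouched rules, rejects malformed rules, and lists inbound Allow rules open to any source for review. The function names, the sample NSG, and the assumption that the Multiple Rules JSON uses the same shape as securityRules entries are illustrative; the 100 to 4096 priority range and the one-priority-per-direction constraint are Azure's.

```python
import copy
import json

PROTOCOLS = {"*", "Ah", "Esp", "Icmp", "Tcp", "Udp"}  # choices listed on this page
ACCESS = {"Allow", "Deny"}
DIRECTIONS = {"Inbound", "Outbound"}
REQUIRED = ("protocol", "sourcePortRange", "destinationPortRange",
            "sourceAddressPrefix", "destinationAddressPrefix",
            "access", "priority", "direction")
ANY_SOURCE = {"*", "0.0.0.0/0", "Internet"}  # source values that match any host


def validate_rule(rule):
    """Raise ValueError unless the rule carries every field a single rule needs."""
    name = rule.get("name")
    props = rule.get("properties") or {}
    if not name:
        raise ValueError("rule has no name")
    missing = [k for k in REQUIRED if props.get(k) in (None, "")]
    if missing:
        raise ValueError(f"{name}: missing {', '.join(missing)}")
    if props["protocol"] not in PROTOCOLS:
        raise ValueError(f"{name}: unknown protocol {props['protocol']!r}")
    if props["access"] not in ACCESS or props["direction"] not in DIRECTIONS:
        raise ValueError(f"{name}: bad access or direction")
    # Azure accepts custom rule priorities from 100 to 4096.
    if type(props["priority"]) is not int or not 100 <= props["priority"] <= 4096:
        raise ValueError(f"{name}: priority must be an integer from 100 to 4096")


def slot_of(rule):
    """A priority may be used once per direction, so the pair is the key."""
    return rule["properties"]["direction"], rule["properties"]["priority"]


def add_rules(nsg, new_rules):
    """Return a copy of nsg with new_rules merged into securityRules."""
    merged = copy.deepcopy(nsg)
    rules = merged["properties"].setdefault("securityRules", [])
    for rule in new_rules:
        validate_rule(rule)
        key = rule["name"].lower()  # assumption: names compare case-insensitively
        # Same name: replace that one rule. Every other rule is kept.
        rules[:] = [r for r in rules if r["name"].lower() != key]
        clash = [r["name"] for r in rules if slot_of(r) == slot_of(rule)]
        if clash:
            raise ValueError(f"{rule['name']}: priority already used by {clash[0]}")
        rules.append(copy.deepcopy(rule))
    return merged


def remove_rules(nsg, names):
    """Return a copy of nsg without the named rules; unknown names are an error."""
    wanted = {n.lower() for n in names}
    current = nsg["properties"].get("securityRules", [])
    unknown = wanted - {r["name"].lower() for r in current}
    if unknown:
        raise KeyError(f"no such rule(s): {sorted(unknown)}")
    merged = copy.deepcopy(nsg)
    merged["properties"]["securityRules"] = [
        copy.deepcopy(r) for r in current if r["name"].lower() not in wanted]
    return merged


def broad_inbound_allows(nsg):
    """Names of custom rules that allow inbound traffic from any source."""
    return [r["name"] for r in nsg["properties"].get("securityRules", [])
            if r["properties"]["direction"] == "Inbound"
            and r["properties"]["access"] == "Allow"
            and r["properties"]["sourceAddressPrefix"] in ANY_SOURCE]


def make_rule(name, priority, access, source, port, direction="Inbound"):
    """Build a TCP rule in the securityRules shape (helper for the sample data)."""
    return {"name": name, "properties": {
        "protocol": "Tcp", "sourcePortRange": "*", "destinationPortRange": port,
        "sourceAddressPrefix": source, "destinationAddressPrefix": "*",
        "access": access, "priority": priority, "direction": direction}}


# Constructed sample data: an NSG as returned by Get Network Security Group Info,
# and a Multiple Rules JSON payload (assumed to use the same rule shape).
SAMPLE_NSG = {"name": "example-nsg", "location": "westeurope", "properties": {
    "securityRules": [make_rule("allow-https", 100, "Allow", "*", "443"),
                      make_rule("deny-rdp", 200, "Deny", "*", "3389")]}}
MULTIPLE_RULES_JSON = json.dumps(
    [make_rule("allow-ssh-mgmt", 300, "Allow", "10.0.0.0/24", "22")])

if __name__ == "__main__":
    updated = add_rules(SAMPLE_NSG, json.loads(MULTIPLE_RULES_JSON))
    print([r["name"] for r in updated["properties"]["securityRules"]])
    print("review:", broad_inbound_allows(updated))
```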

operation: Delete Network Security Group

Input parameters

Parameter | Description
Subscription ID | Select the subscription credentials that uniquely identify the Azure subscription. The subscription ID forms part of the URI for every service call. This parameter makes an API call named list_of_subscriptions to dynamically populate the Subscription ID's drop-down selections.
Resource Group Name | Select the name of the resource group from which you want to delete the specified network security group. This parameter makes an API call named list_of_resource_groups to dynamically populate the Resource Group Name's drop-down selections.
Network Security Group Name | Select the name of the network security group that you want to delete from the specified resource group. This parameter makes an API call named list_of_network_security_groups_only_names to dynamically populate the Network Security Group Name's drop-down selections.

Output

The output contains the following populated JSON schema:

{
    "result": ""
}

Included playbooks

The Sample - Azure Network Security Group - 1.2.0 playbook collection comes bundled with the Azure Network Security Group connector. These playbooks contain steps using which you can perform all supported actions. You can see bundled playbooks in the Automation > Playbooks section in FortiSOAR™ after importing the Azure Network Security Group connector.

  • Create Network Security Group
  • Delete Network Security Group
  • Get Network Security Group Info
  • List Network Security Groups
  • Update Network Security Group

Note: If you are planning to use any of the sample playbooks in your environment, ensure that you clone those playbooks and move them to a different collection since the sample playbook collection gets deleted during connector upgrade and delete.

Getting Access Tokens

You can get authentication tokens to access the Network Security Group APIs using two methods:

  • On behalf of the User – Delegate Permission.
  • Without a User – Application Permission.

For more information, see https://docs.microsoft.com/en-us/azure/virtual-network/network-security-groups-overview.

Getting Access Tokens using the On behalf of the user – Delegated Permission method

  1. Ensure that the required permissions are granted for the registration of the application.
    For more information, see https://docs.microsoft.com/en-us/azure/role-based-access-control/built-in-roles?toc=/azure/virtual-network/toc.json#network-contributor.
    For example, for an Azure Subscriptions User, the API/Permission names that should be granted are:
    • Microsoft.Authorization/*/read
    • Microsoft.Insights/alertRules/*
    • Microsoft.Network/*
    • Microsoft.ResourceHealth/availabilityStatuses/read
    • Microsoft.Resources/deployments/*
    • Microsoft.Resources/subscriptions/resourceGroups/read
    • user_impersonation to the application created in Azure portal
    • and Microsoft.Support/* of type Delegate.
  2. The Redirect URL can be directed to any web application in which you want to receive responses from Azure Network Security Group. If you are unsure about what to set as a redirect URL, you can use https://localhost/myapp.
  3. Copy the following URL and replace the TENANT_ID, CLIENT_ID, and REDIRECT_URI with your own tenant ID, client ID, and redirect URL: https://login.microsoftonline.com/TENANT_ID/oauth2/v2.0/authorize?response_type=code&scope=https://management.azure.com/.default offline_access&client_id=CLIENT_ID&redirect_uri=REDIRECT_URI
  4. Enter the above link with the replaced values and you will be prompted to grant permissions for your Azure Service Management. You will be automatically redirected to a link with the following structure: REDIRECT_URI?code=AUTH_CODE&session_state=SESSION_STATE
  5. Copy the AUTH_CODE (without the code= prefix) and paste it into your instance configuration in the Authorization Code parameter.
  6. Enter your client ID in the Application (client) ID parameter field.
  7. Enter your client secret in the Application (client) Secret parameter field.
  8. Enter your tenant ID in the Directory (tenant) ID parameter field.
  9. Enter your redirect URL in the Redirect URL parameter field. By default, it is set to https://localhost/myapp.
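
Steps 3 to 5 above, as an added example that is not part of the connector: it builds the authorize URL with its query parameters URL-encoded (the scope value contains a space), then extracts AUTH_CODE from the redirected URL only if that URL matches the registered redirect URL and carries no error. The function names are illustrative; the `error` and `error_description` query parameters are the standard OAuth 2.0 failure response rather than something this page documents.

```python
from urllib.parse import parse_qs, urlencode, urlsplit

AUTHORITY = "https://login.microsoftonline.com"
# Scope from step 3: Azure management API plus a refresh token.
SCOPE = "https://management.azure.com/.default offline_access"


def build_authorize_url(tenant_id, client_id, redirect_uri):
    """Return the step 3 URL with every query value percent-encoded."""
    query = urlencode({
        "response_type": "code",
        "scope": SCOPE,
        "client_id": client_id,
        "redirect_uri": redirect_uri,
    })
    return f"{AUTHORITY}/{tenant_id}/oauth2/v2.0/authorize?{query}"


def extract_auth_code(redirected_url, registered_redirect_uri):
    """Return AUTH_CODE from REDIRECT_URI?code=AUTH_CODE&session_state=..."""
    got = urlsplit(redirected_url)
    want = urlsplit(registered_redirect_uri)
    # The redirect must land exactly on the registered redirect URL.
    if (got.scheme, got.netloc, got.path) != (want.scheme, want.netloc, want.path):
        raise ValueError("redirect landed on an unexpected URL")
    params = parse_qs(got.query)
    if "error" in params:
        detail = params.get("error_description", [""])[0]
        raise ValueError(f"authorization failed: {params['error'][0]} {detail}".strip())
    codes = params.get("code", [])
    if len(codes) != 1 or not codes[0]:
        raise ValueError("redirect URL carries no single 'code' parameter")
    return codes[0]  # paste this value, without the code= prefix


if __name__ == "__main__":
    # Placeholders from the page, not real identifiers.
    print(build_authorize_url("TENANT_ID", "CLIENT_ID", "https://localhost/myapp"))
    print(extract_auth_code(
        "https://localhost/myapp?code=AUTH_CODE&session_state=SESSION_STATE",
        "https://localhost/myapp"))
```

The authorization code is a credential: it should go straight into the Authorization Code parameter and not into tickets, chat or shell history.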

Getting Access Tokens using the Without a User – Application Permission method

  1. Ensure that the required permissions are granted for the registration of the application.
    For more information, see https://docs.microsoft.com/en-us/azure/role-based-access-control/built-in-roles?toc=/azure/virtual-network/toc.json#network-contributor.
    For example, for an Azure Subscriptions Application User, the API/Permission names that should be granted are:
    • Microsoft.Authorization/*/read
    • Microsoft.Insights/alertRules/*
    • Microsoft.Network/*
    • Microsoft.ResourceHealth/availabilityStatuses/read
    • Microsoft.Resources/deployments/*
    • Microsoft.Resources/subscriptions/resourceGroups/read
    • and Microsoft.Support/* of type Application.
  2. Enter your client ID in the Application (client) ID parameter field.
  3. Enter your client secret in the Application (client) Secret parameter field.
  4. Enter your tenant ID in the Directory (tenant) ID parameter field.
Previous
Next

Azure Network Security Group v1.2.0

About the connector

Use the Azure Network Security Group to filter network traffic to and from Azure resources in an Azure virtual network.

This document provides information about the Azure Network Security Group Connector, which facilitates automated interactions, with an Azure Network Security Group server using FortiSOAR™ playbooks. Add the Azure Network Security Group Connector as a step in FortiSOAR™ playbooks and perform automated operations such as creating or updating a network security group in Azure Network Security Group, retrieving a list of all network security groups from Azure Network Security Group, etc.

Version information

Connector Version: 1.2.0

FortiSOAR™ Version Tested on: 7.4.1-3167

Azure Network Security Group Version Tested on: 2023-02-01

Authored By: Fortinet

Certified: Yes

Release Notes for version 1.2.0

Following enhancements have been made to the Azure Network Security Group Connector in version 1.2.0:

Installing the connector

Use the Content Hub to install the connector. For the detailed procedure to install a connector, click here.

You can also use the yum command as a root user to install the connector:

yum install cyops-connector-azure-network-security-group

Prerequisites to configuring the connector

Minimum Permissions Required

Configuring the connector

For the procedure to configure a connector, click here.

Configuration parameters

In FortiSOAR™, on the Content Hub (or Connector Store) page, click the Manage tab, and then click the Azure Network Security Group connector card. On the connector popup, click the Configurations tab to enter the required configuration details.

Parameter Description
Get Access Token Select the method using which you will get authentication tokens used to access the network security group APIs. You can choose from following options:
  • On behalf of User – Delegate Permission
  • Without a User – Application Permission
For more information, see the Getting Access Tokens section.
Server URL The service-based URL to which you will connect and perform the automated operations.
Directory (Tenant) ID The ID of the tenant that you have been provided for your Azure Network Security Group instance.
Application (client) ID Unique ID of the Azure Network Security Group application that is used to create an authentication token required to access the API.
Application (client) Secret Unique Client Secret of the Azure Network Security Group application that is used to create an authentication token required to access the API. For information on how to get the secret key, see https://docs.microsoft.com/en-us/windows/security/threat-protection/microsoft-defender-atp/exposed-apis-create-app-webapp.
Authorization Code (Only Applicable to On behalf of User – Delegate Permission) The authorization code that you acquired during the authorization step. For more information, see the Getting Access Tokens using the On behalf of the user – Delegate Permission method section.
Redirect URL (Only Applicable to On behalf of User – Delegate Permission) The redirect_uri of your app, where authentication responses can be sent and received by your app. The redirect URL that you specify here must exactly match one of the redirect_uri's you have registered in your app registration portal.
Verify SSL Specifies whether the SSL certificate for the server is to be verified or not. By default, this option is set as True.

Actions supported by the connector

The following automated operations can be included in playbooks and you can also use the annotations to access operations:

Function Description Annotation and Category
Create Network Security Group Creates a network security group in the specified resource group based on the input parameters, such as subscription ID, name of the network security group, location of the network security group, etc. you have specified. create_network_security_group
Investigation
List Network Security Groups Retrieves a list of all network security groups from the specified resource group in Azure Network Security Group. list_of_network_security_groups
Investigation
Get Network Security Group Info Retrieves all the details of the specified network security group from the specified resource group in Azure Network Security Group. get_network_security_group_info
Investigation
Update Network Security Group Updates a network security group in the specified resource group based on the input parameters, such as subscription ID, name of the network security group, location of the network security group, etc. you have specified. update_network_security_group
Investigation
Delete Network Security Group Deletes the specified network security group from the specified resource group in Azure Network Security Group. delete_network_security_group
Investigation

operation: Create Network Security Group

Input parameters

Parameter Description
Subscription ID Select the subscription credentials that uniquely identify the Azure subscription. The subscription ID forms part of the URI for every service call. This parameter makes an API call named list_of_subscriptions to dynamically populate the Subscription ID's drop-down selections.
Resource Group Name Select the name of the resource group in which you want to create the network security group. This parameter makes an API call named list_of_resource_groups to dynamically populate the Resource Group Name's drop-down selections.
Network Security Group Name Specify the name of the network security group that you want to create in the Azure Network Security Group.
Location Select the location of the network security group that you want to create in the Azure Network Security Group. This parameter makes an API call named list_of_locations to dynamically populate the Location's drop-down selections.
Rule Type Select whether you want to associate a single rule or multiple (or custom) rules with the network security group that you want to create in the Azure Network Security Group.
If you select Single Rule, then you must specify the following parameters:
  • Rule Name: The name of the rule to be associated with the network security group that you want to create in the Azure Network Security Group.
  • Protocol: Select the protocol of the rule to be associated with the network security group that you want to create in the Azure Network Security Group. You can choose between *, Ah, Esp, Icmp, Tcp, or Udp.
  • Source Address Prefix: Specify the source address prefix of the rule to be associated with the network security group that you want to create in the Azure Network Security Group.
  • Destination Address Prefix: Specify the destination address prefix of the rule to be associated with the network security group that you want to create in the Azure Network Security Group.
  • Action: Select the action that you want to assign to the rule to be associated with the network security group that you want to create in the Azure Network Security Group. You can choose between Allow or Deny.
  • Destination Port Range: Specify the destination port range of the rule to be associated with the network security group that you want to create in the Azure Network Security Group.
  • Source Port Range: Specify the source port range of the rule to be associated with the network security group that you want to create in the Azure Network Security Group.
  • Priority: Specify the priority of the rule to be associated with the network security group that you want to create in the Azure Network Security Group.
  • Direction: Select the direction that you want to assign to the rule to be associated with the network security group that you want to create in the Azure Network Security Group. You can choose between Inbound or Outbound.
If you select Multiple or Custom Rules, then you must specify the following parameters:
  • Multiple Rules: Specify the rules in the JSON format for the rule to be associated with the network security group that you want to create in the Azure Network Security Group.

Output

The output contains the following populated JSON schema:

{
    "name": "",
    "id": "",
    "etag": "",
    "type": "",
    "location": "",
    "properties": {
        "provisioningState": "",
        "resourceGuid": "",
        "securityRules": [
            {
                "name": "",
                "id": "",
                "etag": "",
                "type": "",
                "properties": {
                    "provisioningState": "",
                    "protocol": "",
                    "sourcePortRange": "",
                    "destinationPortRange": "",
                    "sourceAddressPrefix": "",
                    "destinationAddressPrefix": "",
                    "access": "",
                    "priority": "",
                    "direction": "",
                    "sourcePortRanges": [],
                    "destinationPortRanges": [],
                    "sourceAddressPrefixes": [],
                    "destinationAddressPrefixes": []
                }
            }
        ],
        "defaultSecurityRules": [
            {
                "name": "",
                "id": "",
                "etag": "",
                "type": "",
                "properties": {
                    "provisioningState": "",
                    "description": "",
                    "protocol": "",
                    "sourcePortRange": "",
                    "destinationPortRange": "",
                    "sourceAddressPrefix": "",
                    "destinationAddressPrefix": "",
                    "access": "",
                    "priority": "",
                    "direction": "",
                    "sourcePortRanges": [],
                    "destinationPortRanges": [],
                    "sourceAddressPrefixes": [],
                    "destinationAddressPrefixes": []
                }
            }
        ]
    }
}

operation: List Network Security Groups

Input parameters

Parameter Description
Subscription ID Select the subscription credentials that uniquely identify the Azure subscription. The subscription ID forms part of the URI for every service call. This parameter makes an API call named list_of_subscriptions to dynamically populate the Subscription ID's drop-down selections.
Resource Group Name Select the name of the resource group from which you want to retrieve a list of all network security groups. This parameter makes an API call named list_of_resource_groups to dynamically populate the Resource Group Name's drop-down selections.

Output

The output contains the following populated JSON schema:

[
    {
        "name": "",
        "id": "",
        "etag": "",
        "type": "",
        "location": "",
        "properties": {
            "provisioningState": "",
            "resourceGuid": "",
            "securityRules": [
                {
                    "name": "",
                    "id": "",
                    "etag": "",
                    "type": "",
                    "properties": {
                        "provisioningState": "",
                        "protocol": "",
                        "sourcePortRange": "",
                        "destinationPortRange": "",
                        "sourceAddressPrefix": "",
                        "destinationAddressPrefix": "",
                        "access": "",
                        "priority": "",
                        "direction": "",
                        "sourcePortRanges": [],
                        "destinationPortRanges": [],
                        "sourceAddressPrefixes": [],
                        "destinationAddressPrefixes": []
                    }
                }
            ],
            "defaultSecurityRules": [
                {
                    "name": "",
                    "id": "",
                    "etag": "",
                    "type": "",
                    "properties": {
                        "provisioningState": "",
                        "description": "",
                        "protocol": "",
                        "sourcePortRange": "",
                        "destinationPortRange": "",
                        "sourceAddressPrefix": "",
                        "destinationAddressPrefix": "",
                        "access": "",
                        "priority": "",
                        "direction": "",
                        "sourcePortRanges": [],
                        "destinationPortRanges": [],
                        "sourceAddressPrefixes": [],
                        "destinationAddressPrefixes": []
                    }
                }
            ]
        }
    }
]

operation: Get Network Security Group Info

Input parameters

Parameter Description
Subscription ID Select the subscription credentials that uniquely identify the Azure subscription. The subscription ID forms part of the URI for every service call. This parameter makes an API call named list_of_subscriptions to dynamically populate the Subscription ID's drop-down selections.
Resource Group Name Select the name of the resource group from which you want to retrieve the specified network security group. This parameter makes an API call named list_of_resource_groups to dynamically populate the Resource Group Name's drop-down selections.
Network Security Group Name Select the name of the network security group whose details you want to retrieve from the specified resource group. This parameter makes an API call named list_of_network_security_groups_only_names to dynamically populate the Network Security Group Name's drop-down selections.

Output

The output contains the following populated JSON schema:

{
    "name": "",
    "id": "",
    "etag": "",
    "type": "",
    "location": "",
    "properties": {
        "provisioningState": "",
        "resourceGuid": "",
        "securityRules": [
            {
                "name": "",
                "id": "",
                "etag": "",
                "type": "",
                "properties": {
                    "provisioningState": "",
                    "protocol": "",
                    "sourcePortRange": "",
                    "destinationPortRange": "",
                    "sourceAddressPrefix": "",
                    "destinationAddressPrefix": "",
                    "access": "",
                    "priority": "",
                    "direction": "",
                    "sourcePortRanges": [],
                    "destinationPortRanges": [],
                    "sourceAddressPrefixes": [],
                    "destinationAddressPrefixes": []
                }
            }
        ],
        "defaultSecurityRules": [
            {
                "name": "",
                "id": "",
                "etag": "",
                "type": "",
                "properties": {
                    "provisioningState": "",
                    "description": "",
                    "protocol": "",
                    "sourcePortRange": "",
                    "destinationPortRange": "",
                    "sourceAddressPrefix": "",
                    "destinationAddressPrefix": "",
                    "access": "",
                    "priority": "",
                    "direction": "",
                    "sourcePortRanges": [],
                    "destinationPortRanges": [],
                    "sourceAddressPrefixes": [],
                    "destinationAddressPrefixes": []
                }
            }
        ]
    }
}

operation: Update Network Security Group

Input parameters

Parameter Description
Subscription ID Select the subscription credentials that uniquely identify the Azure subscription. The subscription ID forms part of the URI for every service call. This parameter makes an API call named list_of_subscriptions to dynamically populate the Subscription ID's drop-down selections.
Resource Group Name Select the name of the resource group in which you want to update the network security group. This parameter makes an API call named list_of_resource_groups to dynamically populate the Resource Group Name's drop-down selections.
Network Security Group Name Select the name of the network security group that you want to update in the Azure Network Security Group. This parameter makes an API call named list_of_network_security_groups_only_names to dynamically populate the Network Security Group Name's drop-down selections.
Operation to Perform on Network Security Group Select the operation to perform on the Network Security Group. You can choose from the following options:
  • Add Rule: Select this option to add a rule. Additionally, specify values in the following parameters:
    • Rule Type: Select whether you want to associate a single rule or multiple (or custom) rules with the network security group that you want to update in the Azure Network Security Group. Select from the following options:
      • Single Rule: Select this option to update only the specified rule. Specify values in the following fields:
        • Rule Name: The name of the rule to be associated with the network security group that you want to update in the Azure Network Security Group.
        • Protocol: Select the protocol of the rule to be associated with the network security group that you want to update in the Azure Network Security Group. You can choose between *, Ah, Esp, Icmp, Tcp, or Udp.
        • Source Address Prefix: Specify the source address prefix of the rule to be associated with the network security group that you want to update in the Azure Network Security Group.
        • Destination Address Prefix: Specify the destination address prefix of the rule to be associated with the network security group that you want to update in the Azure Network Security Group.
        • Action: Select the action that you want to assign to the rule to be associated with the network security group that you want to update in the Azure Network Security Group. You can choose between Allow or Deny.
        • Destination Port Range: Specify the destination port range of the rule to be associated with the network security group that you want to update in the Azure Network Security Group.
        • Source Port Range: Specify the source port range of the rule to be associated with the network security group that you want to update in the Azure Network Security Group.
        • Priority: Specify the priority of the rule to be associated with the network security group that you want to update in the Azure Network Security Group.
        • Direction: Select the direction that you want to assign to the rule to be associated with the network security group that you want to update in the Azure Network Security Group. You can choose between Inbound or Outbound.
      • Multiple or Custom Rules: Specify the rules in the JSON format for the rule to be associated with the network security group that you want to update in the Azure Network Security Group.
  • Delete Rules: Select the rule names to delete. This parameter makes an API call named "list_of_rule_names_in_a_nsg" to dynamically populate the Rule names drop-down selections.

Output

The output contains the following populated JSON schema:

{
    "name": "",
    "id": "",
    "etag": "",
    "type": "",
    "location": "",
    "properties": {
        "provisioningState": "",
        "resourceGuid": "",
        "securityRules": [
            {
                "name": "",
                "id": "",
                "etag": "",
                "type": "",
                "properties": {
                    "provisioningState": "",
                    "protocol": "",
                    "sourcePortRange": "",
                    "destinationPortRange": "",
                    "sourceAddressPrefix": "",
                    "destinationAddressPrefix": "",
                    "access": "",
                    "priority": "",
                    "direction": "",
                    "sourcePortRanges": [],
                    "destinationPortRanges": [],
                    "sourceAddressPrefixes": [],
                    "destinationAddressPrefixes": []
                }
            }
        ],
        "defaultSecurityRules": [
            {
                "name": "",
                "id": "",
                "etag": "",
                "type": "",
                "properties": {
                    "provisioningState": "",
                    "description": "",
                    "protocol": "",
                    "sourcePortRange": "",
                    "destinationPortRange": "",
                    "sourceAddressPrefix": "",
                    "destinationAddressPrefix": "",
                    "access": "",
                    "priority": "",
                    "direction": "",
                    "sourcePortRanges": [],
                    "destinationPortRanges": [],
                    "sourceAddressPrefixes": [],
                    "destinationAddressPrefixes": []
                }
            }
        ]
    }
}
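
Added example, not part of the connector or its documentation: a pre-flight check for rule JSON destined for the Multiple or Custom Rules parameter of the Create and Update actions, which can equally be run over the securityRules array those actions return. It assumes the parameter takes the same shape as the securityRules entries in the output schema; lint_rules, covers and the sample rules are constructed for this example, and the 100-4096 priority range is Azure's limit rather than something this page states.

```python
import json

PROTOCOLS = {"*", "Ah", "Esp", "Icmp", "Tcp", "Udp"}  # choices listed on this page
ANY_SOURCE = {"*", "Internet", "0.0.0.0/0"}           # sources open to any Internet host
ADMIN_PORTS = (22, 3389)                              # SSH and RDP


def covers(port_expr, ports):
    """True if an NSG port expression ('*', '22', '1000-2000') includes any of ports."""
    if port_expr == "*":
        return True
    low, _, high = port_expr.partition("-")
    low, high = int(low), int(high or low)  # ValueError on malformed input
    return any(low <= port <= high for port in ports)


def lint_rules(rules):
    """Return (rule name, finding) pairs for a list shaped like securityRules."""
    findings, taken = [], {}
    for rule in rules:
        name = rule.get("name") or "<unnamed>"
        props = rule.get("properties") or {}
        if props.get("protocol") not in PROTOCOLS:
            findings.append((name, "unknown protocol"))
        if props.get("access") not in ("Allow", "Deny"):
            findings.append((name, "access must be Allow or Deny"))
        if props.get("direction") not in ("Inbound", "Outbound"):
            findings.append((name, "direction must be Inbound or Outbound"))
        # Azure limit (assumption, not from this page): 100-4096, unique per direction.
        priority = props.get("priority")
        if not isinstance(priority, int) or not 100 <= priority <= 4096:
            findings.append((name, "priority outside 100-4096"))
        else:
            slot = (props.get("direction"), priority)
            if slot in taken:
                findings.append((name, "priority already used by " + taken[slot]))
            taken.setdefault(slot, name)
        # Singular and plural fields are alternatives; read whichever is populated.
        sources = [props.get("sourceAddressPrefix")] + (props.get("sourceAddressPrefixes") or [])
        ports = [props.get("destinationPortRange")] + (props.get("destinationPortRanges") or [])
        try:
            admin_open = any(covers(str(p), ADMIN_PORTS) for p in ports if p)
        except ValueError:
            findings.append((name, "malformed destination port range"))
            continue
        if (props.get("direction") == "Inbound" and props.get("access") == "Allow"
                and admin_open and any(s in ANY_SOURCE for s in sources if s)):
            findings.append((name, "SSH/RDP reachable from any source"))
    return findings


# Constructed sample input, not taken from a real subscription.
SAMPLE_RULES = json.loads("""[
  {"name": "allow-https", "properties": {"protocol": "Tcp", "access": "Allow", "direction": "Inbound",
    "priority": 200, "sourceAddressPrefix": "10.0.0.0/8", "destinationPortRange": "443"}},
  {"name": "allow-mgmt", "properties": {"protocol": "Tcp", "access": "Allow", "direction": "Inbound",
    "priority": 200, "sourceAddressPrefix": "Internet", "destinationPortRanges": ["20-25", "8080"]}},
  {"name": "deny-all", "properties": {"protocol": "Any", "access": "Deny", "direction": "Inbound",
    "priority": 5000, "sourceAddressPrefix": "*", "destinationPortRange": "*"}}
]""")

if __name__ == "__main__":
    for rule_name, finding in lint_rules(SAMPLE_RULES):
        print(rule_name + ": " + finding)
```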

operation: Delete Network Security Group

Input parameters

Parameter Description
Subscription ID Select the subscription credentials that uniquely identify the Azure subscription. The subscription ID forms part of the URI for every service call. This parameter makes an API call named list_of_subscriptions to dynamically populate the Subscription ID's drop-down selections.
Resource Group Name Select the name of the resource group from which you want to delete the specified network security group. This parameter makes an API call named list_of_resource_groups to dynamically populate the Resource Group Name's drop-down selections.
Network Security Group Name Select the name of the network security group that you want to delete from the specified resource group. This parameter makes an API call named list_of_network_security_groups_only_names to dynamically populate the Network Security Group Name's drop-down selections.

Output

The output contains the following populated JSON schema:

{
    "result": ""
}

Included playbooks

The Sample - Azure Network Security Group - 1.2.0 playbook collection comes bundled with the Azure Network Security Group connector. These playbooks contain steps that you can use to perform all supported actions. You can see the bundled playbooks in the Automation > Playbooks section in FortiSOAR™ after importing the Azure Network Security Group connector.

Note: If you are planning to use any of the sample playbooks in your environment, ensure that you clone those playbooks and move them to a different collection since the sample playbook collection gets deleted during connector upgrade and delete.

Getting Access Tokens

You can get authentication tokens to access the Network Security Group APIs using two methods:

  • On behalf of the user – Delegated Permission
  • Without a User – Application Permission

For more information, see https://docs.microsoft.com/en-us/azure/virtual-network/network-security-groups-overview.

Getting Access Tokens using the On behalf of the user – Delegated Permission method

  1. Ensure that the required permissions are granted for the registration of the application.
    For more information, see https://docs.microsoft.com/en-us/azure/role-based-access-control/built-in-roles?toc=/azure/virtual-network/toc.json#network-contributor.
    For example, for an Azure Subscriptions User, the API/Permission names that should be granted are:
    • Microsoft.Authorization/*/read
    • Microsoft.Insights/alertRules/*
    • Microsoft.Network/*
    • Microsoft.ResourceHealth/availabilityStatuses/read
    • Microsoft.Resources/deployments/*
    • Microsoft.Resources/subscriptions/resourceGroups/read
    • user_impersonation to the application created in Azure portal
    • and Microsoft.Support/* of type Delegate.
  2. The Redirect URL can be directed to any web application in which you want to receive responses from Azure Network Security Group. If you are unsure about what to set as a redirect URL, you can use https://localhost/myapp.
  3. Copy the following URL and replace the TENANT_ID, CLIENT_ID, and REDIRECT_URI with your own tenant ID, client ID, and redirect URL: https://login.microsoftonline.com/TENANT_ID/oauth2/v2.0/authorize?response_type=code&scope=https://management.azure.com/.default offline_access&client_id=CLIENT_ID&redirect_uri=REDIRECT_URI
  4. Open the above link, with the values replaced, in a browser. You will be prompted to grant permissions for your Azure Service Management, and you will then be automatically redirected to a link with the following structure: REDIRECT_URI?code=AUTH_CODE&session_state=SESSION_STATE
  5. Copy the AUTH_CODE (without the code= prefix) and paste it into your instance configuration in the Authorization Code parameter.
  6. Enter your client ID in the Application (client) ID parameter field.
  7. Enter your client secret in the Application (client) Secret parameter field.
  8. Enter your tenant ID in the Directory (tenant) ID parameter field.
  9. Enter your redirect URL in the Redirect URL parameter field. By default, it is set to https://localhost/myapp.
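
Steps 3 to 5 as an added example (not code from the connector): the authorization URL is built with its query values percent-encoded, since the scope contains a space and the redirect URL contains reserved characters, and the code is read from the redirect only after checking that the response arrived at the registered redirect URL. The function names and the tenant, client and code values are constructed for illustration.

```python
from urllib.parse import parse_qs, quote, urlencode, urlsplit

AUTHORITY = "https://login.microsoftonline.com"
# Scope string from step 3 of the procedure above.
SCOPE = "https://management.azure.com/.default offline_access"


def build_authorize_url(tenant_id, client_id, redirect_uri):
    """Return the step-3 URL with every query value percent-encoded."""
    query = urlencode(
        {
            "response_type": "code",
            "scope": SCOPE,
            "client_id": client_id,
            "redirect_uri": redirect_uri,
        },
        quote_via=quote,  # encode the space in the scope as %20 rather than '+'
    )
    return f"{AUTHORITY}/{quote(tenant_id, safe='')}/oauth2/v2.0/authorize?{query}"


def extract_auth_code(redirected_url, redirect_uri):
    """Return AUTH_CODE from the step-4 redirect, without the 'code=' prefix."""
    got, want = urlsplit(redirected_url), urlsplit(redirect_uri)
    # The response must land on exactly the redirect URL that was registered.
    if (got.scheme, got.netloc, got.path) != (want.scheme, want.netloc, want.path):
        raise ValueError("redirect does not match the registered redirect URL")
    params = parse_qs(got.query)
    if "error" in params:
        # OAuth 2.0 reports a refused or failed grant through the error parameter.
        raise ValueError("authorization failed: " + params["error"][0])
    codes = params.get("code", [])
    if len(codes) != 1:
        raise ValueError("expected exactly one code parameter")
    return codes[0]


if __name__ == "__main__":
    # Constructed values; substitute your own tenant ID, client ID and redirect URL.
    redirect = "https://localhost/myapp"
    print(build_authorize_url("00000000-0000-0000-0000-000000000000",
                              "11111111-1111-1111-1111-111111111111", redirect))
    pasted = redirect + "?code=AUTH_CODE&session_state=SESSION_STATE"
    print(extract_auth_code(pasted, redirect))
```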

Getting Access Tokens using the Without a User – Application Permission method

  1. Ensure that the required permissions are granted for the registration of the application.
    For more information, see https://docs.microsoft.com/en-us/azure/role-based-access-control/built-in-roles?toc=/azure/virtual-network/toc.json#network-contributor.
    For example, for an Azure Subscriptions Application User, the API/Permission names that should be granted are:
    • Microsoft.Authorization/*/read
    • Microsoft.Insights/alertRules/*
    • Microsoft.Network/*
    • Microsoft.ResourceHealth/availabilityStatuses/read
    • Microsoft.Resources/deployments/*
    • Microsoft.Resources/subscriptions/resourceGroups/read
    • and Microsoft.Support/* of type Application.
  2. Enter your client ID in the Application (client) ID parameter field.
  3. Enter your client secret in the Application (client) Secret parameter field.
  4. Enter your tenant ID in the Directory (tenant) ID parameter field.