Streamline Firewall IP Blocking in Microsoft Sentinel Using Azure Logic Apps and EDL Manager

Executive Summary

Enhancing cybersecurity response speed and efficiency is essential for organizations facing ever-changing threats. This blog post details how to integrate Azure Logic Apps with EDL (External Dynamic List) Manager to automate the blocking of malicious IP addresses on firewalls.

By integrating this Logic App with Microsoft Sentinel incidents, you can automate the process of blocking unwanted IP addresses. I developed this automation to eliminate the manual and repetitive task of updating EDL lists, freeing up valuable time for more strategic security activities.

This solution represents my first experience developing an Azure Automation app, and I'm sharing it to help others facing similar challenges streamline their cybersecurity operations.

The Azure Logic App template available in this repository simplifies adding malicious IP addresses to an EDL Manager Blocklist. This seamless integration helps protect your organization by automating the threat mitigation process.

You can visit my GitHub repository here.

Requirements

Prerequisites

To use this integration, ensure the following:

Azure Permissions

Ensure you have adequate permissions to create and configure the following Azure resources:

  • Azure Key Vault
  • Azure Logic Apps
  • Microsoft Sentinel

Setup Instructions

  1. Deploy the provided Azure Logic App template from the repository.
  2. After deployment:
    • Navigate to the Azure portal.
    • Open your deployed Logic App.
    • Go to API Connections.
    • Select the Microsoft Sentinel API connection.
    • Click Edit, then Authorize, follow the prompts, and finally click Save.

Using the Integration

With this integration configured, you can:

  • Trigger the Logic App as a playbook directly from Microsoft Sentinel.
  • Automatically add identified malicious IP addresses to your firewall’s blocklist.
  • Effectively manage IP-based threats through dynamic EDL integration.

Important Notes

When configuring your API key, format it correctly: the value must be the literal prefix Api-Key, a single space, and then your actual key.

Example:

Api-Key Zdl5P1Cu.ZCHu0AmO7ppQepsL4b8FnHflffUBYFV5

Incorrect formatting will result in API failures.
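The following is an added example, not code from the original post or its repository. It mirrors, in plain Python, the two checks a playbook of this kind should perform before an incident's IP entities reach the EDL Manager blocklist: the Authorization value is normalised to the exact "Api-Key <key>" form the post requires, and private, loopback and link-local addresses are filtered out so a mis-tagged internal host never lands on the firewall blocklist. The entity layout follows the Sentinel incident trigger (kind "Ip", properties.address); the EDL Manager endpoint path and request body shape are assumptions marked as placeholders, and the API key is passed in as a parameter where the Logic App would read it from Key Vault.

```python
"""Added example: pre-flight checks for pushing Sentinel incident IPs to an
EDL Manager blocklist. The endpoint path and body shape below are ASSUMED
placeholders; only the 'Api-Key <key>' header format comes from the post."""
import ipaddress
import re

# The header must be the prefix "Api-Key", one space, then a key with no whitespace.
API_KEY_HEADER_RE = re.compile(r"^Api-Key \S+$")

# Ranges a firewall blocklist should never receive from an automated playbook.
NEVER_BLOCK = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",   # RFC 1918 private space
    "127.0.0.0/8", "169.254.0.0/16", "0.0.0.0/8",       # loopback, link-local, "this" network
    "224.0.0.0/4",                                      # IPv4 multicast
    "::1/128", "fc00::/7", "fe80::/10", "ff00::/8",     # IPv6 loopback, ULA, link-local, multicast
)]


def build_auth_header(raw_key: str) -> str:
    """Return the Authorization value in the 'Api-Key <key>' form.

    Accepts a bare key or one already carrying the prefix (any case), and
    rejects values that would still be malformed: an empty key or a key that
    contains whitespace.
    """
    key = raw_key.strip()
    if key.lower().startswith("api-key"):
        key = key[len("api-key"):].strip()
    if not key:
        raise ValueError("empty API key")
    header = f"Api-Key {key}"
    if not API_KEY_HEADER_RE.match(header):
        raise ValueError("API key must not contain whitespace")
    return header


def is_blockable(addr) -> bool:
    """True when addr is an address a public-facing blocklist may safely contain."""
    return not any(addr in net for net in NEVER_BLOCK)


def blockable_ips(entities: list) -> list:
    """Extract the IP entities of a Sentinel incident that are safe to block.

    Non-IP entities, unparsable addresses, reserved ranges and duplicates are
    dropped; order of first appearance is preserved.
    """
    chosen = []
    for ent in entities:
        if ent.get("kind") != "Ip":
            continue
        try:
            addr = ipaddress.ip_address(ent.get("properties", {}).get("address", ""))
        except ValueError:
            continue  # malformed entity value, skip rather than fail the run
        if is_blockable(addr) and str(addr) not in chosen:
            chosen.append(str(addr))
    return chosen


def build_blocklist_request(base_url: str, raw_key: str, entities: list, list_name: str) -> dict:
    """Assemble (but do not send) the HTTP call the Logic App's HTTP action would make."""
    return {
        "method": "POST",
        # ASSUMED endpoint path: replace with the EDL Manager route your instance exposes.
        "url": f"{base_url.rstrip('/')}/api/lists/{list_name}/entries",
        "headers": {
            "Authorization": build_auth_header(raw_key),
            "Content-Type": "application/json",
        },
        # ASSUMED body shape: adjust to the EDL Manager request schema.
        "body": {"entries": blockable_ips(entities)},
    }


# Constructed sample: the entities array of a Sentinel incident, trimmed to what matters.
SAMPLE_ENTITIES = [
    {"kind": "Ip", "properties": {"address": "203.0.113.45"}},   # documentation range, blockable
    {"kind": "Ip", "properties": {"address": "10.20.30.40"}},    # RFC 1918, must be skipped
    {"kind": "Ip", "properties": {"address": "203.0.113.45"}},   # duplicate, collapsed
    {"kind": "Account", "properties": {"accountName": "jdoe"}},  # not an IP entity
    {"kind": "Ip", "properties": {"address": "fe80::1"}},        # link-local, must be skipped
    {"kind": "Ip", "properties": {"address": "2001:db8::10"}},   # documentation range, blockable
    {"kind": "Ip", "properties": {"address": "not-an-ip"}},      # malformed, skipped
]

if __name__ == "__main__":
    req = build_blocklist_request(
        "https://edl-manager.example.invalid",   # placeholder host
        "EXAMPLE-KEY-PLACEHOLDER",               # constructed key, not a real credential
        SAMPLE_ENTITIES,
        "sentinel-blocklist",
    )
    print(req["headers"]["Authorization"], req["body"])
```

The reserved-range filter is deliberately explicit rather than relying on a library's notion of "private" so that the policy is visible in the playbook and can be extended with your own allowlist (VPN egress, partner ranges) before anything is pushed to the firewall.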

Conclusion

Automating IP threat responses using Azure Logic Apps and EDL Manager ensures faster and more reliable threat mitigation. Deploy and integrate this solution today to enhance your cybersecurity posture.

Deploy To Azure

You can deploy this application using the button below.

TBJ Consulting