Necessary "Role Assignments" for the LogicApp are not added
gsriramit opened this issue · 3 comments
Describe the bug
Issue behavior: When the Sentinel Playbook (Logic App) is executed, the execution fails at the point where it tries to read the WAF policy attached to the application gateway. Following is an excerpt from the error message:

```json
{
  "error": {
    "code": "AuthorizationFailed",
    "message": "The client '{logicapp-systemassignedIdentity's-PrincipalId}' with object id '{logicapp-systemassignedIdentity's-PrincipalId} does not have authorization to perform action 'microsoft.network/applicationgateways/read' over scope '/subscriptions/{SubscriptionId}/resourcegroups/rg-netsecninja/providers/microsoft.network/applicationgateways/soc-ns-ag-wafv2' or the scope is invalid. If access was recently granted, please refresh your credentials."
  }
}
```
Similar issues would be observed when the following actions are performed by the playbook:
- Update the WAF policy with the identified suspicious IP address
- Read the WAF policy associated with the Front Door Instance
- Update the WAF policy associated with the FD
This behavior is observed when the playbook gets executed (based on the configured analytics rule).
Reference to the tech community article
https://techcommunity.microsoft.com/t5/azure-network-security-blog/integrating-azure-web-application-firewall-with-azure-sentinel/ba-p/1720306
The relative path of the playbook
Azure%20WAF/Playbook%20-%20WAF%20Sentinel%20Playbook%20Block%20IP
Reproduce
Steps to reproduce the behavior:
- Deploy the resources needed for the WAF testing lab (Azure WAF/Lab Template - WAF Attack Testing Lab/AzNetSecdeploy_Juice-Shop_AZFW-Rules_Updated.json)
- Perform lab exercise steps 1 through 4 of Part 1
- Create a Sentinel resource atop the Log Analytics workspace that was created before step #1 was performed
- Deploy the playbook from this path (Azure WAF/Playbook - WAF Sentinel Playbook Block IP/template.json)
- Configure the analytics rule based on the documentation provided in this article
- The playbook should be triggered when the analytics rule condition is met.
The app would error out in the step where it tries to read the WAF policy on the gateway/Front Door.
Expected behavior
The playbook should get executed successfully
Screenshots
Error information has been provided in the Description section
Environment- if applicable
NA
Additional context
A Pull Request with the necessary fixes has been created and is pending approval (as of 08/18) - #173
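Added example, not taken from the repository or from PR #173: an ARM template fragment of the kind that could sit alongside the playbook resource in template.json, defining a least-privilege custom role for the operations the issue lists and assigning it to the Logic App's system-assigned identity at resource-group scope. The parameter and variable names, the apiVersions and the exact action list are assumptions (the action names are mapped from the issue's description of what the playbook does; verify them against the Microsoft.Network provider operations before deploying), and the template assumes a `Microsoft.Logic/workflows` resource named by `PlaybookName` with `identity.type` set to `SystemAssigned` is deployed in the same template.

```json
{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": { "PlaybookName": { "type": "string", "defaultValue": "WAF-Sentinel-Playbook-Block-IP" } },
  "variables": {
    "wafRoleName": "[concat('WAF Block IP Playbook Role (', resourceGroup().name, ')')]",
    "wafRoleId": "[guid(resourceGroup().id, 'waf-block-ip-playbook-role')]"
  },
  "resources": [
    {
      "type": "Microsoft.Authorization/roleDefinitions",
      "apiVersion": "2022-04-01",
      "name": "[variables('wafRoleId')]",
      "properties": {
        "roleName": "[variables('wafRoleName')]",
        "description": "Assumed least-privilege set: read the gateway and Front Door WAF policies and update their rules.",
        "type": "CustomRole",
        "permissions": [
          {
            "actions": [
              "Microsoft.Network/applicationGateways/read",
              "Microsoft.Network/ApplicationGatewayWebApplicationFirewallPolicies/read",
              "Microsoft.Network/ApplicationGatewayWebApplicationFirewallPolicies/write",
              "Microsoft.Network/frontdoorWebApplicationFirewallPolicies/read",
              "Microsoft.Network/frontdoorWebApplicationFirewallPolicies/write"
            ],
            "notActions": []
          }
        ],
        "assignableScopes": [ "[resourceGroup().id]" ]
      }
    },
    {
      "type": "Microsoft.Authorization/roleAssignments",
      "apiVersion": "2022-04-01",
      "name": "[guid(resourceGroup().id, parameters('PlaybookName'), variables('wafRoleId'))]",
      "dependsOn": [
        "[resourceId('Microsoft.Logic/workflows', parameters('PlaybookName'))]",
        "[resourceId('Microsoft.Authorization/roleDefinitions', variables('wafRoleId'))]"
      ],
      "properties": {
        "roleDefinitionId": "[resourceId('Microsoft.Authorization/roleDefinitions', variables('wafRoleId'))]",
        "principalId": "[reference(resourceId('Microsoft.Logic/workflows', parameters('PlaybookName')), '2019-05-01', 'full').identity.principalId]",
        "principalType": "ServicePrincipal"
      }
    }
  ]
}
```

Whoever deploys the template needs Microsoft.Authorization/roleDefinitions/write and roleAssignments/write on the resource group (for example Owner or User Access Administrator), and after deployment the assignment can be checked with `az role assignment list --assignee <principalId> --resource-group <rg>`.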
@gsriramit Thank you for the feedback. We will look into this and get back on this issue.