Automate Responses to Azure Security Center Recommendations

Automation in security programs is continuing to become more important. With the increasing number of alerts and threats that organizations are facing on a daily basis, it becomes overwhelming for IT and Security teams to deal with each and every one of them. Automation opportunities in a security program may include notifying stakeholders, launching a change management process, applying specific remediation steps, etc. By automating as many steps of your security program as possible, you can reduce overhead as well as improve your overall security by ensuring that process steps are done quickly, consistently, and according to your predefined requirements.

In this blog post, we will create a new workflow using the workflow automation feature of Azure Security Center and connect it to Azure Logic Apps. This workflow can then trigger a logic app based on security alerts, recommendations, and changes to regulatory compliance.

Prerequisites

Create your Workflow Automation

  1. Log in to the Azure Portal
  2. Click Security Center in the left-hand navigation pane


  3. Click Workflow Automation under the Management subheading


  4. Click the Add workflow automation button


  5. On the Add workflow automation flyout menu, complete the following:
    Enter a Name for your workflow automation
    Select the appropriate Subscription from the dropdown
    Select the appropriate Resource Group from the dropdown


  6. In the Triggered conditions section, select one of the three options from the Select Security Center data types dropdown:

    Threat Detection Alerts



    Fill out the Alert name contains field. You can find the Azure Security Center reference list of alerts here.
    Note: This field is not required.



    Select the Alert Severity you want to be alerted on.



    Security Center recommendations



    Select the recommendation you want to alert on from the Recommendation name dropdown. You can select specific recommendations or all recommendations. For this example, we’ll choose Select all.



    Select the Recommendation state you want to be notified on.



    Select the Recommendation Severity you want to be notified on.



    Regulatory Compliance Standards


    In order to fully evaluate regulatory compliance in Azure, Azure Defender must be enabled. To learn more about enabling Azure Defender and regulatory compliance in Azure, check out the Microsoft documentation.

  7. In the Actions section, click the link labeled visit the Logic Apps page


  8. The Logic Apps page will open in a new browser tab. Click the + Add button


  9. Fill out the required fields to create your Logic App
    Select the appropriate Resource Group
    Enter your Logic app name
    Select a Region
    Click the Review + create button


  10. If the details on the Review + create screen look good, click the Create button


  11. Once the deployment is complete, click the Go to resource button. You will be redirected to the Logic App Designer

  12. Scroll down to the Templates section and select Security from the Category dropdown
    Click the Get a notification email when Security Center creates a recommendation tile


  13. Click the Use this template button


  14. Click the + icon to create a connection to your email account


  15. Click the Sign in button


  16. You will be prompted to connect to your email account

  17. Click the + icon to create a connection to Security Center Recommendations


  18. Once the connection is made, click the Continue button


  19. Based on the template selected in step 12, the Azure Logic app will populate the email with the necessary fields for the notification. Enter your email address in the To field and click the Save button


  20. Navigate back to the Workflow Automation tab and click the Refresh link in the Actions section


  21. Select the Logic app you created from the dropdown and click the Create button

  22. When the workflow automation is triggered, you will receive an email similar to the one below. This email will be populated based on the conditions you established in step 6.

Summary

In this blog post we configured workflow automation in Azure Security Center for a Security Center recommendation using Azure Logic Apps.

Thank you for reading!