Automation in security programs is continuing to become more important. With the increasing number of alerts and threats that organizations are facing on a daily basis, it becomes overwhelming for IT and Security teams to deal with each and every one of them. Automation opportunities in a security program may include notifying stakeholders, launching a change management process, applying specific remediation steps, etc. By automating as many steps of your security program as possible, you can reduce overhead as well as improve your overall security by ensuring that process steps are done quickly, consistently, and according to your predefined requirements.
In this blog post, we will create a new workflow using the workflow automation feature of Azure Security Center and connect it to Azure Logic Apps. This workflow can then trigger a Logic App based on security alerts, recommendations, and changes to regulatory compliance.
Create your Workflow Automation
1. Log in to the Azure Portal.
2. Click Security Center in the left-hand navigation pane.
3. Click Workflow Automation under the Management subheading.
4. Click the Add workflow automation button.
5. On the Add workflow automation flyout menu, complete the following:
   - Enter a Name for your workflow automation.
   - Select the appropriate Subscription from the dropdown.
   - Select the appropriate Resource Group from the dropdown.
6. In the Triggered conditions section, select one of the three options from the Select Security Center data types dropdown:
   - Threat Detection Alerts
     - Fill out the Alert name contains field. The Azure Security Center reference list of alerts is available in the Microsoft documentation.
     - Note: This field is not required.
     - Select the Alert Severity you want to be alerted on.
   - Security Center recommendations
     - Select the recommendation you want to alert on from the Recommendation name dropdown. You can select specific recommendations or all recommendations. For this example, we'll choose Select all.
     - Select the Recommendation state you want to be notified on.
     - Select the Recommendation Severity you want to be notified on.
   - Regulatory Compliance Standards
     - In order to fully evaluate regulatory compliance in Azure, Azure Defender must be enabled. To learn more about enabling Azure Defender and regulatory compliance in Azure, check out the Microsoft documentation.
7. In the Actions section, click the visit the Logic Apps page link.
8. The Logic Apps page will open in a new browser tab. Click the + Add button.
9. Fill out the required fields to create your Logic App:
   - Select the appropriate Resource Group.
   - Enter your Logic app name.
   - Select a Region.
   - Click the Review + create button.
10. If the details on the Review + create screen look good, click the Create button.
11. Once the deployment is complete, click the Go to resource button. You will be redirected to the Logic App Designer.
12. Scroll down to the Templates section and select Security from the Category dropdown.
    - Click the Get a notification email when Security Center creates a recommendation tile.
13. Click the Use this template button.
14. Click the + icon to create a connection to your email account.
15. Click the Sign in button.
16. You will be prompted to connect to your email account.
17. Click the + icon to create a connection to Security Center Recommendations.
18. Once the connection is made, click the Continue button.
19. Based on the template selected in step 12, the Logic App will populate the email with the necessary fields for the notification. Enter your email address in the To field and click the Save button.
20. Navigate back to the Workflow Automation tab and click the Refresh link in the Actions section.
21. Select the Logic App you created from the dropdown and click the Create button.
22. When the workflow automation is triggered, you will receive an email similar to the one below. This email will be populated based on the conditions you established in step 6.
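The same automation that steps 5 through 22 build by clicking through the portal can also be deployed as code, which makes it reviewable and repeatable across subscriptions. The ARM template below is an added example (it is not from the original post or from Microsoft's documentation); it assumes the Logic App from step 9 already exists in the same resource group, that `logicAppTriggerName` is the name of its Security Center recommendation trigger as shown in the Logic App Designer, and that the `Microsoft.Security/automations` property names and `2019-01-01-preview` API version match the schema current for your tenant. It encodes the step 6 choice of Security Center recommendations, with Recommendation state Unhealthy and Recommendation Severity High as the example values.

```json
{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "automationName": { "type": "string", "defaultValue": "notify-high-unhealthy-recommendations" },
    "logicAppName": { "type": "string" },
    "logicAppTriggerName": { "type": "string" }
  },
  "resources": [
    {
      "type": "Microsoft.Security/automations",
      "apiVersion": "2019-01-01-preview",
      "name": "[parameters('automationName')]",
      "location": "[resourceGroup().location]",
      "properties": {
        "description": "Trigger the notification Logic App when a High-severity recommendation is Unhealthy",
        "isEnabled": true,
        "scopes": [
          { "description": "Current subscription", "scopePath": "[subscription().id]" }
        ],
        "sources": [
          {
            "eventSource": "Assessments",
            "ruleSets": [
              {
                "rules": [
                  { "propertyJPath": "properties.metadata.severity", "propertyType": "String", "operator": "Equals", "expectedValue": "High" },
                  { "propertyJPath": "properties.status.code", "propertyType": "String", "operator": "Equals", "expectedValue": "Unhealthy" }
                ]
              }
            ]
          }
        ],
        "actions": [
          {
            "actionType": "LogicApp",
            "logicAppResourceId": "[resourceId('Microsoft.Logic/workflows', parameters('logicAppName'))]",
            "uri": "[listCallbackUrl(resourceId('Microsoft.Logic/workflows/triggers', parameters('logicAppName'), parameters('logicAppTriggerName')), '2016-06-01').value]"
          }
        ]
      }
    }
  ]
}
```

Deploy it with `az deployment group create --resource-group <rg> --template-file automation.json --parameters logicAppName=<name> logicAppTriggerName=<trigger>`; rules inside one `ruleSets` entry are combined with AND, separate entries with OR, so add a second entry rather than a third rule when you want "High or Medium".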
In this blog post we configured workflow automation in Azure Security Center for a Security Center recommendation using Azure Logic Apps.
Thank you for reading!