question

RobertPaulson-8767 avatar image
0 Votes"
RobertPaulson-8767 asked ·

Azure Security Center

Good Morning,

We recently started using security center, and we're trying to figure out the Workflow automation. I followed instructions (https://docs.microsoft.com/en-us/azure/security-center/workflow-automation) and it looks good, and is triggering.

8068-workflow.jpg


and the logic app is pretty much default, and fires off an email when it is triggered.

So it seems to work, but it fires off quite a lot!

8152-trigger.jpg

Has anyone used this workflow and a production environment where it doesn't flood a mailbox, or perhaps I'm missing a step. We're still pretty new with Azure Security Center and Workflows/logic apps.

azure-security-center
workflow.jpg (36.7 KiB)
trigger.jpg (21.1 KiB)
10 |1000 characters needed characters left characters exceeded
Toggle Comment visibility. Current Visibility: Visible to all users

Up to 10 attachments (including images) can be used with a maximum of 3.0 MiB each and 30.0 MiB total.

1 Answer

SaurabhSharma-msft avatar image
1 Vote"
SaurabhSharma-msft answered ·

How many recommendations you have selected and how many VMSS instances you have in your subscription ? If you have a large environment that changes constantly and you select a long list of recommendations, this may occur. You may have to narrow your search, instead of selecting a bunch of recommendations, select just some and narrow the recommendation state. The recommendation state filed below is set to “all states”, which means that, once a recommendation changes the state from healthy to unhealthy (and vice versa), it will trigger the logic app. That’s on its own could be a lot of events. Is this really what you want ? All states?


· 1 ·
10 |1000 characters needed characters left characters exceeded
Toggle Comment visibility. Current Visibility: Visible to all users

Up to 10 attachments (including images) can be used with a maximum of 3.0 MiB each and 30.0 MiB total.

SaurabhSharma-msft avatar image SaurabhSharma-msft ·

@RobertPaulson-8767 Please let me know if you have any further question regarding this.


Please do not forget to "Accept the answer" wherever the information provided helps you to help others in the community.

0 Votes 0 ·