Workflow automation (Preview)
Every security program includes multiple workflows for incident response. These processes might include notifying relevant stakeholders, launching a change management process, and applying specific remediation steps. Security experts recommend that you automate as many steps of those procedures as you can. Automation reduces overhead. It can also improve your security by ensuring the process steps are done quickly, consistently, and according to your predefined requirements.
This article describes the Workflow automation feature (preview) of Azure Security Center. This preview feature can trigger Logic Apps on security alerts and recommendations. For example, you might want Security Center to email a specific user when an alert occurs. You'll also learn how to create Logic Apps using Azure Logic Apps.
If you previously used the Playbooks (Preview) view on the sidebar, you'll find the same features together with the expanded functionality in the new Workflow automation (Preview) page.
To work with Azure Logic Apps workflows, you must have the following Logic Apps roles/permissions:
If you want to use Logic App connectors, you may need additional credentials to sign in to their respective services (for example, your Outlook/Teams/Slack instances).
Create a Logic App and define when it should automatically run
From Security Center's sidebar, select Workflow automation (Preview).
From this page you can create new automation rules, as well as enable, disable, or delete existing ones.
To define a new workflow, click Add workflow automation.
A pane appears with the options for your new automation. Here you can enter:
From the Actions section, click Create a new one to begin the Logic App creation process.
You'll be taken to Azure Logic Apps.
Enter a name, resource group, and location, and click Create.
In your new Logic App, you can choose from built-in, predefined templates from the security category. Or you can define a custom flow of events to occur when this process is triggered.
In the Logic App designer the following triggers from the Security Center connectors are supported:
- When an Azure Security Center Recommendation is created or triggered (Preview)
- When an Azure Security Center Alert is created or triggered (Preview)
If you are using the legacy trigger "When a response to an Azure Security Center alert is triggered", your Logic Apps will not be launched by the Workflow Automation feature. Instead, use either of the triggers mentioned above.
After you've defined your Logic App, return to the workflow automation definition pane ("Add workflow automation"). Click Refresh to ensure your new Logic App is available for selection.
Select your Logic App and save the automation. Note that the Logic App dropdown only shows Logic Apps with supporting Security Center connectors mentioned above.
Manually trigger a Logic App
You can also run Logic Apps manually when viewing a security recommendation.
To manually run a Logic App, open a recommendation and click Trigger Logic App (Preview):
Data types schemas
To view the raw event schemas of the security alert or recommendation events passed to the Logic App instance, visit the Workflow automation data types schemas. This is useful when you are not using Security Center's built-in Logic App connectors mentioned above but are instead using Logic Apps' generic HTTP connector: in that case you can use the event JSON schema to parse the incoming payload as you see fit.
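As an added illustration of that "parse it as you see fit" step (this is example code, not part of the article or of Security Center), the following Python shows what a Logic App built on the generic HTTP connector might hand off to: it validates the raw JSON body of an alert event, rejects malformed or incomplete payloads instead of acting on them, and maps the alert's severity to the workflow steps to run. The property names (`AlertDisplayName`, `Severity`, `CompromisedEntity`, `TimeGeneratedUtc`, `ExtendedProperties`) and the sample event are assumptions constructed for this example; confirm the real names against the published data types schemas before relying on them.

```python
import json

# Assumed field names, modelled on typical alert properties; verify them against the
# Workflow automation data types schemas rather than trusting this list.
REQUIRED_FIELDS = ("AlertDisplayName", "Severity", "CompromisedEntity", "TimeGeneratedUtc")
SEVERITY_ORDER = {"Informational": 0, "Low": 1, "Medium": 2, "High": 3}

# Constructed sample payload (not a real alert), shaped like the JSON body a generic
# HTTP trigger would receive from the Workflow automation feature.
SAMPLE_EVENT = json.dumps({
    "AlertDisplayName": "Suspicious process executed",
    "Severity": "High",
    "CompromisedEntity": "vm-web-01",
    "TimeGeneratedUtc": "2020-01-01T12:00:00Z",
    "ExtendedProperties": {"User": "contoso\\svc-deploy"},
})


def parse_alert(raw):
    """Parse and validate the raw JSON body; raise ValueError rather than act on bad input."""
    try:
        event = json.loads(raw)
    except json.JSONDecodeError as exc:
        raise ValueError(f"body is not valid JSON: {exc}") from None
    if not isinstance(event, dict):
        raise ValueError("alert body must be a JSON object")
    missing = [field for field in REQUIRED_FIELDS if field not in event]
    if missing:
        raise ValueError(f"alert is missing required fields: {missing}")
    if event["Severity"] not in SEVERITY_ORDER:
        raise ValueError(f"unknown severity {event['Severity']!r}")
    # Normalise to a small dict so downstream steps never touch the raw payload.
    return {
        "title": event["AlertDisplayName"],
        "severity": event["Severity"],
        "entity": event["CompromisedEntity"],
        "time": event["TimeGeneratedUtc"],
        "extended": event.get("ExtendedProperties", {}),
    }


def choose_actions(alert, min_severity="Medium"):
    """Map severity to the workflow steps to run; returns the ordered list of action names."""
    actions = ["log_to_ticketing"]  # every alert is recorded
    if SEVERITY_ORDER[alert["severity"]] >= SEVERITY_ORDER[min_severity]:
        actions.append("email_security_team")  # notify stakeholders
    if alert["severity"] == "High":
        actions.append("open_change_request")  # start change management
    return actions


if __name__ == "__main__":
    parsed = parse_alert(SAMPLE_EVENT)
    print(parsed["title"], "->", choose_actions(parsed))
```

The validation-first design matters because an HTTP-triggered Logic App accepts whatever body reaches its endpoint; failing closed on a malformed or incomplete event keeps a bad payload from driving notifications or change requests.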
In this article, you learned about creating Logic Apps, running them manually in Security Center, and automating their execution.
For other related material, see the following articles: