Any security program includes multiple incident response workflows. These processes may include notifying relevant stakeholders, initiating a change management process, and applying specific corrective actions. Security experts recommend automating as many steps of these procedures as possible. Automation reduces overhead, and it also improves your security posture by ensuring that process steps are performed quickly, consistently, and according to your predefined requirements.
This article describes the Microsoft Defender for Cloud workflow automation feature. This feature can trigger Consumption logic apps on security alerts, recommendations, and changes to regulatory compliance. For example, you might want Defender for Cloud to send an email to a specific user when an alert occurs. You will also learn how to create logic apps with Azure Logic Apps.
|Release status:|General Availability (GA)|
|Required roles and permissions:|Security administrator role or Owner on the resource group. You must also have write permissions on the target resource. To work with Azure Logic Apps workflows, you must also have the following Logic Apps roles/permissions:|
|Clouds:|National (Azure Government, Azure China 21Vianet)|
Create a logic app and define when to run it automatically
In the Defender for Cloud sidebar, select Workflow automation.
On this page you can create new automation rules and enable, disable, or delete existing ones.
To define a new workflow, choose Add workflow automation. The options panel for your new automation opens.
Here you can enter:
A name and description for the automation.
The triggers that start this automated workflow. For example, you might want your logic app to run when a security alert containing "SQL" is generated.
For example, if your trigger is a recommendation that has child recommendations, such as Vulnerability assessment findings on your SQL databases should be remediated, the logic app does not fire with each new security finding; it fires only when the status of the parent recommendation changes.
The Consumption logic app that runs when the trigger conditions are met.
In the Actions section, select Visit the Logic Apps page to begin the logic app creation process.
You will be redirected to Azure Logic Apps.
Fill in all the required fields and select Review + Create.
The message Deployment is in progress appears. Wait for the deployment completion notification to appear and select Go to resource in the notification.
Review the information you entered and select Create.
In your new logic app, you can choose from predefined built-in templates in the security category. Or you can define a custom flow of events that occurs when this process is triggered.
In a logic app, parameters are sometimes included as part of a string instead of in their own field in the connector. For an example of parameter extraction, see step 14 of Working with logic app parameters while building Microsoft Defender for Cloud workflow automations.
The Logic App Designer supports the following Defender for Cloud triggers:
- When a Microsoft Defender for Cloud recommendation is created or activated: if your logic app is based on a recommendation that has been deprecated or replaced, your automation will stop working and you'll need to update the trigger. To track changes to recommendations, use the release notes.
- When a Defender for Cloud alert is created or triggered: you can customize the trigger so that it applies only to alerts with the severities you care about.
- When a Defender for Cloud compliance assessment is created or activated: trigger automations based on updates to regulatory compliance assessments.
If you use the legacy trigger "When a response to a Microsoft Defender for Cloud alert is triggered", the workflow automation feature won't run your logic apps. Use one of the triggers above instead.
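The trigger rules above (alert name filter plus severity selection, and the parent-recommendation rule from the earlier paragraph) can be modelled in a few lines. This is a constructed illustration added here, not Defender for Cloud or Logic Apps code; the event field names (name, severity, resource, status, kind) are assumptions for the example.

```python
"""Model of the Defender for Cloud workflow-automation trigger rules described above.

Constructed illustration, not product code. Event field names are assumed.
"""
from dataclasses import dataclass, field

ALL_SEVERITIES = frozenset({"Low", "Medium", "High"})


@dataclass
class AlertTrigger:
    """Fires for alerts whose name contains a substring and whose severity is selected."""
    name_contains: str = ""
    severities: frozenset = ALL_SEVERITIES

    def should_fire(self, alert: dict) -> bool:
        name_ok = self.name_contains.lower() in alert["name"].lower()
        return name_ok and alert["severity"] in self.severities


@dataclass
class RecommendationTrigger:
    """Fires only when the parent recommendation's status changes on a resource;
    child findings never fire it, and an unchanged parent status is ignored."""
    recommendation: str
    _last_status: dict = field(default_factory=dict)  # resource -> last status seen

    def should_fire(self, event: dict) -> bool:
        if event["name"] != self.recommendation or event["kind"] != "parent":
            return False
        previous = self._last_status.get(event["resource"])
        self._last_status[event["resource"]] = event["status"]
        return previous != event["status"]


def run_sample() -> dict:
    """Replay constructed events and return how often each trigger fires."""
    alerts = AlertTrigger(name_contains="SQL", severities=frozenset({"High", "Medium"}))
    recs = RecommendationTrigger("Vulnerability assessment findings on your SQL databases")
    alert_events = [  # constructed sample alerts
        {"name": "Suspected brute force attack on SQL server", "severity": "High"},
        {"name": "Suspected brute force attack on SQL server", "severity": "Low"},
        {"name": "Unusual user agent accessed a storage account", "severity": "High"},
    ]
    rec_events = [  # constructed: one parent recommendation with child findings
        {"name": recs.recommendation, "kind": "parent", "resource": "sql-db-1", "status": "Unhealthy"},
        {"name": recs.recommendation, "kind": "child", "resource": "sql-db-1", "status": "Unhealthy"},
        {"name": recs.recommendation, "kind": "child", "resource": "sql-db-1", "status": "Unhealthy"},
        {"name": recs.recommendation, "kind": "parent", "resource": "sql-db-1", "status": "Unhealthy"},
        {"name": recs.recommendation, "kind": "parent", "resource": "sql-db-1", "status": "Healthy"},
    ]
    return {"alerts": sum(alerts.should_fire(e) for e in alert_events),
            "recommendations": sum(recs.should_fire(e) for e in rec_events)}
```

Only the High SQL alert and the two parent status transitions (new Unhealthy, then Healthy) fire; the two child findings and the repeated Unhealthy status do not.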
Once you've defined your logic app, return to the Add workflow automation panel. Choose Refresh to make sure your new logic app is available for selection.
Select your logic app and save the automation. The Logic Apps dropdown shows only logic apps that use the supported Defender for Cloud connectors listed above.
Manually trigger a logic app
You can also run logic apps manually when viewing any security alert or recommendation.
To run a logic app manually, open an alert or recommendation and select Trigger logic app:
Configure workflow automation at scale using the supplied policies
Automating your organization's incident monitoring and response processes can significantly reduce the time it takes to investigate and mitigate security incidents.
To deploy your automation configurations across your organization, use the supplied Azure Policy DeployIfNotExist policies described below to create and configure workflow automation procedures.
Get started with workflow automation templates.
To implement these policies:
Select the policy you want to apply from the following table:
|Goal|Policy|Policy ID|
|---|---|---|
|Workflow automation for security alerts|Provide workflow automation for Microsoft Defender for Cloud alerts|f1525828-9a90-4fcf-be48-268cdd02361e|
|Workflow automation for security recommendations|Provide workflow automation for Microsoft Defender for Cloud recommendations|73d6ab6c-2475-4850-afd6-43795f3492ef|
|Workflow automation for regulatory compliance changes|Deliver workflow automation for Microsoft Defender for cloud compliance|509122b9-ddd9-47ba-a5f1-d0dac20be63c|
The three workflow automation policies have recently been renamed. Unfortunately, this change came with an unavoidable breaking change. For information on how to handle it, see Mitigate the breaking change.
You can also find them by searching Azure Policy:
- Open Azure Policy.
- In the Azure Policy menu, select Definitions and search by name.
On the relevant Azure Policy page, select Assign.
Open each tab and configure the parameters as you wish:
- On the Basics tab, set the scope of the policy. To use centralized management, assign the policy to the management group that contains the subscriptions that will use the workflow automation configuration.
- On the Parameters tab, enter the required information.
- (Optional) On the Remediation tab, apply this assignment to an existing subscription and select the option to create a remediation task.
Review the summary page and select Create.
Data type schemas
To view the raw event schemas of the security alert or recommendation events passed to your logic app instance, see Data type schemas for workflow automation. This is useful when you don't use the built-in Defender for Cloud logic app connectors mentioned above but the generic Logic Apps HTTP connector instead; you can then use the event JSON schemas to parse the events manually as you see fit.
FAQ - Workflow Automation
Does workflow automation support business continuity or disaster recovery (BCDR) scenarios?
When preparing your environment for BCDR scenarios in which the target resource experiences an outage or another disaster, it is your organization's responsibility to prevent data loss by establishing backups according to the guidelines of Azure Event Hubs, Log Analytics workspaces, and Logic Apps.
We recommend creating an identical (disabled) automation for every active automation and saving it to a different location. In the event of an outage, you can enable these backup automations and maintain normal operations.
Learn more about Business continuity and disaster recovery for Azure Logic Apps.
Mitigate the breaking change
We recently renamed the following policies:
- Provide workflow automation for Microsoft Defender for Cloud alerts
- Provide workflow automation for Microsoft Defender for Cloud recommendations
- Deliver workflow automation for Microsoft Defender for cloud compliance
Unfortunately, this change came with an unavoidable breaking change: all legacy workflow automation policies that used the built-in connectors are no longer supported.
To mitigate this problem:
Navigate to the logic app associated with the policy.
Choose Logic App Designer.
Change the name of the Defender for Cloud connector as follows:
|Original name|New name|
|---|---|
|Provide workflow automation for Microsoft Defender for Cloud alerts|When a Microsoft Defender for Cloud alert is created or triggered|
|Provide workflow automation for Microsoft Defender for Cloud recommendations|When a Microsoft Defender for Cloud recommendation is created or activated|
|Deliver workflow automation for Microsoft Defender for cloud compliance|When a Microsoft Defender for Cloud compliance assessment is created or activated|
In this article, you learned how to create logic apps, automate their execution in Defender for Cloud, and run them manually.
For related material, see:
- The learning module on using workflow automation to automate a security response
- Security recommendations in Microsoft Defender for Cloud
- Security alerts in Microsoft Defender for Cloud
- Learn about Azure Logic Apps
- Connectors for Azure Logic Apps
- Data type schemas for workflow automation