Workflow automation in Microsoft Defender for Cloud (2023)

  • Article
  • 7 minutes to read

Any security program includes multiple incident response workflows. These processes may include notifying relevant interested parties, initiating a change management process, and applying specific corrective actions. Security experts recommend automating as many steps of these procedures as possible. Automation reduces overhead. You can also improve your security by ensuring that process steps are performed quickly, consistently, and according to your predefined requirements.

This article describes the Microsoft Defender for Cloud workflow automation feature. This feature can trigger logic app consumption on security alerts, recommendations, and regulatory compliance changes. For example, you want Defender for Cloud to send an email to a specific user when an alert occurs. You will also learn how to create logic apps withAzure-Logik-Applications.


Release status:General Availability (GA)
Required roles and permissions:Security administrator roleoownerin resource group
You must also have write permissions on the destination resource

To work with Azure Logic Apps workflows, you must also have the following Logic Apps roles/permissions:
-Logic App OperatorRead/Activate access or permissions are required for logic apps (This role can't create or edit logic apps; it can onlyrunexisting)
-Logic Apps ContributorPermissions are required to create and modify logic apps
If you want to use logic app connectors, you might need different credentials to sign in to their respective services (for example, your Outlook/Teams/Slack instances).

Clouds:Workflow automation in Microsoft Defender for Cloud (1)commercial clouds
Workflow automation in Microsoft Defender for Cloud (2)Nacional (Azure Government, Azure China 21Vianet)

Create a logic app and define when to run it automatically

  1. Select in the Defender for Cloud sidebarWorkflow automation.

    On this page you can create new automation rules, activate, deactivate or delete existing ones.

  2. To define a new workflow, chooseAdd workflow automation. The options panel for your new automation will open.

    Here you can enter:

    1. A name and description for the automation.

    2. The triggers that start this automated workflow. For example, you might want your logic app to run when a security alert containing "SQL" is generated.



      For example, if your trigger is a recommendation with "child recommendations".Vulnerability assessment results on your SQL databases need to be fixed, the logic app does not fire with each new security result; only when the status of the parent recommendation changes.

    3. The consuming logic app that runs when the trigger conditions are met.

  3. In the Actions section, selectVisit the logic apps pageto begin the logic app creation process.

    Workflow automation in Microsoft Defender for Cloud (5)

    You will be redirected to Azure Logic Apps.

  4. Choose(+) Add.

  5. Fill in all the required fields and selectReview + Create.

    The messageDeployment is in progressappears Wait for the deployment completion notification to appear and selectgo to resourceof the notification.

  6. Review and select the information enteredCreate.

    In your new logic app, you can choose from predefined built-in security category templates. Or you can define a custom stream of events that occur when this process is triggered.


    In a logic app, parameters are sometimes included as part of a string instead of in their own field in the connector. See step 14 of for an example of parameter extraction.Work with logic app parameters when creating Microsoft Defender for Cloud workflow automations.

    (Video) Automating Cloud Security Posture and Cloud Workload Protection Responses

    Logic App Designer supports the following Defender for Cloud triggers:

    • When a Microsoft Defender for Cloud recommendation is created or activated- If your logic app is based on a recommendation that's outdated or superseded, your automation will no longer work and you'll need to update your trigger. To track changes in recommendations, use therelease notes.

    • When a Defender for Cloud alert is created or triggered- You can customize the trigger to only apply to alerts with the severities you care about.

    • When a Defender for Cloud compliance assessment is created or activated- Trigger automations based on updates from regulatory compliance assessments.


    If you use the legacy trigger "When a response to a Microsoft Defender for Cloud alert is fired", the workflow automation feature won't start your logic apps. Use one of the above triggers instead.

  7. Once you've defined your logic app, return to the define workflow automation panel (Add workflow automation). ChooseUpdateto make sure your new logic app is available for selection.

    Workflow automation in Microsoft Defender for Cloud (8)

  8. Select your logic app and save the automation. The Logic Apps dropdown only shows logic apps with the Defender for Cloud supported connectors listed above.

Manually activate a logic app

You can also manually run Logic Apps when you see a warning or security notice.

To run a logic app manually, open an alert or recommendation and selectactivation logic application:

(Video) Managing Microsoft Defender for Cloud as Code

Set up workflow automation at scale using the provided guidelines

Automating your organization's incident monitoring and response processes can significantly reduce the time it takes to investigate and mitigate security incidents.

To deploy your automation configurations throughout your organization, use the Azure Policy DeployIfNotExist guidelines below to create and configure workflow automation procedures.

Begin withWorkflow Automation Templates.

To implement these policies:

  1. Select the policy you want to apply from the following table:

    MetaPolicyPolicy ID
    Workflow automation for security alertsProvide workflow automation for Microsoft Defender for Cloud alertsf1525828-9a90-4fcf-be48-268cdd02361e
    Workflow automation for security recommendationsProvide workflow automation for Microsoft Defender for Cloud recommendations73d6ab6c-2475-4850-afd6-43795f3492ef
    Workflow automation for regulatory compliance changesDeliver workflow automation for Microsoft Defender for cloud compliance509122b9-ddd9-47ba-a5f1-d0dac20be63c


    The three workflow automation policies have recently been renamed. Unfortunately, this change came with an inevitable break change. For information on how to mitigate this radical change, seebreak the change abmildern,


    You can also find them by searching Azure Policy:

    1. Open the Azure policy.Workflow automation in Microsoft Defender for Cloud (10)
    2. In the Azure Policy menu, select the optionThe definitionand search by name.
  2. Select on the appropriate Azure Policy pageAssign to.Workflow automation in Microsoft Defender for Cloud (11)

  3. Open each tab and configure the parameters as you wish:

    1. Soythe essentialOn the tab, set the scope of the policy. To use central administration, assign the policy to the administration group that contains the subscriptions that use the workflow automation settings.
    2. On the Parameters tab, enter the required information.

    Workflow automation in Microsoft Defender for Cloud (12)

    (Video) Get started with Microsoft Defender for Cloud

    1. (Optional): Apply this assignment to an existing subscription on theresourceand select the option to create a remediation task.
  4. Review the summary page and selectCreate.

Data type schemas

To view the raw event schemas for security advisory or warning events passed to your logic app instance, visit theData type schemas for workflow automation. This can be useful in cases where you don't use the built-in Defender for Cloud logic app connectors mentioned above, but use the generic logic app HTTP connector instead; you can use the event JSON schema to manually fetch and parse it at will.

FAQ - Workflow Automation

Does workflow automation support business continuity or disaster recovery (BCDR) scenarios?

When preparing your environment for BCDR scenarios where the target resource experiences an outage or other disaster, it is your organization's responsibility to prevent data loss by performing backups in accordance with Azure Event Hubs policies, the workspace from Log Analytics and configured in the logic app.

We recommend creating an identical (disabled) automation for each active automation and saving it to a different location. In the event of an outage, you can activate these backup automations and maintain normal operations.

learn more aboutBusiness continuity and disaster recovery for Azure Logic Apps.

Breaking the mindset of change

We recently renamed the following recommendation:

Unfortunately, this change came with an inevitable break change. The breaking change means that all legacy workflow automation policies that used the built-in connectors are no longer supported.

To mitigate this problem:

  1. Navigate to the logic app associated with the policy.

  2. ChooseLogic App Designer.

  3. Choosethree points>Rename.

  4. Change the name of the Defender for Cloud Connector as follows:

    Original nameNew name
    Provide workflow automation for Microsoft Defender for Cloud alertsWhen a Microsoft Defender for Cloud alert is created or triggered1
    Provide workflow automation for Microsoft Defender for Cloud recommendationsWhen a Microsoft Defender for Cloud recommendation is created or activated
    Deliver workflow automation for Microsoft Defender for cloud complianceWhen a Microsoft Defender for Cloud compliance assessment is created or activated

    1the typocloud alertis intended.

Next steps

In this article, you learned how to create logic apps, automate their execution in Defender for Cloud, and run them manually.

(Video) Introduction to Microsoft Defender for Cloud

For related material see:

  • The learning module on using workflow automation to automate a security response
  • Security recommendations in Microsoft Defender for the cloud
  • Security alerts in Microsoft Defender for the cloud
  • Learn about Azure Logic Apps
  • Connectors for Azure logic apps
  • Data type schemas for workflow automation


1. How to Deploy Microsoft Defender for Cloud at Scale | Microsoft Defender for Cloud Webinar
(Microsoft Security Community)
2. Microsoft Defender for Cloud Apps Security: Overview
(Microsoft Security Community)
3. Protect your Cloud Workloads with Microsoft Defender for Cloud
(Microsoft Security Community)
4. Getting Started with Microsoft Defender for Cloud Apps
(Andy Malone MVP)
5. Learn Live: Plan for cloud workload protections using Microsoft Defender for Cloud | CLL95
(Microsoft Ignite)
6. How to Connect AWS to Microsoft Defender for Cloud [Microsoft Defender for Cloud Demo]
(Microsoft Security Community)


Top Articles
Latest Posts
Article information

Author: Edwin Metz

Last Updated: 15/07/2023

Views: 6031

Rating: 4.8 / 5 (58 voted)

Reviews: 81% of readers found this page helpful

Author information

Name: Edwin Metz

Birthday: 1997-04-16

Address: 51593 Leanne Light, Kuphalmouth, DE 50012-5183

Phone: +639107620957

Job: Corporate Banking Technician

Hobby: Reading, scrapbook, role-playing games, Fishing, Fishing, Scuba diving, Beekeeping

Introduction: My name is Edwin Metz, I am a fair, energetic, helpful, brave, outstanding, nice, helpful person who loves writing and wants to share my knowledge and understanding with you.