Workflow automation in Azure Security Center



In this tutorial, we will learn and understand the workflow automation feature of Azure Security Center. This feature can trigger Logic Apps in response to security alerts and recommendations. Every security program includes multiple workflows for incident response, such as notifying relevant stakeholders, initiating a change management procedure, and applying specific remediation steps.

Security experts recommend automating as many steps of those procedures as you can. Automation reduces overhead and improves your security by ensuring the process steps are carried out consistently and according to requirements.

Creating a Logic App and defining an automatically running process

  • Firstly, from Security Center’s sidebar, select Workflow automation. On this page you can create new automation rules, as well as enable, disable, or delete existing ones.
Image: workflow automation page (source: Microsoft)
  • Secondly, to define a new workflow, click Add workflow automation. A pane appears with the options for your new automation, where you enter:
    • Firstly, a name and description for the automation.
    • Secondly, the triggers that will initiate this automatic workflow.
    • Lastly, the Logic App that will run when your trigger conditions are met.
  • Thirdly, from the Actions section, click Create a new one to begin the Logic App creation process. You’ll be taken to Azure Logic Apps.
  • Then, enter a name, resource group, and location, and click Create.
  • After that, in your new Logic App, you can choose from built-in, predefined templates in the security category. In the Logic App designer, the following triggers from the Security Center connector are supported:
    • Firstly, when an Azure Security Center Recommendation is created or triggered
    • Secondly, when an Azure Security Center Alert is created or triggered
  • And, after defining your Logic App, return to the workflow automation definition pane (“Add workflow automation”). There, click Refresh to ensure your new Logic App is available for selection.
  • Lastly, select your Logic App and save the automation. Note that the Logic App dropdown only shows Logic Apps that use the Security Center connector triggers mentioned above.

Manually triggering a Logic App

You can also run a Logic App manually from any security alert or recommendation. Open the alert or recommendation and click Trigger Logic App to execute the Logic App on demand.

Data types schemas

  • Visit the Workflow automation data types schemas to see the raw event schemas of the security alert and recommendation events passed to the Logic App instance. This is useful if you aren’t using Security Center’s built-in Logic App connectors.
  • If you’re using the Logic App’s generic HTTP connector instead, you can use the event JSON schema to parse the event manually as needed.

Reference: Microsoft Documentation

