
Automate Security Tasks and Workflows in Your Azure Environment. Are you looking to take your organization’s Azure tenant security to the next level with workflow automation? This article explains how to automate security tasks in Microsoft Defender for Cloud and Sentinel.

The first section explains how to use Azure Logic Apps to automate Microsoft Defender for Cloud incident response. While this approach is effective, it is limited to automating at the resource group level.

In the second section, we dive deep into the steps for automating security response workflows with Azure Policies. This approach is more scalable and is used to automate at the subscription level.

The article concludes by demonstrating Azure security workflow automation in Microsoft Sentinel.

So, shall we start with Automate Security Tasks and Workflows in Your Azure Environment?

Azure Security Automation: Overview, Requirements, Environment Prep

To automate Azure security incident responses we use 3 Azure services: Logic Apps, Microsoft Defender for Cloud, and Microsoft Sentinel.

  1. Logic Apps is a platform-as-a-service (PaaS) offering that allows non-admins to create and run automated workflows. It uses a visual designer and provides pre-built operations and connectors to common apps.
  2. Microsoft Defender for Cloud is a complete SaaS security solution that protects Azure, AWS, and on-premises workloads from various cyber threats and vulnerabilities.
  3. Microsoft Sentinel is a cloud-based SIEM (security information and event management) service. It offers security analytics and threat intelligence for workloads in Azure, AWS, Google Cloud and on-premises.

Subscription, Roles, and Permission Requirements

We perform the lab in this article using the free Microsoft Learn Azure sandbox. However, if you perform the tasks in a standard Azure tenant, you need to meet some requirements.

Firstly, selecting all subscriptions from the global subscription filter is required. Otherwise, when you attempt to create a Microsoft Defender for Cloud workflow, you may receive a “no access to subscription” error message.

To select all subscriptions, after signing into Azure portal, click your account’s icon on the top right. Then, choose “Switch directory.”

Finally, click the “Default subscription filter” drop down and select the subscription you want to use. 

You also must create a resource group. 

Finally, your account must meet some requirements. Specifically, you must be assigned the Logic App Contributor role to create and modify logic apps. 

How to Create a Resource Group

Please follow these steps:

1. After signing in to portal.azure.com, search for “resource groups” and select it.

2. Once the Azure Resource groups page opens, click “+ Create.”

3. Enter the required details and click “Review + create.” Then, click Create. 

Use Azure Logic App for Automation of Microsoft Defender for Cloud Security Alerts

Firstly, activate the Microsoft Learn sandbox by following these steps:

1. If you do not have an Azure account, create one and sign in. 
2. Next, open the Microsoft Learn link for the lab. If you do not have a Microsoft Learn account, you must create one and sign in. Use the same email address you used to sign in to Azure. 
3. After signing in, click “Activate sandbox.” 

4. Once activated, click “Review permissions.” Microsoft Learn sandbox requests access to your Microsoft account to create the required resources.

5. Choose “Accept.”

6. In the same browser, open portal.azure.com. Then, select the account you used to sign in to Microsoft Learn.

Create an Azure Logic App

Continuing with how to Automate Security Tasks and Workflows in Your Azure Environment, let’s create an Azure Logic App. A Logic App is required to automate Microsoft Defender for Cloud incident responses. Follow these steps to create one.

1. On the Azure portal, search “logic apps” and open the Azure service. 

2. After that, click “+ Add” to open the new Azure logic app creation wizard. 

3. Once the “Create Logic App” page opens, enter the following values:

Project Details
a) Subscription: Concierge Subscription
b) Resource group: <select your Microsoft Learn resource group>
Instance Details
c) Logic app name: RespondToMalwareAlert (if you receive an error that this name is not available, append some zeros to the name)
d) Plan type: Consumption
e) Windows plan: accept the default
f) Pricing plan: accept the default
Zone redundancy
g) Zone redundancy: Disabled

After entering the details, click “Review + create.”

4. To create the Logic App, click Create. Wait for the resource to be created, then click “Go to resource.”

This opens the Logic Apps Designer page for the logic app you just created. 

5. On the Logic Apps Designer page, scroll to Templates and select the Security category. Then, choose “Get a notification email when Defender for Cloud detects a threat.”

When the template opens, click “Use this template.”

6. On the next page, click “Sign in” next to Office 365 Outlook and sign in with your Microsoft 365 credentials. 

7. After that, next to “Microsoft Defender for Cloud alert,” click Create.

8. Once the 2 connectors are validated, click Connect.

9. Finally, enter the email address(es) that should receive the notification and click Save.
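For reference, this is what the workflow that template produces looks like in the logic app’s code view, as a Logic Apps (Consumption) workflow definition. It is an added example, not the page’s or Microsoft’s template code; the `ascalert` connector name and subscribe path, the alert payload field names, the recipient address and the `<subscription-id>`, `<resource-group>` and `<region>` placeholders are assumptions.

```json
{
  "definition": {
    "$schema": "https://schema.management.azure.com/providers/Microsoft.Logic/schemas/2016-06-01/workflowdefinition.json#",
    "contentVersion": "1.0.0.0",
    "parameters": { "$connections": { "type": "Object", "defaultValue": {} } },
    "triggers": {
      "When_a_Defender_for_Cloud_alert_is_created_or_triggered": {
        "description": "Assumed: connector id 'ascalert' and subscribe path. Fires once per new Defender for Cloud alert; filtering by alert name and severity is done by the workflow automation rule, not here.",
        "type": "ApiConnectionWebhook",
        "inputs": {
          "host": { "connection": { "name": "@parameters('$connections')['ascalert']['connectionId']" } },
          "body": { "callback_url": "@{listCallbackUrl()}" },
          "path": "/Microsoft.Security/Alert/subscribe"
        }
      }
    },
    "actions": {
      "Send_an_email_(V2)": {
        "description": "Assumed: recipient is a placeholder and the triggerBody() field names follow the alert payload. Keep the mail content to alert metadata; the link takes the analyst to the full alert in the portal.",
        "type": "ApiConnection",
        "runAfter": {},
        "inputs": {
          "host": { "connection": { "name": "@parameters('$connections')['office365']['connectionId']" } },
          "method": "post",
          "path": "/v2/Mail",
          "body": {
            "To": "soc-team@example.com",
            "Importance": "High",
            "Subject": "Defender for Cloud alert: @{triggerBody()?['AlertDisplayName']} (@{triggerBody()?['Severity']})",
            "Body": "<p>Compromised entity: @{triggerBody()?['CompromisedEntity']}</p><p>@{triggerBody()?['Description']}</p><p><a href=\"@{triggerBody()?['AlertUri']}\">Open the alert in Defender for Cloud</a></p>"
          }
        }
      }
    },
    "outputs": {}
  },
  "parameters": {
    "$connections": {
      "value": {
        "ascalert": { "connectionId": "/subscriptions/<subscription-id>/resourceGroups/<resource-group>/providers/Microsoft.Web/connections/ascalert", "connectionName": "ascalert", "id": "/subscriptions/<subscription-id>/providers/Microsoft.Web/locations/<region>/managedApis/ascalert" },
        "office365": { "connectionId": "/subscriptions/<subscription-id>/resourceGroups/<resource-group>/providers/Microsoft.Web/connections/office365", "connectionName": "office365", "id": "/subscriptions/<subscription-id>/providers/Microsoft.Web/locations/<region>/managedApis/office365" }
      }
    }
  }
}
```

Comparing this with the designer output is a quick way to confirm that only the two expected connections (Defender for Cloud and Office 365 Outlook) are referenced before you save the app.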

Create a Microsoft Defender for Cloud Workflow Automation

1. Using the search box on the Azure portal, search for “Defender for Cloud” and open it.

2. Next, scroll down the menu on the left and click “Workflow automation,” then select “+ Add workflow automation.” After that, enter the following information:

a) Name: RespondToMalwareAlert
b) Subscription: Concierge Subscription
c) Resource group: <select your Microsoft learn resource group>
Trigger conditions
d) Select Defender for Cloud data types: Security alert
e) Alert name contains: Malware
f) Alert severity: All severities selected
g) Show logic app instances from the following subscriptions: Concierge Subscription
h) Logic app name: copy and paste the name of the logic app you created earlier.

After you’ve added all the settings for the Microsoft Defender for Cloud Workflow automation, click Create. 

After this configuration, when an alert meets the criteria, the logic app sends an email. To trigger it manually instead, open the logic app, click the Run Trigger drop-down, and choose Run. When the run completes, an email is sent.

Use Azure Policies for Automation of Microsoft Defender for Cloud Security Alerts

1. To begin, open the – Configure workflow automation at scale using the supplied policies – page.
2. Then, click the policy in the “Workflow automation for security alerts” column.

3. Azure requires re-authentication. Sign in with your Microsoft Learn sandbox account.

4. Once you sign in, Azure loads the Policy definition page for the Azure Policy template you clicked in step 2. Click Assign.

5. After that, click the scope selector and follow the numbering in the screenshot.

6. Next, update the Parameters page.

7. Finally, click Create to assign the policy.

Note that the policy will NOT be created, because the sandbox is not provisioned for this lab.

Use Playbooks with Automation Rules for Security Threats in Sentinel

What are Microsoft Sentinel Automation Rules and Playbooks?

There are 2 concepts to understand: automation rules and playbooks.

Sentinel automation rules automatically assign incidents to the right person. Additionally, they are used to change the severity of incidents or close known false-positive incidents.

Beyond that, automation rules are also used to run playbooks when specific incidents or alerts are detected. Playbooks, which are based on Azure Logic Apps, extend the automation of Sentinel incidents.

Playbooks put together a set of actions to run in response to incidents in Microsoft Sentinel. Furthermore, they automate responses to specific alerts or incidents.

This gives 2 automation types: alert-based and incident-based automation.

Which one you use depends on your use case. However, Microsoft suggests that incident-based automation rules apply to most use cases.

So, using incidents for automation rules instead of alerts makes sense. 


Create a Microsoft Sentinel Log Analytics Workspace

The demo below follows the Microsoft Learn course – Create a Microsoft Sentinel playbook.

You require an Azure account. If you don’t have an account, create one. 

1. Sign in to the Microsoft Learn page.
2. After that, under Task 1, right-click Deploy to Azure and open it in a new browser tab.

3. On the new browser tab, Microsoft prompts you to sign in to Azure. Even if you’re already signed in on the same browser, you need to re-authenticate.

4. When the deployment from the template page opens, enter the details described below:

a) Subscription: select an Azure subscription in your account. If you do not have a subscription, create one, then return here to continue. 
b) Resource Group: Click Create new, enter azure-sentinel-rg, and click OK.
c) Region: select an Azure region. 
d) Workspace name: enter a unique name for the Azure Sentinel workspace. 
e) Location: Accept the default value – [resourceGroup().location].
f) Simplevm Name: Also accept the default value – simple-vm
g) Simplevm Windows OS Version: Accept the default value, 2016-Datacenter

When you finish entering the values, click “Review + create.” Once Azure has validated the deployment, click Create.

5. Wait for the Sentinel Log Analytics workspace to finish deploying. Then, proceed to the next step.

Set up Microsoft Sentinel Content Hub Connector

1. On the Azure portal, search for “Microsoft Sentinel” and open it.
2. In the Content management menu, choose Content hub.

3. After that, enter Azure Activity in the search box, then check the “Azure Activity” solution and click Install.

4. Then click Manage. The installed connector details page opens.

5. On the “Azure Activity” connector page, check Azure Activity in the Content name column. Afterward, click Open connector page.

6. Scroll to “2. Connect your subscriptions through diagnostic settings new pipeline” and select Launch Azure Policy Assignment Wizard.

7. On the policy assignment page, click the ellipsis under Scope. Then, select a subscription and click Select.

8. When you finish, click the Parameters tab. Select the Microsoft Sentinel workspace you created earlier from the Primary Log Analytics workspace drop-down.

9. Next, click the Remediation tab and check the Create a remediation task checkbox. When you finish, click “Review + create.”

10. Finally, click Create.

After deploying this policy, you are returned to the Azure Activity page. It takes about 15 minutes for the policy to apply and the connector’s status to display “connected.”

While this is happening, proceed to the next task. 

Create a Microsoft Sentinel Playbook with Incident Trigger

1. Follow the screen below to configure playbook permissions.

2. Open the Sentinel workspace and click Automation in the Configuration menu. After that, click “+ Create” and select “Playbook with incident trigger.”

3. On the “Create playbook” page, enter a name for the playbook, then check “Enable diagnostics logs in Log Analytics.” After that, click “Review + create.”

Then, “Create and continue to designer.”

4. The Logic app designer page should display the Microsoft Sentinel incident (preview) – click it. 

5. After that, click the Change connection link.

6. Click Add new to add a new connector. Then, click Sign in. 

7. On the pop-up, sign in with your Microsoft Azure account. Microsoft Sentinel displays that you’re connected to your account. 

Click the highlighted button to close the flyout. 

8. Back on the Microsoft Sentinel incident screen, click the + sign and select Add action.

9. Once the “Add an action” flyout opens, enter Microsoft Sentinel in the search box. After that, on the Microsoft Sentinel section, click see more. 

10. Scroll through and choose Get incident.

11. Click the Incident ARM Id field and type “\.” After that, select “Insert Dynamic content.”

12. A new pop-out is displayed. Enter “arm” in the search field, then choose Incident ARM ID.

13. After that, close the flyout and click the + sign to add another action. 

14. Repeat steps 11 and 12, this time selecting “Update incident” and Incident Owner Object ID. Complete the step using the screenshot below.

15. Save the playbook. 

Create a Microsoft Sentinel Analytics Rule

1. Open Microsoft Sentinel on the Azure portal. Then, open your Microsoft Sentinel workspace. 
2. Once the Sentinel workspace opens, choose Analytics in the Configuration section. After that, click “+ Create” and choose NRT Query Rule (Preview).

3. On the General tab of the “Analytics rule wizard,” enter the information below:

a) Name: Enter a name that describes the action that the rule performs. 
b) Description: enter a description that explains what the rule does.
c) Tactics and Techniques: Select a category, and check all applicable rules. 
d) Severity: select a severity.
e) Status: Enable or disable the rule. 

4. After entering all the details, click the Set rule logic tab.

5. Then, enter this query in the Rule query section and click the Incident setting tab. The rule reads the AzureActivity table, which the Azure Activity connector set up earlier populates, keeps successful operations, and maps the caller and source address to the Account and IP entities:

  AzureActivity                                  // table populated by the Azure Activity connector
  | where ActivityStatusValue == 'Success'       // keep only operations that completed successfully
  | extend AccountCustomEntity = Caller          // map the caller to the Account entity
  | extend IPCustomEntity = CallerIpAddress      // map the source address to the IP entity

6. On the Incident setting tab, confirm that Enabled is selected as highlighted. Next, click “Review + create.”

7. Finally, click save to save the rule.

Thank you for reading Automate Security Tasks and Workflows in Your Azure Environment. We shall conclude this article. 

Automate Security Tasks & Workflows in Your Azure Environment Conclusion

Microsoft Defender for Cloud and Microsoft Sentinel offer organizations the ability to manage security and compliance across their Azure tenant. On their own, these tools provide threat management capabilities.

However, the automation of responses to Azure security incidents is achieved using Azure Logic Apps and Sentinel playbooks.

This hands-on guide explained these 3 Azure services and gave a step-by-step guide to using them to automate security tasks and workflows in your Azure environment.



Victor Ashiedu


Victor is an IT pro based in Manchester, UK. With over 22 years of experience managing Windows Server, Active Directory, and Powershell, and 7 years of expertise in Azure AD and Office 365, he's a seasoned expert in his field. When he's not working, he loves spending time with his family - a wife and a 5-year-old. Victor is passionate about helping businesses succeed in today's fast-changing tech landscape.
