Microsoft Azure has a wide range of services built into their cloud ecosystem. These services provide the ability to monitor resources, create and set policies, and identify and mitigate threats within not only the Azure infrastructure, but also to external resources for a consistent security posture across an organization. In the first post of a series of three articles on Azure Security, we focused on the services that make up the foundation of an organization’s security program. Our second article provided guidance on how to use Policies and Initiatives to govern our Azure environment.  In this, our third article, we will discuss how we can manage our environment through Security Center with the use of alerts and automation workflows.

How can Azure Security Center be used for management?

Azure Security Center provides a central source for gathering information from through your Azure environment and reviewing that information based on security best practices. Security Center presents that information in various ways that allow you to evaluate the resources and controls within your environment for potential vulnerabilities and threats.  The information can be presented at the resource level, threat level, and regulatory compliance level.   The amount of information provided is extremely helpful to understand how enabling a control will increase your level of security within the environment in comparison to industry best practices.  The information and recommendations presented in Security Center helps you to manage how resources are deployed and protected on an on-going basis.

Of course, the information within Azure Security Center is only useful if someone is reviewing it and acting upon the recommendations provided.  What happens if no one is reviewing Security Center?  How is the review, response, and remediation handled by your organization?  What happens if a new threat presents itself to your environment and no one is watching the threat protection dashboard?

Security Center has a way to address this with workflow automation.  Workflow automation works similar to Alerts and Actions within Azure Monitor, but there are differences in how it is setup.  The following sections will walk you through the components of a Security Center automation workflow, and the steps that you would take to create them within Security Center. 

What are the components of the workflow?

Security Center workflow automation allows you to create a trigger and from that trigger, initiate an action.  These workflows are created at the subscription level, and you are able to have multiple workflows to cover multiple triggers.  Let’s talk about the main components to creating a workflow.

Trigger conditions

The trigger conditions are the alert criteria that initiates an action.  Trigger conditions have two data types within Security Center that can be used, Threat detection alerts and Security Center recommendations.

These data types can be thought of in the sense of active alerts and passive alerts.  Threat detection alerts would be active and based on potentially an event that could immediately impact the security of your environment.  These alerts should be responded to right away.  Security Center recommendations can be thought of as passive.  Recommendations are just that, and they should be reviewed for potential impact, but unlike the detection of a threat, these recommendations may not be something that are an active exploit to your environment.  These alerts can make you aware of a newly deployed resource that is out of compliance to a policy, however. 

After you have determined the data type that will be used for the trigger condition, you can then identify the details that will initiate an action to take place.  This can get as defined as a specific Security Center recommendation or a threat alert name.   The final criteria is the severity or state of the condition.  Severity can be low, medium, and/or high, and state, which only pertains to recommendation triggers, is unhealthy, healthy, and/or not applicable.  These can be selected in an individual, multiple, or all selection.  Best practice would be to select the high severity and unhealthy state, at a minimum.

Logic Apps

Once a trigger condition is met, an action needs to take place based on the trigger conditions.  This is where Logic Apps come into play.  Security Center workflow automation was compared to Monitor alerts and actions earlier in the article.  Where they differ is that where Monitor has the ability to define the condition, action groups, and alert within configuration tile, Security Center workflow automation requires a Logic App to be used to configure the action and alert that will take place once the trigger conditions are met.

The Logic Apps Designer is used to configure these actions and alerts.  For Azure Security Center, there are two templates available that are built for the trigger conditions in Security Center workflow automation.  These can be located easily within the templates by filtering on the Security category.

Logic App Designer follows a logical if this happens, then do that approach.  The available templates simply get a notification that the trigger condition has been met, and send a notification email to addresses or distribution lists that you identify.  These templates do allow for additional actions to be added, if needed. 

Detail of workflow automation creation steps

Here are the steps and order of operations for creating a workflow automation within Security Center.  The first step when creating a workflow automation is to create a Logic App that will be used as the alert/action for the workflow.  If you already know whether the workflow trigger data source is going to be a threat detection alert or a Security Center recommendation, then you can create a single Logic App within the designer.  If you plan to create workflows for both data sources, then you can just create two Logic Apps.

To create a Logic App:

1. Navigate to Logic App within the Azure Portal

2. Select +Add for a new Logic App

3. Select the subscription

4. Select or create a Resource Group

5. Enter a name

6. Select the region Location

7. Select Review + Create, and then Create

8. Upon create, you will be taken to the Logic App Designer

9. Under the Templates section, under Categories, select Security (see screen shot in Logic App section of this article

10. Two templates will be available based on which trigger data source you will use

11. Select one of these templates and follow the steps to configure.  This will include connecting your O365 account, connecting to Security Center, and configuring the notification email addresses and message.

12. Save the designer when complete

To create a Workflow:

1. Navigate to Security Center

2. In the menu, select Workflow automation

3. Select +Add Workflow automation

4. Enter a Name for your workflow

5. Select a Resource group

6. Configure the Trigger conditions

7. Under Actions, select the Logic App that you created

8. Select Create

Once the deployment is complete, the Workflow automation will be visible in the table with a Status of enabled.  If you need additional workflow automations, follow the same steps and the list will continue to be populated in the table.

Azure Security Center

Azure Security Center is a central source for the overall security health of your organization’s environment.  The tools that are available not only provide visibility into your security posture versus best practice controls, but also assist in managing potential active threats to your environment.  Workflow automation addresses the need to know these vulnerabilities and threats actively to respond and remediate any potential issues before they become a wide-scale issue

What’s Next?

As you build your Azure infrastructure and continue to add resources, it continues to be important that you manage these resources and monitor them for vulnerabilities against the overall organizations security posture and overall best practices. Azure Security Center can help through usage of these workflow automation tools to manage security alerts and vulnerabilities in security controls.

Other Useful Resources

1. Azure Security Center documentation: https://docs.microsoft.com/en-us/azure/security-center/

2. Security Center Workflow automation documentation: https://docs.microsoft.com/en-us/azure/security-center/workflow-automation

3. Logic Apps documentation: https://docs.microsoft.com/en-us/azure/logic-apps/logic-apps-overview

4. Microsoft Learn modules on Azure Policy: https://docs.microsoft.com/en-us/learn/browse/?products=azure&term=policy

5. Azure policy samples: https://docs.microsoft.com/en-us/azure/governance/policy/samples/

6. Azure Policy overview: https://docs.microsoft.com/en-us/azure/governance/policy/overview

7. Built-in policies: https://docs.microsoft.com/en-us/azure/governance/policy/samples/built-in-policies

8. Built-in initiatives: https://docs.microsoft.com/en-us/azure/governance/policy/samples/built-in-initiatives

9. Tutorial on creating a custom policy definition: https://docs.microsoft.com/en-us/azure/governance/policy/tutorials/create-custom-policy-definition

—Dwayne Natwick

Let us know about your success! We love to empower our students and promote them. You can reach us on Twitter, LinkedIn or Facebook