Edit

Share via

Automate remediation responses

Every security program includes multiple workflows for incident response. These processes might include notifying relevant stakeholders, starting a change management process, and applying specific remediation steps.

Security experts recommend that you automate as many steps of security procedures as you can. Automation reduces overhead. It can also improve your security by ensuring process steps are done quickly, consistently, and according to your predefined requirements.

This article describes the workflow automation feature of Microsoft Defender for Cloud. This feature can trigger consumption logic apps on security alerts, recommendations, and changes to regulatory compliance. For example, you might want Defender for Cloud to email a specific user when an alert occurs. You'll also learn how to create logic apps by using Azure Logic Apps.

Prerequisites

Before you start:

  • You need to have Security admin role or Owner on the resource group.

  • You must have write permissions for the target resource.

  • To work with Azure Logic Apps workflows, you must have the following Logic Apps roles or permissions:

    • Logic App Operator permissions are required or Logic App read or trigger access. Users with this role can't create or edit logic apps. They can only run existing ones.
    • Logic App Contributor permissions are required for logic app creation and modification.

  • If you want to use Logic Apps connectors, you might need other credentials to sign in to their respective services (for example, your Outlook, Teams, or Slack instances).

Create a logic app and define when it should automatically run

Follow these steps:

  1. On the Defender for Cloud sidebar, select Workflow automation.

    Screenshot that shows the workflow automation pane with the list of defined automations.

  2. On this page, you can create new automation rules or enable, disable, or delete existing ones. A scope refers to the subscription where the workflow automation is deployed.

  3. To define a new workflow, select Add workflow automation. The options pane for your new automation opens.

    Screenshot that shows the Workflow automation pane.

  4. Enter the following:

    • A name and description for the automation.
    • The triggers that initiate this automatic workflow. For example, you might want your logic app to run when a security alert generates that contains the phrase SQL.

  5. Specify the consumption logic app that will run when your trigger conditions are met.

  6. On the Actions section, select visit the Logic Apps page to begin the process to create a logic app.

    Screenshot that shows the Actions section of the Add workflow automation screen and the link to go to Azure Logic Apps.

    You are taken to Azure Logic Apps.

  7. Select (+) Add.

  8. Fill out all required fields, and then select Review + Create.

    Screenshot that shows where to create a logic app.

    The message Deployment is in progress appears. Wait for the Deployment complete notification to appear, and then select Go to resource.

  9. Review the information you entered, and then select Create.

    In your new logic app, you can choose from built-in, predefined templates from the security category. Or you can define a custom flow of events that occur when this process is triggered.

    Tip

    Sometimes, parameters are included in a logic app in the connector as part of a string and not in their own field. For an example of how to extract parameters, see step 14 of Working with logic app parameters while building Microsoft Defender for Cloud workflow automations.

Supported triggers

The logic app designer supports the following Defender for Cloud triggers:

  • When a Microsoft Defender for Cloud recommendation is created or triggered: If your logic app relies on a recommendation that gets deprecated or replaced, your automation stops working and you need to update the trigger. To track changes to recommendations, use the release notes.

  • When a Defender for Cloud Alert is created or triggered: You can customize the trigger so that it relates only to alerts with the severity levels that interest you.

  • When a Defender for Cloud regulatory compliance assessment is created or triggered: You want to trigger automations based on updates to regulatory compliance assessments.

Note

If you're using the legacy trigger When a response to a Microsoft Defender for Cloud alert is triggered, the Workflow Automation feature doesn't open your logic apps. Instead, use either of the triggers mentioned previously.

  1. After you define your logic app, return to the Add workflow automation pane.

  2. Select Refresh to ensure your new logic app is available for selection.

  3. Select your logic app, and then save the automation. The dropdown menu shows only logic apps that have supporting Defender for Cloud connectors.

Manually trigger a logic app

You can also manually run logic apps when you view any security alert or recommendation.

To manually run a logic app, open an alert or a recommendation, and then select Trigger logic app.

Screenshot that shows how to manually trigger a logic app.

Configure workflow automation at scale

When you automate your organization's monitoring and incident response processes, the time it takes to investigate and mitigate security incidents can greatly improve.

To deploy your automation configurations across your organization, use the supplied Azure Policy DeployIfNotExist policies (mentioned later) to create and configure workflow automation procedures.

Get started with workflow automation templates.

To implement these policies:

  1. In the following table, select the policy that you want to apply:

    Goal Policy Policy ID
    Workflow automation for security alerts Deploy Workflow Automation for Microsoft Defender for Cloud alerts f1525828-9a90-4fcf-be48-268cdd02361e
    Workflow automation for security recommendations Deploy Workflow Automation for Microsoft Defender for Cloud recommendations 73d6ab6c-2475-4850-afd6-43795f3492ef
    Workflow automation for regulatory compliance changes Deploy Workflow Automation for Microsoft Defender for Cloud regulatory compliance 509122b9-ddd9-47ba-a5f1-d0dac20be63c

    You can also find policies by searching Azure Policy. In Azure Policy, select Definitions, and then search for them by name.

  2. On the relevant Azure Policy page, select Assign. Screenshot that shows how to assign the Azure policy.

  3. On the Basics tab, set the scope for the policy. To use centralized management, assign the policy to the Management Group that contains the subscriptions that use the workflow automation configuration.

  4. On the Parameters tab, enter the required information.

    Screenshot that shows the Parameters tab.

  5. (Optional) Apply this assignment to an existing subscription on the Remediation tab, and then select the option to create a remediation task.

  6. Review the summary page, and then select Create.

    Data types schemas

    To view the raw event schemas of the security alerts or recommendations events that are passed to the logic app, go to the data types schemas for workflow automation. This process can be useful in cases where you aren't using the Defender for Cloud built-in Logic Apps connectors (mentioned previously), but instead are using the generic HTTP connector. You can use the event JSON schema to manually parse it as you see fit.

Related content