Security Automation reduces the time it takes to detect and respond to recurring incidents and benign positive threat detections, thereby freeing security analysts’ time to focus on strategic tasks, like threat hunting and compliance management. Microsoft’s flagship security products Microsoft Sentinel and Microsoft Defender for Cloud include rich automation resources that can substantially enhance your cybersecurity efforts.
Security orchestration, automation and response (SOAR), extended detection and response (XDR), and security as code are advanced and desirable components of a modern IT estate. The Microsoft Azure solution stack enables all of these through robust and extensible automation services and features. This article focuses on the automation options available natively in Microsoft Sentinel and Microsoft Defender for Cloud.
Azure Logic Apps
Microsoft Azure Logic Apps automate business and security processes. They are microservices that you author, composed of connectors, triggers, and actions.
- There are over 620 built-in connectors, ranging from Adobe Creative Cloud to Zoom Meetings and covering virtually every cloud application or service that you might need to interface with. You can also author custom connectors using REST or SOAP APIs to any application.
- The built-in Logic App triggers most relevant to security automation are ‘when an Azure Security Center alert, recommendation, or regulatory compliance assessment is created or triggered’ and ‘when a response to a Microsoft Sentinel alert or incident is triggered’.
- Every connector offers multiple actions, and any of them can be included in an automation workflow regardless of which trigger starts the logic app. In other words, the entire universe of thousands of automation actions is available to you: a canvas with practically unlimited possibilities for automation.
Both Microsoft Sentinel and Microsoft Defender for Cloud incorporate Azure Logic Apps as their primary automation tool. The only difference is the trigger, which is the first action in every logic app.
Defender for Cloud Workflow Automation
Microsoft Defender for Cloud is a tool for security posture management and threat protection. The security requirements it addresses, (1) continuously assess current security posture, (2) secure and harden resources, and (3) defend against and detect threats, each produce an output that a Logic App can trigger on.
Logic apps that use the Azure Security Center alert, recommendation, or regulatory compliance assessment trigger appear in the Microsoft Defender for Cloud portal under Management -> Workflow automation. The trigger conditions you can use in Defender for Cloud workflow automation are:
- Security Alert: Name (like “Traffic detected from IP addresses recommended for blocking”) and severity (like “All severities”).
- Recommendation: Name of recommendation (like “Endpoint protection should be installed”), severity (like “High”), and state (like “Unhealthy”).
- Regulatory compliance standard: Compliance standard name (like “PCI-DSS”) and control state (like “Failed”).
SOAR use case: A workflow automation that blocks attacking IP addresses in an Azure Network Security Group (NSG) in response to a brute force attack alert detected by Defender for Cloud. (This logic app, “BlockBruteForceAttack”, is available to import directly from GitHub.)
Microsoft Sentinel Playbooks
Microsoft Sentinel is a scalable, cloud-native security information and event management (SIEM) solution. Among its many features, Microsoft Sentinel can respond to incidents rapidly with built-in orchestration and automation of common tasks. Like Defender for Cloud, Microsoft Sentinel uses Azure Logic Apps as its primary automation tool.
Within Microsoft Sentinel, logic apps are called Playbooks. One or more playbooks can be invoked in response to specific Microsoft Sentinel incidents. This is an extremely powerful solution for creating monitoring overrides that suppress alerting when benign positive detections occur. Playbooks can also perform extensive post-processing of incidents, including investigative and enrichment actions that speed and ease investigation. Examples are adding geographic tags to incidents and comparing the IP, user, and host entities in an incident against watchlists of known safe or hostile entities.
SOAR use case: A playbook that opens ServiceNow incidents when new incidents occur in Microsoft Sentinel, including setting an appropriate ServiceNow priority: Critical, Moderate, or Planning. (This playbook, “Create-SNOW-record”, is available to import directly from GitHub.)
Microsoft Sentinel Automation Rules
Microsoft Sentinel has a second automation feature in addition to playbooks: Automation Rules, which execute wholly within Microsoft Sentinel. When automation requirements are simpler, an automation rule alone can meet the need. Automation rules have the following construction:
- Trigger: When incident is created.
- Conditions: If Analytics rule name matches or does not match.
- Additional conditions: If incident properties such as severity or tactics do or don’t match.
- Actions, one or more of:
  - Run a playbook
  - Change incident status (such as “Closed”)
  - Change severity (such as “Medium”)
  - Assign owner (to any Azure AD user, group, or service principal)
  - Add tags (such as “Autoclose = $true”)
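The following is an added example, not Microsoft's code or any part of Sentinel: a small Python model of how an automation rule of the construction listed above is evaluated when an incident is created. The rule and incident classes, the action names, the sample rules (a monitoring override that auto-closes benign-positive scanner hits, and a hand-off of high-severity incidents to the “Create-SNOW-record” playbook) and the sample incidents are all constructed for the example; the owner address is a placeholder.

```python
"""Added example (not Microsoft code): evaluation of a Sentinel-style
automation rule against a newly created incident. Rules are constructed
sample data; action names are this example's own vocabulary."""
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class Incident:
    title: str
    analytics_rule: str          # name of the analytics rule that created it
    severity: str
    tactics: set
    status: str = "New"
    owner: Optional[str] = None
    tags: dict = field(default_factory=dict)
    playbooks_run: list = field(default_factory=list)


@dataclass
class AutomationRule:
    name: str
    rule_name_contains: Optional[str] = None   # condition: analytics rule name matches
    rule_name_excludes: Optional[str] = None   # condition: analytics rule name does not match
    severity_in: Optional[set] = None          # additional condition on incident severity
    tactics_any: Optional[set] = None          # additional condition on incident tactics
    actions: list = field(default_factory=list)  # ordered (action, value) pairs


def matches(rule: AutomationRule, inc: Incident) -> bool:
    """All configured conditions must hold; conditions left unset are ignored."""
    if rule.rule_name_contains and rule.rule_name_contains not in inc.analytics_rule:
        return False
    if rule.rule_name_excludes and rule.rule_name_excludes in inc.analytics_rule:
        return False
    if rule.severity_in is not None and inc.severity not in rule.severity_in:
        return False
    if rule.tactics_any is not None and not (inc.tactics & rule.tactics_any):
        return False
    return True


def apply_actions(rule: AutomationRule, inc: Incident) -> None:
    """Apply the rule's actions to the incident, in the order they are listed."""
    for action, value in rule.actions:
        if action == "run_playbook":
            inc.playbooks_run.append(value)
        elif action == "change_status":
            inc.status = value
        elif action == "change_severity":
            inc.severity = value
        elif action == "assign_owner":
            inc.owner = value
        elif action == "add_tag":
            key, val = value
            inc.tags[key] = val
        else:
            raise ValueError(f"unknown action {action!r}")


def on_incident_created(rules, inc: Incident):
    """Trigger: when incident is created. Rules run in list order; every rule
    whose conditions match applies its actions. Returns the names that fired."""
    fired = []
    for rule in rules:
        if matches(rule, inc):
            apply_actions(rule, inc)
            fired.append(rule.name)
    return fired


# Constructed rules: a monitoring override for a known scanner, and an escalation.
SAMPLE_RULES = [
    AutomationRule(
        name="Suppress vulnerability scanner hits",
        rule_name_contains="Port scan",
        tactics_any={"Discovery"},
        actions=[("change_status", "Closed"), ("add_tag", ("Autoclose", "$true"))]),
    AutomationRule(
        name="Escalate high severity to ServiceNow",
        rule_name_excludes="Port scan",
        severity_in={"High"},
        actions=[("run_playbook", "Create-SNOW-record"),
                 ("assign_owner", "soc-tier2@example.com")]),  # placeholder owner
]


def sample_incidents():
    """Constructed incidents as they might arrive from three analytics rules."""
    return [
        Incident("Port scan from 192.0.2.10", "Port scan detected", "Low", {"Discovery"}),
        Incident("Brute force against SSH", "SSH brute force", "High", {"CredentialAccess"}),
        Incident("Unusual sign-in", "Impossible travel", "Medium", {"InitialAccess"}),
    ]


def demo():
    """Run the sample rules over the sample incidents; returns {title: rules fired}."""
    return {inc.title: on_incident_created(SAMPLE_RULES, inc) for inc in sample_incidents()}


if __name__ == "__main__":
    for title, fired in demo().items():
        print(f"{title}: {fired or 'no rule matched'}")
```

Because rules run in order and act on the same incident object, a rule that changes severity or status can alter what a later rule sees; in this model, as in practice, the order of the rule list is part of the design.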
Azure Automation Runbooks
Process automation is a primary purpose of Azure Automation accounts. Azure Automation runbooks provide a vehicle for running PowerShell and Python scripts in support of automation goals. Scripts run in Azure when the script’s target is reachable from Azure or the Internet; with the new Azure Arc Hybrid Runbook Worker V2 feature, scripts can also execute on-premises against local network devices. Runbook execution is triggered from an Azure logic app using the built-in Azure Automation connector.
SOAR use case: A playbook that blocks attacking IP addresses in an on-premises hardware firewall in response to an attack incident detected by Microsoft Sentinel. An SSH session script is pre-staged as an Azure Automation runbook. The script is downloaded to and runs on any on-premises Windows or Linux computer, and adds the IP address to a blocked-addresses group in the firewall.
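Both IP-blocking use cases on this page (the “BlockBruteForceAttack” NSG workflow above and the on-premises firewall runbook just described) take addresses from alert entities and turn them into deny rules, so the step a defender most wants in front of them is validation: never block internal, loopback or allowlisted addresses that an alert happens to mention, drop duplicates and unparseable values, and cap how many rules one run can create. The Python below is an added example, not the GitHub logic app or any Microsoft code; the incident payload is constructed to resemble an incident’s entity list (RFC 5737 documentation addresses stand in for attacker addresses), the allowlist and internal ranges are constructed, and the NSG rule field names are this example’s own shape rather than the connector’s API.

```python
"""Added example (not Microsoft code): validate alert IP entities before an
automation turns them into firewall or NSG deny rules. Sample data constructed."""
import ipaddress
import json

# Constructed: ranges an automation must never block even if an alert lists them.
INTERNAL_RANGES = [ipaddress.ip_network(n) for n in
                   ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "fc00::/7")]
# Constructed: addresses the organisation knows are its own or a trusted partner's.
ALLOWLIST = [ipaddress.ip_network("203.0.113.0/24")]
MAX_BLOCKS_PER_RUN = 50  # cap so one noisy alert cannot flood the NSG with rules

# Constructed sample shaped like a Sentinel incident's entity list.
SAMPLE_INCIDENT = json.dumps({
    "title": "Brute force attack against SSH (constructed)",
    "entities": [
        {"kind": "Ip", "properties": {"address": "192.0.2.44"}},
        {"kind": "Ip", "properties": {"address": "192.0.2.44"}},   # duplicate entity
        {"kind": "Ip", "properties": {"address": "198.51.100.7"}},
        {"kind": "Ip", "properties": {"address": "10.0.0.5"}},     # internal jump host
        {"kind": "Ip", "properties": {"address": "127.0.0.1"}},
        {"kind": "Ip", "properties": {"address": "203.0.113.9"}},  # allowlisted partner
        {"kind": "Ip", "properties": {"address": "not-an-ip"}},
        {"kind": "Host", "properties": {"hostName": "web01"}},
    ],
})


def extract_ip_entities(incident_json: str):
    """Return the address strings of all Ip entities, in order, duplicates kept."""
    inc = json.loads(incident_json)
    return [e["properties"]["address"] for e in inc.get("entities", [])
            if e.get("kind") == "Ip" and "address" in e.get("properties", {})]


def classify(address: str, allowlist=ALLOWLIST):
    """Decide whether an address may be blocked; returns (ok, reason)."""
    try:
        ip = ipaddress.ip_address(address)
    except ValueError:
        return False, "unparseable"
    if ip.is_loopback or ip.is_link_local or ip.is_multicast or ip.is_unspecified:
        return False, "special-purpose"
    if any(ip in net for net in INTERNAL_RANGES):
        return False, "internal"
    if any(ip in net for net in allowlist):
        return False, "allowlisted"
    return True, "ok"


def build_blocklist(incident_json: str, allowlist=ALLOWLIST, cap=MAX_BLOCKS_PER_RUN):
    """Return (addresses safe to block, {address: reason} for those dropped)."""
    accepted, rejected = [], {}
    for addr in extract_ip_entities(incident_json):
        if addr in accepted:
            continue  # duplicate entity
        ok, reason = classify(addr, allowlist)
        if ok:
            accepted.append(addr)
        else:
            rejected[addr] = reason
    return accepted[:cap], rejected


def nsg_deny_rules(addresses, start_priority=100):
    """Shape each address as an inbound deny rule with a unique priority.
    Field names are constructed for this example; a real playbook would hand
    the values to the Azure Network connector or an ARM deployment."""
    return [{"name": "DenyInbound-" + a.replace(".", "-").replace(":", "-"),
             "priority": start_priority + i, "direction": "Inbound",
             "access": "Deny", "sourceAddressPrefix": a,
             "destinationAddressPrefix": "*", "protocol": "*",
             "sourcePortRange": "*", "destinationPortRange": "*"}
            for i, a in enumerate(addresses)]


if __name__ == "__main__":
    accepted, rejected = build_blocklist(SAMPLE_INCIDENT)
    print("blocking:", accepted)
    print("dropped:", rejected)
    for rule in nsg_deny_rules(accepted):
        print(rule["priority"], rule["name"])
```

The same filter applies unchanged to the on-premises firewall case: the runbook receives only the accepted list, and the rejected dictionary is worth writing back to the incident as a comment so an analyst can see why an address was not blocked.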
GitHub Code Repositories
Every automation artifact mentioned in this article can be exported as code, then managed and deployed using proven repository-based DevOps methodologies. There is excellent and dynamic community support for Microsoft security tools. At https://github.com/Azure you will find the Microsoft-Defender-for-Cloud repository’s Workflow automation folder and the Azure-Sentinel repository’s Playbooks folder, containing hundreds of useful automations that you can import directly or use as inspiration and learning for authoring your own custom logic apps.