Azure Security Center

Robert Paulson 1 Reputation point
2020-05-14T16:26:39.127+00:00

Good Morning,

We recently started using Security Center, and we're trying to figure out the Workflow automation. I followed the instructions (https://learn.microsoft.com/en-us/azure/security-center/workflow-automation) and it looks good, and is triggering.


The logic app is pretty much default, and fires off an email when it is triggered.

So it seems to work, but it fires off quite a lot!


Has anyone used this workflow in a production environment where it doesn't flood a mailbox? Or perhaps I'm missing a step. We're still pretty new with Azure Security Center and Workflows/logic apps.

Microsoft Defender for Cloud
An Azure service that provides threat protection for workloads running in Azure, on-premises, and in other clouds. Previously known as Azure Security Center and Azure Defender.

1 answer

  1. Saurabh Sharma 23,751 Reputation points Microsoft Employee
    2020-05-18T14:45:26.393+00:00

    How many recommendations have you selected, and how many VMSS instances do you have in your subscription? If you have a large environment that changes constantly and you select a long list of recommendations, this may occur. You may have to narrow your search: instead of selecting a bunch of recommendations, select just some and narrow the recommendation state. The recommendation state field below is set to “all states”, which means that, once a recommendation changes the state from healthy to unhealthy (and vice versa), it will trigger the logic app. That on its own could be a lot of events. Is this really what you want? All states?

    1 person found this answer helpful.
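
The effect described in the answer above can be seen in a small model. This is an added example, not code from the thread or from Microsoft: the snapshot data, recommendation names and function names are constructed, and it assumes that a resource's first appearance counts as a state change.

```python
"""Model of the workflow automation trigger filter (added example, constructed data)."""

# Constructed recommendation names, not real Security Center identifiers.
R_ENC = "rec-disk-encryption"
R_UPD = "rec-system-updates"
R_EPP = "rec-endpoint-protection"

# Constructed snapshots: {(recommendation, resource): state} at successive evaluations.
# A second VMSS instance (vmss_1) appears in the second snapshot.
SNAPSHOTS = [
    {(R_ENC, "vmss_0"): "Unhealthy", (R_UPD, "vmss_0"): "Healthy",
     (R_EPP, "vmss_0"): "Healthy"},
    {(R_ENC, "vmss_0"): "Unhealthy", (R_UPD, "vmss_0"): "Unhealthy",
     (R_EPP, "vmss_0"): "Healthy", (R_ENC, "vmss_1"): "Unhealthy",
     (R_UPD, "vmss_1"): "Healthy", (R_EPP, "vmss_1"): "Healthy"},
    {(R_ENC, "vmss_0"): "Healthy", (R_UPD, "vmss_0"): "Healthy",
     (R_EPP, "vmss_0"): "Unhealthy", (R_ENC, "vmss_1"): "Unhealthy",
     (R_UPD, "vmss_1"): "Unhealthy", (R_EPP, "vmss_1"): "Healthy"},
]


def state_changes(snapshots):
    """Yield (recommendation, resource, new_state) whenever a state differs
    from the previous snapshot. Assumption: a first sighting counts as a change."""
    previous = {}
    for snap in snapshots:
        for key, state in snap.items():
            if previous.get(key) != state:
                yield (*key, state)
        previous = snap


def triggers(snapshots, recommendations=None, states=None):
    """Events that would reach the logic app. None means no filter ("all")."""
    return [
        (rec, res, state)
        for rec, res, state in state_changes(snapshots)
        if (recommendations is None or rec in recommendations)
        and (states is None or state in states)
    ]


if __name__ == "__main__":
    print("all recommendations, all states:", len(triggers(SNAPSHOTS)))
    print("all recommendations, Unhealthy: ", len(triggers(SNAPSHOTS, None, {"Unhealthy"})))
    print("one recommendation, all states: ", len(triggers(SNAPSHOTS, {R_ENC})))
    print("one recommendation, Unhealthy:  ", len(triggers(SNAPSHOTS, {R_ENC}, {"Unhealthy"})))
```

With only two instances and three recommendations, the unfiltered configuration already produces several times as many triggers as the narrowed one, and the gap grows with every instance and recommendation added.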