Azure Security Center

Robert Paulson 1 Reputation point
2020-05-14T16:26:39.127+00:00

Good Morning,

We recently started using security center, and we're trying to figure out the Workflow automation. I followed instructions (https://learn.microsoft.com/en-us/azure/security-center/workflow-automation) and it looks good, and is triggering.

8068-workflow.jpg

and the logic app is pretty much default, and fires off an email when it is triggered.

So it seems to work, but it fires off quite a lot!

8152-trigger.jpg

Has anyone used this workflow and a production environment where it doesn't flood a mailbox, or perhaps I'm missing a step. We're still pretty new with Azure Security Center and Workflows/logic apps.

Microsoft Defender for Cloud
Microsoft Defender for Cloud
An Azure service that provides threat protection for workloads running in Azure, on-premises, and in other clouds. Previously known as Azure Security Center and Azure Defender.
1,419 questions
0 comments No comments
{count} votes

1 answer

Sort by: Most helpful
  1. Saurabh Sharma 23,816 Reputation points Microsoft Employee
    2020-05-18T14:45:26.393+00:00

    How many recommendations you have selected and how many VMSS instances you have in your subscription ? If you have a large environment that changes constantly and you select a long list of recommendations, this may occur. You may have to narrow your search, instead of selecting a bunch of recommendations, select just some and narrow the recommendation state. The recommendation state filed below is set to “all states”, which means that, once a recommendation changes the state from healthy to unhealthy (and vice versa), it will trigger the logic app. That’s on its own could be a lot of events. Is this really what you want ? All states?

    1 person found this answer helpful.

Your answer

Answers can be marked as Accepted Answers by the question author, which helps users to know the answer solved the author's problem.