Azure Security Center

Robert Paulson 1 Reputation point

Good Morning,

We recently started using security center, and we're trying to figure out the Workflow automation. I followed instructions ( and it looks good, and is triggering.


and the logic app is pretty much default, and fires off an email when it is triggered.

So it seems to work, but it fires off quite a lot!


Has anyone used this workflow and a production environment where it doesn't flood a mailbox, or perhaps I'm missing a step. We're still pretty new with Azure Security Center and Workflows/logic apps.

Microsoft Defender for Cloud
Microsoft Defender for Cloud
An Azure service that provides threat protection for workloads running in Azure, on-premises, and in other clouds. Previously known as Azure Security Center and Azure Defender.
1,047 questions
0 comments No comments
{count} votes

1 answer

Sort by: Most helpful
  1. Saurabh Sharma 21,191 Reputation points Microsoft Employee

    How many recommendations you have selected and how many VMSS instances you have in your subscription ? If you have a large environment that changes constantly and you select a long list of recommendations, this may occur. You may have to narrow your search, instead of selecting a bunch of recommendations, select just some and narrow the recommendation state. The recommendation state filed below is set to “all states”, which means that, once a recommendation changes the state from healthy to unhealthy (and vice versa), it will trigger the logic app. That’s on its own could be a lot of events. Is this really what you want ? All states?

    1 person found this answer helpful.