Automate responses to Microsoft Defender for Cloud triggers
Every security program includes multiple workflows for incident response. These processes might include notifying relevant stakeholders, launching a change management process, and applying specific remediation steps. Security experts recommend that you automate as many steps of those procedures as you can. Automation reduces overhead. It can also improve your security by ensuring the process steps are done quickly, consistently, and according to your predefined requirements.
This article describes the workflow automation feature of Microsoft Defender for Cloud. This feature can trigger Logic Apps on security alerts, recommendations, and changes to regulatory compliance. For example, you might want Defender for Cloud to email a specific user when an alert occurs. You'll also learn how to create Logic Apps using Azure Logic Apps.
|Release state:||General availability (GA)|
|Required roles and permissions:||Security admin role or Owner on the resource group
Must also have write permissions for the target resource
To work with Azure Logic Apps workflows, you must also have the following Logic Apps roles/permissions:
- Logic App Operator permissions are required or Logic App read/trigger access (this role can't create or edit logic apps; only run existing ones)
- Logic App Contributor permissions are required for Logic App creation and modification
If you want to use Logic App connectors, you may need other credentials to sign in to their respective services (for example, your Outlook/Teams/Slack instances)
National (Azure Government, Azure China 21Vianet)
Create a logic app and define when it should automatically run
From Defender for Cloud's sidebar, select Workflow automation.
From this page you can create new automation rules, enable, disable, or delete existing ones.
To define a new workflow, select Add workflow automation. The options pane for your new automation opens.
Here you can enter:
A name and description for the automation.
The triggers that will initiate this automatic workflow. For example, you might want your Logic App to run when a security alert that contains "SQL" is generated.
If your trigger is a recommendation that has "sub-recommendations", for example Vulnerability assessment findings on your SQL databases should be remediated, the logic app will not trigger for every new security finding; only when the status of the parent recommendation changes.
The Logic App that will run when your trigger conditions are met.
From the Actions section, select visit the Logic Apps page to begin the Logic App creation process.
You'll be taken to Azure Logic Apps.
Select (+) Add.
Fill out all required fields and select Review + Create.
The message Deployment is in progress appears. Wait for the deployment complete notification to appear and select Go to resource from the notification.
Review the information you entered and select Create.
In your new logic app, you can choose from built-in, predefined templates from the security category. Or you can define a custom flow of events to occur when this process is triggered.
Sometimes in a logic app, parameters are included in the connector as part of a string and not in their own field. For an example of how to extract parameters, see step #14 of Working with logic app parameters while building Microsoft Defender for Cloud workflow automations.
The logic app designer supports the following Defender for Cloud triggers:
When a Microsoft Defender for Cloud Recommendation is created or triggered - If your logic app relies on a recommendation that gets deprecated or replaced, your automation will stop working and you'll need to update the trigger. To track changes to recommendations, use the release notes.
When a Defender for Cloud Alert is created or triggered - You can customize the trigger so that it relates only to alerts with the severity levels that interest you.
When a Defender for Cloud regulatory compliance assessment is created or triggered - Trigger automations based on updates to regulatory compliance assessments.
If you are using the legacy trigger "When a response to a Microsoft Defender for Cloud alert is triggered", your logic apps will not be launched by the Workflow Automation feature. Instead, use either of the triggers mentioned above.
After you've defined your logic app, return to the workflow automation definition pane ("Add workflow automation"). Select Refresh to ensure your new Logic App is available for selection.
Select your logic app and save the automation. The Logic App dropdown only shows Logic Apps with supporting Defender for Cloud connectors mentioned above.
Manually trigger a Logic App
You can also run Logic Apps manually when viewing any security alert or recommendation.
To manually run a Logic App, open an alert, or a recommendation and select Trigger Logic App:
Configure workflow automation at scale using the supplied policies
Automating your organization's monitoring and incident response processes can greatly improve the time it takes to investigate and mitigate security incidents.
To deploy your automation configurations across your organization, use the supplied Azure Policy 'DeployIfNotExist' policies described below to create and configure workflow automation procedures.
Get started with workflow automation templates.
To implement these policies:
From the table below, select the policy you want to apply:
Goal Policy Policy ID Workflow automation for security alerts Deploy Workflow Automation for Microsoft Defender for Cloud alerts f1525828-9a90-4fcf-be48-268cdd02361e Workflow automation for security recommendations Deploy Workflow Automation for Microsoft Defender for Cloud recommendations 73d6ab6c-2475-4850-afd6-43795f3492ef Workflow automation for regulatory compliance changes Deploy Workflow Automation for Microsoft Defender for Cloud regulatory compliance 509122b9-ddd9-47ba-a5f1-d0dac20be63c
The three workflow automation policies have recently been rebranded. Unfortunately, this change came with an unavoidable breaking change. To learn how to mitigate this breaking change, see mitigate breaking change,
You can also find these by searching Azure Policy:
- Open Azure Policy.
- From the Azure Policy menu, select Definitions and search for them by name.
From the relevant Azure Policy page, select Assign.
Open each tab and set the parameters as desired:
- In the Basics tab, set the scope for the policy. To use centralized management, assign the policy to the Management Group containing the subscriptions that will use the workflow automation configuration.
- In the Parameters tab, enter the required information.
- (Optional), Apply this assignment to an existing subscription in the Remediation tab and select the option to create a remediation task.
Review the summary page and select Create.
Data types schemas
To view the raw event schemas of the security alerts or recommendations events passed to the Logic App instance, visit the Workflow automation data types schemas. This can be useful in cases where you aren't using Defender for Cloud's built-in Logic App connectors mentioned above, but instead are using Logic App's generic HTTP connector - you could use the event JSON schema to manually parse it as you see fit.
FAQ - Workflow automation
Does workflow automation support any business continuity or disaster recovery (BCDR) scenarios?
When preparing your environment for BCDR scenarios, where the target resource is experiencing an outage or other disaster, it's the organization's responsibility to prevent data loss by establishing backups according to the guidelines from Azure Event Hubs, Log Analytics workspace, and Logic App.
For every active automation, we recommend you create an identical (disabled) automation and store it in a different location. When there's an outage, you can enable these backup automations and maintain normal operations.
Learn more about Business continuity and disaster recovery for Azure Logic Apps.
Mitigate breaking change
Recently we've rebranded the following recommendation:
- Deploy Workflow Automation for Microsoft Defender for Cloud alerts
- Deploy Workflow Automation for Microsoft Defender for Cloud recommendations
- Deploy Workflow Automation for Microsoft Defender for Cloud regulatory compliance
Unfortunately, this change came with an unavoidable breaking change. The breaking change causes all of the old workflow automation policies that used the built-in connectors to be uncompliant.
To mitigate this issue:
Navigate to the logic app that is connected to the policy.
Select Logic app designer.
Select the three dot > Rename.
Rename the Defender for cloud connector as follows:
Original name New name Deploy Workflow Automation for Microsoft Defender for Cloud alerts When a Microsoft Defender for Cloud dAlert is created or triggered 1 Deploy Workflow Automation for Microsoft Defender for Cloud recommendations When a Microsoft Defender for Cloud Recommendation is created or triggered Deploy Workflow Automation for Microsoft Defender for Cloud regulatory compliance When a Microsoft Defender for Cloud Regulatory Compliance Assessment is created or triggered
In this article, you learned about creating Logic Apps, automating their execution in Defender for Cloud, and running them manually.
For related material, see: