Changed file: articles/defender-for-cloud/workflow-automation.md
22 additions & 22 deletions
Original file line number
Diff line number
Diff line change
@@ -2,7 +2,7 @@
2
2
title: Workflow automation in Microsoft Defender for Cloud | Microsoft Docs
3
3
description: Learn how to create and automate workflows in Microsoft Defender for Cloud
4
4
ms.topic: how-to
5
-
ms.date: 11/09/2021
5
+
ms.date: 06/26/2022
6
6
---
7
7
# Automate responses to Microsoft Defender for Cloud triggers
8
8
@@ -17,7 +17,7 @@ This article describes the workflow automation feature of Microsoft Defender for
17
17
|----|:----|
18
18
|Release state:|General availability (GA)|
19
19
|Pricing:|Free|
20
-
|Required roles and permissions:|**Security admin role** or **Owner** on the resource group<br>Must also have write permissions for the target resource<br><br>To work with Azure Logic Apps workflows, you must also have the following Logic Apps roles/permissions:<br> - [Logic App Operator](../role-based-access-control/built-in-roles.md#logic-app-operator) permissions are required or Logic App read/trigger access (this role can't create or edit logic apps; only *run* existing ones)<br> - [Logic App Contributor](../role-based-access-control/built-in-roles.md#logic-app-contributor) permissions are required for Logic App creation and modification<br>If you want to use Logic App connectors, you may need additional credentials to sign in to their respective services (for example, your Outlook/Teams/Slack instances)|
20
+
|Required roles and permissions:|**Security admin role** or **Owner** on the resource group<br>Must also have write permissions for the target resource<br><br>To work with Azure Logic Apps workflows, you must also have the following Logic Apps roles/permissions:<br> - [Logic App Operator](../role-based-access-control/built-in-roles.md#logic-app-operator) permissions are required or Logic App read/trigger access (this role can't create or edit logic apps; only *run* existing ones)<br> - [Logic App Contributor](../role-based-access-control/built-in-roles.md#logic-app-contributor) permissions are required for Logic App creation and modification<br>If you want to use Logic App connectors, you may need other credentials to sign in to their respective services (for example, your Outlook/Teams/Slack instances)|
21
21
|Clouds:|:::image type="icon" source="./media/icons/yes-icon.png"::: Commercial clouds<br>:::image type="icon" source="./media/icons/yes-icon.png"::: National (Azure Government, Azure China 21Vianet)|
22
22
23
23
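Review bot: In the "Required roles and permissions" row (new line 20), "you may need other credentials" is less clear than the "additional credentials" it replaces. The connector sign-ins (Outlook/Teams/Slack) come on top of the Azure roles listed in the same cell, and "other" can be read as an alternative to those roles. Suggest keeping "additional" or using "separate credentials". Since the row is being touched anyway, "permissions are required or Logic App read/trigger access" still does not parse; "Logic App Operator permissions, or Logic App read/trigger access, are required" would fix it.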
@@ -29,11 +29,11 @@ This article describes the workflow automation feature of Microsoft Defender for
29
29
30
30
:::image type="content" source="./media/workflow-automation/list-of-workflow-automations.png" alt-text="Screenshot of workflow automation page showing the list of defined automations." lightbox="./media/workflow-automation/list-of-workflow-automations.png":::
31
31
32
-
From this page you can create new automation rules, as well as enable, disable, or delete existing ones.
32
+
From this page you can create new automation rules, enable, disable, or delete existing ones.
33
33
34
-
1. To define a new workflow, click**Add workflow automation**. The options pane for your new automation opens.
34
+
1. To define a new workflow, select**Add workflow automation**. The options pane for your new automation opens.
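Review bot: The rewritten sentence at new line 32 no longer parses. With "as well as" removed, "create new automation rules, enable, disable, or delete existing ones" reads as one flat list in which "enable" and "disable" have no object. Suggest "From this page, you can create new automation rules, or enable, disable, or delete existing ones."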
@@ -46,22 +46,26 @@ This article describes the workflow automation feature of Microsoft Defender for
46
46
47
47
1. From the Actions section, select **visit the Logic Apps page** to begin the Logic App creation process.
48
48
49
+
:::image type="content" source="media/workflow-automation/visit-logic.png" alt-text="Screenshot that shows where on the screen you need to select the visit the logic apps page in the actions section of the add workflow automation screen." border="true":::
50
+
49
51
You'll be taken to Azure Logic Apps.
50
52
51
-
1. Select **Add**.
53
+
1. Select **(+) Add**.
52
54
53
-
[](media/workflow-automation/logic-apps-create-new.png#lightbox)
55
+
:::image type="content" source="media/workflow-automation/logic-apps-create-new.png" alt-text="Screenshot of the create a logic app screen." lightbox="media/workflow-automation/logic-apps-create-new.png":::
54
56
55
-
1.Enter a name, resource group, and location, and select **Review and create** > **Create**.
57
+
1.Fill out all required fields and select **Review + Create**.
56
58
57
59
The message **Deployment is in progress** appears. Wait for the deployment complete notification to appear and select **Go to resource** from the notification.
58
60
59
-
1. In your new logic app, you can choose from built-in, predefined templates from the security category. Or you can define a custom flow of events to occur when this process is triggered.
61
+
1. Review the information you entered and select **Create**.
62
+
63
+
In your new logic app, you can choose from built-in, predefined templates from the security category. Or you can define a custom flow of events to occur when this process is triggered.
60
64
61
65
> [!TIP]
62
66
> Sometimes in a logic app, parameters are included in the connector as part of a string and not in their own field. For an example of how to extract parameters, see step #14 of [Working with logic app parameters while building Microsoft Defender for Cloud workflow automations](https://techcommunity.microsoft.com/t5/azure-security-center/working-with-logic-app-parameters-while-building-azure-security/ba-p/1342121).
63
67
64
-
The logic app designer supports these Defender for Cloud triggers:
68
+
The logic app designer supports the following Defender for Cloud triggers:
65
69
66
70
-**When a Microsoft Defender for Cloud Recommendation is created or triggered** - If your logic app relies on a recommendation that gets deprecated or replaced, your automation will stop working and you'll need to update the trigger. To track changes to recommendations, use the [release notes](release-notes.md).
67
71
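Review bot: The new step "Review the information you entered and select **Create**" (new line 61) is placed after the "Deployment is in progress" paragraph (new line 59), but the deployment can only start once **Create** has been selected, so the procedure is out of order as written. Move the Create step directly under "Fill out all required fields and select **Review + Create**", and let the deployment message and **Go to resource** follow it. The added visit-logic.png image also has no lightbox attribute, unlike the logic-apps-create-new.png image converted in the same hunk.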
@@ -74,18 +78,18 @@ This article describes the workflow automation feature of Microsoft Defender for
1. After you've defined your logic app, return to the workflow automation definition pane ("Add workflow automation"). Click**Refresh** to ensure your new Logic App is available for selection.
81
+
1. After you've defined your logic app, return to the workflow automation definition pane ("Add workflow automation"). Select**Refresh** to ensure your new Logic App is available for selection.
1. Select your logic app and save the automation. Note that the Logic App dropdown only shows Logic Apps with supporting Defender for Cloud connectors mentioned above.
85
+
1. Select your logic app and save the automation. The Logic App dropdown only shows Logic Apps with supporting Defender for Cloud connectors mentioned above.
82
86
83
87
84
88
## Manually trigger a Logic App
85
89
86
90
You can also run Logic Apps manually when viewing any security alert or recommendation.
87
91
88
-
To manually run a Logic App, open an alert or a recommendation and click**Trigger Logic App**:
92
+
To manually run a Logic App, open an alert or a recommendation and select**Trigger Logic App**:
89
93
90
94
[](media/workflow-automation/manually-trigger-logic-app.png#lightbox)
91
95
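Review bot: The manually-trigger-logic-app.png reference at new line 94 is left in the old Markdown link form, while this patch converts logic-apps-create-new.png to the :::image type="content"::: syntax. Suggest converting this one in the same change so the page uses a single image syntax. In the dropdown sentence at new line 85, "connectors mentioned above" would be clearer if it named the Defender for Cloud triggers it refers to, since the list it points back to is several steps earlier.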
@@ -120,21 +124,17 @@ To implement these policies:
120
124
121
125
1. Open each tab and set the parameters as desired:
122
126
1. In the **Basics** tab, set the scope for the policy. To use centralized management, assign the policy to the Management Group containing the subscriptions that will use the workflow automation configuration.
123
-
1. In the **Parameters** tab, set the resource group and data type details.
124
-
> [!TIP]
125
-
> Each parameter has a tooltip explaining the options available to you.
126
-
>
127
-
> Azure Policy's parameters tab (1) provides access to similar configuration options as Defender for Cloud's workflow automation page (2).
128
-
> :::image type="content" source="./media/workflow-automation/azure-policy-next-to-workflow-automation.png" alt-text="Comparing the parameters in workflow automation with Azure Policy." lightbox="./media/workflow-automation/azure-policy-next-to-workflow-automation.png":::
127
+
1. In the Parameters tab, enter the required information.
129
128
130
-
1. Optionally, to apply this assignment to existing subscriptions, open the **Remediation**tab and select the option to create a remediation task.
129
+
:::image type="content" source="media/workflow-automation/parameters-tab.png" alt-text="Screenshot of the parameters tab.":::
131
130
132
-
1.Review the summary page and select **Create**.
131
+
1.(Optional), Apply this assignment to an existing subscription in the **Remediation** tab and select the option to create a remediation task.
133
132
133
+
1. Review the summary page and select **Create**.
134
134
135
135
## Data types schemas
136
136
137
-
To view the raw event schemas of the security alerts or recommendations events passed to the Logic App instance, visit the [Workflow automation data types schemas](https://aka.ms/ASCAutomationSchemas). This can be useful in cases where you are not using Defender for Cloud's built-in Logic App connectors mentioned above, but instead are using Logic App's generic HTTP connector - you could use the event JSON schema to manually parse it as you see fit.
137
+
To view the raw event schemas of the security alerts or recommendations events passed to the Logic App instance, visit the [Workflow automation data types schemas](https://aka.ms/ASCAutomationSchemas). This can be useful in cases where you aren't using Defender for Cloud's built-in Logic App connectors mentioned above, but instead are using Logic App's generic HTTP connector - you could use the event JSON schema to manually parse it as you see fit.
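Review bot: The replacement Parameters step (new line 127) only says "enter the required information", and the hunk drops both the pointer to the resource group and data type details and the tip that each parameter has a tooltip, so the reader is no longer told what this tab configures. Suggest keeping one clause naming the resource group and data type settings. The tab name also lost its bold here while **Basics** and **Remediation** keep theirs, and "(Optional), Apply this assignment" at new line 131 has a stray comma and capital; "(Optional) To apply this assignment to existing subscriptions, open the **Remediation** tab and select the option to create a remediation task." reads cleanly.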