%3CLINGO-SUB%20id%3D%22lingo-sub-1285670%22%20slang%3D%22en-US%22%3EAzure%20Security%20Center%20%E2%80%93%20automating%20Change%20Requests%20in%20ServiceNow%20using%20Workflow%20automation.%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1285670%22%20slang%3D%22en-US%22%3E%3CH2%20id%3D%22toc-hId--1380294091%22%20id%3D%22toc-hId--1380294091%22%20id%3D%22toc-hId--1380294091%22%20id%3D%22toc-hId--1380294091%22%3EIntroduction%3C%2FH2%3E%0A%3CP%3EIn%20this%20blog%20post%20we%20will%20explore%20how%20to%20use%20Azure%20Security%20Center%E2%80%99s%20%E2%80%93%20Workflow%20automation%20(%3CA%20href%3D%22https%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fazure%2Fsecurity-center%2Fworkflow-automation%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%22%3Enow%20generally%3C%2FA%3E%3CSPAN%3E%20available%3C%2FSPAN%3E)%20to%20identify%20a%20recommendation%20and%20create%20a%20Change%20Request%20in%20ServiceNow.%3C%2FP%3E%0A%3CP%3EAt%20the%20crossroads%20of%20security%20posture%20and%20configuration%20drift%20lies%20IT%20Service%20Management%20(ITSM).%20In%20a%20fast%20and%20ever-changing%20world%20of%20modern%20enterprises%2C%20organizations%20struggle%20to%20meet%20security%20and%20compliance%20requirements%20while%20preventing%20unwanted%20change.%20Many%20organizations%20use%20a%20strict%20change%20management%20process%20to%20ensure%20change%20is%20tracked%2C%20approved%20and%20well%20documented.%20When%20cyber%20security%20recommendations%20come%20to%20light%20that%20effect%20an%20organization%E2%80%99s%20posture%2C%20this%20change%20process%20is%20sometimes%20bypassed%20or%20seen%20as%20a%20hinderance.%20This%20blog%20post%20is%20designed%20to%20show%20the%20efficacy%20of%20using%20Azure%20Security%20Center%20to%20not%20only%20identify%20a%20Security%20recommendation%2C%20but%20to%20create%20a%20change%20request%20based%20on%20the%20related%20relevant%20information%20and%20resources.%20These%20same%20principles%20can%20be%20used%20to%20create%20incidents%2C%20problems%2C%20etc.%20from%20both%20Security%20Center%20%E2%80%9CRecommendations%E2%80%9D%20and%2For%20%E2%80%9CAlerts%E2%80%9D.%3C%2FP%3E%0A%3CH2%20id%3D%22toc-hId-1107218742%22%20id%3D%22toc-hId-1107218742%22%20id%3D%22toc-hId-1107218742%22%20id%3D%22toc-hId-1107218742%22%3EScenario%3C%2FH2%3E%0A%3CP%3EIn%20this%20scenario%20we%20are%20going%20to%20use%20the%20recommendation%20of%20Adaptive%20Application%20Control%20(%3CA%20href%3D%22https%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fazure%2Fsecurity-center%2Fsecurity-center-adaptive-application%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%22%3EAAC%3C%2FA%3E).%20The%20title%20of%20the%20recommendation%20is%3A%20%E2%80%9CAdaptive%20Application%20Controls%20should%20be%20enabled%20on%20virtual%20machines%E2%80%9D.%3C%2FP%3E%0A%3CP%3E%3CSPAN%20class%3D%22lia-inline-image-display-wrapper%20lia-image-align-inline%22%20image-alt%3D%22dougbirch_0-1586183895675.png%22%20style%3D%22width%3A%20400px%3B%22%3E%3CIMG%20src%3D%22https%3A%2F%2Fgxcuf89792.i.lithium.com%2Ft5%2Fimage%2Fserverpage%2Fimage-id%2F182373iA1A0886CD6F9D60B%2Fimage-size%2Fmedium%3Fv%3D1.0%26amp%3Bpx%3D400%22%20title%3D%22dougbirch_0-1586183895675.png%22%20alt%3D%22dougbirch_0-1586183895675.png%22%20%2F%3E%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%3EThis%20recommendation%20falls%20under%20the%20%E2%80%9CApply%20adaptive%20application%20control%E2%80%9D%20and%20is%20worth%202%20points%2C%20a%20potential%203%25%20score%20increase%20under%20the%20new%20Enhanced%20Secure%20Score%20(%3CA%20href%3D%22https%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fazure%2Fsecurity-center%2Fsecure-score-security-controls%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%22%3Ein%20preview%3C%2FA%3E).%3C%2FP%3E%0A%3CH2%20id%3D%22toc-hId--700235721%22%20id%3D%22toc-hId--700235721%22%20id%3D%22toc-hId--700235721%22%20id%3D%22toc-hId--700235721%22%3EConfiguring%20the%20Workflow%20Automation%20for%20this%20Scenario%3C%2FH2%3E%0A%3CP%3EWorkflow%20automation%20is%20a%20feature%20that%20can%20trigger%20Logic%20Apps%20on%20both%20%E2%80%9CThreat%20detection%20alerts%E2%80%9D%20and%20%E2%80%9CSecurity%20Center%20recommendations%E2%80%9D.%20Workflow%20automation%20is%20located%20in%20the%20left%20navigation%20pane%20of%20Azure%20Security%20Center%20dashboard%20as%20shown%20below%3A%3C%2FP%3E%0A%3CP%3E%3CSPAN%20class%3D%22lia-inline-image-display-wrapper%20lia-image-align-inline%22%20image-alt%3D%22dougbirch_1-1586183895678.png%22%20style%3D%22width%3A%20400px%3B%22%3E%3CIMG%20src%3D%22https%3A%2F%2Fgxcuf89792.i.lithium.com%2Ft5%2Fimage%2Fserverpage%2Fimage-id%2F182375i66948CD9E05581C6%2Fimage-size%2Fmedium%3Fv%3D1.0%26amp%3Bpx%3D400%22%20title%3D%22dougbirch_1-1586183895678.png%22%20alt%3D%22dougbirch_1-1586183895678.png%22%20%2F%3E%3C%2FSPAN%3E%3C%2FP%3E%0A%3CH2%20id%3D%22toc-hId-1787277112%22%20id%3D%22toc-hId-1787277112%22%20id%3D%22toc-hId-1787277112%22%20id%3D%22toc-hId-1787277112%22%3ECreate%20the%20Logic%20App%3C%2FH2%3E%0A%3CP%3EAzure%20Logic%20Apps%20contains%20out%20of%20the%20box%20templates%20for%20third-party%20vendors%20like%20ServiceNow%2C%20which%20makes%20them%20very%20easy%20to%20integrate%20Azure%20Security%20Center.%20We%20can%20leverage%20ServiceNow%20%3CSTRONG%3ERecord%3C%2FSTRONG%3E%20actions%20like%20%3CSTRONG%3ECreate%2C%20Delete%2C%20Get%2C%20Update%3C%2FSTRONG%3E%2C%20etc.%20Follow%20the%20steps%20below%20to%20configure%20the%20Logic%20App%20for%20this%20scenario%3A%3C%2FP%3E%0A%3COL%3E%0A%3CLI%20style%3D%22font-weight%3A%20300%3B%22%3ENavigate%20to%20the%20Azure%20portal%20and%20under%20%3CSTRONG%3ELogic%20Apps%3C%2FSTRONG%3E%2C%20select%20%3CSTRONG%3EAdd%3C%2FSTRONG%3E%3C%2FLI%3E%0A%3CLI%20style%3D%22font-weight%3A%20300%3B%22%3EProvide%20a%20name%20for%20your%20new%20Logic%20App%20like%20%E2%80%9CASCRec-SNOWCR-AAC%E2%80%9D%20and%20fill%20in%20the%20resource%20group%20and%20location%20fields.%20The%20Log%20Analytics%20integration%20offers%20capabilities%20like%20using%20search%20to%20query%20the%20status%20and%20history.%20Click%20on%20%3CSTRONG%3ECreate%3C%2FSTRONG%3E%3C%2FLI%3E%0A%3CLI%20style%3D%22font-weight%3A%20300%3B%22%3EIn%20the%20%3CSTRONG%3ELogic%20Apps%20Designer%3C%2FSTRONG%3E%20select%20the%20%3CSTRONG%3EBlank%20Logic%20App%3C%2FSTRONG%3E%20template%3C%2FLI%3E%0A%3CLI%20style%3D%22font-weight%3A%20300%3B%22%3ESearch%20for%20%3CSTRONG%3EAzure%20Security%20Center%3C%2FSTRONG%3E%20and%20select%20%3CSTRONG%3EWhen%20a%20response%20to%20an%20Azure%20Security%20Center%20recommendation%20is%20created%20or%20triggered%20%3C%2FSTRONG%3Eas%20the%20trigger%3C%2FLI%3E%0A%3C%2FOL%3E%0A%3CP%3E%3CSPAN%20class%3D%22lia-inline-image-display-wrapper%20lia-image-align-inline%22%20image-alt%3D%22dougbirch_2-1586183895680.png%22%20style%3D%22width%3A%20400px%3B%22%3E%3CIMG%20src%3D%22https%3A%2F%2Fgxcuf89792.i.lithium.com%2Ft5%2Fimage%2Fserverpage%2Fimage-id%2F182374iA59BEFE938AAB560%2Fimage-size%2Fmedium%3Fv%3D1.0%26amp%3Bpx%3D400%22%20title%3D%22dougbirch_2-1586183895680.png%22%20alt%3D%22dougbirch_2-1586183895680.png%22%20%2F%3E%3C%2FSPAN%3E%3C%2FP%3E%0A%3COL%20start%3D%225%22%3E%0A%3CLI%20style%3D%22font-weight%3A%20300%3B%22%3EClick%20on%20%3CSTRONG%3E%2B%20New%20Step%3C%2FSTRONG%3E%20and%20search%20for%20ServiceNow%3C%2FLI%3E%0A%3CLI%20style%3D%22font-weight%3A%20300%3B%22%3ESelect%20%3CSTRONG%3ECreate%20Record%3C%2FSTRONG%3E%20as%20the%20action%3C%2FLI%3E%0A%3C%2FOL%3E%0A%3CP%3E%3CSPAN%20class%3D%22lia-inline-image-display-wrapper%20lia-image-align-inline%22%20image-alt%3D%22dougbirch_3-1586183895684.png%22%20style%3D%22width%3A%20400px%3B%22%3E%3CIMG%20src%3D%22https%3A%2F%2Fgxcuf89792.i.lithium.com%2Ft5%2Fimage%2Fserverpage%2Fimage-id%2F182377i5DFB666F771883E1%2Fimage-size%2Fmedium%3Fv%3D1.0%26amp%3Bpx%3D400%22%20title%3D%22dougbirch_3-1586183895684.png%22%20alt%3D%22dougbirch_3-1586183895684.png%22%20%2F%3E%3C%2FSPAN%3E%3C%2FP%3E%0A%3COL%20start%3D%227%22%3E%0A%3CLI%3ETo%20continue%2C%20you%20need%20to%20create%20a%20%3CSTRONG%3EServiceNow%20connection%3C%2FSTRONG%3E%3C%2FLI%3E%0A%3C%2FOL%3E%0A%3CP%3E%3CEM%3ENote%3A%20if%20you%20don%E2%80%99t%20have%20a%20ServiceNow%20environment%20you%20can%20sign%20up%20%3C%2FEM%3E%3CA%20href%3D%22https%3A%2F%2Fdeveloper.servicenow.com%2F%22%20target%3D%22_blank%22%20rel%3D%22noopener%20nofollow%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%22%3E%3CEM%3Ehere%3C%2FEM%3E%3C%2FA%3E%3CEM%3E%20for%20a%20developer%20instance%3C%2FEM%3E%3C%2FP%3E%0A%3COL%20start%3D%228%22%3E%0A%3CLI%3EFill%20in%20the%20required%20fields%20to%20create%20the%20connection%3CSPAN%20class%3D%22lia-inline-image-display-wrapper%20lia-image-align-inline%22%20image-alt%3D%22dougbirch_4-1586183895686.png%22%20style%3D%22width%3A%20400px%3B%22%3E%3CIMG%20src%3D%22https%3A%2F%2Fgxcuf89792.i.lithium.com%2Ft5%2Fimage%2Fserverpage%2Fimage-id%2F182376i41D4B85DEF0A7FC7%2Fimage-size%2Fmedium%3Fv%3D1.0%26amp%3Bpx%3D400%22%20title%3D%22dougbirch_4-1586183895686.png%22%20alt%3D%22dougbirch_4-1586183895686.png%22%20%2F%3E%3C%2FSPAN%3E%3C%2FLI%3E%0A%3C%2FOL%3E%0A%3COL%20start%3D%229%22%3E%0A%3CLI%3ENow%20we%20need%20to%20pass%20values%20from%20the%20Security%20Center%20recommendation%20trigger%20so%20that%20we%20can%20automatically%20populate%20the%20ServiceNow%20record.%3C%2FLI%3E%0A%3C%2FOL%3E%0A%3CP%3ERead%20this%20blog%20post%20%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fazure-security-center%2Fautomate-azure-security-center-actions-with-playbooks-and%2Fba-p%2F264843%22%20target%3D%22_blank%22%20rel%3D%22noopener%22%3Ehere%3C%2FA%3E%3CSPAN%3E%20for%20additional%20information%20about%20ServiceNow%20integration%3C%2FSPAN%3E.%3C%2FP%3E%0A%3CP%3E%3CSPAN%20class%3D%22lia-inline-image-display-wrapper%20lia-image-align-inline%22%20image-alt%3D%22dougbirch_5-1586183895692.png%22%20style%3D%22width%3A%20400px%3B%22%3E%3CIMG%20src%3D%22https%3A%2F%2Fgxcuf89792.i.lithium.com%2Ft5%2Fimage%2Fserverpage%2Fimage-id%2F182378i5616FA484E5958B9%2Fimage-size%2Fmedium%3Fv%3D1.0%26amp%3Bpx%3D400%22%20title%3D%22dougbirch_5-1586183895692.png%22%20alt%3D%22dougbirch_5-1586183895692.png%22%20%2F%3E%3C%2FSPAN%3E%3C%2FP%3E%0A%3CH2%20id%3D%22toc-hId--20177351%22%20id%3D%22toc-hId--20177351%22%20id%3D%22toc-hId--20177351%22%20id%3D%22toc-hId--20177351%22%3ECreate%20the%20Workflow%20automation%3C%2FH2%3E%0A%3CP%3ENow%20we%20are%20going%20to%20fill%20out%20the%20necessary%20fields%20and%20select%20the%20trigger%20conditions.%20For%20this%20scenario%2C%20we%20want%20to%20trigger%20the%20Logic%20App%20based%20on%20the%20Security%20Center%20recommendation%20named%20%E2%80%9CAdaptive%20Application%20Control%20should%20be%20enabled%20on%20virtual%20machines%E2%80%9D.%20References%20for%20the%20all%20of%20Security%20Center%E2%80%99s%20recommendations%20can%20be%20found%20%3CA%20href%3D%22https%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fazure%2Fsecurity-center%2Frecommendations-reference%23recs-computeapp%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%22%3Ehere.%3C%2FA%3E%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3COL%3E%0A%3CLI%3ENavigate%20to%20the%20Azure%20Security%20Center%20portal%20and%20under%20%3CSTRONG%3EWorkflow%20automation%3C%2FSTRONG%3E%2C%20select%20%2B%20%3CSTRONG%3EAdd%20Workflow%20automation.%3C%2FSTRONG%3E%3C%2FLI%3E%0A%3C%2FOL%3E%0A%3COL%20start%3D%222%22%3E%0A%3CLI%20style%3D%22font-weight%3A%20300%3B%22%3EProvide%20a%20name%20for%20your%20new%20Logic%20App%20like%20%E2%80%9CASCRec-SNOW-AAC%E2%80%9D%20and%20fill%20in%20the%20description(optional)%20and%20enter%20the%20desired%20Resource%20Group.%3C%2FLI%3E%0A%3C%2FOL%3E%0A%3COL%20start%3D%223%22%3E%0A%3CLI%3ESelect%20%3CSTRONG%3ESecurity%20Center%20recommendation%20%3C%2FSTRONG%3Eas%20the%20first%20trigger%20condition%20and%20%E2%80%9CAdaptive%20Application%20Control%20should%20be%20enabled%20on%20virtual%20machines%E2%80%9D%20as%20the%20%3CSTRONG%3ERecommendation%20name.%3C%2FSTRONG%3E%3C%2FLI%3E%0A%3CLI%3ESince%20we%20want%20to%20trigger%20on%20the%20unhealthy%20resources%20select%20%3CSTRONG%3EUnhealthy%20%3C%2FSTRONG%3Ein%20the%20Recommendation%20state%20field.%20Note%3A%20%3CSTRONG%3ERecommendation%20severity%3C%2FSTRONG%3E%20is%20only%20available%20if%20you%20select%20all%20of%20the%20recommendations%2C%20then%20you%20are%20able%20to%20select%20%3CSTRONG%3ELow%2C%20Medium%2C%20%3C%2FSTRONG%3Eor%20%3CSTRONG%3EHigh.%3C%2FSTRONG%3E%3C%2FLI%3E%0A%3CLI%3EIn%20the%20Actions%20section%20we%20will%20select%20the%20appropriate%20subscription%20and%20then%20select%20the%20Logic%20App%20that%20we%20created%20previously.%3C%2FLI%3E%0A%3CLI%3EClick%20%3CSTRONG%3ECreate%3C%2FSTRONG%3E%3C%2FLI%3E%0A%3C%2FOL%3E%0A%3CP%3E%3CSPAN%20class%3D%22lia-inline-image-display-wrapper%20lia-image-align-inline%22%20image-alt%3D%22dougbirch_6-1586183895697.png%22%20style%3D%22width%3A%20400px%3B%22%3E%3CIMG%20src%3D%22https%3A%2F%2Fgxcuf89792.i.lithium.com%2Ft5%2Fimage%2Fserverpage%2Fimage-id%2F182379i992761D118486365%2Fimage-size%2Fmedium%3Fv%3D1.0%26amp%3Bpx%3D400%22%20title%3D%22dougbirch_6-1586183895697.png%22%20alt%3D%22dougbirch_6-1586183895697.png%22%20%2F%3E%3C%2FSPAN%3E%3C%2FP%3E%0A%3CH2%20id%3D%22toc-hId--1827631814%22%20id%3D%22toc-hId--1827631814%22%20id%3D%22toc-hId--1827631814%22%20id%3D%22toc-hId--1827631814%22%3EVerify%20the%20Change%20Request%20in%20ServiceNow%3C%2FH2%3E%0A%3CP%3EOnce%20the%20Workflow%20automation%20is%20saved%2C%20we%20can%20either%20trigger%20the%20Logic%20App%20from%20the%20Logic%20App%20Overview%20blade%20or%20wait%20for%20it%20to%20fire%20on%20its%20own.%20After%20the%20trigger%20action%20has%20taken%20place%20the%20Change%20Request%20will%20show%20up%20in%20ServiceNow%20as%20seen%20below.%3C%2FP%3E%0A%3CP%3E%3CSPAN%20class%3D%22lia-inline-image-display-wrapper%20lia-image-align-inline%22%20image-alt%3D%22dougbirch_7-1586183895704.png%22%20style%3D%22width%3A%20400px%3B%22%3E%3CIMG%20src%3D%22https%3A%2F%2Fgxcuf89792.i.lithium.com%2Ft5%2Fimage%2Fserverpage%2Fimage-id%2F182380iA3EE7862B2A9D0B5%2Fimage-size%2Fmedium%3Fv%3D1.0%26amp%3Bpx%3D400%22%20title%3D%22dougbirch_7-1586183895704.png%22%20alt%3D%22dougbirch_7-1586183895704.png%22%20%2F%3E%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%3EThis%20logic%20app%20as%20well%20as%20many%20other%20can%20be%20found%20here%3A%3C%2FP%3E%0A%3CP%3E%3CA%20href%3D%22https%3A%2F%2Fgithub.com%2FAzure%2FAzure-Security-Center%2Ftree%2Fmaster%2FWorkflow%2520automation%2FCreate-SNOWCRfromASCRec%22%20target%3D%22_self%22%20rel%3D%22noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%22%3EDirect%20Link%20to%20GitHub%20sample%3C%2FA%3E%3C%2FP%3E%0A%3CP%3E%3CA%20href%3D%22https%3A%2F%2Fgithub.com%2FAzure%2FAzure-Security-Center%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%22%3EAzure%20Security%20Center%20GitHub%20Repo%3C%2FA%3E%3C%2FP%3E%0A%3CP%3EStart%20automating%20Security%20Center%20Alerts%20with%20Workflow%20automation%20and%20ServiceNow%20today.%20For%20more%20information%20on%20Azure%20Security%20Center%2C%20Workflow%20automation%2C%20and%20ServiceNow%2C%20visit%20our%20documentation%20below.%3C%2FP%3E%0A%3CH2%20id%3D%22toc-hId-659881019%22%20id%3D%22toc-hId-659881019%22%20id%3D%22toc-hId-659881019%22%20id%3D%22toc-hId-659881019%22%3EAdditional%20Resources%3C%2FH2%3E%0A%3CP%3E%3CA%20href%3D%22https%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fazure%2Fsecurity-center%2F%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%22%3EAzure%20Security%20Center%20documentation%3C%2FA%3E%3C%2FP%3E%0A%3CP%3E%3CA%20href%3D%22https%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fazure%2Fsecurity-center%2Fworkflow-automation%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%22%3EAzure%20Security%20Center%20Workflow%20automation%3C%2FA%3E%3C%2FP%3E%0A%3CP%3E%3CA%20href%3D%22https%3A%2F%2Fwww.servicenow.com%2Fproducts%2Fit-service-management.html%22%20target%3D%22_blank%22%20rel%3D%22noopener%20nofollow%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%22%3EServiceNow%20ITSM%20solution%3C%2FA%3E%3C%2FP%3E%0A%3CP%3E%3CA%20href%3D%22https%3A%2F%2Fdeveloper.servicenow.com%2Fapp.do%23!%2Fhome%22%20target%3D%22_blank%22%20rel%3D%22noopener%20nofollow%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%22%3EServiceNow%20developer%20instance%3C%2FA%3E%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1436189%22%20slang%3D%22en-US%22%3ERe%3A%20Azure%20Security%20Center%20%E2%80%93%20automating%20Change%20Requests%20in%20ServiceNow%20using%20Workflow%20automation.%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1436189%22%20slang%3D%22en-US%22%3E%3CP%3EHello.%20I%20did%20something%20similar%20but%20what%20i%20noticed%20is%20that%20it%20creates%20multiple%20tickets%20in%20servicenow%20for%20the%20same%20trigger%20(ASC%20recommendation%20%26amp%3B%20resource%20details)%20IS%20there%20a%20way%20to%20suppress%20ASC%20recommendation%20once%20it%20already%20created%20a%20ticket%20in%20snow%3F%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1476820%22%20slang%3D%22en-US%22%3ERe%3A%20Azure%20Security%20Center%20%E2%80%93%20automating%20Change%20Requests%20in%20ServiceNow%20using%20Workflow%20automation.%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1476820%22%20slang%3D%22en-US%22%3E%3CP%3EHi%20%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F591232%22%20target%3D%22_blank%22%3E%40dougbirch%3C%2FA%3E%26nbsp%3B%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F355819%22%20target%3D%22_blank%22%3E%40abePH%3C%2FA%3E%26nbsp%3B%2C%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EWe've%20noticed%20this%20as%20well%20-%20albeit%2C%20we're%20intending%20on%20pushing%20ASC%20Recommendations%20and%20Alerts%20into%20Azure%20DevOps%20to%20create%20work%20items%20that%20can%20be%20prioritised%20and%20worked%20on.%20The%20principle%20is%20very%20much%20the%20same.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EIs%20there%20any%20work%20around%20or%20a%20setting%20to%20trigger%20once%20or%20once%20per%20x%20days%2Fweeks%20etc.%3F%20At%20the%20moment%20this%20feature%20is%20unusable%20because%20this%20creates%20many%20duplicates%2C%20and%20I%20cannot%20see%20what%20the%20pattern%20is%20for%20triggering.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EThank%20you%20in%20advance%3C%2FP%3E%3CDIV%20class%3D%22lia-message-author-with-avatar%22%3E%26nbsp%3B%3C%2FDIV%3E%3CDIV%20class%3D%22lia-message-author-with-avatar%22%3E%26nbsp%3B%3C%2FDIV%3E%3CDIV%20class%3D%22lia-message-author-with-avatar%22%3EStephen%3C%2FDIV%3E%3CP%3E%3CSPAN%3E%26nbsp%3B%3C%2FSPAN%3E%3C%2FP%3E%3C%2FLINGO-BODY%3E
Microsoft

Introduction

In this blog post we will explore how to use Azure Security Center’s – Workflow automation (now generally available) to identify a recommendation and create a Change Request in ServiceNow.

At the crossroads of security posture and configuration drift lies IT Service Management (ITSM). In a fast and ever-changing world of modern enterprises, organizations struggle to meet security and compliance requirements while preventing unwanted change. Many organizations use a strict change management process to ensure change is tracked, approved and well documented. When cyber security recommendations come to light that effect an organization’s posture, this change process is sometimes bypassed or seen as a hinderance. This blog post is designed to show the efficacy of using Azure Security Center to not only identify a Security recommendation, but to create a change request based on the related relevant information and resources. These same principles can be used to create incidents, problems, etc. from both Security Center “Recommendations” and/or “Alerts”.

Scenario

In this scenario we are going to use the recommendation of Adaptive Application Control (AAC). The title of the recommendation is: “Adaptive Application Controls should be enabled on virtual machines”.

dougbirch_0-1586183895675.png

This recommendation falls under the “Apply adaptive application control” and is worth 2 points, a potential 3% score increase under the new Enhanced Secure Score (in preview).

Configuring the Workflow Automation for this Scenario

Workflow automation is a feature that can trigger Logic Apps on both “Threat detection alerts” and “Security Center recommendations”. Workflow automation is located in the left navigation pane of Azure Security Center dashboard as shown below:

dougbirch_1-1586183895678.png

Create the Logic App

Azure Logic Apps contains out of the box templates for third-party vendors like ServiceNow, which makes them very easy to integrate Azure Security Center. We can leverage ServiceNow Record actions like Create, Delete, Get, Update, etc. Follow the steps below to configure the Logic App for this scenario:

  1. Navigate to the Azure portal and under Logic Apps, select Add
  2. Provide a name for your new Logic App like “ASCRec-SNOWCR-AAC” and fill in the resource group and location fields. The Log Analytics integration offers capabilities like using search to query the status and history. Click on Create
  3. In the Logic Apps Designer select the Blank Logic App template
  4. Search for Azure Security Center and select When a response to an Azure Security Center recommendation is created or triggered as the trigger

dougbirch_2-1586183895680.png

  1. Click on + New Step and search for ServiceNow
  2. Select Create Record as the action

dougbirch_3-1586183895684.png

  1. To continue, you need to create a ServiceNow connection

Note: if you don’t have a ServiceNow environment you can sign up here for a developer instance

  1. Fill in the required fields to create the connectiondougbirch_4-1586183895686.png
  1. Now we need to pass values from the Security Center recommendation trigger so that we can automatically populate the ServiceNow record.

Read this blog post here for additional information about ServiceNow integration.

dougbirch_5-1586183895692.png

Create the Workflow automation

Now we are going to fill out the necessary fields and select the trigger conditions. For this scenario, we want to trigger the Logic App based on the Security Center recommendation named “Adaptive Application Control should be enabled on virtual machines”. References for the all of Security Center’s recommendations can be found here.

 

  1. Navigate to the Azure Security Center portal and under Workflow automation, select + Add Workflow automation.
  1. Provide a name for your new Logic App like “ASCRec-SNOW-AAC” and fill in the description(optional) and enter the desired Resource Group.
  1. Select Security Center recommendation as the first trigger condition and “Adaptive Application Control should be enabled on virtual machines” as the Recommendation name.
  2. Since we want to trigger on the unhealthy resources select Unhealthy in the Recommendation state field. Note: Recommendation severity is only available if you select all of the recommendations, then you are able to select Low, Medium, or High.
  3. In the Actions section we will select the appropriate subscription and then select the Logic App that we created previously.
  4. Click Create

dougbirch_6-1586183895697.png

Verify the Change Request in ServiceNow

Once the Workflow automation is saved, we can either trigger the Logic App from the Logic App Overview blade or wait for it to fire on its own. After the trigger action has taken place the Change Request will show up in ServiceNow as seen below.

dougbirch_7-1586183895704.png

This logic app as well as many other can be found here:

Direct Link to GitHub sample

Azure Security Center GitHub Repo

Start automating Security Center Alerts with Workflow automation and ServiceNow today. For more information on Azure Security Center, Workflow automation, and ServiceNow, visit our documentation below.

Additional Resources

Azure Security Center documentation

Azure Security Center Workflow automation

ServiceNow ITSM solution

ServiceNow developer instance

 

2 Comments
Frequent Visitor

Hello. I did something similar but what i noticed is that it creates multiple tickets in servicenow for the same trigger (ASC recommendation & resource details) IS there a way to suppress ASC recommendation once it already created a ticket in snow?

 

 

Occasional Visitor

Hi @dougbirch @abePH ,

 

We've noticed this as well - albeit, we're intending on pushing ASC Recommendations and Alerts into Azure DevOps to create work items that can be prioritised and worked on. The principle is very much the same.

 

Is there any work around or a setting to trigger once or once per x days/weeks etc.? At the moment this feature is unusable because this creates many duplicates, and I cannot see what the pattern is for triggering.

 

Thank you in advance

 
 
Stephen