Azure Security Center – automating Change Requests in ServiceNow using Workflow automation.
Published Apr 06 2020 10:56 AM
Microsoft

Introduction

In this blog post we will explore how to use Azure Security Center’s Workflow automation (now generally available) to identify a recommendation and create a Change Request in ServiceNow.

At the crossroads of security posture and configuration drift lies IT Service Management (ITSM). In the fast and ever-changing world of modern enterprises, organizations struggle to meet security and compliance requirements while preventing unwanted change. Many organizations use a strict change management process to ensure change is tracked, approved and well documented. When cyber security recommendations come to light that affect an organization’s posture, this change process is sometimes bypassed or seen as a hindrance. This blog post is designed to show the efficacy of using Azure Security Center not only to identify a security recommendation, but to create a change request based on the related relevant information and resources. These same principles can be used to create incidents, problems, etc. from both Security Center “Recommendations” and/or “Alerts”.

Scenario

In this scenario we are going to use the recommendation of Adaptive Application Control (AAC). The title of the recommendation is: “Adaptive Application Controls should be enabled on virtual machines”.


This recommendation falls under the “Apply adaptive application control” security control and is worth 2 points, a potential 3% score increase under the new Enhanced Secure Score (in preview).

Configuring the Workflow Automation for this Scenario

Workflow automation is a feature that can trigger Logic Apps on both “Threat detection alerts” and “Security Center recommendations”. Workflow automation is located in the left navigation pane of Azure Security Center dashboard as shown below:


Create the Logic App

Azure Logic Apps contains out-of-the-box templates for third-party vendors like ServiceNow, which makes them easy to integrate with Azure Security Center. We can leverage ServiceNow Record actions like Create, Delete, Get, Update, etc. Follow the steps below to configure the Logic App for this scenario:

  1. Navigate to the Azure portal and under Logic Apps, select Add.
  2. Provide a name for your new Logic App like “ASCRec-SNOWCR-AAC” and fill in the resource group and location fields. The Log Analytics integration offers capabilities like using search to query the status and history. Click on Create.
  3. In the Logic Apps Designer select the Blank Logic App template.
  4. Search for Azure Security Center and select When a response to an Azure Security Center recommendation is created or triggered as the trigger.


  5. Click on + New Step and search for ServiceNow.
  6. Select Create Record as the action.


  7. To continue, you need to create a ServiceNow connection.

Note: if you don’t have a ServiceNow environment, you can sign up here for a developer instance.

  8. Fill in the required fields to create the connection.
  9. Now we need to pass values from the Security Center recommendation trigger so that we can automatically populate the ServiceNow record.

Read this blog post here for additional information about ServiceNow integration.

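The trigger and Create Record action configured in the steps above, written out as a Logic App workflow definition (the designer's code view). This is an added example, not the post's or the GitHub sample's own definition; the connection names `ascassessment` and `service-now`, the ServiceNow change_request field names, and the trigger payload paths (`properties.displayName`, `properties.resourceDetails.id`, `properties.status.code`, `properties.metadata.remediationDescription`, `properties.links.azurePortal`) are assumptions to check against the dynamic content the designer offers. The assessment `id` is copied into the record's `correlation_id` so a ticket can later be traced back to the exact resource and recommendation that raised it.

```json
{
  "$schema": "https://schema.management.azure.com/providers/Microsoft.Logic/schemas/2016-06-01/workflowdefinition.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "$connections": { "type": "Object", "defaultValue": {} }
  },
  "triggers": {
    "When_a_response_to_an_Azure_Security_Center_recommendation_is_created_or_triggered": {
      "type": "ApiConnectionWebhook",
      "description": "Fires for each assessment selected by the Workflow automation. Connection name is an assumption.",
      "inputs": {
        "body": { "callback_url": "@{listCallbackUrl()}" },
        "host": { "connection": { "name": "@parameters('$connections')['ascassessment']['connectionId']" } },
        "path": "/Microsoft.Security/Assessment/subscribe"
      }
    }
  },
  "actions": {
    "Create_Record": {
      "type": "ApiConnection",
      "description": "ServiceNow Create Record on the change_request table. Field names are assumed; verify against your instance.",
      "runAfter": {},
      "inputs": {
        "method": "post",
        "host": { "connection": { "name": "@parameters('$connections')['service-now']['connectionId']" } },
        "path": "/api/now/v2/table/@{encodeURIComponent('change_request')}",
        "body": {
          "short_description": "ASC recommendation: @{triggerBody()?['properties']?['displayName']}",
          "description": "Affected resource: @{triggerBody()?['properties']?['resourceDetails']?['id']}\nRecommendation state: @{triggerBody()?['properties']?['status']?['code']}\nRemediation: @{triggerBody()?['properties']?['metadata']?['remediationDescription']}\nPortal link: @{triggerBody()?['properties']?['links']?['azurePortal']}",
          "correlation_id": "@{triggerBody()?['id']}"
        }
      }
    }
  },
  "outputs": {}
}
```

Paste this into the Logic App's code view after the two API connections exist; the designer then renders the same trigger and action that the screenshots show.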

Create the Workflow automation

Now we are going to fill out the necessary fields and select the trigger conditions. For this scenario, we want to trigger the Logic App based on the Security Center recommendation named “Adaptive Application Control should be enabled on virtual machines”. A reference for all of Security Center’s recommendations can be found here.


  1. Navigate to the Azure Security Center portal and under Workflow automation, select + Add Workflow automation.
  2. Provide a name for your new Logic App like “ASCRec-SNOW-AAC”, fill in the description (optional) and enter the desired Resource Group.
  3. Select Security Center recommendation as the first trigger condition and “Adaptive Application Control should be enabled on virtual machines” as the Recommendation name.
  4. Since we want to trigger on the unhealthy resources, select Unhealthy in the Recommendation state field. Note: Recommendation severity is only available if you select all of the recommendations; then you are able to select Low, Medium, or High.
  5. In the Actions section we will select the appropriate subscription and then select the Logic App that we created previously.
  6. Click Create.

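The same Workflow automation expressed as an ARM template for the Microsoft.Security/automations resource, so the trigger conditions (recommendation name and Unhealthy state) can be deployed and reviewed as code rather than set by hand in the portal. This is an added example and not from the post; the parameter names are assumptions, and the rule JSON paths `properties.metadata.displayName` and `properties.status.code` should be verified against the automations resource reference for the API version you deploy with.

```json
{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "metadata": { "description": "Added example: Security Center Workflow automation for the AAC recommendation. Parameter names are assumptions." },
  "parameters": {
    "logicAppResourceId": {
      "type": "string",
      "metadata": { "description": "Resource ID of the ASCRec-SNOWCR-AAC Logic App created earlier" }
    },
    "logicAppTriggerUri": {
      "type": "securestring",
      "metadata": { "description": "Callback URL of the Logic App's Security Center trigger (treated as a secret)" }
    }
  },
  "resources": [
    {
      "type": "Microsoft.Security/automations",
      "apiVersion": "2019-01-01-preview",
      "name": "ASCRec-SNOW-AAC",
      "location": "[resourceGroup().location]",
      "properties": {
        "description": "Create a ServiceNow change request for unhealthy Adaptive Application Control recommendations",
        "isEnabled": true,
        "scopes": [
          { "description": "Current subscription", "scopePath": "[subscription().id]" }
        ],
        "sources": [
          {
            "eventSource": "Assessments",
            "ruleSets": [
              {
                "rules": [
                  { "propertyJPath": "properties.metadata.displayName", "propertyType": "String", "operator": "Equals",
                    "expectedValue": "Adaptive Application Controls should be enabled on virtual machines" },
                  { "propertyJPath": "properties.status.code", "propertyType": "String", "operator": "Equals",
                    "expectedValue": "Unhealthy" }
                ]
              }
            ]
          }
        ],
        "actions": [
          { "actionType": "LogicApp", "logicAppResourceId": "[parameters('logicAppResourceId')]", "uri": "[parameters('logicAppTriggerUri')]" }
        ]
      }
    }
  ]
}
```

Both rules in a rule set must match, so only Unhealthy assessments for this one recommendation reach the Logic App; a healthy or not-applicable state does not open a change request.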

Verify the Change Request in ServiceNow

Once the Workflow automation is saved, we can either trigger the Logic App from the Logic App Overview blade or wait for it to fire on its own. After the trigger action has taken place the Change Request will show up in ServiceNow as seen below.


This Logic App, as well as many others, can be found here:

Direct Link to GitHub sample

Azure Security Center GitHub Repo

Start automating Security Center Alerts with Workflow automation and ServiceNow today. For more information on Azure Security Center, Workflow automation, and ServiceNow, visit our documentation below.

Additional Resources

Azure Security Center documentation

Azure Security Center Workflow automation

ServiceNow ITSM solution

ServiceNow developer instance


3 Comments
Copper Contributor

Hello. I did something similar but what I noticed is that it creates multiple tickets in ServiceNow for the same trigger (ASC recommendation & resource details). Is there a way to suppress the ASC recommendation once it has already created a ticket in snow?


Copper Contributor

Hi @dougbirch @abePH,


We've noticed this as well, albeit we're intending on pushing ASC Recommendations and Alerts into Azure DevOps to create work items that can be prioritised and worked on. The principle is very much the same.


Is there any workaround or a setting to trigger once, or once per x days/weeks etc.? At the moment this feature is unusable because it creates many duplicates, and I cannot see what the pattern is for triggering.


Thank you in advance

Stephen


Copper Contributor

Any live support available?

Version history
Last update: Apr 14 2020 07:52 AM