Working with Logic App Parameters While Building Azure Security Center Automations
Published Apr 28 2020 09:29 AM
Microsoft

In this blog post we will explore how to work with Logic App parameters when working with Azure Security Center Workflow Automation.  During workflow execution, some scenarios require parsing variables to match a correct URI syntax.  Specifically, to do this, we will work with the properties.resourceDetails.id Return type and extract several variables to accomplish our task.

 

Objectives:

  • Create a Logic App for an Azure Security Center Recommendation
  • Create Workflow Automation and wire it to the Logic App
  • Understand the logic to parse variables from the properties.resourceDetails.id
  • Send an email with the parsed variables

When we create a Logic App to perform a Remediation task, the most important Return type is properties.resourceDetails.id. This Return type can be used to parse out the variables that are required to form a URI for an Azure REST API call.  There are many other Return types to work with as well.  For details, take a look at the Connector reference here.

 

The properties.resourceDetails.id is the full Resource Id of the Azure Resource we need to remediate.  A sample Resource Id looks like this:

/subscriptions/<remove-subscription-id>/resourceGroups/rg-usc-vms-01/providers/Microsoft.Compute/virtualMachines/virtualmachine01

 

In order for us to remediate an item, we can use the Resource Id to create the correct syntax to send out a HTTP PUT request that looks similar to this:

https://management.azure.com/subscriptions/@{variables('SubscriptionId')}/resourceGroups/@{variables('ResourceGroupName')}/providers/Microsoft.Security/locations/@{variables('vmLocation')}/jitNetworkAccessPolicies/@{first(skip(split(triggerBody()?['properties']?['resourceDetails']?['id'],'/'),8))}JITPolicy?api-version=2020-01-01 

 

In the URI, the Subscription Id, Resource Group Name, Resource Name, and Location need to be parsed and placed in the correct positions to form the URI that carries out the PUT request on a resource.  Although we will not walk through the entire remediation process, we will discuss how to parse variables from the properties.resourceDetails.id Return type so that we can form the correct URI syntax.  To set up a Logic App for Workflow Automation, and for more details, see the public documentation here.

 

Building the Logic App

In this section, we will create a Logic App in your Azure Subscription.  Then we will add the logic to parse the variables we need.  Last, we will trigger the Logic App to send an email with our parsed variables.

  1. In the Azure Portal, click on All services, in the search box type: logic app, and click on the Logic App in the results
  2. Click on Add to create a new Logic App
    CreateNewLogicApp.png
  3. Choose a Resource Group to store the Logic App, type a name, and click Review + create
    CreateNewLogicApp2.png
  4. After the review completes, click on Create
  5. Give it a few minutes and then click Go to Resource
  6. In the Logic App Designer, click Blank Logic App
    CreateNewLogicApp3.png
  7. On the Designer canvas, type: Security Center. Then, down in the Triggers, click on When an Azure Security Center Recommendation is created or triggered
    CreateNewLogicApp4.png
  8. In the Logic App Designer, click New step and in the search box type: send an email. Choose the type of email to use.  For this demo, I will use outlook.com
  9. Once we choose an email type, scroll down the list and click  Send an email (V2) to add it to the Designer.

    Note: you will need to sign in to your email provider and grant permissions for the Logic App to send email using your account

  10. In the Send an email (V2), add your email address to the To line

  11. Click in the Subject box, then click Add dynamic content if it doesn’t pop out automatically.  Then click on Properties Display Name
    CreateNewLogicApp5.png

  12. Click into the Body text box and type the following:

                   Resource Name:

                   Resource Group:

     

  13. Click just after Resource Name: to get your cursor in the right place.  In the dynamic content box, click on Expression, copy and paste the following line, then click OK:

                    first(skip(split(triggerBody()?['properties']?['resourceDetails']?['id'],'/'),8))

     

  14. Click just after the second line, Resource Group:, to get your cursor in the right place.  In the dynamic content box, click on Expression, copy and paste the following line, then click OK:

                   first(skip(split(triggerBody()?['properties']?['resourceDetails']?['id'],'/'),4))

     

    Let’s pause and discuss the two Expression steps above, since these are key steps.  Sometimes in a Logic App, you need to access data that is not exposed as a separate field when a workflow starts to run.  In our case, we have the long string called a ResourceId.  Recall the sample from above:

                    /subscriptions/<remove-subscription-id>/resourceGroups/rg-usc-vms-01/providers/Microsoft.Compute/virtualMachines/virtualmachine01


    We must extract the fields we need at runtime, while the workflow is running, since they are not exposed as Connector Return types.  In our case, we need to extract the “Resource Name” and the “Resource Group Name”.

                       first(skip(split(triggerBody()?['properties']?['resourceDetails']?['id'],'/'),8))

     

    To do this, we use an Expression.  Let’s work through the Expression piece-by-piece. 

    • first() returns the first item in a collection.  After skip() has discarded the leading segments, the first remaining item is the value we want, returned as a plain string. 
    • skip() removes N items from the beginning of a collection and takes two parameters (the collection, and N, the number of items to skip).  For the Resource Name, we need to skip 8 items. 
    • split() splits the ResourceId string at the ‘/’ delimiter into a collection of segments.  For our string, skipping 4 gives the Resource Group Name and skipping 8 gives the Name of the resource.

     

    In the middle is the actual parameter from the Dynamic content ‘Properties Resource Details Id’, written out in the workflow like this: triggerBody()?['properties']?['resourceDetails']?['id'].  Any time you need to access a parameter, type triggerBody and the Logic App Designer Expression editor helps by auto-completing.  Of course, there’s a lot more to Expressions and the Return types we could look at, but this is what we need for now.
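    To make the index arithmetic concrete, here is an added Python example (not code from this post, from Azure, or from the Logic Apps runtime) that mirrors the first(skip(split())) Expression, shows why the skip counts are 4 and 8, and assembles the PUT URI shown earlier; the sample Resource Id, the placeholder subscription id and the location value are constructed assumptions.

```python
# Added example (not from the original post): reproduce first(skip(split(id,'/'),N))
# in Python and show why N is 4 for the resource group and 8 for the resource name.

# Constructed sample Resource Id; the subscription id is an obvious placeholder.
SAMPLE_ID = ("/subscriptions/00000000-0000-0000-0000-000000000000"
             "/resourceGroups/rg-usc-vms-01/providers/Microsoft.Compute"
             "/virtualMachines/virtualmachine01")


def first_skip_split(resource_id: str, n: int, delimiter: str = "/") -> str:
    """Mirror of first(skip(split(resource_id, delimiter), n)).

    split() keeps the empty segment before the leading '/', so index 0 is ''
    and 'subscriptions' is index 1: that is why the post skips 4 for the
    resource group name and 8 for the resource name.
    """
    remaining = resource_id.split(delimiter)[n:]   # split() then skip(n)
    if not remaining:   # first() on an empty collection fails the Logic App run
        raise ValueError(f"fewer than {n + 1} segments: {resource_id!r}")
    return remaining[0]   # first()


def parse_resource_id(resource_id: str) -> dict:
    """Extract every value the post's PUT URI needs, using the same indexes.

    The fixed segments are checked so a malformed or differently shaped id is
    rejected instead of silently producing a URI for the wrong resource.
    """
    parts = resource_id.split("/")
    if (len(parts) < 9 or parts[0] != "" or parts[1].lower() != "subscriptions"
            or parts[3].lower() != "resourcegroups" or parts[5].lower() != "providers"):
        raise ValueError(f"unexpected resource id shape: {resource_id!r}")
    return {
        "subscription_id": first_skip_split(resource_id, 2),
        "resource_group": first_skip_split(resource_id, 4),
        "provider": first_skip_split(resource_id, 6),
        "resource_type": first_skip_split(resource_id, 7),
        "resource_name": first_skip_split(resource_id, 8),
    }


def jit_policy_uri(resource_id: str, location: str) -> str:
    """Build the PUT URI from the post; location stands in for the vmLocation variable."""
    p = parse_resource_id(resource_id)
    return (f"https://management.azure.com/subscriptions/{p['subscription_id']}"
            f"/resourceGroups/{p['resource_group']}/providers/Microsoft.Security"
            f"/locations/{location}/jitNetworkAccessPolicies/"
            f"{p['resource_name']}JITPolicy?api-version=2020-01-01")
```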

     

    Note: For details about each of the Functions, see this page.


    Let’s get back to building the Logic App.

  15. Hopefully, your screen looks like the below screenshot.  If so, click on Save in the Logic App Designer and we are ready to fire off the Logic App.

    CreateNewLogicApp6.png

     

     


    Firing the Logic App

    There are two ways to trigger a Logic App: manually and automatically.  For our testing, we will trigger the Logic App manually.  For details on running a Logic App automatically, see the public documentation here.

  16. Go back to Azure Security Center
  17. Click on Recommendations under RESOURCE SECURITY HYGIENE
  18. Look for any Recommendation that has a Quick Fix! Tag
    CreateNewLogicApp7.png
  19. Tick the resource so that the Trigger Logic App button lights up, then click the Trigger Logic App button
    CreateNewLogicApp8.png
  20. In the Logic App Trigger blade, tick the Logic App you created.  If you followed all the steps, it will be named Email-Resource-Info.  Tick it and click the Trigger button. 

CreateNewLogicApp9.png


You should receive an email populated with the Resource Group Name and Resource Name.

CreateNewLogicApp10.png

 

Conclusion

To review, we have walked through the process of working with Azure Security Center Recommendation parameters in a Logic App.  We have deployed the Logic App, triggered a Workflow Automation, and received an email with the selected parameters.  We also saw that, when the Workflow Automation triggers a Logic App, the properties.resourceDetails.id is used to obtain the parameters with three Expression functions (first(), skip(), and split()) that parse the variables out of the properties.resourceDetails.id.

 

In a future blog, we will combine these steps with a real Remediation to see how the parameters are used to perform an Azure API REST call.

 

Special thanks to:

Yuri Diogenes and Ofir Monza for collaborating on and reviewing this post

 

 

2 Comments
Copper Contributor

@George__Wilburn thanks a lot for this post, it helped me to customize the alert the way I was looking for. Really appreciate it!!

Microsoft

You bet, Karthick_G, appreciate the feedback and glad it was useful for you!

Version history
Last update: Apr 28 2020 09:49 AM