In this blog post we will explore how to work with Logic App parameters in Azure Security Center Workflow Automation. During workflow execution, some scenarios require parsing variables so that they fit the correct URI syntax. To do this, we will work with the properties.resourceDetails.id Return type and extract several variables from it.
Objectives:
When we create a Logic App to perform a Remediation task, the most important Return type is the properties.resourceDetails.id. This Return type can be used to parse out variables that are required to form a URI to make an Azure REST API call. There are many other Return types to work with as well. For details, take a look at the Connector reference here.
The properties.resourceDetails.id is the full Resource Id of the Azure Resource we need to remediate. A sample Resource Id looks like this:
/subscriptions/<remove-subscription-id>/resourceGroups/rg-usc-vms-01/providers/Microsoft.Compute/virtualMachines/virtualmachine01
In order for us to remediate an item, we can use the Resource Id to create the correct syntax to send out an HTTP PUT request that looks similar to this:
https://management.azure.com/subscriptions/@{variables('SubscriptionId')}/resourceGroups/@{variables('ResourceGroupName')}/providers/Microsoft.Security/locations/@{variables('vmLocation')}/jitNetworkAccessPolicies/@{first(skip(split(triggerBody()?['properties']?['resourceDetails']?['id'],'/'),8))}JITPolicy?api-version=2020-01-01
In the URI, Subscription Id, Resource Group Name, Resource Name, and Location need to be parsed and set in the correct location to create the URI that will carry out the PUT request on a resource. Although we will not walk through the entire remediation process, we will discuss how to parse variables from the properties.resourceDetails.id Return type so that we can form the correct URI syntax. To set up a Logic App for Workflow Automation and for more details, see the public documentation here.
In this section, we will create a Logic App in your Azure Subscription. Then we will add the logic to parse the variables we need. Last, we will trigger the Logic App to send an email with our parsed variables.
Note: you will need to sign in to your email provider and grant permissions for the Logic App to send email using your account.
In the Send an email (V2) action, add your email address to the To line.
Click in the Subject box, then click Add dynamic content if it doesn’t pop out automatically. Then click on Properties Display Name.
Click into the Body text box and type the following:
Resource Name:
Resource Group:
first(skip(split(triggerBody()?['properties']?['resourceDetails']?['id'],'/'),8))
Click on the second line, Resource Group:, to get your cursor in the right place. In the dynamic content box, click on Expression and cut and paste the following line, then click OK:
first(skip(split(triggerBody()?['properties']?['resourceDetails']?['id'],'/'),4))
Let’s pause and discuss steps 14 and 15, since these are key steps. Sometimes in a Logic App, you need to access data that might not yet exist when a workflow starts to run. In our case, we have the long string called a ResourceId. Remember this:
/subscriptions/<remove-subscription-id>/resourceGroups/rg-usc-vms-01/providers/Microsoft.Compute/virtualMachines/virtualmachine01
We must extract the fields we need at runtime when the workflow is running since they are not exposed in the Connector Return types. In our case, we need to extract the “Resource Name” and “Resource Group Name”.
first(skip(split(triggerBody()?['properties']?['resourceDetails']?['id'],'/'),8))
To do this, we use an Expression. Let’s work through the Expression piece-by-piece.
In the middle is the actual parameter from the Dynamic content ‘Properties Resource Details Id’ but broken out in the workflow like this: triggerBody()?['properties']?['resourceDetails']?['id']. Any time you need to access a parameter, type triggerBody and it helps by auto-completing in the Logic App Designer Expression. Of course there’s a lot more to Expressions and the Return types we could look at, but this is what we need for now.
Note: For details about each of the Functions, see this page.
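The same split, skip and first logic, reproduced in Python as an added illustration (not part of the original post or of the Logic App itself). It also shows what the fixed indexes 4 and 8 return for a shorter ID, and checks the segments before they are placed into the management URI shown earlier. The function names, the all-zero subscription GUID, the `centralus` location and the character allow-list are assumptions made for this example.

```python
import re

# Constructed sample ID; the all-zero GUID is a placeholder subscription.
SAMPLE_ID = ("/subscriptions/00000000-0000-0000-0000-000000000000"
             "/resourceGroups/rg-usc-vms-01/providers/Microsoft.Compute"
             "/virtualMachines/virtualmachine01")
# Constructed shorter ID (subscription scope) to show the fixed-index failure.
SHORT_ID = "/subscriptions/00000000-0000-0000-0000-000000000000"

# Assumed conservative allow-list for values placed into a URI path.
_SAFE = re.compile(r"[A-Za-z0-9._()\-]+")


def by_index(resource_id, n):
    """Mirror first(skip(split(id, '/'), n)); None when the ID is too short."""
    parts = resource_id.split("/")
    return parts[n] if n < len(parts) else None


def parse_resource_id(resource_id):
    """Check segment names and characters before trusting indexes 2, 4 and 8."""
    parts = resource_id.split("/")
    if len(parts) < 9 or parts[0] != "":
        raise ValueError("not a resource-group-scoped resource ID")
    layout = [parts[1].lower(), parts[3].lower(), parts[5].lower()]
    if layout != ["subscriptions", "resourcegroups", "providers"]:
        raise ValueError("unexpected segment layout")
    fields = {"subscription_id": parts[2], "resource_group": parts[4],
              "resource_name": parts[8]}
    for key, value in fields.items():
        if not _SAFE.fullmatch(value):
            raise ValueError("unsafe characters in %s" % key)
    return fields


def jit_policy_uri(resource_id, location):
    """Fill the URI shape shown earlier on the page from validated parts."""
    f = parse_resource_id(resource_id)
    if not _SAFE.fullmatch(location):
        raise ValueError("unsafe characters in location")
    return ("https://management.azure.com/subscriptions/%s/resourceGroups/%s"
            "/providers/Microsoft.Security/locations/%s"
            "/jitNetworkAccessPolicies/%sJITPolicy?api-version=2020-01-01"
            % (f["subscription_id"], f["resource_group"], location,
               f["resource_name"]))


if __name__ == "__main__":
    print(by_index(SAMPLE_ID, 4), by_index(SAMPLE_ID, 8))
    print(jit_policy_uri(SAMPLE_ID, "centralus"))
```

Splitting on '/' yields an empty string at index 0 because the ID starts with a slash, which is why the Resource Group sits at index 4 and the Resource Name at index 8.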
Let’s get back to building the Logic App
Hopefully, your screen looks like the below screenshot. If so, click on Save in the Logic App Designer and we are ready to fire off the Logic App.
There are two ways to trigger a Logic App: manually and automatically. For our testing, we will trigger the Logic App manually. For details on running an automated Logic App, see the public document here.
You should receive an email with the Resource Group Name and Resource Name populated.
To review, we have walked through the process of working with Azure Security Center Recommendation parameters in a Logic App. We have deployed the Logic App, triggered a Workflow Automation, and received an email with the selected parameters. We also saw that, when the Workflow Automation triggers a Logic App, the properties.resourceDetails.id is used to query the parameters using three Expressions (First(), Skip(), and Split()) to parse the variables from the properties.resourceDetails.id.
In a future blog, we will combine these steps with a real Remediation to see how the parameters are used to perform an Azure API REST call.
Special thanks to:
Yuri Diogenes and Ofir Monza for collaborating on and reviewing this post