Logic Apps are a workflow automation feature of Microsoft Defender for Cloud (MDC) in which you can create and run automated workflows that integrate your apps, data, services, and systems. Customer feedback has been loud and clear: Security Teams need more efficient and effective ways to communicate directly with Development Teams about discovered security findings. This blog walks through creating a Logic App that Security Teams can use to automate communication of discovered security issues to Development Teams. The Logic App creates a Work Item in Azure DevOps (ADO) containing the repository location, description, and remediation information from the Defender for Cloud DevOps security recommendation, which Developers can use to remediate the discovered security issue.
Security Operators will find this Logic App particularly useful because they do not need to be familiar with Azure DevOps, or even to log in to Azure DevOps, to create a Work Item for their Developers. Instead, SecOps can trigger the Logic App on an affected repository and create a Work Item for a Development Team to triage and remediate.
Objectives:
Prerequisite:
Create a Logic App to Create an ADO Work Item
Choose When a Microsoft Defender for Cloud Recommendation is created or triggered
Type variable in the search box
Choose Initialize variable
For Name, type org_name
For Type, choose String
Type variable in the search box
Choose Initialize variable
For Name, type project_name
For Type, choose String
Type variable in the search box
Choose Initialize variable
For Name, type repo_name
For Type, choose String
Type variable in the search box
Choose Set variable
For Name, choose org_name from the dropdown menu
For Value, click in the empty box
In the Add dynamic content flyout, click Expression and type the following: first(skip(split(triggerBody()?['properties']?['resourceDetails']?['id'],'/'),10)) and click OK
Type variable in the search box
Choose Set variable
For Name, choose project_name from the dropdown menu
For Value, click in the empty box
In the Add dynamic content flyout, click Expression and type the following: first(skip(split(triggerBody()?['properties']?['resourceDetails']?['id'],'/'),12)) and click OK
Type variable in the search box
Choose Set variable
For Name, choose repo_name from the dropdown menu
For Value, click in the empty box
In the Add dynamic content flyout, click Expression and type the following: first(skip(split(triggerBody()?['properties']?['resourceDetails']?['id'],'/'),14)) and click OK
Type azure devops in the search box
Click Create a work item
Click Sign in
Click Accept to grant the Logic App's connection permission to write to Azure DevOps
For Organization Name, click in the box, click Enter custom value
In the Add dynamic content flyout, click org_name
For Project name, click Enter custom value
In the Add dynamic content flyout, click project_name
For Work Item Type, type task
For Title, click in the box, type the title of the work item you want to create for your Developers, such as: A security issue needs to be remediated from the following repo:
In the Add dynamic content flyout, click repo_name
For Description, type Description:
In the Add dynamic content flyout, click Properties Metadata Description, then hit enter twice
Type Remediation steps: then hit enter
In the Add dynamic content flyout, click Properties Metadata Remediation Description
Your Logic App should now look like the following:
Your no-code Logic App is now complete and needs to be tested.
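The three Set variable expressions above (first(skip(split(id,'/'),10)), ...,12) and ...,14)) pick the 11th, 13th and 15th segments of the recommendation's resource ID, and the Title and Description steps then assemble the Work Item from those values plus the recommendation metadata. The following Python is an added example, not code from the original post or from Microsoft: it mirrors those expressions over a constructed trigger body so you can see what the Logic App will send to Azure DevOps before wiring up the connector. The resource ID layout (.../securityConnectors/{connector}/azureDevOpsOrgs/{org}/projects/{project}/repos/{repo}) is an assumption derived from the offsets 10, 12 and 14 used in the post, and the metadata field names description and remediationDescription are assumed to correspond to the "Properties Metadata Description" and "Properties Metadata Remediation Description" dynamic content. The example goes one step beyond the post by checking the literal segment (azureDevOpsOrgs, projects, repos) in front of each extracted value, so a change in the ID layout fails loudly instead of silently filing the Work Item in the wrong organization or project.

```python
# Constructed sample trigger body (not a real MDC recommendation payload).
# The resource ID layout below is an assumption implied by the post's
# offsets 10, 12 and 14; the metadata keys are assumed as well.
SAMPLE_TRIGGER_BODY = {
    "properties": {
        "resourceDetails": {
            "id": (
                "/subscriptions/00000000-0000-0000-0000-000000000000"
                "/resourceGroups/rg-devops-security"
                "/providers/Microsoft.Security/securityConnectors/ado-connector"
                "/azureDevOpsOrgs/contoso-org/projects/payments/repos/checkout-api"
            )
        },
        "metadata": {
            "description": "Secrets were found in the repository.",
            "remediationDescription": (
                "Rotate the exposed credentials and remove them from source control."
            ),
        },
    }
}

# Variable name -> (segment index used by the Logic App expression,
# literal label expected in the segment immediately before it).
SEGMENT_LAYOUT = {
    "org_name": (10, "azureDevOpsOrgs"),
    "project_name": (12, "projects"),
    "repo_name": (14, "repos"),
}


def segment(resource_id, n):
    """Python equivalent of first(skip(split(resource_id, '/'), n))."""
    parts = resource_id.split("/")
    remaining = parts[n:]  # skip(...)
    if not remaining:
        raise ValueError(f"resource id has fewer than {n + 1} segments: {resource_id}")
    return remaining[0]  # first(...)


def extract_ado_names(trigger_body):
    """Return org_name, project_name and repo_name, validating the ID layout."""
    rid = (
        trigger_body.get("properties", {})
        .get("resourceDetails", {})
        .get("id")
    )
    if not rid:
        # In the Logic App the ?[] operators would yield null here and the
        # Work Item would be created with empty org/project; fail instead.
        raise ValueError("trigger body has no properties.resourceDetails.id")
    parts = rid.split("/")
    names = {}
    for var, (idx, label) in SEGMENT_LAYOUT.items():
        if idx >= len(parts) or parts[idx - 1] != label:
            raise ValueError(
                f"unexpected resource id layout: segment {idx - 1} should be "
                f"'{label}' in {rid}"
            )
        names[var] = segment(rid, idx)
    return names


def build_work_item(trigger_body):
    """Assemble the same fields the 'Create a work item' action is given."""
    names = extract_ado_names(trigger_body)
    meta = trigger_body["properties"].get("metadata", {})
    title = (
        "A security issue needs to be remediated from the following repo: "
        f"{names['repo_name']}"
    )
    # Two line breaks after the description, one after the heading, as in
    # the post's "hit enter twice" / "hit enter" steps.
    description = (
        f"Description: {meta.get('description', '')}\n\n"
        f"Remediation steps: {meta.get('remediationDescription', '')}"
    )
    return {
        "organization": names["org_name"],
        "project": names["project_name"],
        "work_item_type": "task",
        "title": title,
        "description": description,
    }


if __name__ == "__main__":
    for key, value in build_work_item(SAMPLE_TRIGGER_BODY).items():
        print(f"{key}: {value}")
```

If your tenant's recommendation resource IDs carry extra segments (for example an additional path element between the security connector and the organization), the 10/12/14 offsets in the Set variable steps shift accordingly; the label check in extract_ado_names is the quickest way to notice that before a Work Item lands in the wrong project.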
Test the Logic App
Expand Remediate vulnerabilities, click Code repositories should have secret scanning findings resolved
Expand Affected resources, tick an Azure DevOps repository
Click Trigger logic app
Tick the box next to the Logic app
Click Trigger
Now let’s verify that your work item has been created
Click Boards, then click Work items to see the work item that you created
Your work item should look similar to the following work item:
To review, we’ve walked through creating a Logic App that creates a Work Item in Azure DevOps to communicate with Developers so they can remediate security findings discovered by Microsoft Defender for Cloud. This Logic App can be executed on any Azure DevOps repository. It injects the location, description, and remediation steps in the Work Item description body so that Developers can quickly find and fix the security issue. This helps Security Operators automate communication with Developers by creating a Work Item that the Development Team can then prioritize in their Sprint Planning sessions.