Automate SecOps to Developer Communication with DevOps Security in Defender for Cloud
Logic Apps are a workflow automation feature of Microsoft Defender for Cloud (MDC) in which you can create and run automated workflows that integrate your apps, data, services, and systems. Customer feedback has been loud and clear—Security Teams need more efficient and effective ways to communicate directly with Development Teams about discovered security findings. This blog walks through creating a Logic App that Security Teams can use to automate communication of discovered security issues to Development Teams. The Logic App creates a Work Item in Azure DevOps (ADO) containing repository location, description, and remediation information from DevOps security in Defender for Cloud Recommendations that Developers can use to remediate the discovered security issue.
Security Operators will find this Logic App particularly useful because they do not need to be familiar with Azure DevOps or even to login to Azure DevOps to create a Work Item for their Developers. Instead, SecOps can trigger a Logic App on an affected repository and create a Work Item for a Development Team to triage and remediate.
Objectives:
- Create a Logic App to create an Azure DevOps work item from an MDC Recommendation
- Test the Logic App
Prerequisite:
- Connector provisioned in MDC to your Source Code Management System (such as Azure DevOps or GitHub)
Create a Logic App to Create an ADO Work Item
- Login to Azure and search for or click Logic Apps
- Click + Add
- Choose a Subscription and Resource group
- Enter a name for your Logic App
- Under Plan, choose Consumption
- Click Review + create
- Click Create
- Go to the Logic App you created and click Logic app designer in the left menu
- Click Blank Logic App
- In the search box, type Recommendation
Choose When a Microsoft Defender for Cloud Recommendation is created or triggered
- Click + New step
Type variable in the search box
Choose Initialize variable
For Name, type org_name
For Type, choose String
- Click + New step
Type variable in the search box
Choose Initialize variable
For Name, type project_name
For Type, choose String
- Click + New step
Type variable in the search box
Choose Initialize variable
For Name, type repo_name
For Type, choose String
- Click + New step
Type variable in the search box
Choose Set variable
For Name, choose org_name from the dropdown menu
For Value, click in the empty box
In the Add dynamic content flyout, click Expression and type the following: first(skip(split(triggerBody()?['properties']?['resourceDetails']?['id'],'/'),10)) and click OK
- Click + New step
Type variable in the search box
Choose Set variable
For Name, choose project_name from the dropdown menu
For Value, click in the empty box
In the Add dynamic content flyout, click Expression and type the following: first(skip(split(triggerBody()?['properties']?['resourceDetails']?['id'],'/'),12)) and click OK
- Click + New step
Type variable in the search box
Choose Set variable
For Name, choose repo_name from the dropdown menu
For Value, click in the empty box
In the Add dynamic content flyout, click Expression and type the following: first(skip(split(triggerBody()?['properties']?['resourceDetails']?['id'],'/'),14)) and click OK
- Click + New step
Type azure devops in the search box
Click Create a work item
Click Sign in
Click Accept to allow the App request for the Logic App to write to Azure DevOps
For Organization Name, click in the box, click Enter custom value
In the Add dynamic content flyout, click org_name
For Project name, click Enter custom value
In the Add dynamic content flyout, click project_name
For Work Item Type, type task
For Title, click in the box, type the title of the work item you want to create for your Developers, such as: A security issue needs to be remediated from the following repo:
In the Add dynamic content flyout, click repo_name
For Description, type Description:
In the Add dynamic content flyout, click Properties Metadata Description, then hit enter twice
Type Remediation steps: then hit enter
In the Add dynamic content flyout, click Properties Metadata Remediation Description
Your Logic App should now look like the following:
Your no code Logic App is now complete and needs to be tested.
Test the Logic App
- Navigate to Microsoft Defender for Cloud
- Click Recommendations
Expand Remediate vulnerabilities, click Code repositories should have secret scanning findings resolved
Expand Affected resources, tick an Azure DevOps repository
Click Trigger logic app
- In the Selected subscription dropdown, choose the Subscription that contains the Logic App
Tick the box next to the Logic app
Click Trigger
Now let’s verify that your work item has been created
- Login to Azure DevOps and navigate to the Project with the repository you tested
Click Boards, then click Work items to see the work item that you created
Your work item should look similar to the following work item:
Conclusion
To review, we’ve walked through creating a Logic App that creates a Work Item in Azure DevOps to communicate with Developers so they can remediate security findings discovered by Microsoft Defender for Cloud. This Logic App can be executed on any Azure DevOps repository. It injects the location, description, and remediation steps in the Work Item description body so that Developers can quickly find and fix the security issue. This helps Security Operators automate communication with Developers by creating a Work Item that the Development Team can then prioritize in their Sprint Planning sessions.
Additional Resources
- To learn more about DevOps security in Defender for Cloud, read this documentation
- Download (free) a special Appendix about DevOps security in Defender for Cloud from the latest Microsoft Defender for Cloud book published by Microsoft Press
- To learn how to onboard your Azure DevOps Source Code Management System to Defender for Cloud, read this documentation for Azure DevOps
