Blog Post

Microsoft Defender for Cloud Blog
4 MIN READ

Automate SecOps to Developer Communication with DevOps Security in Defender for Cloud

George__Wilburn's avatar
Oct 20, 2022

Automate SecOps to Developer Communication with DevOps Security in Defender for Cloud

Logic Apps are a workflow automation feature of Microsoft Defender for Cloud (MDC) in which you can create and run automated workflows that integrate your apps, data, services, and systems. Customer feedback has been loud and clear—Security Teams need more efficient and effective ways to communicate directly with Development Teams about discovered security findings. This blog walks through creating a Logic App that Security Teams can use to automate communication of discovered security issues to Development Teams. The Logic App creates a Work Item in Azure DevOps (ADO) containing repository location, description, and remediation information from DevOps security in Defender for Cloud Recommendations that Developers can use to remediate the discovered security issue.

 

Security Operators will find this Logic App particularly useful because they do not need to be familiar with Azure DevOps or even to login to Azure DevOps to create a Work Item for their Developers. Instead, SecOps can trigger a Logic App on an affected repository and create a Work Item for a Development Team to triage and remediate. 

 

Objectives:

  • Create a Logic App to create an Azure DevOps work item from an MDC Recommendation
  • Test the Logic App

Prerequisite:

  • Connector provisioned in MDC to your Source Code Management System (such as Azure DevOps or GitHub)

 

Create a Logic App to Create an ADO Work Item

  1. Login to Azure and search for or click Logic Apps
  2. Click + Add
  3. Choose a Subscription and Resource group
  4. Enter a name for your Logic App
  5. Under Plan, choose Consumption

 

  1. Click Review + create
  2. Click Create
  3. Go to the Logic App you created and click Logic app designer in the left menu
  4. Click Blank Logic App

 

  1. In the search box, type Recommendation

  Choose When a Microsoft Defender for Cloud Recommendation is created or triggered

  1. Click + New step

   Type variable in the search box

   Choose Initialize variable

   For Name, type org_name

   For Type, choose String

  1. Click + New step

   Type variable in the search box

   Choose Initialize variable

   For Name, type project_name

   For Type, choose String

  1. Click + New step

   Type variable in the search box

   Choose Initialize variable

   For Name, type repo_name

   For Type, choose String

  1. Click + New step

   Type variable in the search box

   Choose Set variable

   For Name, choose org_name from the dropdown menu

   For Value, click in the empty box 

   In the Add dynamic content flyout, click Expression and type the following:    first(skip(split(triggerBody()?['properties']?['resourceDetails']?['id'],'/'),10)) and click OK

  1. Click + New step

   Type variable in the search box

   Choose Set variable

   For Name, choose project_name from the dropdown menu

   For Value, click in the empty box

   In the Add dynamic content flyout, click Expression and type the following:    first(skip(split(triggerBody()?['properties']?['resourceDetails']?['id'],'/'),12)) and click OK

  1. Click + New step

   Type variable in the search box

   Choose Set variable

   For Name, choose repo_name from the dropdown menu

   For Value, click in the empty box

   In the Add dynamic content flyout, click Expression and type the following:    first(skip(split(triggerBody()?['properties']?['resourceDetails']?['id'],'/'),14)) and click OK

  1. Click + New step

   Type azure devops in the search box

   Click Create a work item

   Click Sign in

   Click Accept to allow the App request for the Logic App to write to Azure DevOps

   For Organization Name, click in the box, click Enter custom value

   In the Add dynamic content flyout, click org_name

   For Project name, click Enter custom value

   In the Add dynamic content flyout, click project_name

   For Work Item Type, type task

   For Title, click in the box, type the title of the work item you want to create for your Developers, such as: A security issue needs to be remediated from the following repo:

   In the Add dynamic content flyout, click repo_name

   For Description, type Description:

   In the Add dynamic content flyout, click Properties Metadata Description, then hit enter twice

   Type Remediation steps: then hit enter

   In the Add dynamic content flyout, click Properties Metadata Remediation Description

 

   Your Logic App should now look like the following:

 

Your no code Logic App is now complete and needs to be tested.

 

Test the Logic App

  1. Navigate to Microsoft Defender for Cloud
  2. Click Recommendations

   Expand Remediate vulnerabilities, click Code repositories should have secret scanning findings resolved

   Expand Affected resources, tick an Azure DevOps repository

   Click Trigger logic app

  1. In the Selected subscription dropdown, choose the Subscription that contains the Logic App

   Tick the box next to the Logic app

   Click Trigger

 

Now let’s verify that your work item has been created

 

  1. Login to Azure DevOps and navigate to the Project with the repository you tested

   Click Boards, then click Work items to see the work item that you created

   Your work item should look similar to the following work item:

 

Conclusion

To review, we’ve walked through creating a Logic App that creates a Work Item in Azure DevOps to communicate with Developers so they can remediate security findings discovered by Microsoft Defender for Cloud.  This Logic App can be executed on any Azure DevOps repository. It injects the location, description, and remediation steps in the Work Item description body so that Developers can quickly find and fix the security issue. This helps Security Operators automate communication with Developers by creating a Work Item that the Development Team can then prioritize in their Sprint Planning sessions. 

 

Additional Resources

  • To learn more about DevOps security in Defender for Cloud, read this documentation
  • Download (free) a special Appendix about DevOps security in Defender for Cloud from the latest Microsoft Defender for Cloud book published by Microsoft Press
  • To learn how to onboard your Azure DevOps Source Code Management System to Defender for Cloud, read this documentation for Azure DevOps
Updated Dec 07, 2023
Version 4.0
No CommentsBe the first to comment