Mar 31 2020 10:47 AM
Mar 31 2020 10:47 AM
We have the following recommendation in ASC - Enable the built-in vulnerability assessment solution on virtual machines (powered by Qualys) (Preview) - that has some VMs that need the agent.
Within the recommendation I can remediate, but is there anyway to use Workflow automation to look for VMs that do not have the Qualys agent and to install it?
I tried creating a Logic app and copied and pasted the remediation logic from the recommendation, but it did not work.
Mar 31 2020 11:57 AMSolution
Yes. i just created a working sample here
Mar 31 2020 12:18 PM
Thx a million - I just tried to deploy the playbook and got the following error:
Mar 31 2020 01:05 PM
whoops forgot the dependson. in the resource.
just fixed the template.
Apr 01 2020 04:48 AM
Thx again Nick - for my edification, the workflow will kick in when it sees an unhealthy resource in the Enable the built-in vulnerability assessment solution on virtual machines (powered by Qualys) (Preview) recommendation, correct?
We have some VMs that are powered off so I am assuming when they get powered on, the workflow will run to install the Qualys agent.
And last question, can you point me to some documentation about ASC workflow?
Apr 01 2020 04:54 AM
yes but you need to create the workflow automation like this
here is the docs page https://docs.microsoft.com/en-us/azure/security-center/workflow-automation
Apr 01 2020 05:05 AM
Perfect as that's how I configured it,
Thx for the link
Apr 01 2020 06:55 AM
@Nicholas DiCola (SECURITY JEDI
Sorry to be a pain, but I ran into an error as I turned on a VM and then checked the logic app and saw that it failed
Apr 01 2020 08:11 AM
the template creates two api connection resources. you have to authorize them. go to the resource. click edit api connection. click authorize. login in the new window. click save.
Apr 01 2020 08:42 AM
API now authorized and when I do a 'Run Trigger' I get the following error message:
Apr 01 2020 08:49 AM
you cant just run trigger from logic apps as no data is passed to the ASC trigger step.
go to the recommendation in ASC and click run playbook. that will push the recommendation data to the trigger.
Apr 01 2020 10:11 AM
@Nicholas DiCola (SECURITY JEDI) - thx as it's working now. Appreciate all the help!
Aug 21 2020 09:30 AM
Hi Nicholas, thanks for super usefull logic app.
I made the setup you have described, I used automation workflow for ASC recommendation (A vulnerability assessment solution should be enabled on your virtual machines) with logic app to create ARM deployment. And it works well when I trigger Logic App from ASC (Azure Portal) but the automation workflow does not trigger my logic app at all. Is it possible that when the recommendation exist with many VM's in state not-applicable and unhealthy then any new VM which appear with unhealthy state will not trigger automation ? because the recommendation exist ? In short for existing recommendation new resource won't trigger the workflow automation ?
Thanks in advance for any insides ...