Microsoft Defender for Cloud is a Cloud Native Application Protection Platform (CNAPP) that offers crucial insights and protective measures through its Attack Path risk analysis feature. A frequent requirement from customers is the ability to receive notifications whenever new attack paths are detected. This article presents an automated solution utilizing Azure Logic Apps to address this need. By deploying a custom Logic App using an Azure Resource Manager (ARM) template, organizations can establish a streamlined notification system for newly reported attack paths by Microsoft Defender for Cloud. This solution guarantees that security teams receive prompt alerts, empowering them to promptly respond and safeguard their cloud resources efficiently.
One of the key challenges faced by organizations using Microsoft Defender for Cloud Attack Path analysis is the lack of built-in notification functionality for new attack paths. Attack paths provide crucial information about potential vulnerabilities and the paths that attackers can exploit to infiltrate cloud environments. However, without timely notifications, security teams may not be aware of these new attack paths, leaving their cloud infrastructure exposed to potential threats.
Moreover, the data stored within the Azure Resource Graph, where attack path information is collected, does not include timestamps indicating when attack paths were first generated or updated. As a result, organizations lack visibility into the recency of attack path reports, further hindering their ability to prioritize and respond to potential risks effectively.
One way to overcome this challenge is to use Azure Logic Apps and custom notifications to provide security teams with real-time updates on new attack paths. By deploying the Logic App using the provided ARM template, organizations can establish a reliable and automated process for receiving notifications whenever Microsoft Defender for Cloud reports new attack paths. This empowers security teams to stay ahead of potential vulnerabilities and take proactive measures to secure their cloud environments effectively.
Next, we will delve into the details of the solution, explaining how the Logic App works and the benefits it offers in terms of timely attack path notifications.
Let's walk through the process of how this solution works:
Trigger: The Logic App is set to run daily using a recurring trigger. This ensures that Attack Paths are evaluated regularly.
Query Attack Paths: The Logic App retrieves Attack Paths data by making an API request to the Azure Resource Graph. It fetches important details such as Attack Path ID, display name, description, and attack path type.
Evaluate Attack Paths: The Logic App processes each Attack Path using a loop. For each path, it performs the following steps:
Notification Body: The Logic App constructs the email notification body using HTML formatting, making it visually appealing and informative.
Storage Account and Table: It's important to have a storage account and table in place for the Logic App to function correctly. Attack Path entities are stored in this table, enabling the Logic App to query and update them. This is necessary because the Azure Resource Graph data for Attack Paths lacks the specific date and time of their generation and update.
Recurring Frequency: It is recommended to set the Logic App's recurrence frequency to once a day. This aligns with the frequency at which Attack Paths are evaluated and reported by Defender for Cloud.
For the Logic App to work and utilize its capabilities to send Attack Path notifications, there are several prerequisites that need to be in place. Here are the prerequisites you need to consider:
Optional Step: Populating Azure Storage Account and Table with Existing Attack Paths
As part of the solution, we provide an optional PowerShell script that enables you to create an Azure Storage Account and Table, and populate it with the existing Attack Paths. This step is particularly useful if you have multiple Attack Paths already present and you prefer not to receive notifications for all of them. By populating the table, you can set the state to zero and ensure that only new Attack Paths detected from that moment onward trigger notifications.
To use the provided script, follow these instructions:
Ensure that you have the Azure PowerShell modules "Az", “Az.ResourceGraph”, “AzTable” installed.
Replace <Subscription ID> with the ID of the Azure subscription you want to work with. Replace <Storage Account Name> with the Azure Storage Account Name of your choice.
After executing the script, you will see a success message indicating that the data has been successfully populated in the specified table.
By following these steps and populating the Azure Storage Account and Table with existing Attack Paths, you can ensure that only new Attack Paths trigger notifications while excluding the ones already present in the table.
Please note that this step is optional and only necessary if you have existing Attack Paths that you want to exclude from the initial notification process.
Once you have deployed the Logic App, it is essential to verify and configure the API connections used within the Logic App to ensure their proper functioning. The API connections, namely "Azuretables" and "Office365," require attention to establish successful communication with the corresponding services. Follow the steps below to verify and configure the API connections:
a. Confirm that the connection is enabled.
b. Verify the connection details, including the storage account and table, to ensure they align with your configuration.
c. Make any necessary modifications to the connection settings as per your requirements.
a. Enable the connection if it is not already enabled.
b. Validate the connection details, such as the M365 Outlook account and other settings.
c. Adjust the connection settings if needed to match your specific configuration.
a. Within the Logic App designer, locate the "Test" button at the top of the screen.
b. Follow the provided prompts to supply any required inputs for the test.
c. Execute the test and carefully examine the results for any errors or issues.
By diligently following these steps, you can verify and configure the API connections used within the Logic App. This process guarantees seamless communication between the Logic App and the corresponding services, enabling the accurate and timely delivery of notifications based on the Attack Path data.
Yuri Diogenes, Principal PM Manager, CxE Defender for Cloud
You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.