Export Microsoft Sentinel Playbooks or Azure Logic Apps with Ease

Published May 04 2022 12:10 PM 1,832 Views
Microsoft

Azure Logic Apps/Microsoft Sentinel Playbooks are a great beneficiary of the capabilities of elastic compute and uses the power of the Azure Cloud platform to automatically scale and meet demand. You do not have to worry about the complexity of infrastructure capacity, hosting, maintenance, or availability for your workflows. Playbooks help automate and orchestrate response actions that would typically be undertaken by security analysts to better control incidents. These can be triggered manually or set to run automatically when specific alerts are triggered.

 

Problem Statement

Despite the very visual, no-code aspect of Logic Apps, the business logic and connections contained within a Logic App/Playbook will be recorded as JSON. This JSON contains organizational information such as tenant ID, subscription information, connection strings, and other items that make sharing a Playbook a potential security risk.

 

Unlike, for example, Workbooks, where you can simply copy and paste the JSON code, you can’t quickly deploy a Microsoft Sentinel Playbook due to the litany of tenant-specific information and Logic App connector dependencies contained in the code. There are instructions for sanitizing or templatizing a Playbook to remove the organization-specific information to make it shareable, but it takes some effort and time to accomplish, making it almost unattainable and in most cases not worthwhile.

 

In this blog post we’ll introduce you to a PowerShell utility that can enable you to quickly and easily export Azure Logic Apps/Playbooks as Azure Resource Manager (ARM) templates so that you can set up and automate deployments across multiple environments in the quickest amount of time.

 

Solution: Azure Logic App/Playbook ARM Template Generator

Creating ARM template for distribution is no longer a daunting technical challenge. This PowerShell utility first evaluates your Logic App and any connections that the Logic App uses then generates template resources with the necessary parameters for deployment. You can use this ARM template for your own business scenarios or customize the template to meet your requirements. You can share it safely knowing that your organization’s information is stripped from the code and that it will work correctly in the recipient environment.

For example, suppose you built a logic app/playbook for Microsoft Sentinel which enables the SecOps team to automate incident response workflows. This tool preserves all the orchestration logic and parameterizes the API connection strings so that you can provide and change those values based on your deployment needs.

 

Deployment

  1. Download Azure Logic App/Playbook ARM Template Generator tool from Azure Sentinel GitHub repository
  2. Extract the folder and open "Playbook_ARM_Template_Generator.ps1" in Visual Studio Code/PowerShell.

Note
The script runs from the user's machine. You must allow PowerShell script execution. To do so, run the following command:

 

 

 

 

 

Set-ExecutionPolicy -Scope Process -ExecutionPolicy Bypass

 

 

 

 

  1. The script will prompt you to enter Azure Tenant Id.
  2. The script then prompts you to authenticate with credentials, once the user is authenticated, it prompts you to choose:
    • Subscription
    • Playbooks
    • After selecting playbooks, the script prompts you to select a location on your machine to save ARM Template

 

Testing

You can deploy your ARM template in different ways, for more information please click here.

 

Demo

 

Summary

This post outlines the key components that are necessary to create ARM Templates for Azure Logic Apps/Playbooks for easier distribution. Try it out and let us know what you think! If you run into any issues, please create issue\PR in Azure Sentinel GitHub Repo.

 

We hope you find this article useful. Please leave us your feedback and questions in the comments section.

 

Special thanks to @Javier Soriano @Rod Trent for reviewing and providing feedback on article

%3CLINGO-SUB%20id%3D%22lingo-sub-3275898%22%20slang%3D%22en-US%22%3EExport%20Microsoft%20Sentinel%20Playbooks%20or%20Azure%20Logic%20Apps%20with%20Ease%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-3275898%22%20slang%3D%22en-US%22%3E%3CP%3EAzure%20Logic%20Apps%2FMicrosoft%20Sentinel%20Playbooks%20are%20a%20great%20beneficiary%20of%20the%20capabilities%20of%20elastic%20compute%20and%20uses%20the%20power%20of%20the%20Azure%20Cloud%20platform%20to%20automatically%20scale%20and%20meet%20demand.%20You%20do%20not%20have%20to%20worry%20about%20the%20complexity%20of%20infrastructure%20capacity%2C%20hosting%2C%20maintenance%2C%20or%20availability%20for%20your%20workflows.%20Playbooks%20help%20automate%20and%20orchestrate%20response%20actions%20that%20would%20typically%20be%20undertaken%20by%20security%20analysts%20to%20better%20control%20incidents.%20These%20can%20be%20triggered%20manually%20or%20set%20to%20run%20automatically%20when%20specific%20alerts%20are%20triggered.%3C%2FP%3E%0A%3CH1%20id%3D%22toc-hId--2104224231%22%20id%3D%22toc-hId--2081199670%22%3E%26nbsp%3B%3C%2FH1%3E%0A%3CH1%20id%3D%22toc-hId-383288602%22%20id%3D%22toc-hId-406313163%22%3EProblem%20Statement%3C%2FH1%3E%0A%3CP%3EDespite%20the%20very%20visual%2C%20no-code%20aspect%20of%20Logic%20Apps%2C%20the%20business%20logic%20and%20connections%20contained%20within%20a%20Logic%20App%2FPlaybook%20will%20be%20recorded%20as%20JSON.%20This%20JSON%20contains%20organizational%20information%20such%20as%20tenant%20ID%2C%20subscription%20information%2C%20connection%20strings%2C%20and%20other%20items%20that%20make%20sharing%20a%20Playbook%20a%20potential%20security%20risk.%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EUnlike%2C%20for%20example%2C%20Workbooks%2C%20where%20you%20can%20simply%20copy%20and%20paste%20the%20JSON%20code%2C%20you%20can%E2%80%99t%20quickly%20deploy%20a%20Microsoft%20Sentinel%20Playbook%20due%20to%20the%20litany%20of%20tenant-specific%20information%20and%20Logic%20App%20connector%20dependencies%20contained%20in%20the%20code.%20There%20are%20%3CA%20href%3D%22https%3A%2F%2Fgithub.com%2FAzure%2FAzure-Sentinel%2Ftree%2Fmaster%2FPlaybooks%23instructions-for-deploying-a-custom-template%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%22%3Einstructions%20for%20sanitizing%20or%20templatizing%20a%20Playbook%3C%2FA%3E%20to%20remove%20the%20organization-specific%20information%20to%20make%20it%20shareable%2C%20but%20it%20takes%20some%20effort%20and%20time%20to%20accomplish%2C%20making%20it%20almost%20unattainable%20and%20in%20most%20cases%20not%20worthwhile.%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EIn%20this%20blog%20post%20we%E2%80%99ll%20introduce%20you%20to%20a%20PowerShell%20utility%20that%20can%20enable%20you%20to%20quickly%20and%20easily%20export%20Azure%20Logic%20Apps%2FPlaybooks%20as%20Azure%20Resource%20Manager%20(ARM)%20templates%20so%20that%20you%20can%20set%20up%20and%20automate%20deployments%20across%20multiple%20environments%20in%20the%20quickest%20amount%20of%20time.%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CH1%20id%3D%22toc-hId--1424165861%22%20id%3D%22toc-hId--1401141300%22%3ESolution%3A%20Azure%20Logic%20App%2FPlaybook%20ARM%20Template%20Generator%3C%2FH1%3E%0A%3CP%3E%3CSPAN%3ECreating%20ARM%20template%20for%20distribution%20is%20no%20longer%20a%20daunting%20technical%20challenge.%20%3C%2FSPAN%3E%3CSPAN%3EThis%20PowerShell%20utility%20first%20evaluates%20your%20Logic%20App%20and%20any%20connections%20that%20the%20Logic%20App%20uses%20then%20generates%20template%20resources%20with%20the%20necessary%20parameters%20for%20deployment.%20%3C%2FSPAN%3EYou%20can%20use%20this%20ARM%20template%20for%20your%20own%20business%20scenarios%20or%20customize%20the%20template%20to%20meet%20your%20requirements.%20You%20can%20share%20it%20safely%20knowing%20that%20your%20organization%E2%80%99s%20information%20is%20stripped%20from%20the%20code%20and%20that%20it%20will%20work%20correctly%20in%20the%20recipient%20environment.%3C%2FP%3E%0A%3CP%3EFor%20example%2C%20suppose%20you%20built%20a%20logic%20app%2Fplaybook%20for%20Microsoft%20Sentinel%20which%20enables%20the%20SecOps%20team%20to%20automate%20incident%20response%20workflows.%20This%20tool%20preserves%20all%20the%20orchestration%20logic%20and%20parameterizes%20the%20API%20connection%20strings%20so%20that%20you%20can%20provide%20and%20change%20those%20values%20based%20on%20your%20deployment%20needs.%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CH1%20id%3D%22toc-hId-1063346972%22%20id%3D%22toc-hId-1086371533%22%3EDeployment%3C%2FH1%3E%0A%3COL%3E%0A%3CLI%3E%3CSPAN%3EDownload%20%3C%2FSPAN%3EAzure%20Logic%20App%2FPlaybook%20ARM%20Template%20Generator%20tool%20from%20%3CA%20href%3D%22https%3A%2F%2Fgithub.com%2FAzure%2FAzure-Sentinel%2Ftree%2Fmaster%2FTools%2FPlaybook-ARM-Template-Generator%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%22%3EAzure%20Sentinel%20GitHub%20repository%3C%2FA%3E%3C%2FLI%3E%0A%3CLI%3EExtract%20the%20folder%20and%20open%20%22Playbook_ARM_Template_Generator.ps1%22%20in%20Visual%20Studio%20Code%2FPowerShell.%3C%2FLI%3E%0A%3C%2FOL%3E%0A%3CP%20style%3D%22%20padding-left%20%3A%2030px%3B%20%22%3E%3CSTRONG%3ENote%3C%2FSTRONG%3E%3CBR%20%2F%3EThe%20script%20runs%20from%20the%20user's%20machine.%20You%20must%20allow%20PowerShell%20script%20execution.%20To%20do%20so%2C%20run%20the%20following%20command%3A%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CPRE%20class%3D%22lia-code-sample%20language-powershell%22%3E%3CCODE%3ESet-ExecutionPolicy%20-Scope%20Process%20-ExecutionPolicy%20Bypass%3C%2FCODE%3E%3C%2FPRE%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3COL%20start%3D%223%22%3E%0A%3CLI%3EThe%20script%20will%20prompt%20you%20to%20enter%20Azure%20Tenant%20Id.%3C%2FLI%3E%0A%3CLI%3EThe%20script%20then%20prompts%20you%20to%20authenticate%20with%20credentials%2C%20once%20the%20user%20is%20authenticated%2C%20it%20prompts%20you%20to%20choose%3A%3C%2FLI%3E%0A%3CUL%3E%0A%3CLI%3ESubscription%3C%2FLI%3E%0A%3CLI%3EPlaybooks%3C%2FLI%3E%0A%3CLI%3EAfter%20selecting%20playbooks%2C%20the%20script%20prompts%20you%20to%20select%20a%20location%20on%20your%20machine%20to%20save%20ARM%20Template%3C%2FLI%3E%0A%3C%2FUL%3E%0A%3C%2FOL%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CH1%20id%3D%22toc-hId--744107491%22%20id%3D%22toc-hId--721082930%22%3ETesting%3C%2FH1%3E%0A%3CP%3E%3CSPAN%3EYou%20can%20deploy%20your%20ARM%20template%20in%20different%20ways%2C%20for%20more%20information%20please%20click%20%3C%2FSPAN%3E%3CA%20style%3D%22font-family%3A%20inherit%3B%20background-color%3A%20%23ffffff%3B%22%20href%3D%22https%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fazure%2Flogic-apps%2Flogic-apps-deploy-azure-resource-manager-templates%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%22%3Ehere.%3C%2FA%3E%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CH1%20id%3D%22toc-hId-1743405342%22%20id%3D%22toc-hId-1766429903%22%3EDemo%3C%2FH1%3E%0A%3CP%3E%3CA%20href%3D%22https%3A%2F%2Fwww.youtube.com%2Fwatch%3Fv%3DscTtVHVzrQw%22%20target%3D%22_blank%22%20rel%3D%22noopener%20nofollow%20noreferrer%22%3E%3C%2FA%3E%3C%2FP%3E%3CDIV%20class%3D%22video-embed-center%20video-embed%22%3E%3CIFRAME%20class%3D%22embedly-embed%22%20src%3D%22https%3A%2F%2Fcdn.embedly.com%2Fwidgets%2Fmedia.html%3Fsrc%3Dhttps%253A%252F%252Fwww.youtube.com%252Fembed%252FscTtVHVzrQw%253Ffeature%253Doembed%26amp%3Bdisplay_name%3DYouTube%26amp%3Burl%3Dhttps%253A%252F%252Fwww.youtube.com%252Fwatch%253Fv%253DscTtVHVzrQw%26amp%3Bimage%3Dhttps%253A%252F%252Fi.ytimg.com%252Fvi%252FscTtVHVzrQw%252Fhqdefault.jpg%26amp%3Bkey%3Dfad07bfa4bd747d3bdea27e17b533c0e%26amp%3Btype%3Dtext%252Fhtml%26amp%3Bschema%3Dyoutube%22%20width%3D%22400%22%20height%3D%22225%22%20scrolling%3D%22no%22%20title%3D%22Export%20your%20SOAR%20Playbooks%20with%20ease%20%7C%20Microsoft%20Sentinel%20in%20the%20Field%20%237%22%20frameborder%3D%220%22%20allow%3D%22autoplay%3B%20fullscreen%22%20allowfullscreen%3D%22true%22%3E%3C%2FIFRAME%3E%3C%2FDIV%3E%3CP%3E%3C%2FP%3E%0A%3CH1%20id%3D%22toc-hId--64049121%22%20id%3D%22toc-hId--41024560%22%3E%26nbsp%3B%3C%2FH1%3E%0A%3CH1%20id%3D%22toc-hId--1871503584%22%20id%3D%22toc-hId--1848479023%22%3ESummary%3C%2FH1%3E%0A%3CP%3EThis%20post%20outlines%20the%20key%20components%20that%20are%20necessary%20to%20create%20ARM%20Templates%20for%20Azure%20Logic%20Apps%2FPlaybooks%20for%20easier%20distribution.%20Try%20it%20out%20and%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fazure-sentinel%2Fbd-p%2FAzureSentinel%22%20target%3D%22_self%22%3E%26nbsp%3Blet%20us%20know%3C%2FA%3E%26nbsp%3Bwhat%20you%20think!%20If%20you%20run%20into%20any%20issues%2C%20please%20create%20issue%5CPR%20in%20Azure%20Sentinel%20GitHub%20Repo.%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EWe%20hope%20you%20find%20this%20article%20useful.%20Please%20leave%20us%20your%20feedback%20and%20questions%20in%20the%20comments%20section.%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3ESpecial%20thanks%20to%26nbsp%3B%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F66621%22%20target%3D%22_blank%22%3E%40Javier%20Soriano%3C%2FA%3E%26nbsp%3B%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F11412%22%20target%3D%22_blank%22%3E%40Rod%20Trent%3C%2FA%3E%26nbsp%3Bfor%20reviewing%20and%20providing%20feedback%20on%20article%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-TEASER%20id%3D%22lingo-teaser-3275898%22%20slang%3D%22en-US%22%3E%3CP%3E%3CSPAN%20class%3D%22lia-inline-image-display-wrapper%20lia-image-align-center%22%20image-alt%3D%22SentineExport.png%22%20style%3D%22width%3A%20999px%3B%22%3E%3CIMG%20src%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fimage%2Fserverpage%2Fimage-id%2F369308i195DF773037CC5A6%2Fimage-size%2Flarge%3Fv%3Dv2%26amp%3Bpx%3D999%22%20role%3D%22button%22%20title%3D%22SentineExport.png%22%20alt%3D%22SentineExport.png%22%20%2F%3E%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%3C%2FLINGO-TEASER%3E
Co-Authors
Version history
Last update:
‎May 04 2022 02:13 PM
Updated by: