Azure Logic Apps is at the heart of Microsoft Sentinel’s SOAR capability, allowing our customers and partners to create automated workflows for any scenario required in the SOC. When you create Sentinel playbooks, you are leveraging a robust platform which handles billions of requests every day and drives business productivity in multiple verticals. It can integrate with almost any service or product out there, in particular natively with 450+ connectors and a growing library of security-oriented integrations.
Logic Apps Standard plan, the new offering released last May, provides an even more flexible, containerized, modern cloud-scale workflow engine you can run anywhere. It also features higher performance and a set of new capabilities. Although most of our customers are currently using the original/classic Logic Apps Consumption plan, we now allow working with both options, allowing each organization to choose its preferred plan.
What’s new with this integration?
Across automation features, we added visibility and functionality for Logic Apps Standard. Each workflow within your Logic App is treated as a playbook and presented in the format <Logic App name> / <Workflow name>.
Automation rules can now run playbooks created with Logic Apps Standard plan. Your Logic Apps Standard plan workflows now appear in the Run playbook drop-down, and they can be attached via API.
You can run playbooks on demand. A new column and filter for plan helps you to choose between Consumption and Standard.
You can manage your Logic Apps Standard playbooks under the Active playbooks tab. A new column and a filter for plan helps you to choose between Consumption and Standard.
You can create Logic Apps Standard playbooks using the Create blank playbook button under Create.
Microsoft Sentinel Logic Apps connector is available in Stateful workflows (Stateless workflows are not supported).
What is not supported yet in Microsoft Sentinel for Logic Apps Standard:
Logic Apps custom connectors are not supported in Standard
Microsoft Sentinel Repositories doesn’t support this resource type
Integration with the networking capabilities of Logic Apps Standard
What’s new with Logic Apps Standard?
We recommend reviewing the documentation for the most accurate comparison between the Consumption and Standard plans. However, we have collected some highlights that Microsoft Sentinel customers who tried this feature liked the most:
Multiple workflows, one Logic App, better performance
Logic App Standard allows you to create and run multiple workflows in the same single app. With this 1-to-many mapping, these workflows share resources, such as compute, processing, storage, and network, providing better performance due to their proximity. This structure differs from the Consumption resource where you have a 1-to-1 mapping between a logic app resource and a workflow.
Fixed pricing model
Although Logic Apps Consumption pricing is very low for most Sentinel use cases, it is priced by the metered execution of actions. The Logic Apps Standard plan has a fixed price for compute and storage. Some MSSPs that run lots of playbooks for multiple customers, or heavy users that run long, complex workflows, may prefer this model.
Easier API connections management and centralized managed identity
Whenever you authenticate to Logic Apps connectors, API connections resources are created in the background and maintain your connection secrets. Although even in Consumption-based Logic Apps, multiple playbooks can share the same API connections, the management and configuration experience in Logic Apps Standard is easier thanks to having them all in the same app, which also allows customers to edit them in one JSON file. In addition, it supports having the system-assigned managed identity and multiple user-assigned managed identities enabled at the same time. The shared Logic Apps managed identity, which works for multiple workflows, can be granted permissions once for all the workflows.
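The following is an added example, not code from the original post or from Microsoft: a small review script that lists each workflow in the "<Logic App name> / <Workflow name>" format, flags workflows that use the Sentinel connector without being Stateful, and reports API connections that do not authenticate with the app's managed identity. The app name, workflow names and sample JSON contents are constructed, and the shapes assumed are the app-level connections.json and per-workflow workflow.json of a Logic Apps Standard project.

```python
# Constructed sample data; every name and ID below is an assumption for illustration.
SENTINEL_API_SUFFIX = "/managedapis/azuresentinel"
API_BASE = "/subscriptions/<sub>/providers/Microsoft.Web/locations/<region>/managedApis/"

CONNECTIONS = {  # shape of the shared, app-level connections.json
    "managedApiConnections": {
        "azuresentinel": {
            "api": {"id": API_BASE + "azuresentinel"},
            "authentication": {"type": "ManagedServiceIdentity"},
        },
        "teams": {
            "api": {"id": API_BASE + "teams"},
            "authentication": {"type": "Raw", "scheme": "Key",
                               "parameter": "@appsetting('teams-connectionKey')"},
        },
    }
}

def _sentinel_workflow(kind):
    """Build a constructed workflow.json whose trigger uses the Sentinel connection."""
    trigger = {"type": "ApiConnectionWebhook",
               "inputs": {"host": {"connection": {"referenceName": "azuresentinel"}}}}
    return {"kind": kind, "definition": {"triggers": {"Sentinel_incident": trigger}}}

WORKFLOWS = {  # workflow folder name -> parsed workflow.json
    "Enrich-Incident": _sentinel_workflow("Stateful"),
    "Fast-Lookup": _sentinel_workflow("Stateless"),
}

def audit(app_name, connections, workflows):
    managed = connections.get("managedApiConnections", {})
    # Connection reference names that point at the Microsoft Sentinel connector.
    sentinel_refs = {name for name, c in managed.items()
                     if c.get("api", {}).get("id", "").lower().endswith(SENTINEL_API_SUFFIX)}
    # Connections whose runtime authentication is not the app's managed identity.
    non_mi = sorted(name for name, c in managed.items()
                    if c.get("authentication", {}).get("type") != "ManagedServiceIdentity")
    playbooks = []
    for wf_name, wf in sorted(workflows.items()):
        triggers = wf.get("definition", {}).get("triggers", {}).values()
        refs = {t.get("inputs", {}).get("host", {}).get("connection", {}).get("referenceName")
                for t in triggers}
        uses_sentinel = bool(refs & sentinel_refs)
        playbooks.append({
            "playbook": f"{app_name} / {wf_name}",  # name format shown in Sentinel
            "uses_sentinel_trigger": uses_sentinel,
            # The Sentinel connector is available only in Stateful workflows.
            "problem": uses_sentinel and wf.get("kind") != "Stateful",
        })
    return {"playbooks": playbooks, "connections_without_managed_identity": non_mi}

if __name__ == "__main__":
    import json
    print(json.dumps(audit("soc-playbooks", CONNECTIONS, WORKFLOWS), indent=2))
```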
Secure your Logic App with integrated networking capabilities
By default, Logic Apps are accessible directly through the internet and can reach only internet-hosted endpoints. But for many use cases, you need to control the inbound and outbound network traffic. Logic Apps Standard allows setting up private endpoints for inbound traffic and using VNet integration for outbound traffic.
Please note: Logic Apps Standard networking capabilities are not supported with Microsoft Sentinel integration at this point.
Visual Studio development
With a new extension for Visual Studio, you can debug and test workflows on your local machine, set breakpoints, examine variable values and more. You can directly publish or deploy logic apps and their workflows from Visual Studio Code to various hosting environments such as Azure and Azure Arc-enabled Logic Apps.
Logic App Standard resources are hosted in single-tenant Azure Logic Apps, which doesn't store, process, or replicate data outside the region where you deploy these logic app resources, meaning data in your logic app workflows stays in the same region where you create and deploy their parent resources.
One of the great features Logic Apps Standard derives from App Service is Deployment Center, which allows continuous deployment from GitHub, Bitbucket, and Azure Repos repositories by pulling in the latest updates.
Run inline code
When you want to run a piece of code inside your logic app workflow, you can add the built-in Inline Code action as a step. Unlike Logic Apps Consumption, in Logic Apps Standard this action doesn’t require an integration account to be set. It can be found as Inline code operations.