Forum Discussion

lucabergonzoni
Copper Contributor
Sep 30, 2024

Automation rule based on a specific Security Alert

Dear Community,

is it possible to apply automation rules on particular Security Alerts?

I have created an automation flow that disables a compromised user in Azure AD / on-prem AD and sends an email to the Helpdesk.

I want to apply this automation to these kinds of events, since I know 100% that the user was compromised:

User compromised in AiTM phishing attack
User compromised via a known AitM phishing kit
BEC-related authentication

Thank you
Luca

4 Replies

  • lucabergonzoni 

    Yes, we can apply automation rules based on specific Security Alerts in Azure Security Center (ASC). 

    • Create a new automation rule
    • Choose the alert type (e.g. "User compromised in AiTM phishing attack")
    • Select the action (e.g. disable user, send email to Helpdesk)

    ASC will then automatically trigger the action when the alert occurs.

    Document Reference: https://azuremarketplace.microsoft.com/en-us/marketplace/apps/Microsoft.AzureSecurityCenter?tab=Overview

  • Ankit
    Brass Contributor
    Hi lucabergonzoni,

    Yes, you can apply an automation rule to a specific alert nonetheless, if the security alert is being generated from Identity Protection.

    Thanks 🙂
    • lucabergonzoni
      Copper Contributor

      Dear Ankit,

      can you please explain to me how I can do that?

      When I create the new automation rule, I cannot select the "Security Alert" family in the conditions.


      I want to create an automation rule that occurs every time I hit the Security Alert "User compromised in AiTM phishing attack".

      Thank you!
      Luca

      • Ankit
        Brass Contributor

        Hi,

        I'd be happy to help you with creating an automation rule that triggers on a specific Security Alert.

        Trigger and Conditions

        To create an automation rule that occurs every time you hit a specific Security Alert, you need to select the correct trigger and conditions.

        You should select the When an Incident is created trigger and then define the conditions using the Analytic rule name property.

        Why "Security Alert" Family is Not Available

        As these alerts are generated by Defender for Endpoint, that's the reason they are not showing in the SecurityAlerts table like the alerts being generated by Identity Protection.

        Solution:

        You have to create a scheduled or NRT analytic rule so that you can select it in the condition.

        • Select the When an alert is created trigger.
        • Add a condition using the Analytic rule name property.
        • Select Contains as the operator.
        • Enter the exact name of the Security Incident you want to trigger the automation rule for, such as "User compromised in AiTM phishing attack".

        Let me know if you have any question.

        Thanks
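Added example, not part of the thread: a KQL query for the scheduled or NRT analytic rule the reply above says you need, so that the alert names from the original question become selectable in an automation rule condition. The alert names are the three from the question; the SecurityAlert columns (AlertName, SystemAlertId, Entities, CompromisedEntity) and the account entity fields (Name, UPNSuffix, AadUserId) are the standard Microsoft Sentinel schema; the 1-hour lookback is an assumption and must match the rule's query scheduling.

```kql
// Added example (not from the thread): scheduled/NRT analytic rule query that
// re-raises the Defender alerts named in the question as a Sentinel analytic
// rule alert, so an automation rule with the "Analytic rule name" condition
// can fire a playbook on them.
let TargetAlerts = dynamic([
    "User compromised in AiTM phishing attack",
    "User compromised via a known AitM phishing kit",
    "BEC-related authentication"
]);
SecurityAlert
// Assumption: 1h lookback, set the same value in the rule's "Lookup data from the last" setting
| where TimeGenerated > ago(1h)
// Exact alert names only (in~ is case-insensitive but does no wildcard matching),
// so "contains" style noise from similarly named alerts cannot slip in
| where AlertName in~ (TargetAlerts)
// SecurityAlert gets a new row every time an alert is updated; keep one row per alert
| summarize arg_max(TimeGenerated, *) by SystemAlertId
// Unpack the Entities JSON so the playbook receives a usable account identity
| mv-expand Entity = parse_json(Entities)
| where tostring(Entity.Type) =~ "account"
| extend AccountName = tostring(Entity.Name),
         UPNSuffix   = tostring(Entity.UPNSuffix),
         AadUserId   = tostring(Entity.AadUserId)
// Drop account entities that carry nothing the disable-user playbook could act on
| where isnotempty(AadUserId) or isnotempty(UPNSuffix)
| extend UserPrincipalName = iff(isnotempty(UPNSuffix),
                                 strcat(AccountName, "@", UPNSuffix),
                                 AccountName)
| project TimeGenerated, SystemAlertId, AlertName, AlertSeverity, ProductName,
          CompromisedEntity, AccountName, UPNSuffix, AadUserId, UserPrincipalName
```

Two points that matter when wiring this up. First, the "Analytic rule name" condition matches the name you give this rule, not the Defender alert's own name, so name the rule after the alert (for example "User compromised in AiTM phishing attack") and the Contains condition in the reply matches as written; map the Account entity in the rule's entity mapping to AadUserId, Name and UPNSuffix so the disable-user playbook gets the identity from the alert rather than from free text. Second, automation rules on the "When alert is created" trigger can only run playbooks, and the playbook must use the Sentinel alert trigger; if the Defender connector already creates incidents for these alerts, switch off "Create incidents from alerts triggered by this analytics rule" in the rule's incident settings so you do not end up with a second incident for the same compromise.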
