Microsoft Secure Tech Accelerator
Apr 03 2024, 07:00 AM - 11:00 AM (PDT)
Microsoft Tech Community
Automate Azure Security Center actions with Playbooks and ServiceNow
Published Oct 01 2018 01:02 AM 7,547 Views

Logic Apps provides an excellent way to automate Azure Security Center actions like responding to alerts or recommendations.

In this blogpost, we will create a Logic Apps playbook that will create a record in ServiceNow. This prevents you from manually creating a ticket in ServiceNow and populate the fields that the playbook can automatically fill in for you.


Add a Security Center playbook to integrate ServiceNow

Logic Apps has out of the box integrations with third party vendors like ServiceNow, this makes it very easy to integrate Azure Security Center. We can leverage ServiceNow Record actions like Create, Delete, Get, Update, etc.

  1. Navigate to the Azure Security Center portal and under Automation and Orchestration, select Playbooks
  2. Click on Add Playbook
  3. Provide a name for your new playbook like “ASC-Alert-To-ServiceNow” and fill in the resource group and location fields. The Log Analytics integration offers capabilities like using search to query the status and history of your playbooks. Click on Create
  4. In the Logic Apps Designer select the Blank Logic App template
  5. Search for Azure Security Center and select When a response to an Azure Security Center alert is triggered as the trigger

 Triggers and Actions.png

Note: adding the Azure Security Center trigger makes your playbook visible in the Azure Security Center alerts blade

6. Click on + New Step and search for ServiceNow

7. Select Create Record as the action

create record action.png

8. To continue, you need to create a ServiceNow connection

Note: if you don’t have a ServiceNow environment you can sign up here for a developer instance

9. Fill in the required fields to create the connection

Create ServiceNow connection.png


10. Now you need to pass values from the Security Center alert trigger so that we can automatically populate the ServiceNow record. For creating a new incident record, we need to populate at least the Caller and Short description field as shown in the ServiceNow Incident New Record screen:

create incident in SNOW.png


11. Back to your Logic Apps Playbook ServiceNow action, select Incident as your Record Type:

create incident 1 in LogicApps.png


12. Fill in the values for at least Caller and Short Description, but you can add any alert fields which are of interest:

create incident 2 in LogicApps.png


13. Save your Logic Apps playbook, your playbook should look like this:

playbook highlevel view.png


14. Switch to Security Alerts in Azure Security Center (under Threat Protection).

15. Click on the security alert, you should see something similar like this:

DMZ-1 alert.png


16. Click on the alert one more time, which reveals the alert details, and the View playbooks button becomes available:

Investige View Playbooks button.png

17. Click on the View playbooks This shows which playbooks are available in Azure Security Center

18. Click on the Run button to start the playbook you have created. This will pass the alert information and context.

Run playbook.png

Note: The Run history tab shows previously invoked playbooks and status


19. After the playbook has ran successfully, you can see the record created in ServiceNow:

Snow Incident.png


How to automate this end to end? Look at this blogpost 


Version history
Last update:
‎Nov 29 2021 12:03 PM
Updated by: