Logic Apps provides an excellent way to automate Azure Security Center actions, such as responding to alerts or recommendations.
In this blog post, we will create a Logic Apps playbook that creates a record in ServiceNow. This saves you from manually creating a ticket in ServiceNow and populating the fields that the playbook can fill in for you automatically.
Add a Security Center playbook to integrate ServiceNow
Logic Apps has out-of-the-box integrations with third-party vendors like ServiceNow, which makes it very easy to integrate with Azure Security Center. We can leverage the ServiceNow Record actions such as Create, Delete, Get and Update.
1. Navigate to the Azure Security Center portal and, under Automation and Orchestration, select Playbooks
2. Click on Add Playbook
3. Provide a name for your new playbook, like “ASC-Alert-To-ServiceNow”, and fill in the resource group and location fields. The Log Analytics integration offers capabilities like using search to query the status and history of your playbooks. Click on Create
4. In the Logic Apps Designer, select the Blank Logic App template
5. Search for Azure Security Center and select When a response to an Azure Security Center alert is triggered as the trigger
Note: adding the Azure Security Center trigger makes your playbook visible in the Azure Security Center alerts blade
6. Click on + New Step and search for ServiceNow
7. Select Create Record as the action
8. To continue, you need to create a ServiceNow connection
Note: if you don’t have a ServiceNow environment you can sign up here for a developer instance
9. Fill in the required fields to create the connection
10. Now you need to pass values from the Security Center alert trigger so that the ServiceNow record is populated automatically. To create a new incident record, we need to populate at least the Caller and Short description fields, as shown in the ServiceNow Incident New Record screen:
11. Back to your Logic Apps Playbook ServiceNow action, select Incident as your Record Type:
12. Fill in the values for at least Caller and Short Description, but you can add any alert fields which are of interest:
13. Save your Logic Apps playbook, your playbook should look like this:
14. Switch to Security Alerts in Azure Security Center (under Threat Protection).
15. Click on the security alert, you should see something similar like this:
16. Click on the alert one more time, which reveals the alert details, and the View playbooks button becomes available:
17. Click on the View playbooks button. This shows which playbooks are available in Azure Security Center
18. Click on the Run button to start the playbook you have created. This will pass the alert information and context.
Note: The Run history tab shows previously invoked playbooks and status
19. After the playbook has run successfully, you can see the record created in ServiceNow:
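The field mapping the playbook performs in the Create Record step, written out as an added Python example (not code from the original post or from the Logic Apps connector). The alert field names in the constructed sample (SystemAlertId, AlertDisplayName, Description, Severity, CompromisedEntity) are assumptions modelled on the properties the Security Center trigger exposes; the ServiceNow side uses the Table API endpoint /api/now/table/incident. It also shows a check a practitioner usually wants that the page does not cover: the Run button can be pressed more than once, so the alert id is stored in the record and used to avoid a second ticket for the same alert.

```python
import json
import urllib.request
from base64 import b64encode

# Constructed sample alert; field names are assumptions modelled on the
# alert properties the Security Center trigger exposes in the designer.
SAMPLE_ALERT = {
    "SystemAlertId": "00000000-0000-0000-0000-000000000001",
    "AlertDisplayName": "Suspicious authentication activity",
    "Description": "Multiple failed logons followed by a success.",
    "Severity": "High",
    "CompromisedEntity": "vm-web-01",
}

SHORT_DESC_MAX = 160  # default maximum length of incident.short_description
SEVERITY_TO_URGENCY = {"High": "1", "Medium": "2", "Low": "3", "Informational": "3"}


def alert_to_incident(alert: dict, caller: str) -> dict:
    """Same mapping as the playbook's Create Record step: Caller and
    Short description are required, the other fields add triage context."""
    short = f"[ASC {alert['Severity']}] {alert['AlertDisplayName']} on {alert['CompromisedEntity']}"
    return {
        "caller_id": caller,
        "short_description": short[:SHORT_DESC_MAX],
        "description": alert.get("Description", ""),
        "urgency": SEVERITY_TO_URGENCY.get(alert["Severity"], "3"),
        # Carries the alert id so a repeated run for the same alert is traceable.
        "correlation_id": alert["SystemAlertId"],
    }


def is_duplicate(alert: dict, existing: list) -> bool:
    """True if an incident carrying this SystemAlertId already exists, so a
    second press of Run does not open a second ticket."""
    return any(r.get("correlation_id") == alert["SystemAlertId"] for r in existing)


def create_incident(instance: str, user: str, password: str, body: dict) -> dict:
    """POST the record through the ServiceNow Table API (network call, not
    exercised offline). `instance` is the <name> in <name>.service-now.com."""
    token = b64encode(f"{user}:{password}".encode()).decode()
    req = urllib.request.Request(
        f"https://{instance}.service-now.com/api/now/table/incident",
        data=json.dumps(body).encode(),
        headers={"Content-Type": "application/json", "Accept": "application/json",
                 "Authorization": "Basic " + token},
        method="POST",
    )
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)["result"]
```

Check is_duplicate against the incidents returned by a GET on the same table (filtered by correlation_id) before calling create_incident.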
How do you automate this end to end? See this blog post.