SOLVED

Can I use ASC Workflow automation to install Qualys agent?

We have the following recommendation in ASC - Enable the built-in vulnerability assessment solution on virtual machines (powered by Qualys) (Preview) - that has some VMs that need the agent.

Within the recommendation I can remediate, but is there any way to use Workflow automation to look for VMs that do not have the Qualys agent and to install it?

I tried creating a Logic app and copied and pasted the remediation logic from the recommendation, but it did not work.

Thx

12 Replies
best response confirmed by Jeff Walzer (Contributor)

Yes. I just created a working sample here

https://github.com/Azure/Azure-Security-Center/tree/master/Workflow%20automation/Install-VulnAssesmentAgent

@Nicholas DiCola (SECURITY JEDI) 

Thx a million - I just tried to deploy the playbook and got the following error:

Capture.JPG
 

Whoops, forgot the dependsOn in the resource.

Just fixed the template.

@Nicholas DiCola (SECURITY JEDI) 

 

Thx again Nick - for my edification, the workflow will kick in when it sees an unhealthy resource in the Enable the built-in vulnerability assessment solution on virtual machines (powered by Qualys) (Preview) recommendation, correct?

 

We have some VMs that are powered off so I am assuming when they get powered on, the workflow will run to install the Qualys agent.

 

And last question, can you point me to some documentation about ASC workflow?

 

TYVM

@Jeff Walzer 

Yes, but you need to create the workflow automation like this:

 

2020-04-01_7-53-08.png

 

Here is the docs page: https://docs.microsoft.com/en-us/azure/security-center/workflow-automation

@Nicholas DiCola (SECURITY JEDI)

 

Perfect as that's how I configured it,

 

Thx for the link 

@Nicholas DiCola (SECURITY JEDI)

 

Sorry to be a pain, but I ran into an error as I turned on a VM and then checked the logic app and saw that it failed

 

Capture.JPG 

 

{
  "error": {
    "code": "AuthenticationFailed",
    "message": "Authentication failed. The 'Authorization' header is missing."
  }
}

@Jeff Walzer 

The template creates two API connection resources. You have to authorize them. Go to the resource. Click Edit API connection. Click Authorize. Log in in the new window. Click Save.

2020-04-01_11-10-10.png

 

 

 

@Nicholas DiCola (SECURITY JEDI)

 

API now authorized and when I do a 'Run Trigger' I get the following error message:

 

InvalidTemplate. Unable to process template language expressions in action 'Create_or_update_a_template_deployment' inputs at line '1' and column '3277': 'The template language function 'split' expects its first parameter to be of type string. The provided value is of type 'Null'. Please see https://aka.ms/logicexpressions#split for usage details.'.

 

@Jeff Walzer 

You can't just run trigger from Logic Apps, as no data is passed to the ASC trigger step.

Go to the recommendation in ASC and click Run playbook. That will push the recommendation data to the trigger.
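
The failure mode discussed above (an empty trigger body reaching `split`), as an added example that is not part of the thread or of the GitHub playbook: a null-safe extraction of the target VM from the recommendation payload. The payload path `properties.resourceDetails.id` and all sample values are assumptions constructed for illustration.

```python
import re

# ARM resource ID of a virtual machine.
VM_ID = re.compile(
    r"^/subscriptions/(?P<subscription>[^/]+)"
    r"/resourceGroups/(?P<resource_group>[^/]+)"
    r"/providers/Microsoft\.Compute/virtualMachines/(?P<vm>[^/]+)$",
    re.IGNORECASE,
)


class TriggerPayloadError(ValueError):
    """Raised when the trigger body cannot identify a VM to deploy to."""


def extract_vm_target(trigger_body):
    """Return subscription, resource group and VM name, or raise."""
    # Null-safe walk, the same idea as triggerBody()?['a']?['b'] in a
    # Logic App expression. The key path is an assumed payload shape.
    node = trigger_body
    for key in ("properties", "resourceDetails", "id"):
        node = node.get(key) if isinstance(node, dict) else None
    if not isinstance(node, str) or not node:
        # This is the "Run Trigger" case: nothing was pushed by ASC.
        raise TriggerPayloadError("trigger body carries no resource ID")
    match = VM_ID.match(node)
    if match is None:
        raise TriggerPayloadError(f"not a VM resource ID: {node!r}")
    return match.groupdict()


# Constructed sample: what a run started from the recommendation might carry.
PUSHED_BY_ASC = {
    "properties": {
        "resourceDetails": {
            "id": "/subscriptions/00000000-0000-0000-0000-000000000000"
                  "/resourceGroups/rg-demo/providers/Microsoft.Compute"
                  "/virtualMachines/vm-demo-01"
        }
    }
}
# Constructed sample: a manual run of the trigger passes no data.
MANUAL_RUN = {}

if __name__ == "__main__":
    print(extract_vm_target(PUSHED_BY_ASC))
    try:
        extract_vm_target(MANUAL_RUN)
    except TriggerPayloadError as err:
        print("skipped:", err)
```
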

@Nicholas DiCola (SECURITY JEDI) - thx as it's working now. Appreciate all the help!

@Nicholas DiCola (SECURITY JEDI) 

 

Hi Nicholas, thanks for the super useful logic app.

I made the setup you have described: I used automation workflow for the ASC recommendation (A vulnerability assessment solution should be enabled on your virtual machines) with a logic app to create the ARM deployment. It works well when I trigger the Logic App from ASC (Azure Portal), but the automation workflow does not trigger my logic app at all. Is it possible that when the recommendation exists with many VMs in state not-applicable and unhealthy, any new VM which appears with unhealthy state will not trigger the automation, because the recommendation exists? In short, for an existing recommendation, a new resource won't trigger the workflow automation?

Thanks in advance for any insights ...

Br, Kris