This blogpost is authored by Itai Norman and Tiander Turpijn.
Thanks to the Azure Sentinel PM team for the great help.
In the world of cybersecurity and Security Information and Event Management (SIEM) systems, security orchestration, automation, and response (SOAR) plays a crucial role.
To provide you with SOAR capabilities, Azure Sentinel integrates with Azure Logic Apps - a cloud service that helps you schedule, automate, and orchestrate tasks, business processes, and workflows.
An Azure Logic App can be used in Azure Sentinel as a Playbook to be automatically invoked when an incident is created or when triaging and working with incidents. To provide insights into the health, performance and usage of these Playbooks, we are providing a new Azure Workbook called “Playbooks health monitoring”.
Azure Workbooks provide a flexible canvas for data analysis and the creation of rich visual reports. These can be custom built, although Azure Sentinel provides a number of out-of-the-box Azure Workbooks, which are typically provided together with an Azure Sentinel connector. Additional Logic Apps and Workbooks samples can be found on our Azure Sentinel GitHub repo.
You can use the Playbooks health monitoring workbook to monitor the health of your Playbooks: look for anomalies in the number of succeeded or failed runs, spot unusual Playbooks with a long run duration, and monitor and manage changes made by different users, specifically for critical Playbooks. At a glance, you can also view the execution time of a Logic App, which helps you get an estimate of the usage costs.
The workbook is now available in your “Templates” gallery under the name “Playbooks health monitoring”.
The following insights are provided:
Success and failure over time to detect anomalies
Average run time
All failed Logic Apps and drill down capability to detect the error
Changes made and who performed them
Billable related information
The workbook is divided into 3 different tabs for easier navigation. Under Overview you can find the overall health and status for your Logic Apps Playbooks. More specifically:
Success and failure over time
Success and failure runs
An over-time success/failure line chart to spot anomalies. Choose a time range with the “Time brush” option to drill down to a more specific time range without changing the workbook time range. The grids and charts below will filter accordingly.
Failure percentage per Logic App
This grid is built on top of the built-in metrics saved by Logic Apps. For each Logic App you can view the failure percentage over time, the runs started/runs completed count and the latency (the Logic App's run duration).
Logic Apps by status
The Logic Apps status views are context driven, which means that based on a selection, the views will be updated related to your selection.
To drill down on a specific Logic App, you can view the count and trends by status:
Choose a status by clicking one of the icons (Failed, Succeeded, etc.), which filters the grid below by the status you picked.
From the filtered grid, you can select a specific Logic App by clicking on its row. That automatically filters the two grids below, which present you with the Logic App trigger and status.
Note: At any time, if you want to deselect an object, click the curved arrow in the top right corner of the grid or chart.
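The Overview tab's charts (success and failure over time, failure percentage per Logic App, average run time and the failed-run drill-down) are all built from the Logic Apps diagnostic logs. The following KQL query is an added example, not code from the original post or from the workbook itself; it assumes the WorkflowRuntime category is sent to the queried workspace and uses the Logic Apps diagnostic log column names as assumed here (resource_workflowName_s, status_s, startTime_t, endTime_t, error_code_s, error_message_s).

```kusto
// Added example (not from the original post or the workbook): per-Logic-App run
// health from the Logic Apps diagnostic logs landing in AzureDiagnostics.
// Assumed schema: Category "WorkflowRuntime", one workflowRunCompleted record
// per finished run, with the run status, start/end time and error fields.
let lookback = 7d;
AzureDiagnostics
| where TimeGenerated > ago(lookback)
| where ResourceProvider == "MICROSOFT.LOGIC" and Category == "WorkflowRuntime"
// keep only the record written when a run finishes, so each run counts once
| where OperationName == "Microsoft.Logic/workflows/workflowRunCompleted"
| extend Workflow = resource_workflowName_s,
         // timespan divided by 1m gives the duration as a real number of minutes
         DurationMin = (endTime_t - startTime_t) / 1m
| summarize Runs = count(),
            Succeeded = countif(status_s == "Succeeded"),
            Failed = countif(status_s == "Failed"),
            AvgDurationMin = round(avg(DurationMin), 2),
            MaxDurationMin = round(max(DurationMin), 2),
            // up to five distinct error codes of the failed runs, for drill-down
            ErrorCodes = make_set_if(error_code_s, status_s == "Failed", 5),
            LastFailure = maxif(TimeGenerated, status_s == "Failed")
            by Workflow
// 100.0 forces real division, so the percentage is not truncated to an integer
| extend FailurePct = round(100.0 * Failed / Runs, 1)
| order by FailurePct desc, Runs desc
```

Run it in the Logs blade of the workspace that receives the diagnostic logs. A Logic App whose FailurePct jumps, or whose MaxDurationMin is far above AvgDurationMin, is the one to open in the workbook's status grids. For the over-time chart, replace the summarize with a count of Succeeded and Failed runs by bin(TimeGenerated, 1h) and add render timechart.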
The Activity tab contains three grids which derive their information from the Azure Activity table and provide insights into the following:
Logic Apps activities by user - View different Logic Apps activities by user (email address)
API Connection activities - View different API connection activities by user (email address)
Logic Apps activities by Logic App - View different activities by Logic App, including who performed them
Note: when switching tabs, you need to click the refresh button for the data to show.
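The three Activity grids answer one question from the Azure Activity log: who changed which Logic App or API connection. The query below is an added example, not code from the original post or the workbook; it assumes the AzureActivity table is sent to the queried workspace and uses its current schema columns (Caller, OperationNameValue, ResourceProviderValue, CorrelationId, _ResourceId).

```kusto
// Added example (not from the original post or the workbook): control-plane
// changes to Logic Apps workflows and API connections, grouped by caller.
// Assumes the AzureActivity table and its Caller / OperationNameValue /
// ResourceProviderValue / CorrelationId / _ResourceId columns.
let lookback = 30d;
AzureActivity
| where TimeGenerated > ago(lookback)
// workflows live under Microsoft.Logic, API connections under Microsoft.Web
| where ResourceProviderValue =~ "Microsoft.Logic" or ResourceProviderValue =~ "Microsoft.Web"
// keep create/update and delete operations only; reads are not logged here anyway
| where OperationNameValue has_any ("MICROSOFT.LOGIC/WORKFLOWS/WRITE",
                                    "MICROSOFT.LOGIC/WORKFLOWS/DELETE",
                                    "MICROSOFT.WEB/CONNECTIONS/WRITE",
                                    "MICROSOFT.WEB/CONNECTIONS/DELETE")
| extend Resource  = tostring(split(_ResourceId, "/")[-1]),
         Operation = tostring(split(OperationNameValue, "/")[-1]),
         Kind      = iff(ResourceProviderValue =~ "Microsoft.Logic", "Logic App", "API connection")
// one operation produces several activity events (start, success, ...) that
// share a CorrelationId, so count distinct correlations rather than rows
| summarize Changes    = dcount(CorrelationId),
            Operations = make_set(Operation),
            FirstSeen  = min(TimeGenerated),
            LastSeen   = max(TimeGenerated)
            by Caller, Kind, Resource
| order by LastSeen desc, Changes desc
```

Caller holds the user principal name for interactive changes and an application or object id for service principals; a critical Playbook edited by an unexpected caller, or deleted at all, is what this grid is meant to surface. Filter on Kind to get the separate Logic Apps and API connection views the workbook shows.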
The Billable Info tab contains one grid, derived from the built-in Logic Apps metrics, and shows the total billable executions per subscription. If you collapse the subscription, details per Logic App become visible and allow you to estimate your costs by using the pricing calculator.
The billable triggers and actions per Logic App can help you to become more cost effective.
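The Billable Info grid is derived from the Logic Apps platform metrics rather than from the run logs. The query below is an added example, not code from the original post or the workbook; it assumes the AllMetrics diagnostic setting is sent to the queried workspace so that the AzureMetrics table is populated, and it assumes the Logic Apps metric names BillableActionExecutions and BillableTriggerExecutions.

```kusto
// Added example (not from the original post or the workbook): billable trigger
// and action executions per subscription and Logic App, from AzureMetrics.
// Assumes the AllMetrics diagnostic setting is enabled on each Logic App and
// the platform metric names BillableActionExecutions / BillableTriggerExecutions.
let lookback = 30d;
AzureMetrics
| where TimeGenerated > ago(lookback)
| where ResourceProvider == "MICROSOFT.LOGIC"
| where MetricName in ("BillableActionExecutions", "BillableTriggerExecutions")
// each row is one time grain; Total is the count of executions in that grain
| summarize Actions  = sumif(Total, MetricName == "BillableActionExecutions"),
            Triggers = sumif(Total, MetricName == "BillableTriggerExecutions")
            by SubscriptionId, LogicApp = Resource
| extend TotalBillable = Actions + Triggers
| order by SubscriptionId asc, TotalBillable desc
```

Summing TotalBillable per SubscriptionId reproduces the collapsed subscription row of the grid; the per-Logic-App action and trigger counts are the two numbers the pricing calculator asks for.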
For Logic Apps data to be available in your workbook, you need to enable the diagnostic settings for all the Logic Apps you would like to monitor. Ensure that you have selected the Send to Log Analytics option in the diagnostic settings. This will send the data to a Log Analytics workspace of your choice, which does not have to be your Azure Sentinel workspace. The data will be stored in the AzureDiagnostics table. Please visit the page Set up diagnostics logs for Azure Logic Apps for a thorough explanation of the different diagnostic settings.
The Activity tab in the workbook is based on Activity logs. Like the diagnostics settings, this needs to be configured to send the data to your Log Analytics workspace of choice.
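A Logic App that never had its diagnostic settings enabled simply does not appear in the Overview tab, so it is easy to miss. The query below is an added example, not code from the original post or the workbook; it compares the workflows seen in the Activity log with those that have produced WorkflowRuntime records, and assumes both the AzureActivity and AzureDiagnostics tables land in the same workspace (the post notes the diagnostics workspace does not have to be the Azure Sentinel workspace, so adjust if yours differ).

```kusto
// Added example (not from the original post or the workbook): Logic Apps that
// show up in the Activity log but have sent no WorkflowRuntime diagnostic
// records, i.e. workflows whose diagnostic settings are probably missing.
// Assumes AzureActivity and AzureDiagnostics are in the same workspace.
let lookback = 14d;
let known =
    AzureActivity
    | where TimeGenerated > ago(lookback)
    | where ResourceProviderValue =~ "Microsoft.Logic"
    // normalise sub-resource ids (triggers, runs, ...) to the workflow id
    | extend ResourceId = tolower(extract(@"(?i)^(.*?/providers/microsoft\.logic/workflows/[^/]+)", 1, _ResourceId))
    | where isnotempty(ResourceId)
    | summarize LastActivity = max(TimeGenerated) by ResourceId;
let reporting =
    AzureDiagnostics
    | where TimeGenerated > ago(lookback)
    | where ResourceProvider == "MICROSOFT.LOGIC" and Category == "WorkflowRuntime"
    | extend ResourceId = tolower(_ResourceId)
    | summarize LastRun = max(TimeGenerated) by ResourceId;
known
// leftanti keeps only the workflows with no matching diagnostic records
| join kind=leftanti reporting on ResourceId
| extend Workflow = tostring(split(ResourceId, "/")[-1])
| project Workflow, ResourceId, LastActivity
| order by LastActivity desc
```

A workflow listed here was created or modified in the lookback window but has reported no runs; either it has not run yet, or its diagnostic settings are not sending the WorkflowRuntime category to this workspace. The ids are lower-cased on both sides because AzureDiagnostics and AzureActivity do not store resource ids with the same casing.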