Defender For Cloud - under the hood: Workflow Automations Deep Dive
Learn about automated responses to security recommendations generated by Defender for Cloud
Fixing security issues manually is like mowing the lawn with scissors. ✂️🌿
It’s technically possible, but there’s a much better way. Let’s talk about how automation makes cloud security a whole lot easier. In this blog we’ll cover workflow automations in Defender for Cloud.
I highly recommend you read my blog Defender For Cloud - under the hood: Recommendations deep dive for more context.
This blog is part of a Defender For Cloud "Under the hood" series where we explore the various features, benefits and considerations that come with implementing Defender For Cloud (and other CNAPPs). You don't need any prior experience, just a willingness to learn and develop. I don't quite know when the series will end, but I hope you enjoy it.
What are workflow automations?
It’s simple really: workflow automations are automated processes that streamline security tasks and responses. They let you respond automatically to security misconfigurations, to alerts (for example those generated by cloud workload protections) and to policy violations within your cloud environment.
What is the point and value of workflow automations?
Manual processes alone are insufficient to safeguard against the growing spectrum of threats. Workflow automations give your team more flexibility by freeing up time and removing repetitive tasks that should be automated anyway (nobody wants to remove public access from 100 S3 buckets or blob containers manually 🤣). In the case of Defender for Cloud, Logic Apps are available to quickly build automated workflows with a low-code/no-code experience. Most vendors have their own set of automation tools that integrate with the cloud service providers (CSPs).
While mature processes are helpful, they aren’t a prerequisite for automation success. Even smaller organizations can benefit from automation. The more you automate, the more you start to refine your processes and the more efficient you become, allowing you to focus on complex tasks that require human expertise.
Automation options in Defender for Cloud
In a previous blog, Defender for Cloud "Under the Hood": Recommendations Deep Dive, we explored recommendations in Defender for Cloud: how they work, where they come from, what they mean and how you can use them. Now let’s jump back into the Recommendations tab to explore the pre-existing automated workflows.
Under the hood: as you can see below, some of the recommendations in the dashboard carry a lightning bolt icon. This simply means Microsoft has included a workflow automation (a quick fix) out of the box for us to use.
I’ve chosen one as an example. For the recommendation "Diagnostic logs in Key Vault should be enabled" we still get the standard manual remediation instructions.
After clicking "Fix", I was prompted to select parameters, something common to all quick fixes. In this case I needed to choose the Log Analytics workspace where the Key Vault diagnostic logs would be stored. I selected "CentralLogs", but I also had the option to create a new workspace if needed.
You'll receive a confirmation as soon as the remediation is complete. However, it may take a few minutes for the recommendation itself to update, because Defender for Cloud relies on periodic scans; the recommendation's freshness interval is the time between those scans.
Within the recommendations page you can filter for "completed" recommendations; as you can see below, the quick fix worked for "Diagnostic logs in Key Vault should be enabled".
Creating your own workflows
Now let’s explore how you can create your own workflows, since every organisation has unique automation needs. First, in Defender for Cloud, open the sidebar and select the "Workflow automation" page:
From this page you can create new automation rules and enable, disable or delete existing ones. A rule's scope is the subscription where the workflow automation is deployed.
To define a new workflow, select "Add workflow automation"; the options pane for the new automation opens.
There are three trigger types to choose from, depending on the purpose of the workflow: Workflow automation for security alerts, Workflow automation for security recommendations (including CSPM findings), and Workflow automation for regulatory compliance changes.
The workflow automation above will send me an email each time a new CSPM finding (recommendation) is triggered in Defender for Cloud. For this to work, I first need to set up a Logic App:
This Logic App is a basic example of what you can do. For instance, I’m currently receiving emails for every recommendation, but I could choose to receive only high-severity recommendations of a specific type:
Under the hood: back on the workflow automation page you can narrow the trigger to specific recommendation types or severities; the same filtering can also be done inside the Logic App itself.
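To make the "recommendation type or severity" filter concrete, here is an added example (my own code, not from the blog post, the Microsoft repo or the Logic App) that models what the workflow automation page generates. Behind the portal form sits a Microsoft.Security/automations resource whose `ruleSets` hold rules of the form propertyJPath / propertyType / expectedValue / operator; rules inside one rule set are ANDed and rule sets are ORed. The subscription, Logic App ID and trigger URI are placeholders, the three assessment events are constructed samples in the shape of Microsoft.Security/assessments, and the case-insensitive string comparison is my assumption about how the service matches, so treat the evaluator as a local approximation for testing a rule before you deploy it, not as the service's own logic.

```python
"""Local model of a Defender for Cloud workflow-automation trigger filter.

Added example (not code from the blog post or from Microsoft). The rule
shape follows the public Microsoft.Security/automations ARM schema; the
evaluation is my own approximation and the events are constructed samples.
"""

# Placeholder IDs, not real resources.
SUBSCRIPTION = "/subscriptions/00000000-0000-0000-0000-000000000000"
LOGIC_APP_ID = (SUBSCRIPTION + "/resourceGroups/rg-security/providers/"
                "Microsoft.Logic/workflows/email-on-recommendation")

# Body of a Microsoft.Security/automations resource: invoke the Logic App only
# for High-severity recommendations whose title mentions Key Vault.
AUTOMATION = {
    "location": "westeurope",  # assumed region
    "properties": {
        "description": "Email on High severity Key Vault recommendations",
        "isEnabled": True,
        "scopes": [{"description": "lab subscription", "scopePath": SUBSCRIPTION}],
        "sources": [{
            "eventSource": "Assessments",
            "ruleSets": [{"rules": [
                {"propertyJPath": "properties.metadata.severity", "propertyType": "String",
                 "expectedValue": "High", "operator": "Equals"},
                {"propertyJPath": "properties.displayName", "propertyType": "String",
                 "expectedValue": "Key Vault", "operator": "Contains"},
            ]}],
        }],
        "actions": [{"actionType": "LogicApp", "logicAppResourceId": LOGIC_APP_ID,
                     "uri": "https://example.invalid/logic-app-trigger"}],  # placeholder
    },
}


def _assessment(name, severity, resource_id):
    """Constructed Microsoft.Security/assessments-style event (sample data)."""
    return {"type": "Microsoft.Security/assessments",
            "properties": {"displayName": name,
                           "status": {"code": "Unhealthy"},
                           "metadata": {"severity": severity},
                           "resourceDetails": {"Source": "Azure", "Id": resource_id}}}


SAMPLE_EVENTS = [
    _assessment("Diagnostic logs in Key Vault should be enabled", "Low",
                SUBSCRIPTION + "/resourceGroups/rg/providers/Microsoft.KeyVault/vaults/kv1"),
    _assessment("Key Vault secrets should have an expiration date", "High",
                SUBSCRIPTION + "/resourceGroups/rg/providers/Microsoft.KeyVault/vaults/kv1"),
    _assessment("Storage accounts should restrict network access", "High",
                SUBSCRIPTION + "/resourceGroups/rg/providers/Microsoft.Storage/storageAccounts/sa1"),
]


def get_jpath(obj, path):
    """Resolve a dotted path such as 'properties.metadata.severity'; None if absent."""
    cur = obj
    for part in path.split("."):
        if not isinstance(cur, dict) or part not in cur:
            return None
        cur = cur[part]
    return cur


def rule_matches(rule, event):
    """Apply one rule. String matching is case-insensitive here (an assumption)."""
    actual = get_jpath(event, rule["propertyJPath"])
    if actual is None:
        return False
    ptype, op, expected = rule["propertyType"], rule["operator"], rule["expectedValue"]
    if ptype == "String":
        a, e = str(actual).casefold(), str(expected).casefold()
        ops = {"Equals": a == e, "NotEquals": a != e, "Contains": e in a,
               "StartsWith": a.startswith(e), "EndsWith": a.endswith(e)}
    elif ptype in ("Integer", "Number"):
        a, e = float(actual), float(expected)
        ops = {"Equals": a == e, "NotEquals": a != e, "GreaterThan": a > e,
               "GreaterOrEquals": a >= e, "LesserThan": a < e, "LesserOrEquals": a <= e}
    elif ptype == "Boolean":
        a, e = str(actual).casefold() == "true", str(expected).casefold() == "true"
        ops = {"Equals": a == e, "NotEquals": a != e}
    else:
        raise ValueError(f"unknown propertyType {ptype!r}")
    if op not in ops:
        raise ValueError(f"operator {op!r} is not valid for {ptype}")
    return ops[op]


def source_matches(source, event):
    """Rules inside a rule set are ANDed; rule sets are ORed; no rule sets = match all."""
    rule_sets = source.get("ruleSets") or []
    if not rule_sets:
        return True
    return any(all(rule_matches(r, event) for r in rs["rules"]) for rs in rule_sets)


def triggered(automation, events, event_source="Assessments"):
    """Return the displayNames of the events that would invoke the automation's actions."""
    sources = [s for s in automation["properties"]["sources"] if s["eventSource"] == event_source]
    return [e["properties"]["displayName"] for e in events
            if any(source_matches(s, e) for s in sources)]


if __name__ == "__main__":
    for name in triggered(AUTOMATION, SAMPLE_EVENTS):
        print("would trigger:", name)
```

Run against the three sample events, only the High-severity Key Vault recommendation reaches the Logic App; the Low-severity diagnostic-logs finding and the High-severity storage finding are filtered out. The same `AUTOMATION` body is what you would export from the portal or deploy with an ARM/Bicep template, which is the quickest way to keep these filters in source control rather than clicking them in.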
A more complex workflow:
To give you an even better perspective of what is possible, let’s look at a more complex Logic App.
This Logic App sends a weekly vulnerability report for SQL databases on servers and machines. Once triggered, the defined recipients receive an email report for every SQL server (Azure SQL servers and SQL Server on VMs or on-premises) connected to Microsoft Defender for Cloud. The report summarises the weekly vulnerability scan for every database.
This workflow automation can be found in the Defender for Cloud community repo: https://github.com/Azure/Microsoft-Defender-for-Cloud/tree/main/Workflow%20automation/Notify-SQLVulnerabilityReport
The output of the Logic App is a weekly email detailing the number of vulnerabilities. Remember, automating your organisation’s monitoring and incident response processes can significantly reduce the time it takes to investigate and mitigate security incidents, shrinking the window in which a finding stays exploitable.
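To show what the summarising step in such a report actually does, here is an added example written for this post; it is not the Notify-SQLVulnerabilityReport Logic App and not code from the blog or the Microsoft repo. It takes findings in the shape of Microsoft.Security/subAssessments (the API that exposes SQL vulnerability assessment results) and produces the per-server, per-database counts a weekly email would carry, skipping passed checks and findings from other scanners. The subscription and resource names are placeholders, the findings are constructed samples rather than real scan output, and only Azure SQL resource IDs (…/servers/<name>/databases/<name>) are parsed; SQL Server on VMs and on-premises machines use different resource IDs and are out of scope here.

```python
"""Summarise Defender for Cloud SQL vulnerability findings per server and database.

Added example; not the Notify-SQLVulnerabilityReport Logic App and not code
from the blog. Input records are constructed samples in the shape of
Microsoft.Security/subAssessments.
"""
from collections import defaultdict

SEVERITIES = ("High", "Medium", "Low")
SUB = "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg-data"  # placeholder


def _finding(resource_id, severity, code="Unhealthy", kind="SqlServerVulnerability"):
    """Constructed subAssessment-style record (sample data, not a real scan)."""
    return {"type": "Microsoft.Security/subAssessments",
            "properties": {"status": {"code": code, "severity": severity},
                           "resourceDetails": {"source": "Azure", "id": resource_id},
                           "additionalData": {"assessedResourceType": kind}}}


DB1 = SUB + "/providers/Microsoft.Sql/servers/sqlsrv-prod/databases/orders"
DB2 = SUB + "/providers/Microsoft.Sql/servers/sqlsrv-prod/databases/billing"
DB3 = SUB + "/providers/Microsoft.Sql/servers/sqlsrv-dev/databases/scratch"
ACR = SUB + "/providers/Microsoft.ContainerRegistry/registries/acr1"

SAMPLE_FINDINGS = [
    _finding(DB1, "High"), _finding(DB1, "High"), _finding(DB1, "Medium"),
    _finding(DB1, "Low", code="Healthy"),                          # passed check, not counted
    _finding(DB2, "Low"),
    _finding(DB3, "Medium"),
    _finding(ACR, "High", kind="ContainerRegistryVulnerability"),  # other scanner, skipped
]


def parse_sql_resource(resource_id):
    """Return (server, database) from an Azure SQL resource ID, or (None, None)."""
    parts = resource_id.strip("/").split("/")
    lowered = [p.lower() for p in parts]
    if "servers" not in lowered or lowered.index("servers") + 1 >= len(parts):
        return None, None
    server = parts[lowered.index("servers") + 1]
    database = None
    if "databases" in lowered and lowered.index("databases") + 1 < len(parts):
        database = parts[lowered.index("databases") + 1]
    return server, database


def summarise_findings(findings):
    """Count open SQL VA findings by severity: {server: {database: {severity: n}}}."""
    report = defaultdict(lambda: defaultdict(lambda: dict.fromkeys(SEVERITIES, 0)))
    for finding in findings:
        props = finding["properties"]
        if props["additionalData"].get("assessedResourceType") != "SqlServerVulnerability":
            continue                      # e.g. container image or VM findings
        if props["status"]["code"] != "Unhealthy":
            continue                      # Healthy / NotApplicable checks are not open findings
        server, database = parse_sql_resource(props["resourceDetails"]["id"])
        if server is None:
            continue                      # not an Azure SQL resource ID
        counts = report[server][database or "(server level)"]
        severity = props["status"]["severity"]
        counts[severity] = counts.get(severity, 0) + 1
    return {server: dict(dbs) for server, dbs in report.items()}


def render_report(report):
    """Plain-text body in the spirit of the weekly email."""
    lines = []
    for server in sorted(report):
        lines.append(f"SQL server: {server}")
        for database in sorted(report[server]):
            counts = report[server][database]
            breakdown = ", ".join(f"{sev} {counts.get(sev, 0)}" for sev in SEVERITIES)
            lines.append(f"  {database}: {sum(counts.values())} open findings ({breakdown})")
    return "\n".join(lines)


if __name__ == "__main__":
    print(render_report(summarise_findings(SAMPLE_FINDINGS)))
```

The two filters (assessed resource type and status code) are the ones most often forgotten when people wire this up themselves: without them the weekly count silently includes passed checks and unrelated scanners, and the numbers stop being comparable week to week.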
Here’s the thing: each organisation is unique, and customising workflows ensures that security measures are aligned with your organisation’s specific operational environment and processes. The following questions can help you plan the move towards automation:
What are your existing policies and processes?
What tools do you use daily?
Who needs to be involved in resolving the incident or recommendation?
How can you standardise your processes so they’re repeatable and consistent?
What are your policies and procedures around incident assignment?
How are you communicating incidents internally?
Reference:
Introduction to Azure Logic Apps
Must Learn KQL, a book by Rod Trent
Defender For Cloud GitHub Labs
Defender for Cloud Feature requests
Defender for Cloud in the field show
Defender For Cloud Ninja training
Have blog ideas, want to engage on a topic, or explore collaboration? Let’s take it offline: reach out on LinkedIn. I’d love to connect and continue the conversation!