In this blog post we will explore how to use Azure Security Center’s Workflow automation (now generally available) to identify a recommendation and create a Change Request in ServiceNow.
At the crossroads of security posture and configuration drift lies IT Service Management (ITSM). In the fast and ever-changing world of modern enterprises, organizations struggle to meet security and compliance requirements while preventing unwanted change. Many organizations use a strict change management process to ensure change is tracked, approved and well documented. When cyber security recommendations come to light that affect an organization’s posture, this change process is sometimes bypassed or seen as a hindrance. This blog post is designed to show the efficacy of using Azure Security Center to not only identify a security recommendation, but to create a change request based on the related relevant information and resources. These same principles can be used to create incidents, problems, etc. from both Security Center “Recommendations” and/or “Alerts”.
In this scenario we are going to use the recommendation of Adaptive Application Control (AAC). The title of the recommendation is: “Adaptive Application Controls should be enabled on virtual machines”.
This recommendation falls under the “Apply adaptive application control” security control and is worth 2 points, a potential 3% score increase under the new Enhanced Secure Score (in preview).
Workflow automation is a feature that can trigger Logic Apps on both “Threat detection alerts” and “Security Center recommendations”. Workflow automation is located in the left navigation pane of Azure Security Center dashboard as shown below:
Azure Logic Apps contains out-of-the-box templates for third-party vendors like ServiceNow, which makes them very easy to integrate with Azure Security Center. We can leverage ServiceNow Record actions like Create, Delete, Get, Update, etc. Follow the steps below to configure the Logic App for this scenario:
Note: if you don’t have a ServiceNow environment, you can sign up here for a developer instance.
Read this blog post here for additional information about ServiceNow integration.
Now we are going to fill out the necessary fields and select the trigger conditions. For this scenario, we want to trigger the Logic App based on the Security Center recommendation named “Adaptive Application Control should be enabled on virtual machines”. References for all of Security Center’s recommendations can be found here.
Once the Workflow automation is saved, we can either trigger the Logic App from the Logic App Overview blade or wait for it to fire on its own. After the trigger action has taken place the Change Request will show up in ServiceNow as seen below.
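The Logic App above does its work with connectors, so the two decisions it makes (which recommendation to act on, and how the recommendation’s fields map onto a change request) are hidden in the designer. The script below is an added example, not code from the original post or from Microsoft, that performs the same two steps explicitly: it filters on the recommendation title used in this post and builds a ServiceNow change_request body, then posts it through the public ServiceNow Table API. The assessment payload is constructed for illustration and only loosely follows the shape of a Security Center assessment; the instance name, credentials and the severity-to-priority mapping are assumptions.

```python
"""Map an Azure Security Center recommendation to a ServiceNow change request.

Added example (not from the original post). Runs offline by default: with
dry_run=True nothing is sent, the request that would be sent is returned.
"""
import base64
import json
import urllib.request

# Title of the recommendation the post triggers on.
TARGET_RECOMMENDATION = "Adaptive Application Controls should be enabled on virtual machines"

# Assumed mapping from Security Center severity to ServiceNow task priority (1 = highest).
SEVERITY_TO_PRIORITY = {"High": "2", "Medium": "3", "Low": "4"}

# CONSTRUCTED sample payload; the GUIDs and resource names are placeholders.
SAMPLE_ASSESSMENT = {
    "id": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg-prod/"
          "providers/Microsoft.Compute/virtualMachines/vm-web-01/providers/"
          "Microsoft.Security/assessments/11111111-1111-1111-1111-111111111111",
    "properties": {
        "displayName": TARGET_RECOMMENDATION,
        "status": {"code": "Unhealthy", "severity": "High"},
        "resourceDetails": {
            "id": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg-prod/"
                  "providers/Microsoft.Compute/virtualMachines/vm-web-01"
        },
        "metadata": {"remediationDescription": "Enable adaptive application controls on the VM."},
    },
}


def should_create_change(assessment: dict) -> bool:
    """Trigger condition: the target recommendation, and only while it is unhealthy."""
    props = assessment.get("properties", {})
    return (props.get("displayName") == TARGET_RECOMMENDATION
            and props.get("status", {}).get("code") == "Unhealthy")


def resource_name(resource_id: str) -> str:
    """Last segment of an ARM resource id, e.g. the VM name."""
    return resource_id.rstrip("/").rsplit("/", 1)[-1]


def build_change_request(assessment: dict) -> dict:
    """Field mapping onto the ServiceNow change_request table."""
    props = assessment["properties"]
    severity = props.get("status", {}).get("severity", "Medium")
    res_id = props["resourceDetails"]["id"]
    remediation = props.get("metadata", {}).get("remediationDescription", "")
    return {
        "short_description": f"[Security Center] {props['displayName']} - {resource_name(res_id)}",
        "description": (f"Security Center recommendation: {props['displayName']}\n"
                        f"Affected resource: {res_id}\nSeverity: {severity}"),
        "category": "Software",
        "priority": SEVERITY_TO_PRIORITY.get(severity, "3"),
        "justification": "Raised automatically from an Azure Security Center recommendation.",
        "implementation_plan": remediation,
        # Carry the assessment id so repeated triggers can be de-duplicated in ServiceNow.
        "correlation_id": assessment["id"],
    }


def submit_change_request(body: dict, instance: str, user: str, password: str,
                          dry_run: bool = True) -> dict:
    """POST to the ServiceNow Table API; 'instance' is the hypothetical instance name."""
    url = f"https://{instance}.service-now.com/api/now/table/change_request"
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    req = urllib.request.Request(
        url, data=json.dumps(body).encode(), method="POST",
        headers={"Content-Type": "application/json", "Accept": "application/json",
                 "Authorization": f"Basic {token}"})
    if dry_run:
        return {"url": url, "body": body}
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)["result"]


if __name__ == "__main__":
    if should_create_change(SAMPLE_ASSESSMENT):
        change = build_change_request(SAMPLE_ASSESSMENT)
        print(json.dumps(submit_change_request(change, "dev00000", "admin", "<password>"), indent=2))
```

Set dry_run=False and supply a real developer-instance name and credentials to create the record; the correlation_id field gives the ServiceNow side a stable key to check before opening a second change for the same assessment.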
This Logic App, as well as many others, can be found here:
Start automating Security Center Alerts with Workflow automation and ServiceNow today. For more information on Azure Security Center, Workflow automation, and ServiceNow, visit our documentation below.