How to setup Automated Threat Response in Microsoft Defender for Cloud (Azure Security Center)

What is Azure Security Center/Microsoft Defender for Cloud?

Microsoft Defender for Cloud (formerly known as Azure Security Center) is an important Azure service that ensures the security of cloud resources and workloads running in the cloud or on-premises. This service serves as a powerful Cloud Security Posture Management (CSPM) tool and Cloud Workload Protection Platform (CWPP) for not only Azure resources, but also multi-cloud and on-prem resources.

Content Summary

How does Defender for Cloud help in automating threat response?
Steps to use Microsoft Defender for Cloud for automated threat response
Creating a Logic App
Creating Workflow Automation

How does Defender for Cloud help in automating threat response?

As security teams receive numerous alerts every day, addressing each alert individually is not possible. To reduce this tedious work, Microsoft Defender for Cloud lets security professionals use its workflow automation feature to automate incident response workflows such as notifying stakeholders about security events, launching change management processes, and running certain remediation steps.

This feature triggers Logic Apps automatically based on security recommendations, alerts, and regulatory compliance changes, securing resources and workloads by taking the configured actions or alerting security teams.

Steps to use Microsoft Defender for Cloud for automated threat response

The first step is to create a logic app, connect it to an email account and to Microsoft Defender for Cloud, and specify the actions to be taken when the app is triggered. Next, we must create a workflow automation, specify its triggers, and connect it to the logic app.

Creating a Logic App

Step 1: Go to the Azure portal and log in to your Azure account.

Step 2: Type logic app in the search bar at the top, and then select Logic apps under Services.

Step 3: On the Logic apps page, click the Add option to start creating a logic app.

Step 4: On the Create Logic App pane, select a Resource Group, provide a name for the logic app, and select a Plan type. You can create a new resource group if none exists. Here, we are selecting Asian_group (an existing group) as the Resource Group, naming the logic app Securitylogicapp1, and selecting Consumption as the Plan type, as shown in the screenshot below. Now, click the Review + create button to move ahead.

Step 5: Click the Create option on the summary page to complete the creation of the logic app. A message saying Deployment in progress appears.

Step 6: After the logic app has been deployed successfully, click the Go to resource button, as shown below.

Step 7: On the Logic Apps Designer page, choose Security as the Category in the template section and select Get a notification email when Microsoft Defender for Cloud creates a recommendation. You can select any of the existing templates, or create a new template, instead of the one selected here, depending on your requirements.

Step 8: Click the Use this template button to select the template.

Step 9: Connect an Office 365 email account to the logic app by clicking the + icon. After you log in to your Office 365 account, the connection is established and a tick mark appears next to your email ID, as shown below. Click Create next to Microsoft Defender for Cloud to connect it to the logic app.

Step 10: After it is connected, click the Continue button to move ahead.

Step 11: A series of events is displayed that will be performed/triggered when Defender for Cloud generates a recommendation. You can add multiple steps, but we are not adding any here. In the Send an email pane, provide the email address at which you want to be alerted; the remaining fields are pre-populated by the logic app. Now, click the Save option to finish creating the logic app.

Creating Workflow Automation

Step 12: Type Defender in the search bar on the dashboard and then click Microsoft Defender for Cloud under Services.

Step 13: Click Workflow automation on the Microsoft Defender for Cloud dashboard.

Step 14: On the Workflow automation page, click the Add workflow automation option.

Step 15: Under the General section in the Add workflow automation pane, provide the required details such as Name, Subscription (if you have more than one), and Resource Group, as shown in the screenshot below. You can choose any name, but select the same resource group used for the logic app.

Step 16: Under the Trigger conditions section, choose a suitable option for the Defender for Cloud data type. There are three options: Security alert, Recommendation, and Regulatory compliance standards. Choose the option you need and enter the required details. By default, Security alert and Alert severity are selected; we are keeping these defaults.

Step 17: Under the Actions section, select the newly created logic app (Securitylogicapp1) and click the Create button. If the logic app is not visible, click the Refresh button and then select the app.

Step 18: After successful creation, the workflow automation is enabled and active, as shown below.

This completes the setup of automated threat response in Defender for Cloud.

Step 19: You will receive an email notification automatically whenever the workflow automation is triggered, based on the conditions chosen in step 16.

Using this workflow automation feature, security teams can save valuable time and concentrate on higher-priority work.
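To make the trigger condition from step 16 and the notification from step 11 concrete, here is an added example (not part of the original post and not Defender for Cloud's own code) that models the automation offline: it applies an Alert severity filter to sample alerts and composes the email the logic app would send. The field names follow the Defender for Cloud security-alert payload as I understand it and are an assumption; the alerts are constructed, not captured.

```python
"""Offline model of a Defender for Cloud workflow automation: severity
filter (step 16) followed by the 'Send an email' action (step 11).
Added example; payload field names are assumptions, not a schema reference."""
import json

# Constructed sample alerts in the shape a logic app receives
# (illustrative field names and values, not captured data).
SAMPLE_ALERTS = [
    {"AlertDisplayName": "Suspicious authentication activity",
     "Severity": "High", "CompromisedEntity": "vm-web-01",
     "Description": "Multiple failed sign-ins followed by a success.",
     "RemediationSteps": ["Reset the affected credentials",
                          "Review sign-in logs for the host"]},
    {"AlertDisplayName": "Unusual outbound traffic",
     "Severity": "Low", "CompromisedEntity": "vm-db-02",
     "Description": "Outbound volume above the learned baseline.",
     "RemediationSteps": ["Inspect network flow logs"]},
]


def matches_trigger(alert, selected_severities):
    """Mirror the 'Alert severity' trigger condition: the automation fires
    only when the alert's Severity is one of the selected values."""
    return alert.get("Severity") in selected_severities


def build_email(alert, recipient):
    """Compose the email body the 'Send an email' step would pre-populate."""
    steps = "\n".join(f"- {s}" for s in alert.get("RemediationSteps", []))
    subject = (f"[{alert['Severity']}] {alert['AlertDisplayName']} "
               f"on {alert['CompromisedEntity']}")
    body = f"{alert['Description']}\n\nRemediation steps:\n{steps}\n"
    return {"to": recipient, "subject": subject, "body": body}


def run_automation(alerts, selected_severities, recipient):
    """Return (emails_to_send, skipped_alert_names). Keeping the skipped
    list gives the SOC an audit trail of what the filter suppressed."""
    sent, skipped = [], []
    for alert in alerts:
        if matches_trigger(alert, selected_severities):
            sent.append(build_email(alert, recipient))
        else:
            skipped.append(alert["AlertDisplayName"])
    return sent, skipped


if __name__ == "__main__":
    emails, dropped = run_automation(SAMPLE_ALERTS, {"High", "Medium"},
                                     "soc@example.com")
    print(json.dumps(emails, indent=2))
    print("skipped:", dropped)
```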

Alex Lim is a certified IT Technical Support Architect with over 15 years of experience in designing, implementing, and troubleshooting complex IT systems and networks. He has worked for leading IT companies, such as Microsoft, IBM, and Cisco, providing technical support and solutions to clients across various industries and sectors. Alex has a bachelor’s degree in computer science from the National University of Singapore and a master’s degree in information security from the Massachusetts Institute of Technology. He is also the author of several best-selling books on IT technical support, such as The IT Technical Support Handbook and Troubleshooting IT Systems and Networks. Alex lives in Bandar, Johore, Malaysia with his wife and two children. You can reach him at [email protected] or follow him on Website | Twitter | Facebook
