Azure Functions m365 Security Center Teams

PoC part 0 – Integrating Azure Security Center Alerts with MS Teams!

Introduction

In this blog I wanted to share Proof-Of-Concept demo of security operator receiving Teams Notifications, and then access the message for quick triaging on the security groups Team channel.

The feature is relatively simple, so I was able to craft a demo on in a breeze. The last sentence summarizes in generally what I do with Azure these days 🙂 Crafting and fine tuning different security related concepts.

I have also created a deployment guide, if you want to test this feature in test environment

PoC components

  • The demo is built on NodeJS and Teams MessageCards concept and some prefetched security center events via the security center API
  • Going forward one could very likely do this all also as Logic Apps, and different Sentinel Views for triaging.
    • I opted for Node, because I can add small inline code chunks to achieve basically any feature with relatively low amount of effort.

PoC Video

Feature in action video
Version 2

Teams MessageCards

Teams has well known framework for receiving messages via the messageCards framework. Its hard to state how powerful this framework is, but I will try to do at least some justice to it by showing simple demo.

Ref: https://docs.microsoft.com/en-us/microsoftteams/platform/webhooks-and-connectors/how-to/connectors-using

Benefits of an example scenario?

Scenario: New Security Center Alert pops up in Security Center; Event is also now visible in the Security Groups Teams channel.

Benefit: Security operators can now start triaging the event, and retain an coherent real-time messaging under the alert. Alert can be also dismissed/resolved/assigned, with justification/resolution text part.

Further background

  • I am keeping the scenario fairly simple, but know that the possibilities for extending this simple concept are virtually endless, and many better examples are probably out there. If you are interested, check the ”MessageCard PlayGround”
https://messagecardplayground.azurewebsites.net/

Testing setup

For testing we use Linux VM and ”eicar” alert example provided by Microsoft Validate alerts on Linux VMs

cp /bin/echo ./asc_alerttest_662jfi039n;./asc_alerttest_662jfi039n testing eicar pipe
In my testing the test alert was visible almost instantly, even though the article advises for longer waiting time (5-10mins)

Steps of the demo

  1. Member (operator) of the Security Group receives the alert

2. Operator opens the notification and submits the triage

3. Triage button takes user to the affected resources security pane

POC and architecture

For PoC I wanted test opening URI’s with MessageCard Actions. For this I lazied and used my existing ”AzExpress” test platform, which has Security Center API already. Once I proof the PoC the Architecture might look like this:

Ending words.

From here I will continue by creating further PoC matching the architecture above – Will also appreciate any input regarding what is useful information for the teams message for security operator to start the triage?

  • As disclaimer its good to understand, that there exists complete SOAR platforms, such as what Microsoft is now Offering around Sentinel, Security center and Logic Apps. Feature in this blog is really just about testing quick actions and reactions via modern communication and team work medium, such as MS Teams.
  • Using webhooks in MS Teams has some security implications, and I shall address those in further parts
  • My daily work revolves around Azure and due to this, I find myself sometimes discovering ”new” things productivity side. One of these ”things”, is the versatile extensibility of MS teams 🙂 – If you have any good ideas as using teams for security teams go-to-place for communication, don’t hesitate to ping!

To be continued!

Br, Joosua

5 comments on “PoC part 0 – Integrating Azure Security Center Alerts with MS Teams!

  1. Paluuviite: MS teams and security center! – 365 admin service

  2. are you sharing the code?

    Liked by 1 henkilö

  3. Paluuviite: Complete guide for Integrating Azure Security Center Alerts 2 MS Teams! – SecureCloudBlog

Vastaa käyttäjälle Joosua Santasalo Peruuta vastaus

Täytä tietosi alle tai klikkaa kuvaketta kirjautuaksesi sisään:

WordPress.com-logo

Olet kommentoimassa WordPress.com -tilin nimissä. Log Out /  Muuta )

Google photo

Olet kommentoimassa Google -tilin nimissä. Log Out /  Muuta )

Twitter-kuva

Olet kommentoimassa Twitter -tilin nimissä. Log Out /  Muuta )

Facebook-kuva

Olet kommentoimassa Facebook -tilin nimissä. Log Out /  Muuta )

Muodostetaan yhteyttä palveluun %s

%d bloggaajaa tykkää tästä: