This is the second part of the PoC, focusing on the configuration of Azure Security Center alerts to Teams via webhooks.
Read the introduction in my previous post if you are interested in the project and its possible use cases: PoC part 0 – Integrating Azure Security Center Alerts with MS Teams!
This post is mainly about deploying and testing the solution in test environments.
- What should be the technical end result of this blog? (JUMP HERE)
As this is a PoC-type project, I only recommend completing this guide in a test environment. The project uses webhooks for posting alerts into Teams and SAS tokens for Azure Storage. Both are just URLs with "embedded" authentication: there is nothing intrinsically wrong with using either, but the benefit of a test environment is that you get to see how they work in case you are not familiar with them, which helps you understand the possible ramifications of such options. Azure internal services also use SAS tokens embedded in various places. The main thing is not to save them to unsecured locations. In this project all secrets are stored in Azure Key Vault, which the Azure Function accesses with a system-assigned identity.
Services utilized

Prerequisites
- Time to complete: 10-60 minutes depending on prerequisites and the state of your environments
- VS Code
- Azure Security Center Standard enabled
- Azure Functions extension for VS Code
- Git
- Node.js runtime (this installs dependencies such as npm, which is used in our deployment method, and node.exe if you run the function locally)
Optional but recommended for debugging the function locally
- Azure Functions Core Tools (for local debugging; good to have)
Deployment guide
Deployment steps
- Create test alert (jump to the previous blog post to create the test alert)
- In order to have threat detection and alerts available, the subscription has to be enabled for Azure Security Center Standard. I've written about the benefits of Azure Security Center Standard here, in case you are wondering why to enable it 🙂
- Create Azure Function
- Create Azure Key Vault
- Create and store Teams Webhook to Azure Key Vault
- Create Azure Storage Account and store account key to Azure Key Vault
- Clone and install the Azure Functions project Code
- Create and configure Azure Logic App
- Create Azure Security Center Workflow Automation
Configuration guide
Create Azure Function

We create an Azure Function which will parse and enhance the content destined for the Teams webhook.
- While we create the Azure Key Vault we also create a new resource group to encapsulate the different resources used in this blog.
- This helps to ensure that limitations on using resources across multiple subscriptions or resource groups in Logic Apps won't make following this guide harder.
- For example, if you want to "natively" (without using the generic HTTP action) configure the function to work with the Logic App, it has to be in the same resource group.
Create a new RG while creating the function. I've chosen Linux as the OS for the function. I haven't tried the function on Windows, but I believe it works just fine there too.

- After the function is created we enable a system-assigned identity for it, which we can then add to the Azure Key Vault's access policy.

Create Azure Key Vault
We create a Key Vault to store the values that require protection in this project. These secrets are consumed by the Azure Function we created previously.



Create Teams Webhook
We create a Teams incoming webhook so that the Teams channel can receive alerts from Azure Security Center via the webhook.
- In Teams, click the 'three dots' next to the channel and select 'Connectors'

- From the Connectors list, select the Incoming Webhook connector

- Name the connector, and then click 'Create'
- Upload an image if you want to change the default image on the alert, and click 'Done' after copying the webhook URL


- Store the webhook URL in Azure Key Vault (Secrets, new secret, and name the secret 'webhook')
Create new secret from copied value



- Copy the ’Secret Uri’

Create App Setting in Azure Function
- Example of the app setting value that references Azure Key Vault:
@Microsoft.KeyVault(SecretUri=https://ascalertskv.vault.azure.net/secrets/webhook/f6a403b9f36e4e4e966dd956b032a474)
- Node.js reads the secret with process.env.o365Webhook; the Key Vault reference resolves the secret and exposes it to the Node.js runtime as a normal app setting. If you update the secret value, remember to fetch the new 'Secret Uri' from Azure Key Vault, as the version of the secret also changes.


Create Azure Storage
We create an Azure Storage Account to store the alert JSON blobs, which are used by the export feature.

- After creating the storage account, create a new container named 'ascalerts' in it

- Copy the storage connection string to Azure Key Vault as the secret 'storageaccess'

- Example of the app setting value that references Azure Key Vault:
@Microsoft.KeyVault(SecretUri=https://ascalertskv.vault.azure.net/secrets/storageaccess/b484fcd8bb4f491194feb594ddd55931)
- Repeat the same steps in Key Vault and in the Azure Function settings as for the webhook secret
At this point you should have app settings showing the following values within the Function's settings:


Deploy the code from GitHub to the Azure Function via VS Code
Clone the repository and open it in VS Code to install the recommended extensions:
git clone https://github.com/jsa2/ascintegration.git
code .\ascintegration\


Deploy the function to the existing Azure Function
- Sign in to Azure from the Functions extension blade

- Deploy the code to the Azure Function we created in the earlier step
- Yes, we are using the infamous 'right click' style (friends don't let…) deploy






Create and configure Azure Logic App

We create the Logic App which acts as the automation point for Azure Security Center alerts; this is the part that completes the main logic of this PoC.

- Create the Logic App with the following actions and settings


- First step
- Add the Security Center trigger for the aforementioned action

- Second step
- This is the blob export, for which the Azure Function creates a SAS link valid for five days
- Select the storage account and container we created earlier

Blob name has the following expression:
concat(triggerBody()?['SystemAlertId'],'.JSON')

- Third step
- Add a Compose action from Data Operations and copy the following content into it:
{ "asc": @{triggerBody()}, "storagemetadata": @{body('Create_blob')} }

- Fourth step
- Select the function we created in the step Create Azure Function
- Select 'LogicAppAlerts'

- The payload is 'Outputs' from dynamic content

Create Azure Security Center Workflow Automation
Before we create the alert automation, we trigger the Logic App manually with the alert we created in the previous step.
We are expecting to:
- Get a notification in Teams
- Have working 'export' and 'triage' actions in the notification


Trigger test alert
- Select the test alert


- Select 'Take action'

- Select 'Trigger Logic App' from 'Trigger automated response'

- Select the Logic App we created earlier


- You can now take a peek into Teams and the Logic App run history to see if the trigger was successful

- A successful triggering of the Logic App will look like this

Configure alerts on Azure Security Center
We now create a workflow automation in Security Center so that alerts are delivered automatically on alert events, instead of being triggered manually as we did earlier.

- For testing the alert, ensure that you configure the automation for each subscription
- The scope seems to indicate the source of resources for which the alert was generated. Besides this the scope indicates

- Select 'Add workflow automation' with the following settings

- After creation of the workflow you should have something resembling the picture below:

- At this point it's recommended to test the automatic triggering of the alert, for which you can use
Ending words
If you followed this far, then thank you for reading. I plan to update this blog if I find production use cases for this or new ideas.
About the chosen services for this integration: Logic Apps and Azure Functions
The Logic App is the first point of contact between Azure Security Center and workflows, so it was a very natural choice for the first step. From there I proceeded with Logic Apps as far as I felt comfortable. I pivoted to Functions when I needed to create the SAS token for the JSON export and dynamically populate some attributes of the message that was going to be posted to the Teams webhook.