CTHFM: Azure
APIs in Logic Apps

Working with APIs in Azure Logic Apps

Azure Logic Apps can automate workflows within the Azure ecosystem, and it can also interact with external systems and services through their APIs. This module focuses on how you can use APIs to enhance your threat-hunting workflows by integrating third-party security tools, threat intelligence platforms, and custom APIs. These integrations allow you to enrich security incidents, automate threat detection, and streamline responses.

1. Overview of API Integration in Logic Apps

APIs (Application Programming Interfaces) allow different software applications to communicate and exchange data. Azure Logic Apps can interact with any service or application that exposes an API, enabling powerful integrations with external systems.

In Logic Apps, API calls are typically made through the HTTP action, which lets you send requests to REST APIs, retrieve data, and execute actions on external services. Logic Apps also supports a wide range of built-in and custom connectors that simplify API integrations.

Common Use Cases for API Integration in Threat Hunting:

  • Threat Intelligence Enrichment: Query external threat intelligence platforms (e.g., VirusTotal, IBM X-Force, AlienVault OTX) to get reputation data on suspicious IP addresses, file hashes, or domains.

  • Automated Remediation: Interact with APIs of firewall systems, endpoint security tools, or identity management platforms to automatically block IPs, isolate devices, or disable compromised user accounts.

  • Security Event Collection: Pull logs and alerts from third-party security systems and SIEMs that don’t have built-in connectors in Logic Apps.

2. Using the HTTP Action to Call External APIs

The HTTP action is the most direct way to interact with external APIs in Logic Apps. It allows you to send HTTP requests (GET, POST, PUT, DELETE) to RESTful APIs and process the response in your workflow.

Example: Querying a Threat Intelligence API (VirusTotal)

In this example, we’ll set up a Logic App that queries the VirusTotal API to get reputation data on a suspicious IP address. The workflow will trigger based on an Azure Sentinel alert and then call the VirusTotal API to determine if the IP is known to be malicious.

Steps:

  1. Add Trigger (Azure Sentinel Alert):

    • Use the Azure Sentinel trigger to detect when a new security alert is generated. This can be any security alert involving a suspicious IP address.

  2. Add HTTP Action:

    • After the trigger, add the HTTP action to call the VirusTotal API.

    • Configure the HTTP action with the following details:

      • Method: GET

      • URI: https://www.virustotal.com/vtapi/v2/ip-address/report?apikey=YOUR_API_KEY&ip=@{triggerBody()?['IpAddress']}

      • Headers: Add any headers the API requires. For the v2 endpoint above, the key is already passed as the apikey query parameter, so no separate authentication header is needed.

  3. Handle the API Response:

    • The VirusTotal API will return data indicating whether the IP is flagged as malicious.

    • Use Condition logic to check the response and decide whether to take action (e.g., if the reputation score is above a certain threshold, block the IP).

  4. Define Remediation Actions:

    • If the IP is found to be malicious, add actions to notify the security team and block the IP using a firewall API (or similar).

Sample JSON for the HTTP action's inputs (the API key is passed in the query string, matching the URI above):

```json
{
  "method": "GET",
  "uri": "https://www.virustotal.com/vtapi/v2/ip-address/report",
  "headers": {
    "Content-Type": "application/json"
  },
  "queries": {
    "apikey": "YOUR_API_KEY",
    "ip": "@{triggerBody()?['IpAddress']}"
  }
}
```
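Steps 3 and 4 expressed in the workflow definition, as an added example that is not code from the original page: the HTTP action is given a name so the Condition can read its body. Assumptions: the API key is supplied as a SecureString workflow parameter `vtApiKey` instead of being pasted into the URI, the v2 report is treated as malicious when its `detected_urls` array is non-empty, and `alertWebhookUrl` is a hypothetical notification endpoint.

```json
{
  "Query_VirusTotal": {
    "type": "Http",
    "description": "Assumes vtApiKey is a SecureString workflow parameter populated at deployment",
    "inputs": {
      "method": "GET",
      "uri": "https://www.virustotal.com/vtapi/v2/ip-address/report",
      "queries": {
        "apikey": "@parameters('vtApiKey')",
        "ip": "@{triggerBody()?['IpAddress']}"
      }
    },
    "runAfter": {}
  },
  "Is_IP_Malicious": {
    "type": "If",
    "description": "Assumed threshold: any detected URL associated with the IP counts as malicious; coalesce guards against a missing array",
    "expression": {
      "and": [
        {
          "greater": [
            "@length(coalesce(body('Query_VirusTotal')?['detected_urls'], json('[]')))",
            0
          ]
        }
      ]
    },
    "actions": {
      "Notify_Security_Team": {
        "type": "Http",
        "description": "alertWebhookUrl is a hypothetical parameter for the team's notification endpoint",
        "inputs": {
          "method": "POST",
          "uri": "@parameters('alertWebhookUrl')",
          "headers": { "Content-Type": "application/json" },
          "body": {
            "text": "@{triggerBody()?['IpAddress']} has @{length(body('Query_VirusTotal')?['detected_urls'])} detected URLs on VirusTotal"
          }
        },
        "runAfter": {}
      }
    },
    "else": { "actions": {} },
    "runAfter": {
      "Query_VirusTotal": [ "Succeeded" ]
    }
  }
}
```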

3. Using Custom APIs in Logic Apps

While many popular services have built-in connectors, you may need to interact with a custom API or a service that doesn’t have a pre-built connector. In this case, you can use Logic Apps to call the custom API directly via the HTTP action or create a Custom Connector to simplify integration.

Example: Automating Remediation via a Custom Firewall API

Let’s say you’re working with a firewall solution that provides an API for blocking IP addresses. You can create a Logic App that automatically blocks an IP when it’s flagged as malicious during a threat-hunting workflow.

Steps:

  1. Add HTTP Action:

    • After the threat intelligence enrichment (from VirusTotal or another source), add an HTTP action to call the firewall’s API.

    • Configure the HTTP action as a POST request to the firewall API’s block IP endpoint.

    • Pass the suspicious IP address as part of the request body.

  2. Configure Authentication:

    • If the API requires authentication (e.g., API key, OAuth), you’ll need to include the necessary headers or use the authentication options built into the HTTP action.

  3. Error Handling:

    • Use Error Handling in Logic Apps to manage failed API requests. If the request fails, you can trigger alternative actions such as sending an error notification or retrying the request.

4. Securing API Calls

When working with sensitive security data and APIs, it’s important to ensure the calls are secure. This involves using proper authentication, such as OAuth, API keys, or Managed Identity, as well as securing data transmission using HTTPS.

Authentication Methods:

  • API Keys: Include the API key in the header or query parameters of the HTTP request. Be sure to store API keys securely in Azure Key Vault.

  • OAuth 2.0: For APIs that require OAuth, Logic Apps supports OAuth authentication. You can configure this during the connector or HTTP action setup.

  • Managed Identity: If your Logic App is running within Azure, you can leverage Managed Identity to authenticate with other Azure services without managing credentials manually.

Example: Using OAuth for API Authentication

If your Logic App needs to authenticate using OAuth 2.0, you can configure the HTTP action or Custom Connector to use OAuth as the authentication mechanism. Logic Apps will handle the token exchange automatically, allowing your workflow to securely interact with the API.
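Sections 3 and 4 together in definition form, as an added example that is not from the original page or any vendor's documentation: the first action posts to a custom firewall block-list API with a key held in a SecureString workflow parameter and hides the call's inputs and outputs from run history; the second calls an Azure REST API with the Logic App's Managed Identity instead of a stored credential. The firewall endpoint, `firewallApiKey`, and the SUBSCRIPTION_ID, RG_NAME, NSG_NAME and API_VERSION placeholders are assumptions.

```json
{
  "parameters": {
    "firewallApiKey": { "type": "SecureString" }
  },
  "actions": {
    "Block_IP_On_Firewall": {
      "type": "Http",
      "description": "Hypothetical firewall block-list endpoint; key comes from the SecureString parameter, never a literal",
      "inputs": {
        "method": "POST",
        "uri": "https://firewall.example.internal/api/v1/blocklist",
        "headers": {
          "Content-Type": "application/json",
          "X-Api-Key": "@parameters('firewallApiKey')"
        },
        "body": {
          "ip": "@{triggerBody()?['IpAddress']}",
          "reason": "Flagged malicious by Logic App enrichment"
        }
      },
      "runtimeConfiguration": {
        "secureData": { "properties": [ "inputs", "outputs" ] }
      },
      "runAfter": {}
    },
    "Read_NSG_With_Managed_Identity": {
      "type": "Http",
      "description": "Uses the Logic App's system-assigned identity; placeholders in the URI must be replaced",
      "inputs": {
        "method": "GET",
        "uri": "https://management.azure.com/subscriptions/SUBSCRIPTION_ID/resourceGroups/RG_NAME/providers/Microsoft.Network/networkSecurityGroups/NSG_NAME?api-version=API_VERSION",
        "authentication": {
          "type": "ManagedServiceIdentity",
          "audience": "https://management.azure.com/"
        }
      },
      "runAfter": {
        "Block_IP_On_Firewall": [ "Succeeded" ]
      }
    }
  }
}
```

The identity still needs an RBAC role assignment on the target resource; without it the call returns 403 even though no credential is stored in the workflow.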

5. Error Handling for API Calls

When interacting with external APIs, it’s crucial to implement robust error handling to deal with network issues, authentication failures, or API downtime. Logic Apps provides built-in mechanisms to handle errors gracefully.

Example: Handling API Failures

  1. Configure Error Handling:

    • On the action that should handle the failure (the one placed after the HTTP action), click on the ellipsis (three dots) and select Configure run after.

    • Set that action to run only if the previous step fails, allowing you to handle the error.

  2. Add Alternative Actions:

    • If an API call fails, you can trigger alternative actions, such as logging the failure, retrying the request, or notifying the security team.

  3. Retry Policies:

    • Logic Apps supports retry policies that allow failed HTTP actions to be retried automatically. You can configure the retry settings to specify how many times the action should be retried and the delay between retries.
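The retry policy and run-after handling described above in definition form, as an added example that is not from the original page: `Query_VirusTotal` retries transient failures with exponential backoff, the notification runs only when the call still fails or times out, and the run is then marked Failed so it is visible in monitoring. `vtApiKey` and `alertWebhookUrl` are assumed workflow parameters.

```json
{
  "Query_VirusTotal": {
    "type": "Http",
    "description": "retryPolicy lives inside inputs for HTTP actions; 4 retries, 20s base interval, 5m cap",
    "inputs": {
      "method": "GET",
      "uri": "https://www.virustotal.com/vtapi/v2/ip-address/report",
      "queries": {
        "apikey": "@parameters('vtApiKey')",
        "ip": "@{triggerBody()?['IpAddress']}"
      },
      "retryPolicy": {
        "type": "exponential",
        "count": 4,
        "interval": "PT20S",
        "maximumInterval": "PT5M"
      }
    },
    "runAfter": {}
  },
  "Report_Enrichment_Failure": {
    "type": "Http",
    "description": "Runs only on the Failed or TimedOut outcome; alertWebhookUrl is a hypothetical parameter",
    "inputs": {
      "method": "POST",
      "uri": "@parameters('alertWebhookUrl')",
      "headers": { "Content-Type": "application/json" },
      "body": {
        "text": "VirusTotal enrichment failed for @{triggerBody()?['IpAddress']} (HTTP status @{outputs('Query_VirusTotal')?['statusCode']})"
      }
    },
    "runAfter": {
      "Query_VirusTotal": [ "Failed", "TimedOut" ]
    }
  },
  "Stop_Run_As_Failed": {
    "type": "Terminate",
    "description": "Marks the run Failed even if the notification itself failed, so the failure is never silently swallowed",
    "inputs": {
      "runStatus": "Failed",
      "runError": {
        "code": "EnrichmentFailed",
        "message": "VirusTotal call did not succeed after retries"
      }
    },
    "runAfter": {
      "Report_Enrichment_Failure": [ "Succeeded", "Failed" ]
    }
  }
}
```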

6. Best Practices for Working with APIs in Logic Apps

  • Use Secure Connections: Always use HTTPS for API calls to ensure secure data transmission.

  • Handle Rate Limits: Be mindful of API rate limits. If you expect to make many requests, implement throttling mechanisms to avoid exceeding rate limits.

  • Test API Calls: Test API integrations in a development environment before deploying them to production to ensure they behave as expected.

  • Monitor API Responses: Use Logic Apps’ built-in monitoring to track API response times and failure rates. If an API starts performing poorly, you can adjust your workflows accordingly.
