☁️
CTHFM: Azure
  • Welcome
  • Getting Started
    • Account Setup
      • Account Creation Instructions
  • Azure Fundamentals
    • Azure Fundamentals Overview
      • Azure Documentation
      • Azure Entra
      • Azure Hierarchy
      • Identities
      • Azure Entra Roles
      • Azure RBAC
      • Azure Licensing Overview
        • Azure Entra ID Premium Licenses Comparison
      • Azure Shared Responsibility Model
      • Azure Frameworks
      • Azure Security Services
      • Conditional Access Policies
        • How Conditional Access Policies Work
        • Benefits of Conditional Access
        • Best Practices for Conditional Access
        • Conditions for Conditional Access
        • Conditional Access Controls
        • Sign-In Risk and Identity Protection
        • Conditional Access Session Control
        • Name Locations IP Location
      • Azure Quotas
      • Azure Tokens
        • Access Tokens
        • ID Tokens
        • Refresh Tokens
          • Invalidate Refresh Tokens
        • Primary Refresh Tokens
        • Continuous Access Evaluation (CAE)
        • Token Protection: Conditional Access (Public Preview)
  • Azure CLI
    • Introduction to Azure CLI
    • Installing Azure CLI
    • CLI Commands
    • Resource Group Management
    • Creating and Managing Resources with Azure CLI
    • Managing IAM
    • Azure CLI Automation
    • Monitoring and Troubleshooting in Azure CLI
    • Azure CLI Overview
      • Azure CLI: Linux
      • Azure CLI: Windows
      • Azure CLI: MacOS
  • KQL
    • KQL Overview
      • KQL Introduction
      • Data Types
      • Quick Reference
      • Render
      • Basic Queries
  • Powershell
    • PowerShell for Azure
      • Powershell Documentation
      • Powershell Basics
      • Understanding Powershell Variables
      • Understanding Cmdlets
      • Powershell Console & ISE
      • Powershell: Entra Module
        • Module Reference & Getting Started
      • Powershell: Azure Module
        • Installation Instructions
        • Powershell Azure CLI: Windows
        • Powershell Azure CLI: Linux
        • Powershell Azure CLI: MacOS
        • Example Azure Cmdlets
  • Bicep
    • Bicep File Structure
    • Variable Types
  • Azure Logging References
    • Logging
      • Log Retention Strategies
      • Azure Log Types
      • Azure Activity Logs
        • Administrative Event Schema
        • Service Health Notification Schema
        • Resource Health
        • Alert Category
        • Autoscale
        • Security
        • Recommendation
        • Policy
      • Entra ID Logging
        • Identity Based Logs
          • Audit Logs
          • Sign-In Logs
            • AADNonInteractiveUserSignInLogs
            • AADManagedIdentitySignInLogs
            • AADServicePrincipalSignInLogs
            • First Party Sign-In Activity
          • Provisioning Logs (AADProvisioningLogs)
          • Microsoft Graph Activity
          • Identity Protection
            • Risk Detections
            • AADRiskyServicePrincipals
            • AADRiskyUsers
            • AADUserRiskEvents
            • AADServicePrincipalRiskEvents
        • Additional Entra ID Logs
      • Azure Key Vault
        • Azure Key Vault Logging Overview
      • Network Watcher
        • RBAC Permissions
        • Flow Log Types
          • NSG Flow Log Schema
          • VNET Flow Log Schema
        • Enabling Logs
          • NSG Flow Logs
          • VNET Flow Logs
        • Packet Capture
          • Packet Capture: VM
          • Packet Capture: Scale Sets
      • Compute Resources
        • Azure Monitor Agent
        • VM Insights
          • VM Insights Tables
      • Storage Accounts
        • Storage Account Logging
          • File
            • Enable StorageFileLogs
            • StorageFileLogs
          • Blob
            • Enable Blob Logging
            • StorageBlobLogs
          • Queue
            • Enable Queue Logging
            • StorageQueueLogs Table
          • Table
            • Enable Table Logging
            • StorageTableLogs Table
      • Azure App Service
        • Log Types
        • Enabling Logging
      • Azure Monitor
        • Resource Logs
          • Resource Log Top Level Documentation
        • Log Analytics Workspace
          • Setup
        • Workbooks
        • Dashboards
        • Alerts
        • Azure Monitor Documentation
      • Defender for Cloud
      • Intune
      • Sysmon
      • Purview Audit Log Schema
      • Kubernetes Audit Log (AKS)
  • Threat Hunting
    • Threat Hunting in Azure
      • Threat Hunting Introduction
      • Threat Hunting Process
        • Hypothesis Generation
        • Investigation
        • Identification
        • Resolution & Follow Up
      • Pyramid of Pain
      • Azure Threat Hunting Ideas
      • Hands On Threat Hunting Examples
      • OSINT Feeds
  • Sigma
    • Sigma Rule Structure
  • Microsoft Defender TI
    • Microsoft Defender Threat Intelligence
      • Data Sets
      • Reputational Scoring
      • Analyst Insights
      • Microsoft Defender TI: Copilot Integration
  • MITRE Att&ck
    • MITRE Att&ck
      • MITRE Att&ck Concepts
      • MITRE Data Sources
      • MITRE Att&ck Mitigations
      • MITRE Att&ck: Azure
        • MITRE Att&CK: Azure Security Control Mapping
  • Microsoft Resources
    • Microsoft Incident Response Ninja Hub
    • Microsoft Defender XDR Ninja Hub
  • Azure Threat Research Matrix (ATRM)
  • Security Research & Resources
    • Azure Goat
    • Azure Security Research
      • Azure Related CVEs
  • Defender XDR
    • Defender XDR Overview
    • Defender XDR Licensing
    • Defender XDR Default Retention
    • Defender XDR Advanced Hunting Table Schemas
    • Automated Response Requirements
    • Supported Response Actions
  • Azure Sentinel
    • Sentinel Overview
    • Azure Sentinel Deployments
    • Supported Data
    • Workbook, Playbook, Notebook Comparison
    • Sentinel Workbooks
    • Entities
    • User and Entity Behavior Analytics
    • Anomaly Detection
    • Mult-Stage Attack Detection
    • Sentinel: Az CLI
  • Microsoft Defender
    • Microsoft Defender for Cloud References
    • Defender for Cloud: Az CLI
  • Azure Policy
    • Azure Policy
    • Azure Policy Components
    • Azure Policy Rules
    • Scope Azure Policy
    • Policy Assignments
    • Policy Effect
    • Initiative Definition
    • Policy Parameters
    • Remediation Task Structure
    • Use Cases for Azure Policy
    • Azure Policy: Az CLI
  • Intune
    • Intune Overview
    • Intune Licensing
    • Intune API Permission Scopes
    • Intune Sample Script Resources
  • Intune Logging
    • Configure Logging
    • Logging Schema References
    • Intune Queries and Resources
  • Windows Host Security
    • Windows System Architecture and OS Fundamentals
    • SysInternals
    • Basic vs Advanced Security Auditing
    • Sysmon
  • Adversary Emulation
    • AzureHound
    • AADInternals
      • Install
    • RoadTools
      • Install
    • Oh365UserFinder
    • GraphRunner
  • Incident Response
    • Incident Response
      • Azure IR Program Development Cheat Sheet
      • Azure IR Playbooks (MS Guidance)
      • Ransomware (MS Guidance)
  • Automation
    • Automation Overview
    • Logic Apps
      • How Logic Apps Work
      • Logic App Types
      • Triggers
      • Connectors
      • Conditional Logic and Control Flow
      • APIs in Logic Apps
      • Handling Large Workflows with Stateful Logic Apps
      • External Service Integration
      • Securing, Managing, and Scaling Azure Logic Apps
      • Logic Apps: Az CLI
  • Packet Analysis
    • Wireshark Cheatsheet
    • TShark Cheatsheet
    • TCPDUMP Cheatsheet
    • Protocol Analysis Basics
    • HTTP Response Code Cheatsheet
    • RFC Protocol Mappings
    • PCAP Acquisition
  • Detection Lab
    • Detection Lab Introduction
    • Account Creation Instructions
    • Enable MFA Within Azure Tenant
    • Create an Azure Admin With Cloud Shell
    • Setup and Install Instructions
  • VSCode and Code Setup
  • Deploying Code
  • Enabling Logs for Log Analytics Workspace
  • Logging Into Windows VM
  • Verifying Logs in Log Analytics Workspace
  • Creating Detections: Azure Monitor
  • Cost Management: Billing Alarms
Powered by GitBook
On this page
  1. Automation
  2. Logic Apps

External Service Integration

Azure Logic Apps allows seamless integration with a wide range of external services, which is essential for automating complex workflows in threat-hunting, security automation, and incident response scenarios. In this module, we will focus on how you can connect Logic Apps with external services, both within and outside of the Azure ecosystem, to streamline your security operations.

1. Overview of External Service Integration

Azure Logic Apps provides built-in connectors for a wide range of third-party services and APIs. This integration allows you to automate tasks such as retrieving data from external systems, sending notifications, or interacting with security tools that are not native to Azure.

Common services you might integrate with Logic Apps include:

  • Threat Intelligence Platforms: VirusTotal, IBM X-Force, AlienVault OTX

  • Incident Management Systems: ServiceNow, Jira

  • Communication Platforms: Microsoft Teams, Slack, PagerDuty

  • Security Tools: Firewalls, SIEMs, Endpoint Protection Systems

  • Cloud Services: AWS, Google Cloud, SaaS applications

2. Integrating with Azure Services

Logic Apps can easily integrate with other Azure services, which is especially useful for threat-hunting and security automation. Some of the most commonly used Azure services in security workflows are Azure Sentinel, Azure Monitor, Azure Active Directory, and Microsoft Defender for Cloud.

Example: Integrating with Azure Sentinel for Incident Response

You can build a Logic App that automatically responds to incidents generated in Azure Sentinel.

Steps:

  1. Trigger:

    • Use the When an alert is generated trigger from Azure Sentinel to start the workflow when a new security incident occurs.

  2. Query Logs:

    • Use the Azure Monitor Logs connector to query security logs related to the incident from various sources such as Azure Monitor, Office 365, or third-party SIEM systems.

  3. Automated Actions:

    • Add actions to remediate the incident, such as quarantining the affected resource, disabling compromised user accounts, or blocking malicious IP addresses.

  4. Send Notifications:

    • Use the Microsoft Teams or Outlook connectors to notify your security operations team with detailed information about the incident.

3. Connecting to Third-Party Security Tools

Azure Logic Apps can integrate with various third-party security tools that your organization uses for threat intelligence, SIEM, endpoint protection, or incident response. You can either use built-in connectors or use the HTTP action to call external APIs.

Example: Integrating with VirusTotal for Threat Intelligence Enrichment

You can enrich security alerts by querying the VirusTotal API to check the reputation of a suspicious IP address, domain, or file.

Steps:

  1. Trigger:

    • Use an Azure Sentinel Alert as a trigger to start the workflow when an alert involves a suspicious IP address or file.

  2. HTTP Action:

    • Add an HTTP action to call the VirusTotal API.

    • Configure the HTTP action as a GET request with the following URI:

      plaintextCopy codehttps://www.virustotal.com/vtapi/v2/ip-address/report?apikey=YOUR_API_KEY&ip=@{triggerBody()?['IpAddress']}

    • Pass the IP address from the alert as a parameter in the API call.

  3. Process the Response:

    • Use Condition logic to evaluate the response. If the IP is flagged as malicious, trigger further remediation steps such as blocking the IP or notifying the security team.

  4. Automated Remediation:

    • Based on the reputation score returned by VirusTotal, trigger an action to block the IP address in your firewall using another API call.

4. Integrating with Incident Management Systems

Incident management systems like ServiceNow, Jira, or PagerDuty are often used to track and manage security incidents. Integrating these systems with Logic Apps can automate the creation, tracking, and closure of security incidents.

Example: Automating Incident Management with ServiceNow

You can automate the process of creating and updating incidents in ServiceNow based on security alerts generated by Azure Sentinel.

Steps:

  1. Trigger:

    • Use the Azure Sentinel connector to start the workflow when an alert is triggered.

  2. Create an Incident in ServiceNow:

    • Use the ServiceNow connector to automatically create an incident in ServiceNow when the workflow is triggered.

    • Include details such as the alert name, severity, and relevant data in the ServiceNow ticket.

  3. Update Incident Status:

    • As the incident is investigated, use additional actions to update the status of the incident in ServiceNow automatically based on other conditions (e.g., when a related security alert is resolved).

  4. Close the Incident:

    • Once the workflow has successfully remediated the threat, close the incident in ServiceNow by sending an API request or using the ServiceNow connector.

5. Integrating with Communication and Notification Platforms

Communication platforms like Microsoft Teams, Slack, and PagerDuty are commonly used to notify security teams of incidents or important alerts. Azure Logic Apps can be configured to send real-time notifications to these platforms whenever a security event occurs.

Example: Sending Real-Time Alerts to Microsoft Teams

You can create a Logic App that sends a message to a Teams channel whenever a high-severity security alert is generated in Azure Sentinel.

Steps:

  1. Trigger:

    • Use the Azure Sentinel trigger to detect when a high-severity alert is raised.

  2. Add Microsoft Teams Action:

    • Use the Microsoft Teams connector to send a message to a specific Teams channel with the details of the security alert.

  3. Customize the Message:

    • Use dynamic content from the alert to populate the message. For example:

      • Alert Name: @{triggerBody()?['AlertName']}

      • Severity: @{triggerBody()?['Severity']}

      • Alert Description: @{triggerBody()?['Description']}

  4. Test the Workflow:

    • Test the workflow by generating an alert in Azure Sentinel and verifying that the Teams message is sent correctly.

6. Hybrid Integration with On-Premises Systems

In many organizations, critical systems may still be on-premises, but you can still use Azure Logic Apps to integrate with them. By using the On-Premises Data Gateway, you can securely connect your Logic Apps workflows with on-premises databases, file systems, and security tools.

Example: Accessing On-Premises Logs for Threat Hunting

If your organization stores logs on-premises, you can configure a Logic App to securely access and analyze these logs during threat-hunting workflows.

Steps:

  1. Set Up On-Premises Data Gateway:

    • Install and configure the On-Premises Data Gateway to allow secure communication between Azure Logic Apps and your on-premises network.

  2. Trigger the Logic App:

    • Use a recurrence trigger to query logs from an on-premises SQL Server database or file system every hour for suspicious activity.

  3. Query the On-Premises Data:

    • Use the SQL Server or File System connectors to query the on-premises data for indicators of compromise, such as repeated failed login attempts or unauthorized file access.

  4. Automated Remediation:

    • Based on the findings, the Logic App can take automated actions such as notifying the security team or blocking user accounts.

7. Authentication and Security Considerations

When integrating with external services, it’s important to ensure that authentication and security are handled properly. Logic Apps supports several authentication mechanisms to secure communications between services, including:

  • OAuth 2.0: For APIs that require token-based authentication.

  • Managed Identity: For services within Azure that support Azure AD authentication.

  • API Keys: For external APIs that require key-based authentication.

Example: Securing API Calls with Managed Identity

If your Logic App needs to access a service like Azure Key Vault or Azure Storage, you can use Managed Identity for secure authentication without having to manage credentials manually.

Steps:

  1. Enable Managed Identity:

    • In your Logic App settings, enable Managed Identity.

  2. Grant Permissions:

    • Assign the necessary roles (e.g., Key Vault Reader) to the Logic App’s Managed Identity to allow it to access secure resources.

  3. Use Managed Identity in Actions:

    • In the actions that access secure services (e.g., retrieving secrets from Key Vault), select Managed Identity as the authentication method.

Last updated 8 months ago