Security Playbook in Azure Security Center
Keeping your cloud-based IT infrastructure secure is a constant effort. The people who want access to your data are always working on ways they can get in, so both you and Microsoft need to be working on ways to keep them out. Microsoft is aware of this responsibility, and since you are reading this blog I assume you are as well.
Security Playbooks in Azure Security Center are a new preview tool in your Azure tenant to assist with the task of keeping your data secure. Security Playbooks can help automate your response to specific security alerts as they are detected by Security Center. There are templates available, or you can create your own Playbook from scratch. Playbooks use Azure Logic Apps, so charges for that service do apply.
In this blog post, we’re going to look at the features and functionality available in the preview of Security Playbooks. We will step through setting up a playbook, and we’ll see what playbooks have to offer.
What is a Security Playbook?
A Security Playbook is a pre-established and scripted set of actions that can be taken in the event of a specific alert within your Azure tenant. Security Playbooks are intended to provide additional security for your cloud resources.
Security Playbooks are built on Azure Logic Apps. This means that you can use the templates provided therein to get you started building your own playbooks.
Security Playbooks are in public preview as this is being written, so there may be feature and functionality changes by the time you are reading this.
Creating your first Security Playbook
To create your first Security Playbook, you need to log into the Azure portal and navigate to the Security Center as shown below.
In Security Center, Playbooks are currently located at the bottom of the menu on the left under “Automation & Orchestration.”
Creating a Playbook is as simple as using the “Add Playbook” button at the top of the interface.
At this point you are just creating a container. Don’t be alarmed when there isn’t anything useful to configure at this point. The wizard just asks you to name your Playbook and put it in a resource group. You have the option to turn on Log Analytics, but I do not have an OMS workspace set up in my tenant, so I left that option as “Off.”
At the bottom of this screen there is an “Automation Options” button next to the “Create” button. This button will take you to a JSON editor that shows you the actual code to create this Playbook with Azure Resource Manager. ARM templates are a topic for another blog post, so I’ll move on to configuring Playbooks.
Configuring a Security Playbook
Once your Playbook is created, the real work of configuration begins. In the screenshot below, you can see I have two Playbooks in my tenant with one that has nothing defined yet.
Selecting the blue link for the Playbook name will take you into the configuration wizard for that playbook. That screen is shown below.
There is a lot to configure here, and I’m not going to go into deep detail on all the aspects of managing Azure Logic Apps in this blog post. For our purposes today, I’m going to focus on the Logic App Designer.
The Logic App Designer is built on an “if this happens, then do that” flow.
When you first launch the Logic App Designer on a new Playbook you are shown the below wizard.
For this Playbook I’m going to select the second option “Post message to Teams channel and send email notification”.
The first step in configuring this template is to allow the Playbook to use your email and Teams for notifications. You must sign into your account for these two services.
This Playbook template will send you a notification when a security center alert is generated. It notifies you via email for low priority alerts, and via Teams for high priority alerts. Of course, you can change those around, or even set it to alert you via different methods if you’d like.
If those options don’t work for you, you can of course modify the Playbook. In this Playbook, I scrolled down, selected “Add a step” and chose “Add an action”. This gave me a chooser with 290 separate actions I can add to this Playbook.
Playing with these Playbooks a little bit will quickly show you that they are potentially very powerful but will take some effort to figure out completely.
Playbooks in Action
I wanted to add a bit in here about what it looks like when a Playbook kicks in and does stuff. Let’s look at one of my test Playbooks.
This Playbook sends me an email when an alert is generated in the Azure Security Center.
This is a two-step Playbook, and there really isn’t much to configure in that first step. I can dive into the actual code used by the designer, but I’m just not that good of a programmer. The real configuration I can do is on the second step.
The “Send an email” step is where I can configure what happens in this Playbook.
Here you can see the information I have chosen to send to myself in this Playbook alert. You can see the content of the email that will be generated when there is a Security Center alert. In the screenshot above you can see I tried to send the email from Azure@Microsoft.com, but it turns out it won’t let me use that as a source address.
After modifying the email to send me the information I want about this alert, I’m going to test it. I can do that by hitting the “Run” button at the top of the page. When I do, I receive the email shown below.
There really isn’t anything in this email because there wasn’t a real security alert. If there had been a real security alert, there would be dynamically generated information in this email about that alert.
Security Playbooks are an exciting new feature in Azure that can help automate some of the responses you may want to take for specific events within your Azure tenant. Any powerful tool in a cloud service is going to take a bit of time to completely flesh out. Security Playbooks are still in preview as of this writing, so don’t expect a fully baked solution right now.
If you put some time into learning the possibilities, I think Security Playbooks can be a great new tool for Azure administrators.