WEBVTT

00:00:02.680 --> 00:00:07.620
When it comes to your IT security, it's always better to be proactive

00:00:07.620 --> 00:00:10.780
rather than passive.

00:00:10.780 --> 00:00:14.680
And in this video, we're going to take a look at one way that you can

00:00:14.680 --> 00:00:18.060
do that. One way that you can be proactive is to have alerts.

00:00:18.060 --> 00:00:21.880
Alerts are going to look for specific security conditions and they're

00:00:21.880 --> 00:00:26.560
going to trigger a process, let you know, send you an email that there's

00:00:26.560 --> 00:00:29.960
a problem. But we also have this concept of playbooks.

00:00:29.960 --> 00:00:33.540
And that's what we're going to look at here, security event playbooks.

00:00:33.540 --> 00:00:37.060
Now the two topics that we're going to look at, first of all, I'll describe

00:00:37.060 --> 00:00:41.300
security playbooks and then I am going to demonstrate how you can set

00:00:41.300 --> 00:00:46.640
up security center automation with a very, very simple playbook.

00:00:46.640 --> 00:00:49.440
All right, let's go ahead and jump right in.

00:00:49.440 --> 00:00:51.900
Now, when we're talking about security playbooks, first thing you should

00:00:51.900 --> 00:00:56.540
know is that this is a concept that's becoming a little bit more universal

00:00:56.540 --> 00:01:00.560
across many different sectors of the Azure environment.

00:01:00.560 --> 00:01:03.780
In this case, it is security center.

00:01:03.780 --> 00:01:06.900
But what you'll see is that it is workflow automation and you're going

00:01:06.900 --> 00:01:10.760
to see playbooks and workflow automation in a number of places.

00:01:10.760 --> 00:01:15.700
And what this does is it lets you automate custom responses, right?

00:01:15.700 --> 00:01:19.660
So beyond just having an alert, this is going to let you have your own

00:01:19.660 --> 00:01:23.500
custom response that is built on Azure logic apps.

00:01:23.500 --> 00:01:26.460
Now why are logic apps important?

00:01:26.460 --> 00:01:30.580
Because there are literally hundreds of integrated providers.

00:01:30.580 --> 00:01:36.340
So if you have a SIEM, if you've got a general alerting system, if you

00:01:36.340 --> 00:01:41.000
just have a database of issues that you're tracking and you can have all

00:01:41.000 --> 00:01:45.720
of those and you want them all to have some kind of activity based on

00:01:45.720 --> 00:01:50.860
some kind of security situation, you can do that with a logic app.

00:01:50.860 --> 00:01:52.740
A logic app is a workflow.

00:01:52.740 --> 00:01:57.500
It's a no-code workflow that allows you to define responses to activities.

00:01:57.500 --> 00:02:00.680
And that's absolutely generic to Azure.

00:02:00.680 --> 00:02:04.860
The twist here is that you can trigger them based off of conditions, based

00:02:04.860 --> 00:02:10.340
off of alerts within security center, which is pretty cool stuff.

00:02:10.340 --> 00:02:14.900
All right. Oh, one too many there.

00:02:14.900 --> 00:02:22.460
There we go. There's literally hundreds of providers.

00:02:22.460 --> 00:02:26.900
They're triggered by security conditions, either a threat detection or

00:02:26.900 --> 00:02:28.660
a recommendation.

00:02:28.660 --> 00:02:30.520
Now why would you do this?

00:02:30.520 --> 00:02:32.840
Maybe you've got remediation, right?

00:02:32.840 --> 00:02:38.720
Maybe I've got a security center recommendation and I've got a logic app

00:02:38.720 --> 00:02:46.360
that can have, you know, it interacts with the Azure system, the ARM system,

00:02:46.360 --> 00:02:47.680
Azure Resource Management.

00:02:47.680 --> 00:02:51.940
There we go. And or maybe, like I said, auditing and logging, or maybe you

00:02:51.940 --> 00:02:54.640
want alerting that goes beyond just what's built in.

00:02:54.640 --> 00:02:59.220
So these are all options that are available to you with security playbooks.

00:02:59.220 --> 00:03:02.800
Now what I want to do is go ahead and demonstrate them.

00:03:02.800 --> 00:03:06.020
Again, I'm going to go through a very simple demonstration, but I think

00:03:06.020 --> 00:03:09.440
it shows you exactly what you can do with this; where you take it beyond

00:03:09.440 --> 00:03:12.460
the initial triggering is really up to you.

00:03:12.460 --> 00:03:16.980
And with a logic app, to me, that's the really important part to see, is the

00:03:16.980 --> 00:03:22.380
fact that, okay, I can have some activity trigger this logic app and then

00:03:22.380 --> 00:03:26.640
I just literally write the logic or define the logic that it needs.

00:03:26.640 --> 00:03:30.660
So let's go ahead and let's jump into this.

00:03:30.660 --> 00:03:37.480
Okay, here I am in security center and it doesn't say anything about playbooks.

00:03:37.480 --> 00:03:39.700
That's because it is under workflow automation.

00:03:39.700 --> 00:03:44.380
One thing I will tell you is that there is some inconsistency in the terminology

00:03:44.380 --> 00:03:50.320
that I find in the dashboard for workflow automation. Workflow automation,

00:03:50.320 --> 00:03:52.500
playbook, same thing.

00:03:52.500 --> 00:03:55.040
It's a way to tie into a logic app.

00:03:55.040 --> 00:03:58.200
So I'm going to go ahead and add workflow automation.

00:03:58.200 --> 00:03:59.900
I'm going to give this a name.

00:03:59.900 --> 00:04:05.720
Demo security. Whoa, apparently I'm going to give it all caps.

00:04:05.720 --> 00:04:09.700
Let's try that again.

00:04:09.700 --> 00:04:13.360
Demo security playbook.

00:04:13.360 --> 00:04:20.720
Okay, and we won't say description because hopefully you get the idea.

00:04:20.720 --> 00:04:23.160
I'll put it into a resource group.

00:04:23.160 --> 00:04:27.560
Now what I do is say, okay, I have two options.

00:04:27.560 --> 00:04:30.780
I have threat detection alerts or security center recommendations.

00:04:30.780 --> 00:04:34.800
Now if I have a threat detection, I can look for an alert name, alert

00:04:34.800 --> 00:04:45.700
severity. Okay. And I can go and pick logic apps.

00:04:45.700 --> 00:04:51.260
But what I want to do is go to security center recommendations.

00:04:51.260 --> 00:04:55.940
So essentially I've got whatever recommendations I want.

00:04:55.940 --> 00:05:00.800
Let's say I want, there you go, web application should only be accessible

00:05:00.800 --> 00:05:09.380
over HTTPS. And then no recommendation severity because it's already picked.

00:05:09.380 --> 00:05:13.800
Recommendation state, we will take those.

00:05:13.800 --> 00:05:23.140
Now actions. So I've got what subscription I want.

00:05:23.140 --> 00:05:27.020
And then the name of the logic app, which I don't have any logic apps

00:05:27.020 --> 00:05:30.260
currently available to tie into.

00:05:30.260 --> 00:05:34.100
So what I'm going to have to do, cancel out of there, that's where you

00:05:34.100 --> 00:05:43.980
set it up, I'm going to go ahead and I am going to create a logic app.

00:05:43.980 --> 00:05:48.560
Here's my logic app.

00:05:48.560 --> 00:05:59.300
Create. Logic app name.

00:05:59.300 --> 00:06:06.920
Playbook. And create.

00:06:06.920 --> 00:06:13.000
Now that's going to take a moment to create and then we'll be right back

00:06:13.000 --> 00:06:17.520
and flesh it out and then tie it in.

00:06:17.520 --> 00:06:23.220
There we go. I'm going to go to the resource.

00:06:23.220 --> 00:06:27.820
I'm in my logic app designer.

00:06:27.820 --> 00:06:33.980
And what I'm going to do is create a blank logic app.

00:06:33.980 --> 00:06:40.280
Now when I go in and create a blank logic app, because I've done this

00:06:40.280 --> 00:06:44.620
before, I get this security center alert and security center recommendation.

00:06:44.620 --> 00:06:47.140
If you don't have those, because you haven't done it before, you can just

00:06:47.140 --> 00:06:54.660
go up here and do a search for security center and they would come up.

00:06:54.660 --> 00:06:57.240
Go on there and type in security center and there we go.

00:06:57.240 --> 00:07:00.240
So we're going to go with the recommendation.

00:07:00.240 --> 00:07:04.720
When an Azure security center recommendation is created or triggered.

00:07:04.720 --> 00:07:12.580
Cool. So that is setting up and it's going to tell me nothing is needed.

00:07:12.580 --> 00:07:15.860
I've got that. Now at that point, I'm going to do whatever it is I want

00:07:15.860 --> 00:07:17.280
to do. All right.

00:07:17.280 --> 00:07:21.820
I'm going to just do something very, very simple because I'm a fan of

00:07:21.820 --> 00:07:26.000
very simple. I'm going to go to an Azure queue.

00:07:26.000 --> 00:07:29.620
And what I want to do is put a message on a queue.

00:07:29.620 --> 00:07:34.940
All right. And so I need to find a storage account.

00:07:34.940 --> 00:07:36.180
That one should be good.

00:07:36.180 --> 00:07:40.620
That actually has.

00:07:40.620 --> 00:07:47.920
Oh, have to give it a name and that's going to be playbook.

00:07:47.920 --> 00:07:53.320
Queue. I can just connect up to that queue.

00:07:53.320 --> 00:07:57.360
Now what queue or that?

00:07:57.360 --> 00:08:02.820
It's going to connect up to that particular.

00:08:02.820 --> 00:08:04.040
Geez, storage accounts.

00:08:04.040 --> 00:08:05.100
Excuse me. All right.

00:08:05.100 --> 00:08:11.080
And then I have to pick a queue and this is, we'll just say response.

00:08:11.080 --> 00:08:12.840
All right. Then I'm going to set up the message.

00:08:12.840 --> 00:08:15.300
Okay. I'm setting up a message to go to the queue.

00:08:15.300 --> 00:08:19.080
What do I want? Well, what I really want to do is I'm going to go ahead

00:08:19.080 --> 00:08:22.500
and set up just a little bit of JSON here.

00:08:22.500 --> 00:08:27.300
And it could really be just whatever I want.

00:08:27.300 --> 00:08:37.040
And let's say, alert.

00:08:37.040 --> 00:08:39.340
And I'm going to put in the alert.

00:08:39.340 --> 00:08:46.600
We'll say type. And then the other things, you can see all of these properties

00:08:46.600 --> 00:08:58.300
down here. Display name.

00:08:58.300 --> 00:09:04.560
Put that in. I'm not going to bore you with putting a whole bunch of stuff

00:09:04.560 --> 00:09:08.380
except I do want status cause.

00:09:08.380 --> 00:09:21.500
So I'm going to bore you a little bit.

00:09:21.500 --> 00:09:23.680
And description.

00:09:23.680 --> 00:09:28.500
I have a little fun with it.

00:09:28.500 --> 00:09:30.760
And I need some commas.

00:09:30.760 --> 00:09:34.580
And then I need to actually insert what I'm looking for.

00:09:34.580 --> 00:09:38.420
So I want status cause.

00:09:38.420 --> 00:09:42.140
And then I want status code.

00:09:42.140 --> 00:09:46.260
And then I want status description.

00:09:46.260 --> 00:09:49.980
All right. And now this is ready.

00:09:49.980 --> 00:09:51.860
So I'm going to save this.

00:09:51.860 --> 00:09:58.100
So my logic app that I want to use is now saved.

00:09:58.100 --> 00:10:01.280
So if I go to security center.

00:10:01.280 --> 00:10:05.120
Go back to workflow automation.

00:10:05.120 --> 00:10:08.280
Add a workflow automation.

00:10:08.280 --> 00:10:14.860
Even sloppy in its designation there.

00:10:14.860 --> 00:10:22.280
Call it demo. For security center recommendations.

00:10:22.280 --> 00:10:27.040
I don't have any of these.

00:10:27.040 --> 00:10:31.340
And then logic app.

00:10:31.340 --> 00:10:34.680
I should be able to pull up that logic app now.

00:10:34.680 --> 00:10:38.060
There we go. There's my playbook logic app.

00:10:38.060 --> 00:10:43.360
And create. And there we go.

00:10:43.360 --> 00:10:48.300
At this point, any time I get an alert for that particular condition,

00:10:48.300 --> 00:10:53.080
the web app was allowing for HTTP, then what that's going to do is it's

00:10:53.080 --> 00:10:54.400
going to trigger that logic app.

00:10:54.400 --> 00:10:57.720
And in this case, it's just going to dump a message into a queue.

00:10:57.720 --> 00:11:03.340
But as I said, there are hundreds of integrated systems that you can add just

00:11:03.340 --> 00:11:05.560
as easily as I added in the queue.

00:11:05.560 --> 00:11:07.420
You can add in other systems as well.

00:11:07.420 --> 00:11:09.160
And there are other videos on logic apps,

00:11:09.160 --> 00:11:11.120
if you're not super familiar with those,

00:11:11.120 --> 00:11:14.360
and you can go through and get a better understanding.

00:11:14.360 --> 00:11:16.780
But again, security playbook, very simple.

00:11:16.780 --> 00:11:21.680
It's a logic app tied to an alert or a recommendation.