How to integrate Azure Functions with an Azure Security Center Playbook
Let's imagine a scenario where a threat actor has triggered an alert in Security Center. The alert includes the attacker's source IP, and you want to dynamically add a firewall rule to your network security group (NSG) that blocks it. Is that possible in Azure? You bet! Tie the event in Security Center to a playbook that can drive an Azure Function and go to town!
Yuri wrote an interesting blog post showing exactly how to do that with Azure Functions and Logic Apps. In his example he actually changes a Palo Alto firewall through its API, using webhooks with HTTP triggers. What's cool is that he also uses the Logic App for an email "approval" workflow, so human judgement and sign-off are part of the process. The possibilities are endless when you use Azure automation to assist with this.
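As an added illustration of the NSG variant described above (example code written for this post, not Yuri's code or any Azure SDK sample), here is the core of what an HTTP-triggered function behind such a playbook has to get right: pull the attacker IP out of the webhook body, refuse to block anything in your own address space, pick a free rule priority, and build the inbound Deny rule in the shape of an NSG `securityRule` resource. The webhook field names and the sample alert are assumptions for the example; the rule property names are the standard NSG ones.

```python
import ipaddress
import json

# Constructed sample body, shaped like what a Logic App playbook might POST to the
# function after a Security Center alert; the field names are assumptions for this
# example, not the real alert schema.
SAMPLE_ALERT = json.dumps({"alertName": "Suspicious incoming RDP network activity",
                          "compromisedEntity": "web-vm-01",
                          "attackerSourceIp": "203.0.113.45"})

# Never turn RFC 1918 space (your own VNets and peered networks) into a deny rule.
PROTECTED = [ipaddress.ip_network(p) for p in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def extract_attacker_ip(body):
    """Parse the webhook body and return a validated attacker IP, or raise ValueError."""
    raw = json.loads(body).get("attackerSourceIp", "")
    ip = ipaddress.ip_address(raw.strip())  # raises ValueError on anything but a literal IP
    if (ip.is_loopback or ip.is_link_local or ip.is_multicast or ip.is_unspecified
            or any(ip in net for net in PROTECTED)):
        raise ValueError(f"refusing to block internal or reserved address {ip}")
    return ip

def next_free_priority(existing):
    """Lowest unused rule priority; NSG priorities must be unique and within 100-4096."""
    taken = set(existing)
    return next(p for p in range(100, 4097) if p not in taken)

def build_deny_rule(ip, priority):
    """Inbound Deny rule for one host, in the shape of an NSG securityRule resource."""
    return {
        "name": "Block-ASC-" + str(ip).replace(".", "-").replace(":", "-"),
        "properties": {
            "protocol": "*",
            "sourcePortRange": "*",
            "destinationPortRange": "*",
            "sourceAddressPrefix": f"{ip}/{ip.max_prefixlen}",  # /32 or /128: one host only
            "destinationAddressPrefix": "*",
            "access": "Deny",
            "direction": "Inbound",
            "priority": priority,
        },
    }

def handle_webhook(body, existing_priorities):
    """The function body: validate the alert, then build the rule the caller would PUT."""
    ip = extract_attacker_ip(body)
    return build_deny_rule(ip, next_free_priority(existing_priorities))
```

The returned dictionary is what the function would hand to the NSG management API (or back to the Logic App for the approval step); `existing_priorities` is the list of priorities already in the NSG, read before adding the rule.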
We are only at the beginning of going BEYOND Infrastructure as Code (IaC). Workflow automation now lets security operations engage more meaningfully and involve all business stakeholders while removing friction from the technology.