Workflow automation

Every security program includes multiple workflows for incident response. These processes might include notifying relevant stakeholders, launching a change management process, and applying specific remediation steps. Security experts recommend that you automate as many steps of those procedures as you can. Automation reduces overhead. It can also improve your security by ensuring the process steps are done quickly, consistently, and according to your predefined requirements.

This article describes the workflow automation feature of Azure Security Center. This feature can trigger Logic Apps on security alerts and recommendations. For example, you might want Security Center to email a specific user when an alert occurs. You'll also learn how to create Logic Apps using Azure Logic Apps.

Note

If you previously used the Playbooks (Preview) view on the sidebar, you'll find the same features together with the expanded functionality in the new workflow automation page.

Availability

Aspect: Details

Release state: Generally Available

Pricing: Free tier

Required roles and permissions: Security admin role or Owner on the resource group. Must also have write permissions for the target resource.

To work with Azure Logic Apps workflows, you must also have the following Logic Apps roles/permissions:

• Logic App Operator permissions are required, or Logic App read/trigger access (this role can't create or edit logic apps; it can only run existing ones)
• Logic App Contributor permissions are required for Logic App creation and modification

If you want to use Logic App connectors, you may need additional credentials to sign in to their respective services (for example, your Outlook/Teams/Slack instances).

Clouds: China cloud

Create a Logic App and define when it should automatically run

  1. From Security Center's sidebar, select Workflow automation.

    [Screenshot: List of workflow automations]

    From this page you can create new automation rules, as well as enable, disable, or delete existing ones.

  2. To define a new workflow, click Add workflow automation.

    A pane appears with the options for your new automation. Here you can enter:

    1. A name and description for the automation.

    2. The triggers that will initiate this automatic workflow. For example, you might want your Logic App to run when a security alert that contains "SQL" is generated.

    3. The Logic App that will run when your trigger conditions are met.

      [Screenshot: List of workflow automations]

  3. From the Actions section, click visit the Logic Apps page to create a new Logic App.

    You'll be taken to Azure Logic Apps.

    [Screenshot: Creating a new Logic App]

  4. Enter a name, resource group, and location, and click Create.

  5. In your new Logic App, you can choose from built-in, predefined templates from the security category. Or you can define a custom flow of events to occur when this process is triggered.

    In the Logic App designer, the following triggers from the Security Center connectors are supported:

    • When an Azure Security Center Recommendation is created or triggered
    • When an Azure Security Center Alert is created or triggered

    Tip

    You can customize the trigger so that it relates only to alerts with the severity levels that interest you.

    Note

    If you are using the legacy trigger "When a response to an Azure Security Center alert is triggered", your Logic Apps will not be launched by the Workflow Automation feature. Instead, use either of the triggers mentioned above.

    [Screenshot: Sample Logic App]

  6. After you've defined your Logic App, return to the workflow automation definition pane ("Add workflow automation"). Click Refresh to ensure your new Logic App is available for selection.

    [Screenshot: Refresh]

  7. Select your Logic App and save the automation. Note that the Logic App dropdown only shows Logic Apps that use the supported Security Center connectors mentioned above.

Manually trigger a Logic App

You can also run Logic Apps manually when viewing any security alert or recommendation.

To manually run a Logic App, open an alert or a recommendation and click Trigger Logic App:

[Screenshot: Manually trigger a Logic App]

Data types schemas

To view the raw event schemas of the security alert or recommendation events passed to the Logic App instance, visit the Workflow automation data types schemas. This can be useful in cases where you are not using Security Center's built-in Logic App connectors mentioned above, but instead are using Logic App's generic HTTP connector: you can use the event JSON schema to parse the event manually as you see fit.
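The following is an added example, not code from the article or from Azure Security Center. It shows, in one place, what the trigger conditions from the "Add workflow automation" pane (an alert name that contains "SQL", restricted to the severity levels of interest) look like when applied in code, and how a workflow behind the generic HTTP connector should parse the raw event body before acting on it. The sample event bodies and the field names "AlertDisplayName", "Severity" and "CompromisedEntity" are constructed for this example; the real alert and recommendation payloads are defined by the published workflow automation data types schemas.

```python
import json

# Constructed sample event bodies, as a generic HTTP-triggered workflow
# would receive them. Field names are assumptions for this example; check
# the published workflow automation data types schemas for the real payloads.
SAMPLE_EVENTS = [
    '{"AlertDisplayName": "Suspicious SQL activity", "Severity": "High", '
    '"CompromisedEntity": "sqlsrv01"}',
    '{"AlertDisplayName": "Potential SQL injection", "Severity": "Low", '
    '"CompromisedEntity": "sqlsrv02"}',
    '{"AlertDisplayName": "Anomalous RDP login", "Severity": "High", '
    '"CompromisedEntity": "vm-web-01"}',
    '{"Severity": "High"',  # truncated body: must be rejected, never acted on
]


def parse_event(raw):
    """Parse one raw event body into a dict.

    Returns None for anything that is not a JSON object, so a malformed or
    truncated delivery never reaches the remediation steps of the workflow.
    """
    try:
        event = json.loads(raw)
    except (json.JSONDecodeError, TypeError):
        return None
    return event if isinstance(event, dict) else None


def alert_matches(event, name_contains=None, severities=None):
    """Apply the automation's trigger conditions to one parsed alert.

    name_contains: substring the alert display name must contain
                   (case-insensitive), e.g. "SQL"; None disables the check.
    severities:    set of accepted severity values, e.g. {"High", "Medium"};
                   None accepts every severity.
    """
    name = str(event.get("AlertDisplayName", ""))
    if name_contains is not None and name_contains.lower() not in name.lower():
        return False
    if severities is not None and event.get("Severity") not in severities:
        return False
    return True


def select_for_automation(raw_events, name_contains=None, severities=None):
    """Return which alerts would launch the automation and how many bodies
    were dropped as unparseable."""
    matched, invalid = [], 0
    for raw in raw_events:
        event = parse_event(raw)
        if event is None:
            invalid += 1
            continue
        if alert_matches(event, name_contains, severities):
            matched.append(event.get("CompromisedEntity"))
    return {"matched": matched, "invalid": invalid}


if __name__ == "__main__":
    # Equivalent of an automation that triggers on alerts containing "SQL"
    # at High or Medium severity.
    result = select_for_automation(
        SAMPLE_EVENTS, name_contains="SQL", severities={"High", "Medium"}
    )
    print(result)  # {'matched': ['sqlsrv01'], 'invalid': 1}
```

Rejecting bodies that fail to parse, rather than treating missing fields as empty strings, keeps a malformed delivery from silently matching a permissive rule and starting remediation against the wrong resource.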

Next steps

In this article, you learned about creating Logic Apps, automating their execution in Security Center, and running them manually.

For other related material, see: