Category: logic apps

Performing a Security Audit on Logic Apps

As DevOps move toward no-code apps in the cloud, there becomes a need for security reviews and controls to prevent risky

This is nothing new, but the need for better security reviews is becoming clear as more people try to rush to get their apps done in the easiest way possible.

Here’s a simple approach to identifying security risks in your logic apps:

  1. Create an architecture diagram of your logic app. This can be a simplified version that just shows the high level logic.
  2. Break down the logic app by it’s components:
  • The individual logic app components – you likely won’t find too many security problems here.
  • all the parameters – don’t hardcode passwords into parameters!
  • connectors – Often the culprit of weak security in logic apps. Really understand what these connectors are communicating with. Don’t allow public access. Limit the roles/permissions.
  • app registrations – another culprit of weak security. If app registrations are needed for your logic apps, be sure permissions are set to their most restrictive settings. avoid read.all readwrite.all settings.
  • managed identities – if possible, use managed identities instead of user accounts for your connectors. Many logic apps don’t yet support managed identities, so those apps will require additional monitor and possibly frequent password/secret changes.

3. Use Resource Locks to prevent changes. If someone tries to turn off resource logs be sure it’s logged and alerted on.

4. Restrict user/admin access to your logic apps. Some apps can have really powerful permissions/access, so you don’t want users to ever have the ability to change logic apps unless they’ve been given specific short-term permissions to do so.

5. LOG EVERYTHING – wherever possible, enable logging within logic apps and connectors. Store logs in a Log Analytics Workspace. Use Azure Monitor alerts ore Microsoft Sentinel to monitor/report/alert on all activities.

6. Perform ‘attack simulations‘. Run your logic apps through test conditions which will trigger your alerts. Validate your alerts work as expected.

7. Build a ‘logic app security audit’ spreadsheet. Use this as a template for repeated audits for future logic app security testing. Use the above ideas as the initial framework for your spreadsheet.

2 ways to get (free) Threat Intelligence feeds into Microsoft Sentinel

Like most things in life, there’s an easy way and a hard way…

The Easy Way

Anomali has a threat feed that supports Sentinel’s TAXII connector.

If you open a linux shell you can run this command to get the available channels:

curl -u guest https://limo.anomali.com/api/v1/taxii2/feeds/collections/

To configure one or more of the threat feeds in Sentinel, go to Connectors > Threat intelligence – TAXII. Note the API root URL will be:

https://limo.anomali.com/api/v1/taxii2/feeds

Once the threat data is loaded you can use it in your alerting and kql searches, eg:

ThreatIntelligenceIndicator| where NetworkIP != “”

The Hard(er) Way

You can pull in the TI data from Anomali or any other TAXII server using a playbook.

Although there’s a learning curve around using playbooks (Logic Apps), they’ve very powerful, and you can do things like filter out undesired data from your TI feed before it’s stored in Sentinel.

Here’s a great example:

https://techcommunity.microsoft.com/t5/microsoft-sentinel-blog/use-microsoft-azure-sentinel-and-anomali-match-for-actionable/ba-p/2080763

Azure Logic Apps can automate so much of your Microsoft Security world..

I’ve spent a lot of time in Azure Logic Apps over the past few months.

Give me a reason and I’ll put together a vlog on getting started with Azure Sentinel and Logic Apps.

In the meantime here are some good references:

https://docs.microsoft.com/en-us/azure/logic-apps/quickstart-create-first-logic-app-workflow

https://docs.microsoft.com/en-us/azure/logic-apps/

Azure Sentinel webinar: Unleash the automation Jedi tricks & build Logic Apps Playbooks like a Boss

https://docs.microsoft.com/en-us/azure/logic-apps/logic-apps-examples-and-scenarios

Azure Monitor Alert LogicApps
Understanding The Trigger: When a HTTP request is received

Functions Reference Guide

https://docs.microsoft.com/en-us/azure/logic-apps/workflow-definition-language-functions-reference