Microsoft-DevOps-Feedback-Loop

Azure Logic Apps that create Azure DevOps work items from Microsoft Sentinel and Defender for Cloud alerts, and dismiss the alert when the work item is completed.

License: MIT

Pre-requisites

Please read the following articles to understand the context and usage of the playbooks in this repository.

Before deploying the playbooks, the following are required:

  • Azure DevOps Account
    • Azure DevOps Custom Process with Issue and Problem work item types containing the following custom properties:
      • Source (string)
      • SourceType (string)
      • SourceID (string)
      • SubscriptionId (string)
    • Azure DevOps Project
    • Service Hook configured on Work item updated
  • Microsoft Defender for Cloud
  • Microsoft Sentinel
  • Azure subscription and Azure AD access to create managed identities and grant them permissions (needed for the feedback loop)

Playbooks

Microsoft Sentinel --> Create Azure DevOps Workitems

Creating from Sentinel Incidents

Deploy to Azure

Creating from Sentinel Alerts

Deploy to Azure

Microsoft Defender for Cloud --> Create Azure DevOps Workitems

Note: After deploying the logic apps below, the Workflow Automation in Microsoft Defender for Cloud must be configured.

Creating from Defender Alerts

Deploy to Azure

Creating from Defender Recommendations

Deploy to Azure

Creating from Defender Regulatory Compliance

Deploy to Azure

Azure DevOps Workitems --> Sentinel and Defender (feedback loop)

Because a work item can originate from either Sentinel or Defender, a single playbook handles the feedback loop for both.

Deploy to Azure
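The feedback loop above is driven by the "Work item updated" service hook listed in the prerequisites, which posts a JSON event to the logic app every time a work item changes. The example below, added here and not code from this repository's logic apps, shows the decision the playbook has to make on each event: ignore anything that is not a transition into a closed state, read the custom Source / SourceType / SourceID / SubscriptionId fields, and pick whether Sentinel or Defender for Cloud is the system whose alert should be dismissed. The payload is a constructed, trimmed sample in the shape of a real `workitem.updated` event; the `Custom.` field prefix is how Azure DevOps names fields added to an inherited process, but the set of closed states and the Source values (`Sentinel`, `Defender`) are assumptions, not something the README specifies.

```python
import json

# Assumption: these work item states mean the finding has been handled and the
# originating alert can be dismissed. Adjust to match the custom process.
CLOSED_STATES = {"Closed", "Done", "Resolved"}

# Reference names of the custom fields from the README prerequisites. Fields
# added to an inherited Azure DevOps process carry the "Custom." prefix.
CUSTOM_FIELDS = {
    "source": "Custom.Source",
    "source_type": "Custom.SourceType",
    "source_id": "Custom.SourceID",
    "subscription_id": "Custom.SubscriptionId",
}

# Assumption: how the Source / SourceType values map onto the dismiss action.
DISMISS_ACTIONS = {
    ("Sentinel", "Incident"): "close_sentinel_incident",
    ("Sentinel", "Alert"): "close_sentinel_alert",
    ("Defender", "Alert"): "dismiss_defender_alert",
    ("Defender", "Recommendation"): "exempt_defender_recommendation",
}

# Constructed sample of a "Work item updated" service hook payload, trimmed to
# the parts this example reads. Real events carry many more fields.
SAMPLE_EVENT = json.dumps({
    "eventType": "workitem.updated",
    "resource": {
        "workItemId": 42,
        # Changed fields arrive as old/new pairs at resource.fields.
        "fields": {"System.State": {"oldValue": "Active", "newValue": "Closed"}},
        # The full post-change revision sits at resource.revision.fields.
        "revision": {
            "id": 42,
            "fields": {
                "System.Title": "Suspicious sign-in (constructed sample)",
                "System.State": "Closed",
                "Custom.Source": "Sentinel",
                "Custom.SourceType": "Incident",
                "Custom.SourceID": "PLACEHOLDER-INCIDENT-ID",
                "Custom.SubscriptionId": "00000000-0000-0000-0000-000000000000",
            },
        },
    },
})


def parse_feedback_event(raw_event):
    """Return the alert reference for a closing work item update, else None.

    None means "nothing to do": wrong event type, or a change that did not move
    the work item into a closed state. Missing custom fields raise, because a
    closed work item without a source reference points at a misconfigured
    process and should surface as a run failure, not be silently skipped.
    """
    event = json.loads(raw_event)
    if event.get("eventType") != "workitem.updated":
        return None
    resource = event.get("resource") or {}
    state_change = (resource.get("fields") or {}).get("System.State")
    if not state_change or state_change.get("newValue") not in CLOSED_STATES:
        return None
    fields = (resource.get("revision") or {}).get("fields") or {}
    missing = [ref for ref in CUSTOM_FIELDS.values() if not fields.get(ref)]
    if missing:
        raise ValueError(f"work item {resource.get('workItemId')} lacks fields: {missing}")
    ref = {key: fields[name] for key, name in CUSTOM_FIELDS.items()}
    ref["work_item_id"] = resource.get("workItemId")
    return ref


def route_dismissal(alert_ref):
    """Pick the dismiss action for a parsed reference, or raise if unknown."""
    key = (alert_ref["source"], alert_ref["source_type"])
    action = DISMISS_ACTIONS.get(key)
    if action is None:
        raise ValueError(f"no dismiss action for Source/SourceType {key}")
    return {
        "action": action,
        "subscription_id": alert_ref["subscription_id"],
        "source_id": alert_ref["source_id"],
        "work_item_id": alert_ref["work_item_id"],
    }


if __name__ == "__main__":
    ref = parse_feedback_event(SAMPLE_EVENT)
    print(ref)
    print(route_dismissal(ref))
```

In the logic app the same two checks map onto a condition on `triggerBody()?['resource']?['fields']?['System.State']?['newValue']` and a switch on the custom fields; keeping the "not closed, do nothing" branch explicit matters, because the service hook fires on every edit, including comments and reassignment, not only on closure.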