Hunting Threats with Azure Security Center

Hunting Threats with Azure Security Center

In February I had the chance to attend a session by Yuri Diogenes, Program Manager at Microsoft, on how Azure Security Center works and how to demo it in a real life scenario.

The session he gave ended up as one of the excellent Azure Security Center Playbooks that are available for download on Microsoft TechNet Gallery.

After the talk I needed to prepare a few demos myself. As I’m notoriously lazy and a proponent of automation, I wrote a ARM template and PowerShell DSC resources that will prep the environment for demo. The only thing you need to do is deliver the demo according to the script.


You can find the resources in my GitHub repository. You can also deploy this directly to a subscription you have access to.

Once the deployment is completed you will have a set of resources deployed to your environment:

List of resources deployed

Among those resource is a Logic App that can be used as a playbook to react to alerts in Azure Security Center. Before this Logic App can be used you need to re-establish the authorization (this can’t be serialized to the template).

Unauthorized actions in Logic App

To re-authenticate select the respective API connection in the list of resources:

API connections

When you click on the resource you’ll be presented with a toast that this connection is not authenticated:

Toast showing the authentication state

Hit that notification to authorize the connection against your Office 365/Teams tenant.