{"id":4726,"date":"2021-03-06T21:45:28","date_gmt":"2021-03-06T20:45:28","guid":{"rendered":"http:\/\/contoso.se\/blog\/?p=4726"},"modified":"2021-03-06T21:46:42","modified_gmt":"2021-03-06T20:46:42","slug":"trigger-a-runbook-based-on-an-azure-monitor-alert-and-pass-alert-data-to-the-runbook","status":"publish","type":"post","link":"http:\/\/contoso.se\/blog\/?p=4726","title":{"rendered":"Trigger a runbook based on an Azure Monitor alert, and pass alert data to the runbook"},"content":{"rendered":"\n

Last week Vanessa and I worked on a scenario to trigger Azure automation based on Azure Monitor alerts. We notice the lack of documentation around this, so we thought we could share our settings. We will not go into recommended practices around trigger automation jobs for faster response and remediation. Still, we would recommend you read the Management Baseline chapter in the Cloud Adoption Framework, found here. Enhanced management baseline in Azure – Cloud Adoption Framework | Microsoft Docs<\/a>. The chapter covers designing a management baseline for your organization and how to design enhancements, such as automatic alert remediation with Azure Automation.<\/p>\n\n\n\n

The scenario is that a new user account is created in Active Directory. A data collection rule collects the audit event of the new user account. An alert rule triggers an alert based on the latest event and triggers an Azure Automation Runbook.<\/p>\n\n\n\n

The blog post will show how to transfer data from the alert to the runbook, such as information about the new user account.<\/p>\n\n\n\n

A new user account is created, named Sara Connor.<\/p>\n\n\n\n

\"\"<\/a><\/figure><\/div>\n\n\n\n

A security event is generated in the audit log. <\/p>\n\n\n\n

\"\"<\/a><\/figure><\/div>\n\n\n\n

The event is collected and sent to Log Analytics by a data collection run.<\/p>\n\n\n\n

\"\"<\/a><\/figure><\/div>\n\n\n\n

An alert rule runs every five minutes to look for newly created accounts. The alert rule triggers the runbook. Note that the alert rule uses the Common Alert Schema to forward event information.<\/p>\n\n\n\n

\"\"<\/a><\/figure><\/div>\n\n\n\n
\"\"<\/a><\/figure><\/div>\n\n\n\n
\"\"<\/a><\/figure><\/div>\n\n\n\n

Information about the common alert schema at Microsoft Docs<\/a>. Below is the query used in the alert rule, and the runbook code. <\/p>\n\n\n\n

<\/code>Event
| where EventLog == \"Security\"
| where EventID == \"4720\"
| parse EventData with * 'SamAccountName\">' SamAccountName '' *
| parse EventData with * 'UserPrincipalName\">' UserPrincipalName '' *
| parse EventData with * 'DisplayName\">' DisplayName '' *
| project SamAccountName, DisplayName, UserPrincipalName<\/code><\/pre>\n\n\n\n
Runbook:<\/p>\n\n\n\n
<\/p>\n\n\n\n
param\n(\n[Parameter (Mandatory=$false)]\n[object] $WebhookData\n)\n\n# Collect properties of WebhookData.\n$WebhookName    =   $WebhookData.WebhookName\n$WebhookBody    =   $WebhookData.RequestBody\n$WebhookHeaders =   $WebhookData.RequestHeader\n\n# Information on the webhook name that called This\nWrite-Output \"This runbook was started from webhook $WebhookName.\"\n\n# Obtain the WebhookBody containing the AlertContext\n$WebhookBody = (ConvertFrom-Json -InputObject $WebhookBody)\nWrite-output \"####### New User Created #########\" -Verbos\n\nWrite-Output \"Username: \" $WebhookBody.data.alertContext.SearchResults.tables.rows[0] -Verbos\nWrite-Output \"Display Name: \" $WebhookBody.data.alertContext.SearchResults.tables.rows[1] -Verbos\nWrite-Output \"User UPN: \" $WebhookBody.data.alertContext.SearchResults.tables.rows[2] -Verbos\n<\/code><\/pre>\n\n\n\n
This is the output from the runbook, including details about the new user account.<\/p>\n\n\n\n
\"\"<\/a><\/figure><\/div>\n\n\n\n
\"\"<\/a><\/figure><\/div>\n","protected":false},"excerpt":{"rendered":"
Last week Vanessa and I worked on a scenario to trigger Azure automation based on Azure Monitor alerts. We notice the lack of documentation around this, so we thought we could share our settings. We will not go into recommended practices around trigger automation jobs for faster response and remediation. Still, we would recommend you … Continue reading →<\/span><\/a><\/p>\n","protected":false},"author":1,"featured_media":4728,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_monsterinsights_skip_tracking":false,"_monsterinsights_sitenote_active":false,"_monsterinsights_sitenote_note":"","_monsterinsights_sitenote_category":0},"categories":[64,75,71,70,13],"tags":[],"_links":{"self":[{"href":"http:\/\/contoso.se\/blog\/index.php?rest_route=\/wp\/v2\/posts\/4726"}],"collection":[{"href":"http:\/\/contoso.se\/blog\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"http:\/\/contoso.se\/blog\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"http:\/\/contoso.se\/blog\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"http:\/\/contoso.se\/blog\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=4726"}],"version-history":[{"count":5,"href":"http:\/\/contoso.se\/blog\/index.php?rest_route=\/wp\/v2\/posts\/4726\/revisions"}],"predecessor-version":[{"id":4739,"href":"http:\/\/contoso.se\/blog\/index.php?rest_route=\/wp\/v2\/posts\/4726\/revisions\/4739"}],"wp:featuredmedia":[{"embeddable":true,"href":"http:\/\/contoso.se\/blog\/index.php?rest_route=\/wp\/v2\/media\/4728"}],"wp:attachment":[{"href":"http:\/\/contoso.se\/blog\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=4726"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"http:\/\/contoso.se\/blog\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=4726"},{"taxonomy":"post_tag","embeddable":true,"href":"http:\/\/contoso.se\/blog\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=4726"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}