

Azure Logic Apps plugin in Microsoft Security Copilot

Logic Apps is a cloud-based platform that lets you automate business processes as workflows. You create and deploy a Logic App resource in Microsoft Azure, then use the workflow designer to arrange prebuilt connectors in the sequence that you need.

When Logic Apps is integrated with Microsoft Security Copilot, you can extend automation capabilities to security operations, making it easier to trigger investigations, run playbooks, and respond to incidents directly from Security Copilot.

Security Copilot capabilities such as prompts and promptbooks can already be used through the Security Copilot connector in Logic Apps in an inbound fashion: you submit prompts to Security Copilot from services outside it. With this enhancement, you can also bring Logic App workflows into Security Copilot as invokable tools (skills). After you define the workflow and generate the skillset manifest, these Logic App-based tools can be invoked from within Security Copilot prompts, promptbooks, or agents.

This document explains how to invoke an outbound Logic App workflow from Security Copilot using a prompt.

Scenarios

A few outbound Logic App scenarios are as follows:

  • Create a Sentinel, Jira, or ServiceNow incident using a prompt in Security Copilot.

  • Create a promptbook that analyzes a risky user, reports on it, and then upon confirmation sends an email with two options:

    • Add the user to the watchlist in Microsoft Sentinel or

    • Update Microsoft Entra using a variety of different logic, based on the unique conditions.

Terminology

  • Action: An operation that executes a specific task in your workflow. Actions run after a trigger activates or another action completes.

  • Trigger: An event that fires when a specific condition is met, for example when a timer expires or data becomes available. The trigger activates automatically when its condition is met.

  • Workflow: A series of operations that define a task, business process, or workload. Each workflow always starts with a single trigger operation, after which you must add one or more action operations.

Prerequisites

  1. The tenant that you use for Security Copilot must be the same tenant that your Logic App is in, and you must have access to it. Otherwise, you cannot invoke the Logic App from Security Copilot.

  2. Provisioned Security Compute Units (SCUs) for Security Copilot.

Steps to invoke a Logic App workflow

This quickstart tutorial shows you how to trigger a Logic App workflow using Security Copilot. You create a Logic App that has an HTTP Request trigger, which takes a single GroupId argument in the JSON request body, and uses the built-in AAD connector to list properties of that group.

Step 1: Create the Logic App workflow

  1. Go to the Azure portal and create a new Logic App resource. For details on the Consumption plan, creating a resource, and samples, see the Logic Apps documentation.

  2. Go to the newly created Logic App resource, open the Logic App designer, and create your workflow.

  • Add an HTTP Request trigger.

    Image to show adding a request trigger on the designer screen

  • Skill inputs are passed as top-level fields of the HTTP request body. This skill accepts an input named GroupId.

  • Set the Request Body JSON Schema for the trigger as follows:

    
        {
          "properties": {
            "GroupId": {
              "type": "string"
            }
          },
          "type": "object"
        }
    

    Image to show adding the request JSON payload

    Note

    Currently, all Security Copilot Logic App skills are required to use an HTTP Request trigger. We're also working on a new Security Copilot trigger for Logic Apps that will be even easier to use and will automatically register the Logic App as a skill in Security Copilot.

  3. Add a Get Group Properties action.

    Image to show adding an action

  4. The Get Group Properties action takes the AAD Object Id of a group as a parameter. Set it to the GroupId variable from the trigger step.

    Image to show adding an Object id from Entra

    Image to show adding a GroupId input parameter

  5. Save the workflow. The completed workflow should look similar to this.

    Image to show the completed Logic app workflow
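The Request Body JSON Schema from Step 1 is what decides which request bodies the trigger accepts, and because the page's schema declares no required fields, a body with no GroupId at all passes it. The following is an added example (not code from this page or from Microsoft) that applies that schema, and a stricter variant that is this example's own assumption, to constructed request bodies with a small validator for the JSON Schema subset the trigger uses, rather than a JSON Schema library.

```python
import json

# Request Body JSON Schema of the HTTP Request trigger, copied from Step 1 of this page.
TRIGGER_SCHEMA = {"properties": {"GroupId": {"type": "string"}}, "type": "object"}

# Stricter variant (an assumption of this example, not from the page): the skill
# input is mandatory and unexpected top-level fields are rejected.
STRICT_SCHEMA = {
    "properties": {"GroupId": {"type": "string"}},
    "required": ["GroupId"],
    "additionalProperties": False,
    "type": "object",
}

# JSON Schema "type" keywords this small validator understands.
_TYPES = {"object": dict, "string": str, "array": list, "boolean": bool}


def validate(schema, value, path="$"):
    """Check `value` against the JSON Schema subset used by the trigger.
    Returns a list of error strings; an empty list means the value is accepted."""
    expected = _TYPES.get(schema.get("type"))
    if expected is not None and not isinstance(value, expected):
        return [f"{path}: expected {schema['type']}, got {type(value).__name__}"]
    errors = []
    if isinstance(value, dict):
        props = schema.get("properties", {})
        for name in schema.get("required", []):
            if name not in value:
                errors.append(f"{path}.{name}: required field is missing")
        for name, sub in props.items():
            if name in value:
                errors.extend(validate(sub, value[name], f"{path}.{name}"))
        if schema.get("additionalProperties") is False:
            errors.extend(f"{path}.{name}: unexpected field"
                          for name in value if name not in props)
    return errors


def check_request(schema, raw_body):
    """Treat `raw_body` as the HTTP request body sent to the trigger.
    Returns (accepted, errors)."""
    try:
        body = json.loads(raw_body)
    except json.JSONDecodeError as exc:
        return False, [f"$: body is not valid JSON ({exc.msg})"]
    errors = validate(schema, body)
    return not errors, errors
```

With the page's schema, `check_request(TRIGGER_SCHEMA, '{}')` is accepted and the Get Group Properties action would run with an empty id; with `STRICT_SCHEMA` the same body is rejected at the trigger.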

Step 2: Create the skillset manifest

Create a new skillset manifest file, skillset.yaml, and in its Settings specify the following parameters for the Logic App defined in Step 1: SubscriptionId, ResourceGroup, WorkflowName, and TriggerName.

You can choose either of the two options for configuring the manifest:

  • Option 1: You can enable users to supply the configuration values for settings such as SubscriptionId, ResourceGroup, WorkflowName, TriggerName. Add the Settings in the Descriptor section of the manifest and reference them as variables in the Skills section. You can provide values in the platform after upload.

  • Option 2: You can hardcode these configurations for users in your workspace, where the values are configured in the manifest itself.

Option 1: Descriptor level

  
  Descriptor:
    Name: SampleLogicApp
    DisplayName: My Sample Logic App Skillset
    Description: Skills to query AAD group properties
    Settings:
      - Name: SubscriptionId
        Label: SubscriptionId
        Description: Subscription Id
        HintText: The subscription Id 
        SettingType: String
        Required: true
  
      - Name: ResourceGroup
        Label: ResourceGroup
        Description: Resource group 
        HintText: The resource group 
        SettingType: String
        Required: true
  
      - Name: WorkflowName
        Label: WorkflowName
        Description: Workflow Name 
        HintText: The workflow name 
        SettingType: String
        Required: true
  
      - Name: TriggerName
        Label: TriggerName
        Description: Trigger Name
        HintText: The Trigger name 
        SettingType: String
        Required: true
  
  SkillGroups:
    - Format: LogicApp
      Skills:
        - Name: GetAadGroupProperties
          DisplayName: Get AAD Group Properties
          Description: Queries properties of an AAD group by its ObjectId
          Inputs:
            - Name: GroupId
              Description: AAD ObjectId of the group to query
              Required: true
          Settings:
            SubscriptionId: "{{SubscriptionId}}"
            ResourceGroup: "{{ResourceGroup}}"
            WorkflowName: "{{WorkflowName}}"
            TriggerName: "{{TriggerName}}"
  

Option 2: Skill level

  
  Descriptor:
    Name: SampleLogicApp
    DisplayName: My Sample Logic App Skillset
    Description: Skills to query AAD group properties
  
  SkillGroups:
    - Format: LogicApp
      Skills:
        - Name: GetAadGroupProperties
          DisplayName: Get AAD Group Properties
          Description: Queries properties of an AAD group by its ObjectId
          Inputs:
            - Name: GroupId
              Description: AAD ObjectId of the group to query
              Required: true
          Settings:
            SubscriptionId: a5testabc-89df-460e-8cd7-abcdefg
            ResourceGroup: sample-logic-app-skill-rg
            WorkflowName: sample-logic-app-skill
            TriggerName: testTrigger
  
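A manifest that references a `{{Setting}}` never declared under Descriptor.Settings, or a LogicApp skill that lacks one of the four settings, only fails once you try to invoke the skill. The following is an added example (not code from this page or from Microsoft) that encodes the Option 1 manifest above as the structure a YAML loader would return and checks both conditions; the checker and its rules are this example's own assumptions, not a documented Security Copilot validator.

```python
import re

REQUIRED_SETTINGS = ("SubscriptionId", "ResourceGroup", "WorkflowName", "TriggerName")
PLACEHOLDER = re.compile(r"^\{\{(\w+)\}\}$")   # a {{SettingName}} reference
# The Option 1 (Descriptor-level) manifest from this page, as the structure a
# YAML loader such as PyYAML would return; this example does not require PyYAML.
MANIFEST = {
    "Descriptor": {
        "Name": "SampleLogicApp",
        "DisplayName": "My Sample Logic App Skillset",
        "Description": "Skills to query AAD group properties",
        "Settings": [{"Name": n, "Label": n, "SettingType": "String", "Required": True}
                     for n in REQUIRED_SETTINGS],
    },
    "SkillGroups": [{
        "Format": "LogicApp",
        "Skills": [{
            "Name": "GetAadGroupProperties",
            "DisplayName": "Get AAD Group Properties",
            "Description": "Queries properties of an AAD group by its ObjectId",
            "Inputs": [{"Name": "GroupId", "Required": True}],
            "Settings": {n: "{{%s}}" % n for n in REQUIRED_SETTINGS},
        }],
    }],
}

def check_manifest(manifest):
    """Return a list of problems; an empty list means every LogicApp skill is wired up."""
    problems = []
    declared = {s["Name"] for s in manifest.get("Descriptor", {}).get("Settings", [])}
    referenced = set()
    for group in manifest.get("SkillGroups", []):
        if group.get("Format") != "LogicApp":
            continue
        for skill in group.get("Skills", []):
            settings = skill.get("Settings") or {}
            for key in REQUIRED_SETTINGS:
                value = settings.get(key)
                if not value:   # hardcoded values (Option 2) and placeholders (Option 1) both count
                    problems.append(f"{skill['Name']}: Settings.{key} is missing")
                    continue
                match = PLACEHOLDER.match(str(value))
                if match:
                    referenced.add(match.group(1))
                    if match.group(1) not in declared:
                        problems.append(f"{skill['Name']}: {value} is not declared under Descriptor.Settings")
    for name in sorted(declared - referenced):
        problems.append(f"Descriptor setting {name} is declared but never referenced")
    return problems
```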

Step 3: Upload the skillset manifest

Follow the upload instructions to upload the manifest as a plugin to Security Copilot.

If you specified settings at the Descriptor level in Step 2, you must provide your setting values after upload and save them. You can edit these setting values at any time, and they're used wherever you've referenced them in the manifest.

Step 4: Test the Logic App capability through a prompt

Get the groupId from Microsoft Azure: to test the Logic App plugin, you need the groupId.

  • On the Azure portal, search for Microsoft Entra ID.

  • Navigate to Manage > Groups. Select an Object Id to use as the groupId input.

Select your skill:

  • On Security Copilot, navigate to the prompt bar.

  • Type the skill name or the skill display name to invoke the skill. Here, it is GetAadGroupProperties (the Skills.Name from the YAML) or Get AAD Group Properties (the Skills.DisplayName).

    Image to show how to invoke the skill

  • If you configured your manifest using Option 1 (Descriptor level) in Step 2, you have to provide the settings.

  • Navigate to Logic Apps to get the values for:

    • SubscriptionId and ResourceGroup, from the Overview page

    • WorkflowName, the name of the Logic App workflow

    • TriggerName, which is testTrigger

  • Populate the required skill input parameters. Here, you enter the groupId.

  • You can try the prompt, "Can you share the properties of AAD group groupId?".

    The following image shows the results of a prompt execution when a Logic App workflow is triggered. For the input groupId, three properties were retrieved: GroupId, Name, and Mail from Entra.

    Image to show the results of a prompt execution

  • Select View in Azure Portal to see the workflow in Azure.

  • You can optionally test the capability through a promptbook as well.

Sample YAML for creating an incident in Sentinel

The following is a YAML example for creating an incident in Microsoft Sentinel using the prompt. When the prompt is executed, the Logic App workflow is invoked.

Image to show create incident YAML

Tip

Be descriptive when you provide the description in the manifest.