Easily isolate compromised VMs with Azure Security Center and Logic Apps

Lateral movements are typically the first thing that hackers do after compromising a system in order to spread their attack to other valuable targets, so isolating systems that have been compromised is of paramount importance for an organization from a security perspective.

In a previous blog (here) we saw a possibility of having abstract policies in Azure such as “permit SSH to all my VMs running a Linux OS” or “permit HTTP to all my VMs whose name contains the string ‘web’“, and having those policies dynamically evaluated in real time. A very interesting application of this sort of dynamic policies is for quickly isolating machines that have been compromised.

Essentially, you could define a rule that says something like “deny all traffic for VMs tagged as ‘Compromised’“. Now the only thing you need to do is detecting an attack, setting the corresponding tag on the attacked VM (to flag it as compromised), and regenerating the NSGs out of the security policy. Easy, right?

Azure Security Center can detect many of the security problems that can appear on a VM, and it even automatically remediates some of them. I actually had some trouble to test this, since when autoremediation kicks in (such as to remove malware-infected files I placed on my VMs), the user does not need to do anything, since no remediation is required any more.

But let’s assume that Azure Security Center finds a security threat, and it requires that the user does something about it. Today a very interesting feature is in preview that allows the user to kick off Logic Apps (called “playbooks” in Azure Security Center) to remediate security issues (note the “Run Playbooks” button, you can find the documentation for this feature¬†here):


That is mostly all what we need. Well, besides a very simple Logic App that calls an Azure Function to set the ‘compromised’ tag for the VM in question, and another one to recalculate the NSGs. Easy peasy, right?

You can see a demo of what all this looks like in this short 5-minute video:

Besides that, I will be posting the source code into this repo, if you feel like reusing this stuff.

What do you think? Do you have further ideas to automate remediation actions with Azure Security Center and Logic Apps?

1 thought on “Easily isolate compromised VMs with Azure Security Center and Logic Apps

Leave a Reply to Orco Cancel reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

%d bloggers like this: