Microsoft-DevOps-Feedback-Loop

Azure Logic Apps that create Azure DevOps work items from Microsoft Sentinel and Defender for Cloud alerts, and dismiss the alert upon completion of the workitem.

Pre-requisites

Please read the ff. articles to understand the context and usage of the playbooks in this repository.

• Operations Task Management for Azure Alerts
• Operations Task Management Feedback Loop

Before deploying the playbooks, the following are required

• Azure DevOps Account
  • Azure DevOps Custom Process with Issue and Problem work item types containing the following custom properties:
    • Source (string)
    • SourceType (string)
    • SourceID (string)
    • SubscriptionId (string)
  • Azure DevOps Project
  • Service Hook configured on Work item updated
• Microsoft Defender for Cloud
• Microsoft Sentinel
• Azure Subscription and AD access to create managed identities and grant permissions (for the feedback loop)

Playbooks

Microsoft Sentinel --> Create Azure DevOps Workitems

Creating from Sentinel Incidents

Creating from Sentinel Alerts

Microsoft Defender for Cloud --> Create Azure DevOps Workitems

Note: After deploying the logic apps below, the Workflow Automation in Microsoft Defender for Cloud must be configured. Creating from Defender Alerts

Creating from Defender Recommendations

Creating from Defender Regulatory Compliance

Azure DevOps Workitems --> Sentinel and Defender (feedback loop)

Since the Azure DevOps work item can be from Sentinel or Defender, this playbook is combined for both.