Security Cave Blog

Automate security communications with Azure Logic Apps & AI

How Azure Logic Apps and Azure OpenAI help to communicate security incidents automatically and in a way that is understandable for end users and IT teams.


In brief

  • The post describes how communication relating to the isolation of users or devices (towards the affected user, the helpdesk, etc.) can be improved and made clearer in a security project.
  • Instead of rigid text templates, AI is used to generate understandable, scenario-dependent messages; an Azure OpenAI instance is integrated into the existing Logic Apps for this purpose.

Comprehensible security communication thanks to automation and AI

In one of my recent projects, there was a requirement to optimise communication in the course of isolating users or devices – for example, communication with the affected user, communication with the helpdesk, etc.

We had already created the automations for isolating a device or user as Logic Apps some time ago. Of course, we could have created static text templates, some of which would have ended up with empty fields. Or we could have thrilled users with the message "Your device has been isolated".

AI lets us make this communication much clearer and adapt it to the specific scenario. The only additional requirement was an Azure OpenAI instance, plus a role assignment so that the Logic App may call it: the Logic App's managed identity is granted the "Cognitive Services OpenAI User" role on the Azure OpenAI resource.

Screenshot "Authorising the managed identity of the Logic App on Azure OpenAI as 'Cognitive Services OpenAI User'"

There, we create our model via "Deployments" / "Deploy Model". The dialogue should be similar to the following:

Once deployment is complete, open the deployment and copy its target URI (the chat completions endpoint of that deployment, including the api-version parameter). Now we add an HTTP action to our existing Logic App, which lets us call the Azure OpenAI model from within the Logic App: method POST, the copied URI, a Content-Type: application/json header and the body below. Because the Logic App's managed identity has been granted the "Cognitive Services OpenAI User" role (see the screenshot above), set the action's authentication to "Managed identity" with the audience https://cognitiveservices.azure.com; this way no API key has to be stored in the Logic App.

You can use the following as a body:

{
  "max_tokens": 4096,
  "messages": [
    {
      "role": "system",
      "content": "You are an employee in the SOC. You analyse, process and resolve incidents. Your focus is on communication with the end user."
    },
    {
      "role": "user",
      "content": "Using the following incident information %Dynamic Content from Incident%, generate a very brief, concise technical description to inform the affected end user that their device will be isolated due to this incident. The end user does not need to contact IT support."
    }
  ],
  "temperature": 0.8,
  "top_p": 0.95
}

In the message with "role": "system", we describe the role the AI should play in this case. In the message with "role": "user", on the other hand, we describe the specific task. The %Dynamic Content from Incident% placeholder is where the incident fields from the Logic App are inserted; make sure they are inserted escaped (an incident title or file name containing quotes or line breaks would otherwise break the JSON body), and pass only the fields the end user actually needs to see. In the next step, we use the Logic App action "Parse JSON" to break down the HTTP response; the generated text is in choices[0].message.content.

Screenshot of the Logic App function "Parse JSON" in Azure

The easiest way to obtain the schema is to import the HTTP response from a run via "Use sample payload to generate schema". Now we just need to inform the user(s). To do this, we need to perform two actions: first, create the chat and then post a message.

Screenshot of the menu for creating a chat in Azure

In the second step, the message is written in the chat.

Screenshot of the menu for posting a message in Azure

The relevant part of your Logic App should now look like this:

Screenshot of the Logic App
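The request body and response handling from the steps above, as an added Python example that is not part of the original post or of the Logic App itself: it builds the same chat completions body with the incident fields passed as an escaped, delimited JSON block, reads choices[0].message.content the way the Parse JSON action does, and falls back to a static template when the model returns nothing usable (for example when the content filter stops the completion), so the user is still informed. The incident, the two responses and the field names are constructed sample data; the fallback template and the allow-list of fields are assumptions, not the post's own.

```python
import json
from typing import Optional

# Prompts taken from the Logic App body in the post.
SYSTEM_PROMPT = ("You are an employee in the SOC. You analyse, process and resolve "
                 "incidents. Your focus is on communication with the end user.")
USER_PROMPT_TEMPLATE = (
    "Using the following incident information {incident}, generate a very brief, "
    "concise technical description to inform the affected end user that their device "
    "will be isolated due to this incident. The end user does not need to contact IT support.")

# Assumed static fallback: used only when the model returns nothing usable, so the
# user is still informed (the rigid one-liner the post wants to avoid, as last resort).
FALLBACK_TEMPLATE = ("Your device {device} has been isolated by the security team because "
                     "of incident {incident_id} ({title}). You do not need to contact IT support.")

# Assumed allow-list of incident fields handed to the model; analyst notes and raw
# alert payloads stay out of the prompt and therefore out of the user message.
INCIDENT_FIELDS = ("incident_id", "title", "severity", "device", "user")


def build_request_body(incident: dict, max_tokens: int = 4096) -> dict:
    """Chat completions body for the HTTP action. The incident fields go in as a
    json.dumps'd block between <incident> tags, so quotes or braces in an alert
    title cannot break the body and the model sees one clearly delimited data block."""
    selected = {k: str(incident.get(k, "")) for k in INCIDENT_FIELDS}
    user_prompt = USER_PROMPT_TEMPLATE.format(
        incident="<incident>" + json.dumps(selected) + "</incident>")
    return {
        "max_tokens": max_tokens,
        "messages": [{"role": "system", "content": SYSTEM_PROMPT},
                     {"role": "user", "content": user_prompt}],
        "temperature": 0.8,
        "top_p": 0.95,
    }


def extract_reply(response: dict) -> Optional[str]:
    """choices[0].message.content, the field the Parse JSON action reads. None when
    there is no usable text: no choices (e.g. an error object), a completion stopped
    by the content filter, or empty content."""
    choices = response.get("choices") or []
    if not choices or choices[0].get("finish_reason") == "content_filter":
        return None
    content = (choices[0].get("message") or {}).get("content")
    return content.strip() if content and content.strip() else None


def compose_user_message(incident: dict, response: dict) -> str:
    """Text to post in the chat: the model's wording, or the static fallback."""
    reply = extract_reply(response)
    if reply is not None:
        return reply
    return FALLBACK_TEMPLATE.format(device=incident.get("device", "unknown device"),
                                    incident_id=incident.get("incident_id", "n/a"),
                                    title=incident.get("title", "security incident"))


# Constructed sample incident; the quotes in the title are deliberate.
SAMPLE_INCIDENT = {
    "incident_id": "INC-1042",
    "title": 'Suspicious PowerShell "download cradle" on LAPTOP-17',
    "severity": "High", "device": "LAPTOP-17", "user": "j.doe@contoso.example",
    "analyst_notes": "internal: do not share with the user",
}
# Constructed sample responses: one successful, one stopped by the content filter.
SAMPLE_RESPONSE_OK = {"choices": [{"finish_reason": "stop", "message": {
    "role": "assistant",
    "content": ("Your device LAPTOP-17 will be isolated shortly because suspicious "
                "PowerShell activity was detected (incident INC-1042). No action is "
                "required from you.")}}]}
SAMPLE_RESPONSE_FILTERED = {"choices": [{"finish_reason": "content_filter",
                                         "message": {"role": "assistant", "content": None}}]}

if __name__ == "__main__":
    print(json.dumps(build_request_body(SAMPLE_INCIDENT), indent=2))
    print(compose_user_message(SAMPLE_INCIDENT, SAMPLE_RESPONSE_OK))
    print(compose_user_message(SAMPLE_INCIDENT, SAMPLE_RESPONSE_FILTERED))
```

In the Logic App the same two steps are the HTTP action (body from build_request_body) and the Parse JSON action (extract_reply); the fallback is a Condition on the parsed content before the message is posted. Keeping the allow-list small matters twice: it keeps internal notes away from the end user, and it limits how much attacker-influenced text (alert titles, file names, device names) reaches the model's prompt.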

And that's all there is to it. With this simple solution, we can inform end users, the helpdesk, etc. about the isolation of a machine with a comprehensible text that is reduced to the essentials. In one of the next posts, I will discuss further use cases, such as interacting with end users, generating KQL queries, and much more.

A holistic approach to security: Telekom's consulting services

Modern IT and cloud scenarios place new demands on security, governance and operations. Telekom's consulting services on Microsoft security help you analyse your environment in a structured manner and develop it in a targeted way – from initial classification to concrete implementation.

Start with a no-obligation orientation meeting or a Microsoft 365 Security Assessment and receive clear recommendations for action to improve security.

Telekom: Your partner for the entire Microsoft world

Licences & Software

All Microsoft licences from a single source – simple, secure and reliable.


Free support

We are always there for you: quick assistance, personal support – at no extra cost.

Contact

Tested quality & safety

ISG and Microsoft-certified services for maximum security and reliability.

About the Microsoft portfolio

Your contact for questions and advice

Do you have questions about Telekom's Microsoft service offering or would you like personal advice? Simply contact our experts without obligation using the consultation form.


Author: Marcus Henker

Marcus began working with Microsoft Office 365 in 2014. Since then, he has focused on various projects and supported customers from a wide range of industries. In recent years, Marcus has concentrated on Microsoft security issues.