diff --git a/Logic Apps/SecurityAnalysisAgent-OuterLoop/azuredeploy-email-DefenderXDR.json b/Logic Apps/SecurityAnalysisAgent-OuterLoop/azuredeploy-email-DefenderXDR.json new file mode 100644 index 00000000..a47beb2e --- /dev/null +++ b/Logic Apps/SecurityAnalysisAgent-OuterLoop/azuredeploy-email-DefenderXDR.json @@ -0,0 +1,231 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "metadata": { + "title": "Security Analyst Agent - OuterLoop Automation (Email + Defender XDR)", + "description": "Logic App that invokes the SecurityAnalysisAgentOuterLoop skill in Security Copilot using Defender XDR as the data source on a recurring schedule, generates an executive HTML dashboard, and emails the results.", + "prerequisites": "1. Security Copilot license enabled on the tenant. 2. Microsoft Defender XDR enabled. 3. Contributor role on the target resource group.", + "postDeployment": [ + "1. Authorize the Security Copilot and Office 365 API connections.", + "2. Adjust the recurrence schedule as needed.", + "3. Run the Logic App and verify the email output." + ], + "lastUpdateTime": "2026-06-05", + "tags": [ + "Security Copilot", + "Security Analyst Agent", + "Defender XDR", + "OuterLoop", + "Email" + ], + "support": { + "tier": "community" + } + }, + "parameters": { + "PlaybookName": { + "defaultValue": "SecurityAnalysisAgent-OuterLoop-Email-DefenderXDR", + "type": "string", + "metadata": { + "description": "Name of the Logic App to deploy." + } + }, + "UserRequest": { + "type": "string", + "defaultValue": "Identify suspicious sign-in patterns involving failed login attempts across multiple user accounts.", + "metadata": { + "description": "The security analysis prompt to send to the SecurityAnalysisAgentOuterLoop skill. The template automatically appends 'This is the final intent, do not ask clarification questions.' to your prompt." + } + }, + "email": { + "type": "string", + "metadata": { + "description": "Recipient email address for the report." + } + }, + "RecurrenceIntervalInDays": { + "type": "int", + "defaultValue": 3, + "metadata": { + "description": "How often (in days) the Logic App should run." + } + }, + "RecurrenceTimeZone": { + "type": "string", + "defaultValue": "India Standard Time", + "metadata": { + "description": "Time zone for the recurrence schedule (e.g. 'India Standard Time', 'UTC', 'Pacific Standard Time')." + } + } + }, + "variables": { + "SecurityCopilotConnectionName": "[concat('SecurityCopilot-', parameters('PlaybookName'))]", + "Office365ConnectionName": "[concat('Office365-', parameters('PlaybookName'))]", + "FinalUserRequest": "[concat(parameters('UserRequest'), ' This is the final intent, do not ask clarification questions.')]", + "SkillInputsJson": "[concat('{\"UserRequest\":\"', variables('FinalUserRequest'), '\",\"ProductName\":\"Defender\",\"DataSource\":\"DefenderXDR\"}')]" + }, + "resources": [ + { + "type": "Microsoft.Logic/workflows", + "apiVersion": "2017-07-01", + "name": "[parameters('PlaybookName')]", + "location": "[resourceGroup().location]", + "tags": { + "hidden-SentinelTemplateName": "SecurityAnalysisAgent-OuterLoop-Email-DefenderXDR", + "hidden-SentinelTemplateVersion": "1.0" + }, + "identity": { + "type": "SystemAssigned" + }, + "dependsOn": [ + "[resourceId('Microsoft.Web/connections', variables('SecurityCopilotConnectionName'))]", + "[resourceId('Microsoft.Web/connections', variables('Office365ConnectionName'))]" + ], + "properties": { + "state": "Enabled", + "definition": { + "$schema": "https://schema.management.azure.com/providers/Microsoft.Logic/schemas/2016-06-01/workflowdefinition.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "$connections": { + "defaultValue": {}, + "type": "Object" + } + }, + "triggers": { + "Recurrence": { + "recurrence": { + "interval": "[parameters('RecurrenceIntervalInDays')]", + "frequency": "Day", + "timeZone": "[parameters('RecurrenceTimeZone')]" + }, + "evaluatedRecurrence": { + "interval": "[parameters('RecurrenceIntervalInDays')]", + "frequency": "Day", + "timeZone": "[parameters('RecurrenceTimeZone')]" + }, + "type": "Recurrence" + } + }, + "actions": { + "Submit_a_Security_Copilot_prompt": { + "runAfter": {}, + "type": "ApiConnection", + "inputs": { + "host": { + "connection": { + "name": "@parameters('$connections')['securitycopilot']['connectionId']" + } + }, + "method": "post", + "body": { + "PromptContent": "[variables('FinalUserRequest')]", + "Skillsets": [ + "Microsoft.Security.AdvancedAnalystAgent" + ], + "SkillName": "SecurityAnalysisAgentOuterLoop", + "SkillInputs": "[concat('@json(''', variables('SkillInputsJson'), ''')')]" + }, + "path": "/process-prompt" + } + }, + "Submit_a_Security_Copilot_prompt_1": { + "runAfter": { + "Submit_a_Security_Copilot_prompt": [ + "Succeeded" + ] + }, + "type": "ApiConnection", + "inputs": { + "host": { + "connection": { + "name": "@parameters('$connections')['securitycopilot-1']['connectionId']" + } + }, + "method": "post", + "body": { + "PromptContent": "/AskGpt Task: Produce a self-contained, executive-quality HTML dashboard from the input text.\\nOutput rules (critical):\\n\\nReturn ONLY the final HTML document as plain text. No explanations, no markdown fences.\\nThe output must be a complete HTML page (doctype + html/head/body) with inline CSS only.\\n\\nMandatory global tags (non-negotiable):\\n\\nThe dashboard MUST include two visible tags/badges, labeled exactly:\\n\\nSecurity Analyst Agent\\nSecurity Copilot\\n\\nBoth tags must always be rendered.\\nPlacement: Near the main title or in the header area (top-right or top-left).\\nStyling: Dashboard-style badges/pills (rounded corners, subtle background). Visually consistent with each other. Informational, not decorative.\\n\\nPrimary objective:\\nTransform the input into a clean, modern, dashboard-style layout that is easy to scan, visually structured, and suitable for leadership or review contexts.\\n\\nLayout & structure guidelines:\\nInfer the best structure from the content:\\n- Metrics / numbers: KPI cards or stat tiles\\n- Status / comparisons: compact tables with badges\\n- Progress / trends: horizontal indicators (CSS only)\\n- Events: timeline layout\\n- Risks / notes / callouts: clearly separated panels\\n\\nGroup related information into cards or sections using a grid layout.\\nEstablish strong visual hierarchy: headline insights first, supporting detail second.\\n\\nVisual & aesthetic requirements:\\n- Neutral background, elevated cards, soft borders or shadows\\n- Consistent spacing and alignment\\n- Subtle accent color used consistently across badges and highlights\\n- Professional typography with clear hierarchy\\n- Responsive and readable on smaller screens\\n- No JavaScript, no external libraries\\n\\nContent rules:\\n- Preserve facts and meaning exactly\\n- Rewrite only to improve clarity, scannability, and layout fit\\n- Do not introduce new data or interpretation\\n\\nEmpty or invalid input:\\nOutput a simple HTML page stating: \\\"No data returned\\\".\\n\\nInput:\\n@{body('Submit_a_Security_Copilot_prompt')?['EvaluationResultContent']}", + "SessionId": "@body('Submit_a_Security_Copilot_prompt')?['sessionId']" + }, + "path": "/process-prompt" + } + }, + "Send_an_email_(V2)": { + "runAfter": { + "Submit_a_Security_Copilot_prompt_1": [ + "Succeeded" + ] + }, + "type": "ApiConnection", + "inputs": { + "host": { + "connection": { + "name": "@parameters('$connections')['office365']['connectionId']" + } + }, + "method": "post", + "body": { + "To": "[parameters('email')]", + "Subject": "Security Analyst Agent - Executive Report (Defender XDR)", + "Body": "
@{body('Submit_a_Security_Copilot_prompt_1')?['EvaluationResultContent']}
", + "Importance": "Normal" + }, + "path": "/v2/Mail" + } + } + }, + "outputs": {} + }, + "parameters": { + "$connections": { + "value": { + "securitycopilot": { + "connectionId": "[resourceId('Microsoft.Web/connections', variables('SecurityCopilotConnectionName'))]", + "connectionName": "[variables('SecurityCopilotConnectionName')]", + "id": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', resourceGroup().location, '/managedApis/Securitycopilot')]" + }, + "securitycopilot-1": { + "connectionId": "[resourceId('Microsoft.Web/connections', variables('SecurityCopilotConnectionName'))]", + "connectionName": "[variables('SecurityCopilotConnectionName')]", + "id": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', resourceGroup().location, '/managedApis/Securitycopilot')]" + }, + "office365": { + "connectionId": "[resourceId('Microsoft.Web/connections', variables('Office365ConnectionName'))]", + "connectionName": "[variables('Office365ConnectionName')]", + "id": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', resourceGroup().location, '/managedApis/office365')]" + } + } + } + } + } + }, + { + "type": "Microsoft.Web/connections", + "apiVersion": "2016-06-01", + "name": "[variables('SecurityCopilotConnectionName')]", + "location": "[resourceGroup().location]", + "kind": "V1", + "properties": { + "displayName": "[variables('SecurityCopilotConnectionName')]", + "customParameterValues": {}, + "api": { + "id": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', resourceGroup().location, '/managedApis/Securitycopilot')]" + } + } + }, + { + "type": "Microsoft.Web/connections", + "apiVersion": "2016-06-01", + "name": "[variables('Office365ConnectionName')]", + "location": "[resourceGroup().location]", + "kind": "V1", + "properties": { + "displayName": "[variables('Office365ConnectionName')]", + "customParameterValues": {}, + "api": { + "id": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', resourceGroup().location, '/managedApis/office365')]" + } + } + } + ] +} diff --git a/Logic Apps/SecurityAnalysisAgent-OuterLoop/azuredeploy-email-LAW.json b/Logic Apps/SecurityAnalysisAgent-OuterLoop/azuredeploy-email-LAW.json new file mode 100644 index 00000000..47c04e12 --- /dev/null +++ b/Logic Apps/SecurityAnalysisAgent-OuterLoop/azuredeploy-email-LAW.json @@ -0,0 +1,249 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "metadata": { + "title": "Security Analyst Agent - OuterLoop Automation (Email)", + "description": "Logic App that invokes the SecurityAnalysisAgentOuterLoop skill in Security Copilot on a recurring schedule, generates an executive HTML dashboard, and emails the results.", + "prerequisites": "1. Security Copilot license enabled on the tenant. 2. A Microsoft Sentinel Log Analytics workspace. 3. Contributor role on the target resource group.", + "postDeployment": [ + "1. Authorize the Security Copilot and Office 365 API connections.", + "2. Adjust the recurrence schedule as needed.", + "3. Run the Logic App and verify the email output." + ], + "lastUpdateTime": "2026-02-25", + "tags": [ + "Security Copilot", + "Security Analyst Agent", + "Sentinel", + "OuterLoop", + "Email" + ], + "support": { + "tier": "community" + } + }, + "parameters": { + "PlaybookName": { + "defaultValue": "SecurityAnalysisAgent-OuterLoop-Email", + "type": "string", + "metadata": { + "description": "Name of the Logic App to deploy." + } + }, + "UserRequest": { + "type": "string", + "defaultValue": "Identify suspicious sign-in patterns involving failed login attempts across multiple user accounts.", + "metadata": { + "description": "The security analysis prompt to send to the SecurityAnalysisAgentOuterLoop skill. The template automatically appends 'This is the final intent, do not ask clarification questions.' to your prompt." + } + }, + "email": { + "type": "string", + "metadata": { + "description": "Recipient email address for the report." + } + }, + "LogAnalyticsWorkspaceSubscriptionId": { + "type": "string", + "metadata": { + "description": "Subscription ID of the Log Analytics workspace connected to Microsoft Sentinel." + } + }, + "LogAnalyticsWorkspaceResourceGroupName": { + "type": "string", + "metadata": { + "description": "Resource Group name of the Log Analytics workspace." + } + }, + "LogAnalyticsWorkspaceName": { + "type": "string", + "metadata": { + "description": "Name of the Log Analytics workspace." + } + }, + "RecurrenceIntervalInDays": { + "type": "int", + "defaultValue": 3, + "metadata": { + "description": "How often (in days) the Logic App should run." + } + }, + "RecurrenceTimeZone": { + "type": "string", + "defaultValue": "India Standard Time", + "metadata": { + "description": "Time zone for the recurrence schedule (e.g. 'India Standard Time', 'UTC', 'Pacific Standard Time')." + } + } + }, + "variables": { + "SecurityCopilotConnectionName": "[concat('SecurityCopilot-', parameters('PlaybookName'))]", + "Office365ConnectionName": "[concat('Office365-', parameters('PlaybookName'))]", + "FinalUserRequest": "[concat(parameters('UserRequest'), ' This is the final intent, do not ask clarification questions.')]", + "SkillInputsJson": "[concat('{\"UserRequest\":\"', variables('FinalUserRequest'), '\",\"DataSource\":\"SentinelLogAnalyticsWorkspace\",\"LogAnalyticsWorkspaceSubscriptionId\":\"', parameters('LogAnalyticsWorkspaceSubscriptionId'), '\",\"LogAnalyticsWorkspaceResourceGroupName\":\"', parameters('LogAnalyticsWorkspaceResourceGroupName'), '\",\"LogAnalyticsWorkspaceName\":\"', parameters('LogAnalyticsWorkspaceName'), '\"}')]" + }, + "resources": [ + { + "type": "Microsoft.Logic/workflows", + "apiVersion": "2017-07-01", + "name": "[parameters('PlaybookName')]", + "location": "[resourceGroup().location]", + "tags": { + "hidden-SentinelTemplateName": "SecurityAnalysisAgent-OuterLoop-Email", + "hidden-SentinelTemplateVersion": "1.0" + }, + "identity": { + "type": "SystemAssigned" + }, + "dependsOn": [ + "[resourceId('Microsoft.Web/connections', variables('SecurityCopilotConnectionName'))]", + "[resourceId('Microsoft.Web/connections', variables('Office365ConnectionName'))]" + ], + "properties": { + "state": "Enabled", + "definition": { + "$schema": "https://schema.management.azure.com/providers/Microsoft.Logic/schemas/2016-06-01/workflowdefinition.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "$connections": { + "defaultValue": {}, + "type": "Object" + } + }, + "triggers": { + "Recurrence": { + "recurrence": { + "interval": "[parameters('RecurrenceIntervalInDays')]", + "frequency": "Day", + "timeZone": "[parameters('RecurrenceTimeZone')]" + }, + "evaluatedRecurrence": { + "interval": "[parameters('RecurrenceIntervalInDays')]", + "frequency": "Day", + "timeZone": "[parameters('RecurrenceTimeZone')]" + }, + "type": "Recurrence" + } + }, + "actions": { + "Submit_a_Security_Copilot_prompt": { + "runAfter": {}, + "type": "ApiConnection", + "inputs": { + "host": { + "connection": { + "name": "@parameters('$connections')['securitycopilot']['connectionId']" + } + }, + "method": "post", + "body": { + "PromptContent": "[variables('FinalUserRequest')]", + "Skillsets": [ + "Microsoft.Security.AdvancedAnalystAgent" + ], + "SkillName": "SecurityAnalysisAgentOuterLoop", + "SkillInputs": "[concat('@json(''', variables('SkillInputsJson'), ''')')]" + }, + "path": "/process-prompt" + } + }, + "Submit_a_Security_Copilot_prompt_1": { + "runAfter": { + "Submit_a_Security_Copilot_prompt": [ + "Succeeded" + ] + }, + "type": "ApiConnection", + "inputs": { + "host": { + "connection": { + "name": "@parameters('$connections')['securitycopilot-1']['connectionId']" + } + }, + "method": "post", + "body": { + "PromptContent": "/AskGpt Task: Produce a self-contained, executive-quality HTML dashboard from the input text.\\nOutput rules (critical):\\n\\nReturn ONLY the final HTML document as plain text. No explanations, no markdown fences.\\nThe output must be a complete HTML page (doctype + html/head/body) with inline CSS only.\\n\\nMandatory global tags (non-negotiable):\\n\\nThe dashboard MUST include two visible tags/badges, labeled exactly:\\n\\nSecurity Analyst Agent\\nSecurity Copilot\\n\\nBoth tags must always be rendered.\\nPlacement: Near the main title or in the header area (top-right or top-left).\\nStyling: Dashboard-style badges/pills (rounded corners, subtle background). Visually consistent with each other. Informational, not decorative.\\n\\nPrimary objective:\\nTransform the input into a clean, modern, dashboard-style layout that is easy to scan, visually structured, and suitable for leadership or review contexts.\\n\\nLayout & structure guidelines:\\nInfer the best structure from the content:\\n- Metrics / numbers: KPI cards or stat tiles\\n- Status / comparisons: compact tables with badges\\n- Progress / trends: horizontal indicators (CSS only)\\n- Events: timeline layout\\n- Risks / notes / callouts: clearly separated panels\\n\\nGroup related information into cards or sections using a grid layout.\\nEstablish strong visual hierarchy: headline insights first, supporting detail second.\\n\\nVisual & aesthetic requirements:\\n- Neutral background, elevated cards, soft borders or shadows\\n- Consistent spacing and alignment\\n- Subtle accent color used consistently across badges and highlights\\n- Professional typography with clear hierarchy\\n- Responsive and readable on smaller screens\\n- No JavaScript, no external libraries\\n\\nContent rules:\\n- Preserve facts and meaning exactly\\n- Rewrite only to improve clarity, scannability, and layout fit\\n- Do not introduce new data or interpretation\\n\\nEmpty or invalid input:\\nOutput a simple HTML page stating: \\\"No data returned\\\".\\n\\nInput:\\n@{body('Submit_a_Security_Copilot_prompt')?['EvaluationResultContent']}", + "SessionId": "@body('Submit_a_Security_Copilot_prompt')?['sessionId']" + }, + "path": "/process-prompt" + } + }, + "Send_an_email_(V2)": { + "runAfter": { + "Submit_a_Security_Copilot_prompt_1": [ + "Succeeded" + ] + }, + "type": "ApiConnection", + "inputs": { + "host": { + "connection": { + "name": "@parameters('$connections')['office365']['connectionId']" + } + }, + "method": "post", + "body": { + "To": "[parameters('email')]", + "Subject": "Security Analyst Agent - Executive Report", + "Body": "@{body('Submit_a_Security_Copilot_prompt_1')?['EvaluationResultContent']}
", + "Importance": "Normal" + }, + "path": "/v2/Mail" + } + } + }, + "outputs": {} + }, + "parameters": { + "$connections": { + "value": { + "securitycopilot": { + "connectionId": "[resourceId('Microsoft.Web/connections', variables('SecurityCopilotConnectionName'))]", + "connectionName": "[variables('SecurityCopilotConnectionName')]", + "id": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', resourceGroup().location, '/managedApis/Securitycopilot')]" + }, + "securitycopilot-1": { + "connectionId": "[resourceId('Microsoft.Web/connections', variables('SecurityCopilotConnectionName'))]", + "connectionName": "[variables('SecurityCopilotConnectionName')]", + "id": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', resourceGroup().location, '/managedApis/Securitycopilot')]" + }, + "office365": { + "connectionId": "[resourceId('Microsoft.Web/connections', variables('Office365ConnectionName'))]", + "connectionName": "[variables('Office365ConnectionName')]", + "id": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', resourceGroup().location, '/managedApis/office365')]" + } + } + } + } + } + }, + { + "type": "Microsoft.Web/connections", + "apiVersion": "2016-06-01", + "name": "[variables('SecurityCopilotConnectionName')]", + "location": "[resourceGroup().location]", + "kind": "V1", + "properties": { + "displayName": "[variables('SecurityCopilotConnectionName')]", + "customParameterValues": {}, + "api": { + "id": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', resourceGroup().location, '/managedApis/Securitycopilot')]" + } + } + }, + { + "type": "Microsoft.Web/connections", + "apiVersion": "2016-06-01", + "name": "[variables('Office365ConnectionName')]", + "location": "[resourceGroup().location]", + "kind": "V1", + "properties": { + "displayName": "[variables('Office365ConnectionName')]", + "customParameterValues": {}, + "api": { + "id": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', resourceGroup().location, '/managedApis/office365')]" + } + } + } + ] +} diff --git a/Logic Apps/SecurityAnalysisAgent-OuterLoop/azuredeploy-email-datalake.json b/Logic Apps/SecurityAnalysisAgent-OuterLoop/azuredeploy-email-datalake.json new file mode 100644 index 00000000..7c8bbb27 --- /dev/null +++ b/Logic Apps/SecurityAnalysisAgent-OuterLoop/azuredeploy-email-datalake.json @@ -0,0 +1,238 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "metadata": { + "title": "Security Analyst Agent - OuterLoop Automation (Email + Data Lake)", + "description": "Logic App that invokes the SecurityAnalysisAgentOuterLoop skill in Security Copilot using a Sentinel Data Lake workspace on a recurring schedule, generates an executive HTML dashboard, and emails the results.", + "prerequisites": "1. Security Copilot license enabled on the tenant. 2. A Microsoft Sentinel Data Lake workspace. 3. Contributor role on the target resource group.", + "postDeployment": [ + "1. Authorize the Security Copilot and Office 365 API connections.", + "2. Adjust the recurrence schedule as needed.", + "3. Run the Logic App and verify the email output." + ], + "lastUpdateTime": "2026-02-25", + "tags": [ + "Security Copilot", + "Security Analyst Agent", + "Sentinel", + "OuterLoop", + "Email", + "Data Lake" + ], + "support": { + "tier": "community" + } + }, + "parameters": { + "PlaybookName": { + "defaultValue": "SecurityAnalysisAgent-OuterLoop-Email-DataLake", + "type": "string", + "metadata": { + "description": "Name of the Logic App to deploy." + } + }, + "UserRequest": { + "type": "string", + "defaultValue": "Identify suspicious sign-in patterns involving failed login attempts across multiple user accounts.", + "metadata": { + "description": "The security analysis prompt to send to the SecurityAnalysisAgentOuterLoop skill. The template automatically appends 'This is the final intent, do not ask clarification questions.' to your prompt." + } + }, + "email": { + "type": "string", + "metadata": { + "description": "Recipient email address for the report." + } + }, + "SentinelDataLakeWorkspaceName": { + "type": "string", + "metadata": { + "description": "Name of the Microsoft Sentinel Data Lake workspace." + } + }, + "RecurrenceIntervalInDays": { + "type": "int", + "defaultValue": 3, + "metadata": { + "description": "How often (in days) the Logic App should run." + } + }, + "RecurrenceTimeZone": { + "type": "string", + "defaultValue": "India Standard Time", + "metadata": { + "description": "Time zone for the recurrence schedule (e.g. 'India Standard Time', 'UTC', 'Pacific Standard Time')." + } + } + }, + "variables": { + "SecurityCopilotConnectionName": "[concat('SecurityCopilot-', parameters('PlaybookName'))]", + "Office365ConnectionName": "[concat('Office365-', parameters('PlaybookName'))]", + "FinalUserRequest": "[concat(parameters('UserRequest'), ' This is the final intent, do not ask clarification questions.')]", + "SkillInputsJson": "[concat('{\"UserRequest\":\"', variables('FinalUserRequest'), '\",\"DataSource\":\"SentinelDataLake\",\"SentinelDataLakeWorkspaceName\":\"', parameters('SentinelDataLakeWorkspaceName'), '\"}')]" + }, + "resources": [ + { + "type": "Microsoft.Logic/workflows", + "apiVersion": "2017-07-01", + "name": "[parameters('PlaybookName')]", + "location": "[resourceGroup().location]", + "tags": { + "hidden-SentinelTemplateName": "SecurityAnalysisAgent-OuterLoop-Email-DataLake", + "hidden-SentinelTemplateVersion": "1.0" + }, + "identity": { + "type": "SystemAssigned" + }, + "dependsOn": [ + "[resourceId('Microsoft.Web/connections', variables('SecurityCopilotConnectionName'))]", + "[resourceId('Microsoft.Web/connections', variables('Office365ConnectionName'))]" + ], + "properties": { + "state": "Enabled", + "definition": { + "$schema": "https://schema.management.azure.com/providers/Microsoft.Logic/schemas/2016-06-01/workflowdefinition.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "$connections": { + "defaultValue": {}, + "type": "Object" + } + }, + "triggers": { + "Recurrence": { + "recurrence": { + "interval": "[parameters('RecurrenceIntervalInDays')]", + "frequency": "Day", + "timeZone": "[parameters('RecurrenceTimeZone')]" + }, + "evaluatedRecurrence": { + "interval": "[parameters('RecurrenceIntervalInDays')]", + "frequency": "Day", + "timeZone": "[parameters('RecurrenceTimeZone')]" + }, + "type": "Recurrence" + } + }, + "actions": { + "Submit_a_Security_Copilot_prompt": { + "runAfter": {}, + "type": "ApiConnection", + "inputs": { + "host": { + "connection": { + "name": "@parameters('$connections')['securitycopilot']['connectionId']" + } + }, + "method": "post", + "body": { + "PromptContent": "[variables('FinalUserRequest')]", + "Skillsets": [ + "Microsoft.Security.AdvancedAnalystAgent" + ], + "SkillName": "SecurityAnalysisAgentOuterLoop", + "SkillInputs": "[concat('@json(''', variables('SkillInputsJson'), ''')')]" + }, + "path": "/process-prompt" + } + }, + "Submit_a_Security_Copilot_prompt_1": { + "runAfter": { + "Submit_a_Security_Copilot_prompt": [ + "Succeeded" + ] + }, + "type": "ApiConnection", + "inputs": { + "host": { + "connection": { + "name": "@parameters('$connections')['securitycopilot-1']['connectionId']" + } + }, + "method": "post", + "body": { + "PromptContent": "/AskGpt Task: Produce a self-contained, executive-quality HTML dashboard from the input text.\\nOutput rules (critical):\\n\\nReturn ONLY the final HTML document as plain text. No explanations, no markdown fences.\\nThe output must be a complete HTML page (doctype + html/head/body) with inline CSS only.\\n\\nMandatory global tags (non-negotiable):\\n\\nThe dashboard MUST include two visible tags/badges, labeled exactly:\\n\\nSecurity Analyst Agent\\nSecurity Copilot\\n\\nBoth tags must always be rendered.\\nPlacement: Near the main title or in the header area (top-right or top-left).\\nStyling: Dashboard-style badges/pills (rounded corners, subtle background). Visually consistent with each other. Informational, not decorative.\\n\\nPrimary objective:\\nTransform the input into a clean, modern, dashboard-style layout that is easy to scan, visually structured, and suitable for leadership or review contexts.\\n\\nLayout & structure guidelines:\\nInfer the best structure from the content:\\n- Metrics / numbers: KPI cards or stat tiles\\n- Status / comparisons: compact tables with badges\\n- Progress / trends: horizontal indicators (CSS only)\\n- Events: timeline layout\\n- Risks / notes / callouts: clearly separated panels\\n\\nGroup related information into cards or sections using a grid layout.\\nEstablish strong visual hierarchy: headline insights first, supporting detail second.\\n\\nVisual & aesthetic requirements:\\n- Neutral background, elevated cards, soft borders or shadows\\n- Consistent spacing and alignment\\n- Subtle accent color used consistently across badges and highlights\\n- Professional typography with clear hierarchy\\n- Responsive and readable on smaller screens\\n- No JavaScript, no external libraries\\n\\nContent rules:\\n- Preserve facts and meaning exactly\\n- Rewrite only to improve clarity, scannability, and layout fit\\n- Do not introduce new data or interpretation\\n\\nEmpty or invalid input:\\nOutput a simple HTML page stating: \\\"No data returned\\\".\\n\\nInput:\\n@{body('Submit_a_Security_Copilot_prompt')?['EvaluationResultContent']}", + "SessionId": "@body('Submit_a_Security_Copilot_prompt')?['sessionId']" + }, + "path": "/process-prompt" + } + }, + "Send_an_email_(V2)": { + "runAfter": { + "Submit_a_Security_Copilot_prompt_1": [ + "Succeeded" + ] + }, + "type": "ApiConnection", + "inputs": { + "host": { + "connection": { + "name": "@parameters('$connections')['office365']['connectionId']" + } + }, + "method": "post", + "body": { + "To": "[parameters('email')]", + "Subject": "Security Analyst Agent - Executive Report", + "Body": "@{body('Submit_a_Security_Copilot_prompt_1')?['EvaluationResultContent']}
", + "Importance": "Normal" + }, + "path": "/v2/Mail" + } + } + }, + "outputs": {} + }, + "parameters": { + "$connections": { + "value": { + "securitycopilot": { + "connectionId": "[resourceId('Microsoft.Web/connections', variables('SecurityCopilotConnectionName'))]", + "connectionName": "[variables('SecurityCopilotConnectionName')]", + "id": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', resourceGroup().location, '/managedApis/Securitycopilot')]" + }, + "securitycopilot-1": { + "connectionId": "[resourceId('Microsoft.Web/connections', variables('SecurityCopilotConnectionName'))]", + "connectionName": "[variables('SecurityCopilotConnectionName')]", + "id": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', resourceGroup().location, '/managedApis/Securitycopilot')]" + }, + "office365": { + "connectionId": "[resourceId('Microsoft.Web/connections', variables('Office365ConnectionName'))]", + "connectionName": "[variables('Office365ConnectionName')]", + "id": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', resourceGroup().location, '/managedApis/office365')]" + } + } + } + } + } + }, + { + "type": "Microsoft.Web/connections", + "apiVersion": "2016-06-01", + "name": "[variables('SecurityCopilotConnectionName')]", + "location": "[resourceGroup().location]", + "kind": "V1", + "properties": { + "displayName": "[variables('SecurityCopilotConnectionName')]", + "customParameterValues": {}, + "api": { + "id": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', resourceGroup().location, '/managedApis/Securitycopilot')]" + } + } + }, + { + "type": "Microsoft.Web/connections", + "apiVersion": "2016-06-01", + "name": "[variables('Office365ConnectionName')]", + "location": "[resourceGroup().location]", + "kind": "V1", + "properties": { + "displayName": "[variables('Office365ConnectionName')]", + "customParameterValues": {}, + "api": { + "id": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', resourceGroup().location, '/managedApis/office365')]" + } + } + } + ] +} diff --git a/Logic Apps/SecurityAnalysisAgent-OuterLoop/images/Logic-App-output-example-1-page1.png b/Logic Apps/SecurityAnalysisAgent-OuterLoop/images/Logic-App-output-example-1-page1.png new file mode 100644 index 00000000..6e897334 Binary files /dev/null and b/Logic Apps/SecurityAnalysisAgent-OuterLoop/images/Logic-App-output-example-1-page1.png differ diff --git a/Logic Apps/SecurityAnalysisAgent-OuterLoop/images/Logic-App-output-example-1-page2.png b/Logic Apps/SecurityAnalysisAgent-OuterLoop/images/Logic-App-output-example-1-page2.png new file mode 100644 index 00000000..a5ff1eb8 Binary files /dev/null and b/Logic Apps/SecurityAnalysisAgent-OuterLoop/images/Logic-App-output-example-1-page2.png differ diff --git a/Logic Apps/SecurityAnalysisAgent-OuterLoop/images/Logic-App-output-example-2-page1.png b/Logic Apps/SecurityAnalysisAgent-OuterLoop/images/Logic-App-output-example-2-page1.png new file mode 100644 index 00000000..7a1bd22f Binary files /dev/null and b/Logic Apps/SecurityAnalysisAgent-OuterLoop/images/Logic-App-output-example-2-page1.png differ diff --git a/Logic Apps/SecurityAnalysisAgent-OuterLoop/images/Logic-App-output-example-2-page2.png b/Logic Apps/SecurityAnalysisAgent-OuterLoop/images/Logic-App-output-example-2-page2.png new file mode 100644 index 00000000..d8165e8d Binary files /dev/null and b/Logic Apps/SecurityAnalysisAgent-OuterLoop/images/Logic-App-output-example-2-page2.png differ diff --git a/Logic Apps/SecurityAnalysisAgent-OuterLoop/images/Logic-App-output-example-2-page3.png b/Logic Apps/SecurityAnalysisAgent-OuterLoop/images/Logic-App-output-example-2-page3.png new file mode 100644 index 00000000..1002e4d8 Binary files /dev/null and b/Logic Apps/SecurityAnalysisAgent-OuterLoop/images/Logic-App-output-example-2-page3.png differ diff --git a/Logic Apps/SecurityAnalysisAgent-OuterLoop/readme.md b/Logic Apps/SecurityAnalysisAgent-OuterLoop/readme.md new file mode 100644 index 00000000..a594d7fe --- /dev/null +++ b/Logic Apps/SecurityAnalysisAgent-OuterLoop/readme.md @@ -0,0 +1,115 @@ +# Security Analyst Agent — OuterLoop Automation + +**Author:** Hariram Subramanian Gopal + +## Overview + +This folder contains three Azure Logic App ARM templates that automate the **Security Analyst Agent** (OuterLoop) in Microsoft Security Copilot. Each template: + +1. Runs on a **recurring schedule** (configurable). +2. Sends a natural-language security analysis prompt to the `SecurityAnalysisAgentOuterLoop` skill. +3. Generates an **executive HTML dashboard** from the agent's findings. +4. **Emails the report** via Office 365. + +Three variants are provided, depending on your data source: + +| Template | Data Source | File | +|---|---|---| +| **Email + Data Lake** | Microsoft Sentinel Data Lake | `azuredeploy-email-datalake.json` | +| **Email + Log Analytics** | Microsoft Sentinel Log Analytics Workspace | `azuredeploy-email-LAW.json` | +| **Email + Defender XDR** | Microsoft Defender XDR | `azuredeploy-email-DefenderXDR.json` | + +> For more details on the Security Analyst Agent, see the [official documentation](https://learn.microsoft.com/en-us/copilot/security/security-analyst-agent). + +## How It Works + +``` +Recurrence ──▶ Security Copilot Prompt ──▶ HTML Dashboard ──▶ Email + Trigger (OuterLoop skill) Generation (O365) +``` + +The Logic App uses the `Microsoft.Security.AdvancedAnalystAgent` skillset and automatically appends *"This is the final intent, do not ask clarification questions."* to your prompt to ensure unattended execution. + +## Prerequisites + +- **Security Copilot** license enabled on the tenant. +- **Microsoft Sentinel** workspace (for Sentinel variants): + - **Data Lake** variant → a Sentinel Data Lake workspace name. + - **Log Analytics** variant → the Log Analytics workspace name, subscription ID, and resource group name. +- **Microsoft Defender XDR** enabled on the tenant (for Defender XDR variant). +- **Contributor** role on the target Azure resource group. +- An **Office 365** mailbox for sending the report email. + +## Deployment + +### Option 1 — Sentinel Data Lake + +[](https://portal.azure.com/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2FSecurity-Copilot%2Fmain%2FLogic%2520Apps%2FSecurityAnalysisAgent-OuterLoop%2Fazuredeploy-email-datalake.json) + +| Parameter | Description | Default | +|---|---|---| +| `PlaybookName` | Name of the Logic App | `SecurityAnalysisAgent-OuterLoop-Email-DataLake` | +| `UserRequest` | The security analysis prompt | *Identify suspicious sign-in patterns…* | +| `email` | Recipient email address | *(required)* | +| `SentinelDataLakeWorkspaceName` | Sentinel Data Lake workspace name | *(required)* | +| `RecurrenceIntervalInDays` | How often the Logic App runs (days) | `3` | +| `RecurrenceTimeZone` | Time zone for the schedule | `India Standard Time` | + +### Option 2 — Log Analytics Workspace + +[](https://portal.azure.com/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2FSecurity-Copilot%2Fmain%2FLogic%2520Apps%2FSecurityAnalysisAgent-OuterLoop%2Fazuredeploy-email-LAW.json) + + +| Parameter | Description | Default | +|---|---|---| +| `PlaybookName` | Name of the Logic App | `SecurityAnalysisAgent-OuterLoop-Email` | +| `UserRequest` | The security analysis prompt | *Identify suspicious sign-in patterns…* | +| `email` | Recipient email address | *(required)* | +| `LogAnalyticsWorkspaceSubscriptionId` | Subscription ID of the LAW | *(required)* | +| `LogAnalyticsWorkspaceResourceGroupName` | Resource group of the LAW | *(required)* | +| `LogAnalyticsWorkspaceName` | Name of the LAW | *(required)* | +| `RecurrenceIntervalInDays` | How often the Logic App runs (days) | `3` | +| `RecurrenceTimeZone` | Time zone for the schedule | `India Standard Time` | + +### Option 3 — Defender XDR + +[](https://portal.azure.com/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2FSecurity-Copilot%2Fmain%2FLogic%2520Apps%2FSecurityAnalysisAgent-OuterLoop%2Fazuredeploy-email-DefenderXDR.json) + +| Parameter | Description | Default | +|---|---|---| +| `PlaybookName` | Name of the Logic App | `SecurityAnalysisAgent-OuterLoop-Email-DefenderXDR` | +| `UserRequest` | The security analysis prompt | *Identify suspicious sign-in patterns…* | +| `email` | Recipient email address | *(required)* | +| `RecurrenceIntervalInDays` | How often the Logic App runs (days) | `3` | +| `RecurrenceTimeZone` | Time zone for the schedule | `India Standard Time` | + +> This variant uses Defender XDR as the data source with no additional workspace configuration required. + +## Post-Deployment Steps + +1. **Authorize API connections** — Open the Logic App in the Azure portal, go to **API connections**, and authorize both the **Security Copilot** and **Office 365** connectors. +2. **Adjust the recurrence schedule** — Modify the interval and time zone if needed. +3. **Run the Logic App** — Trigger a manual run and verify you receive the email report. + +## Sample Email Output + +The Logic App delivers an executive HTML dashboard directly to your inbox. Below are examples of the output: + +### Example 1 — Sentinel Data Lake (Brute Force Detection) + + + + + +### Example 2 — Log Analytics Workspace (Sign-In Pattern Analysis) + + + + + + + +## Related Resources + +- [Security Analyst Agent — Official Documentation](https://learn.microsoft.com/en-us/copilot/security/security-analyst-agent) +- [Security Copilot Logic Apps Connector](https://learn.microsoft.com/en-us/connectors/securitycopilot/)