Add SecurityAnalysisAgent-OuterLoop Logic Apps #221
@microsoft-github-policy-service agree
cc @divyamsingh97 for review
@microsoft-github-policy-service agree
Pull request overview
Adds deployable Azure Logic App ARM templates plus documentation for scheduling and emailing Security Analyst Agent (OuterLoop) reports from Microsoft Security Copilot, supporting both Sentinel Data Lake and Log Analytics Workspace data sources.
Changes:
- Added two ARM templates to run the OuterLoop skill on a schedule and email an HTML dashboard report.
- Added documentation with Deploy-to-Azure links, parameters, and sample email screenshots.
Reviewed changes
Copilot reviewed 3 out of 8 changed files in this pull request and generated 6 comments.
| File | Description |
|---|---|
| Logic Apps/SecurityAnalysisAgent-OuterLoop/azuredeploy-email-LAW.json | New Logic App ARM template for Log Analytics Workspace-backed runs and email delivery. |
| Logic Apps/SecurityAnalysisAgent-OuterLoop/azuredeploy-email-datalake.json | New Logic App ARM template for Sentinel Data Lake-backed runs and email delivery. |
| Logic Apps/SecurityAnalysisAgent-OuterLoop/readme.md | New deployment and usage documentation for both template variants. |
| "SecurityCopilotConnectionName": "[concat('SecurityCopilot-', parameters('PlaybookName'))]", | ||
| "Office365ConnectionName": "[concat('Office365-', parameters('PlaybookName'))]", | ||
| "FinalUserRequest": "[concat(parameters('UserRequest'), ' This is the final intent, do not ask clarification questions.')]", | ||
| "SkillInputsJson": "[concat('{\"UserRequest\":\"', variables('FinalUserRequest'), '\",\"DataSource\":\"SentinelLogAnalyticsWorkspace\",\"LogAnalyticsWorkspaceSubscriptionId\":\"', parameters('LogAnalyticsWorkspaceSubscriptionId'), '\",\"LogAnalyticsWorkspaceResourceGroupName\":\"', parameters('LogAnalyticsWorkspaceResourceGroupName'), '\",\"LogAnalyticsWorkspaceName\":\"', parameters('LogAnalyticsWorkspaceName'), '\"}')]" |
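Review bot: SkillInputsJson concatenates parameters('UserRequest') and the three LogAnalyticsWorkspace* parameters into a JSON string with no escaping, so a double quote or backslash in any of them produces invalid JSON or lets that value introduce keys of its own into the skill inputs. Build the inputs as an object, for example with createObject() serialized by string(), or escape each value before the concat, and note in the readme which characters UserRequest may contain.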
Acknowledged, will consider in a future iteration.
| "SkillName": "SecurityAnalysisAgentOuterLoop", | ||
| "SkillInputs": "[concat('@json(''', variables('SkillInputsJson'), ''')')]" |
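Review bot: SkillInputs wraps the concatenated string in @json('...') using single-quote delimiters, so an apostrophe in UserRequest or in a workspace name closes the Logic Apps string literal early and the expression either fails at run time or parses something other than the intended JSON. Pass the values into the workflow as parameters and assemble the object inside the workflow definition, or at minimum double any single quotes before this concat.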
Acknowledged, will consider in a future iteration.
| "Subject": "Security Analyst Agent - Executive Report", | ||
| "Body": "<p>@{body('Submit_a_Security_Copilot_prompt_1')?['EvaluationResultContent']}</p>", | ||
| "Importance": "Normal" |
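Review bot: Body inserts EvaluationResultContent from the Security Copilot prompt directly between the p tags with no encoding or tag allow-list, so any markup or links that reach the model's output through the analysed data are rendered as-is in the recipient's mail client. Because the report is meant to be HTML, either restrict the content to the tags the dashboard needs before the send action or state in the readme that the skill output is trusted verbatim.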
Acknowledged, will consider in a future iteration.
| "SecurityCopilotConnectionName": "[concat('SecurityCopilot-', parameters('PlaybookName'))]", | ||
| "Office365ConnectionName": "[concat('Office365-', parameters('PlaybookName'))]", | ||
| "FinalUserRequest": "[concat(parameters('UserRequest'), ' This is the final intent, do not ask clarification questions.')]", | ||
| "SkillInputsJson": "[concat('{\"UserRequest\":\"', variables('FinalUserRequest'), '\",\"DataSource\":\"SentinelDataLake\",\"SentinelDataLakeWorkspaceName\":\"', parameters('SentinelDataLakeWorkspaceName'), '\"}')]" |
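Review bot: FinalUserRequest hard-codes the suffix ' This is the final intent, do not ask clarification questions.' and the identical literal appears in both templates, so the prompt that actually reaches the skill differs from the UserRequest parameter an operator sets and the two copies can drift apart. Document the appended instruction next to the UserRequest parameter in the readme, or expose it as a parameter with this text as its default value.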
Acknowledged, will consider in a future iteration.
| "SkillName": "SecurityAnalysisAgentOuterLoop", | ||
| "SkillInputs": "[concat('@json(''', variables('SkillInputsJson'), ''')')]" |
Acknowledged, will consider in a future iteration.
| "Subject": "Security Analyst Agent - Executive Report", | ||
| "Body": "<p>@{body('Submit_a_Security_Copilot_prompt_1')?['EvaluationResultContent']}</p>", | ||
| "Importance": "Normal" |
Acknowledged, will consider in a future iteration.
Re: Copilot review comments (all 6) Acknowledged. These are intentional design choices for this Logic App template:
Will consider refactoring in a future iteration. Thanks for the suggestions!
Hi @divyamsingh97, could you please review this PR when you get a chance? Thank you.
Summary
Adds two Azure Logic App ARM templates for the Security Analyst Agent (OuterLoop) automation in Microsoft Security Copilot.
What's included
- azuredeploy-email-datalake.json — Logic App for Sentinel Data Lake variant
- azuredeploy-email-LAW.json — Logic App for Log Analytics Workspace variant
- readme.md — Documentation with Deploy to Azure buttons, parameters, and sample output
- images/ — Sample email report screenshots
How it works
Each Logic App runs on a configurable schedule, sends a security analysis prompt to the SecurityAnalysisAgentOuterLoop skill, generates an HTML dashboard, and emails the report via Office 365.