The "Remediate Wiz Alert on Azure VM with Open SSH Access - Teams" workflow template offers a systematic response to Wiz alerts on Azure VMs with open SSH access. It streamlines detection and remediation by first retrieving the VM details and attempting to identify the instance owner via Teams. It then contacts the owner, or a designated Teams channel, to seek approval for modifying the Network Security Group (NSG). If approval is given, the workflow blocks SSH access by adding a rule to the NSG. If the request is declined, or any other failure occurs, it opens a Jira issue and updates Wiz with detailed notes on the actions taken.
Trigger
Wiz
Use Cases
CSPM
Workflow Breakdown
Retrieve VM details including tags
Try to find the instance owner via Teams; if no owner is found, use a Teams channel
Reach out to the channel or owner and ask to modify the Network Security Group
If the user agrees, add a rule to the NSG to block the access
If the user does not agree, open a Jira issue and update the Wiz issue with a note
If any other failure occurs, open a Jira issue and update the Wiz issue note
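The "add a rule to the NSG" step only takes effect if the new deny rule is evaluated before the rule that opens SSH, because NSG rules are processed in ascending priority number and the first match wins. The sketch below is an added example, not the template's own code: it picks a priority for the deny rule from a constructed rule list that uses Azure's security-rule property names. The rule name deny-ssh-inbound and the choice to deny all sources are assumptions.

```python
# Added example. NSG_RULES is constructed sample data that uses Azure's
# security-rule property names; it is not output from a real subscription.
INTERNET_SOURCES = {"*", "0.0.0.0/0", "internet"}
MIN_PRIORITY = 100  # lowest priority number a custom NSG rule may use

NSG_RULES = [
    {"name": "allow-mgmt", "priority": 200, "direction": "Inbound", "access": "Allow",
     "protocol": "Tcp", "sourceAddressPrefix": "10.0.0.0/8", "destinationPortRanges": ["20-25"]},
    {"name": "allow-https", "priority": 299, "direction": "Inbound", "access": "Allow",
     "protocol": "Tcp", "sourceAddressPrefix": "*", "destinationPortRanges": ["443"]},
    {"name": "allow-ssh", "priority": 300, "direction": "Inbound", "access": "Allow",
     "protocol": "*", "sourceAddressPrefix": "Internet", "destinationPortRanges": ["22"]},
]


def covers_port(port_range, port=22):
    """True if an NSG port expression ('*', '22', '20-25') includes the port."""
    if port_range == "*":
        return True
    low, _, high = port_range.partition("-")
    return int(low) <= port <= int(high or low)


def open_ssh_rules(rules):
    """Inbound Allow rules that expose TCP/22 to any source address."""
    return [r for r in rules
            if r["direction"].lower() == "inbound" and r["access"].lower() == "allow"
            and r["protocol"].lower() in ("tcp", "*")
            and r["sourceAddressPrefix"].lower() in INTERNET_SOURCES
            and any(covers_port(p) for p in r["destinationPortRanges"])]


def build_deny_rule(rules):
    """Deny rule evaluated before every open-SSH allow rule, or None if SSH is not exposed."""
    exposed = open_ssh_rules(rules)
    if not exposed:
        return None
    used = {r["priority"] for r in rules}
    first_allow = min(r["priority"] for r in exposed)
    # Lower number wins: take the closest unused priority ahead of the allow rule.
    for priority in range(first_allow - 1, MIN_PRIORITY - 1, -1):
        if priority not in used:
            return {"name": "deny-ssh-inbound", "priority": priority, "direction": "Inbound",
                    "access": "Deny", "protocol": "Tcp", "sourceAddressPrefix": "*",
                    "destinationPortRanges": ["22"]}
    raise ValueError("no free priority ahead of the allow rule; escalate to a ticket")
```

When no priority is free ahead of the allow rule, the function raises, which corresponds to the workflow's failure branch of opening a Jira issue.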
Vendors
Microsoft Azure, Utils, Wiz, Microsoft Teams, Microsoft 365, Microsoft Teams Bot, Jira Cloud
Workflow Output
Teams updates, Jira ticket and Wiz notes on remediation or other outcomes.
Tips
Ensure the Azure App Registration has the permissions needed to access and modify VMs, network settings, and Teams users.