Argus Part 6: Orchestration and Enterprise RBAC
Concluding the series with a look at playbook orchestration and how Argus manages secure access in an enterprise environment.
In the final part of this series, we move beyond notifications and ticketing into the most powerful capability of Argus: orchestration.
Argus is designed to be the "remote control" for your security operations centre. It doesn't just tell you there is a problem; it provides the tools to fix it.
Playbook Orchestration from Teams
The "holy grail" of security automation is reaching a state where common incidents can be resolved with a single click. Argus makes this possible by triggering Sentinel playbooks directly from Adaptive Cards.
- One-click remediation: isolate a host, reset a user password, or block an IP address without leaving Teams.
- Granular triggers: the bot identifies which playbooks are appropriate for a specific alert type and surfaces them as interactive buttons.
- Audit trail: every time a playbook is triggered from Teams, Argus logs the action, the user, and the correlation ID to Azure Table Storage, giving a complete record for compliance purposes.
Enterprise-Grade RBAC
Orchestration is powerful, and with power comes the need for strict control. I have built Argus with an enterprise-grade RBAC (role-based access control) system to ensure that only the right people can trigger high-impact actions.
- Internal users: engineers within the primary tenant have full access to interactive features and playbook triggers.
- Federated users: Argus supports secure interaction for users from federated tenants, allowing seamless collaboration during cross-organisational incidents.
- Identity validation: every interaction is checked against Microsoft Entra ID security groups. If you are not in the "Argus Administrators" or "SOC Engineers" group, the "Isolate Host" button simply won't work for you.
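As an added example (not the Argus project's own code), here is the shape of the authorisation gate and audit record described in the two sections above, in Node.js-style JavaScript: the group names come from the post, while the group object IDs, tenant IDs, the user object, and the playbook runner are constructed stand-ins rather than real Entra ID, Sentinel or Table Storage calls.

```javascript
// Added example, not Argus project code. Entra ID security groups allowed to
// trigger playbooks: names from the post, object IDs are placeholders.
const PLAYBOOK_GROUPS = new Map([
  ["00000000-0000-0000-0000-00000000aaaa", "Argus Administrators"],
  ["00000000-0000-0000-0000-00000000bbbb", "SOC Engineers"],
]);

const PRIMARY_TENANT = "tenant-primary";              // placeholder tenant ID
const FEDERATED_TENANTS = new Set(["tenant-partner"]); // placeholder federated tenants

// Returns null when the caller may trigger a playbook, otherwise a short
// reason string so the audit trail records why the action was refused.
// `user` is the identity resolved from the Teams activity (assumed shape:
// { oid, tenantId, groups: [groupObjectId, ...] }).
function denialReason(user) {
  if (!user || !user.oid || !user.tenantId) return "unauthenticated";
  if (user.tenantId !== PRIMARY_TENANT && !FEDERATED_TENANTS.has(user.tenantId)) {
    return "tenant not trusted";
  }
  const groups = Array.isArray(user.groups) ? user.groups : [];
  return groups.some((g) => PLAYBOOK_GROUPS.has(g))
    ? null
    : "not in a playbook-authorised group";
}

// Handles one Adaptive Card button press. Every attempt, allowed or denied,
// produces an audit entity shaped for Azure Table Storage (PartitionKey /
// RowKey), keyed by the incident and the notification's correlation ID.
// `runPlaybook` is the caller-supplied function that actually invokes Sentinel.
function handlePlaybookTrigger(user, playbook, incidentId, correlationId, runPlaybook) {
  const reason = denialReason(user);
  const audit = {
    PartitionKey: incidentId,
    RowKey: correlationId,
    user: user && user.oid ? user.oid : "unknown",
    tenant: user && user.tenantId ? user.tenantId : "unknown",
    playbook,
    outcome: reason ? `denied: ${reason}` : "triggered",
    at: new Date().toISOString(),
  };
  if (reason === null) runPlaybook(playbook, incidentId, correlationId);
  return { allowed: reason === null, audit };
}
```

The audit entity is built before the playbook runs, so a denied press leaves the same kind of record as a successful one.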
Wrapping Up: The Omniscient Overseer
Building Argus has been a journey into the intersection of security telemetry and human-centric design. By bridging the gap between raw data, ITSM workflows, and automated orchestration, Argus has transformed how we manage security incidents.
To summarise the architecture:
- The engine: a Node.js event router on Azure App Service.
- The security: hardened API Management with Azure Key Vault.
- The UI: decoupled layouts using SharePoint and Adaptive Cards.
- The workflow: bidirectional ITSM integration and one-click playbook orchestration.
Argus is more than just a bot—it is an automated enterprise overseer. It cuts through the noise, manages the state, and gives security engineers their time back.
I hope this series has provided some insight into building high-tier security automation. If you are building something similar, I would love to hear about it.