Azure Security Center
Integration version: 9.0
Use cases
Ingest security alerts into Google Security Operations SOAR for investigation.
Update alerts.
Retrieve information about standard compliance.
Prerequisites
Before configuring the integration in the Google Security Operations SOAR platform, make sure to grant the required permissions to the Azure user account and configure either password authentication or OAuth authentication.
Configure permissions
This integration requires delegated access to the Azure resources. Make sure to grant the following required permissions to the Azure user account used to configure the integration:
The user account must be an active member of the following Azure roles:
Security Reader
Security Admin
On the Azure subscription level, make sure to grant the user the following IAM role:
Management Group Reader
Configure password authentication
To configure the password authentication for Microsoft Defender for Cloud, complete the following steps:
Create the Microsoft Entra app.
Configure the API permissions for your app.
Create a client secret.
Use your Azure subscription ID as a value for the corresponding integration parameter.
Create Microsoft Entra app
Sign in to the Azure portal as a user administrator or a password administrator.
Select Microsoft Entra ID.
Go to App registrations > New registration.
Enter the name of the app.
Click Register.
Save the Application (client) ID and Directory (tenant) ID values to use them later when configuring the integration parameters.
Configure API permissions
Go to API Permissions > Add a permission.
Select Azure Service Management > Delegated permissions.
In the Select Permissions section, select the following permission:
user_impersonation
Select Microsoft Graph > Delegated permissions.
In the Select Permissions section, select the following permissions:
SecurityEvents.Read.All
SecurityEvents.ReadWrite.All
User.Read
Select Microsoft Graph > Application permissions.
In the Select Permissions section, select the following permissions:
SecurityEvents.Read.All
SecurityEvents.ReadWrite.All
Click Add permissions.
Click Grant admin consent for YOUR_ORGANIZATION_NAME. When the Grant admin consent confirmation dialog appears, click Yes.
Create client secret
Navigate to Certificates and secrets > New client secret.
Provide a description for a client secret and set its expiration deadline.
Click Add.
Save the value of the client secret (not the secret ID) to use it as the Client Secret parameter value when configuring the integration. The client secret value is only displayed once.
Configure integration with Azure subscription ID
In Microsoft Defender for Cloud, go to the Overview tab.
Click Azure subscriptions.
Copy the Azure subscription ID value and input it in the Subscription ID parameter when configuring the integration parameters.
Configure OAuth authentication
To configure the OAuth authentication for Microsoft Defender for Cloud, complete the following steps:
Create the Microsoft Entra app.
Configure the API permissions for your app.
Create a client secret.
Use your Azure subscription ID as a value for the corresponding integration parameter.
Create Microsoft Entra app
To create an application and impersonate the chosen user, follow these steps:
Sign in to the Azure portal as a user administrator or a password administrator.
Select Microsoft Entra ID.
Go to App registrations > New registration.
Enter the name of the app.
Select suitable Supported account types.
For the Redirect URL, provide the following value: http://localhost
Click Register.
Save the Application (client) ID and Directory (tenant) ID values to use them later to configure the integration.
Configure API permissions
Go to API Permissions > Add a permission.
Select Azure Service Management > Delegated permissions.
In the Select Permissions section, select the following permission:
user_impersonation
Select Microsoft Graph > Delegated permissions.
In the Select Permissions section, select the following permissions:
SecurityEvents.Read.All
SecurityEvents.ReadWrite.All
User.Read
Select Microsoft Graph > Application permissions.
In the Select Permissions section, select the following permissions:
SecurityEvents.Read.All
SecurityEvents.ReadWrite.All
Click Add permissions.
Click Grant admin consent for YOUR_ORGANIZATION_NAME. When the Grant admin consent confirmation dialog appears, click Yes.
Create client secret
Navigate to Certificates and secrets > New client secret.
Provide a description for a client secret and set its expiration deadline.
Click Add.
Save the value of the client secret (not the secret ID) to use it as the Client Secret parameter value when configuring the integration. The client secret value is only displayed once.
Configure integration with Azure subscription ID
In Microsoft Defender for Cloud, go to the Overview tab.
Click Azure subscriptions.
Copy the Azure subscription ID value and input it in the Subscription ID parameter when configuring the integration.
Configure OAuth authentication in Google Security Operations SOAR
To configure the OAuth authentication for Microsoft Defender for Cloud in Google Security Operations SOAR platform, complete the following steps:
Configure the integration parameters and save them.
Generate a refresh token:
Optional: Simulate a case in Google Security Operations SOAR.
Manually run the Get OAuth Authorization Code action.
Manually run the Generate Token action.
Input the obtained refresh token as the Refresh Token parameter value and save the configuration.
Configure integration parameters
In Google Security Operations SOAR, configure the integration parameters with Client ID, Client secret, Tenant ID, and Subscription ID values that you've obtained in previous steps.
Generate refresh token
Generating a refresh token requires running manual actions on any existing case. If your Google Security Operations instance is new and has no existing cases, simulate one.
Simulate case
To simulate a case in Google Security Operations SOAR, follow these steps:
In the left navigation, select Cases.
On the Cases page, click add > Simulate Cases.
Select any of the default cases and click Create. It doesn't matter what case you choose to simulate.
Click Simulate.
If you have an environment other than default and would like to use it, select the correct environment and click Simulate.
In the Cases tab, click Refresh. The case you have simulated appears in the case list.
Run the Get OAuth Authorization Code action
Use the Google Security Operations SOAR case you've simulated or any existing one to run the Get OAuth Authorization Code action manually.
In the Cases tab, select your simulated case to open a Case View.
Click Manual Action.
In the Manual Action Search field, input Azure Security Center.
In the results under the Azure Security Center integration, select Get OAuth Authorization Code. This action returns an authorization link used to interactively sign in to the Microsoft Entra app.
In the Redirect URL parameter field, input the URL that you've used when creating the Microsoft Entra app.
Click Execute.
After the action is executed, navigate to the Case Wall of your simulated case. In the Azure Security Center_Get OAuth Authorization Code action record, click View More and copy the authorization link.
Open a new browser window in the incognito mode and paste the generated authorization URL. The Azure sign-in page opens.
Sign in with the user credentials you selected for the integration. After signing in, your browser should be redirected with a code in the address bar.
An example of the resulting URL with the code is as follows:
http://localhost/?code=0.ATwAylKP1BpbCEeO0Ou5iiakalBV.......nIAA&state=12345&session_state=28084547-3dea-449a-8b4c-c1671342a39d#
From the URL, copy the access code part that comes after http://localhost/?code= . You need this access code to run the Get OAuth Refresh Token action.
Run the Get OAuth Refresh Token action
Use the Google Security Operations SOAR case you've simulated to run the Get OAuth Refresh Token action manually.
In the Cases tab, select your simulated case to open a Case View.
Click Manual Action.
In the Manual Action Search field, type in Azure Security Center.
In the results under the Azure Security Center integration, select Get OAuth Refresh Token.
In the Authorization Code parameter field, input the access code that you've obtained after running the Get OAuth Authorization Code action.
Click Execute.
After the action is executed, navigate to the Case Wall of your simulated case. In the Azure Security Center_Get OAuth Refresh Token action record, click View More.
Copy the entire value of the generated refresh token.
Configure the Refresh Token parameter
Navigate to the configuration dialog for the Azure Security Center integration.
Input the refresh token value from the previous step into the Refresh Token field.
Click Save.
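The authorization-code flow that the two manual actions and the Refresh Token Renewal Job walk through above, as an added Python example (not the integration's own code): it builds the sign-in link, pulls the code out of a redirect URL shaped like the page's example, and assembles the token requests for the authorization_code and refresh_token grants. The tenant and client IDs, the secret and the Azure AD v1 `/oauth2/authorize` and `/oauth2/token` endpoints (which take the `resource` parameter shown in the page's token JSON) are assumptions for illustration.

```python
from urllib.parse import parse_qs, urlencode, urlparse

# Constructed placeholder values for this example; they are not real tenant or app identifiers.
TENANT_ID = "00000000-0000-0000-0000-000000000000"
CLIENT_ID = "11111111-1111-1111-1111-111111111111"
REDIRECT_URL = "http://localhost"  # must equal the redirect URL registered on the Entra app
# Resource audience matching the "resource" field of the page's token JSON (Azure AD v1 endpoint).
RESOURCE = "https://management.azure.com"
AUTHORITY = "https://login.microsoftonline.com"


def build_authorization_url(tenant_id, client_id, redirect_url, state="12345"):
    """Builds the sign-in link that Get OAuth Authorization Code hands to the analyst."""
    params = {
        "client_id": client_id,
        "response_type": "code",
        "redirect_uri": redirect_url,
        "resource": RESOURCE,
        "state": state,
    }
    return f"{AUTHORITY}/{tenant_id}/oauth2/authorize?{urlencode(params)}"


def extract_authorization_code(redirected_url, expected_state=None):
    """Returns the `code` query value from the URL the browser lands on after sign-in.

    The page's example URL ends in a bare '#' fragment and also carries state and
    session_state. Only `code` is needed for the exchange, but when the caller knows
    the state it issued, a mismatch is rejected so a code that belongs to a different
    authorization request is never used.
    """
    query = parse_qs(urlparse(redirected_url).query)
    if "code" not in query:
        raise ValueError("redirect URL does not contain an authorization code")
    if expected_state is not None and query.get("state", [None])[0] != expected_state:
        raise ValueError("state mismatch: redirect does not belong to this request")
    return query["code"][0]


def build_token_request(client_id, client_secret, redirect_url, code):
    """Form body Get OAuth Refresh Token would POST to /oauth2/token (authorization_code grant)."""
    return {
        "grant_type": "authorization_code",
        "client_id": client_id,
        "client_secret": client_secret,
        "redirect_uri": redirect_url,
        "resource": RESOURCE,
        "code": code,
    }


def build_refresh_request(client_id, client_secret, refresh_token):
    """Form body the Refresh Token Renewal Job would POST to rotate the stored refresh token."""
    return {
        "grant_type": "refresh_token",
        "client_id": client_id,
        "client_secret": client_secret,
        "resource": RESOURCE,
        "refresh_token": refresh_token,
    }


def refresh_token_from_response(token_json):
    """Picks the value to store in the Refresh Token parameter out of a token response
    shaped like the page's JSON result, failing loudly if the grant returned none."""
    token = token_json.get("refresh_token")
    if not token:
        raise ValueError("token response carries no refresh_token")
    return token
```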
Integrate Azure Security Center with Google Security Operations SOAR
For detailed instructions on how to configure an integration in Google Security Operations SOAR, see Configure integrations.
Integration inputs
Use the following parameters to configure the integration:
Parameter Display Name | Type | Default Value | Is Mandatory | Description |
---|---|---|---|---|
Client ID | String | N/A | Yes | Client ID of the Microsoft Entra application. |
Client Secret | Password | N/A | Yes | Client Secret of the Microsoft Entra application. |
Username | String | N/A | No | Username of the Microsoft Entra account. |
Password | Password | N/A | No | Password of the Microsoft Entra account. |
Subscription ID | String | N/A | Yes | The ID of the subscription for which you want to query information. Note: If subscription ID is provided at the integration level and action level, priority is given to the action configuration. |
Tenant ID | String | N/A | Yes | Tenant ID of the Microsoft Entra application. |
Refresh Token | Password | N/A | Yes | Refresh token for the OAuth authorization. |
Verify SSL | Checkbox | Unchecked | Yes | If enabled, verifies that the SSL certificate for the connection to the Microsoft Defender for Cloud server is valid. |
Actions
Get OAuth Authorization Code
Generate an OAuth authorization code to obtain a refresh token.
Parameters
Parameter Display Name | Type | Default Value | Is Mandatory | Description |
---|---|---|---|---|
Redirect URL | String | https://localhost | Yes | Specify the redirect URL that was used when the Microsoft Entra app was created. |
Run on
This action doesn't run on entities.
Action results
Script result
Script Result Name | Value Options |
---|---|
is_success | is_success=False |
is_success | is_success=True |
Case wall
Result type | Value/Description | Type (Entity \ General) |
---|---|---|
Output message* | The action should not fail nor stop a playbook execution: "Successfully generated Authorization code URL in Azure Security Center. Please copy paste it in the browser. After that, copy the "code" part from the URL. This authorization code is used in action "Get OAuth Refresh Token". ". | General |
Link | Name: Authorization Code Link |
Get OAuth Refresh Token
Generate the refresh token that is needed for the integration configuration. Authorization code can be generated using the Get OAuth Authorization Code action.
Parameters
Parameter Display Name | Type | Default Value | Is Mandatory | Description |
---|---|---|---|---|
Redirect URL | String | https://localhost | Yes | Specify the redirect URL that was used when the app was created. |
Authorization Code | String | N/A | Yes | Specify the authorization code from action "Get OAuth Authorization Code". |
Run on
This action doesn't run on entities.
Action results
Script result
Script Result Name | Value Options |
---|---|
is_success | is_success=False |
is_success | is_success=True |
JSON result
{
"token_type": "Bearer",
"scope": "user_impersonation",
"expires_in": "3599",
"ext_expires_in": "3599",
"expires_on": "1628514482",
"not_before": "1628510582",
"resource": "https://management.azure.com",
"access_token": "eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiIsIng1dCI6Im5PbzNaRH",
"refresh_token": "0.ATwAylKP1BpbCEeO0Ou5iiakalBVs4hy5YpMhS4OVguFb9Y8AGw",
"id_token": "eyJ0eXAiOiJKV1QiLCJhbGciOiJub25lIn0.eyJhdWQiOiI4OGIzNTU1MC1"
}
Case wall
Result type | Value/Description | Type (Entity \ General) |
---|---|---|
Output message* | The action should not fail nor stop a playbook execution: If the 200 status code is reported (is_success = true): "Successfully generated refresh token in Azure Security Center.". The action should fail and stop a playbook execution: if fatal error, like wrong credentials, no connection to server, other: "Error executing action "Get OAuth Refresh Token". Reason: {0}''.format(error.Stacktrace) If non 200 status code: "Error executing action "Get OAuth Refresh Token". Reason: {0}''.format(error_description) | General |
List Regulatory Standards
List available regulatory standards in Microsoft Defender for Cloud.
Parameters
Parameter Display Name | Type | Default Value | Is Mandatory | Description |
---|---|---|---|---|
Subscription ID | String | N/A | No | Specify the ID of the subscription for which you want to query information. Note: If subscription ID is provided at the integration level and action level, priority is given to the action configuration. |
State Filter | CSV | Failed | No | Specify the comma-separated list of states. Example: Failed, Skipped. Only standards with the matching state will be returned. For example, if you specify "Failed", action will only return failed standards. Possible values: Passed,Failed,Unsupported,Skipped |
Max Standards To Return | String | 50 | No | Specify how many standards to return. |
Run on
This action doesn't run on entities.
Action results
Script result
Script Result Name | Value Options |
---|---|
is_success | is_success=False |
is_success | is_success=True |
JSON result
{
"value": [
{
"id": "/subscriptions/a052d33b-b7c4-4dc7-9e17-5c89ea594669/providers/Microsoft.Security/regulatoryComplianceStandards/Azure-CIS-1.1.0",
"name": "Azure-CIS-1.1.0",
"type": "Microsoft.Security/regulatoryComplianceStandards",
"properties": {
"state": "Failed",
"passedControls": 21,
"failedControls": 3,
"skippedControls": 0,
"unsupportedControls": 87
}
}
]
}
Case wall
Result type | Value/Description | Type (Entity \ General) |
---|---|---|
Output message* | The action should not fail nor stop a playbook execution: If status code 200 and after filtering we have data : "Successfully retrieved regulatory controls for the provided standards in Microsoft Azure Security Center" If status code 200 and after filtering we have no data : "No regulatory standards were found in Microsoft Azure Security Center" The action should fail and stop a playbook execution: If a fatal error, SDK error, like wrong credentials, no connection to the server, other is reported: "Error executing action "List Regulatory Standards". Reason: {0}''.format(error.Stacktrace) If State Filter contains invalid values: "Error executing action "List Regulatory Standards". Reason: 'State Filter' parameter should only contain the following values: 'Passed', 'Failed', 'Skipped', 'Unsupported'.'' | General |
Case Wall Table | Name: Regulatory Standards Column: | General |
List Regulatory Standard Controls
List available controls related to standards in Microsoft Defender for Cloud.
Parameters
Parameter Display Name | Type | Default Value | Is Mandatory | Description |
---|---|---|---|---|
Subscription ID | String | N/A | No | Specify the ID of the subscription for which you want to query information. Note: If subscription ID is provided at the integration level and action level, priority is given to the action configuration. |
Standard Names | CSV | N/A | Yes | Specify a comma-separated list of standard names for which you want to retrieve details. Example: Azure-CIS-1.1.0 |
State Filter | CSV | Failed | No | Specify the comma-separated list of states. Example: Failed, Skipped. Only controls with the matching state will be returned. For example, if you specify "Failed", action will only return failed controls. Possible values: Passed,Failed,Unsupported,Skipped |
Max Controls To Return | String | 50 | No | Specify how many controls to return per standard. |
Run on
This action doesn't run on entities.
Action results
Script result
Script Result Name | Value Options |
---|---|
is_success | is_success=False |
is_success | is_success=True |
JSON result
{
"results": [
{
"Name": "{Standard_name}",
"Controls": [
{
"id": "/subscriptions/a052d33b-b7c4-4dc7-9e17-5c89ea594669/providers/Microsoft.Security/regulatoryComplianceStandards/Azure-CIS-1.1.0",
"name": "Azure-CIS-1.1.0",
"type": "Microsoft.Security/regulatoryComplianceStandards",
"properties": {
"state": "Failed",
"passedControls": 21,
"failedControls": 3,
"skippedControls": 0,
"unsupportedControls": 87
}
}
]
}
]
}
Case wall
Result type | Value/Description | Type (Entity \ General) |
---|---|---|
Output message* | The action should not fail nor stop a playbook execution: If status code 200 and after filtering we have data for at least one standard(is_success = true) : "Successfully retrieved regulatory controls for the following standards in Microsoft Azure Security Center:\n {0}".format(standard) If fail for standard(is_success = true) : "Action wasn't able to retrieve regulatory controls for the following standards in Microsoft Azure Security Center:\n {0}".format(standard) If no data is found for some standards after filter (is_success=true): "No regulatory controls were found for the following standards in Microsoft Azure Security Center:\n {0}".format(standard) If no data is found for all standards based on filters: "No regulatory controls were found for the provided standards." The action should fail and stop a playbook execution: If a fatal error, SDK error, like wrong credentials, no connection to the server, other is reported: "Error executing action "List Regulatory Standard Controls". Reason: {0}''.format(error.Stacktrace) If State Filter contains invalid values: "Error executing action "List Regulatory Standard Controls". Reason: 'State Filter' parameter should only contain the following values: 'Passed', 'Failed', 'Skipped', 'Unsupported'.'' | General |
Case Wall Table | Table Name: "Regulatory Controls: {0}".format(Standard) Column: | General |
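The State Filter validation, state matching and result cap shared by List Regulatory Standards and List Regulatory Standard Controls, as an added Python example (not the integration's own code). It runs over a constructed response shaped like the JSON results shown above; the standard names other than Azure-CIS-1.1.0, the control entries, and the rule that an empty State Filter means no filtering are assumptions made for the example.

```python
import json

ALLOWED_STATES = ("Passed", "Failed", "Skipped", "Unsupported")

# Constructed sample shaped like the page's List Regulatory Standards JSON result;
# the extra standards and all counts are made up for this example.
SAMPLE_STANDARDS_RESPONSE = json.dumps({"value": [
    {"name": "Azure-CIS-1.1.0", "type": "Microsoft.Security/regulatoryComplianceStandards",
     "properties": {"state": "Failed", "passedControls": 21, "failedControls": 3,
                    "skippedControls": 0, "unsupportedControls": 87}},
    {"name": "PCI-DSS-3.2.1", "type": "Microsoft.Security/regulatoryComplianceStandards",
     "properties": {"state": "Passed", "passedControls": 40, "failedControls": 0,
                    "skippedControls": 2, "unsupportedControls": 10}},
    {"name": "SOC-TSP", "type": "Microsoft.Security/regulatoryComplianceStandards",
     "properties": {"state": "Skipped", "passedControls": 0, "failedControls": 0,
                    "skippedControls": 30, "unsupportedControls": 0}},
]})

# Constructed controls per standard; each control carries properties.state like a standard does.
SAMPLE_CONTROLS = {
    "Azure-CIS-1.1.0": [
        {"name": "1.1", "properties": {"state": "Failed"}},
        {"name": "1.2", "properties": {"state": "Passed"}},
        {"name": "1.3", "properties": {"state": "Failed"}},
    ],
    "PCI-DSS-3.2.1": [{"name": "Req 1", "properties": {"state": "Passed"}}],
}


def parse_state_filter(state_filter):
    """Parses the CSV 'State Filter' parameter. Unknown values are rejected with the
    message both actions report; an empty filter is treated as 'all states' (assumption)."""
    states = [s.strip() for s in state_filter.split(",") if s.strip()]
    if any(s not in ALLOWED_STATES for s in states):
        raise ValueError("'State Filter' parameter should only contain the following "
                         "values: 'Passed', 'Failed', 'Skipped', 'Unsupported'.")
    return set(states) or set(ALLOWED_STATES)


def filter_by_state(items, states, limit):
    """Keeps items whose properties.state is in `states`, capped at the 'Max ... To Return'
    value (a String parameter on the page, hence the int() conversion)."""
    matched = [i for i in items if i.get("properties", {}).get("state") in states]
    return matched[: int(limit)]


def list_regulatory_standards(response_text, state_filter="Failed", max_to_return=50):
    """Mirrors List Regulatory Standards: parse the API JSON, filter by state, cap the count."""
    data = json.loads(response_text)
    return filter_by_state(data.get("value", []), parse_state_filter(state_filter), max_to_return)


def list_regulatory_standard_controls(controls_by_standard, standard_names,
                                      state_filter="Failed", max_per_standard=50):
    """Mirrors List Regulatory Standard Controls: one result entry per requested standard.
    Standards with no matching controls are collected separately so the caller can build
    the "No regulatory controls were found for the following standards" message."""
    states = parse_state_filter(state_filter)
    results, no_matches = [], []
    for name in [n.strip() for n in standard_names.split(",") if n.strip()]:
        kept = filter_by_state(controls_by_standard.get(name, []), states, max_per_standard)
        if kept:
            results.append({"Name": name, "Controls": kept})
        else:
            no_matches.append(name)
    return {"results": results, "no_matches": no_matches}
```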
Ping
Test connectivity to Microsoft Defender for Cloud with parameters provided at the integration configuration page in the Google Security Operations Marketplace tab.
Run on
This action doesn't run on entities.
Action results
Script result
Script Result Name | Value Options |
---|---|
is_success | is_success=False |
is_success | is_success=True |
Case wall
Result Type | Value / Description | Type |
---|---|---|
Output message* | The action should not fail nor stop a playbook execution: If successful: "Successfully connected to the Azure Security Center server with the provided connection parameters!" The action should fail and stop a playbook execution: If not successful: "Failed to connect to the Azure Security Center server! Error is {0}".format(exception.stacktrace) | General |
Update Alert Status
Update status of the alert in Microsoft Defender for Cloud.
Parameters
Parameter Display Name | Type | Default Value | Is Mandatory | Description |
---|---|---|---|---|
Subscription ID | String | N/A | No | Specify the ID of the subscription for which you want to query information. Note: If subscription ID is provided at the integration level and action level, priority is given to the action configuration. |
Alert ID | String | N/A | Yes | Specify an ID of the alert, where you want to update status. |
Location | String | N/A | Yes | Specify the location of the alert. Example: centralus. |
Status | DDL | Resolve | Yes | Specify the status for the alert. Possible values: |
Run on
This action doesn't run on entities.
Action results
Script result
Script Result Name | Value Options |
---|---|
is_success | is_success=False |
is_success | is_success=True |
Case wall
Result Type | Value / Description | Type |
---|---|---|
Output message* | The action should not fail nor stop a playbook execution: If status code 204 (is_success = true) : "Successfully {0} alert with ID {1} in Microsoft Azure Security Center:\n {0}".format(dismissed/resolved/reactivated, alert_id) If "errors" in the response (is_success = false) : "Action wasn't able to {0} alert with ID {1} in Microsoft Azure Security Center. Reason: {2}".format(dismiss/resolve/reactivate, alert_id, errors/message) The action should fail and stop a playbook execution: If a fatal error, SDK error, like wrong credentials, no connection to the server, other is reported: "Error executing action "Update Alert Status". Reason: {0}''.format(error.Stacktrace) | General |
Connectors
For detailed instructions on how to configure a connector in Google Security Operations SOAR, see Configuring the connector.
Azure Security Center - Security Alerts Connector
Pull security alerts from Microsoft Defender for Cloud.
Connector parameters
Use the following parameters to configure the connector:
Parameter Display Name | Type | Default Value | Is Mandatory | Description |
---|---|---|---|---|
Product Field Name | String | Product Name | Yes | Enter the source field name in order to retrieve the Product Field name. |
Event Field Name | String | resourceType | Yes | Enter the source field name in order to retrieve the Event Field name. |
Environment Field Name | String | "" | No | Describes the name of the field where the environment name is stored. If the environment field isn't found, the environment is the default environment. |
Environment Regex Pattern | String | .* | No | A regex pattern to run on the value found in the "Environment Field Name" field. Default is .* to catch all and return the value unchanged. Used to allow the user to manipulate the environment field via regex logic. If the regex pattern is null or empty, or the environment value is null, the final environment result is the default environment. |
Script Timeout (Seconds) | Integer | 180 | Yes | Timeout limit for the Python process running the current script. |
Client ID | String | N/A | Yes | Client ID of the Microsoft Entra application. |
Client Secret | Password | N/A | Yes | Client Secret of the Microsoft Entra application. |
Username | String | N/A | Yes | Username of the Microsoft Entra account. |
Password | Password | N/A | Yes | Password of the Microsoft Entra account. |
Subscription ID | String | N/A | Yes | Subscription ID of the Microsoft Entra application. |
Tenant ID | String | N/A | Yes | Tenant ID of the Microsoft Entra application. |
Lowest Severity To Fetch | String | Low | | Lowest severity that will be used to fetch alerts. Possible values: Low, Medium, High |
Max Alerts To Fetch | Integer | 50 | No | How many alerts to process per one connector iteration. |
Max Hours Backwards | Integer | 1 | No | How many hours backwards to fetch alerts. |
Use whitelist as a blacklist | Checkbox | Unchecked | Yes | If enabled, the dynamic list will be used as a blocklist. |
Verify SSL | Checkbox | Unchecked | Yes | If enabled, verifies that the SSL certificate for the connection to the Microsoft Defender for Cloud server is valid. |
Proxy Server Address | String | N/A | No | The address of the proxy server to use. |
Proxy Username | String | N/A | No | The proxy username to authenticate with. |
Proxy Password | Password | N/A | No | The proxy password to authenticate with. |
Refresh Token | Password | N/A | No | Refresh token for the OAuth authorization. |
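How the connector's Lowest Severity To Fetch, Max Hours Backwards, Max Alerts To Fetch and dynamic-list parameters combine to select alerts from one fetch, as an added Python example (not the connector's own code). The alert records are constructed for the example, and the field names `alertDisplayName`, `severity` and `timeGeneratedUtc`, the fixed clock, and the oldest-first ordering are assumptions.

```python
from datetime import datetime, timedelta, timezone

# Ordering behind the page's Possible values: Low, Medium, High. Anything else never matches.
SEVERITY_ORDER = {"Low": 1, "Medium": 2, "High": 3}

# Fixed clock and constructed alerts (field names assumed) so the example runs offline.
NOW = datetime(2021, 8, 9, 12, 0, tzinfo=timezone.utc)
SAMPLE_ALERTS = [
    {"alertDisplayName": "Suspicious authentication activity", "severity": "High",
     "timeGeneratedUtc": "2021-08-09T11:30:00Z"},
    {"alertDisplayName": "Anonymous IP access", "severity": "Low",
     "timeGeneratedUtc": "2021-08-09T11:50:00Z"},
    {"alertDisplayName": "Unusual resource deployment", "severity": "Medium",
     "timeGeneratedUtc": "2021-08-09T09:00:00Z"},
    {"alertDisplayName": "Malicious SQL activity", "severity": "High",
     "timeGeneratedUtc": "2021-08-09T11:45:00Z"},
    {"alertDisplayName": "Storage enumeration", "severity": "Informational",
     "timeGeneratedUtc": "2021-08-09T11:55:00Z"},
]


def severity_at_least(severity, lowest):
    """True when `severity` meets the 'Lowest Severity To Fetch' threshold."""
    return SEVERITY_ORDER.get(severity, 0) >= SEVERITY_ORDER[lowest]


def passes_dynamic_list(alert_name, dynamic_list, use_as_blocklist):
    """Dynamic list semantics: an allowlist by default; with 'Use whitelist as a blacklist'
    enabled, listed names are dropped instead. An empty list lets everything through."""
    if not dynamic_list:
        return True
    listed = alert_name in dynamic_list
    return not listed if use_as_blocklist else listed


def select_alerts(alerts, lowest_severity="Low", max_hours_backwards=1, max_alerts=50,
                  dynamic_list=(), use_as_blocklist=False, now=None):
    """Applies the connector parameters to one batch: time window, severity floor,
    dynamic list, then the per-iteration cap, processing oldest alerts first."""
    now = now if now is not None else datetime.now(timezone.utc)
    cutoff = now - timedelta(hours=max_hours_backwards)
    selected = []
    for alert in sorted(alerts, key=lambda a: a["timeGeneratedUtc"]):
        generated = datetime.fromisoformat(alert["timeGeneratedUtc"].replace("Z", "+00:00"))
        if generated < cutoff:
            continue  # outside the Max Hours Backwards window
        if not severity_at_least(alert["severity"], lowest_severity):
            continue
        if not passes_dynamic_list(alert["alertDisplayName"], dynamic_list, use_as_blocklist):
            continue
        selected.append(alert)
        if len(selected) >= max_alerts:
            break  # Max Alerts To Fetch reached; the rest wait for the next iteration
    return selected


def names(alerts):
    """Display names of the selected alerts, in processing order."""
    return [a["alertDisplayName"] for a in alerts]
```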
Connector rules
Proxy support
The connector supports proxies.
Jobs
To configure jobs in Google Security Operations, go to Response > Job Scheduler.
Refresh Token Renewal Job
The goal of the Refresh Token Renewal Job is to periodically update the refresh token used in the integration.
By default, the refresh token expires every 90 days, making the integration unusable upon expiration. It is recommended to run this job every 7 or 14 days to make sure that the refresh token is up to date.
Job inputs
To configure the job, use the following parameters:
Parameter | Is Mandatory | Description |
---|---|---|
Integration Environments | Optional | Integration environments which the job updates the refresh tokens for. This parameter accepts multiple values as a comma-separated string. Enclose individual values in quotation marks. |
Connector Names | Optional | Connector names which the job updates the refresh tokens for. This parameter accepts multiple values as a comma-separated string. Enclose individual values in quotation marks. |