The number of security incidents, and the volume of information related to them, is rising daily. Traditional tools and methods are not enough to process all the data and to respond to every incident. That is where SOAR (Security Orchestration, Automation, and Response) can help.
Where to start?
In addition to being a Security Information and Event Management (SIEM) system, Microsoft Sentinel is a Security Orchestration, Automation, and Response (SOAR) platform. As a SOAR platform, its primary purpose is to automate the recurring and predictable enrichment, response, and remediation tasks that are the responsibility of Security Operations Centers (SOC/SecOps). Leveraging SOAR frees up time and resources for more in-depth investigation of, and hunting for, advanced threats. Automation takes a few different forms in Microsoft Sentinel, from automation rules, which centrally manage the automation of incident handling and response, to playbooks, which run predetermined sequences of actions to provide robust and flexible advanced automation of your threat response tasks.
If you are wondering where to start in learning about Microsoft Sentinel's SOAR capabilities, take a look at some of the resources outlined below:
- Automate more with 200+ OOTB playbooks - Microsoft Tech Community
- Unleash the Power of Modern SecOps with Microsoft Sentinel SOAR - Microsoft Tech Community
- How to use Azure Sentinel for Incident Response, Orchestration and Automation - Microsoft Tech Commu...
When working with Microsoft Sentinel Automation, it is essential to understand the Microsoft Sentinel API and the use of APIs in general. Microsoft Sentinel API 101 is a great place to start.
Using Microsoft Sentinel Automation may require additional permissions; for example, an automation rule can only run a playbook after Microsoft Sentinel has been granted explicit permissions on the resource group that contains the playbook. Please review the needed permissions.
The Microsoft Sentinel Content hub provides access to Microsoft Sentinel out-of-the-box (built-in) content and solutions. This is the starting point when searching for a playbook template and all other content for Microsoft Sentinel.
SOAR Content Catalog is an excellent source of information about the most used playbook connectors.
This blog is a fantastic starting point for utilizing SOAR in Microsoft Sentinel - I'm Being Attacked, Now What? - Microsoft Tech Community
Microsoft Sentinel Automation: Tips and Tricks is another excellent starting point for those who prefer webinars.
How to build an automation rule
Automation rules are a way to centrally manage the automation of incident handling; they let you perform simple automation tasks (such as assigning an owner, changing status or severity, adding tags, or running a playbook) without writing a playbook yourself.
Do you want to learn what a trigger, condition, or action is in an automation rule? Start by learning more about automation rules.
To learn how to utilize automation rules in incident management, start here:
Create and use Microsoft Sentinel automation rules to manage incidents | Microsoft Docs
For tips and tricks in automation rule utilization, visit our automation rules tips and tricks blog.
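To make the trigger, condition and action vocabulary concrete, here is an added example that is not from the original post or from Microsoft's documentation: a rule written in the JSON shape the automation rules REST API expects, plus a small local evaluator that applies it to constructed incidents. The owner, tenant and playbook resource IDs are placeholders, and the evaluator's case-insensitive string matching is an assumption about Sentinel's behaviour rather than a documented guarantee.

```python
"""A Microsoft Sentinel automation rule modelled as data (the 'properties' of a
Microsoft.SecurityInsights/automationRules resource, API version 2023-02-01)
plus a small local evaluator that shows how trigger, conditions and actions
combine. The evaluator is illustrative, not Sentinel's engine; the owner,
tenant and playbook ids are hypothetical placeholders."""

AUTOMATION_RULE = {
    "displayName": "High-severity incidents: assign and enrich",
    "order": 1,  # rules are applied lowest order first
    "triggeringLogic": {
        "isEnabled": True,
        "triggersOn": "Incidents",      # or "Alerts"
        "triggersWhen": "Created",      # or "Updated"
        "expirationTimeUtc": None,
        # Conditions are AND-ed; the values inside one condition are OR-ed.
        "conditions": [
            {"conditionType": "Property",
             "conditionProperties": {"propertyName": "IncidentSeverity",
                                     "operator": "Equals",
                                     "propertyValues": ["High"]}},
            {"conditionType": "Property",
             "conditionProperties": {"propertyName": "IncidentTitle",
                                     "operator": "NotContains",
                                     "propertyValues": ["[TEST]"]}},
        ],
    },
    # Listed out of order on purpose: Sentinel runs actions by 'order', not position.
    "actions": [
        {"order": 2, "actionType": "RunPlaybook",
         "actionConfiguration": {
             "logicAppResourceId": ("/subscriptions/00000000-0000-0000-0000-000000000000"
                                    "/resourceGroups/rg-soc/providers/Microsoft.Logic"
                                    "/workflows/Enrich-Incident-IPs"),   # hypothetical
             "tenantId": "11111111-1111-1111-1111-111111111111"}},       # hypothetical
        {"order": 1, "actionType": "ModifyProperties",
         "actionConfiguration": {"status": "Active",
                                 "owner": {"objectId": "22222222-2222-2222-2222-222222222222"}}},
    ],
}

# Rule property name -> field of the incident payload (a subset of what Sentinel offers).
PROPERTY_FIELDS = {"IncidentSeverity": "severity", "IncidentTitle": "title",
                   "IncidentStatus": "status", "IncidentProvider": "providerName"}


def _matches(operator, actual, expected):
    """Evaluate one property condition. Assumption: comparison is case-insensitive."""
    a = actual.casefold()
    e = [v.casefold() for v in expected]
    if operator == "Equals":
        return a in e
    if operator == "NotEquals":
        return a not in e
    if operator == "Contains":
        return any(v in a for v in e)
    if operator == "NotContains":
        return not any(v in a for v in e)
    if operator == "StartsWith":
        return any(a.startswith(v) for v in e)
    if operator == "EndsWith":
        return any(a.endswith(v) for v in e)
    raise ValueError(f"unsupported operator {operator!r}")


def evaluate_rule(rule, incident, event):
    """Return the rule's actions in execution order for an incident event
    ('Created' or 'Updated'), or [] if the trigger or any condition fails."""
    logic = rule["triggeringLogic"]
    if (not logic["isEnabled"] or logic["triggersOn"] != "Incidents"
            or logic["triggersWhen"] != event):
        return []
    for cond in logic["conditions"]:
        if cond["conditionType"] != "Property":
            raise ValueError(f"condition type {cond['conditionType']!r} not modelled here")
        cp = cond["conditionProperties"]
        actual = str(incident.get(PROPERTY_FIELDS[cp["propertyName"]], ""))
        if not _matches(cp["operator"], actual, cp["propertyValues"]):
            return []
    return sorted(rule["actions"], key=lambda action: action["order"])


def fired_action_types(rule, incident, event):
    """Convenience wrapper: just the action types, in the order they would run."""
    return [a["actionType"] for a in evaluate_rule(rule, incident, event)]


# Constructed incidents, shaped like the 'properties' of an incident object (not real data).
SAMPLE_INCIDENTS = {
    "high": {"title": "Suspicious sign-in from new country", "severity": "High", "status": "New"},
    "test": {"title": "[TEST] Suspicious sign-in", "severity": "High", "status": "New"},
    "medium": {"title": "Suspicious sign-in from new country", "severity": "Medium", "status": "New"},
}

if __name__ == "__main__":
    for name, inc in SAMPLE_INCIDENTS.items():
        print(f"{name:>6}: {fired_action_types(AUTOMATION_RULE, inc, 'Created')}")
```

Running the script shows the "high" incident firing ModifyProperties before RunPlaybook (by `order`, not by list position), while the "[TEST]" and Medium incidents fire nothing; the same rule body, wrapped in `{"properties": ...}`, is what a PUT to the automationRules endpoint of the Sentinel REST API accepts.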
How to build a playbook
A playbook is a collection of actions that can be run from Microsoft Sentinel as a routine. A playbook can help automate and orchestrate your threat response; it can be run manually or set to run automatically in response to specific alerts or incidents when triggered by an analytics rule or an automation rule, respectively.
To learn how playbooks are built on Azure Logic Apps, and what a trigger, an action, or a dynamic field is, start with the introduction to playbooks. After that, learning how to use triggers and actions is essential.
As mentioned in the introduction, it is crucial to understand APIs, since playbooks call REST APIs. It is also essential to learn how playbooks authenticate, and what API connections and permissions mean in Microsoft Sentinel playbooks.
As mentioned, automation rules are a way to manage automation centrally. One of the actions available in an automation rule is to run a playbook; in this article, you can find out how to use that integration.
Microsoft Sentinel has many playbook templates, which can be found in the Content hub, the Playbook templates gallery, or our official GitHub repo, but sometimes you will need to customize one for your own needs. This article will guide you through the customization steps.
Microsoft Sentinel’s blog on Tech Community has many examples of how to create playbooks step by step. For those who prefer hands-on learning, here is a list of articles containing step-by-step instructions for creating playbooks:
- Update Microsoft Sentinel VIP Users Watchlist from Azure AD group using playbooks - Microsoft Tech C...
- Using Microsoft Teams Adaptive Cards to enhance incident response in Microsoft Sentinel - Microsoft ...
- Automatically disable On-prem AD User using a Playbook triggered in Azure - Microsoft Tech Community
- Automate Incident Assignment with Shifts for Teams - Microsoft Tech Community
- Ingestion Cost Spike detection Playbook - Microsoft Tech Community
- How to use Microsoft Sentinel's SOAR capabilities with SAP
Microsoft Sentinel REST API docs and sample use cases:
- Microsoft Sentinel REST API | Microsoft Docs
- Enrich entities with geolocation data in Microsoft Sentinel using REST API | Microsoft Docs
- Manage hunting and livestream queries in Microsoft Sentinel using REST API | Microsoft Docs
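As an added example that is not part of the original post (and not Microsoft's code), the following script does by hand what the playbook authentication section above and the REST API docs describe: it requests a token for the Azure Resource Manager audience from the Azure Instance Metadata Service, as a Logic App with a managed identity would, and then uses the Microsoft Sentinel REST API to comment on and close an incident. The subscription, resource group, workspace and incident IDs and the sample incident payload are constructed; the HTTP transport is injectable so the whole flow runs offline against a fake.

```python
"""Calling the Microsoft Sentinel REST API the way a playbook does: obtain a
token for https://management.azure.com/ from the Azure Instance Metadata
Service (IMDS, i.e. a managed identity), then read, comment on and close an
incident. The HTTP transport is injected so the flow can run offline against
a fake. Subscription, resource group, workspace and incident ids are hypothetical."""
import json
import urllib.request
import uuid

API_VERSION = "2023-02-01"
IMDS_TOKEN_URL = ("http://169.254.169.254/metadata/identity/oauth2/token"
                  "?api-version=2018-02-01&resource=https%3A%2F%2Fmanagement.azure.com%2F")


def urllib_transport(method, url, headers, body):
    """Real transport (only works inside Azure, where IMDS is reachable).
    Same signature as the fake below: returns (status, response_bytes)."""
    req = urllib.request.Request(url, data=body, headers=headers, method=method)
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.status, resp.read()


def get_managed_identity_token(transport):
    """IMDS only answers requests carrying 'Metadata: true'; that header is what
    stops a forwarded (SSRF-style) request from elsewhere from minting a token."""
    status, raw = transport("GET", IMDS_TOKEN_URL, {"Metadata": "true"}, None)
    if status != 200:
        raise RuntimeError(f"IMDS token request failed with HTTP {status}")
    return json.loads(raw)["access_token"]


class SentinelIncidents:
    """Thin client for the .../Microsoft.SecurityInsights/incidents resource."""

    def __init__(self, token, subscription, resource_group, workspace, transport=urllib_transport):
        self.base = (f"https://management.azure.com/subscriptions/{subscription}"
                     f"/resourceGroups/{resource_group}"
                     f"/providers/Microsoft.OperationalInsights/workspaces/{workspace}"
                     f"/providers/Microsoft.SecurityInsights/incidents")
        self.headers = {"Authorization": f"Bearer {token}", "Content-Type": "application/json"}
        self.transport = transport

    def _call(self, method, path, payload=None):
        body = json.dumps(payload).encode() if payload is not None else None
        status, raw = self.transport(method, f"{self.base}{path}?api-version={API_VERSION}",
                                     self.headers, body)
        if status not in (200, 201):
            raise RuntimeError(f"{method} {path} -> HTTP {status}: {raw[:200]!r}")
        return json.loads(raw) if raw else {}

    def get(self, incident_id):
        return self._call("GET", f"/{incident_id}")

    def add_comment(self, incident_id, message):
        # The comment id is chosen by the caller; a fresh GUID never overwrites one.
        return self._call("PUT", f"/{incident_id}/comments/{uuid.uuid4()}",
                          {"properties": {"message": message}})

    def close(self, incident_id, classification, reason, comment):
        """PUT replaces the incident, so the required fields (title, severity) are
        copied from a fresh GET, and the etag is echoed back so that a concurrent
        edit by an analyst is rejected instead of silently overwritten."""
        current = self.get(incident_id)
        props = {k: v for k, v in current["properties"].items()
                 if k in ("title", "severity", "description", "owner")}
        props.update({"status": "Closed", "classification": classification,
                      "classificationReason": reason, "classificationComment": comment})
        return self._call("PUT", f"/{incident_id}",
                          {"etag": current.get("etag"), "properties": props})


# Constructed incident, shaped like a GET /incidents/{id} response (not real data).
SAMPLE_INCIDENT = {
    "etag": '"0300bf09-0000-0000-0000-5c37296e0000"',
    "properties": {"title": "Sign-in from anonymous IP", "severity": "Medium",
                   "status": "New", "incidentNumber": 1042,
                   "description": "User signed in through a Tor exit node."},
}


def make_fake_transport(incident, calls):
    """Offline stand-in for IMDS and the Sentinel API; records every request."""
    def transport(method, url, headers, body):
        calls.append((method, url, headers, body))
        if url.startswith("http://169.254.169.254/"):
            if headers.get("Metadata") != "true":
                return 400, b'{"error":"Missing Metadata header"}'
            return 200, json.dumps({"access_token": "fake-token"}).encode()
        if method == "GET":
            return 200, json.dumps(incident).encode()
        return 200, body or b"{}"  # PUT: the fake returns the stored representation
    return transport


def run_offline_demo():
    """Token -> comment -> close, against the fake. Returns the recorded calls
    and the payload of the final PUT so the result can be inspected."""
    calls = []
    transport = make_fake_transport(SAMPLE_INCIDENT, calls)
    token = get_managed_identity_token(transport)
    api = SentinelIncidents(token, "00000000-0000-0000-0000-000000000000",
                            "rg-soc", "sentinel-ws", transport)
    incident_id = "8b2f0a1e-1111-2222-3333-444444444444"
    api.add_comment(incident_id, "Closed automatically: source IP is on the VPN watchlist.")
    payload = api.close(incident_id, "BenignPositive", "SuspiciousButExpected",
                        "Known corporate VPN egress")
    return {"calls": calls, "payload": payload}


if __name__ == "__main__":
    print(json.dumps(run_offline_demo()["payload"], indent=2))
```

Two details carry over to real playbooks: when a Logic App uses a managed identity, the Microsoft Sentinel connector (or an HTTP action with managed identity authentication) obtains the token for you, but that identity still needs the Microsoft Sentinel Responder role on the workspace before it can update incidents; and because PUT replaces the incident rather than patching it, always start from a GET and send the etag back.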
What’s new with Microsoft Sentinel Automation
In this segment, we will be publishing all new announcements related to Microsoft Sentinel Automation. Announcements are sorted by announcement date.
- What’s new: Automate full incident lifecycle with incident update triggers - Microsoft Tech Communit...
- What's new: Power-up automation with Logic Apps Standard - Microsoft Tech Community
- New watchlist actions available for watchlist automation using Microsoft Sentinel SOAR - Microsoft T...
- What's new: run playbooks on incidents on demand - Microsoft Tech Community
- Run Microsoft Sentinel playbooks from workbooks on-demand - Microsoft Tech Community
- Announcing the Public Preview of the Microsoft Sentinel Playbook Templates Tab - Microsoft Tech Comm...
- What’s new: Automation rules - Microsoft Tech Community
- What’s new: Managed Identity for Azure Sentinel Logic Apps connector
- What's new: Monitoring your Logic Apps Playbooks in Azure Sentinel - Microsoft Tech Community
Tips & Tricks
To help users understand Microsoft Sentinel Automation “under the hood”, we started the Tips & Tricks blog series:
Creating a playbook template can be a time-consuming task, and to help with that, we have created a script to create those templates with ease – learn how now!
Migrate from 3rd party automation tools
If you are already using third-party automation tools, learn how you can migrate to Microsoft Sentinel Automation: