
Microsoft Sentinel Blog

What's New: Multiple playbooks to one analytic rule

liortamir
Nov 09, 2020

The ability to select multiple playbooks to be triggered by each analytics rule changes the way you use playbooks in Azure Sentinel. It saves development time, keeps each playbook small and stable, reduces the risk that one complex playbook fails silently, and increases the number of automation scenarios you can put in place for each security alert.


Azure Sentinel playbooks help the SOC automate tasks, improve investigations, and respond quickly to threats. A well-run Azure Sentinel workspace is constantly fine-tuned: each analytics rule is written to generate alerts for one specific security risk, and each playbook is written for one specific automation purpose. But several automation purposes usually apply to the same analytics rule. This feature makes that practical: you can now select up to 10 playbooks to run when a rule creates a new alert.


Why should I connect multiple playbooks to one analytics rule?


Move to “one goal” playbooks: Simple to develop, easy to maintain

Triggering multiple playbooks changes the way you plan and develop them. Before this feature, a SOC that wanted to automate several scenarios for the same analytics rule had to build nested playbooks, or a single large playbook with complex conditional logic. Alternatively, it kept several near-identical copies of one playbook, each applied to a different analytics rule, duplicating the same functionality.

Now you can create as many single-purpose playbooks as you need. Each has fewer steps and needs fewer advanced manipulations and conditions. Debugging and testing are easier because there are fewer branches to exercise. When an update is necessary, it is made in the one relevant playbook. Rather than repeating the same steps in different playbooks, you create focused ones and attach as many as a rule requires.


One analytics rule, multiple automation scenarios

For example, an analytics rule that detects high-risk users signing in from suspicious IP addresses might trigger all of the following:

  • An enrichment playbook queries VirusTotal for the IP entities and adds the results as a comment on the incident.
  • A response playbook calls Azure AD Identity Protection and confirms the risky users (received as Account entities) as compromised.
  • An orchestration playbook emails the SOC that a new alert was generated, together with its details.
  • A sync playbook creates a Jira ticket for the newly created incident.


Increase your capabilities and flexibility as an MSSP

Multiple playbooks allow Managed Security Service Providers (MSSP) to add their provided playbooks to analytics rules that already have playbooks assigned, whether their own rules or their customers’. Similarly, customers of MSSPs can “mix and match,” adding both MSSP-provided playbooks and their own playbooks, to either their own rules or to MSSP-provided rules.


Get started

  1. Navigate to Azure Sentinel -> Analytics.
  2. Create a new scheduled query rule or edit an existing one.
  3. Go to the Automated response tab.
  4. Select the playbooks you would like to trigger (up to 10).

It’s as simple as that!
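The four playbooks in the scenario above and the portal steps in "Get started" can also be driven from the Azure REST API, where each attached playbook is a separate `actions` child resource of the analytics rule (`Microsoft.SecurityInsights/alertRules/{ruleId}/actions/{actionId}`). The following script is an added example written for this page, not code from the blog post or from Microsoft: it builds one PUT request per playbook, enforces the 10-playbook cap the post states (enforced here on the client, an assumption about where you want the check), and rejects malformed Logic App resource IDs and duplicate playbooks. The subscription ID, resource group, workspace, rule ID, playbook names and trigger URIs are constructed placeholders; a real trigger URI is the SAS-signed callback URL returned by the Logic App trigger's `listCallbackUrl` operation, which the calling identity must be allowed to read.

```python
"""Attach several playbooks to one Azure Sentinel scheduled analytics rule.

Each playbook becomes one `actions` resource under the rule, so attaching N
playbooks is N PUT requests. All identifiers below are constructed placeholders.
"""
import hashlib
import re
from dataclasses import dataclass
from typing import Callable, Iterable, List

ARM = "https://management.azure.com"
API_VERSION = "2020-01-01"       # stable SecurityInsights API that exposes alertRules/actions
MAX_PLAYBOOKS_PER_RULE = 10      # cap stated in the post; checked client-side here (assumption)

# Only Logic App workflows can be attached; reject anything else before we hit ARM.
_LOGIC_APP_ID = re.compile(
    r"^/subscriptions/[0-9a-f-]{36}/resourceGroups/[^/]+"
    r"/providers/Microsoft\.Logic/workflows/[^/]+$",
    re.IGNORECASE,
)


@dataclass(frozen=True)
class Playbook:
    logic_app_resource_id: str
    trigger_uri: str             # SAS-signed callback URL: treat as a secret, never log it


@dataclass(frozen=True)
class ArmRequest:
    method: str
    url: str
    body: dict


def action_id_for(logic_app_resource_id: str) -> str:
    """Deterministic action id, so re-running the plan updates rather than duplicates."""
    return hashlib.sha256(logic_app_resource_id.lower().encode()).hexdigest()[:32]


def plan_rule_actions(subscription_id: str, resource_group: str, workspace: str,
                      rule_id: str, playbooks: Iterable[Playbook]) -> List[ArmRequest]:
    """Return one PUT per playbook against the rule's `actions` collection."""
    playbooks = list(playbooks)
    if len(playbooks) > MAX_PLAYBOOKS_PER_RULE:
        raise ValueError(f"rule {rule_id}: {len(playbooks)} playbooks exceeds the cap of "
                         f"{MAX_PLAYBOOKS_PER_RULE}")
    seen, requests = set(), []
    for pb in playbooks:
        if not _LOGIC_APP_ID.match(pb.logic_app_resource_id):
            raise ValueError(f"not a Logic App workflow id: {pb.logic_app_resource_id}")
        if not pb.trigger_uri.startswith("https://"):
            raise ValueError("trigger URI must be an https callback URL")
        key = pb.logic_app_resource_id.lower()
        if key in seen:
            raise ValueError(f"playbook attached twice: {pb.logic_app_resource_id}")
        seen.add(key)
        url = (f"{ARM}/subscriptions/{subscription_id}/resourceGroups/{resource_group}"
               f"/providers/Microsoft.OperationalInsights/workspaces/{workspace}"
               f"/providers/Microsoft.SecurityInsights/alertRules/{rule_id}"
               f"/actions/{action_id_for(pb.logic_app_resource_id)}?api-version={API_VERSION}")
        body = {"properties": {"logicAppResourceId": pb.logic_app_resource_id,
                               "triggerUri": pb.trigger_uri}}
        requests.append(ArmRequest("PUT", url, body))
    return requests


def send_all(requests: Iterable[ArmRequest], send: Callable[[ArmRequest], dict]) -> List[dict]:
    """`send` is injected (e.g. a wrapper around requests.put with a bearer token)."""
    return [send(r) for r in requests]


def dry_run_send(req: ArmRequest) -> dict:
    """Offline stand-in for an authenticated client; deliberately omits the trigger URI."""
    return {"method": req.method, "url": req.url,
            "playbook": req.body["properties"]["logicAppResourceId"]}


# Constructed sample: the four single-purpose playbooks from the scenario in the post.
SUB = "00000000-0000-0000-0000-000000000000"
RG, WS, RULE = "soc-rg", "sentinel-ws", "risky-user-suspicious-ip"


def _pb(name: str) -> Playbook:
    return Playbook(
        f"/subscriptions/{SUB}/resourceGroups/{RG}/providers/Microsoft.Logic/workflows/{name}",
        f"https://prod-00.westeurope.logic.azure.com:443/workflows/{name}/triggers/When_a_response_to_an_Azure_Sentinel_alert_is_triggered/paths/invoke?sig=REDACTED",
    )


SAMPLE_PLAYBOOKS = [_pb("Enrich-VirusTotal-IP"), _pb("Confirm-RiskyUser-Compromised"),
                    _pb("Notify-SOC-Email"), _pb("Create-Jira-Ticket")]

if __name__ == "__main__":
    for result in send_all(plan_rule_actions(SUB, RG, WS, RULE, SAMPLE_PLAYBOOKS), dry_run_send):
        print(result["method"], result["playbook"].rsplit("/", 1)[-1])
```

Because the playbooks are independent `actions` resources, this also mirrors the ordering caveat below: ARM stores them as an unordered set, and nothing in the request expresses a sequence.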


At this point, the selected playbooks run in no particular order, so none of them should depend on another having finished first. We are working on a new automation experience that will also allow defining the order of execution. Stay tuned.

Updated Nov 03, 2021
Version 2.0