In today's fast-paced digital landscape, efficient incident investigation is crucial for maintaining robust security. Azure Logic Apps play a central role in extending Microsoft Sentinel into a SOAR solution by automating routine processes, delivering speed, consistency and reliability for the Security Operations Center (SOC) processes they handle. Security Copilot supports Logic Apps integration so that prompts or promptbooks can be submitted automatically, and their outputs used to bring AI-powered enrichments into incidents generated by Microsoft Sentinel.
The Solution
This solution combines AI and automation to speed up incident triage: it provides an automated response to an incident while infusing AI reasoning into the triage process, giving the analyst quick context about the severity of the incident, detailed information about each entity involved and any executed processes. It then recommends mitigation steps, leading to a faster MTTR (Mean Time To Respond).
Below are key highlights of the solution:
- Accelerated triage:
  - Analysts can spend considerable time on an incident that includes, for example, a process name they have never encountered before, and the challenge is compounded when the process execution includes command line elements. Here Security Copilot steps in to provide a rapid analysis of the process and its command line and presents the output to the analyst far faster than they could produce it without AI's contribution.
  - Similarly, for the device entity, Copilot taps into Microsoft Intune to bring in a summary of OS information, compliance status, hardware information and so on, thereby accelerating triage.
  - Additionally, the reality in the SOC is that incidents do not happen at convenient times, and several incidents can be triggered at the same time, each requiring triage as quickly as possible. This is where AI and automation become a force multiplier: having the Logic App trigger automatically on incident creation and perform the core triage tasks saves analysts the time they would otherwise spend manually triaging several incidents at once.
- Insight consolidation: The Logic App brings together context from multiple first- and third-party sources. In this example we tap into AbuseIPDB as a third-party enrichment source. The Logic App offers this flexibility, giving customers the option to bring in enrichment data from third-party or custom sources and have Security Copilot build a holistic narrative for the triage summary. This gives the analyst as much context as possible without pivoting between multiple security tools.
- Streamlined incident management: Incident comments in Microsoft Sentinel are updated automatically, providing investigators with up-to-date information and reducing manual effort. These comments are also synchronized to the Microsoft Defender XDR portal and are therefore accessible from that interface as well.
The automated incident investigation summary is structured with the following details:
- Incident overview – Details matching those used to define the analytics rule
- Incident description – A summary including the key highlights of the incident
- Analysis on incident entities – AI-powered analysis of the IP, Account, Host and Process details as extracted from the incident
- Possible mitigation steps – Suggested mitigation steps, depending on the nature of the incident
- Conclusion
Below is a snapshot of the Logic App steps:
Figure 1: Logic app steps
Sample output
Once the Logic App is attached to the selected analytics rules and an associated incident is created, you can expect the incident to be enriched in a manner similar to what is shown below, with the output added as a comment to the triggered Microsoft Sentinel incident.
Figure 2: Incident activity log
Security Copilot skills used
| Skill | Description |
| --- | --- |
| ProcessAnalyzer | Scrutinizes process names and command lines, providing detailed insights into potentially malicious activities. |
| GetEntraUserDetails | Retrieves comprehensive user information from Microsoft Entra ID. |
| GetIntuneDevices | Extracts device details from Intune, ensuring that all devices associated with an incident are thoroughly examined. |
| AbuseIPDB | Performs IP address reputation checks, helping to identify and mitigate threats from suspicious IP addresses. |
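The following Python model of the triage flow is an added example; it is not code from this post or from the solution in the Security Copilot GitHub repo, which is built as a Logic App. It takes a Sentinel incident-trigger payload (a constructed sample with assumed field names), decides which of the four skills above to run for each entity kind, keeps internal IP addresses out of the third-party AbuseIPDB lookup, and assembles the comment in the five-section structure listed under "The automated incident investigation summary". The Security Copilot action is injected as a callable so the example runs offline; prompt wording is illustrative, not the solution's promptbook.

```python
"""Model of the Sentinel -> Security Copilot triage flow (added example, not the
post's Logic App). Field names of the incident payload and the prompt texts are
assumptions; the Copilot call is injected as submit_prompt(skill, prompt) -> str."""
import ipaddress

# Constructed sample in the shape of the "Microsoft Sentinel incident" trigger output
# (assumed field names; a real payload carries many more properties).
SAMPLE_INCIDENT = {
    "object": {
        "properties": {
            "incidentNumber": 1042,
            "title": "Suspicious encoded PowerShell command",
            "severity": "High",
            "description": "Encoded PowerShell launched on a workstation after a sign-in.",
            "relatedEntities": [
                {"kind": "Account", "properties": {"accountName": "jdoe", "upnSuffix": "contoso.com"}},
                {"kind": "Host", "properties": {"hostName": "WS-0421"}},
                {"kind": "Process", "properties": {
                    "commandLine": "powershell.exe -nop -w hidden -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoA"}},
                {"kind": "Ip", "properties": {"address": "10.0.0.5"}},       # internal, must not leave the tenant
                {"kind": "Ip", "properties": {"address": "203.0.113.77"}},   # external (documentation range)
            ],
        }
    }
}

# Internal ranges that must never be sent to an external reputation service. Listed
# explicitly instead of using ipaddress.is_private, which would also exclude the
# documentation range 203.0.113.0/24 used by the sample.
INTERNAL_NETWORKS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8",
    "169.254.0.0/16", "fc00::/7", "fe80::/10", "::1/128")]


def is_external_ip(addr):
    """True when addr parses and lies outside every internal range; False on garbage."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return False
    return not any(ip in net for net in INTERNAL_NETWORKS)


def plan_enrichment(payload):
    """Map each incident entity to the Security Copilot skill the post names for it."""
    plan = []
    for ent in payload["object"]["properties"]["relatedEntities"]:
        kind, props = ent.get("kind"), ent.get("properties", {})
        if kind == "Process":
            cmd = props.get("commandLine", "")
            plan.append({"skill": "ProcessAnalyzer", "target": cmd,
                         "prompt": f"Analyze this process command line for malicious behaviour: {cmd}"})
        elif kind == "Account":
            upn = f"{props.get('accountName', '')}@{props.get('upnSuffix', '')}"
            plan.append({"skill": "GetEntraUserDetails", "target": upn,
                         "prompt": f"Give details for Entra ID user {upn}"})
        elif kind == "Host":
            host = props.get("hostName", "")
            plan.append({"skill": "GetIntuneDevices", "target": host,
                         "prompt": f"Summarize OS, compliance and hardware details for device {host}"})
        elif kind == "Ip":
            addr = props.get("address", "")
            if is_external_ip(addr):  # skip RFC 1918, loopback and link-local addresses
                plan.append({"skill": "AbuseIPDB", "target": addr,
                             "prompt": f"Check the abuse reputation of IP address {addr}"})
    return plan


def triage(payload, submit_prompt):
    """Run the plan through submit_prompt(skill, prompt) -> str and build the comment
    text in the five sections the post describes. skill is None for free-form
    reasoning prompts (mitigation steps, conclusion)."""
    p = payload["object"]["properties"]
    lines = [
        "Incident overview",
        f"#{p['incidentNumber']} - {p['title']} (severity: {p['severity']})",
        "Incident description",
        p.get("description", ""),
        "Analysis on incident entities",
    ]
    for step in plan_enrichment(payload):
        lines.append(f"- [{step['skill']}] {step['target']}: "
                     f"{submit_prompt(step['skill'], step['prompt'])}")
    lines += [
        "Possible mitigation steps",
        submit_prompt(None, f"Suggest mitigation steps for incident: {p['title']}"),
        "Conclusion",
        submit_prompt(None, f"Summarize the triage of incident #{p['incidentNumber']}"),
    ]
    return "\n".join(lines)


if __name__ == "__main__":
    # Offline demo with a constructed fake in place of Security Copilot.
    print(triage(SAMPLE_INCIDENT, lambda skill, prompt: f"<{skill or 'reasoning'} output>"))
```

Two points in the model are worth carrying over to the real Logic App. First, the IP filter: an analytics rule often attaches internal addresses as entities, and sending those to a third-party service discloses your address plan for no gain, so gate the AbuseIPDB step on the address being external. Second, the process command line is attacker-controlled text that is placed verbatim into the prompt, so the analyst should treat the resulting summary as an aid to judgement rather than a verdict.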
Deployment prerequisites
Before deploying the Logic App, ensure the following prerequisites are met:
Follow the link below to our Security Copilot GitHub repo to obtain the solution:
Conclusion
The integration of AI and automation in the Security Operations Center (SOC) through Security Copilot and Logic Apps in Microsoft Sentinel significantly enhances incident triage and management. By leveraging these technologies, organizations can achieve faster, more consistent and more reliable incident handling, ultimately strengthening their overall security posture.
Additional resources
- Overview - Azure Logic Apps | Microsoft Learn
- Logic Apps connectors in Microsoft Security Copilot | Microsoft Learn
- Microsoft Sentinel - Cloud-native SIEM Solution | Microsoft Azure
Updated Jan 24, 2025
Version 1.0
Inwafula
Microsoft
Microsoft Security Copilot Blog