Forum Discussion
SocInABox
Oct 13, 2021 - Iron Contributor
auto assessment playbook with "tag indicators"
Has anyone here done any work on the idea of a playbook to perform triage on Sentinel incidents?
e.g.:
If the incident contains a username entity, run these KQL queries and create tags depending on the results.
The tags would represent specific findings, e.g.:
username has been seen in 5 distinct alerts in the past 7 days, so tag name = "5D-User"
IP has been seen in 3 distinct alerts in the past 7 days, so tag name = "3D-IP"
username is sensitive, so tag name = "sensitive-user"
Do you see where I'm going here?
I want to use tags to create a library of common tags which will accelerate triage by identifying interesting indicators.
(I've already created such a playbook but I'm looking for more ideas to add to it)
Even if you haven't done such a playbook please share your ideas for interesting indicators that would help triage an incident.
Thank you!
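As an added example (not the poster's playbook), the tagging logic described above written in Python over constructed alert records; the 7-day window, the "at least two alerts" threshold and the entity field names are assumptions, and in Sentinel the counting step would be a KQL `dcount` over `SecurityAlert` run from the Logic App.

```python
from datetime import datetime, timedelta, timezone

LOOKBACK = timedelta(days=7)   # assumed look-back window from the thread's examples
MIN_ALERTS = 2                 # assumed: a single hit is just the current incident

# Constructed sample alerts (not real Sentinel data): id, timestamp and the
# entities Sentinel would have extracted for that alert.
NOW = datetime(2021, 10, 13, tzinfo=timezone.utc)
SAMPLE_ALERTS = [
    {"id": f"alert-{i}", "time": NOW - timedelta(days=d), "entities": ents}
    for i, (d, ents) in enumerate([
        (1, {"account": "jdoe", "ip": "203.0.113.5"}),
        (2, {"account": "jdoe", "ip": "203.0.113.5"}),
        (3, {"account": "jdoe"}),
        (4, {"account": "jdoe", "ip": "198.51.100.9"}),
        (6, {"account": "jdoe", "ip": "203.0.113.5"}),
        (9, {"account": "jdoe", "ip": "203.0.113.5"}),  # outside the 7-day window
        (2, {"account": "svc-backup"}),
    ])
]
SENSITIVE_USERS = {"admin", "svc-backup"}  # constructed sensitive-account watchlist


def count_distinct_alerts(alerts, entity_type, value, now=NOW, lookback=LOOKBACK):
    """Distinct alerts within the look-back window that carry this entity value
    (the KQL equivalent is summarize dcount(SystemAlertId) by the entity)."""
    cutoff = now - lookback
    return len({a["id"] for a in alerts
                if a["time"] >= cutoff and a["entities"].get(entity_type) == value})


def triage_tags(incident_entities, alerts=SAMPLE_ALERTS, sensitive_users=SENSITIVE_USERS,
                now=NOW, min_alerts=MIN_ALERTS):
    """Build the incident's tag list using the thread's naming convention:
    '<N>D-User', '<N>D-IP' for repeat sightings and 'sensitive-user' for watchlisted accounts."""
    tags = set()
    for entity_type, suffix in (("account", "User"), ("ip", "IP")):
        value = incident_entities.get(entity_type)
        if value is None:
            continue
        n = count_distinct_alerts(alerts, entity_type, value, now)
        if n >= min_alerts:
            tags.add(f"{n}D-{suffix}")
    account = incident_entities.get("account")
    if account and account.lower() in sensitive_users:
        tags.add("sensitive-user")
    return sorted(tags)


if __name__ == "__main__":
    print(triage_tags({"account": "jdoe", "ip": "203.0.113.5"}))  # ['3D-IP', '5D-User']
```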
- Pawel_Giza (Copper Contributor): I did something similar: incident enrichment to check the IP address reputation, check the IP safe watchlist, check if the device is Azure hybrid AD joined, the user agent during sign-in, and the cloud app. I put all the information into a comment.
- SocInABox (Iron Contributor): Excellent suggestions, thanks Pawel!!!!!