What's New: Azure Sentinel - SOC Process Framework Workbook

Published May 10 2021 02:45 PM 18.6K Views

If you are like me, you are probably excited with how fast Azure Sentinel has grown. This means more capabilities, functions and integrations to work with. So with all that power, how do I build a SOC and operationalize my Security Operations to keep up? At long last, there is a new Workbook to help you do just that... I have spent over a decade helping to build SOCs and together at Microsoft my team of GBB's, built a SOC Process Framework Workbook that combines SOC industry standards and best practices and applied them to Azure Sentinel.


A special thanks to my team members who helped me on this project. (Clive Watson, Beth Bischoff, Chuck Enstall, Josh Heizman, Matthew Littleton) Each one of you brought a wealth of knowledge and a unique perspective. A heart felt Thank you to you all!!


Deploying the Workbook

It is recommended that you have a working instance of Azure Sentinel get the full benefit of the SOC Process Framework Workbook, but the workbook will deploy regardless of your available log sources. Follow the steps below to enable the workbook:

Requirements: Azure Sentinel Workspace and Security Reader rights.

1) From the Azure portal, navigate to Azure Sentinel.

2) Select Workbooks > Templates.

3) Search SOC Process Framework and select Save to add to My Workbooks.


NOTE: If the workbook is not yet available in your Azure Sentinel Workbook Templates, you can pull down a copy by going to my GitHub repo: https://github.com/rinure-msft/Azure-Sentinel/blob/master/Workbooks/SOCProcessFramework.json and simply open a New Workbook and paste in the Gallery Code.


If you need steps on manually deploying the workbook after copying the code from GitHub, I suggest following the instructions from this article that has them outlined: https://docs.microsoft.com/en-us/azure/azure-monitor/visualize/workbooks-automate.


There are 14 Processes and 36 Procedures broken into detail to help deliver a comprehensive start to operationalizing Azure Sentinel and applying a SOC methodology.


Working Example of SOC Process Framework WorkbookWorking Example of SOC Process Framework Workbook



This workbook is built so that SOC practices can deploy this workbook and edit the following Parameters:

- [CUSTOMER] Simply replace with your customer SOC Name.

- Upload Diagrams and or Docs under the Technology sections.

- Make any necessary changes to fit the way your SOC operates and use this workbook as your Central SOC Operational Process and Procedures Knowledge Base.


This workbook has a TON of features (too many to mention) so go grab this workbook and find out how easy it is to build your SOC processes around Azure Sentinel, XDR, Azure Security Center, or any of our Security tools. 


SOC Process Framework - Analytical ProcessesSOC Process Framework - Analytical Processes



There are a couple of other artifacts that are complimentary to this workbook that were uploaded recently! Here they are:

- Get-SOCActions Playbook - Azure-Sentinel/Playbooks/Get-SOCActions at master · rinure-msft/Azure-Sentinel (github.com)

- SocRA Watchlist -  https://github.com/rinure-msft/Azure-Sentinel/blob/master/docs/SOCAnalystActionsByAlert.csv


The Get-SOCActions Playbook with "SocRA" Watchlist gives SOCs the ability to onboard SOC Actions for their Analysts to follow that snap to the SOC Process Framework Workbook. As they onboard Use-Cases and apply triage steps, this playbook can then be run to add those steps to the Incident for an Analyst to follow to closure.


I am positive this workbook will help you build a successful SOC framework needed to mature your SOC around Azure Sentinel.


Happy SOC Building!


Occasional Visitor

This is somewhat exceptional. A lot of hard work has gone into this - Thank you for sharing!

Respected Contributor

@rinure I am unable to install the template, I get 

There was an error downloading the template from URI 'https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Playbooks/Get-SOCActions/azuredeploy.j...'. Ensure that the template is publicly accessible and that the publisher has enabled CORS policy on the endpoint. To deploy this template, download the template manually and paste the contents in the 'Build your own template in the editor' option below. 

If I refresh my browser, I get the Build your own template in the editor option, but after pasting in the JSON, I get a message that it not properly formed.


@Dean Gross I am getting the same error. The PG has yet to merge my code with the main Azure-Sentinel GitHub instance. I have a pull request out and I will be talking to them today, so I will mention this and ask for a solution while I wait for them to merge. Thanks for bringing this to my attention!

Respected Contributor

@rinure thanks for the quick response. I noticed that I could not add an issue to your repro like I can in other repos, is that expected behavior or is something misconfigured?


Question on Get-SOCActions Playbook.

Did you intend to leave a subscription name on line 247 and on the bottom few rows?

Occasional Contributor

Impressive work! Kudos to the Team


Great work!

Occasional Contributor

What great edition! Thank you to the entire team

Occasional Visitor

Rin, great to see some of those SOC Best Practices and templates being made available to organizations! 

Occasional Contributor

Hello @rinure This is available for my client tenants but it tells me that the workspace is not set...Any Idea


Established Member

Amazing Workbook!


Will guide us a lot. 


Kudos to everyone involved.




Rin will be talking about this solution and providing a live demo on Wednesday, May 19, 2021 at 6pm EST. See the following for links:


Live Demo and Discussion of the SOC Process Framework Workbook for Azure Sentinel – Azure Cloud & AI... 

Senior Member

Got the templates and works well. Now need to explore in detail. 

This is an outstanding job from Rin and his colleagues which requires an award :)

Senior Member

@rodtrent - Thanks Rod.  I missed the live, but will be watching it later for sure.

Big thank you to @rinure for creating this Workbook.  Just need to explore and understand it.

Senior Member

@rodtrent  thanks mate :)

Respected Contributor

This is a great, I am learning a lot from the demo also. It makes me wonder how to expand this to include/make this available to firms that just have M365. They still need to conduct security ops, but they don't have Sentinel workbooks. Does anyone have any suggestions about how to approach this scenario? @rinure  @rodtrent 


Respected Contributor

@Edward Walton comment that, "this is a lot" was the understatement of the year :)



@Dean Gross - The repo has been fixed and merged! You should have no problems deploying the Get-SOCActions Playbook, the SocRA Watchlist, or the SOC Process Framework Workbook. All code has now been merged into the master.

Respected Contributor

Thanks that’s helpful. Now I just need to figure out how to help my clients that only have m365 without Sentinel use the content from this workbook efficiently 

Respected Contributor

@rinure is there any way to do a text search in this workbook?


@Dean Gross 

Open the Workbook, Edit, Choose the Advanced Editor, and type CTRL-F.



Use the Find to search and the Replace to replace any text you wish to update.

Occasional Contributor

Hello @rodtrent,

Please note that the replay link is not working on twitch:


Please advise?






@CHARBEL NEMNOM Because Twitch.tv is a streaming platform, it only saves live events for 10 days. This demo/episode is now available to watch on YouTube here:  https://youtu.be/i7792hqi5vg 

Occasional Contributor

Many Thanks @rodtrent!

Version history
Last update:
‎May 10 2021 02:47 PM
Updated by: