Become a Microsoft Sentinel Automation Ninja!
Published Jul 01 2022 06:37 AM
Microsoft

The number of security incidents, and the volume of information related to them, is rising daily. Traditional tools and methods are not enough to process all of that data and respond to every incident. That is where SOAR (Security Orchestration, Automation, and Response) can help.

But where do you start with automation? Are there step-by-step examples?

We are happy to announce Microsoft Sentinel Automation Ninja! This is where we share resources around automation, from a basic introduction to deep-dive tips and tricks, to help you reach Ninja level in Microsoft Sentinel automation!

For the Microsoft Sentinel Ninja series – please visit Become a Microsoft Sentinel Ninja: The complete level 400 training - Microsoft Tech Community!

For the Microsoft Sentinel Notebooks series – please visit Microsoft Sentinel notebook ninja - the series! (microsoft.com)!

Where to start?

In addition to being a Security Information and Event Management (SIEM) system, Microsoft Sentinel is a Security Orchestration, Automation, and Response (SOAR) platform. As a SOAR platform, its primary purpose is to automate the recurring, predictable enrichment, response and remediation tasks that a Security Operations Center (SOC/SecOps) is responsible for. Leveraging SOAR frees up time and resources for more in-depth investigation of, and hunting for, advanced threats. Automation takes a few different forms in Microsoft Sentinel: automation rules centrally manage the automation of incident handling and response, and playbooks run predetermined sequences of actions to provide robust and flexible advanced automation for your threat response tasks.

If you are wondering where to start in learning about Microsoft Sentinel's SOAR capabilities, take a look at the resources outlined below:

When working with Microsoft Sentinel Automation, it is essential to understand the Microsoft Sentinel API and how REST APIs are used in general. Microsoft Sentinel API 101 is a great place to start.

Utilizing Microsoft Sentinel Automation requires additional permissions, so review the required permissions before you start. Two of them trip people up most often: the identity a playbook runs as (typically the Logic App's managed identity) should be granted only the roles its actions actually use, such as Microsoft Sentinel Responder on the workspace, and for an automation rule to run a playbook the Microsoft Sentinel service itself must hold the Microsoft Sentinel Automation Contributor role on the resource group that contains the playbook.

The Microsoft Sentinel Content hub provides access to Microsoft Sentinel out-of-the-box (built-in) content and solutions. This is the starting point when searching for a playbook template and all other content for Microsoft Sentinel.

SOAR Content Catalog is an excellent source of information about the most used playbook connectors.

This blog is a fantastic starting point for utilizing SOAR in Microsoft Sentinel - I'm Being Attacked, Now What? - Microsoft Tech Community

Microsoft Sentinel Automation: Tips and Tricks is another excellent starting point for those who prefer webinars.

How to build an automation rule

Automation rules are a way to centrally manage the automation of incident handling, allowing you to perform simple automation tasks without using playbooks.

Do you want to learn what a trigger, condition, or action is in automation rules? Start by learning more about automation rules.

To learn how to utilize automation rules in incident management, start here: Create and use Microsoft Sentinel automation rules to manage incidents | Microsoft Docs

For tips and tricks in automation rule utilization, visit our automation rules tips and tricks blog.

How to build a playbook

A playbook is a collection of actions that can be run from Microsoft Sentinel as a routine. A playbook can help automate and orchestrate your threat response; it can be run manually or set to run automatically in response to specific alerts or incidents when triggered by an analytics rule or an automation rule, respectively.

To learn how Logic Apps are used for playbooks, and what a trigger, action, or dynamic field is, start with the introduction to playbooks. After that, learning how to use triggers and actions is essential.

As mentioned in the intro, it is crucial to understand APIs, because playbook connectors call REST APIs on your behalf. It is equally essential to learn how playbooks authenticate, and what API connections and permissions mean for Microsoft Sentinel playbooks.

As mentioned, automation rules are the way to manage automation centrally. One of the actions available in an automation rule is to run a playbook; this article shows how to use that integration.

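The automation rule pieces described above (trigger, conditions, actions, including the run-playbook action) as one added Python example, not code from the original page or from Microsoft: it builds the JSON body that the Automation Rules REST API accepts, the ARM URL it is PUT to, and a small local dry-run over constructed sample incidents so you can see which actions a rule would fire before deploying it. The api-version string, the placeholder subscription, workspace, tenant and playbook IDs, and the dry-run's matching semantics are assumptions made here.

```python
"""Sentinel automation rule as a REST payload, plus a local dry-run.
Added example, not code from the original page or from Microsoft. The JSON shape
follows the Microsoft.SecurityInsights automationRules resource; API_VERSION, the
placeholder IDs and evaluate() are assumptions (the service evaluates server-side).
"""
API_VERSION = "2023-02-01"  # assumed; check the current REST API reference

def automation_rule_url(subscription_id: str, resource_group: str,
                        workspace: str, rule_id: str) -> str:
    """ARM path of one automation rule (PUT creates/updates, GET, DELETE)."""
    return ("https://management.azure.com"
            f"/subscriptions/{subscription_id}"
            f"/resourceGroups/{resource_group}"
            f"/providers/Microsoft.OperationalInsights/workspaces/{workspace}"
            f"/providers/Microsoft.SecurityInsights/automationRules/{rule_id}"
            f"?api-version={API_VERSION}")

def build_automation_rule(display_name: str, order: int, playbook_id: str,
                          tenant_id: str) -> dict:
    """Trigger: incident created. Conditions are AND-ed; actions run by 'order'.
    Matches High-severity incidents whose title contains 'Brute force', sets
    them Active, labels them, then runs the playbook (RunPlaybook action)."""
    def prop(name: str, operator: str, *values: str) -> dict:
        return {"conditionType": "Property",
                "conditionProperties": {"propertyName": name,
                                        "operator": operator,
                                        "propertyValues": list(values)}}

    return {"properties": {
        "displayName": display_name,
        "order": order,
        "triggeringLogic": {
            "isEnabled": True,
            "triggersOn": "Incidents",
            "triggersWhen": "Created",
            "conditions": [prop("IncidentSeverity", "Equals", "High"),
                           prop("IncidentTitle", "Contains", "Brute force")],
        },
        "actions": [
            {"order": 1, "actionType": "ModifyProperties",
             "actionConfiguration": {"status": "Active",
                                     "labels": [{"labelName": "auto-triage"}]}},
            {"order": 2, "actionType": "RunPlaybook",
             "actionConfiguration": {"logicAppResourceId": playbook_id,
                                     "tenantId": tenant_id}},
        ],
    }}

# Dry-run helpers (assumed semantics, to reason about a rule before deploying).
_FIELDS = {"IncidentSeverity": "severity", "IncidentTitle": "title"}  # -> field
_OPS = {
    "Equals": lambda actual, want: actual.lower() == want.lower(),
    "NotEquals": lambda actual, want: actual.lower() != want.lower(),
    "Contains": lambda actual, want: want.lower() in actual.lower(),
    "NotContains": lambda actual, want: want.lower() not in actual.lower(),
}

def evaluate(rule: dict, incident: dict, event: str = "Created") -> list:
    """Return the actionTypes that would fire, in order, or [] on no match.
    Every condition must hold; within a condition the values mean 'any of' for
    positive operators and 'none of' for Not* ones (case-insensitive here)."""
    logic = rule["properties"]["triggeringLogic"]
    if not (logic["isEnabled"] and logic["triggersOn"] == "Incidents"
            and logic["triggersWhen"] == event):
        return []
    for cond in logic["conditions"]:
        p = cond["conditionProperties"]
        actual = incident[_FIELDS[p["propertyName"]]]
        hits = [_OPS[p["operator"]](actual, v) for v in p["propertyValues"]]
        if not (all(hits) if p["operator"].startswith("Not") else any(hits)):
            return []
    actions = sorted(rule["properties"]["actions"], key=lambda a: a["order"])
    return [a["actionType"] for a in actions]

# Constructed sample incidents (not real Sentinel data).
SAMPLE_INCIDENTS = [
    {"id": "inc-1", "severity": "High", "status": "New",
     "title": "Brute force attack against Azure Portal"},
    {"id": "inc-2", "severity": "Medium", "status": "New",
     "title": "Brute force attack against SSH"},
    {"id": "inc-3", "severity": "High", "status": "New",
     "title": "Suspicious inbox manipulation rule"},
]

if __name__ == "__main__":
    playbook = ("/subscriptions/<sub>/resourceGroups/<rg>/providers"
                "/Microsoft.Logic/workflows/<playbook-name>")  # placeholder
    rule = build_automation_rule("Triage brute-force incidents", 1,
                                 playbook, "<tenant-guid>")
    print("PUT", automation_rule_url("<sub>", "<rg>", "<workspace>", "<rule-guid>"))
    for inc in SAMPLE_INCIDENTS:
        print(inc["id"], evaluate(rule, inc))  # inc-1 fires both actions
```

Send the body with a PUT to the printed URL, an Authorization: Bearer token issued for https://management.azure.com, and Content-Type: application/json. The playbook referenced by the RunPlaybook action must use the Microsoft Sentinel incident trigger, because the rule hands it the incident, and the rule's order value decides its place when several rules match the same incident.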
Microsoft Sentinel has many playbook templates, which can be found in the Content Hub, the Playbook Templates gallery, or our official GitHub repo, but sometimes you will need to customize one for your own needs. This article guides you through the customization steps.

Microsoft Sentinel’s blog on Tech Community has many examples of how you can create playbooks step-by-step. For those who like hands-on, here is a list of articles containing step-by-step instructions to create playbooks:

Microsoft Sentinel REST API docs and sample use cases:

What’s new with Microsoft Sentinel Automation

In this segment, we will be publishing all new announcements related to Microsoft Sentinel Automation. Announcements are sorted by the announcement dates.

Tips & Tricks

To help users understand Microsoft Sentinel Automation “under the hood”, we started with the Tips & Tricks blog series:

Creating a playbook template can be a time-consuming task, and to help with that, we have created a script to create those templates with ease – learn how now!

Migrate from 3rd party automation tools

If you are already using 3rd party automation tools, learn how you can migrate to Microsoft Sentinel Automation:

Last update: Jul 06 2022 09:27 AM