Great thanks to @Julian Gonzalez for working together on these playbooks!
Azure Security Center alerts inform the SOC about possible attacks on resources in Azure. The SOC might not have permissions on the resources that have potentially been compromised, and would need the resource owner during the investigation of the alert to:
For these reasons, the SOC would have to manually find the relevant contact and reach them every time a new alert is created. This process can easily be automated using the new Azure Sentinel Watchlists feature together with a playbook.
In this blog post we generalized the problem, for simplicity, to the subscription owner level, but the same solution can be implemented for any specific resource.
Note: This playbook requires the Azure Sentinel Incident Trigger, which is in private preview. A very similar solution can be implemented by creating scheduled analytics rules over Azure Security Center alerts and then using the Alert trigger, which is public.
This blogpost includes:
When Azure Sentinel incident creation rule was triggered
An Azure Sentinel incident was created. The playbook receives the incident as its input.
For Each Alert
Iterates over the alerts found in this incident (probably one) and performs the following:
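The lookup the playbook performs inside that loop, written out as a stand-alone example (added here; it is not code from the original post or from the playbook itself): the subscription ID is taken from the compromised resource's ARM ID, matched against a watchlist keyed on SubscriptionId, and the alert is routed to the owner found there, falling back to the SOC mailbox when the subscription is not in the watchlist. The watchlist column names, the incident layout and all addresses and GUIDs below are constructed assumptions.

```python
"""Route an Azure Security Center alert to the owner of its subscription.

Added illustrative example, not code from the original post or the playbook it
describes. Watchlist columns (SubscriptionId, OwnerName, OwnerEmail), the
incident shape and every GUID/address are assumptions / constructed data.
"""
import csv
import io
import re

# Constructed watchlist in the CSV layout a Sentinel watchlist is uploaded as.
# SubscriptionId is assumed to be the column chosen as the SearchKey.
SUBSCRIPTION_OWNERS_CSV = """SubscriptionId,OwnerName,OwnerEmail
11111111-1111-1111-1111-111111111111,Payments Team,payments-owner@example.com
22222222-2222-2222-2222-222222222222,Data Platform,data-owner@example.com
"""

# Where a notification goes when the subscription has no watchlist entry.
SOC_FALLBACK = "soc@example.com"

# An ARM resource ID always begins with /subscriptions/<guid>/ ...
_SUB_RE = re.compile(r"^/subscriptions/([0-9a-f-]{36})/", re.IGNORECASE)


def load_watchlist(csv_text):
    """Index the watchlist rows by SubscriptionId (lower-cased for matching)."""
    rows = csv.DictReader(io.StringIO(csv_text))
    return {r["SubscriptionId"].strip().lower(): r for r in rows}


def subscription_of(resource_id):
    """Extract the subscription GUID from a resource's ARM ID, or None."""
    m = _SUB_RE.match(resource_id or "")
    return m.group(1).lower() if m else None


def owners_for_incident(incident, watchlist):
    """Mirror the playbook's 'For each alert' loop: one notification per alert,
    addressed to the subscription owner or to the SOC fallback."""
    notifications = []
    for alert in incident["alerts"]:
        sub = subscription_of(alert.get("ResourceId"))
        row = watchlist.get(sub) if sub else None
        notifications.append({
            "alert": alert["AlertName"],
            "subscription": sub,
            "to": row["OwnerEmail"] if row else SOC_FALLBACK,
            "owner": row["OwnerName"] if row else None,
        })
    return notifications


# Constructed incident, loosely shaped like what the incident trigger passes in.
SAMPLE_INCIDENT = {
    "IncidentNumber": 42,
    "alerts": [
        {"AlertName": "Suspicious process executed",
         "ResourceId": "/subscriptions/11111111-1111-1111-1111-111111111111"
                       "/resourceGroups/prod/providers/Microsoft.Compute/virtualMachines/web01"},
        {"AlertName": "Access from unusual location",
         "ResourceId": "/subscriptions/99999999-9999-9999-9999-999999999999"
                       "/resourceGroups/lab/providers/Microsoft.Storage/storageAccounts/labstore"},
    ],
}

if __name__ == "__main__":
    wl = load_watchlist(SUBSCRIPTION_OWNERS_CSV)
    for n in owners_for_incident(SAMPLE_INCIDENT, wl):
        print(f"[{n['alert']}] notify {n['to']} (subscription {n['subscription']})")
```

In the Logic App the same lookup is done by the watchlist query step and the result feeds the email action; the fallback branch matters because a resource whose subscription was never added to the watchlist would otherwise produce an alert that nobody is notified about.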
Create and Upload your watchlist
On the left menu, click API connections.
For each product used in this playbook, click the connection name.
Click Authorize to sign in with your user, and don't forget to save.