Microsoft Tech Community
What’s new: Incident tasks
Published Nov 29 2022 04:51 AM
Microsoft

To triage, investigate and remediate an incident, the SOC analyst has to perform a list of steps, which may be specific to a use case or part of a general SOC standard. This set of steps is commonly called an incident workflow, playbook or SOP. Formulating these processes keeps the SOC running smoothly and sets the same standard for all analysts, so no matter who is on shift, an incident always gets the same treatment and SLAs. It also means the analyst does not need to spend time thinking about what to do next or worry about missing a critical step.

While Microsoft Sentinel’s great automation capabilities help you automate the flow of those tasks or encapsulate them to one-action playbooks that can be run on-demand, they do not replace the human analyst incident-handling process.

We are pleased to continue introducing case management capabilities that help your team handle the full incident lifecycle and workflows in a unified SIEM and SOAR platform, allowing analysts to stay in context and reduce the need to pivot to external systems. This is an integral part of our efforts to empower SOC teams' productivity and effectiveness, letting you do more with less. 

Now available: Microsoft Sentinel Incident tasks

  • Your SOC analysts can use a single central checklist to handle the processes of incident triage, investigation, and response, all without worrying about missing a critical step.
  • Your SOC engineers or senior analysts can document, update, and align the standards of incident response across the analysts' teams and shifts.
  • Your SOC engineers can create checklists of tasks to train new analysts or analysts encountering new types of incidents.
  • As a SOC manager or as an MSSP, you can make sure incidents are handled in accordance with the relevant SLAs/SOPs.

What’s included:

  • Incidents – new panel: Incident tasks.
  • Automation rules – new action: Add task.
  • Playbooks (Microsoft Sentinel Logic Apps connector) – new actions: Add task, Mark task as completed.

We have released a first set of features but stay tuned for more additions as this feature evolves!

Highlights

Follow incident tasks

When exploring the next incident in the queue to handle, analysts can already see that open tasks are waiting to be completed.

The same task list is also available from the full incident details page.

Opening the panel shows the list of tasks; in this example there are 6 steps.

The first task was added, and already completed, by a playbook. Had the playbook failed to execute the action, the task would have stayed open for the analyst, so a failed automation step is never silently skipped.

The second task has informative instructions, including links to external services and knowledge bases.

The third task carries a recommended query that should be run for this kind of incident.

If during the incident investigation process additional steps are required, analysts can add new tasks on-demand.

The ad-hoc task is appended to the end of the list, together with the user name of the analyst who added it.

Add tasks to incidents using automation rules

With the new Add task (Preview) action, automation rules can add a list of tasks to every new incident.

Apply the automation rule to a limited set of analytics rules to assign specific tasks to particular incidents, or to all analytics rules in order to define a standard set of tasks to be applied to all incidents.

In general, you can make the automation rule conditions as granular as you wish. For example, you can add tasks only to incidents that contain a certain entity type, or only to incidents created by Microsoft 365 Defender.

Use automation rule order to create smart task logic, and get an overview of all existing workflows

Tasks appear on an incident in the order they were created, so the order of the automation rules, and the internal order of the tasks within each rule, determine the order in which the analyst sees them. You can use this for smart logic. For example (see the screenshot below):

  • In order 1, automation rules add the general tasks that must happen before any use-case-specific tasks are added.
  • In orders 5-9, each use case's automation rule adds its own list of tasks.
  • In order 10, automation rules add the tasks that should always come at the end of the analyst's steps.

A lower order can also drive conditional tasks: for example, if an automation rule in order 10 adds a tag, an automation rule in order 30 can add tasks based on the tag value.

Use the filter Action: Add task (Preview) to get a high-level overview of all the automation rules that add tasks, and of all the analytics rules they apply to.

[Screenshot: automation rules filtered on Action: Add task (Preview)]

Advanced flows with playbooks

While automation rules are great for adding a plain list of tasks, playbooks let you integrate task creation and completion into complex conditional workflows that work with external tools. The Microsoft Sentinel Logic Apps connector now has two new actions: Add task (Preview) and Mark task as completed (Preview).

Use the Microsoft Sentinel Incident trigger to get the incident ARM ID that the Add task (Preview) action needs.

Use the ID of the newly added task to mark it as completed with the Mark task as completed (Preview) action.

Playbooks can add a task, perform the task, and mark the task as completed, so the analyst finds an incident that is already a few steps ahead.

Playbooks can also add tasks conditionally, after collecting data and evaluating the updated investigation status. For example, when an incident is created, the playbook looks up an IP address that appears in the incident. If the lookup finds that the IP address is malicious, the playbook creates a task for the analyst to disable the user who used that IP address. If the IP address is not known to be malicious, the playbook creates a different task: contact the user to verify the activity.
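The following Python model is an added illustration, not Sentinel's own code or API, of the two patterns this post describes: the automation-rule ordering from the previous section (tasks listed in creation order, a tag from order 10 gating a rule in order 30) and the playbook flow just described (add a task, complete it, then branch on an IP reputation verdict). The incident class, the rules and the `is_malicious` callable are all assumed stand-ins constructed for the example.

```python
from dataclasses import dataclass, field

@dataclass
class Incident:
    title: str
    analytics_rule: str
    tags: set = field(default_factory=set)
    tasks: list = field(default_factory=list)   # kept in creation order

    def add_task(self, title, created_by, status="New"):
        self.tasks.append({"title": title, "status": status, "by": created_by})
        return len(self.tasks) - 1          # index stands in for the task ID

    def complete_task(self, task_id):
        self.tasks[task_id]["status"] = "Completed"

# Constructed automation rules as (order, condition, actions). Rules run by ascending
# order, so a low-order rule's tasks list first and a tag it adds can gate a later rule.
AUTOMATION_RULES = [
    (1, lambda i: True, [("task", "Verify incident severity"),
                         ("task", "Confirm analyst assignment")]),
    (5, lambda i: i.analytics_rule == "Brute force", [("task", "Run the recommended KQL query")]),
    (10, lambda i: "VIP" in i.title, [("tag", "vip")]),
    (30, lambda i: "vip" in i.tags, [("task", "Notify the executive protection team")]),
    (50, lambda i: True, [("task", "Close the incident with a classification")]),
]

def run_automation_rules(incident, rules=AUTOMATION_RULES):
    """Apply matching rules in order; return task titles as the analyst sees them."""
    for order, condition, actions in sorted(rules, key=lambda r: r[0]):
        if not condition(incident):
            continue
        for kind, value in actions:
            if kind == "task":
                incident.add_task(value, f"automation rule (order {order})")
            else:
                incident.tags.add(value)
    return [t["title"] for t in incident.tasks]

def ip_reputation_playbook(incident, ip, is_malicious):
    """Playbook pattern from the post: add a task, perform it, mark it completed, then
    branch. `is_malicious` is an assumed callable standing in for the TI lookup."""
    task_id = incident.add_task(f"Check reputation of {ip}", "playbook")
    verdict = is_malicious(ip)
    incident.complete_task(task_id)
    if verdict:
        incident.add_task(f"Disable the user that signed in from {ip}", "playbook")
    else:
        incident.add_task(f"Contact the user to verify activity from {ip}", "playbook")
    return [(t["title"], t["status"]) for t in incident.tasks]
```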

Last update: Nov 29 2022 04:45 AM