Thanks @Maayan_Magenheim for taking part in leading this feature and writing this blog
Incident entities are a key element in understanding and resolving a security incident. A potential attack may involve a compromised account, an unknown IP address that sent, received, or forwarded traffic, a phishing URL, a suspicious activity detected on a host or a malicious FileHash. Collecting more data and taking remediation and response actions on entities is an integral part of handling an incident.
For example:
Each of these actions requires SOC analysts to pivot to an external tool, remember the set of steps to take, record somewhere that they took the action, and track its outcome. The SOC engineer needs to grant the analysts permissions on those tools and monitor their use. In some teams, instead of performing these actions themselves, analysts must pivot to an external system and open a ticket for another team (such as IT) to take the action. All of this takes time and effort, slows the investigation, increases the response time, and reduces productivity.
Now available: Create and run playbook on entities on-demand
Microsoft Sentinel automation everywhere
Before this feature, playbooks could be run on-demand on incidents (an informative, modifiable case aggregating all alerts, entities, and evidence) and on alerts (single pieces of evidence), and could act on all or some of the entities they contain. Now, playbooks can also run on a single selected entity (a specific threat actor, such as one account, IP address, URL, host, or file hash).
Hybrid automation approach for the SOC
Using both automated response and actions on-demand helps to increase productivity:
Feature highlights
Run playbooks as part of incident investigation
Run playbook on-demand on entities from incident or investigation graph.
Playbooks created with the Entity trigger and triggered from an incident context can update an incident or add a comment after taking action on the entity.
Proactively take actions on entities while hunting
Microsoft Sentinel entity pages help advanced analysts (tier 3, “hunters”) proactively hunt for threats, even before an incident is created. Under Entity Behavior, hunters can search for specific entities or select from the lists of top risky entities. Using the information and tools provided on the entity pages, hunters can now take action to protect your organization from potential threats without switching screens and losing context.
Search for entities using Microsoft Sentinel entity behavior.
Run playbook on-demand on entities from entity page.
View run history
You can see the run history for playbooks on an entity by selecting the Runs tab. It might take a few seconds for any just-completed run to appear in the list. Selecting a specific run will open the full run log in Logic Apps.
View all previous playbook runs on this entity under Runs tab.
Develop playbooks
New RBAC role: Grant analyst permissions to run playbooks
Because playbooks encapsulate actions, analysts don’t need direct permissions on the external tools to run those actions: the playbook’s Logic Apps connectors hold the permissions required.
You can then use the Microsoft Sentinel Playbook Operator RBAC role to give analysts permission to run (but not edit) a specific playbook, or all playbooks in a resource group.
This way analysts see a list of playbooks that serves as their actions toolbox, and each tier can be granted only the set of actions it is allowed to run.
Select the Microsoft Sentinel Playbook Operator when assigning permissions on a playbook.
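The role assignment described above, as an added example (not part of the original post or of Microsoft's own scripts): it grants the Microsoft Sentinel Playbook Operator role to an analyst group at resource-group scope and then checks that the group does not also hold a broader role that would let it edit the playbooks. The group name, resource group name and subscription id are placeholders.

```powershell
# Added example, not from the original post. Assumes the Az.Accounts and Az.Resources modules.
# Placeholders (hypothetical): analyst group, resource group holding the playbooks, subscription id.
$AnalystGroupName = 'SOC-Tier1-Analysts'
$PlaybookRg       = 'rg-sentinel-playbooks'
$SubscriptionId   = '<subscription-id>'
$RoleName         = 'Microsoft Sentinel Playbook Operator'   # built-in role: read workflow, read and run trigger

Connect-AzAccount -Subscription $SubscriptionId | Out-Null
$scope = "/subscriptions/$SubscriptionId/resourceGroups/$PlaybookRg"

$group = Get-AzADGroup -DisplayName $AnalystGroupName
if (-not $group) { throw "Group '$AnalystGroupName' not found" }

# Grant run-only rights on every playbook in the resource group (idempotent).
$existing = Get-AzRoleAssignment -ObjectId $group.Id -Scope $scope -RoleDefinitionName $RoleName
if (-not $existing) {
    New-AzRoleAssignment -ObjectId $group.Id -RoleDefinitionName $RoleName -Scope $scope | Out-Null
    Write-Host "Assigned '$RoleName' to '$AnalystGroupName' on $scope"
} else {
    Write-Host "'$RoleName' already assigned to '$AnalystGroupName' on $scope"
}

# Least-privilege check: any of these roles on (or inherited by) this scope would let the
# analysts modify playbook logic, which defeats the run-but-not-edit intent of the operator role.
$tooBroad = @('Owner', 'Contributor', 'Logic App Contributor')
Get-AzRoleAssignment -ObjectId $group.Id -Scope $scope |
    Where-Object { $tooBroad -contains $_.RoleDefinitionName } |
    ForEach-Object {
        Write-Warning "'$AnalystGroupName' also holds '$($_.RoleDefinitionName)' at $($_.Scope): analysts could edit playbooks, not just run them."
    }
```

Run the check periodically (or in a pipeline) so that a later, broader assignment on the subscription or resource group does not silently widen what the analysts can do.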
Learn more