auto assessment playbook with "tag indicators"

Contributor

Has anyone here done any work on the idea of a playbook to perform triage on Sentinel incidents?

eg:

If the incident contains a username entity, run these kql queries and create tags depending on the results.

The tags would represent specific findings eg:

username has been seen in 5 distinct alerts in the past 7 days, so tag name = "5D-User"

IP has been seen in 3 distinct alerts in the past 7 days, so tag name = "3D-IP"

username is sensitive, so tag name = "sensitive-user"

 

Do you see where I'm going here?

I want to use tags to create a library of common tags which will accelerate triage by identifying interesting indicators.

 

(I've already created such a playbook but I'm looking for more ideas to add to it)


Even if you haven't done such a playbook please share your ideas for interesting indicators that would help triage an incident.

Thank you!

 

2 Replies
I did something similar, incident enrichment to check reputation IP address, check IP safe watchlist, check if the device is Azure hybrid ad join, user agent during sign in, cloud app, I put all information to comment
Excellent suggestions thanks Pawel!!!!!