How to create Playbook and automation rules for M365 Defender for Identity, Endpoint, Cloud Apps, and Data


How do we create Playbooks and automation rules for M365 Defender for Identity, Endpoint, Cloud Apps, and Data? We want to do some automation around it to let SOAR work on the alerts that are of "Low" or "Medium" severity.

For example: if we have many alerts, they should be verified by the respective automation rule, which takes the appropriate actions, like closing those alerts or marking them as no action needed.


@VinodS2020

So, I think you're asking how to create those playbooks in Microsoft Sentinel. For any incident trigger you can go to Automation under the Configuration section in Sentinel. From there you can select "+ Create" and then assign an action such as running a playbook or adding a task, etc. If you select to run a playbook, you can select any active playbooks you have created. Additionally, there are playbook templates that will have what you want or will be close enough for you to modify to accomplish almost any task.


Here are the docs that will help.


Tutorial - Automate threat response in Microsoft Sentinel | Microsoft Learn