Automation tools are an essential capability for the modern SOC to cope with the volume of threats and manage day-to-day tasks. Microsoft Sentinel automation capabilities help security teams transform any manual process into a seamless routine that happens behind the scenes, saving time and effort, allowing analysts to focus on the decisions that genuinely require human judgment, and reducing the mean time to resolve incidents. Automation rules allow you to centrally manage the automation of incident handling and response, and playbooks provide powerful and flexible advanced automation for your threat response tasks.
Until today, you could create automation rules and playbooks which are triggered when an incident is created. Our customers have been using this capability for multiple purposes: initial enrichment, quick triage and false-positive suppression, immediate threat remediation, creating tickets in external systems, notifying stakeholders and more. We have seen an amazing level of adoption of these automation capabilities, and a decrease in our customers’ mean time to resolve. But the security incident, as the object which tells the story of the attack and organizes all the information the team has on it, is a dynamic container which keeps changing. The creation event is only the beginning of an incident’s lifecycle, and automation should be able to take part in every stage of it.
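As an added illustration of the incident-creation trigger described above (this is an example written for this page, not a rule shipped with Microsoft Sentinel), here is an automation rule in ARM template form that closes, as a false positive, any newly created incident whose title contains an assumed string. The workspace parameter name, the rule GUID, the title text and the apiVersion are assumptions; the property names follow the Microsoft.SecurityInsights/automationRules schema.

```json
{
  "type": "Microsoft.OperationalInsights/workspaces/providers/automationRules",
  "apiVersion": "2023-02-01",
  "name": "[concat(parameters('workspace'), '/Microsoft.SecurityInsights/', '00000000-0000-0000-0000-000000000000')]",
  "properties": {
    "displayName": "Suppress known-benign vulnerability-scanner incidents (example)",
    "order": 1,
    "triggeringLogic": {
      "isEnabled": true,
      "expirationTimeUtc": null,
      "triggersOn": "Incidents",
      "triggersWhen": "Created",
      "conditions": [
        {
          "conditionType": "Property",
          "conditionProperties": {
            "propertyName": "IncidentTitle",
            "operator": "Contains",
            "propertyValues": [ "Authorized vulnerability scan" ]
          }
        }
      ]
    },
    "actions": [
      {
        "order": 1,
        "actionType": "ModifyProperties",
        "actionConfiguration": {
          "status": "Closed",
          "classification": "FalsePositive",
          "classificationReason": "InaccurateData",
          "classificationComment": "Closed automatically: matches an approved scanner source (example rule)"
        }
      }
    ]
  }
}
```

Because the rule fires only on "Created", any later change to the incident (new alerts being added, a severity bump, an analyst reopening it) is not seen by this rule, which is the gap the post goes on to address.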