Security teams are often burdened with a growing number and complexity of security incidents. Automation offers a path to handling the long series of repetitive tasks involved in incident triage, investigation and response, letting analysts focus on the most important incidents and allowing SOCs to achieve more with the resources they have.
Automation rules are a new concept in Azure Sentinel, which allows you to manage the automation of incident handling centrally. Besides letting you assign playbooks to incidents from every source, automation rules also allow you to automate responses for multiple analytics rules at once, automatically tag, assign, or close incidents without the need for playbooks, and control the order in which actions are executed. Automation rules are meant to simplify automation use in Azure Sentinel while allowing you better control and visibility.
What are automation rules?
Automation rules are comprised of several parts:
- Trigger – automation rules are triggered when an incident is created.
- Conditions – a comprehensive set of conditions on the incident and entity details to control if the actions should be executed.
- Actions – actions that will be executed, in order, if the conditions are met. The actions supported now are:
- Running a playbook
- Changing the status of an incident
- Changing the severity of an incident
- Assigning an incident to an owner
- Adding a tag to an incident
Automation rules are executed in an order defined by the user and can also be set to expire after a defined period. More triggers, conditions, and actions will be introduced in the future.
Sample use cases and scenarios
Incident suppression
Automatically resolve incidents that are known false or benign positives without the use of playbooks. For example, when running penetration tests, doing scheduled maintenance or upgrades, or testing automation procedures, many false-positive incidents may be created that the SOC wants to ignore. A time-limited automation rule can automatically close these incidents as they are created while tagging them with a descriptor of their generation's cause.
Playbook management
View all playbooks that are triggered by analytic rules and assign playbooks to multiple analytic rules centrally. For example, if all your incidents are exported to an external system, you can define it once and apply it to all rules.
Incident-triggered automation
Until now, only alerts could trigger an automated response using playbooks. With automation rules, incidents can now trigger an automated response as well.
Automatic assignment
You can assign incidents to the right owner automatically. If your SOC has an analyst specializing in a particular platform, any incidents relating to that platform can be automatically assigned to that analyst.
Multiple sequenced playbooks/actions in a single rule
You can now control the order of execution of actions and playbooks and the execution of the automation rules themselves. This allows you to greatly simplify your playbooks, reducing them to a single task or a small, straightforward sequence of tasks, and combine these small playbooks in different combinations in different automation rules.
Further reading
- Introduction to automation in Azure Sentinel | Microsoft Docs (Introduction to SOAR)
- Automate incident handling in Azure Sentinel | Microsoft Docs (Concept - automation rules)
- Automate threat response with playbooks in Azure Sentinel | Microsoft Docs (Concept - playbooks)
- Tutorial: Use playbooks with automation rules in Azure Sentinel | Microsoft Docs