Configure Soar in Microsoft Sentinel Slides

Microsoft Sentinel playbooks allow you to automate threat response and remediation. Playbooks can be triggered by alerts or incidents and use Logic Apps workflows and connectors to access services. They can be used to manage incidents across Microsoft Defender solutions by sending notifications when threats are detected. Playbooks leverage Azure Logic Apps and the Microsoft Sentinel connector to run predetermined sequences of actions to respond to security events.

Configure SOAR in Microsoft Sentinel

Michael J. Teske
Principal Author Evangelist-Pluralsight
Configure SOAR in Microsoft Sentinel

Create Microsoft Sentinel playbooks
- Use playbooks to remediate threats
- Use playbooks across Microsoft Defender solutions

Use playbooks to manage incidents
- Configure rules and incidents to trigger playbooks

Create Microsoft Sentinel Playbooks

Security Orchestration, Automation, and Response

Automates any recurring response and remediation tasks via:
- Automation rules for incident handling
- Playbooks that run predetermined sequences of actions
  • Logic apps
  • Connectors
What Is a Microsoft Sentinel Playbook?

Collection of procedures that can be run in response to an alert or incident
- Automate and orchestrate threat response
- Can be run manually or automatically
- Based on workflows built in Azure Logic Apps

Logic Apps

Helps you schedule, automate, and orchestrate tasks
Uses connectors to communicate with other services
- Managed connector
- Custom connector
- Microsoft Sentinel connector

Trigger
- Alert
- Incident

Actions
Permissions Required for Playbooks

Logic Apps                  Microsoft Sentinel
Logic App Contributor       Microsoft Sentinel Contributor
Logic App Operator          Microsoft Sentinel Responder
                            Microsoft Sentinel Automation Contributor
How It Works
Create a Microsoft Sentinel Playbook
Create a Microsoft Sentinel Playbook
Automate Response
Use Sentinel Playbook Across Defender Solutions

Connectors for Microsoft Defender for Cloud
- Receive a notification email when Defender for Cloud:
  • Creates a recommendation
  • Creates a regulatory compliance assessment
  • Detects a threat
Use Sentinel Playbook Across Defender Solutions
Use Sentinel Playbook Across Defender Solutions
Use Playbooks to Manage Incidents

Only playbooks based on an incident trigger can be called by an automation rule
Playbooks based on the alert trigger must be defined to run directly in analytics rules
- Can also be run manually

When you choose a trigger, you will be asked to authenticate to whichever resource you are interacting with
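The following Python is an added example (not part of the slides or any Microsoft sample) that shows what the two trigger kinds above look like in a playbook's Logic Apps workflow definition, and encodes the rule that only incident-triggered playbooks can be attached to an automation rule while alert-triggered playbooks run from analytics rules. It assumes the Microsoft Sentinel connector's operation paths (/incident-creation for the incident trigger, /subscribe for the alert trigger, /Incidents/Comment for adding a comment) and the connection name azuresentinel; check these in the Logic App Designer before deploying, and the trigger names and comment text are constructed values.

```python
"""Build a Microsoft Sentinel playbook definition (Azure Logic Apps workflow)
and classify it by trigger kind.

Added example, not from the Pluralsight slides. The connector paths and the
connection key 'azuresentinel' are assumptions about the Microsoft Sentinel
Logic Apps connector and must be verified in the Logic App Designer.
"""
import json

SCHEMA = ("https://schema.management.azure.com/providers/Microsoft.Logic/"
          "schemas/2016-06-01/workflowdefinition.json#")

# Sentinel connector trigger operations (assumed paths, constructed names).
TRIGGERS = {
    "incident": {"name": "Microsoft_Sentinel_incident", "path": "/incident-creation"},
    "alert": {"name": "Microsoft_Sentinel_alert", "path": "/subscribe"},
}

# Connection reference used by every Sentinel trigger/action in the workflow.
SENTINEL_CONNECTION = "@parameters('$connections')['azuresentinel']['connectionId']"


def sentinel_trigger(kind: str) -> dict:
    """Webhook trigger block for an incident- or alert-based playbook."""
    spec = TRIGGERS[kind]
    return {
        spec["name"]: {
            "type": "ApiConnectionWebhook",
            "inputs": {
                "body": {"callback_url": "@{listCallbackUrl()}"},
                "host": {"connection": {"name": SENTINEL_CONNECTION}},
                "path": spec["path"],
            },
        }
    }


def add_comment_action(message: str) -> dict:
    """Action that writes a comment back to the incident that fired the playbook.
    Only meaningful for the incident trigger, whose body carries the incident ARM id."""
    return {
        "Add_comment_to_incident": {
            "type": "ApiConnection",
            "runAfter": {},
            "inputs": {
                "method": "post",
                "path": "/Incidents/Comment",
                "host": {"connection": {"name": SENTINEL_CONNECTION}},
                "body": {
                    "incidentArmId": "@triggerBody()?['object']?['id']",
                    "message": message,
                },
            },
        }
    }


def build_playbook(kind: str, message: str = "Playbook triage started") -> dict:
    """Assemble a complete workflow definition for the given trigger kind."""
    if kind not in TRIGGERS:
        raise ValueError(f"unknown trigger kind: {kind}")
    # Alert-triggered playbooks get no incident-scoped action here; add
    # alert-scoped actions (e.g. an email notification) in their place.
    actions = add_comment_action(message) if kind == "incident" else {}
    return {
        "$schema": SCHEMA,
        "contentVersion": "1.0.0.0",
        "parameters": {"$connections": {"type": "Object", "defaultValue": {}}},
        "triggers": sentinel_trigger(kind),
        "actions": actions,
        "outputs": {},
    }


def trigger_kind(definition: dict) -> str:
    """Classify a workflow definition by the path of its Sentinel trigger."""
    for trig in definition.get("triggers", {}).values():
        path = trig.get("inputs", {}).get("path")
        for kind, spec in TRIGGERS.items():
            if path == spec["path"]:
                return kind
    return "unknown"


def can_attach_to_automation_rule(definition: dict) -> bool:
    """Automation rules can only call incident-triggered playbooks."""
    return trigger_kind(definition) == "incident"


def runs_directly_in_analytics_rule(definition: dict) -> bool:
    """Alert-triggered playbooks are configured directly on an analytics rule."""
    return trigger_kind(definition) == "alert"


def to_json(definition: dict) -> str:
    """Serialise the definition as deployable JSON."""
    return json.dumps(definition, indent=2)


if __name__ == "__main__":
    pb = build_playbook("incident", "Triage started by playbook")
    print(to_json(pb))
    print("automation rule:", can_attach_to_automation_rule(pb),
          "| analytics rule:", runs_directly_in_analytics_rule(pb))
```

The Logic App Contributor and Sentinel Contributor roles from the permissions slide are what a deployer of this definition and the automation rule that calls it would need.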
Rules and Incidents to Trigger a Playbook

Demo
Explore Microsoft Sentinel playbooks
- Logic App Designer
- Defender Solutions

Summary

Create Microsoft Sentinel playbooks
- Use playbooks to remediate threats
  • Leverage Azure Logic Apps
  • Use connectors to access services
- Use playbooks across Microsoft Defender solutions
  • Send email notifications when Defender events are detected

Use playbooks to manage incidents
- Configure rules and incidents to trigger playbooks
  • Use Microsoft Sentinel Connector

Up Next:
Domain Summary