Become a Microsoft Sentinel Ninja: The complete level 400 training - Microsoft Tech Community!
The number of security incidents, and the volume of information related to them, is rising daily. Traditional tools and methods are not enough to process all the data and to respond to all the incidents. That is where SOAR (Security Orchestration, Automation, and Response) can help.
Where to start?
In addition to being a Security Information and Event Management (SIEM) system, Microsoft Sentinel is a Security Orchestration, Automation, and Response (SOAR) platform. As a SOAR platform, its primary purposes are to automate any recurring and predictable enrichment, response and remediation tasks that are the responsibility of Security Operations Centers (SOC/SecOps). Leveraging SOAR frees up time and resources for more in-depth investigation of and hunting for advanced threats. Automation takes a few different forms in Microsoft Sentinel, from automation rules that centrally manage the automation of incident handling and response to playbooks that run predetermined sequences of actions to provide robust and flexible advanced automation to your threat response tasks.
If you are wondering where to start in learning about Microsoft Sentinel's SOAR capabilities, take a look at some of the resources outlined below:
When working with Microsoft Sentinel Automation, it is essential to understand the Microsoft Sentinel API and the use of APIs in general. Microsoft Sentinel API 101 is a great place to start.
Utilizing Microsoft Sentinel Automation may require additional permissions. Review the required permissions before you begin.
The Microsoft Sentinel Content hub provides access to Microsoft Sentinel out-of-the-box (built-in) content and solutions. This is the starting point when searching for a playbook template and all other content for Microsoft Sentinel.
A playbook is a collection of actions that can be run from Microsoft Sentinel as a routine. A playbook can help automate and orchestrate your threat response; it can be run manually or set to run automatically in response to specific alerts or incidents when triggered by an analytics rule or an automation rule, respectively.
As mentioned, automation rules are a way to manage automation centrally. One of the actions in automation rules is to run a playbook, and in this article, you can find out how to utilize this integration.
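To make the automation-rule-runs-playbook integration concrete, here is an added example (not code from the article or from Microsoft) that builds the REST body for such a rule and does a simplified local pre-deployment check of when it would fire. The body shape follows the public SecurityInsights automationRules API; the API version, resource ids and tenant id are placeholders you must replace.

```python
# Added example (not from the article): build a Sentinel automation rule whose
# action is RunPlaybook, plus a simplified local check of its trigger logic.
# Body shape follows the public SecurityInsights automationRules REST API.
API_VERSION = "2023-02-01"  # assumed API version; confirm against current docs


def automation_rule_url(subscription_id, resource_group, workspace, rule_id):
    """URL of one automation rule resource (PUT creates or updates it)."""
    return (
        "https://management.azure.com"
        f"/subscriptions/{subscription_id}/resourceGroups/{resource_group}"
        f"/providers/Microsoft.OperationalInsights/workspaces/{workspace}"
        f"/providers/Microsoft.SecurityInsights/automationRules/{rule_id}"
        f"?api-version={API_VERSION}"
    )


def build_run_playbook_rule(display_name, playbook_resource_id, tenant_id,
                            severities=("High",), order=1):
    """Rule body: when an incident is created with a listed severity, run the playbook."""
    return {"properties": {
        "displayName": display_name,
        "order": order,  # lower order runs first when several rules match
        "triggeringLogic": {
            "isEnabled": True,
            "triggersOn": "Incidents",
            "triggersWhen": "Created",
            "conditions": [{"conditionType": "Property", "conditionProperties": {
                "propertyName": "IncidentSeverity", "operator": "Equals",
                "propertyValues": list(severities)}}],
        },
        # logicAppResourceId is the Logic App (playbook) the rule invokes
        "actions": [{"order": 1, "actionType": "RunPlaybook", "actionConfiguration": {
            "logicAppResourceId": playbook_resource_id, "tenantId": tenant_id}}],
    }}


def rule_would_fire(rule, incident):
    """Simplified local check (not the service's evaluator): rule must be enabled
    and every Property/Equals condition must match the incident's property."""
    logic = rule["properties"]["triggeringLogic"]
    if not logic["isEnabled"]:
        return False
    for cond in logic["conditions"]:
        p = cond["conditionProperties"]
        if p["operator"] == "Equals" and incident.get(p["propertyName"]) not in p["propertyValues"]:
            return False
    return True
```

Send the body with an Azure Resource Manager bearer token that carries the permissions the article points to; the local check only helps you review the conditions before deploying.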
Microsoft Sentinel’s blog on Tech Community has many examples of how to create playbooks step by step. For those who prefer a hands-on approach, here is a list of articles containing step-by-step instructions for creating playbooks: