Automate threat response with playbooks in Microsoft Sentinel
SOC analysts deal with numerous security alerts and incidents, and the sheer volume can overwhelm teams, leading to ignored alerts and uninvestigated incidents. Many alerts and incidents can be addressed by the same sets of predefined remediation actions, which can be automated to make the SOC more efficient and free up analysts for deeper investigations.
Use Microsoft Sentinel playbooks to run preconfigured sets of remediation actions to help automate and orchestrate your threat response. Run playbooks automatically, in response to specific alerts and incidents that trigger a configured automation rule, or manually and on-demand for a particular entity or alert.
For example, if an account and machine are compromised, a playbook can automatically isolate the machine from the network and block the account by the time the SOC team is notified of the incident.
Note
Because playbooks make use of Azure Logic Apps, additional charges may apply. Visit the Azure Logic Apps pricing page for more details.
Important
Microsoft Sentinel is available as part of the unified security operations platform in the Microsoft Defender portal. Microsoft Sentinel in the Defender portal is now supported for production use. For more information, see Microsoft Sentinel in the Microsoft Defender portal.
Recommended use cases
The following table lists high-level use cases where we recommend using Microsoft Sentinel playbooks to automate your threat response:
Use case | Description |
---|---|
Enrichment | Collect data and attach it to an incident to help your team make smarter decisions. |
Bi-directional sync | Sync Microsoft Sentinel incidents with other ticketing systems. For example, create an automation rule for all incident creations, and attach a playbook that opens a ticket in ServiceNow. |
Orchestration | Use the SOC team's chat platform to better control the incidents queue. For example, send a message to your security operations channel in Microsoft Teams or Slack to make sure your security analysts are aware of the incident. |
Response | Immediately respond to threats, with minimal human dependencies, such as when a compromised user or machine is indicated. Alternatively, manually trigger a series of automated steps during an investigation or while hunting. |
For more information, see Recommended playbook use cases, templates, and examples.
Prerequisites
The following roles are required to use Azure Logic Apps to create and run playbooks in Microsoft Sentinel.
Role | Description |
---|---|
Owner | Lets you grant access to playbooks in the resource group. |
Logic App Contributor | Lets you manage logic apps and run playbooks. Doesn't allow you to grant access to playbooks. |
Logic App Operator | Lets you read, enable, and disable logic apps. Doesn't allow you to edit or update logic apps. |
Microsoft Sentinel Contributor | Lets you attach a playbook to an analytics or automation rule. |
Microsoft Sentinel Responder | Lets you access an incident so that you can run a playbook on it manually, but doesn't itself grant permission to run the playbook. |
Microsoft Sentinel Playbook Operator | Lets you run a playbook manually. |
Microsoft Sentinel Automation Contributor | Allows automation rules to run playbooks. This role isn't used for any other purpose. |
The Active playbooks tab on the Automation page displays all active playbooks available across any selected subscriptions. By default, a playbook can be used only within the subscription to which it belongs, unless you specifically grant Microsoft Sentinel permissions to the playbook's resource group.
Extra permissions required for Microsoft Sentinel to run playbooks
Microsoft Sentinel uses a service account to run playbooks on incidents, to add security and enable the automation rules API to support CI/CD use cases. This service account is used for incident-triggered playbooks, or when you run a playbook manually on a specific incident.
In addition to your own roles and permissions, this Microsoft Sentinel service account must have its own set of permissions on the resource group where the playbook resides, in the form of the Microsoft Sentinel Automation Contributor role. Once Microsoft Sentinel has this role, it can run any playbook in the relevant resource group, manually or from an automation rule.
To grant Microsoft Sentinel the required permissions, you must have the Owner or User Access Administrator role. To run the playbooks, you'll also need the Logic App Contributor role on the resource group that contains the playbooks you want to run.
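The role assignment described above, scripted with the Azure CLI as an added example (this is not code from the Microsoft Sentinel documentation or the Sentinel GitHub repository). It grants the Microsoft Sentinel service account the Microsoft Sentinel Automation Contributor role on the playbook resource group only, skips the assignment if it already exists, and verifies it afterwards. It assumes the Azure CLI is installed and signed in with the Owner or User Access Administrator role on that resource group, and that the Sentinel service principal appears in Microsoft Entra ID under the display name "Azure Security Insights"; the script name and the `--apply` flag are this example's own conventions.

```shell
#!/usr/bin/env bash
# Added example, not part of the Microsoft Sentinel docs: grant the Sentinel
# service account the "Microsoft Sentinel Automation Contributor" role on the
# resource group that holds the playbooks, then verify the assignment.
# Assumptions: Azure CLI installed and logged in; caller holds Owner or
# User Access Administrator on the resource group; the Sentinel service
# principal's display name is "Azure Security Insights".
set -euo pipefail

SENTINEL_ROLE="Microsoft Sentinel Automation Contributor"
SENTINEL_SP_NAME="Azure Security Insights"   # assumption, see lead-in

# Build the ARM scope for a resource group. Scoping the assignment to the
# playbook resource group (not the whole subscription) keeps the grant minimal.
rg_scope() {
  local subscription_id="$1" resource_group="$2"
  printf '/subscriptions/%s/resourceGroups/%s' "$subscription_id" "$resource_group"
}

# Object id of the Sentinel service principal in the signed-in tenant.
sentinel_sp_object_id() {
  az ad sp list --display-name "$SENTINEL_SP_NAME" --query '[0].id' -o tsv
}

# Exit 0 if the role is already assigned to the principal at the scope, 1 otherwise.
has_assignment() {
  local object_id="$1" scope="$2" count
  count=$(az role assignment list --assignee "$object_id" --scope "$scope" \
            --role "$SENTINEL_ROLE" --query 'length(@)' -o tsv)
  [ "$count" -gt 0 ]
}

grant_sentinel_automation_role() {
  local subscription_id="$1" resource_group="$2" scope object_id
  scope=$(rg_scope "$subscription_id" "$resource_group")
  object_id=$(sentinel_sp_object_id)
  if has_assignment "$object_id" "$scope"; then
    echo "already assigned: '$SENTINEL_ROLE' for '$SENTINEL_SP_NAME' at $scope"
    return 0
  fi
  az role assignment create \
    --assignee-object-id "$object_id" \
    --assignee-principal-type ServicePrincipal \
    --role "$SENTINEL_ROLE" \
    --scope "$scope" -o none
  # Read the assignment back rather than trusting the create call's exit code.
  has_assignment "$object_id" "$scope" || { echo "verification failed at $scope" >&2; return 1; }
  echo "granted: '$SENTINEL_ROLE' for '$SENTINEL_SP_NAME' at $scope"
}

# Usage: ./grant-sentinel-role.sh --apply <subscription-id> <playbook-resource-group>
if [ "${1:-}" = "--apply" ]; then
  grant_sentinel_automation_role "$2" "$3"
fi
```

Run it once per resource group that contains playbooks you want automation rules to trigger; playbooks in other resource groups or subscriptions stay invisible to Sentinel until they get the same grant, which matches the scoping rule described above.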
Playbook templates (preview)
Important
Playbook templates are currently in PREVIEW. See the Supplemental Terms of Use for Microsoft Azure Previews for additional legal terms that apply to Azure features that are in beta, preview, or otherwise not yet released into general availability.
Playbook templates are prebuilt, tested, and ready-to-use workflows that aren't usable as playbooks themselves, but are ready for you to customize to meet your needs. We also recommend that you use playbook templates as a reference of best practices when developing playbooks from scratch, or as inspiration for new automation scenarios.
Access playbook templates from the following sources:
Location | Description |
---|---|
Microsoft Sentinel Automation page | The Playbook templates tab lists all installed playbooks. Create one or more active playbooks using the same template. When we publish a new version of a template, any active playbooks created from that template have an extra label added in the Active playbooks tab to indicate that an update is available. |
Microsoft Sentinel Content hub page | Playbook templates are available as part of product solutions or standalone content installed from the Content hub. For more information, see About Microsoft Sentinel content and solutions, and Discover and manage Microsoft Sentinel out-of-the-box content. |
GitHub | The Microsoft Sentinel GitHub repository contains many other playbook templates. Select Deploy to Azure to deploy a template to your Azure subscription. |
Technically, a playbook template is an Azure Resource Manager (ARM) template, which consists of several resources: an Azure Logic Apps workflow and API connections for each connection involved.
For more information, see:
- Create and customize Microsoft Sentinel playbooks from content templates
- Recommended playbook templates
- Azure Logic Apps for Microsoft Sentinel playbooks
Playbook creation and usage workflow
Use the following workflow to create and run Microsoft Sentinel playbooks:
1. Define your automation scenario. We recommend that you review recommended playbook use cases and playbook templates to start.
2. If you're not using a template, create your playbook and build your logic app. For more information, see Create and manage Microsoft Sentinel playbooks.
3. Test your logic app by running it manually. For more information, see Run a playbook manually, on demand.
4. Configure your playbook to run automatically on a new alert or incident creation, or run it manually as needed for your processes. For more information, see Respond to threats with Microsoft Sentinel playbooks.