Learn how to use automation tools and techniques to make your security operations awesome right away with Microsoft Sentinel.
Welcome to the first entry of our blog series on automating Microsoft Sentinel. We're excited to share insights and practical guidance on leveraging automation to enhance your security posture. In this series, we'll explore the various facets of automation within Microsoft Sentinel. Whether you're a seasoned security professional or just starting, our goal is to empower you with the knowledge and tools to streamline your security operations and stay ahead of threats.
Join us on this journey as we uncover the power of automation in Microsoft Sentinel and learn how to transform your security strategy from reactive to proactive. Stay tuned for our upcoming posts where we'll dive deeper into specific automation techniques and share success stories from the field. Let's make your security smarter, faster, and more resilient together.
In this series, we will show you how to automate various aspects of Microsoft Sentinel, from simple automation of Microsoft Sentinel Alerts and Incidents to more complicated response scenarios with multiple moving parts. We’re doing this as a series so that we can build up our knowledge step by step and finish off with a “capstone project” that takes SOAR into areas that most people aren’t aware of or never thought were possible.
Here is a preview of what you can expect in the upcoming posts [we’ll be updating this post with links to new posts as they happen]:
- Part 1: [You are here] – Introduction to Automating Microsoft Sentinel
- Part 2: Automation Rules – Automate the mundane away
- Part 3: Playbooks Part I – Fundamentals
  - Triggers
  - Entities
  - In-App Content / GitHub
  - Consumption plan vs. dedicated – which to choose and why?
- Part 4: Playbooks Part II – Diving Deeper
  - Built-In 1st and 3rd Party Connections (ServiceNow, etc.)
  - REST APIs (everything else)
- Part 5: Azure Functions / Custom Code
  - Why Azure Functions?
  - Consumption vs. Dedicated – which to choose and why?
- Part 6: Capstone Project (Art of the Possible) – Putting it all together
Part 1: Introduction to Automating Microsoft Sentinel
Microsoft Sentinel is a cloud-native security information and event management (SIEM) platform that helps you collect, analyze, and respond to security threats across your enterprise. But did you know that it also has a native, integrated Security Orchestration, Automation, and Response (SOAR) platform? A SOAR platform that can do just about anything you can think of? It’s true!
What is SOAR and why would I want to use it?
A Security Orchestration, Automation, and Response (SOAR) platform helps your team take action in response to alerts or events in your SIEM. For example, let’s say Contoso Corp has a policy that if a user has a medium sign-in risk in Entra ID and fails their login three times in a row within a ten-minute window, we force them to re-confirm their identity with MFA. While an analyst could certainly take the actions required, wouldn’t it be better if we could do that automatically? Using the Sentinel SOAR capabilities, you could have an analytic rule that triggers the action automatically without the analyst being involved at all.
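As an added example that is not part of the original post, here is a KQL query of the kind a scheduled analytic rule for the Contoso policy could run; it assumes the Entra ID SigninLogs table is ingested and that a playbook attached to the rule (covered later in the series) performs the MFA re-confirmation, since the query itself only detects the condition.

```kql
// Added example (not from the original post). Detects an account that, while
// flagged with medium sign-in risk, failed to sign in three times within any
// ten-minute window. The lookback and threshold values are assumptions.
let lookback  = 1h;   // how far back the scheduled rule looks on each run
let window    = 10m;  // policy window from the Contoso scenario
let threshold = 3;    // failed sign-ins that trip the rule
SigninLogs
| where TimeGenerated > ago(lookback)
| where RiskLevelDuringSignIn == "medium"
| where ResultType != "0"          // ResultType 0 is success; anything else failed
| project TimeGenerated, UserPrincipalName, IPAddress, AppDisplayName, ResultType
| sort by UserPrincipalName asc, TimeGenerated asc
// Look back (threshold - 1) rows: if that row is the same user and no more than
// `window` earlier, this row is the third failure inside a ten-minute window.
// prev() needs a literal offset, so 2 is written out rather than threshold - 1.
| extend PrevUser = prev(UserPrincipalName, 2),
         PrevTime = prev(TimeGenerated, 2)
| where UserPrincipalName == PrevUser and TimeGenerated - PrevTime <= window
| summarize
    WindowStart   = min(PrevTime),
    LastFailure   = max(TimeGenerated),
    FailedSignIns = countif(isnotempty(ResultType)) + threshold - 1,
    SourceIPs     = make_set(IPAddress, 10),
    Apps          = make_set(AppDisplayName, 10)
    by UserPrincipalName
// Map UserPrincipalName to the Account entity in the rule's entity mapping so the
// incident carries the user for the playbook to act on.
```

The summarized FailedSignIns counts the rows that closed a window plus the two earlier failures that opened the first one, which is exact for a single burst and a lower bound when the same user produces several overlapping bursts.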
Why Automate Microsoft Sentinel?
Automation is a key component of any modern security operations center (SOC). Automation can help you:
- Reduce manual tasks and human errors
- Improve the speed and accuracy of threat detection and response
- Optimize the use of your resources and skills
- Enhance your visibility and insights into your security environment
- Align your security processes with your business objectives and compliance requirements
Reduce manual tasks and human errors
Alexander Pope famously wrote “To err is human; to forgive, divine”. Busy and distracted humans make mistakes. If we can reduce their workload and errors, then it makes sense to do so. Using automation, we can make sure that all of the proper steps in our response playbook are followed, and we can make our analysts’ lives easier by giving them a simpler “point and click” response capability for those scenarios in which a human is “in the loop”, or by having the system run the automation in response to events without waiting for the analyst to respond.
Improve the speed and accuracy of threat detection and response
Letting machines do machine-like things (such as working twenty-four hours a day) is a good practice. Leveraging automation, we can let our security operations center (SOC) run around the clock by having automation tied to analytics. Rather than waiting for an analyst to come online, triage an alert and then take action, Microsoft Sentinel can stand guard and respond when needed.
Optimize the use of your resources and skills
Having our team members repeat the same mundane tasks is not optimal for the speed of response and their work satisfaction. By automating the mundane away, we can give our teams more time to learn new things or work on other tasks.
Enhance your visibility and insights into your security environment
Automation can be leveraged for more than just responding to an alert or incident. We can augment the information we have about entities involved in an alert or incident by using automation to call REST-based APIs for point-in-time lookups of the latest threat information, vulnerability data, patching status, etc.
Align your security processes with your business objectives and compliance requirements
If you have to meet particular regulatory requirements or internal KPIs, automation can help your team to achieve their goals quickly and consistently.
What Tools and Frameworks Can You Use to Automate Microsoft Sentinel?
Microsoft Sentinel provides several tools that enable you to automate your security workflows, such as:
- Automation Rules
  - Automation rules can be used to automate Microsoft Sentinel itself. For example, let’s say there is a group of machines that have been classified as business critical, and if there is an alert related to those machines, then the incident needs to be assigned to a Tier 3 response team and the severity of the alert needs to be raised to at least “high”. Using an automation rule, you can take one analytic rule, apply it to the entire enterprise, but then have an automation rule that only applies to those business-critical systems. That way only the items that need that immediate escalation receive it, quickly and efficiently.
  - Another great use of Automation Rules is to create Incident Tasks for analysts to follow. If you have a process and workflow, by using Incident Tasks you can have those appear inside of an Incident right there for the analysts to follow. No need to go “look it up” in a PDF or other document.
- Playbooks: You can use playbooks to automatically execute actions based on triggers, such as alerts, incidents, or custom events. Playbooks are based on Azure Logic Apps, which allow you to create workflows using various connectors, such as Microsoft Teams, Azure Functions, Azure Automation, and third-party services.
- Azure Functions can be leveraged to run custom code like PowerShell or Python and can be called from Sentinel via Playbooks. This way, if you have a process or code that’s beyond what a Playbook can do, you can still call it from the normal Sentinel workflow.
Conclusion
In this blog post, we introduced the automation capabilities and benefits of SOAR in Microsoft Sentinel, and some of the tools and frameworks that you can use to automate your security workflows. In the next blog posts, we will dive deeper into each of these topics and provide some practical examples and scenarios of how to automate Microsoft Sentinel.
Stay tuned for more updates and tips on automating Microsoft Sentinel!
Published May 19, 2025, Version 1.0
Matt Egen, Microsoft