As we know, many IT Security teams across Corporate America are overburdened with the many alerts and warnings that they receive from their network security tools. CISOs are realizing this and are taking more steps to alleviate the phenomenon known as “Alert Fatigue”. For example, they are strategically placing technologies in the areas where they are needed the most, and are even making use of Artificial Intelligence (AI) and Machine Learning (ML) tools to help automatically filter out false positives.

But there is yet another tool available which can be used in conjunction with the above: the playbooks that can be created and designed for Azure Sentinel.

What Is A Playbook?

A playbook is nothing more than a collection of rules and procedures that can be implemented in Azure Sentinel to respond automatically to a threat variant. You can customize how this response takes place, based upon the examination of known signature profiles left behind by similar attack vectors.

A playbook can run continuously on a 24 x 7 x 365 cycle, or it can be set so that it is launched only on your own command. Best of all, playbooks can also be used to filter out those pesky false positives in even more granular detail. It is important to note that the procedures and rules that can be created are based upon the workflows which exist in the “Azure Logic Apps” package. More information about this can be seen here.

Creating the Playbook

The steps outlined below will allow you to build a Playbook that can be imported easily into Azure Sentinel:

  1. Log into Azure Sentinel;
  2. From there:
    • Click on “Select”;
    • Click on “Add New Playbook”.

This can be seen in the image below:


  3. Next, the “Create Logic App” screen will appear, as illustrated below:

(SOURCE: 1).

  4. Once it appears, follow these steps, in this order:
    • Enter the “Subscription” and “Resource Group” names, and in the “Logic App Name” field, give your Playbook a name;
    • Under the “Region” drop-down menu, select the geographic region where the information and data from the Logic App are to be stored;
    • If you want to keep an eye on your Playbook in real time, check the “Enable Log Analytics” box and enter a name into the “Log Analytics Workspace” field.
  5. If you want to enter certain tags:
    • Click on “Next: Tags”;
    • If not, skip this step and proceed to create your Playbook. Note that this process could take several minutes to complete.
  6. Once your new Playbook has been created, you will be routed automatically to the Logic Apps Designer, from which you can create the rules and triggers that launch your Playbook. More information about this can be seen here.
  7. It is important to note that Step #6 is accomplished from a new screen known as the “Blank Logic Template”. It is illustrated below:

(SOURCE: 1).

Establishing The Trigger Point

Every Playbook that is created for Azure Sentinel needs some kind of catalyst that launches it into action. Technically, this is known as the “Trigger Point”, and below are the steps that you need to follow in order to establish it:

  1. In the “Logic Apps Designer”, there are two distinct triggers that you can select from, which are as follows:
    • When a Creation Rule has been triggered;
    • When a response to a specific Alert has been triggered.

You need to choose which of the above two is relevant to the Playbook that you are creating. This is illustrated below:

(SOURCE: 1).

Conclusions

Overall, this article has examined what a Playbook is, and how to create one for Azure Sentinel. In our next article, we will examine:

  • How to add customized actions to your Playbook;
  • How to automate Threat Responses in Azure Sentinel;
  • How to respond to Alerts and Warnings;
  • Running the Playbook manually, or “On Demand”.

Sources