In our last article, we examined the concept of what a Playbook is, and how to create one specifically for the Azure Sentinel platform.  Specifically, the following topics were covered;

  • Creating the Playbook;
  • Establishing The Trigger Point.

In this article, we continue with theme of creating the Playbook, but looking at more advanced functionalities.

How To Steps For Your Playbook

In this process, you and your IT Security team can deploy those kinds of actions to be carried out when the Playbook is actually executed.  Here are the steps to follow:

  1. In the Logic Apps Designer, click on “New Step”.
  2. This will open up a new frame. Once it appears and give this step a name for future reference.
  3. There are two types of instructions that you can add to your new step, which are as follows:
    • Dynamic Content: You can create the attributes of the specific event(s) you want your Playbook to respond to.
    • Expression Content: You can select the attributes you want from a library that is available in Azure Sentinel.

This is illustrated in the diagram below:

Responding to Specific Incidents

You can design your Azure Sentinel platform so that it will respond to certain types and kinds of events/incidents, based upon what you have experienced in the past, as well has what you have extrapolated as to what future events could possibly look like.  This is done by creating various Automation Rules.  To accomplish this, follow these steps:

  1. Log into your Azure Sentinel Portal.
  2. Go to the Navigation Menu, in the Automation screen:
    • Select Create;
    • Select Add New Rule.

This can be seen in the illustration below:

  1. Once you have finished the last step, a “Create New Automation Rule” Window will then appear. This is depicted below:

Take note of the following:

  • If you want the Automation Rule to run only selected attributes, specify in this in the “If Analytics Rule Name” condition in the drop-down menus.
  • If there are any other additional attributes you want to add to this Automation Rule, click on “Add Condition”, and select those attributes that you want to include.
  • In the “Actions” drop down menu, you select those kinds/types of events that you want the Automation Rule to act on. The options in this regard include the following:
    • Assign Owner;
    • Change Status;
    • Change Severity;
    • Add Tags;
    • Run Playbook.
  • If you choose to add an additional Playbook action, you can select that from the list that appears in the drop-down menu (this will appear when you select “Add Action”. It is important to note that those Playbooks that have been assigned an Incident Trigger to them will appear.
  • You can select an Expiration Date (from the “Rule Expiration” fields) for your Automation Rule if it supposed to have a finite lifespan.
  • From the “Order” field, you specify the order of the sequence in which the Automation Rule will be executed and run in.
  • Click on “Apply” to apply all of these characteristics your newly created Automation Rule.

You can also create more advanced and detailed Automation Rules.  More information on that can be seen here.

How To Respond To Alerts

You can also make your Azure Sentinel Playbook to respond to the alerts and warnings that your network security tools provide you with.  To do this, follow these steps:

  1. Go to the Analytics screen from the navigation menu in Azure Sentinel.
  2. Select the appropriate Analytics Rule, and then click on “Edits”.
  3. Select the “Automated Response” section.  This is illustrated in the diagram below:

  1. Select the appropriate Playbook from the drop-down menu.
  2. From the Review and Create section, click on “Save”.

More detailed information on how to respond to Alerts can be seen here.

Conclusions

Azure Sentinel is a very powerful tool that you can make use of to beef your lines of defenses.  If you need further assistance in this regard, please contact us today!

Sources