How to create Playbooks and automation rules for M365 Defender for Identity, Endpoint, Cloud Apps, and Data, as we wanted to do some automation around it to let SOAR work on the alerts that are of "Low" or "Medium" severity?

Vinod Survase 4,726 Reputation points
2023-12-05T15:35:15.2266667+00:00


For example: if we have many alerts, those should be verified by the respective automation rule, which takes the appropriate actions, like closing those alerts or marking them as no action needed.


1 answer

  1. David Broggy 5,701 Reputation points MVP
    2023-12-06T01:52:52.91+00:00

    Hi @Vinod Survase

    Have you tried enabling the M365 Defender analytic rule in Sentinel and then configuring it for automation?

    Then, if the logic within that automation was not sufficient, you could still call a playbook and perform additional customized workflows.
