Hi Cloudsec, Yes, you can use Azure Logic Apps to automate the enrichment of Sentinel incidents. Microsoft Sentinel playbooks, based on workflows built in Azure Logic Apps, can be used for your SOAR operations. You can also connect directly to the Microsoft Defender Threat Intelligence feed.
A good example and tutorial on connecting threat intelligence sources from playbooks is this one: https://techcommunity.microsoft.com/t5/microsoft-sentinel-blog/enrich-azure-sentinel-security-incidents-with-the-riskiq/ba-p/1534412
In essence, a playbook is a specialized Logic App designed to respond to Azure Sentinel triggers.
Reference:
- https://learn.microsoft.com/en-us/Azure/sentinel/threat-intelligence-integration
- https://learn.microsoft.com/en-us/azure/sentinel/automate-responses-with-playbooks
- https://learn.microsoft.com/en-us/azure/sentinel/tutorial-respond-threats-playbook?tabs=LAC%2Cincidents
- https://techcommunity.microsoft.com/t5/microsoft-sentinel-blog/what-s-new-automate-full-incident-lifecycle-with-incident-update/ba-p/3450306
I hope this information helps you. Regards, Luis
If the information helped address your question, please Accept the answer.
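A worked example of the enrichment step such a playbook would hand off to (for instance in an Azure Function or inline code action called between the Sentinel incident trigger and an "add comment" action), added here as illustration and not part of the answer above or of any Microsoft sample. The incident payload and the threat intelligence feed are constructed; the entity field names (`kind`, `properties.address`, `properties.domainName`) are assumed to follow the Sentinel incident entity shape, and the Logic Apps trigger and comment actions themselves are not shown.

```python
"""Enrich a Sentinel incident's entities against a threat intelligence feed.

Input: the incident object a playbook receives from the Sentinel incident trigger.
Output: matched indicators, a comment to post back on the incident, and a
recommended severity. Everything here is self-contained and runs offline.
"""
import ipaddress
import json

# Constructed stand-in for what a TI feed lookup (e.g. a Defender TI connector
# call) would return for each indicator. Not a real feed.
TI_FEED = {
    "198.51.100.23": {"confidence": 90, "tags": ["c2", "malware"], "source": "constructed-feed"},
    "bad.example.test": {"confidence": 75, "tags": ["phishing"], "source": "constructed-feed"},
}

# Constructed incident payload; only the fields this example reads are included.
# The ARM id is a placeholder, not a real resource path.
SAMPLE_INCIDENT = {
    "id": "INCIDENT-ARM-ID-PLACEHOLDER",
    "title": "Suspicious outbound connection",
    "severity": "Medium",
    "entities": [
        {"kind": "Ip", "properties": {"address": "10.0.0.5"}},            # internal, skipped
        {"kind": "Ip", "properties": {"address": "198.51.100.23"}},       # hits the feed
        {"kind": "DnsResolution", "properties": {"domainName": "Bad.Example.Test."}},
        {"kind": "Account", "properties": {"accountName": "jdoe"}},        # not looked up
        {"kind": "Ip", "properties": {"address": "not-an-ip"}},           # malformed, skipped
    ],
}

# Address ranges not worth sending to an external feed (RFC 1918 and loopback).
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]

SEVERITY_RANK = {"Informational": 0, "Low": 1, "Medium": 2, "High": 3}


def extract_indicators(incident):
    """Return [(kind, value)] for entities that can be looked up in a feed.

    Malformed or internal entities are skipped rather than failing the whole
    playbook run; domain names are normalised (lower case, no trailing dot).
    """
    indicators = []
    for entity in incident.get("entities", []):
        props = entity.get("properties", {})
        if entity.get("kind") == "Ip":
            try:
                ip = ipaddress.ip_address(props.get("address", ""))
            except ValueError:
                continue
            if any(ip in net for net in INTERNAL_NETS):
                continue
            indicators.append(("ip", str(ip)))
        elif entity.get("kind") == "DnsResolution":
            name = props.get("domainName", "").strip().lower().rstrip(".")
            if name:
                indicators.append(("domain", name))
    return indicators


def lookup(indicators, feed):
    """Match each indicator against the feed; return the matches with context."""
    return [{"kind": kind, "indicator": value, **feed[value]}
            for kind, value in indicators if value in feed]


def recommend_severity(current, matches):
    """Raise severity on high-confidence hits; never lower what an analyst set."""
    if any(m["confidence"] >= 80 for m in matches):
        target = "High"
    elif matches:
        target = "Medium"
    else:
        return current
    return target if SEVERITY_RANK.get(target, 0) > SEVERITY_RANK.get(current, 0) else current


def build_comment(matches):
    """Render the text the playbook would post as an incident comment."""
    if not matches:
        return "TI enrichment: no indicators matched the threat intelligence feed."
    lines = ["TI enrichment: %d indicator(s) matched." % len(matches)]
    for m in sorted(matches, key=lambda m: -m["confidence"]):
        lines.append("- %s %s: confidence %d, tags %s (source: %s)" % (
            m["kind"], m["indicator"], m["confidence"], ", ".join(m["tags"]), m["source"]))
    return "\n".join(lines)


def enrich_incident(incident, feed=TI_FEED):
    """Full enrichment step: extract, look up, and prepare the playbook's outputs."""
    matches = lookup(extract_indicators(incident), feed)
    current = incident.get("severity", "Medium")
    return {
        "incident_id": incident.get("id"),
        "matches": matches,
        "tags": sorted({t for m in matches for t in m["tags"]}),
        "comment": build_comment(matches),
        "recommended_severity": recommend_severity(current, matches),
    }


if __name__ == "__main__":
    print(json.dumps(enrich_incident(SAMPLE_INCIDENT), indent=2))
```

In a real playbook the returned `comment` would feed the Sentinel "add comment" action and `recommended_severity` an "update incident" action; keeping the lookup logic in a plain function like this makes it testable outside Azure and keeps private addresses and malformed entities from reaching the external feed.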