Create and perform incident tasks in Microsoft Sentinel using playbooks

This article explains how to use playbooks to create (and optionally perform) incident tasks, in order to manage complex analyst workflow processes in Microsoft Sentinel.

Incident tasks can be created automatically not only by playbooks, but also by automation rules, and also manually, ad-hoc, from within an incident.

Use cases for different roles

This article addresses the following scenarios that apply to SOC managers, senior analysts, and automation engineers:

Other scenarios for this audience are addressed in the following companion article:

Another article, at the following links, addresses scenarios that apply more to SOC analysts:

Prerequisites

The Microsoft Sentinel Responder role is required to view and edit incidents, which is necessary to add, view, and edit tasks.

The Logic Apps Contributor role is required to create and edit playbooks.

Add tasks to incidents with playbooks

Use the Add task action in a playbook (in the Microsoft Sentinel connector) to automatically add a task to the incident that triggered the playbook.

Follow these instructions to create a playbook based on the incident trigger. (You can use either a Standard workflow or a Consumption workflow.)

There are two ways to work with playbooks to generate tasks:

Use a playbook to add a task and perform it

In this example we're going to add a playbook action that adds a task to the incident to reset a compromised user's password, and we'll add another playbook action that sends a signal to Microsoft Entra ID Protection (AADIP) to actually reset the password. Then we'll add a final playbook action to mark the task in the incident complete.

To add and configure these actions, take the following steps:

  1. From the Microsoft Sentinel connector, add the Add task to incident action.
    Choose the Incident ARM ID dynamic content item for the Incident ARM id field. Enter Reset user password as the Title. Add a description if you want.

    Screenshot shows playbook actions to add a task to reset a user's password.

  2. Add the Entities - Get Accounts (Preview) action.
    Add the Entities dynamic content item (from the Microsoft Sentinel incident schema) to the Entities list field.

    Screenshot shows playbook actions to get the account entities in the incident.

  3. Add a For each loop from the Control actions library.
    Add the Accounts dynamic content item from the Entities - Get Accounts output to the Select an output from previous steps field.

    Screenshot shows how to add a for-each loop action to a playbook in order to perform an action on each discovered account.

  4. Inside the For each loop, select Add an action.
    Search for and select the Microsoft Entra ID Protection connector, and select the Confirm a risky user as compromised (Preview) action.
    Add the Accounts Microsoft Entra user ID dynamic content item to the userIds Item - 1 field.

    Note

    This field (Accounts Microsoft Entra user ID) is one way to identify a user in AADIP. It is not necessarily the best way in every scenario, but it is used here only as an example. For assistance, consult other playbooks that handle compromised users, or the Microsoft Entra ID Protection documentation.

    This action sets in motion processes inside Microsoft Entra ID Protection that will reset the user's password.

    Screenshot shows sending entities to AADIP to confirm compromise.

  5. Add the Mark a task as completed action from the Microsoft Sentinel connector.
    Add the Incident task ID dynamic content item to the Task ARM id field.

    Screenshot shows how to add a playbook action to mark an incident task complete.

Use a playbook to add a task conditionally

In this example we're going to add a playbook action that researches an IP address that appears in an incident. If the results of this research are that the IP address is malicious, the playbook will create a task for the analyst to disable the user using that IP address. If the IP address is not a known malicious address, the playbook will create a different task, for the analyst to contact the user to verify the activity.

  1. From the Microsoft Sentinel connector, add the Entities - Get IPs action.
    Add the Entities dynamic content item (from the Microsoft Sentinel incident schema) to the Entities list field.

    Screenshot shows playbook actions to get the IP address entities in the incident.

  2. Add a For each loop from the Control actions library.
    Add the IPs dynamic content item from the Entities - Get IPs output to the Select an output from previous steps field.

    Screenshot shows how to add a for-each loop action to a playbook in order to perform an action on each discovered IP address.

  3. Inside the For each loop, select Add an action.
    Search for and select the Virus Total connector, and select the Get an IP report (Preview) action.
    Add the IPs Address dynamic content item from the Entities - Get IPs output to the IP Address field.

    Screenshot shows sending request to Virus Total for IP address report.

  4. Inside the For each loop, select Add an action.
    Add a Condition from the Control actions library.
    Add the Last analysis statistics Malicious dynamic content item from the Get an IP report output (you might have to select "See more" to find it), select the is greater than operator, and enter 0 as the value. This condition asks whether the Virus Total IP report returned any malicious verdicts, that is, whether the Malicious count is greater than 0.

    Screenshot shows how to set a true-false condition in a playbook.

  5. Inside the True option, select Add an action.
    Select the Add task to incident action from the Microsoft Sentinel connector.
    Choose the Incident ARM ID dynamic content item for the Incident ARM id field.
    Enter Mark user as compromised as the Title. Add a description if you want.

    Screenshot shows playbook actions to add a task to mark a user as compromised.

  6. Inside the False option, select Add an action.
    Select the Add task to incident action from the Microsoft Sentinel connector.
    Choose the Incident ARM ID dynamic content item for the Incident ARM id field.
    Enter Reach out to the user to confirm the activity as the Title. Add a description if you want.

    Screenshot shows playbook actions to add a task to have user confirm activity.
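The branching logic of the conditional procedure above, as an added example that is not code from the Microsoft article: it reads a captured Virus Total IP report (field names follow the VirusTotal API v3 response, which the connector surfaces as "Last analysis statistics") and returns the task the playbook's Condition would create. The task body shape (`properties` with `title`, `description`, `status`) is an assumption about the Sentinel incident-tasks REST API to verify against the current reference; the sample report and IP addresses are constructed.

```python
import json

# Constructed sample: a trimmed VirusTotal v3 IP report for a flagged address.
SAMPLE_MALICIOUS_REPORT = json.dumps({
    "data": {"id": "203.0.113.7", "type": "ip_address",
             "attributes": {"last_analysis_stats": {
                 "harmless": 60, "malicious": 5, "suspicious": 1,
                 "undetected": 20, "timeout": 0}}}})


def malicious_count(report_json: str):
    """Return the 'malicious' engine count from data.attributes.last_analysis_stats,
    or None when the report carries no stats (failed lookup, unknown address).
    None is kept distinct from 0 so the caller can tell "nothing flagged it"
    from "nothing was checked"; in the playbook both land in the False branch."""
    report = json.loads(report_json)
    stats = report.get("data", {}).get("attributes", {}).get("last_analysis_stats")
    if not isinstance(stats, dict) or "malicious" not in stats:
        return None
    return int(stats["malicious"])


def task_for_ip(ip: str, report_json: str) -> dict:
    """Pick the incident task the playbook's Condition (Malicious > 0) would add.
    True branch  -> 'Mark user as compromised'
    False branch -> 'Reach out to the user to confirm the activity'
    A missing verdict is called out in the description so the analyst does not
    read 'not malicious' into a lookup that never happened."""
    count = malicious_count(report_json)
    if count is not None and count > 0:
        title = "Mark user as compromised"
        description = f"{ip} was flagged malicious by {count} Virus Total engine(s)."
    else:
        title = "Reach out to the user to confirm the activity"
        if count is not None:
            description = f"{ip} was not flagged malicious by Virus Total."
        else:
            description = (f"No Virus Total verdict for {ip}; the lookup may have "
                           "failed, verify manually.")
    # Assumed request-body shape for the Sentinel incident-tasks API; verify before use.
    return {"properties": {"title": title, "description": description, "status": "New"}}
```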

Next steps