Microsoft Sentinel SOAR content catalog
Microsoft Sentinel provides a wide variety of playbooks and connectors for security orchestration, automation, and response (SOAR), so that you can readily integrate Microsoft Sentinel with any product or service in your environment.
The integrations listed below may include some or all of the following components:
Component type | Purpose | Use case and linked instructions |
---|---|---|
Playbook templates | Automated workflow | Use playbook templates to deploy ready-made playbooks for responding to threats automatically. Automate threat response with playbooks in Microsoft Sentinel |
Azure Logic Apps managed connector | Building blocks for creating playbooks | Playbooks use managed connectors to communicate with hundreds of both Microsoft and non-Microsoft services. List of Logic Apps connectors and their documentation |
Azure Logic Apps custom connector | Building blocks for creating playbooks | You may want to communicate with services that aren't available as prebuilt connectors. Custom connectors address this need by allowing you to create (and even share) a connector and define its own triggers and actions. |
You can find SOAR integrations and their components in the following places:
- Microsoft Sentinel solutions
- Microsoft Sentinel Automation blade, playbook templates tab
- Logic Apps designer (for managed Logic Apps connectors)
- Microsoft Sentinel GitHub repository
Tip
- Many SOAR integrations can be deployed as part of a Microsoft Sentinel solution, together with related data connectors, analytics rules and workbooks. For more information, see the Microsoft Sentinel solutions catalog.
- More integrations are provided by the Microsoft Sentinel community and can be found in the GitHub repository.
- If you have a product or service that isn't listed or currently supported, please submit a Feature Request.
You can also create your own, using the following tools:
- Logic Apps custom connector
- Azure Functions
- Logic Apps HTTP calls
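The Azure Functions and HTTP-call options above amount to writing your own response step and calling it from a playbook. The following is an added example, not code from this page or from the Microsoft Sentinel repository: a small Azure Functions-style HTTP handler that takes the body emitted by the Logic Apps "Microsoft Sentinel incident" trigger, pulls the IP entities out of `object.properties.relatedEntities`, refuses to act on private, link-local or allowlisted addresses, enriches the rest, and returns both the addresses to hand to a blocking step and an HTML comment in the shape the Sentinel "Add comment to incident" action expects. The incident payload, the allowlist, the reputation table and the function names are constructed assumptions; the reputation lookup is a stub standing in for a real call to a service such as AbuseIPDB.

```python
import ipaddress
import json
from typing import Any

# Constructed sample in the shape the "Microsoft Sentinel incident" trigger emits:
# the incident under "object", entities under object.properties.relatedEntities.
SAMPLE_TRIGGER_BODY: dict[str, Any] = {
    "object": {
        "id": ("/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg-sec"
               "/providers/Microsoft.OperationalInsights/workspaces/ws-sentinel"
               "/providers/Microsoft.SecurityInsights/Incidents/11111111-1111-1111-1111-111111111111"),
        "properties": {
            "title": "Suspicious outbound connections",
            "severity": "Medium",
            "relatedEntities": [
                {"kind": "Ip", "properties": {"address": "203.0.113.45"}},
                {"kind": "Ip", "properties": {"address": "198.51.100.7"}},
                {"kind": "Ip", "properties": {"address": "10.1.2.3"}},    # RFC 1918, never block
                {"kind": "Ip", "properties": {"address": "192.0.2.10"}},  # on the allowlist
                {"kind": "Ip", "properties": {}},                         # malformed entity
                {"kind": "Account", "properties": {"accountName": "jdoe"}},
            ],
        },
    }
}

# Assumed policy: ranges a response playbook must never push to a deny list.
# ipaddress.is_global would be shorter in production, but it also rejects the
# RFC 5737 documentation addresses this sample uses, so the list is explicit.
NEVER_BLOCK = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "100.64.0.0/10", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/4", "240.0.0.0/4",
    "::1/128", "fc00::/7", "fe80::/10", "ff00::/8",
)]
# Constructed allowlist: known-good addresses such as the corporate egress NAT.
ALLOWLIST = [ipaddress.ip_network("192.0.2.0/24")]

# Constructed stand-in for the reputation API the playbook would call over HTTP;
# field names mirror AbuseIPDB's check response, the values are made up.
FAKE_REPUTATION = {
    "203.0.113.45": {"abuseConfidenceScore": 100, "totalReports": 42},
    "198.51.100.7": {"abuseConfidenceScore": 20, "totalReports": 2},
}


def extract_ip_entities(trigger_body: dict[str, Any]) -> list[str]:
    """Return the distinct IP addresses among the incident's related entities."""
    entities = trigger_body.get("object", {}).get("properties", {}).get("relatedEntities", [])
    found: list[str] = []
    for entity in entities:
        if entity.get("kind") != "Ip":
            continue
        address = entity.get("properties", {}).get("address")
        if address and address not in found:
            found.append(address)
    return found


def is_actionable(address: str) -> bool:
    """True only for a syntactically valid address outside NEVER_BLOCK and ALLOWLIST."""
    try:
        ip = ipaddress.ip_address(address)
    except ValueError:
        return False
    return not any(ip in net for net in NEVER_BLOCK + ALLOWLIST)


def lookup_reputation(address: str) -> dict[str, int]:
    """Stub for the outbound enrichment call; unknown addresses score zero."""
    return FAKE_REPUTATION.get(address, {"abuseConfidenceScore": 0, "totalReports": 0})


def decide_response(trigger_body: dict[str, Any], block_threshold: int = 75) -> dict[str, Any]:
    """Enrich every actionable IP and select the ones to hand to a blocking playbook step."""
    enrichment: dict[str, dict[str, int]] = {}
    block: list[str] = []
    skipped: list[str] = []
    for address in extract_ip_entities(trigger_body):
        if not is_actionable(address):
            skipped.append(address)
            continue
        rep = lookup_reputation(address)
        enrichment[address] = rep
        if rep["abuseConfidenceScore"] >= block_threshold:
            block.append(address)
    lines = [f"{ip}: score {r['abuseConfidenceScore']} ({r['totalReports']} reports)"
             f"{' - queued for block' if ip in block else ''}" for ip, r in enrichment.items()]
    if skipped:
        lines.append("skipped (non-global or allowlisted): " + ", ".join(skipped))
    return {
        "incidentArmId": trigger_body["object"]["id"],  # what the Add comment action needs
        "enrichment": enrichment,
        "block": block,
        "skipped": skipped,
        "comment": "<p>" + "<br>".join(lines) + "</p>",
    }


def handle_http(raw_body: str) -> tuple[int, str]:
    """Function entry point: (HTTP status, JSON body) for the Logic Apps HTTP action."""
    try:
        body = json.loads(raw_body)
        if not isinstance(body, dict) or "id" not in body.get("object", {}):
            return 400, json.dumps({"error": "expected a Sentinel incident trigger body"})
        return 200, json.dumps(decide_response(body))
    except (ValueError, TypeError, KeyError) as exc:
        return 400, json.dumps({"error": str(exc)})


def sample_trigger_json() -> str:
    return json.dumps(SAMPLE_TRIGGER_BODY)


if __name__ == "__main__":
    status, payload = handle_http(sample_trigger_json())
    print(status, json.dumps(json.loads(payload), indent=2))
```

In a playbook, the HTTP action would post `triggerBody()` to this function and feed the returned `block` list to the firewall connector and `comment` to the Sentinel comment action. Keep the real API key for the enrichment service out of the workflow definition (a Key Vault reference or a secured parameter), authenticate the HTTP action to the function with a managed identity or a function key rather than an anonymous endpoint, and keep the never-block and allowlist checks on the function side so that no playbook edit can bypass them.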
AbuseIPDB
Product | Integration components | Supported by | Scenarios |
---|---|---|---|
AbuseIPDB (Available as solution) | Custom Logic Apps connector, Playbooks | Microsoft | Enrich incident by IP info, Report IP to AbuseIPDB, Deny list to Threat intelligence |
Atlassian
Product | Integration components | Supported by | Scenarios |
---|---|---|---|
Jira | Managed Logic Apps connector, Playbooks | Microsoft, Community | Sync incidents |
AWS IAM
Product | Integration components | Supported by | Scenarios |
---|---|---|---|
AWS IAM (Available as solution) | Custom Logic Apps connector, Playbooks | Microsoft | Add user tags, Delete access keys, Enrich incidents |
Checkphish by Bolster
Product | Integration components | Supported by | Scenarios |
---|---|---|---|
Checkphish by Bolster (Available as solution) | Custom Logic Apps connector, Playbooks | Microsoft | Get URL scan results |
Check Point
Product | Integration components | Supported by | Scenarios |
---|---|---|---|
Check Point NGFW (Available as solution) | Custom Logic Apps connector, Playbooks | Check Point | |
Cisco
Product | Integration components | Supported by | Scenarios |
---|---|---|---|
Cisco ASA, Cisco Meraki | Custom Logic Apps connector, Playbooks | Community | Block IPs |
Cisco Firepower | Custom Logic Apps connector, Playbooks | Community | Block IPs and URLs |
Cisco ISE (Available as solution) | Custom Logic Apps connector, Playbooks | Microsoft | |
Cisco Umbrella (Available as solution) | Custom Logic Apps connector, Playbooks | Microsoft | Block domains, policies management, destination lists management, enrichment, and investigation |
CrowdStrike
Product | Integration components | Supported by | Scenarios |
---|---|---|---|
Falcon endpoint protection (Available as solution) | Playbooks | Microsoft | Endpoints enrichment, isolate endpoints |
Elasticsearch
Product | Integration components | Supported by | Scenarios |
---|---|---|---|
Elasticsearch (Available as solution) | Playbooks | Microsoft | Enrich incident |
F5
Product | Integration components | Supported by | Scenarios |
---|---|---|---|
BIG-IP | Playbooks | Community | Block IPs and URLs |
Forcepoint
Product | Integration components | Supported by | Scenarios |
---|---|---|---|
Forcepoint NGFW | Custom Logic Apps connector, Playbooks | Community | Block IPs and URLs |
Fortinet
Product | Integration components | Supported by | Scenarios |
---|---|---|---|
FortiGate (Available as solution) | Custom Logic Apps connector, Azure Function, Playbooks | Microsoft | Block IPs and URLs |
FortiWeb Cloud (Available as solution) | Custom Logic Apps connector, Azure Function, Playbooks | Microsoft | Block IPs and URLs, Incident enrichment |
Freshdesk
Product | Integration components | Supported by | Scenarios |
---|---|---|---|
Freshdesk | Managed Logic Apps connector | | Sync incidents |
GCP IAM
Product | Integration components | Supported by | Scenarios |
---|---|---|---|
GCP IAM (Available as solution) | Custom Logic Apps connector, Playbooks | Microsoft | Disable service account, Disable service account key, Enrich service account info |
Have I Been Pwned
Product | Integration components | Supported by | Scenarios |
---|---|---|---|
Have I Been Pwned | Custom Logic Apps connector, Playbooks | Community | |
HYAS
Product | Integration components | Supported by | Scenarios |
---|---|---|---|
HYAS Insight (Available as solution) | Managed Logic Apps connector, Playbooks | HYAS | |
IBM
Product | Integration components | Supported by | Scenarios |
---|---|---|---|
Resilient | Custom Logic Apps connector, Playbooks | Community | Sync incidents |
InsightVM Cloud API
Product | Integration components | Supported by | Scenarios |
---|---|---|---|
InsightVM Cloud API | Custom Logic Apps connector, Playbooks | Microsoft | Enrich incident with asset info, Enrich vulnerability info, Run VM scan |
Microsoft
Product | Integration components | Supported by | Scenarios |
---|---|---|---|
Azure DevOps | Managed Logic Apps connector, Playbooks | Microsoft, Community | Sync incidents |
Azure Firewall (Available as solution) | Custom Logic Apps connector, Playbooks | Microsoft | Block IPs |
Microsoft Entra ID Protection | Managed Logic Apps connector, Playbooks | Microsoft, Community | Users enrichment, Users remediation |
Microsoft Entra ID | Managed Logic Apps connector, Playbooks | Microsoft, Community | Users enrichment, Users remediation |
Azure Data Explorer | Managed Logic Apps connector | Microsoft | Query and investigate |
Azure Log Analytics Data Collector | Managed Logic Apps connector | Microsoft, Community | Query and investigate |
Microsoft Defender for Endpoint | Managed Logic Apps connector, Playbooks | Microsoft, Community | Endpoints enrichment, isolate endpoints |
Microsoft Defender for IoT | Playbooks | Microsoft | Orchestration and notification |
Microsoft Teams | Managed Logic Apps connector, Playbooks | Microsoft, Community | Notifications, collaboration, create human-involved responses |
Minemeld
Product | Integration components | Supported by | Scenarios |
---|---|---|---|
Minemeld (Available as solution) | Custom Logic Apps connector, Playbooks | Microsoft | Create indicator, Enrich incident |
Neustar IP GEO Point
Product | Integration components | Supported by | Scenarios |
---|---|---|---|
Neustar IP GEO Point (Available as solution) | Playbooks | Microsoft | Get IP geo info |
Okta
Product | Integration components | Supported by | Scenarios |
---|---|---|---|
Okta | Managed Logic Apps connector, Playbooks | Community | Users enrichment, Users remediation |
OpenCTI
Product | Integration components | Supported by | Scenarios |
---|---|---|---|
OpenCTI (Available as solution) | Custom Logic Apps connector, Playbooks | Microsoft | Create indicator, Enrich incident, Get indicator stream, Import to Sentinel |
Palo Alto
Product | Integration components | Supported by | Scenarios |
---|---|---|---|
Palo Alto PAN-OS (Available as solution) | Custom Logic Apps connector, Playbooks | Community | Block IPs and URLs |
WildFire | Custom Logic Apps connector, Playbooks | Community | File hash enrichment and response |
Proofpoint
Product | Integration components | Supported by | Scenarios |
---|---|---|---|
Proofpoint TAP (Available as solution) | Custom Logic Apps connector, Playbooks | Microsoft | Accounts enrichment |
Qualys VM
Product | Integration components | Supported by | Scenarios |
---|---|---|---|
Qualys VM (Available as solution) | Custom Logic Apps connector, Playbooks | Microsoft | Get asset details, Get asset by CVE ID, Get asset by open port, Launch VM scan |
Recorded Future
Product | Integration components | Supported by | Scenarios |
---|---|---|---|
Recorded Future Intelligence | Managed Logic Apps connector, Playbooks | Recorded Future | Entities enrichment |
ReversingLabs
Product | Integration components | Supported by | Scenarios |
---|---|---|---|
TitaniumCloud File Enrichment (Available as solution) | Managed Logic Apps connector, Playbooks | ReversingLabs | File hash enrichment |
RiskIQ
Product | Integration components | Supported by | Scenarios |
---|---|---|---|
RiskIQ Digital Footprint (Available as solution) | Managed Logic Apps connector, Playbooks | RiskIQ | Entities enrichment |
RiskIQ PassiveTotal | Managed Logic Apps connector, Playbooks | RiskIQ | Entities enrichment |
RiskIQ Security Intelligence (Available as solution) | Managed Logic Apps connector, Playbooks | RiskIQ | Entities enrichment |
ServiceNow
Product | Integration components | Supported by | Scenarios |
---|---|---|---|
ServiceNow | Managed Logic Apps connector, Playbooks | Microsoft, Community | Sync incidents |
Slack
Product | Integration components | Supported by | Scenarios |
---|---|---|---|
Slack | Managed Logic Apps connector, Playbooks | Microsoft, Community | Notification, Collaboration |
TheHive
Product | Integration components | Supported by | Scenarios |
---|---|---|---|
TheHive (Available as solution) | Custom Logic Apps connector, Playbooks | Microsoft | Create alert, Create case, Lock user |
ThreatX WAF
Product | Integration components | Supported by | Scenarios |
---|---|---|---|
ThreatX WAF (Available as solution) | Custom Logic Apps connector, Playbooks | Microsoft | Block IP / URL, Incident enrichment |
URLhaus
Product | Integration components | Supported by | Scenarios |
---|---|---|---|
URLhaus (Available as solution) | Custom Logic Apps connector, Playbooks | Microsoft | Check host and enrich incident, Check hash and enrich incident, Check URL and enrich incident |
VirusTotal
Product | Integration components | Supported by | Scenarios |
---|---|---|---|
VirusTotal | Managed Logic Apps connector, Playbooks | Microsoft, Community | Entities enrichment |
VMware
Product | Integration components | Supported by | Scenarios |
---|---|---|---|
Carbon Black Cloud (Available as solution) | Custom Logic Apps connector, Playbooks | Community | Endpoints enrichment, isolate endpoints |
Zendesk
Product | Integration components | Supported by | Scenarios |
---|---|---|---|
Zendesk | Managed Logic Apps connector, Playbooks | Microsoft, Community | Sync incidents |
Zscaler
Product | Integration components | Supported by | Scenarios |
---|---|---|---|
Zscaler | Playbooks | Microsoft | URL remediation, incident enrichment |
Next steps
In this document, you learned about Microsoft Sentinel SOAR content.
- Learn more about Microsoft Sentinel Solutions.
- Find and deploy Microsoft Sentinel Solutions.