Automate threat response with playbooks in Microsoft Sentinel

SOC analysts deal with numerous security alerts and incidents, and the sheer volume can overwhelm teams, leading to ignored alerts and uninvestigated incidents. Many alerts and incidents can be addressed by the same sets of predefined remediation actions, which can be automated to make the SOC more efficient and free up analysts for deeper investigations.

Use Microsoft Sentinel playbooks to run preconfigured sets of remediation actions to help automate and orchestrate your threat response. Run playbooks automatically, in response to specific alerts and incidents that trigger a configured automation rule, or manually and on-demand for a particular entity or alert.

For example, if an account and machine are compromised, a playbook can automatically isolate the machine from the network and block the account by the time the SOC team is notified of the incident.

Note

Because playbooks make use of Azure Logic Apps, additional charges may apply. Visit the Azure Logic Apps pricing page for more details.

Important

Microsoft Sentinel is now generally available within the Microsoft unified security operations platform in the Microsoft Defender portal. For more information, see Microsoft Sentinel in the Microsoft Defender portal.

The following table lists high-level use cases where we recommend using Microsoft Sentinel playbooks to automate your threat response:

Use case Description
Enrichment Collect data and attach it to an incident to help your team make smarter decisions.
Bi-directional sync Sync Microsoft Sentinel incidents with other ticketing systems. For example, create an automation rule for all incident creations, and attach a playbook that opens a ticket in ServiceNow.
Orchestration Use the SOC team's chat platform to better control the incidents queue. For example, send a message to your security operations channel in Microsoft Teams or Slack to make sure your security analysts are aware of the incident.
Response Immediately respond to threats, with minimal human dependencies, such as when a compromised user or machine is indicated. Alternately, manually trigger a series of automated steps during an investigation or while hunting.

For more information, see Recommended playbook use cases, templates, and examples.

Prerequisites

The following roles are required to use Azure Logic Apps to create and run playbooks in Microsoft Sentinel.

Role Description
Owner Lets you grant access to playbooks in the resource group.
Microsoft Sentinel Contributor Lets you attach a playbook to an analytics or automation rule.
Microsoft Sentinel Responder Lets you access an incident in order to run a playbook manually, but doesn't allow you to run the playbook.
Microsoft Sentinel Playbook Operator Lets you run a playbook manually.
Microsoft Sentinel Automation Contributor Allows automation rules to run playbooks. This role isn't used for any other purpose.

The following table describes required roles based on whether you select a Consumption or Standard logic app to create your playbook:

Logic app Azure roles Description
Consumption Logic App Contributor Edit and manage logic apps. Run playbooks. Doesn't allow you to grant access to playbooks.
Consumption Logic App Operator Read, enable, and disable logic apps. Doesn't allow you to edit or update logic apps.
Standard Logic Apps Standard Operator Enable, resubmit, and disable workflows in a logic app.
Standard Logic Apps Standard Developer Create and edit logic apps.
Standard Logic Apps Standard Contributor Manage all aspects of a logic app.

The Active playbooks tab on the Automation page displays all active playbooks available across any selected subscriptions. By default, a playbook can be used only within the subscription to which it belongs, unless you specifically grant Microsoft Sentinel permissions to the playbook's resource group.

Extra permissions required for Microsoft Sentinel to run playbooks

Microsoft Sentinel uses a service account to run playbooks on incidents, to add security and enable the automation rules API to support CI/CD use cases. This service account is used for incident-triggered playbooks, or when you run a playbook manually on a specific incident.

In addition to your own roles and permissions, this Microsoft Sentinel service account must have its own set of permissions on the resource group where the playbook resides, in the form of the Microsoft Sentinel Automation Contributor role. Once Microsoft Sentinel has this role, it can run any playbook in the relevant resource group, manually or from an automation rule.

To grant Microsoft Sentinel with the required permissions, you must have an Owner or User access administrator role. To run the playbooks, you'll also need the Logic App Contributor role on the resource group that contains the playbooks you want to run.

Playbook templates (preview)

Important

Playbook templates are currently in PREVIEW. See the Supplemental Terms of Use for Microsoft Azure Previews for additional legal terms that apply to Azure features that are in beta, preview, or otherwise not yet released into general availability.

Playbook templates are prebuilt, tested, and ready-to-use workflows that aren't useable as playbooks themselves, but are ready for you to customize to meet your needs. We also recommend that you use playbook templates as a reference of best practices when developing playbooks from scratch, or as inspiration for new automation scenarios.

Access playbook templates from the following sources:

Location Description
Microsoft Sentinel Automation page The Playbook templates tab lists all installed playbooks. Create one or more active playbooks using the same template.

When we publish a new version of a template, any active playbooks created from that template have an extra label added in the Active playbooks tab to indicate that an update is available.
Microsoft Sentinel Content hub page Playbook templates are available as part of product solutions or standalone content installed from the Content hub.

For more information, see:
About Microsoft Sentinel content and solutions
Discover and manage Microsoft Sentinel out-of-the-box content
GitHub The Microsoft Sentinel GitHub repository contains many other playbook templates. Select Deploy to Azure to deploy a template to your Azure subscription.

Technically, a playbook template is an Azure Resource Manager (ARM) template, which consists of several resources: an Azure Logic Apps workflow and API connections for each connection involved.

For more information, see:

Playbook creation and usage workflow

Use the following workflow to create and run Microsoft Sentinel playbooks:

  1. Define your automation scenario. We recommend that you review recommended playbooks use cases and playbook templates to start.

  2. If you're not using a template, create your playbook and build your logic app. For more information, see Create and manage Microsoft Sentinel playbooks.

    Test your logic app by running it manually. For more information, see Run a playbook manually, on demand.

  3. Configure your playbook to run automatically on a new alert or incident creation, or run it manually as needed for your processes. For more information, see Respond to threats with Microsoft Sentinel playbooks.