Microsoft Sentinel automated responses

Microsoft Sentinel
Microsoft Entra ID
Azure Logic Apps

Solution ideas

This article describes a solution idea. Your cloud architect can use this guidance to help visualize the major components for a typical implementation of this architecture. Use this article as a starting point to design a well-architected solution that aligns with your workload's specific requirements.

Microsoft Sentinel is a scalable cloud-based solution for Security Information and Event Management (SIEM) and Security Orchestration, Automation, and Response (SOAR). It offers intelligent security analytics for organizations of all sizes and provides capabilities that include:

  • Business attack detection
  • Proactive hunting
  • Automated incident response

Threat response in Microsoft Sentinel is managed through playbooks. When triggered by an alert or incident, a playbook executes a series of automated actions to counter the threat. These playbooks are created using Azure Logic Apps.

Microsoft Sentinel provides hundreds of ready-to-use playbooks, including ones for the following scenarios:

  • Blocking a Microsoft Entra user
  • Blocking a Microsoft Entra user based on approval or rejection via email
  • Posting a message in a Microsoft Teams channel about an incident or alert
  • Posting a message on Slack
  • Sending an email with incident or alert details
  • Sending an email with a formatted incident report
  • Verifying if a Microsoft Entra user is at risk
  • Sending an adaptive card via Microsoft Teams to confirm if a user is compromised
  • Isolating an endpoint through Microsoft Defender for Endpoint

This article includes an example of implementing a playbook that responds to a threat by blocking a Microsoft Entra user compromised by suspicious activity.

Potential use case

The techniques described in this article apply whenever you need to implement an automatic response to a detectable condition.

Architecture

Microsoft Sentinel architecture using playbooks.

Download a Visio file of this architecture.

Workflow

This workflow shows the steps to deploy the playbook. Make sure that the Prerequisites are satisfied before you start. For example, you need to choose a Microsoft Entra user.

  1. Follow the steps in Send logs to Azure Monitor to configure Microsoft Entra ID to send audit logs to the Log Analytics workspace that's used with Microsoft Sentinel.

    Note

    This solution doesn't use the audit logs, but you can use them to investigate what happens when the user is blocked.

  2. Microsoft Entra ID Protection generates the alerts that trigger the threat response playbook to run. To have Microsoft Sentinel collect the alerts, navigate to your Microsoft Sentinel instance and select Data Connectors. Search for Microsoft Entra ID Protection and enable the collecting of alerts. For more information about Identity Protection, see What is Identity Protection?.

  3. Install the Tor Browser on a computer or virtual machine (VM) that you can use without putting your IT security at risk.

  4. Use the Tor Browser to log in anonymously to My apps as the user that you selected for this solution. See Anonymous IP address for instructions on using the Tor Browser to simulate anonymous IP addresses.

  5. Microsoft Entra authenticates the user.

  6. Microsoft Entra ID Protection detects that the user used the Tor Browser to log in anonymously. This type of login is suspicious activity that puts the user at risk. Identity Protection sends an alert to Microsoft Sentinel.

  7. Configure Microsoft Sentinel to create an incident from the alert. See Automatically create incidents from Microsoft security alerts for instructions. The Microsoft security analytics rule template to use is Create incidents based on Microsoft Entra ID Protection alerts.

  8. When Microsoft Sentinel triggers an incident, the playbook responds with actions that block the user.

Components

  • Microsoft Sentinel is a cloud-native SIEM and SOAR solution. It uses advanced AI and security analytics to detect and respond to threats across the enterprise. There are many playbooks on Microsoft Sentinel that you can use to automate your responses and protect your system.
  • Microsoft Entra ID is a multi-tenant, cloud-based directory and identity management service that combines core directory services, application access management, and identity protection into a single solution. It can synchronize with on-premises directories. The identity service provides single sign-on, multifactor authentication, and conditional access to guard against cybersecurity attacks. The solution shown in this article uses Microsoft Entra ID Protection to detect suspicious activity by a user.
  • Logic Apps is a serverless cloud service for creating and running automated workflows that integrate apps, data, services, and systems. Developers can use a visual designer to schedule and orchestrate common task workflows. Logic Apps has connectors for many popular cloud services, on-premises products, and other software as a service applications. In this solution, Logic Apps runs the threat response playbook.

Considerations

  • The Azure Well-Architected Framework is a set of guiding tenets that you can use to improve the quality of a workload. For more information, see Microsoft Azure Well-Architected Framework.
  • Microsoft Sentinel offers more than 50 playbooks that are ready for use. You can find them on the Playbook templates tab of the Microsoft Sentinel | Automation page for your workspace.
  • GitHub has a variety of Microsoft Sentinel playbooks that are built by the community.

Deploy this scenario

You can deploy this scenario by following the steps in Workflow after making sure that the Prerequisites are satisfied.

Prerequisites

Prepare the software and choose a test user

To implement and test the playbook, you'll need Azure and Microsoft Sentinel along with the following:

  • A Microsoft Entra ID Protection license (Premium P2, E3, or E5).
  • A Microsoft Entra user. You can use either an existing user or create a new user. If you do create a new user, you can delete it when you're done using it.
  • A computer or VM that can run the Tor Browser. You'll use the browser to log in to the My Apps portal as your Microsoft Entra user.

Deploy the playbook

To deploy a Microsoft Sentinel playbook, proceed as follows:

  • If you don't have a Log Analytics workspace to use for this exercise, create a new one as follows:
    • Go to the Microsoft Sentinel main page, and select + Create to get to the Add Microsoft Sentinel to a workspace page.
    • Select Create a new workspace. Follow the instructions to create the new workspace. After a short time, the workspace is created.
  • At this point, you have a workspace, perhaps one that you just created. Use the following steps to see whether Microsoft Sentinel has been added to it, and to add it if not:
    • Go to the Microsoft Sentinel main page.
    • If Microsoft Sentinel has already been added to your workspace, the workspace appears in the displayed list. If it hasn't been added yet, add it as follows.
      • Select + Create to get to the Add Microsoft Sentinel to a workspace page.
      • Select your workspace from the displayed list, and then select Add at the bottom of the page. After a short time, Microsoft Sentinel is added to your workspace.
  • Create a playbook, as follows:
    • Go to the Microsoft Sentinel main page. Select your workspace. Select Automation from the left menu to get to the Automation page. This page has three tabs.
    • Select the Playbook templates (Preview) tab.
    • In the search field, enter Block Microsoft Entra user - Incident.
    • In the list of playbooks, select Block Microsoft Entra user - Incident and then select Create playbook in the bottom right corner to get to the Create playbook page.
    • On the Create playbook page, do the following:
      • Select values for Subscription, Resource group, and Region from the lists.
      • Enter a value for Playbook name if you don't want to use the default name that appears.
      • If you want, select Enable diagnostics logs in Log Analytics to enable logs.
      • Leave the Associate with integration service environment checkbox unchecked.
      • Leave Integration service environment empty.
    • Select Next: Connections > to go to the Connections tab of Create playbook.
    • Choose how you will authenticate within the playbook’s components. Authentication is required for:
      • Microsoft Entra ID
      • Microsoft Sentinel
      • Office 365 Outlook

      Note

      You can also authenticate these resources later, during playbook customization, from the logic app resource. To authenticate them at this point, you need permissions to update a user in Microsoft Entra ID, and the account you use must have access to a mailbox and be able to send email.

    • Select Next: Review and create > to get to the Review and create tab of Create playbook.
    • Select Create and continue to designer to create the playbook and access the Logic app designer page.

For more information about building logic apps, see What is Azure Logic Apps and Quickstart: Create and manage logic app workflow definitions.
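To show what the deployed playbook does under the designer, here is a minimal Logic Apps (Consumption) workflow definition of the same pattern, written for this article as an added example rather than the Microsoft-provided Block Microsoft Entra user - Incident template. It is triggered by a Microsoft Sentinel incident, filters the incident's related entities to Account entities that carry an aadUserId (on-premises-only accounts without one are skipped), and disables each user with a Microsoft Graph PATCH. It assumes the logic app has a system-assigned managed identity granted the Microsoft Graph application permission User.ReadWrite.All and that the azuresentinel API connection already exists; the action names are chosen here.

```json
{
  "$schema": "https://schema.management.azure.com/providers/Microsoft.Logic/schemas/2016-06-01/workflowdefinition.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "$connections": { "type": "Object", "defaultValue": {} }
  },
  "triggers": {
    "Microsoft_Sentinel_incident": {
      "type": "ApiConnectionWebhook",
      "inputs": {
        "body": { "callback_url": "@{listCallbackUrl()}" },
        "host": { "connection": { "name": "@parameters('$connections')['azuresentinel']['connectionId']" } },
        "path": "/incident-creation"
      }
    }
  },
  "actions": {
    "Account_entities_with_Entra_id": {
      "type": "Query",
      "runAfter": {},
      "inputs": {
        "from": "@triggerBody()?['object']?['properties']?['relatedEntities']",
        "where": "@and(equals(item()?['kind'], 'Account'), not(empty(item()?['properties']?['aadUserId'])))"
      }
    },
    "For_each_account": {
      "type": "Foreach",
      "runAfter": { "Account_entities_with_Entra_id": [ "Succeeded" ] },
      "foreach": "@body('Account_entities_with_Entra_id')",
      "actions": {
        "Disable_user_in_Entra_ID": {
          "type": "Http",
          "runAfter": {},
          "inputs": {
            "method": "PATCH",
            "uri": "https://graph.microsoft.com/v1.0/users/@{items('For_each_account')?['properties']?['aadUserId']}",
            "headers": { "Content-Type": "application/json" },
            "body": { "accountEnabled": false },
            "authentication": {
              "type": "ManagedServiceIdentity",
              "audience": "https://graph.microsoft.com"
            }
          }
        }
      }
    }
  },
  "outputs": {}
}
```

Disabling the account does not revoke tokens that were already issued, so a production playbook would typically also call the Graph revokeSignInSessions action and add a comment to the incident so the analyst can see what was done.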

Contributors

This article is maintained by Microsoft. It was originally written by the following contributors.
