Use automation/playbooks in Microsoft Sentinel during incident update activity using update triggers
Automation is critical for modern SOC environments to handle the volume of incoming threats and to manage day-to-day tasks. Ideally, most steps of the incident lifecycle in Microsoft Sentinel (creation, enrichment, update, and closure) are automated. For quite some time, playbooks have been usable for initial enrichment and for actions such as triage and ticket creation.
Incidents are constantly changing as new information arrives; it is now possible to react to those changes with incident update triggers for automation rules and playbooks.
Public preview announcement: What’s new: Automate full incident lifecycle with incident update triggers
Note: Feature currently in preview – blog updated 31-5-2022
Incident update triggers for automation rules and playbooks
Sentinel incidents can be updated by users, the API, Microsoft 365 Defender sync, and automation. Another common situation is alerts being added to an existing incident, whether by a user, the API, Sentinel alert grouping, or Defender sync. Such updates result in changes like a severity change, an incident reopened by Defender, or changed tactics.
With the new incident update triggers for automation rules and playbooks, it is possible to create automation rules and playbooks that run only when specific fields of the incident are modified. For example, the following scenarios are possible:
- Notify the team when changes occur to incidents
- Assign owners and let them know they are assigned
- Notify on automatic or manual reopening of incidents
- Keep external tickets up to date with the latest information coming from Sentinel
- Notify when severity is changed
- Notify when incident data is added in alerts, tags, comments, or tactics
- Extend automation across the rest of the incident lifecycle
To target a specific update scenario, new condition operators are available to capture changes to the incident: Changed, Changed from, and Changed to. You can also configure the rule to run when items are newly added to any of the incident lists: alerts, tags, comments, and tactics. More in-depth information follows in the next sections.
Currently, the following trigger types are available as part of Sentinel automation:
| Trigger type | Events that cause the rule to run |
|---|---|
| When incident is created | A new incident is created by an analytics rule; an incident is ingested from Microsoft 365 Defender; a new incident is created manually. |
| When incident is updated (new/preview) | An incident’s status is changed (closed/reopened/triaged); an incident’s owner is assigned or changed; an incident’s severity is raised or lowered; alerts are added to an incident; comments, tags, or tactics are added to an incident. |
How to configure the new update triggers
The new incident update triggers are directly integrated into the Automation section of Microsoft Sentinel.
When creating an automation rule, there is now the trigger option When incident is updated. Go to Microsoft Sentinel -> Automation -> Create -> Automation rule.
Part of the automation rule wizard is now the option to use the following trigger: When incident is updated (preview).
The new update trigger supports multiple new change operators that are only available in combination with this trigger.
Examples
- Run automation when severity is changed to High
- Run automation when alerts are added to the incident
- Run automation when the owner is changed
- Run automation when comments are added
- Run automation when status is changed from Closed to New/Active and the update was made by a user
The following change operators are currently available as part of the State changed values:
- Alert
- Change status added
- Severity
- Severity changed
- Severity changed from
- Severity changed to
- Status
- Status changed
- Status changed from
- Status changed to
- Tactics
- Tactics added
- Tag
- Tag added
- Owner
- Owner changed
- Comments
- Comments added
It is also possible to restrict which update source triggers the automation rule (the Updated by condition). The following update sources are currently available:
- Application
- User
- Alert grouping
- Playbook
- Automation rule
- Microsoft 365 Defender
Complete overview of all conditions and supported operators that can be used with the update trigger (source: Microsoft):
| Property | Operator set |
|---|---|
| Title; Description; Tag; all listed entity properties | Equals / Does not equal; Contains / Does not contain; Starts with / Does not start with; Ends with / Does not end with |
| Tag (in addition to the above); Alerts; Comments | Added |
| Severity; Status | Equals / Does not equal; Changed; Changed from; Changed to |
| Owner | Changed |
| Incident provider; Updated by | Equals / Does not equal |
| Tactics | Contains / Does not contain; Added |
| Alert product names | Contains / Does not contain |
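The operators described above (Changed, Changed from, Changed to, Added, and the Updated by source filter) are easiest to understand as predicates over the incident before and after the update. The following is an added example, not Microsoft's code or the Sentinel rule engine: it models those operators over two constructed incident snapshots and evaluates the example rules from this blog against them. The incident fields, the rule names, and the ANDing of conditions within a rule are assumptions for illustration.

```python
"""Model of how a Sentinel 'incident updated' automation rule decides to run.

Added example, not Microsoft's code. Incident fields and rule shapes are
assumptions; the operator semantics follow the blog's description.
"""
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional, Set


@dataclass
class Incident:
    """Constructed incident snapshot (only the fields the update trigger can inspect)."""
    title: str
    severity: str                 # Informational / Low / Medium / High
    status: str                   # New / Active / Closed
    owner: Optional[str]
    alerts: Set[str] = field(default_factory=set)
    tags: Set[str] = field(default_factory=set)
    comments: Set[str] = field(default_factory=set)
    tactics: Set[str] = field(default_factory=set)
    # Update source: Application / User / Alert grouping / Playbook /
    # Automation rule / Microsoft 365 Defender
    updated_by: str = "User"


# A condition is a predicate over (before, after).
Cond = Callable[[Incident, Incident], bool]


def changed(prop: str) -> Cond:
    """'Changed': the property differs between the two snapshots."""
    return lambda b, a: getattr(b, prop) != getattr(a, prop)


def changed_from(prop: str, value: str) -> Cond:
    """'Changed from': the property left the given value."""
    return lambda b, a: getattr(b, prop) == value and getattr(a, prop) != value


def changed_to(prop: str, value: str) -> Cond:
    """'Changed to': the property arrived at the given value."""
    return lambda b, a: getattr(b, prop) != value and getattr(a, prop) == value


def added(list_prop: str) -> Cond:
    """'Added': the incident list (alerts, tags, comments, tactics) gained an item."""
    return lambda b, a: bool(getattr(a, list_prop) - getattr(b, list_prop))


def updated_by(source: str) -> Cond:
    """'Updated by': the update came from the given source."""
    return lambda b, a: a.updated_by == source


def evaluate_rules(rules: Dict[str, List[Cond]], before: Incident, after: Incident) -> List[str]:
    """Return the names of rules whose conditions all hold (conditions are ANDed)."""
    return [name for name, conds in rules.items() if all(c(before, after) for c in conds)]


# Constructed rules mirroring the blog's "Examples" list.
RULES: Dict[str, List[Cond]] = {
    "Notify severity changed to High": [changed_to("severity", "High")],
    "Sync ticket when alerts are added": [added("alerts")],
    "Notify new owner": [changed("owner")],
    "Notify on comments": [added("comments")],
    "Reopened by a user": [changed_from("status", "Closed"), updated_by("User")],
}


def demo() -> List[str]:
    """One constructed update: a closed Medium incident is reopened, escalated and assigned."""
    before = Incident("Suspicious sign-in", "Medium", "Closed", None, alerts={"a1"})
    after = Incident("Suspicious sign-in", "High", "Active", "analyst@example.com",
                     alerts={"a1", "a2"}, updated_by="User")
    return evaluate_rules(RULES, before, after)


if __name__ == "__main__":
    for name in demo():
        print("would run:", name)
```

Every rule except the comment rule fires for the constructed update, which is exactly the point of the Updated by filter: without it, the "Reopened by a user" rule would also fire when a playbook or Defender sync reopens the incident.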
Automation actions using playbooks
Multiple actions can be used with the update trigger: Add tags, Assign owner, Change status, Change severity, or Run playbook. The rest of this blog walks through an example based on the Run playbook action.
Multiple playbook templates are available out of the box; the current incident update templates are listed below. Of course, there is always the option to create custom playbooks from scratch for unique update situations.
To view all new incident update playbooks, go to Microsoft Sentinel -> Automation -> Playbook templates (preview).
Examples:
- Notify Incident Owner in Microsoft Teams
- Notify When Incident Is Closed
- Notify When Incident Is Reopened
- Notify When Incident Severity Changed
Playbook: Notify severity change
When the severity of an incident is changed, this playbook sends an adaptive card to the generic SOC Teams channel so that the information is visible in one single view, including the incident URL.
To create the playbook, click Create playbook and fill in the basic information (subscription, resource group, playbook name, and optional diagnostics logs); the next page requires the Teams parameters (team ID, channel ID) and the e-mail address. Don’t forget to authorize the Microsoft Teams and Microsoft Office 365 Outlook connectors.
Playbook action
The playbook trigger is based on the automation rule trigger When incident is updated (1). Use the conditions Analytics rule contains All and Severity Changed (2). Then configure the Run playbook action and select the playbook (3).
Testing
Logic Apps can be tested using the Logic App run history. To check the history, go to Logic Apps -> Runs history. Here you can view all previous Logic App runs and inspect any error in the detailed run view. Click Trigger history to view the triggers that fired.
The playbook template Notify-incidentseveritychanged sends an email notification and an adaptive card to a Teams chat or channel. The Logic App flow can be completely customized.
Result
The severity change playbook produces two results: one in Teams and one in Outlook.
Result based on Teams adaptive card
The adaptive card is sent to the Teams channel and populated with Sentinel incident data; the card layout is configured using JSON.
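To show what that JSON looks like, the following is an added example, not the template's own Logic App definition: it assembles an Adaptive Card payload of the kind the Teams connector posts, from constructed incident-update fields (old and new severity, updater, incident URL). The field names, the incident URL placeholder and the severity-to-colour mapping are assumptions for illustration; the card elements used (TextBlock, FactSet, Action.OpenUrl) are standard Adaptive Card schema elements.

```python
"""Build the Teams adaptive card payload for a severity-change notification.

Added example, not the playbook template's own definition. Field names,
the URL and the colour mapping are assumptions.
"""
import json
from typing import Any, Dict

# Sentinel severities in ascending order (used to say "raised" or "lowered").
SEVERITY_ORDER = ["Informational", "Low", "Medium", "High"]

# Assumed mapping from severity to an Adaptive Card TextBlock colour.
SEVERITY_COLOR = {
    "Informational": "default",
    "Low": "good",
    "Medium": "warning",
    "High": "attention",
}


def build_severity_card(title: str, incident_number: int, old_severity: str,
                        new_severity: str, updated_by: str,
                        incident_url: str) -> Dict[str, Any]:
    """Return an Adaptive Card (schema version 1.2) describing the severity change."""
    if old_severity not in SEVERITY_ORDER or new_severity not in SEVERITY_ORDER:
        raise ValueError("unknown severity value")
    old_rank, new_rank = SEVERITY_ORDER.index(old_severity), SEVERITY_ORDER.index(new_severity)
    if new_rank > old_rank:
        direction = "raised"
    elif new_rank < old_rank:
        direction = "lowered"
    else:
        direction = "unchanged"   # the update trigger would not normally fire for this

    return {
        "$schema": "http://adaptivecards.io/schemas/adaptive-card.json",
        "type": "AdaptiveCard",
        "version": "1.2",
        "body": [
            {
                "type": "TextBlock",
                "size": "Large",
                "weight": "Bolder",
                "color": SEVERITY_COLOR[new_severity],
                "text": f"Incident #{incident_number} severity {direction}: "
                        f"{old_severity} -> {new_severity}",
                "wrap": True,
            },
            {"type": "TextBlock", "text": title, "wrap": True},
            {
                "type": "FactSet",
                "facts": [
                    {"title": "Old severity", "value": old_severity},
                    {"title": "New severity", "value": new_severity},
                    {"title": "Updated by", "value": updated_by},
                ],
            },
        ],
        "actions": [
            {"type": "Action.OpenUrl", "title": "Open incident in Sentinel", "url": incident_url}
        ],
    }


def card_json(card: Dict[str, Any]) -> str:
    """Serialise the card the way a Logic App 'Post adaptive card' step expects: a JSON string."""
    return json.dumps(card, indent=2)


if __name__ == "__main__":
    demo_card = build_severity_card(
        "Suspicious sign-in from unfamiliar location",   # constructed title
        1042,                                             # constructed incident number
        "Medium", "High", "analyst@example.com",
        "https://portal.azure.com/#PLACEHOLDER-INCIDENT-URL",  # placeholder, not a real link
    )
    print(card_json(demo_card))
```

In the playbook, the same structure is filled from the incident fields the update trigger hands to the Logic App, and the colour of the heading makes a High escalation stand out in the channel at a glance.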
Result based on mail
The e-mail notification includes the Sentinel incident data and the "updated by" information.
Conclusion
The purpose of this blog was to give you some insight into what you can accomplish with the new Microsoft Sentinel update trigger functionality.
With Logic Apps and update triggers, many more options are available for notifying teams and automating actions. Stay tuned for more related blogs around Sentinel health monitoring, automated actions, and reporting.
Content request? Use the content submission form
Sources
Microsoft: What’s new: Automate full incident lifecycle with incident update triggers
Microsoft: Create and manage automation rules (new!)
Microsoft: Automate incident handling with automation rules (updated)
Microsoft: Create and customize Azure Sentinel playbooks from built-in templates