Wednesday, July 29, 2020

Workbooks, Playbooks and Notebooks. Oh my! Part 2

The other day we talked about how those new to Azure Sentinel might find the terms Workbook, Playbook and Notebook confusing, and we defined Azure Sentinel Workbooks. See here if you missed it.

Playbooks

Today, we're going to talk about Playbooks. What exactly is a Playbook in Azure Sentinel? I'm glad you asked.

A Playbook is really just another way of saying automated response: a collection of procedures that can be kicked off in response to an alert. You can do anything from opening a ticket in ServiceNow to blocking a suspicious IP or disabling a user in Azure AD. Use them to tackle the most frequent threats your organization faces so that you can spend your time elsewhere.

Alert fatigue is real. Security analysts face more alerts than they can respond to. Automation increases efficiency and narrows that gap by letting a Playbook handle the routine steps, so an analyst does not have to review every incident by hand.

Playbooks in Azure Sentinel are based on Azure Logic Apps, and they can be run manually as an on-demand response to a selected alert, or set to run automatically when specific alerts are triggered by attaching the Playbook to the analytics rule that raises them. It's up to you.

It can be a little daunting at first if you've never used Logic Apps, but once you play around a little you'll start to understand how it works. Here is some documentation to help with this.

Below is an example of a Playbook that will isolate a machine when you get an alert from MDATP (Microsoft Defender ATP).

The first thing we do is add the trigger. Here the trigger is a manual step: an admin responding to an Azure Sentinel alert runs the Playbook. It could be an automated trigger, but in this case we're expecting a person to do something first.

Then we choose an Action. In this case we use Alert - Get incident, which returns information about the incident associated with the alert, like the workspace and the actual alert ID.

Then we use the Action Alert - Get hosts, which returns the list of hosts associated with the alert.

Then we loop over those hosts and, for each one, call the MDATP isolate machine action. Isolation is disruptive, so before you let this run automatically, scope it to the alerts that justify it (for example by severity), keep an exclusion list of hosts you can never afford to cut off, and give the Logic App's MDATP connection only the permission it needs to isolate machines and nothing broader.
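The same response logic written out as a stand-alone script, so it can be read and run offline instead of clicked through in the Logic Apps designer. This is an added example, not code from the original post or from the Sentinel playbook repository. The two MDATP REST calls follow the documented API shape (the machines list filtered on `computerDnsName`, and `POST /api/machines/{id}/isolate` with a `Comment` and `IsolationType`); the sample alert payload, the machine inventory, the severity floor and the exclusion list are all constructed here for the demonstration.

```python
"""Isolate-on-alert playbook logic as a script (added example, not the post's code).

Replays the Logic App's steps: trigger payload -> host entities -> guardrails
-> MDATP machine ID lookup -> isolate. Sample data and thresholds are assumptions.
"""
import json
import urllib.parse
import urllib.request

MDATP_API = "https://api.securitycenter.microsoft.com"
SEVERITIES = {"Informational": 0, "Low": 1, "Medium": 2, "High": 3}
MIN_SEVERITY = "High"              # assumption: only auto-isolate on High alerts
EXCLUDED_HOSTS = {"dc01", "dc02"}  # assumption: never cut off these hosts

# Constructed sample of the alert payload the Sentinel trigger hands over.
# Entities arrive as a JSON string; host entities carry Type "host" and HostName.
SAMPLE_ALERT = {
    "SystemAlertId": "00000000-0000-0000-0000-000000000001",
    "AlertDisplayName": "Suspicious PowerShell activity",
    "Severity": "High",
    "Entities": json.dumps([
        {"Type": "host", "HostName": "ws-042", "NTDomain": "CORP"},
        {"Type": "host", "HostName": "DC01", "NTDomain": "CORP"},
        {"Type": "account", "Name": "jdoe", "NTDomain": "CORP"},
        {"Type": "host", "HostName": "WS-042", "NTDomain": "CORP"},  # duplicate
    ]),
}


def hosts_from_alert(alert):
    """Equivalent of Alert - Get hosts: distinct host names from the alert entities."""
    seen, hosts = set(), []
    for entity in json.loads(alert["Entities"]):
        if entity.get("Type") != "host":
            continue
        name = entity["HostName"].lower()
        if name not in seen:
            seen.add(name)
            hosts.append(name)
    return hosts


def should_isolate(alert, host):
    """Guardrails an automated run needs: severity floor and an exclusion list."""
    if SEVERITIES.get(alert.get("Severity"), 0) < SEVERITIES[MIN_SEVERITY]:
        return False
    return host not in EXCLUDED_HOSTS


def mdatp_send(token):
    """Real transport: authenticated call to the MDATP API (not used offline)."""
    def send(method, path, body=None):
        data = json.dumps(body).encode() if body is not None else None
        req = urllib.request.Request(
            MDATP_API + path, data=data, method=method,
            headers={"Authorization": "Bearer " + token,
                     "Content-Type": "application/json"})
        with urllib.request.urlopen(req) as resp:
            return json.loads(resp.read() or b"{}")
    return send


def machine_id_for(send, hostname):
    """Isolation takes the MDATP machine ID, not the host name in the alert."""
    flt = urllib.parse.quote(f"computerDnsName eq '{hostname}'")
    machines = send("GET", f"/api/machines?$filter={flt}").get("value", [])
    return machines[0]["id"] if machines else None


def run_playbook(alert, send, comment="Isolated by Sentinel playbook"):
    """For each host in the alert, isolate it. Returns what was done and why."""
    outcome = {"isolated": [], "skipped": [], "not_found": []}
    for host in hosts_from_alert(alert):
        if not should_isolate(alert, host):
            outcome["skipped"].append(host)
            continue
        machine_id = machine_id_for(send, host)
        if machine_id is None:
            outcome["not_found"].append(host)
            continue
        send("POST", f"/api/machines/{machine_id}/isolate",
             {"Comment": f"{comment}: {alert['AlertDisplayName']}",
              "IsolationType": "Full"})
        outcome["isolated"].append(host)
    return outcome


def fake_send(inventory):
    """Constructed stand-in for the API so the example runs offline."""
    calls = []
    def send(method, path, body=None):
        calls.append((method, path, body))
        if method == "GET":  # answer the computerDnsName filter from inventory
            name = urllib.parse.unquote(path.split("$filter=", 1)[1]).split("'")[1]
            machine_id = inventory.get(name.lower())
            return {"value": [{"id": machine_id}] if machine_id else []}
        return {}
    send.calls = calls
    return send


if __name__ == "__main__":
    send = fake_send({"ws-042": "m-ws042", "dc01": "m-dc01"})
    print(run_playbook(SAMPLE_ALERT, send))
```

Run as-is it uses the offline stand-in and reports `ws-042` isolated and `dc01` skipped by the exclusion list; swap `fake_send(...)` for `mdatp_send(token)` with a token that carries only the MDATP isolation permission to drive the real API. The host-name to machine-ID lookup is the step that is easy to forget when wiring this up in the designer.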

Think how much time you could save by creating automated Playbooks to respond to alerts. 
The same GitHub repository we mentioned the other day has a selection of pre-built Playbooks you can use or you can create your own.