Sentinel Explained: Automation Rules, Playbooks, and Logic Apps

Tyler Wall
3 min read · Jan 29, 2024

Automation rules help you triage incidents in Microsoft Sentinel.

Definition: Triage is the process of the intake of an incident and preparing it to be worked on.

You can use automation rules to automatically assign incidents to the right personnel, close noisy incidents or known false positives, change their severity, and add tags. They have three components:

  • Triggers that define what kind of incident event will cause the rule to run, subject to…
  • Conditions that will determine the exact circumstances under which the rule will run and perform…
  • Actions to change the incident in some way or call a playbook.

Playbooks are automations that can be run from Microsoft Sentinel in response to an entire incident, to an individual alert, or to a specific entity. They can be set to run automatically when specific alerts are generated or when incidents are created or updated, by being attached to an automation rule.
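The three components above, as an added Bicep example that is not part of the original post: one trigger (incident created), one condition (the title carries a constructed "[TEST]" marker), and two actions, the second of which attaches a playbook to the rule as described in the paragraph on playbooks. The workspace name and the playbook's Logic App resource id are assumed parameters you supply.

```bicep
// Added example, not from the original post: an automation rule that triages a
// known-noisy incident on creation and then hands it to a playbook.
// Assumptions: workspaceName and playbookResourceId are placeholders you supply.
param workspaceName string
param playbookResourceId string // /subscriptions/<sub>/.../Microsoft.Logic/workflows/<playbook>

resource workspace 'Microsoft.OperationalInsights/workspaces@2022-10-01' existing = {
  name: workspaceName
}

resource triageRule 'Microsoft.SecurityInsights/automationRules@2023-02-01' = {
  name: guid(workspaceName, 'close-known-false-positives') // rule id must be a GUID
  scope: workspace // automation rules are extension resources on the workspace
  properties: {
    displayName: 'Close known false-positive test incidents'
    order: 1 // lower numbers run first when several rules match
    triggeringLogic: {
      isEnabled: true
      // Trigger: run when an incident is created (the other option is 'Updated')
      triggersOn: 'Incidents'
      triggersWhen: 'Created'
      // Condition: only incidents whose title contains the constructed '[TEST]' marker
      conditions: [
        { conditionType: 'Property', conditionProperties: { propertyName: 'IncidentTitle', operator: 'Contains', propertyValues: [ '[TEST]' ] } }
      ]
    }
    actions: [
      {
        // Action 1: change the incident: lower severity, add a tag, close as false positive
        order: 1
        actionType: 'ModifyProperties'
        actionConfiguration: {
          severity: 'Informational'
          labels: [ { labelName: 'auto-triaged' } ]
          status: 'Closed'
          classification: 'FalsePositive'
          classificationReason: 'InaccurateData'
        }
      }
      {
        // Action 2: call the playbook (a Logic App) for any follow-up, e.g. notification
        order: 2
        actionType: 'RunPlaybook'
        actionConfiguration: { logicAppResourceId: playbookResourceId, tenantId: subscription().tenantId }
      }
    ]
  }
}
```

The playbook action only fires if Microsoft Sentinel has been granted the Microsoft Sentinel Automation Contributor role on the resource group that holds the Logic App; without it the rule's other actions still run but the playbook step fails.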

Note: When an alert or incident is created or updated it goes back through the triage process where it gets prepared to be worked on (again).

A playbook can also be run manually on demand on specific incidents, alerts, or entities.

Playbooks in Microsoft Sentinel are based on workflows built in Azure Logic Apps, which means you get all the power of the what-you-see-is-what-you-get Logic Apps designer. Azure Logic Apps is a cloud platform where you can create and run automated workflows with little to no code. By using the visual designer and selecting from prebuilt operations, you can quickly build a playbook that manages your alerts and incidents.

You can also choose to run a playbook manually on-demand, as a response to a selected alert.

Tyler Wall is the founder of Cyber NOW Education. He holds a Master of Science from Purdue University, as well as CISSP, CCSK, CFSR, CEH, Sec+, Net+, and A+ certifications. He mastered the SOC after having held every position from analyst to architect and is the author of three books, 100+ professional articles, and four online courses, and regularly holds webinars for new cybersecurity talent.

You can connect with him on LinkedIn.

Get 20% off all courses in our On-Demand catalog with coupon code “Welcome20”

Download the Azure Security Labs eBook from the Secure Style Store. These labs walk you through several hands-on fun labs in Microsoft Azure, leaving you with the know-how to create a gig in Fiverr or Upwork to start your cybersecurity freelancing.

Also available in the Secure Style Store, download the Job Hunting Application Tracker for FREE to keep track of all your job applications.

Check out my latest book Jump-start Your SOC Analyst Career: A Roadmap to Cybersecurity Success published June 1st, 2024 and winner of the 2024 Cybersecurity Excellence Awards.
