Sentinel Automation – Streamlining Security Operations With Enhanced Incident Management

This repository provides automation solutions for Microsoft Sentinel. The repository is focused on Logic Apps/Playbooks. The solutions are aimed to:

Enrich Incidents
Perform Incident Response Steps
Create new detections

Presenting this material as your own is illegal and forbidden. A reference to Twitter @BertJanCyber or Github @Bert-JanP is much appreciated when sharing or using the content.

How To Use The Automation Flows?

Automation Rule

Automation rules can be used to automatically run a playbook once an incident is created or changed.

Go to Automation in Microsoft Sentinel.
Create
Automation Rule (or Playbook depending on trigger)
Select your playbook
Apply

Manual Trigger

After the first triage of an incident a security analyst may determine that more information is needed, Playbooks can be used to provide the analyst with this information.

There are different options to trigger the Playbook for execution, one is shown below.

Open a Sentinel Incident
Incident Actions
Run Playbook
Select the Playbook you want to run
Run

Varshini

Tamil has a great interest in the fields of Cyber Security, OSINT, and CTF projects. Currently, he is deeply involved in researching and publishing various security tools with Kali Linux Tutorials, which is quite fascinating.