Automate threat response with playbooks in Microsoft Sentinel
This article explains what Microsoft Sentinel playbooks are, and how to use them to implement your Security Orchestration, Automation and Response (SOAR) operations, achieving better results while saving time and resources.

What is a playbook?

SIEM/SOC teams are typically inundated with security alerts and incidents, at volumes so large that the available personnel are overwhelmed. All too often, the result is that many alerts are ignored and many incidents are never investigated, leaving the organization exposed to attacks that go unnoticed.

Many, if not most, of these alerts and incidents conform to recurring patterns that can be addressed by specific, predefined sets of remediation actions. A playbook is a collection of these remediation actions that can be run from Microsoft Sentinel as a routine. A playbook helps automate and orchestrate your threat response; it can be run manually, or set to run automatically in response to specific alerts or incidents, triggered by an analytics rule or an automation rule, respectively. For example, if an account and a machine are compromised, a playbook can isolate the machine from the network and block the account by the time the SOC team is notified of the incident.

Playbooks can be used only within the subscription to which they belong, but the Playbooks tab (in the Automation blade) displays all the playbooks available across any selected subscriptions.

Playbook templates

A playbook template is a pre-built, tested, ready-to-use workflow that can be customized to meet your needs. Templates can also serve as a reference for best practices when developing playbooks from scratch, or as inspiration for new automation scenarios. A playbook template is not an active playbook until you create a playbook (an editable copy of the template) from it. You can get playbook templates from the following sources:
Technically, a playbook template is an ARM template consisting of several resources: an Azure Logic Apps workflow and one API connection resource for each connection the workflow uses.

Azure Logic Apps basic concepts

Playbooks in Microsoft Sentinel are based on workflows built in Azure Logic Apps, a cloud service that helps you schedule, automate, and orchestrate tasks and workflows across systems throughout the enterprise. This means that playbooks can take advantage of all the power and capabilities of the built-in templates in Azure Logic Apps.

Note: Azure Logic Apps creates separate resources, so additional charges might apply. For more information, visit the Azure Logic Apps pricing page.

Azure Logic Apps communicates with other systems and services using connectors. The following is a brief explanation of connectors and some of their important attributes:
Logic app types

Microsoft Sentinel now supports the following logic app resource types:
The Standard logic app type offers higher performance, fixed pricing, multiple workflows per logic app, easier API connection management, native networking capabilities such as support for virtual networks and private endpoints (see note below), built-in CI/CD features, better Visual Studio Code integration, an updated workflow designer, and more. To use this logic app type, create new Standard playbooks in Microsoft Sentinel (see note below). You can use these playbooks in the same ways that you use Consumption playbooks:
Note: There are many differences between these two resource types, some of which affect the ways they can be used in playbooks in Microsoft Sentinel. In such cases, the documentation points out what you need to know. For more information, see Resource type and host environment differences in the Azure Logic Apps documentation.

Permissions required

To give your SecOps team the ability to use Azure Logic Apps to create and run playbooks in Microsoft Sentinel, assign Azure roles to your security operations team or to specific users on the team. Assign only the role each task actually requires; editing a playbook and merely running one are different tasks. The following describes the available roles and the tasks for which they should be assigned:

Azure roles for Azure Logic Apps
Azure roles for Microsoft Sentinel
Learn more
Steps for creating a playbook
Use cases for playbooks

The Azure Logic Apps platform offers hundreds of actions and triggers, so almost any automation scenario can be created. Microsoft Sentinel recommends starting with the following SOC scenarios:

Enrichment

Collect data and attach it to the incident in order to make smarter decisions. For example: a Microsoft Sentinel incident was created from an alert by an analytics rule that generates IP address entities. The incident triggers an automation rule which runs a playbook with the following steps:
Bi-directional sync

Playbooks can be used to sync your Microsoft Sentinel incidents with other ticketing systems. For example: create an automation rule for all incident creation, and attach a playbook that opens a ticket in ServiceNow:
Orchestration

Use the SOC chat platform to better control the incidents queue. For example: a Microsoft Sentinel incident was created from an alert by an analytics rule that generates username and IP address entities. The incident triggers an automation rule which runs a playbook with the following steps:
Response

Immediately respond to threats, with minimal human dependencies. Two examples:

Example 1: Respond to an analytics rule that indicates a compromised user, as discovered by Azure AD Identity Protection:
Example 2: Respond to an analytics rule that indicates a compromised machine, as discovered by Microsoft Defender for Endpoint:
How to run a playbook

Playbooks can be run either manually or automatically. They are designed to be run automatically, and ideally that is how they should run in the normal course of operations. You run a playbook automatically by defining it as an automated response in an analytics rule (for alerts), or as an action in an automation rule (for incidents).

There are circumstances, though, that call for running playbooks manually. For example, when creating a new playbook, you'll want to test it before putting it into production. Or there may be situations where you want more control and human input over when, and whether, a certain playbook runs. You run a playbook manually by opening an incident or alert and selecting and running the associated playbook displayed there. Currently this feature is generally available for alerts, and in preview for incidents.

Set an automated response

Security operations teams can significantly reduce their workload by fully automating the routine responses to recurring types of incidents and alerts, leaving analysts free to concentrate on unique incidents and alerts, pattern analysis, threat hunting, and more.

Setting an automated response means that every time an analytics rule is triggered, in addition to creating an alert, the rule runs a playbook, which receives as its input the alert created by the rule. If the alert creates an incident, the incident triggers an automation rule, which may in turn run a playbook that receives as its input the incident created from the alert.

Alert creation automated response

For playbooks that are triggered by alert creation and receive alerts as their inputs (their first step is "Microsoft Sentinel alert"), attach the playbook to an analytics rule:
Incident creation automated response

For playbooks that are triggered by incident creation and receive incidents as their inputs (their first step is "Microsoft Sentinel incident"), create an automation rule and define a Run playbook action in it. This can be done in two ways:
See the complete instructions for creating automation rules.

Run a playbook manually

While full automation is the best solution for many incident-handling, investigation, and mitigation tasks, there are cases where you would prefer your analysts to have more human input and control over the situation. Also, you may want your SOC engineers to be able to test the playbooks they write before fully deploying them in automation rules. For these and other reasons, Microsoft Sentinel allows you to run playbooks manually on demand for both incidents (now in Preview) and alerts.
In either of these panels, you'll see two tabs: Playbooks and Runs.
Manage your playbooks

In the Active playbooks tab, there appears a list of all the playbooks which you have access to, filtered by the subscriptions currently displayed in Azure. The subscriptions filter is available from the Directory + subscription menu in the global page header. Clicking a playbook name directs you to the playbook's main page in Azure Logic Apps. The Status column indicates whether it is enabled or disabled. The Plan column indicates whether the playbook uses the Standard or Consumption resource type in Azure Logic Apps; you can filter the list by plan type to see only one type of playbook. Playbooks of the Standard type are named with the LogicApp/Workflow convention, since a Standard logic app can hold several workflows. The Trigger kind column represents the Azure Logic Apps trigger that starts this playbook.
In the playbook's Azure Logic Apps page, you can see more information about the playbook, including a log of all the times it has run and the result of each run (success or failure, and other details). You can also open the workflow designer in Azure Logic Apps and edit the playbook directly, if you have the appropriate permissions.

API connections

API connections are used to connect Azure Logic Apps to other services. Every time a new authentication is made for a connector in Azure Logic Apps, a new resource of type API connection is created; it holds the information provided when configuring access to the service. To see all the API connections, enter API connections in the header search box of the Azure portal. Note the columns of interest:
Another way to view API connections is to go to the All Resources blade and filter it by type API connection. This view allows the selection, tagging, and deletion of multiple connections at once. To change the authorization of an existing connection, open the connection resource and select Edit API connection.

Recommended playbooks

The following recommended playbooks, and other similar playbooks, are available in the Microsoft Sentinel GitHub repository:
Next steps