Bring Remediation Steps into Azure Sentinel

Posted by

Special thanks to Nicholas DiCola for collaborating on the solution!


In this blog you will learn how to bring guided remediation steps into Azure Sentinel (from Azure Defender and Microsoft Defender for Endpoint) to enhance the security posture of your organization and stop attacks.


 


Background


Once an investigation is underway in Sentinel, SOC Analysts are then tasked with responding to true threats and preventing malicious activity from further occurring. With Sentinel’s Incidents, SOC’s have a collection of entities, events, and alerts to analyze and determine what resources need further security or remediation.


With this playbook, Azure Sentinel users that have Microsoft Defender for Endpoint or Azure Defender will experience a tighter integration of their best security tools within Azure Sentinel.


Rather than having to jump from portal to portal, this playbook identifies recommended steps to resolve a potentially malicious or suspicious event and surfaces this guidance in the form of a comment on the related Sentinel incident.


 


Ready, Set, Go


1. To get started, deploy the playbook to Azure using the GitHub artifact using this link: Remediation Steps Playbook


joross_1-1612999635471.png


 


2. After you have deployed the playbook from the Sentinel GitHub and add it to your Sentinel related resource group.


joross_2-1612999635478.png


 


3. Once the playbook has successfully deployed, navigate to the playbook’s (‘Comment_RemediationSteps’) Logic App Designer. Once in the designer, be sure to enable the connections to Azure Monitor and Sentinel. This is as simple as selecting the connection in the Logic App designer and clicking ‘Add new’ to establish your new connection as seen below:


(Note: there are three areas in the logic app where a connection to an identity or service principal is required. This is needed at the trigger “When a response to an Azure Sentinel alert is triggered”, and the two actions: “Alert – Get incident” and “Run query and list results”)


joross_3-1612999635494.png


 


4. Once the connections have been made, hit save and you are all set to use the playbook to provide guided remediation steps to you analysts. This playbook runs off a manual trigger, so when an analyst finds an incident related to Azure Defender or Microsoft Defender for Endpoint, all the analyst needs to do is open the incident -> click ‘View Full Details’ -> Under the ‘Alerts’ tab click ‘View Playbooks’ -> and click ‘Run’ on ‘Comment_RemediationSteps’as seen in the visuals below:


 


a. View Full Details


joross_4-1612999635505.png


 


b. View playbooks


joross_5-1612999635517.png


 


c. Run playbook


joross_6-1612999635523.png


 


 5. Once the playbook “Comment_RemediationSteps” has been run, return to the related incident’s ‘comments’ tab and you will find that the remediation steps have been posted as seen below:


joross_0-1613000843968.png


 


Using these steps an analyst can ensure that an attack does not progress, and that the organization’s security posture has been improved to prevent future intrusions.


 


Related Content:


How Azure Sentinel and Azure Security Center Work Together – YouTube


Connect Microsoft Defender for Endpoint data to Azure Sentinel | Microsoft Docs


Connect Azure Defender data to Azure Sentinel | Microsoft Docs


Tutorial: Run a playbook in Azure Sentinel | Microsoft Docs


 


Overview of the Logic App:


joross_0-1613000310382.pngjoross_1-1613000325938.png


 

 

This articles are republished, there may be more discussion at the original link. But if you found this helpful, you're more than welcome to let us know!

This site uses Akismet to reduce spam. Learn how your comment data is processed.