What’s new: Automate full incident lifecycle with incident update triggers

This post has been republished via RSS; it originally appeared at Microsoft Tech Community - Latest Blogs.

Automation tools are an essential capability for the modern SOC to cope with the volume of threats and manage day-to-day tasks. Microsoft Sentinel automation capabilities help security teams transform any manual process into a seamless routine that happens behind the scenes, saving time and effort, letting analysts focus on the decisions that require human judgment, and reducing the mean time to resolve incidents. Automation rules let you centrally manage how incidents are handled and responded to, and playbooks provide powerful, flexible advanced automation for your threat response tasks.


Until today, you could create automation rules and playbooks that are triggered when an incident is created. Our customers have been using this capability for multiple purposes: initial enrichment, quick triage and false-positive suppression, immediate threat remediation, creating tickets in external systems, notifying stakeholders and more. We have seen an amazing level of adoption of these automation capabilities, and a decrease in our customers’ mean time to resolve. But the security incident, as the object which tells the story of the attack and organizes all the information the team has on it, is a dynamic container that keeps changing. The creation event is only the beginning of an incident’s lifecycle, and automation should be able to take part in every stage of it.


Now available: incident update triggers for automation rules and playbooks. Teams can now create automation rules and playbooks which run when incident fields are modified – for example, when an owner is assigned, when alerts and comments are added, and more.

New automation scenarios are now possible:

  • Extend automation when the incident evolves
    SOC teams that have defined automation rules for when an incident is created, in which they enrich the incident and respond to it, want to continue doing so when alerts are added.

  • Update orchestration and notification
    Notify the team when changes occur to incidents, so they won’t miss any critical updates. Assign owners and let them know they are assigned. Control the re-opening of incidents.

  • Keep your external ticketing system synced
    Customers who use playbooks to create tickets in other systems when incidents are created can now keep those external tickets’ status up to date.


Configure automation rules and playbooks

New trigger and conditions for automation rules


When creating an automation rule, you can now select When an incident is updated in the trigger dropdown.


To set the specific update scenario, new condition operators are available to capture state changes. For single-valued fields, you can select Changed, Changed from and Changed to.


You can also configure the rule to run when items are added to any of the incident lists: alerts, tags, comments, and tactics.


You can also determine which update sources will trigger the automation rule:


Use playbooks for incident update scenarios

The Microsoft Sentinel Logic Apps connector now supports new fields which can be used to create automated workflows with information regarding the actual update. We have released a new version of the Incident trigger, which now includes, in addition to the full updated incident information, information about the update. This means you can easily create automated workflows which dynamically use:

  • The names of the fields in which a change occurred
  • The new alerts, comments, tags and tactics items
  • Who made the update and when
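To make the two halves of this feature concrete, the rule-side condition operators (Changed, Changed from, Changed to, items added to a list, and the update-source filter) and the playbook-side update record (changed field names, new list items, who updated and when), here is an added Python example. It is illustrative code written for this post, not Microsoft Sentinel's rule engine or the Logic Apps connector's payload; the incident snapshots, the update-source labels ("Analyst", "Playbook", "AlertGrouping") and the rule names are constructed, and field names follow the incident fields the post mentions rather than any documented API schema.

```python
from dataclasses import dataclass
from datetime import datetime, timezone

# Constructed sample incident snapshots (not real Sentinel data): the same
# incident before and after an analyst assigns it, raises severity, and adds
# a correlated alert, a comment and a tactic.
BEFORE = {
    "incidentNumber": 1042,
    "title": "Suspicious sign-in from unfamiliar location",
    "status": "New",
    "severity": "Medium",
    "owner": None,
    "alerts": ["alert-001"],
    "tags": ["needs-review"],
    "comments": [],
    "tactics": ["InitialAccess"],
}
AFTER = {
    "incidentNumber": 1042,
    "title": "Suspicious sign-in from unfamiliar location",
    "status": "Active",
    "severity": "High",
    "owner": "analyst@contoso.example",
    "alerts": ["alert-001", "alert-002"],
    "tags": ["needs-review"],
    "comments": ["Second alert correlates with the same user; escalating."],
    "tactics": ["InitialAccess", "Persistence"],
}

SCALAR_FIELDS = ("title", "status", "severity", "owner")  # single-valued fields
LIST_FIELDS = ("alerts", "tags", "comments", "tactics")   # incident lists
# Assumed update-source labels for this example; the real dropdown values
# are not quoted in the post.
ALL_SOURCES = ("Analyst", "Playbook", "AlertGrouping")


def describe_update(before, after, updated_by, source, at=None):
    """Build the update record a playbook would consume: which single-valued
    fields changed (old, new), which list items were added, who did it and
    when, plus the full post-update incident."""
    changed = {f: (before[f], after[f]) for f in SCALAR_FIELDS if before[f] != after[f]}
    added = {f: [x for x in after[f] if x not in before[f]] for f in LIST_FIELDS}
    return {
        "changedFields": changed,
        "addedItems": {f: items for f, items in added.items() if items},
        "updatedBy": updated_by,
        "updateSource": source,
        "updatedAt": (at or datetime.now(timezone.utc)).isoformat(),
        "incident": after,
    }


@dataclass
class Condition:
    field: str
    op: str            # "Changed", "ChangedFrom", "ChangedTo" or "ItemsAdded"
    value: object = None


@dataclass
class Rule:
    name: str
    conditions: list
    sources: tuple = ALL_SOURCES  # update sources allowed to fire this rule


def condition_matches(cond, update):
    changed, added = update["changedFields"], update["addedItems"]
    if cond.op == "Changed":
        return cond.field in changed
    if cond.op == "ChangedFrom":
        return cond.field in changed and changed[cond.field][0] == cond.value
    if cond.op == "ChangedTo":
        return cond.field in changed and changed[cond.field][1] == cond.value
    if cond.op == "ItemsAdded":
        return cond.field in added
    raise ValueError(f"unknown operator {cond.op!r}")


def rule_matches(rule, update):
    # All conditions are ANDed, and the update source must be an allowed one.
    return update["updateSource"] in rule.sources and all(
        condition_matches(c, update) for c in rule.conditions)


def matching_rules(rules, update):
    return [r.name for r in rules if rule_matches(r, update)]


RULES = [
    Rule("Notify new owner in Teams", [Condition("owner", "Changed")]),
    Rule("Sync ticket status", [Condition("status", "Changed")]),
    Rule("Flag reopened incident", [Condition("status", "ChangedFrom", "Closed")]),
    Rule("Page on-call on High", [Condition("severity", "ChangedTo", "High")]),
    # Exclude playbook-originated updates so enrichment playbooks that modify
    # the incident themselves cannot feed back into this rule.
    Rule("Re-enrich when alerts are added", [Condition("alerts", "ItemsAdded")],
         sources=("Analyst", "AlertGrouping")),
]

if __name__ == "__main__":
    update = describe_update(BEFORE, AFTER, "analyst@contoso.example", "Analyst")
    print(update["changedFields"], update["addedItems"])
    print(matching_rules(RULES, update))
```

The update-source filter on the last rule is the part worth copying into real rules: an update made by a playbook is still an update, so a rule that reacts to changes a playbook itself makes will re-trigger unless the source is restricted.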


Leverage out-of-the-box playbook templates

While these new capabilities allow customers to create their own scenarios from scratch, we've already built a set of playbooks for you, so you can get immediate value from this feature with just a few clicks, or get started with your own scenarios, having a handy reference for best practices. These playbook templates can be found now under Automation -> Playbook Templates tab. They all have the tag incident update. Learn more about how you can leverage playbook templates.


Here are some examples:


  • Notify incident owner in Teams
    When an incident owner is assigned, the new owner receives a Teams card with incident information and a link to the incident in the Azure portal.


  • Update ServiceNow record / Jira issue
    When an incident’s status or severity has changed, or a comment has been added, these playbooks update the external system’s ticket to reflect the change.
    The playbook templates for ticket creation in these systems have been updated as well: they now keep a tag on the Sentinel incident containing the external ticket id. If you have used them, you will see an "update available" label on your active playbooks; clicking on it lets you overwrite them with the new version.


  • Notify on severity and status changes
    When an incident’s severity or status has changed, these playbooks send an adaptive card to the SOC Teams channel, or an email to the team’s mailbox, allowing a quick pivot to the incident.


We look forward to continuing to enhance the automation rules platform with new features that empower the SOC analyst and enable automating exciting new scenarios.
