Respond to Office 365 Threats with Azure Sentinel
Overview
Detecting threats in Office 365 and responding to them quickly is critical. In the previous article, we explored threat detection with Azure Sentinel analytics rules.
In this article, we take this further and respond to the threats those rules detect.
Responding to threats
We can use playbooks together with automation rules to automate incident response and remediate security threats detected by Azure Sentinel: the automation rule decides which incidents to act on, and the playbook carries out the response.
Automation rules
Automation rules help triage incidents in Azure Sentinel. With an automation rule we can assign an incident to an owner, change its severity, add tags, and run playbooks in response to it. Each rule has conditions (for example, which analytics rules raised the incident) that decide which incidents it applies to, and rules are evaluated in order when an incident is created.
Playbooks
Playbooks are Azure Logic Apps workflows that automate and orchestrate the response to an alert or incident. A playbook that an automation rule runs must start with the Azure Sentinel incident trigger; playbooks built on the alert trigger are attached to analytics rules instead.
Create a playbook and logic app
Follow the steps below to create a playbook in Azure Sentinel:
- In Azure Sentinel, under Configuration, click Automation.
- Click Create > Add new playbook.
- You will be navigated to the Create a logic app page; fill in the basics and create the logic app.
- In the Logic Apps Designer, select Blank Logic App.
- In the search box, type Sentinel.
- Select the appropriate trigger to build the logic app (the Azure Sentinel incident trigger for a playbook that automation rules will run).
- We will create a simple logic app that posts a message to an MS Teams channel.
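The designer builds a JSON workflow definition behind the scenes, and keeping that definition in source control is the easiest way to review and redeploy a playbook. The following is an added example, not code from the article: it generates the workflow definition for the playbook described above (Azure Sentinel incident trigger followed by a Teams "Post message in a chat or channel" action). The connector paths and the `triggerBody()` field names are the ones the Sentinel and Teams connectors use; the Teams team and channel IDs and the `$connections` wiring are placeholders the deployer supplies.

```python
"""Generate the Logic App workflow definition for a Sentinel playbook that
posts a new incident's summary to a Teams channel.

Added example (not the article's own code). The output is what the
Logic App "code view" shows; the azuresentinel and teams API connections
are created separately and passed in through the $connections parameter.
"""
import json

# Expression prefix for fields of the incident delivered by the trigger.
INCIDENT = "triggerBody()?['object']?['properties']"


def build_teams_notification_playbook(group_id: str, channel_id: str) -> dict:
    """Return the workflow definition. group_id and channel_id identify the
    Teams team and channel (placeholders in main() below)."""
    # Logic Apps inline expressions are written as @{...} inside strings.
    message = (
        "<p><strong>New Azure Sentinel incident</strong><br>"
        f"Incident #@{{{INCIDENT}?['incidentNumber']}}: "
        f"@{{{INCIDENT}?['title']}}<br>"
        f"Severity: @{{{INCIDENT}?['severity']}}<br>"
        f"<a href=\"@{{{INCIDENT}?['incidentUrl']}}\">Open incident</a></p>"
    )
    return {
        "$schema": "https://schema.management.azure.com/providers/Microsoft.Logic/schemas/2016-06-01/workflowdefinition.json#",
        "contentVersion": "1.0.0.0",
        "parameters": {"$connections": {"defaultValue": {}, "type": "Object"}},
        "triggers": {
            # Fires when Sentinel creates an incident (automation rule or on demand).
            "Microsoft_Sentinel_incident": {
                "type": "ApiConnectionWebhook",
                "inputs": {
                    "body": {"callback_url": "@{listCallbackUrl()}"},
                    "host": {"connection": {"name": "@parameters('$connections')['azuresentinel']['connectionId']"}},
                    "path": "/incident-creation",
                },
            }
        },
        "actions": {
            # Teams connector operation "Post message in a chat or channel".
            "Post_message_in_a_chat_or_channel": {
                "runAfter": {},
                "type": "ApiConnection",
                "inputs": {
                    "body": {
                        "messageBody": message,
                        "recipient": {"groupId": group_id, "channelId": channel_id},
                    },
                    "host": {"connection": {"name": "@parameters('$connections')['teams']['connectionId']"}},
                    "method": "post",
                    "path": "/beta/teams/conversation/message/poster/@{encodeURIComponent('Flow bot')}/location/@{encodeURIComponent('Channel')}",
                },
            }
        },
        "outputs": {},
    }


if __name__ == "__main__":
    # Placeholder IDs; take the real ones from the Teams channel link.
    definition = build_teams_notification_playbook(
        group_id="00000000-0000-0000-0000-000000000000",
        channel_id="19:placeholder@thread.tacv2",
    )
    print(json.dumps(definition, indent=2))
```

Paste the printed JSON into the playbook's code view, or place it under `properties.definition` of a `Microsoft.Logic/workflows` resource in an ARM template, and authorize the two API connections once in the portal.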
Automate threat response with Automation rule
Follow the steps below to create an automation rule that runs the playbook automatically:
- In Azure Sentinel, under Configuration, click Automation.
- Click Create > Add new rule.
- Under Conditions, select the analytics rules whose incidents should trigger the playbook.
- Under Actions, select Run playbook and choose the playbook created above.
Sentinel runs the playbook on your behalf, so its service principal (Azure Security Insights) needs the Microsoft Sentinel Automation Contributor role on the playbook's resource group; the Automation page prompts you to grant it if it is missing.
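The same rule can be created from a script against the Microsoft.SecurityInsights REST API, which is useful when the rule has to exist in several workspaces. The following is an added example, not code from the article: it builds the automation rule body (conditions on the triggering analytics rules and on severity, then a tag action followed by a Run playbook action) and the management URL, and shows the PUT that deploys it. The API version, resource IDs and tenant ID are placeholders; `put_automation_rule` needs a real bearer token and is not run by the offline demo.

```python
"""Build and deploy an Azure Sentinel automation rule that tags matching
incidents and runs the Teams-notification playbook.

Added example (not the article's own code). Body shape follows the
automationRules REST resource; API_VERSION is an assumed stable version.
"""
import json
import urllib.request
import uuid

API_VERSION = "2023-02-01"  # assumption: replace with the version your tenant accepts


def build_automation_rule(display_name, analytic_rule_ids, playbook_resource_id,
                          tenant_id, severities=("High", "Medium"),
                          label="office365", order=1):
    """Return the request body for Automation Rules - Create Or Update."""
    conditions = [{
        # "Contains" here means the incident was raised by any listed rule.
        "conditionType": "Property",
        "conditionProperties": {
            "propertyName": "IncidentRelatedAnalyticRuleIds",
            "operator": "Contains",
            "propertyValues": list(analytic_rule_ids),
        },
    }]
    if severities:
        conditions.append({
            "conditionType": "Property",
            "conditionProperties": {
                "propertyName": "IncidentSeverity",
                "operator": "Equals",
                "propertyValues": list(severities),
            },
        })
    return {"properties": {
        "displayName": display_name,
        "order": order,
        "triggeringLogic": {
            "isEnabled": True,
            "triggersOn": "Incidents",
            "triggersWhen": "Created",
            "conditions": conditions,
        },
        "actions": [
            {   # triage first: tag the incident so analysts can filter on it
                "order": 1,
                "actionType": "ModifyProperties",
                "actionConfiguration": {"labels": [{"labelName": label}]},
            },
            {   # then notify the channel through the playbook
                "order": 2,
                "actionType": "RunPlaybook",
                "actionConfiguration": {
                    "logicAppResourceId": playbook_resource_id,
                    "tenantId": tenant_id,
                },
            },
        ],
    }}


def automation_rule_url(subscription_id, resource_group, workspace, rule_id):
    """Management endpoint of the automation rule (rule_id is normally a GUID)."""
    return (
        f"https://management.azure.com/subscriptions/{subscription_id}"
        f"/resourceGroups/{resource_group}"
        f"/providers/Microsoft.OperationalInsights/workspaces/{workspace}"
        f"/providers/Microsoft.SecurityInsights/automationRules/{rule_id}"
        f"?api-version={API_VERSION}"
    )


def put_automation_rule(url, body, bearer_token):
    """Create or update the rule. Needs an ARM token for a principal with
    Microsoft Sentinel Contributor on the workspace."""
    req = urllib.request.Request(
        url, data=json.dumps(body).encode(), method="PUT",
        headers={"Authorization": f"Bearer {bearer_token}",
                 "Content-Type": "application/json"},
    )
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)


if __name__ == "__main__":
    # Placeholder IDs only; no request is sent here.
    sub, rg, ws = "<subscription-id>", "<resource-group>", "<workspace>"
    rule = build_automation_rule(
        "Notify Teams on Office 365 incidents",
        [f"/subscriptions/{sub}/resourceGroups/{rg}/providers/Microsoft.OperationalInsights"
         f"/workspaces/{ws}/providers/Microsoft.SecurityInsights/alertRules/<analytics-rule-id>"],
        f"/subscriptions/{sub}/resourceGroups/{rg}/providers/Microsoft.Logic/workflows/<playbook-name>",
        "<tenant-id>",
    )
    print(automation_rule_url(sub, rg, ws, str(uuid.uuid4())))
    print(json.dumps(rule, indent=2))
```

The PUT is idempotent, so the same script can run in a pipeline to keep the rule in sync; the playbook permission described above still has to be granted once per resource group.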
Run a playbook on demand
Follow the steps below to run a playbook on demand:
- In Azure Sentinel, under Threat Management, click Incidents.
- Select the incident and click View full details.
- Click View playbooks.
- Select a playbook and run it.
- The message is posted to the MS Teams channel.
Summary
Detecting threats in Office 365 and responding to them quickly is critical. We can use playbooks together with automation rules to automate incident response and remediate security threats detected by Azure Sentinel.