Azure Sentinel playbooks help to automate tasks, improve investigations, and allow quick responses to threats.
This new feature enables selection of up to 10 playbooks to run when a new alert is created.
For example, an analytics rule that flags high-risk users associated with suspicious IPs might trigger:
- An Enrichment playbook that queries VirusTotal about the IP entities and adds the results as a comment on the incident.
- A Response playbook that consults Azure AD Identity Protection and confirms the risky users (received as Account entities) as compromised.
- An Orchestration playbook that sends the SOC an email reporting that a new alert was generated, along with its details.
- A Sync playbook that creates a Jira ticket for the new incident.
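The fan-out described above, as an added example that is not part of the original announcement or of any Microsoft playbook. It parses a constructed SecurityAlert-style record (assumption: the Entities column is a JSON array of objects with a "Type" field, "Address" for ip entities and "Name"/"UPNSuffix" for account entities), routes the entities to four playbook functions, and runs them in random order to mirror the fact that attached playbooks have no ordering guarantee. The VirusTotal lookup is replaced by a constructed in-memory reputation table, and the SOC mailbox and Jira project are hypothetical; the point to notice is that every playbook reads only the alert, never another playbook's output.

```python
import json
import random

# Constructed sample alert in the shape of a Sentinel SecurityAlert record
# (assumption: Entities is a JSON array whose objects carry a "Type" field,
# with "Address" for ip entities and "Name"/"UPNSuffix" for account entities).
SAMPLE_ALERT = {
    "AlertName": "High-risk user sign-in from suspicious IP",
    "Entities": json.dumps([
        {"$id": "2", "Type": "ip", "Address": "203.0.113.7"},
        {"$id": "3", "Type": "account", "Name": "jdoe", "UPNSuffix": "contoso.example"},
    ]),
}

# Constructed reputation table standing in for a VirusTotal lookup (no network call).
FAKE_IP_REPUTATION = {"203.0.113.7": {"malicious": 12, "harmless": 60}}

MAX_PLAYBOOKS_PER_RULE = 10  # limit stated in the announcement


def entities_by_type(alert):
    """Group the alert's entities by their lower-cased Type value."""
    grouped = {}
    for ent in json.loads(alert["Entities"]):
        grouped.setdefault(ent.get("Type", "").lower(), []).append(ent)
    return grouped


def enrichment_playbook(alert):
    """Look up each IP entity and return one incident-comment line per IP."""
    comments = []
    for ip in entities_by_type(alert).get("ip", []):
        rep = FAKE_IP_REPUTATION.get(ip["Address"], {"malicious": 0, "harmless": 0})
        comments.append(
            f"{ip['Address']}: {rep['malicious']} malicious / {rep['harmless']} harmless verdicts"
        )
    return comments


def response_playbook(alert):
    """Return the UPNs of the Account entities to confirm as compromised."""
    return [f"{a['Name']}@{a['UPNSuffix']}" for a in entities_by_type(alert).get("account", [])]


def orchestration_playbook(alert):
    """Build the SOC notification mail from the alert itself."""
    return {
        "to": "soc@contoso.example",  # hypothetical SOC mailbox
        "subject": f"New alert: {alert['AlertName']}",
        "body": json.dumps(entities_by_type(alert), indent=2),
    }


def sync_playbook(alert):
    """Build the fields for the Jira ticket that tracks the new incident."""
    return {"project": "SEC", "summary": alert["AlertName"], "labels": ["sentinel"]}


PLAYBOOKS = [enrichment_playbook, response_playbook, orchestration_playbook, sync_playbook]


def run_automated_response(alert, playbooks=PLAYBOOKS, rng=None):
    """Fan the alert out to every attached playbook in a random order.

    The shuffle mirrors the note that attached playbooks run in no particular
    order, so no playbook may depend on another one having finished first.
    """
    if len(playbooks) > MAX_PLAYBOOKS_PER_RULE:
        raise ValueError(f"at most {MAX_PLAYBOOKS_PER_RULE} playbooks may be attached to one rule")
    order = list(playbooks)
    (rng or random).shuffle(order)
    return {pb.__name__: pb(alert) for pb in order}


if __name__ == "__main__":
    for name, result in run_automated_response(SAMPLE_ALERT).items():
        print(f"{name}: {result}")
```

Because the order is shuffled on every run, a playbook that assumed the enrichment comment already existed (for example, a Response playbook that reads the VirusTotal verdict from the incident comments) would fail intermittently; keeping each playbook self-contained on the alert's entities avoids that.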
Integration
- Navigate to Azure Sentinel -> Analytics
- Create a new scheduled query rule or edit an existing one
- Go to the Automated response tab
- Select the playbooks you would like to trigger
Note: At this point, the selected playbooks run in no particular order.
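The same attachment done programmatically, as an added example that is not part of the original announcement. It builds the PUT requests for the Microsoft.SecurityInsights alertRules/{ruleId}/actions resource, one per playbook (assumptions: the resource path, the `logicAppResourceId`/`triggerUri` property names and the `2020-01-01` api-version are taken from the Azure Sentinel actions REST API; the subscription, workspace, rule and playbook values are constructed placeholders). It derives a stable action id from each playbook's resource id so the script can be re-run without creating duplicate actions, rejects a playbook listed twice, and enforces the 10-playbook limit before anything is sent; the requests are returned rather than sent so the block runs offline.

```python
import uuid

API_VERSION = "2020-01-01"  # assumption: api-version of the alertRules/actions resource
MAX_PLAYBOOKS_PER_RULE = 10  # limit stated in the announcement

# Constructed placeholders; replace with real values before use.
SUBSCRIPTION = "00000000-0000-0000-0000-000000000000"
RESOURCE_GROUP = "rg-sentinel-placeholder"
WORKSPACE = "law-sentinel-placeholder"
RULE_ID = "11111111-1111-1111-1111-111111111111"

LOGIC_APP_PREFIX = (
    f"/subscriptions/{SUBSCRIPTION}/resourceGroups/{RESOURCE_GROUP}"
    "/providers/Microsoft.Logic/workflows/"
)

# Constructed playbook list: resource id of each Logic App plus its trigger callback URL.
SAMPLE_PLAYBOOKS = [
    {"resource_id": LOGIC_APP_PREFIX + name,
     "trigger_uri": f"https://example.invalid/{name}/triggers/manual/paths/invoke?sig=PLACEHOLDER"}
    for name in ("Enrich-VirusTotal-IP", "Respond-ConfirmRiskyUser", "Notify-SOC-Email", "Sync-Jira-Ticket")
]


def action_id_for(logic_app_resource_id):
    """Derive a deterministic action id from the playbook's resource id.

    Re-running with the same playbook yields the same id, so the PUT updates
    the existing action instead of attaching the playbook a second time.
    """
    return str(uuid.uuid5(uuid.NAMESPACE_URL, logic_app_resource_id.lower()))


def build_action_requests(subscription, resource_group, workspace, rule_id, playbooks):
    """Return one (url, body) PUT request per playbook to attach to the rule."""
    if len(playbooks) > MAX_PLAYBOOKS_PER_RULE:
        raise ValueError(
            f"{len(playbooks)} playbooks requested, but a rule accepts at most {MAX_PLAYBOOKS_PER_RULE}"
        )
    base = (
        f"https://management.azure.com/subscriptions/{subscription}"
        f"/resourceGroups/{resource_group}/providers/Microsoft.OperationalInsights"
        f"/workspaces/{workspace}/providers/Microsoft.SecurityInsights"
        f"/alertRules/{rule_id}/actions"
    )
    seen = set()
    requests = []
    for pb in playbooks:
        rid = pb["resource_id"]
        if rid.lower() in seen:
            raise ValueError(f"playbook listed twice: {rid}")
        seen.add(rid.lower())
        url = f"{base}/{action_id_for(rid)}?api-version={API_VERSION}"
        body = {"properties": {"logicAppResourceId": rid, "triggerUri": pb["trigger_uri"]}}
        requests.append((url, body))
    return requests


if __name__ == "__main__":
    for url, body in build_action_requests(SUBSCRIPTION, RESOURCE_GROUP, WORKSPACE, RULE_ID, SAMPLE_PLAYBOOKS):
        print("PUT", url)
        print("    ", body["properties"]["logicAppResourceId"])
```

Each request would be sent with an Azure Resource Manager bearer token; the caller needs write permission on the rule and the playbooks' trigger URLs, which contain a signature and should be handled as secrets rather than committed alongside the script.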