L12. Automation and SOAR: Playbooks with Logic Apps
Sentinel SOAR capabilities automate incident response through automation rules and playbooks built on Azure Logic Apps. This lesson covers automation rule triggers, playbook architecture, and common automation patterns for the SC-200 exam.
Automation in Sentinel
Sentinel provides two automation mechanisms:
| Feature | Purpose | Complexity |
|---|---|---|
| Automation rules | Lightweight incident management (assign, tag, close, trigger playbook) | Low |
| Playbooks | Complex workflows with external integrations (Logic Apps) | Medium to High |
Automation Rules
Automation rules run when incidents are created or updated. They execute in order of priority and support these actions:
- Assign owner: Route incidents to specific analysts or teams
- Change status: Auto-close known benign incidents
- Change severity: Escalate or de-escalate based on conditions
- Add tags: Categorize incidents for reporting
- Run playbook: Trigger a Logic Apps workflow
Conditions can filter on: incident provider, analytics rule name, severity, title contains, entity values, tags, and custom details.
Exam tip: Automation rules execute in priority order (lowest number first). If multiple rules match an incident, they all execute in sequence unless an earlier rule changes the status to Closed.
Playbooks (Logic Apps)
Playbooks are Azure Logic Apps workflows triggered by Sentinel. They provide the SOAR (Security Orchestration, Automation and Response) layer.
Common playbook triggers:
- When a Sentinel incident is created: Runs when a new incident appears
- When a Sentinel alert is created: Runs per individual alert
- When a Sentinel incident is updated: Runs when incident properties change
Common playbook actions:
- Send notification (email, Teams message, Slack)
- Enrich incident with threat intelligence lookups
- Block IP/URL in firewall or proxy
- Disable user account in Entra ID
- Isolate device via Defender for Endpoint API
- Create ticket in ServiceNow or Jira
- Post to a security channel in Teams
Playbook Architecture
A typical enrichment playbook:
- Trigger: Sentinel incident creation
- Parse entities: Extract IP addresses from the incident
- For each IP: Query VirusTotal or AbuseIPDB API
- Add comment: Write enrichment results to the incident
- Conditional: If any IP is malicious, change severity to High
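The five steps above, modelled in Python as an added example (this is not a Logic App and not code from the lesson or from Microsoft). The incident dict shape, the entity fields, the `REPUTATION_FEED` table and the `SAMPLE_INCIDENT` are constructed for the example; the feed stands in for the VirusTotal or AbuseIPDB call so the code runs offline. It also shows two details the bullet list leaves implicit: internal and malformed IP entities are skipped before lookup, and severity is only ever raised, never lowered.

```python
"""Added illustration: a Python model of the five enrichment-playbook steps above.
It is not a Logic App; the incident dict shape, the entity fields and the
REPUTATION_FEED table stand in for the Sentinel trigger output and for a
VirusTotal/AbuseIPDB lookup so that the example runs offline."""
import ipaddress
from typing import Dict, List

# Constructed sample reputation data (documentation-range addresses, not real intelligence).
REPUTATION_FEED: Dict[str, dict] = {
    "203.0.113.45": {"malicious": True, "score": 92, "source": "sample-feed"},
    "198.51.100.7": {"malicious": False, "score": 3, "source": "sample-feed"},
}

# Addresses an external reputation service cannot say anything useful about.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
                  "127.0.0.0/8", "169.254.0.0/16", "fc00::/7", "::1/128")]

SEVERITY_RANK = {"Informational": 0, "Low": 1, "Medium": 2, "High": 3}


def parse_ip_entities(incident: dict) -> List[str]:
    """Step 2: pull IP entities out of the incident, dropping malformed and internal ones."""
    found = set()
    for ent in incident.get("entities", []):
        if ent.get("kind") != "Ip":
            continue
        try:
            addr = ipaddress.ip_address(ent.get("address", ""))
        except ValueError:
            continue  # garbage in the entity field, not a lookup candidate
        if any(addr in net for net in INTERNAL_NETS):
            continue
        found.add(str(addr))
    return sorted(found)


def lookup_reputation(ip: str, feed: Dict[str, dict] = REPUTATION_FEED) -> dict:
    """Step 3: stand-in for the per-IP API call. An IP absent from the feed is
    reported as 'no data' rather than silently treated as clean."""
    return feed.get(ip, {"malicious": None, "score": None, "source": "no data"})


def enrich_incident(incident: dict, feed: Dict[str, dict] = REPUTATION_FEED) -> dict:
    """Steps 2 to 5: parse entities, look each one up, comment, escalate if needed.
    Returns an updated copy; the input incident is left untouched."""
    result = dict(incident)
    result["comments"] = list(incident.get("comments", []))
    verdicts = {ip: lookup_reputation(ip, feed) for ip in parse_ip_entities(incident)}

    # Step 4: write the findings back as an incident comment.
    lines = [f"{ip}: malicious={v['malicious']} score={v['score']} ({v['source']})"
             for ip, v in verdicts.items()]
    result["comments"].append("IP enrichment:\n" + ("\n".join(lines) or "no public IP entities"))

    # Step 5: raise severity to High only on a malicious verdict, and never lower it.
    result["malicious_ips"] = [ip for ip, v in verdicts.items() if v["malicious"]]
    if result["malicious_ips"] and SEVERITY_RANK.get(result["severity"], 0) < SEVERITY_RANK["High"]:
        result["severity"] = "High"
    return result


# Constructed sample incident, shaped like what the incident-creation trigger hands over.
SAMPLE_INCIDENT = {
    "title": "Suspicious sign-in followed by outbound connection",
    "severity": "Medium",
    "entities": [
        {"kind": "Ip", "address": "203.0.113.45"},
        {"kind": "Ip", "address": "10.0.0.5"},       # internal, skipped
        {"kind": "Ip", "address": "198.51.100.7"},
        {"kind": "Ip", "address": "not-an-ip"},      # malformed, skipped
        {"kind": "Account", "name": "jdoe"},
    ],
}

if __name__ == "__main__":
    out = enrich_incident(SAMPLE_INCIDENT)
    print(out["severity"], out["malicious_ips"])
    print(out["comments"][-1])
```

In a real playbook the lookup step is the connector action against VirusTotal or AbuseIPDB, the comment step is the Sentinel connector's add-comment action, and the severity change is the Sentinel connector's update-incident action; the control flow (for each IP, then a condition) is what the Logic App designer expresses.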
Key Logic Apps connectors for security playbooks:
| Connector | Use Case |
|---|---|
| Microsoft Sentinel | Read/update incidents, add comments |
| Microsoft Entra ID | Disable accounts, reset passwords |
| Microsoft Defender for Endpoint | Isolate devices, run scans |
| Microsoft Teams | Send notifications, post to channels |
| VirusTotal | File and URL reputation lookups |
| ServiceNow | Create and update tickets |
Managed Identity and Permissions
Playbooks use a managed identity to authenticate to Sentinel and other Azure services. The managed identity needs:
- Microsoft Sentinel Responder role on the workspace (to update incidents)
- Microsoft Sentinel Reader role (if only reading incident data)
- Appropriate permissions on target services (e.g., User Administrator to disable accounts)
Automation Rule + Playbook Pattern
The recommended pattern combines both features:
- Automation rule filters incidents by analytics rule name or severity
- Automation rule triggers the appropriate playbook
- Playbook executes the response workflow
This separation keeps playbook logic clean (no filtering needed) and allows the same playbook to be triggered by multiple automation rules with different conditions.
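An added Python model of the automation-rule semantics from the Automation Rules section (priority order, all matching rules run, evaluation stops once a rule sets the status to Closed) and of the rule-then-playbook pattern just described. This is not Sentinel code; the `Incident` and `AutomationRule` shapes, the condition keys, the action names and `SAMPLE_RULES` are constructed for the example, and the assumption that a later rule sees the incident as modified by earlier rules is the model's, not a statement from the lesson.

```python
"""Added illustration: a small Python model of how Sentinel automation rules are
evaluated against an incident. Not Sentinel code; the data shapes, condition keys
and action names are constructed to mirror the options described in the lesson."""
from dataclasses import dataclass, field
from typing import List, Optional, Tuple


@dataclass
class Incident:
    title: str
    severity: str
    analytics_rule: str
    provider: str = "Microsoft Sentinel"
    status: str = "New"
    owner: Optional[str] = None
    tags: List[str] = field(default_factory=list)
    playbooks_triggered: List[str] = field(default_factory=list)
    audit: List[str] = field(default_factory=list)


@dataclass
class AutomationRule:
    name: str
    order: int                       # priority: the lowest number runs first
    conditions: dict                 # subset of the filters listed in the lesson
    actions: List[Tuple[str, str]]   # (action, value) pairs, applied in order


def matches(rule: AutomationRule, inc: Incident) -> bool:
    """Every condition on the rule must hold for the rule to fire."""
    c = rule.conditions
    if "provider" in c and inc.provider != c["provider"]:
        return False
    if "analytics_rule" in c and inc.analytics_rule not in c["analytics_rule"]:
        return False
    if "severity" in c and inc.severity not in c["severity"]:
        return False
    if "title_contains" in c and c["title_contains"].lower() not in inc.title.lower():
        return False
    return True


def apply_action(action: str, value: str, inc: Incident) -> None:
    """The five automation-rule actions from the lesson."""
    if action == "assign_owner":
        inc.owner = value
    elif action == "change_status":
        inc.status = value
    elif action == "change_severity":
        inc.severity = value
    elif action == "add_tag":
        inc.tags.append(value)
    elif action == "run_playbook":
        # The playbook itself runs as a Logic App; the rule only hands off to it.
        inc.playbooks_triggered.append(value)
    else:
        raise ValueError(f"unknown action: {action}")


def run_automation_rules(rules: List[AutomationRule], inc: Incident) -> Incident:
    """Evaluate rules in priority order; stop once a rule has closed the incident.
    Model assumption: later rules see the incident as modified by earlier ones."""
    for rule in sorted(rules, key=lambda r: r.order):
        if inc.status == "Closed":
            inc.audit.append(f"stopped before {rule.name}: incident already Closed")
            break
        if not matches(rule, inc):
            inc.audit.append(f"skipped {rule.name}: conditions not met")
            continue
        for action, value in rule.actions:
            apply_action(action, value, inc)
        inc.audit.append(f"ran {rule.name}")
    return inc


# Constructed sample rules: rule 1 filters and hands off to a playbook (the recommended
# pattern), rule 2 auto-closes known noise, rule 3 tags whatever is still open.
SAMPLE_RULES = [
    AutomationRule("Tag everything", 3, {}, [("add_tag", "auto-reviewed")]),
    AutomationRule("Close test-tenant noise", 2,
                   {"title_contains": "test tenant"},
                   [("change_status", "Closed")]),
    AutomationRule("Brute force to tier 2", 1,
                   {"analytics_rule": ["Brute Force"], "severity": ["High"]},
                   [("assign_owner", "soc-tier2"),
                    ("add_tag", "brute-force"),
                    ("run_playbook", "Enrich-IP-Reputation")]),
]

if __name__ == "__main__":
    inc = run_automation_rules(SAMPLE_RULES,
                               Incident("Brute force attempt against VPN", "High", "Brute Force"))
    print(inc.owner, inc.tags, inc.playbooks_triggered, inc.status)
    noise = run_automation_rules(SAMPLE_RULES,
                                 Incident("Brute force noise from test tenant", "High", "Brute Force"))
    print(noise.status, noise.tags, noise.audit)
```

Note that the filtering lives entirely in the rule conditions: the playbook named in `run_playbook` receives only incidents that already matched, which is why the playbook itself needs no filtering logic and can be reused by several rules.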
Playbook Templates
The Content Hub and Sentinel GitHub repository provide playbook templates for common scenarios:
- Incident enrichment with threat intelligence
- User entity validation and account actions
- IP blocking across multiple firewall vendors
- Automated ticket creation and notification
- ✓ Automation rules handle lightweight actions (assign, tag, close) and trigger playbooks for complex workflows.
- ✓ Automation rules execute in priority order. All matching rules execute unless a prior rule closes the incident.
- ✓ Playbooks are Azure Logic Apps workflows triggered by incident creation, alert creation, or incident updates.
- ✓ Playbooks require the Microsoft Sentinel Responder role to update incidents (Reader is not sufficient).
- ✓ The recommended pattern combines automation rules for filtering with playbooks for response logic.
- ✓ Common playbook actions include enrichment lookups, account disabling, device isolation, and ticket creation.
1. A playbook needs to add comments and change the severity of Sentinel incidents. Which minimum role must the playbook managed identity have?
2. An organization wants to automatically assign all high-severity incidents from the "Brute Force" analytics rule to a specific analyst. Which Sentinel feature should they use?
3. Multiple automation rules match a newly created incident. In what order do they execute?