CyberSecurity SEE

Creating a SOAR Playbook in Microsoft Sentinel

Security operations center (SOC) analysts play a crucial role in identifying and responding to cybersecurity incidents. However, the increasing volume of alerts has created a challenge for these analysts, leading to alert fatigue and potentially missing critical incidents. To address this issue, many SOCs are turning to security orchestration, automation, and response (SOAR) platforms.

SOAR platforms leverage artificial intelligence (AI) to distinguish between false-positive and genuine alerts, allowing analysts to prioritize incident alerts more effectively. Additionally, automation capabilities enable SOC analysts to gather information about an incident quickly, leading to faster and more accurate responses. Moreover, SOAR tools automate repetitive tasks, freeing up analysts’ time for more complex and human-intensive work.

To support security practitioners in utilizing SOAR platforms, Benjamin Kovacevic, a senior product manager at Microsoft, has written a book titled “Security Orchestration, Automation, and Response for Security Analysts”. In this book, Kovacevic explains the benefits of using SOAR tools in SOC operations and how automation enhances incident response.

One prominent automation feature of SOAR platforms is the playbook. Playbooks are a set of predefined actions that guide the response process for each incident. Microsoft Sentinel, a security information and event management (SIEM) system developed by Microsoft, utilizes a solution called Logic Apps for creating and running automated workflows. Logic Apps supports both a low-code/no-code option for visual design and a code mode for those who prefer writing the workflow definition directly. This flexibility allows SOC analysts to tailor the playbook creation process to their preferences and requirements.

Microsoft Sentinel supports two types of Logic Apps: Logic Apps Consumption and Logic Apps Standard. Logic Apps Consumption enables the creation of single-playbook workflows that can incorporate templates and custom connectors. It is widely integrated into Microsoft Sentinel and allows sharing of backend resources across different customer tenants. On the other hand, Logic Apps Standard allows multiple workflows within a single Logic App but does not support templates or custom connectors. It serves specific use cases that don’t require sharing backend resources across different Logic Apps.

To access and manage playbooks in Microsoft Sentinel, analysts can navigate to the Automation tab and open the Active playbooks sub-menu. From there, they can create new playbooks, edit or disable existing ones, and filter playbooks based on various criteria such as status, trigger kind, subscription, and resource group. Playbook templates can be found in the Playbook templates (Preview) sub-menu. Additionally, the Content hub within Microsoft Sentinel provides access to a wide range of templates and solutions for easy deployment. Analysts can also find more templates on GitHub, leveraging Azure Resource Manager (ARM) templates for seamless integration with Microsoft Sentinel.

Creating a new playbook in Microsoft Sentinel can be done by selecting one of three options: Playbook with incident trigger, Playbook with alert trigger, or Blank playbook. The incident and alert trigger options utilize Logic Apps Consumption, while the Blank playbook option allows analysts to choose between Logic Apps Consumption and Logic Apps Standard. Once the playbook is deployed, analysts can design the playbook workflow using the Logic app designer, which offers a visual interface for building the playbook. For those who prefer working with code, the code view is also available.

In the subsequent chapters of “Security Orchestration, Automation, and Response for Security Analysts”, Kovacevic provides in-depth guidance on creating playbooks and offers hands-on examples for a comprehensive understanding of the process. The book covers various scenarios and explains how to run playbooks automatically using automation rules or manually on incidents and alerts.

In order to create, edit, and run playbooks effectively in Microsoft Sentinel, analysts need specific permissions. These permissions ensure that only authorized personnel can perform these actions, maintaining a secure and controlled environment.

In conclusion, SOAR platforms, such as Microsoft Sentinel, are empowering SOC analysts to overcome the challenges of alert fatigue and optimize their incident response capabilities. By leveraging automation and utilizing playbook workflows, analysts can triage alerts more efficiently and focus on more critical and human-intensive tasks. The book “Security Orchestration, Automation, and Response for Security Analysts” provides a comprehensive guide on using SOAR tools in the context of SOC operations, offering security practitioners invaluable insights and practical advice.
