In Sprint III, which spans up till March 17, 2023, our primary objective is to implement a Security Orchestration, Automation, and Response plan.

SOAR is the next evolution in security operations, allowing for the automation of repetitive tasks and the orchestration of complex security workflows.

SOAR Power Of Combination

In the mid-2010s, the cybersecurity landscape was marked by a significant turning point with the emergence of Security Orchestration, Automation, and Response (SOAR) solutions.

Gartner, a renowned technology research and advisory firm, played a pivotal role in shaping this narrative. In their groundbreaking report, Gartner identified the need for a comprehensive approach to security incident handling, emphasizing the importance of automation and orchestration in the face of increasingly sophisticated cyber threats.

Gartner's foresight was first to recognize that the traditional, manual methods of incident response were becoming inadequate in the rapidly evolving threat landscape.

Thus, the Soar concept was introduced with the aim to streamline and enhance incident response processes through the integration of automation, orchestration, and response capabilities. This set the stage for a new era in cybersecurity, inspiring a wave of innovation and entrepreneurial spirit.

A Network of SOAR-Driven Startups #

SOAR, starting as a concept, served as a catalyst for the birth of numerous cybersecurity startups, each born with the explicit intention of addressing the inherent gaps that have been discerned in traditional incident response methodologies.

Startup Focus Area Core Innovation
Threat Intelligence Automated aggregation and analysis of threat intelligence feeds
Automation Platform Development of a versatile automation platform for incident response
Predictive Analytics Integration of predictive analytics to enhance threat detection capabilities

These startups grew on the principles of automation, orchestration, and response, offering innovative solutions to organizations seeking to bolster their security postures.

They brought a fresh perspective to the cybersecurity domain, challenging conventional practices and paving the way for a more efficient and proactive approach to managing security incidents.

They advocated for continuous improvement, adaptability, and a stance against cyber threats.

Unpacking SOAR Capabilities for Cybersecurity Resilience

As we jump into the of UEBA next, this will mark the next phase in the evolution of cybersecurity.

UEBA, rooted in understanding and analyzing user behavior, stands as a crucial complement to SOAR technologies. Together, they form a robust defense against the ever-evolving cybersecurity challenges of the modern digital landscape.


It really began with UBA, a methodology centered around observing and scrutinizing the actions of individual users within a network.

The evolution continued when a Gartner analyst introduced a better idea—UEBA, taking this process a step further by broadening its scope to encompass diverse entities, extending beyond the confines of individual users to include a comprehensive analysis of various elements within a network.

A Comprehensive Analysis of User Behavior and Entity Analytics

User and entity behavior analytics is a game-changer in cybersecurity with the function to monitor, analyze, and identify abnormal patterns in the behavior of users and entities within a network including devices, applications, and systems.

UEBA also uses advanced analytics, machine learning algorithms, and contextual analysis to provide organizations with early threat detection, reducing the dwell time of attackers and enabling swift responses to security incidents.

From SOAR to UEBA to SIEM #

As SOAR startups gained traction and demonstrated their efficacy, the cybersecurity landscape witnessed a wave of acquisitions. Established SIEMs and UEBA vendors like Microsoft recognized the value of incorporating SOAR capabilities into their offerings to provide end-to-end security solutions.

This evolution highlighted the industry's commitment to staying ahead of cyber threats by embracing innovative technologies and adapting to the changing security landscape.

Automated Incident Handling #

A playbook is actually a SOAR workflow. These playbooks serve as orchestrators, empowering SOAR platforms to spring into action automatically at the onset of an incident.

The last refers to a documented and strategic set of procedures that outlines how an organization should detect, respond to, and recover from cybersecurity incidents.

It consist of a series of actions executed in response to an incident.
This holds significant importance within our Sentinel SOAR strategy, as the playbook plays a crucial role in optimizing our security operations.

Aspect Description
Automation Capacity Playbooks lie in their ability to engineer workflows that require minimal human intervention.
Incident Investigation They seamlessly automate the intricate process of incident investigation.
TI Enrichment They go beyond automation, enhancing threat intelligence by incorporating enrichment techniques.
Action Execution Deftly executing actions with capabilities extending to the proactive blockade of malicious IOCs.
Automated Threat Data Dissemination Excel in the seamless dissemination of automated threat data to a diverse array of security tools, SIEMs, firewalls, TIPs.

The Automation Logic #

At the core of our Sentinel playbook is its automation logic.

This logic dictates the sequence of actions and responses taken during an incident.

This process is designed to automate repetitive and time-consuming tasks, allowing our security team to respond rapidly and consistently to various security events.

  1. Decision Trees: We incorporate decision trees that guide the response process based on the nature and severity of the incident.
  2. Human-in-the-Loop: While automation is key, our playbook recognizes the importance of human decision-making. Critical decision points are flagged for human intervention, ensuring a human-in-the-loop approach for nuanced and complex situations.

The effectiveness of our Sentinel SOAR strategy heavily relies on the strength of the playbook automation logic for speed, consistency, resource optimization, and adaptability.

Later on, we will guide you through the steps to effortlessly craft your own workflow.

Create a Cybersecurity Playbook #

  1. Access the Automation Section: Begin by navigating to the Automation section from the Microsoft Sentinel navigation menu.

  2. Initiate the Creation Process: From the top menu, select the Create option.

  3. Select Playbook Type: The drop-down menu that appears under Create provides four options for playbook creation.

    Quick start playbooks from Automation in left pane

    At this point, you'll get the option to decide which type of LogicApp you intend to create, and based on that, the steps vary for you to follow.

    Logic App Type SecOps
    Consumption LogicApp Playbook with incident trigger, Playbook with alert trigger, or Playbook with entity trigger.
    Standard LogicApp Blank playbook.
    • Standard playbook is the new type, to create that, pick the Blank playbook.
    • Consumption playbook is the main type and applies to any of Playbook with incident trigger, Playbook with alert trigger, or Playbook with entity trigger. based on the desired trigger, choose yours.

Considering our specific security use case and operational needs, we'll leverage the Consumption option.

This entails utilizing a playbook with an incident trigger, a choice that seamlessly aligns with our incident response requirements and overall automation strategy, but let's first go over key differentiation.

Logic App Types for Informed Decision-Making #

Logic Apps is the tool we use to set up the playbook and define the desired workflow.

Azure Logic Apps officially made its debut with the introduction of the Azure App Service in 2015.

The primary objective was to empower users to design, automate, and orchestrate workflows in a visual and code-free manner offering 2 types.

Logic App Consumption Logic App Standard
- Serverless Model: Scales automatically in a serverless environment. - Dedicated Resources: Operates in a dedicated integration service environment.
- Pay-per-Use Pricing: Billed based on executions and resource consumption. - Continuous Execution: Designed for high-volume, consistent workloads.
- Built-in Connectors: Includes connectors for seamless integration. - Cost Structure: Involves a fixed cost based on dedicated resources.

This marked a departure from traditional integration methods, offering a more agile and responsive approach to building and managing integrations.

A Consumption logic app have only one workflow that runs in multi-tenant Azure Logic Apps or an integration service environment.

Use Consumption when: Use Standard when:
- You have sporadic or variable workloads. - You have a consistent and high-volume workload.
- You want a serverless, scalable model without managing dedicated resources. - Predictable performance and resource allocation are crucial.
- Pay-per-use pricing aligns with your cost model. - You need to run Logic Apps within a dedicated integration service environment.
- Built-in connectors meet your integration needs. - You prefer a fixed-cost model based on provisioned resources.

On the flip side, The Standard boasts a comprehensive infrastructure with one or multiple workflows seamlessly running within the confines of a single-tenant Azure LA.

Building a Consumption-Driven Logic App #

Progressing to the playbook that incorporates an incident trigger is an intuitive step that effortlessly navigates you through the setup of the Logic App.

  1. Choose the Subscription, Resource group, Region, and the name from their respective drop-down lists.
  2. Tick the Enable diagnostics logs in Log Analytics checkbox, and choose your Log Analytics workspace from the drop-down list.
  3. For playbook access to secure resources within or linked to an Azure virtual network, use an integration service environment (ISE).
  4. Click Next: Connections >. Observe playbook required authentication with Microsoft Sentinel for this instance.
  5. Click Next: Review and create >.
  6. Review the configuration and Click Create and continue to designer.

If this were applicable to a standard type, you would just need to make a selection, and that would complete this stage.

Logic App Designer Interface #

Your playbook will take a few minutes to be created and deployed. Once complete, you will see the message "Your deployment is complete," and you will be taken to your new playbook's Logic App Designer.

The trigger you chose at the beginning will have automatically been added as the first step, and you can continue designing the workflow.

Freshly Created LogicApp From Sentinel Playbook

We selected Incident trigger for our playbook, so expect our workflow with the Sentinel Incident Node.

Before getting into the design process, a brief authentication of that node is necessary to establish our identity within the system.

Next-Gen Connectivity With Azure Logic App #

Managed Identity is a feature that simplifies the way applications and services authenticate in the cloud.

You don't need to store credentials in your code or configuration files, improving security and reducing the management overhead associated with its handling.

To maintain a seamless workflow, we'll now perform the final configuration before actually designing of the Logic App.

This involves assigning a managed identity to the Sentinel incident node to prevent potential issues when working with the designer.

  1. In the Logic apps, in the left pane click on Identity.
  2. Turn the status toggle to on for System assigned tab and click save.
  3. Click Add role assignment and pick Azure Sentinel Responder for that logic app.
  4. Go back to your connector, decide on an optional name, and include the system-managed identity you just created.

By doing that, your Logic App will be authenticated and correctly configured to start working in your workflow.

We have specified system managed for our identity but you may wonder how many are there.

There are actually two types of Managed Identities in Azure;

Feature System-assigned Managed Identity User-assigned Managed Identity
Creation Automatically created with Azure resource Created independently as a standalone resource
Lifecycle Tied to the lifecycle of the Azure resource Independent lifecycle, can be assigned to multiple resources
Assignment Assigned to a specific Azure resource during creation Assigned to one or more Azure resources independently
Flexibility Limited flexibility for reuse across multiple resources Offers flexibility for reuse across multiple resources
Removal Deleted when the associated Azure resource is deleted Can be removed from resources without affecting the identity
Granularity Coarse-grained, typically tied to a specific resource type Fine-grained, can be assigned to different types of resources
Use Case VM needing to access Azure services securely Shared identity for a group of related resources across different types

Having arrived at this strategic decision for system-based identity, it becomes clear why we opted for this approach.

Our objective was to establish a seamless and efficient communication channel between Sentinel and Logic Apps in a secure and internal manner.

Security Turns Developer Phase #

I refer to this stage as the "developer phase" for a significant reason. At this juncture, your workspace is prepared, authenticated, and poised to unlock your insights.

Here, you have the opportunity to meticulously design the actual workflow that will eventually be consolidated into a playbook.

In the designer, you have the opportunity to leverage your coding skills using JSON.

Code Editor Within The Logic App Designer

This empowers you to craft your own sentinel trigger block and also allows you to intricately code your connection parameters and assign their respective values.

This level of flexibility opens the doors to a realm of possibilities, enabling you to introduce innovative approaches to automating tasks that you frequently encounter in your role as a cybersecurity professional.

Aspect Code Editor Designer
Granular Control Fine-grained control. Limit customization.
Version Control Easier version control. Less intuitive.
Collaboration Well-suited for developer collaboration. Limited collaboration.
Complex Scenarios Better for complex scenarios. Simpler scenarios.
Error Handling More control through code. Simple error handling.
Learning Curve Steeper learning curve. User-friendly interface.
Debugging You learn more. Not much to learn.

Remarkable breakthroughs frequently emerge from coding endeavors, and for the present, let's focus on a more straightforward approach.

Adhering to a carefully considered methodology, this exact process will unfold more smoothly in Sprint Four when I guide you through integrating with other technologies.

Use Playbooks Templates #

This sprint is designed to elucidate the implementation of SOAR within your organization.

Our goal is to simplify the process for you and guide you directly to the key points that propel you forward. This is precisely why we have included this section.

Where To Look For Playbooks Templates

As of this writing, I have identified several templates within the portal, and I have tabled them for your convenience.

Name Description
Prompt User - Alert Prompt user for alert response
Prompt User - Incident Prompt user for incident response
Reset-AADUserPassword Reset Azure AD user password
Response on Okta user from Teams Respond to Okta user alert from Teams
Restrict MDE Domain Restrict MDE domain
Restrict MDE Ip Address Restrict MDE IP address
Run MDE Antivirus Run MDE antivirus scan
Send basic email Send a basic email
Sync Jira from Sentinel Synchronize Jira data from Sentinel
Sync Jira to Sentinel Synchronize Jira data to Sentinel

We'll reserve the design work for Sprint Four to assist you in fostering innovation. Here, you can leverage the templates provided by Microsoft for common cybersecurity workflows.

This will kickstart your process, enabling you to implement SOAR with minimal operational overhead.

Once you've grasped the fundamentals, you'll find it easier to design your workflows in the upcoming sprint.

Run Playbooks Manually #

Once you have your playbook and its workflow established, the subsequent step is to tailor it specifically to address a particular incident within your organization.

Now, it is time to implement this workflow in response to a specific incident.

  1. Navigate to the Incidents page.
  2. Select an incident of interest.
  3. Click on "View full details" at the bottom of the incident details pane. Run Playbooks Manually Against Specific Incidents
  4. In the Incident timeline widget, locate the incident action.
  5. From the pop-up menu, select "Run playbook."
  6. Click on that to expand on the playbook you wish to run on this.
  7. The Alert playbooks pane will open, displaying all configured playbooks with the Microsoft Sentinel Alert Logic Apps trigger that you have access to.
  8. Select the "Run" option on the line of the specific playbook you intend to execute immediately.

Run Playbooks Failed Because You Need Permission

Above, we provide detailed steps on how to manually run playbooks.

Below, we explain why this is helpful, and that's all you need to know to get it to work.

Benefit Description
Improved Response Time Reducing the overall response time.
Contextual Decision-Making Enabling informed and context-aware decisions.
Flexibility and Adaptability Choose the most suitable playbook incident-based.
Human Oversight Apply human intelligence during execution.

Unlock SOAR Potential #

We are unleashing the full potential of SOAR capabilities.
We are not just automating common actions within a workflow; We are also automating their attribution to specific incidents.

This is achieved by defining rules according to our specific organizational needs.

If you refer back to the figure we previously employed, you'll observe that one of the options is automation rules.

This is the next step after ensuring your playbooks are in place.

Automation rules in SOAR are fundamental components designed to streamline cybersecurity processes and focus on what really matters.

These are the key to liberating your teams from the hassle of manual, repetitive tasks.

They empower you to effortlessly configure rules, offering a solution to handle complexities in your workflows and freeing up valuable time for more impactful work.

They consist of three main components:

Trigger Of Automation Rule Execution #

  • Triggers are events or conditions that initiate the execution of an automation rule.
  • These could include specific incidents, alerts, or predefined conditions within the cybersecurity environment.

Defining the Necessary Conditions #

  • Conditions define the criteria that must be met for the automation rule to proceed.
  • These criteria serve as the decision-making parameters, ensuring that the rule is triggered only under specific circumstances.

Executing Actions Upon Triggering and Condition Verification #

  • Actions are the predefined responses or tasks that the automation rule performs once triggered and the specified conditions are met.
  • These actions can range from executing predefined workflows to sending notifications or taking corrective measures.

By combining triggers, conditions, and actions, automation rules empower cybersecurity professionals to respond swiftly and effectively to security incidents, enhancing the overall efficiency of SOAR systems and let me tell just how next.

Create Automation Rules In Sentinel #

  1. Navigate to Automation in the Sentinel left pane.
  2. Utilize the '+' create button, similar to the one used for playbooks, to create a new Automation rule.
    • Select Automation rule instead of the previously used options. Create Automation Rules In Microsoft Sentinel
  3. A new window will appear, allowing you to specify your automation based on the components we previously discussed. For the trigger, choose from the following: Types Of Automation Rules Trigger These represent the diverse types of triggers available for Automation Rules, offering a comprehensive range of events that can prompt rule activation. Whether it's the creation of a new incident, updates to existing incidents, or the generation of a new alert, these trigger options ensure a versatile and adaptable response mechanism.
  4. Specify the conditions as per your requirements and can range from simplicity, involving only two elements with an OR operator, to compound scenarios with three or more intricate elements of logic. Types Of Automation Rules Conditions
  5. For the action, specify playbooks.
    • Six actions are available for you to execute.
    • We can modify the incident status, such as changing it to "severe" or marking it as "closed."
    • In the realm of SOAR, our primary emphasis is on playbooks. Types Of Automation Rules Actions
  6. When you finished operating, Click Apply.

Note: it is essential to ensure that you assign the necessary permissions to your playbooks to authenticate and enable their functionality.

This now implies that with the workflow now automated in playbooks, we are extending the automation to include the assignment of the playbook to the incident using predefined rules we just operated.

Empower SOAR With UBEA #

I want to emphasize the importance of UBEA and stress that leveraging its power is crucial for your organization.

Consequently, I believe it's fitting to conclude our SOAR sprint by highlighting this pivotal aspect.

In this section, we will walk you through the steps to enable UBEA for your Sentinel workspace.

This enhancement aims to simplify the realms of detection and alert engineering, leveraging data from tables like BehaviorAnalytics and IdentityInfo.

  1. Navigate to the Entity Behavior Configuration page In Sentinel Settings.
  2. On Entity behavior analytics drop down, click set UBEA. UBEA Microsoft Sentinel Settings Pane
  3. On the Entity Behavior Configuration page, toggle the switch to the "On" position.
  4. Select the checkboxes corresponding to the Active Directory source types that you wish to synchronize user entities with Microsoft Sentinel, and enter the ID.
  5. Mark the checkboxes for the data sources on which you want to activate UEBA.

UEBA meticulously builds profiles of what's considered "normal" behavior in a system.

It's like teaching a digital detective to recognize the usual patterns of users and entities. This simplifies the process of identifying non-normal behavior, making it easier to detect when a user deviates from their usual patterns or engages in activities that may pose a security risk.

Now, let's talk about Contextual Analysis, another crucial role.

Here, UEBA goes beyond just the here and now. It considers historical data and situational factors, akin to a detective taking into account a person's past actions and the current circumstances of that specific case.

By incorporating UBEA into your Sentinel environment, you can significantly enhance the effectiveness of your security operations.

  • Click on the "Apply" button. If you entered this page through the Entity Behavior page, you will be redirected back. Enable UBEA In Your Organisation

The goal is to minimize false positives and efficiently address intricate queries with concise lines of KQL.

Embrace the opportunity to employ UBEA and give it a try.

Liberating Cyber Experts Minds #

In this sprint, we had a great ride into the foundational elements of SOAR, tracing its evolution from a concept introduced by Gartner analysts to its incorporation into the arsenal of cybersecurity products.

Witnessing its dissemination worldwide, particularly with the ascent of cloud technologies, highlights the expansive reach of this transformative approach.

Throughout this sprint, we provided comprehensive, step-by-step instructions for setting up SOAR, elucidating the meticulous process of crafting workflows, bundling them into playbooks, and the dynamic options of executing them manually or automating through customized rules.

This not only empowers you with a profound understanding of the entire setup but also unlocks the full potential of SOAR within your operational landscape.

With these capabilities at your disposal, you are now equipped to embark on the exciting journey of constructing your unique workflows and automating processes based on the distinctive rules of your organization.

This marks a pivotal moment in your SOAR journey, as you transition from learner to creator, bringing a tailored approach to cybersecurity optimization.

Looking ahead to the forthcoming sprint, we will explore product integration, providing insights into how you can expand the capabilities of your Security Information and Event Management system to achieve even greater efficiency.

The journey continues, and the promise of more exciting developments awaits.

Stay tuned for the next chapter in our exploration of cybersecurity innovation,