You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Copy file name to clipboardExpand all lines: articles/sentinel/automate-responses-with-playbooks.md
+7-7Lines changed: 7 additions & 7 deletions
Display the source diff
Display the rich diff
Original file line number
Diff line number
Diff line change
@@ -10,8 +10,6 @@ ms.custom: ignite-fall-2021
10
10
11
11
# Automate threat response with playbooks in Microsoft Sentinel
12
12
13
-
[!INCLUDE [Banner for top of topics](./includes/banner.md)]
14
-
15
13
This article explains what Microsoft Sentinel playbooks are, and how to use them to implement your Security Orchestration, Automation and Response (SOAR) operations, achieving better results while saving time and resources.
16
14
17
15
## What is a playbook?
@@ -76,10 +74,9 @@ Azure Logic Apps communicates with other systems and services using connectors.
76
74
Microsoft Sentinel now supports the following logic app resource types:
77
75
78
76
-**Consumption**, which runs in multi-tenant Azure Logic Apps and uses classic, original Azure Logic Apps engine
79
-
80
77
-**Standard**, which runs in single-tenant Azure Logic Apps and uses a redesigned Azure Logic Apps engine
81
78
82
-
This logic app type offers higher performance, fixed pricing, multiple workflow capability, easier API connections management, native network capabilities such as support for virtual networks and private endpoints, built-in CI/CD features, better Visual Studio Code integration, an updated workflow designer, and more.
79
+
This logic app type offers higher performance, fixed pricing, multiple workflow capability, easier API connections management, native network capabilities such as support for virtual networks and private endpoints (see note below), built-in CI/CD features, better Visual Studio Code integration, an updated workflow designer, and more.
83
80
84
81
To use this logic app version, create new Standard playbooks in Microsoft Sentinel. You can use these playbooks in the same ways that you use Consumption playbooks:
85
82
@@ -91,6 +88,9 @@ Microsoft Sentinel now supports the following logic app resource types:
91
88
>
92
89
> - Standard workflows currently don't support Playbook templates, which means you can't create a Standard workflow from within Microsoft Sentinel. Instead, you must create the workflow in Azure Logic Apps. After creation, the workflow appears in Microsoft Sentinel.
93
90
>
91
+
> - Although Standard workflows support private endpoints as mentioned above, Microsoft Sentinel doesn't currently support the use of private endpoints in playbooks, even those based on Standard workflows.
92
+
> Workflows with private endpoints might still be visible and selectable when you're choosing a playbook from a list in Microsoft Sentinel (whether to run manually, to add to an automation rule, or in the playbooks gallery), and you'll be able to select them, but their execution will fail.
93
+
>
94
94
> - An indicator identifies Standard workflows as either *stateful* or *stateless*. Microsoft Sentinel doesn't support stateless workflows at this time. Learn about the differences between [**stateful and stateless workflows**](../logic-apps/single-tenant-overview-compare.md#stateful-and-stateless-workflows).
95
95
96
96
There are many differences between these two resource types, some of which affect some of the ways they can be used in playbooks in Microsoft Sentinel. In such cases, the documentation will point out what you need to know. For more information, see [Resource type and host environment differences](../logic-apps/logic-apps-overview.md#resource-environment-differences) in the Azure Logic Apps documentation.
@@ -99,12 +99,12 @@ There are many differences between these two resource types, some of which affec
99
99
100
100
To give your SecOps team the ability to use Azure Logic Apps to create and run playbooks in Microsoft Sentinel, assign Azure roles to your security operations team or to specific users on the team. The following describes the different available roles, and the tasks for which they should be assigned:
101
101
102
-
#### Roles for Azure Logic Apps
102
+
#### Azure roles for Azure Logic Apps
103
103
104
104
-**Logic App Contributor** lets you manage logic apps and run playbooks, but you can't change access to them (for that you need the **Owner** role).
105
-
-**Logic App Operator**lets you read, enable, and disable logic apps, but you can't edit or update them.
105
+
-**Logic App Operator** lets you read, enable, and disable logic apps, but you can't edit or update them.
106
106
107
-
#### Azure roles for Sentinel
107
+
#### Azure roles for Microsoft Sentinel
108
108
109
109
-**Microsoft Sentinel Contributor** role lets you attach a playbook to an analytics rule.
110
110
-**Microsoft Sentinel Responder** role lets you run a playbook manually.
0 commit comments