You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Copy file name to clipboardExpand all lines: articles/sentinel/add-advanced-conditions-to-automation-rules.md
+5-3Lines changed: 5 additions & 3 deletions
Display the source diff
Display the rich diff
Original file line number
Diff line number
Diff line change
@@ -5,7 +5,9 @@ ms.topic: how-to
5
5
author: batamig
6
6
ms.author: bagol
7
7
ms.date: 03/14/2024
8
-
appliesto: Microsoft Sentinel in the Azure portal and the Microsoft Defender portal
8
+
appliesto:
9
+
- Microsoft Sentinel in the Azure portal
10
+
- Microsoft Sentinel in the Microsoft Defender portal
9
11
ms.collection: usx-security
10
12
11
13
---
@@ -52,13 +54,13 @@ Let's create a rule that will change the severity of an incoming incident from w
52
54
53
55
1. Select the trigger **When incident is created**.
54
56
55
-
1. Under **Conditions**, if you see the **Incident provider** and **Analytics rule name** conditions, leave them as they are. These conditions aren't available if your workspace is onboarded to the unified SOC platform. In either case, we'll add more conditions later in this process.
57
+
1. Under **Conditions**, if you see the **Incident provider** and **Analytics rule name** conditions, leave them as they are. These conditions aren't available if your workspace is onboarded to the unified security operations platform. In either case, we'll add more conditions later in this process.
56
58
57
59
1. Under **Actions**, select **Change severity** from the drop-down list.
58
60
59
61
1. Select **High** from the drop-down list that appears below **Change severity**.
60
62
61
-
For example, the following tabs show samples from a workspace that's onboarded to the unified SOC platform, in either the Azure or Defender portals, and a workspace that isn't:
63
+
For example, the following tabs show samples from a workspace that's onboarded to the unified security operations platform, in either the Azure or Defender portals, and a workspace that isn't:
Copy file name to clipboardExpand all lines: articles/sentinel/add-entity-to-threat-intelligence.md
+2-1Lines changed: 2 additions & 1 deletion
Display the source diff
Display the rich diff
Original file line number
Diff line number
Diff line change
@@ -6,7 +6,8 @@ author: yelevin
6
6
ms.author: yelevin
7
7
ms.topic: how-to
8
8
ms.date: 3/14/2024
9
-
appliesto: Microsoft Sentinel in the Azure portal
9
+
appliesto:
10
+
- Microsoft Sentinel in the Azure portal
10
11
ms.collection: usx-security
11
12
#Customer intent: As a security analyst, I want to quickly add relevant threat intelligence from my investigation for myself and others so I don't lose important information.
Copy file name to clipboardExpand all lines: articles/sentinel/automate-incident-handling-with-automation-rules.md
+8-6Lines changed: 8 additions & 6 deletions
Display the source diff
Display the rich diff
Original file line number
Diff line number
Diff line change
@@ -5,7 +5,9 @@ ms.topic: conceptual
5
5
author: batamig
6
6
ms.author: bagol
7
7
ms.date: 03/14/2024
8
-
appliesto: Microsoft Sentinel in the Azure portal and the Microsoft Defender portal
8
+
appliesto:
9
+
- Microsoft Sentinel in the Azure portal
10
+
- Microsoft Sentinel in the Microsoft Defender portal
9
11
ms.collection: usx-security
10
12
11
13
---
@@ -103,9 +105,9 @@ The **current state** in this context refers to the moment the condition is eval
103
105
104
106
The conditions evaluated in rules defined using the trigger **When an incident is updated** include all of those listed for the incident creation trigger. But the update trigger includes more properties that can be evaluated.
105
107
106
-
One of these properties is **Updated by**. This property lets you track the type of source that made the change in the incident. You can create a condition evaluating whether the incident was updated by one of the following values, depending on whether you've onboarded your workspace to the unified SOC platform:
108
+
One of these properties is **Updated by**. This property lets you track the type of source that made the change in the incident. You can create a condition evaluating whether the incident was updated by one of the following values, depending on whether you've onboarded your workspace to the unified security operations platform:
107
109
108
-
##### [Onboarded to the unified SOC platform](#tab/onboarded)
110
+
##### [Onboarded workspaces](#tab/onboarded)
109
111
110
112
- An application, including applications in both the Azure and Defender portals.
111
113
- A user, including changes made by users in both the Azure and Defender portals.
@@ -115,7 +117,7 @@ One of these properties is **Updated by**. This property lets you track the type
115
117
- An automation rule
116
118
- Other, if none of the above values apply
117
119
118
-
##### [Not onboarded to the unified SOC platform](#tab/not-onboarded)
120
+
##### [Workspaces not onboarded](#tab/not-onboarded)
119
121
120
122
- An application
121
123
- A Microsoft Sentinel user
@@ -142,7 +144,7 @@ Also, if an incident is updated by an automation rule that ran on the incident's
142
144
If an incident triggers both create-trigger and update-trigger automation rules, the create-trigger rules will run first, according to their **[Order](#order)** numbers, and then the update-trigger rules will run, according to *their***Order** numbers.
143
145
144
146
> [!NOTE]
145
-
> After onboarding to the unified SOC platform, if multiple changes are made to the same incident in a five to ten minute period, a single update is sent to Microsoft Sentinel, with only the most recent change.
147
+
> After onboarding to the unified security operations platform, if multiple changes are made to the same incident in a five to ten minute period, a single update is sent to Microsoft Sentinel, with only the most recent change.
146
148
147
149
#### Alert create trigger
148
150
@@ -302,7 +304,7 @@ In the specific case of a Managed Security Service Provider (MSSP), where a serv
302
304
303
305
## Creating and managing automation rules
304
306
305
-
You can [create and manage automation rules](create-manage-use-automation-rules.md) from different areas in Microsoft Sentinel or the unified SOC platform, depending on your particular need and use case.
307
+
You can [create and manage automation rules](create-manage-use-automation-rules.md) from different areas in Microsoft Sentinel or the unified security operations platform, depending on your particular need and use case.
Copy file name to clipboardExpand all lines: articles/sentinel/automate-responses-with-playbooks.md
+4-2Lines changed: 4 additions & 2 deletions
Display the source diff
Display the rich diff
Original file line number
Diff line number
Diff line change
@@ -5,7 +5,9 @@ ms.topic: conceptual
5
5
author: batamig
6
6
ms.author: bagol
7
7
ms.date: 03/14/2024
8
-
appliesto: Microsoft Sentinel in the Azure portal and the Microsoft Defender portal
8
+
appliesto:
9
+
- Microsoft Sentinel in the Azure portal
10
+
- Microsoft Sentinel in the Microsoft Defender portal
9
11
ms.collection: usx-security
10
12
11
13
---
@@ -30,7 +32,7 @@ For example, if an account and machine are compromised, a playbook can isolate t
30
32
31
33
While the **Active playbooks** tab on the **Automation** page displays all the active playbooks available across any selected subscriptions, by default a playbook can be used only within the subscription to which it belongs, unless you specifically grant Microsoft Sentinel permissions to the playbook's resource group.
32
34
33
-
After onboarding to the unified SOC platform, the **Active playbooks** tab shows a pre-defined filter with onboarded workspace's subscription. In the Azure portal, add data for other subscriptions using the Azure subscription filter.
35
+
After onboarding to the unified security operations platform, the **Active playbooks** tab shows a pre-defined filter with onboarded workspace's subscription. In the Azure portal, add data for other subscriptions using the Azure subscription filter.
Copy file name to clipboardExpand all lines: articles/sentinel/automation.md
+10-8Lines changed: 10 additions & 8 deletions
Display the source diff
Display the rich diff
Original file line number
Diff line number
Diff line change
@@ -5,7 +5,9 @@ ms.topic: conceptual
5
5
author: batamig
6
6
ms.author: bagol
7
7
ms.date: 03/14/2024
8
-
appliesto: Microsoft Sentinel in the Azure portal and the Microsoft Defender portal
8
+
appliesto:
9
+
- Microsoft Sentinel in the Azure portal
10
+
- Microsoft Sentinel in the Microsoft Defender portal
9
11
ms.collection: usx-security
10
12
11
13
---
@@ -40,19 +42,19 @@ Playbooks in Microsoft Sentinel are based on workflows built in [Azure Logic App
40
42
41
43
Learn more with this [complete explanation of playbooks](automate-responses-with-playbooks.md).
42
44
43
-
## After onboarding to the unified SOC platform
45
+
## Automation with the unified security operations platform
44
46
45
-
After onboarding your Microsoft Sentinel workspace to the unified SOC platform, note the following differences in the way automation functions in your workspace:
47
+
After onboarding your Microsoft Sentinel workspace to the unified security operations platform, note the following differences in the way automation functions in your workspace:
46
48
47
49
|Functionality |Description |
48
50
|---------|---------|
49
-
|**Automation rules with alert triggers**| In the unified SOC platform, automation rules with alert triggers act only on Microsoft Sentinel alerts. <br><br>For more information, see [Alert create trigger](automate-incident-handling-with-automation-rules.md#alert-create-trigger). |
50
-
|**Automation rules with incident triggers**| In both the Azure portal and the unified SOC platform, the **Incident provider** condition property is removed, as all incidents have *Microsoft Defender XDR* as the incident provider. <br><br>At that point, any existing automation rules run on both Microsoft Sentinel and Microsoft Defender XDR incidents, including those where the **Incident provider** condition is set to only *Microsoft Sentinel* or *Microsoft 365 Defender*. <br><br>However, automation rules that specify a specific analytics rule name will run only on the incidents that were created by the specified analytics rule. This means that you can define the **Analytic rule name** condition property to an analytics rule that exists only in Microsoft Sentinel to limit your rule to run on incidents only in Microsoft Sentinel. <br><br>For more information, see [Incident trigger conditions](automate-incident-handling-with-automation-rules.md#conditions). |
51
+
|**Automation rules with alert triggers**| In the unified security operations platform, automation rules with alert triggers act only on Microsoft Sentinel alerts. <br><br>For more information, see [Alert create trigger](automate-incident-handling-with-automation-rules.md#alert-create-trigger). |
52
+
|**Automation rules with incident triggers**| In both the Azure portal and the unified security operations platform, the **Incident provider** condition property is removed, as all incidents have *Microsoft Defender XDR* as the incident provider. <br><br>At that point, any existing automation rules run on both Microsoft Sentinel and Microsoft Defender XDR incidents, including those where the **Incident provider** condition is set to only *Microsoft Sentinel* or *Microsoft 365 Defender*. <br><br>However, automation rules that specify a specific analytics rule name will run only on the incidents that were created by the specified analytics rule. This means that you can define the **Analytic rule name** condition property to an analytics rule that exists only in Microsoft Sentinel to limit your rule to run on incidents only in Microsoft Sentinel. <br><br>For more information, see [Incident trigger conditions](automate-incident-handling-with-automation-rules.md#conditions). |
51
53
|***Updated by* field**| - After onboarding your workspace, the **Updated by** field has a [new set of supported values](automate-incident-handling-with-automation-rules.md#incident-update-trigger), which no longer include *Microsoft 365 Defender*. In existing automation rules, *Microsoft 365 Defender* is replaced by a value of *Other* after onboarding your workspace. <br><br>- If multiple changes are made to the same incident in a 5-10 minute period, a single update is sent to Microsoft Sentinel, with only the most recent change. <br><br>For more information, see [Incident update trigger](automate-incident-handling-with-automation-rules.md#incident-update-trigger). |
52
54
|**Automation rules that add incident tasks**| If an automation rule add an incident task, the task is shown only in the Azure portal. |
53
-
|**Microsoft incident creation rules**| Microsoft incident creation rules aren't supported in the unified SOC platform. <br><br>For more information, see [Microsoft Defender XDR incidents and Microsoft incident creation rules](microsoft-365-defender-sentinel-integration.md#microsoft-defender-xdr-incidents-and-microsoft-incident-creation-rules). |
54
-
|**Active playbooks tab**| After onboarding to the unified SOC platform, by default the **Active playbooks** tab shows a pre-defined filter with onboarded workspace's subscription. Add data for other subscriptions using the subscription filter. <br><br>For more information, see [Create and customize Microsoft Sentinel playbooks from content templates](use-playbook-templates.md). |
55
-
|**Running playbooks manually on demand**|The following procedures are not supported in the unified SOC platform: <br><br>- [Run a playbook manually on an alert](tutorial-respond-threats-playbook.md?tabs=LAC%2Cincidents#run-a-playbook-manually-on-an-alert) <br>- [Run a playbook manually on an entity](tutorial-respond-threats-playbook.md?tabs=LAC%2Cincidents#run-a-playbook-manually-on-an-entity-preview)|
55
+
|**Microsoft incident creation rules**| Microsoft incident creation rules aren't supported in the unified security operations platform. <br><br>For more information, see [Microsoft Defender XDR incidents and Microsoft incident creation rules](microsoft-365-defender-sentinel-integration.md#microsoft-defender-xdr-incidents-and-microsoft-incident-creation-rules). |
56
+
|**Active playbooks tab**| After onboarding to the unified security operations platform, by default the **Active playbooks** tab shows a pre-defined filter with onboarded workspace's subscription. Add data for other subscriptions using the subscription filter. <br><br>For more information, see [Create and customize Microsoft Sentinel playbooks from content templates](use-playbook-templates.md). |
57
+
|**Running playbooks manually on demand**|The following procedures are not supported in the unified security operations platform: <br><br>- [Run a playbook manually on an alert](tutorial-respond-threats-playbook.md?tabs=LAC%2Cincidents#run-a-playbook-manually-on-an-alert) <br>- [Run a playbook manually on an entity](tutorial-respond-threats-playbook.md?tabs=LAC%2Cincidents#run-a-playbook-manually-on-an-entity-preview)|
0 commit comments