|
| 1 | +--- |
| 2 | +title: 'Create playbooks for Microsoft Sentinel solutions' |
| 3 | +description: This article guides you through the process of creating and publishing playbooks to Microsoft Sentinel solutions. |
| 4 | +author: anilgodavarthy |
| 5 | +ms.author: angodavarthy |
| 6 | +ms.service: microsoft-sentinel |
| 7 | +ms.topic: conceptual |
| 8 | +ms.date: 1/23/2025 |
| 9 | + |
| 10 | +#CustomerIntent: As a ISV partner, I want to create and publish playbooks to my Microsoft Sentinel solution so that I can provide inbuilt automation use cases to my customers. |
| 11 | +--- |
| 12 | + |
| 13 | +# Creating and publishing playbooks for Microsoft Sentinel solutions |
| 14 | + |
| 15 | +Playbooks in Microsoft Sentinel are sets of procedures that can respond to incidents, alerts, or specific entities. They help automate responses and can be set to run automatically when certain alerts or incidents occur. Playbooks can also be executed manually. |
| 16 | + |
| 17 | +This article walks you through the process of creating and publishing playbooks to Microsoft Sentinel solutions. |
| 18 | + |
| 19 | +## Use Cases for Microsoft Sentinel playbooks |
| 20 | +Due to the growing number of alerts and incidents, SOC analysts can't manually handle everything. To maximize the benefits of Microsoft Sentinel, it's crucial to determine which automations help SOC analysts with each detection in your solution. Here are some of the common scenarios for playbooks – |
| 21 | + |
| 22 | +- **Incident Enrichment:** Enhance alerts with additional information for efficient investigation and resolution. Example: Collect more data on IP addresses associated with an incident. |
| 23 | +- **Sync with Ticketing Systems:** Synchronize Microsoft Sentinel incidents with other systems like ServiceNow bi-directionally. Example: On incident creation, sync details with a ServiceNow ticket. For more information, see [ServiceNow connector](/connectors/service-now/) |
| 24 | +- **Automated Response:** Take automated actions in response to suspicious activities. Example: Send a Teams message to the user for confirmation if a suspicious action is detected. |
| 25 | + |
| 26 | +To understand more about potential playbook use cases, see [Recommended Microsoft Sentinel playbook use cases, templates, and examples | Microsoft Learn](/azure/sentinel/automation/playbook-recommendations). |
| 27 | + |
| 28 | +## Creating and publishing playbooks |
| 29 | + |
| 30 | +Microsoft Sentinel Playbooks are based on Microsoft Azure Logic Apps, a cloud platform that enables the creation and execution of automated workflows with minimal to no coding. Users can use the visual designer and select prebuilt operations to efficiently build workflows that integrate and manage their applications, data, services, and systems. For more information, see [Overview - Azure Logic Apps | Microsoft Learn](/azure/logic-apps/logic-apps-overview). Microsoft Azure Logic Apps includes numerous out-of-the-box connectors, such as Salesforce, Office 365, and SQL, which offer no-code options for various functions. For example, the Office 365 Outlook connector includes built-in actions for sending emails without needing any code. If specific actions required by a playbook aren't covered by the out-of-the-box connectors, creating a custom connector is necessary. |
| 31 | + |
| 32 | +### Scenario 1: Playbook using builtin connectors |
| 33 | + |
| 34 | +**Step 1: Create the Playbook** |
| 35 | +If your Playbook doesn't require any custom actions outside of the actions already provided by the built-in connectors, you can use the Azure Logic apps UI in Microsoft Sentinel to create the Playbook. No other code is required. For detailed instructions on how to create Playbooks from Azure portal, see [Create and manage Microsoft Sentinel playbooks | Microsoft Learn](/azure/sentinel/automation/create-playbooks?tabs=azure-portal%2Cconsumption). For detailed instructions on how to create Playbooks from Defender portal, see [Create and manage Microsoft Sentinel playbooks | Microsoft Learn](/azure/sentinel/automation/create-playbooks?tabs=defender-portal%2Cconsumption). |
| 36 | + |
| 37 | +**Step 2: Generate the ARM template for the Playbook** |
| 38 | +In the Code view tab of the Azure Logic Apps editor, you can access the JSON ARM template. Remove any organizational details like tenant ID and subscription info for privacy and security. Follow these steps to get a sanitized version of your playbook ARM template - |
| 39 | + |
| 40 | +1. Download the PowerShell script from https://aka.ms/Playbook-ARM-Template-Generator |
| 41 | +1. Extract the folder and open "Playbook_ARM_Template_Generator.ps1" in Visual Studio Code, Windows PowerShell, or PowerShell Core. |
| 42 | + |
| 43 | + > [!NOTE] |
| 44 | + > Run the script from your machine. Allow PowerShell script execution by running the command in PowerShell: Set-ExecutionPolicy -Scope Process -ExecutionPolicy Bypass |
| 45 | +
|
| 46 | +1. Enter your Azure Tenant ID when prompted. |
| 47 | +1. Authenticate with your credentials, then choose: |
| 48 | + 1. Subscription |
| 49 | + 1. Playbooks |
| 50 | +1. Select a location on your local drive to save the sanitized ARM Template as azuredeploy.json. The tool converts Microsoft Sentinel connections to Microsoft Software Installer (MSI) during export. For more information, see this demonstration video [Export your SOAR Playbooks with ease | Microsoft Sentinel in the Field #7 - YouTube](https://www.youtube.com/watch?v=scTtVHVzrQw) |
| 51 | +1. Update the metadata section of the azuredeploy.json file with your playbook's specific details |
| 52 | + |
| 53 | + :::image type="content" source="media/sentinel-playbook-creation/playbook-update-metadata.png" alt-text="Screenshot of playbook metadata that needs to be updated." lightbox="media/sentinel-playbook-creation/playbook-update-metadata.png" ::: |
| 54 | + |
| 55 | +5. It's recommended to use managed service identity rather than user-assigned identity for connecting Azure services (such as Microsoft Sentinel, Key Vault, and Storage Account) with playbooks. Update the authentication type under connectionProperties to "ManagedServiceIdentity". |
| 56 | + |
| 57 | + :::image type="content" source="media/sentinel-playbook-creation/sentinel-playbook-identity.png" alt-text="Screenshot of playbook identity updates." lightbox="media/sentinel-playbook-creation/sentinel-playbook-identity.png" ::: |
| 58 | + |
| 59 | +6. Update "Microsoft.Web/connections" resources |
| 60 | + |
| 61 | + :::image type="content" source="media/sentinel-playbook-creation/sentinel-playbook-web-connections.png" alt-text="Screenshot of playbook web connections metadata." lightbox="media/sentinel-playbook-creation/sentinel-playbook-web-connections.png" ::: |
| 62 | + |
| 63 | +For more information, see https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/ThreatXCloud/Playbooks/ThreatXPlaybooks/ThreatX-BlockIP-URL/azuredeploy.json |
| 64 | + |
| 65 | +### Scenario 2: Playbook using custom connectors |
| 66 | + |
| 67 | +Custom connectors in Logic Apps extend Azure Logic Apps by integrating with APIs or services not covered by built-in connectors. They're useful for connecting your Logic Apps to specific use cases such as |
| 68 | + |
| 69 | +- **Internal APIs** within your organization. |
| 70 | +- **Third-party services** not directly supported by Azure. |
| 71 | +- **Custom-built applications** with a REST or SOAP API. |
| 72 | + |
| 73 | +For more information, see [custom connectors](/connectors/custom-connectors) |
| 74 | + |
| 75 | +**Step 1: Create the Playbook** |
| 76 | +To create a custom connector, describe the API so the connector understands its operations and data structures. This example uses an OpenAPI definition for the Cognitive Services Text Analytics Sentiment API. For more details on creating custom connectors, visit [Create a custom connector from an OpenAPI definition | Microsoft Learn](/connectors/custom-connectors/define-openapi-definition) |
| 77 | + |
| 78 | +Once the custom connector is created, you can use it to build a Playbook using Azure logic apps. For step-by-step instructions on how to use custom connectors in a playbook, see [Use a custom connector in a logic app workflow | Microsoft Learn](/connectors/custom-connectors/use-custom-connector-logic-apps) |
| 79 | + |
| 80 | +**Step 2: Generate the ARM template for the Playbook** |
| 81 | +1. Navigate to Azure portal |
| 82 | +1. Search for **Logic Apps Custom Connector** |
| 83 | +1. Open the connector and then select on Export template under Automation link. |
| 84 | + |
| 85 | +:::image type="content" source="media/sentinel-playbook-creation/sentinel-playbook-export-template.png" alt-text="Screenshot to export template." Lightbox="media/sentinel-playbook-creation/sentinel-playbook-export-template.png" ::: |
| 86 | + |
| 87 | +4. Select "Copy template" and save contents in a JSON file on your local computer |
| 88 | +1. From the JSON created in step 4, remove the runtimeUrls, apiDefinitions, and wsdlDefinition fields |
| 89 | +1. Download the file containing swagger attributes. Select on the Overview link and then on the Download link. This downloads the swagger file |
| 90 | + |
| 91 | +:::image type="content" source="media/sentinel-playbook-creation/sentinel-playbook-download-swagger.png" alt-text="Screenshot to download swagger file." Lightbox="media/sentinel-playbook-creation/sentinel-playbook-download-swagger.png" ::: |
| 92 | + |
| 93 | + |
| 94 | +7. Updated the JSON file created in step 4 with the swagger and backendService values obtained from the swagger file created in step 6. |
| 95 | +1. Validate the host, basepath, and scheme parameters in the swagger file and update as needed. |
| 96 | + |
| 97 | +:::image type="content" source="media/sentinel-playbook-creation/sentinel-playbook-swagger-fields.png" alt-text="Screenshot showing swagger fields." Lightbox="media/sentinel-playbook-creation/sentinel-playbook-swagger-fields.png" ::: |
| 98 | + |
| 99 | +9. Finally, update the Parameter section of the ARM template files for the custom connector as shown. |
| 100 | + |
| 101 | +:::image type="content" source="media/sentinel-playbook-creation/playbook-update-parameters.png" alt-text="Screenshot showing update parameters." Lightbox="media/sentinel-playbook-creation/playbook-update-parameters.png" ::: |
| 102 | + |
| 103 | +Refer to the link for reference or comparison to determine which other fields need to be modified within the ARM template. |
| 104 | +[Azure-Sentinel/Solutions/Minemeld/Playbooks/CustomConnector/MinemeldCustomConnector/azuredeploy.json at master · Azure/Azure-Sentinel](https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Minemeld/Playbooks/CustomConnector/MinemeldCustomConnector/azuredeploy.json) |
| 105 | + |
| 106 | +### Directory structure for playbook and custom connector contributions |
| 107 | + |
| 108 | +Before making a pull request to the Microsoft Sentinel GitHub repo, follow the proper directory structure. The ARM template file must be named “azuredeploy.json.” Additionally, include a Readme.md file for all custom connectors and playbooks, detailing configuration steps during and after deployment. |
| 109 | + |
| 110 | +For Readme.md file guidelines, refer to the links - |
| 111 | +- [Custom connector Readme.md file guidelines](https://github.com/Azure/Azure-Sentinel/tree/master/Solutions/Minemeld/Playbooks/CustomConnector/MinemeldCustomConnector) |
| 112 | +- [Playbook Readme.md file guidelines](https://github.com/Azure/Azure-Sentinel/tree/master/Solutions/Minemeld/Playbooks/MinemeldPlaybooks/Minemeld-CreateIndicator) |
| 113 | + |
| 114 | +:::image type="content" source="media/sentinel-playbook-creation/playbook-folder-structure.png" alt-text="Screenshot of playbook folder structure in GitHub." Lightbox="media/sentinel-playbook-creation/playbook-folder-structure.png" ::: |
0 commit comments