Merge pull request #218384 from yelevin/yelevin/incident-tasks

Incident tasks

Author: v-ccolin

articles/sentinel/TOC.yml

@@ -141,6 +141,8 @@
       href: notebooks.md
   - name: Investigate incidents
     items:
+    - name: Use tasks to manage incident workflow
+      href: incident-tasks.md
     - name: Investigate large datasets
       href: investigate-large-datasets.md
     - name: Investigate entities with entity pages
@@ -378,6 +380,8 @@
       href: livestream.md
   - name: Investigate incidents
     items:
+    - name: Use tasks to handle incident workflow
+      href: work-with-tasks.md
     - name: Investigate incidents
       href: investigate-cases.md
     - name: Relate alerts to incidents
@@ -408,6 +412,10 @@
       href: migrate-playbooks-to-automation-rules.md
     - name: Customize playbooks from templates
       href: use-playbook-templates.md
+    - name: Create incident tasks using automation rules
+      href: create-tasks-automation-rule.md
+    - name: Create and perform advanced incident tasks using playbooks
+      href: create-tasks-playbook.md
   - name: Manage Microsoft Sentinel
     items:
     - name: Microsoft Sentinel for MSSPs

articles/sentinel/add-advanced-conditions-to-automation-rules.md

@@ -107,15 +107,15 @@ Now we decide we're going to be a little more picky. We want to add more conditi
 
     :::image type="content" source="media/add-advanced-conditions-to-automation-rules/add-a-compound-condition.png" alt-text="Screenshot of adding a compound condition to an automation rule.":::
 
-    You'll see a new row added where the **+ Add** link was, separated by an `AND` operator. 
+    You'll see a new row added under the existing condition (in the same blue-shaded area), linked to it by an `AND` operator. 
 
     :::image type="content" source="media/add-advanced-conditions-to-automation-rules/empty-new-condition.png" alt-text="Screenshot of empty new condition row in automation rules.":::
 
 1. Fill in the parameters and values of this condition the same way you did the others.
 
     :::image type="content" source="media/add-advanced-conditions-to-automation-rules/fill-in-new-condition.png" alt-text="Screenshot of new condition fields to fill in to add to automation rules.":::
 
-1. Repeat the previous two steps to add an AND condition to the other side of the OR condition group.
+1. Repeat the previous two steps to add an AND condition to either side of the OR condition group.
 
     :::image type="content" source="media/add-advanced-conditions-to-automation-rules/add-compound-conditions.png" alt-text="Screenshot of adding multiple compound conditions to an automation rule.":::
 

articles/sentinel/automate-incident-handling-with-automation-rules.md

@@ -19,6 +19,7 @@ Automation rules are a way to centrally manage automation in Microsoft Sentinel,
 Automation rules apply to the following categories of use cases:
 
 - Perform basic automation tasks for incident handling without using playbooks. For example:
+    - [Add incident tasks](incident-tasks.md) (in Preview) for analysts to follow.
     - Suppress noisy incidents.
     - Triage new incidents by changing their status from New to Active and assigning an owner.
     - Tag incidents to classify them.
@@ -136,6 +137,8 @@ Currently the only condition that can be configured for the alert creation trigg
 
 Actions can be defined to run when the conditions (see above) are met. You can define many actions in a rule, and you can choose the order in which they’ll run (see below). The following actions can be defined using automation rules, without the need for the [advanced functionality of a playbook](automate-responses-with-playbooks.md):
 
+- Adding a task to an incident - you can create a [checklist of tasks for analysts to follow](incident-tasks.md) throughout the processes of triage, investigation, and remediation of the incident, to ensure that no critical steps are missed.
+
 - Changing the status of an incident, keeping your workflow up to date.
 
   - When changing to “closed,” specifying the [closing reason](investigate-cases.md#closing-an-incident) and adding a comment. This helps you keep track of your performance and effectiveness, and fine-tune to reduce [false positives](false-positives.md).
@@ -160,10 +163,16 @@ You can define the order in which automation rules will run. Later automation ru
 
 For example, if "First Automation Rule" changed an incident's severity from Medium to Low, and "Second Automation Rule" is defined to run only on incidents with Medium or higher severity, it won't run on that incident.
 
+The order of automation rules that add [incident tasks](incident-tasks.md) determines the order in which the tasks will appear in a given incident.
+
 Rules based on the update trigger have their own separate order queue. If such rules are triggered to run on a just-created incident (by a change made by another automation rule), they will run only after all the applicable rules based on the create trigger have run.
 
 ## Common use cases and scenarios
 
+### Incident tasks
+
+Automation rules allow you to standardize and formalize the steps required for the triaging, investigation, and remediation of incidents, by [creating tasks](incident-tasks.md) that can be applied to a single incident, across groups of incidents, or to all incidents, according to the conditions you set in the automation rule and the threat detection logic in the underlying analytics rules. Tasks applied to an incident appear in the incident's page, so your analysts have the entire list of actions they need to take, right in front of them, and won't miss any critical steps.
+
 ### Incident- and alert-triggered automation
 
 Automation rules can be triggered by the creation or updating of incidents and also (in Preview) by the creation of alerts. These occurrences can all trigger automated response chains, which can include playbooks ([special permissions are required](#permissions-for-automation-rules-to-run-playbooks)). 
@@ -294,5 +303,6 @@ You can [create and manage automation rules](create-manage-use-automation-rules.
 In this document, you learned about how automation rules can help you to centrally manage response automation for Microsoft Sentinel incidents and alerts.
 
 - [Create and use Microsoft Sentinel automation rules to manage incidents](create-manage-use-automation-rules.md).
+- [Use automation rules to create lists of tasks for analysts](create-tasks-automation-rule.md).
 - To learn more about advanced automation options, see [Automate threat response with playbooks in Microsoft Sentinel](automate-responses-with-playbooks.md).
 - For help in implementing playbooks, see [Tutorial: Use playbooks to automate threat responses in Microsoft Sentinel](tutorial-respond-threats-playbook.md).

articles/sentinel/automate-responses-with-playbooks.md

@@ -331,3 +331,4 @@ The following recommended playbooks, and other similar playbooks are available t
 ## Next steps
 
 - [Tutorial: Use playbooks to automate threat responses in Microsoft Sentinel](tutorial-respond-threats-playbook.md)
+- [Create and perform incident tasks in Microsoft Sentinel using playbooks](create-tasks-playbook.md)

articles/sentinel/automation.md

@@ -26,7 +26,7 @@ Microsoft Sentinel, in addition to being a Security Information and Event Manage
 
 ## Automation rules
 
-Automation rules (now generally available!) allow users to centrally manage the automation of incident handling. Besides letting you assign playbooks to incidents (not just to alerts as before), automation rules also allow you to automate responses for multiple analytics rules at once, automatically tag, assign, or close incidents without the need for playbooks, and control the order of actions that are executed. Automation rules also allow you to apply automations when an incident is **updated** (now in **Preview**), as well as when it's created. This new capability will further streamline automation use in Microsoft Sentinel and will enable you to simplify complex workflows for your incident orchestration processes.
+Automation rules allow users to centrally manage the automation of incident handling. Besides letting you assign playbooks to incidents and alerts, automation rules also allow you to automate responses for multiple analytics rules at once, automatically tag, assign, or close incidents without the need for playbooks, create lists of tasks for your analysts to perform when triaging, investigating, and remediating incidents, and control the order of actions that are executed. Automation rules also allow you to apply automations when an incident is **updated** (now in **Preview**), as well as when it's created. This new capability will further streamline automation use in Microsoft Sentinel and will enable you to simplify complex workflows for your incident orchestration processes.
 
 Learn more with this [complete explanation of automation rules](automate-incident-handling-with-automation-rules.md).
 
@@ -45,4 +45,4 @@ In this document, you learned how Microsoft Sentinel uses automation to help you
 - To learn about automation of incident handling, see [Automate incident handling in Microsoft Sentinel](automate-incident-handling-with-automation-rules.md).
 - To learn more about advanced automation options, see [Automate threat response with playbooks in Microsoft Sentinel](automate-responses-with-playbooks.md).
 - To get started creating automation rules, see [Create and use Microsoft Sentinel automation rules to manage incidents](create-manage-use-automation-rules.md)
-- For help in implementing advanced automation with playbooks, see [Tutorial: Use playbooks to automate threat responses in Microsoft Sentinel](tutorial-respond-threats-playbook.md).
+- For help with implementing advanced automation with playbooks, see [Tutorial: Use playbooks to automate threat responses in Microsoft Sentinel](tutorial-respond-threats-playbook.md).

articles/sentinel/create-manage-use-automation-rules.md

@@ -27,6 +27,7 @@ The first step in designing and defining your automation rule is figuring out wh
 
 You also want to determine your use case. What are you trying to accomplish with this automation? Consider the following options:
 
+- (**Preview**) Create tasks for your analysts to follow in triaging, investigating, and remediating incidents.
 - Suppress noisy incidents (see [this article on handling false positives](false-positives.md#add-exceptions-by-using-automation-rules) instead)
 - Triage new incidents by changing their status from New to Active and assigning an owner.
 - Tag incidents to classify them.
@@ -37,7 +38,7 @@ You also want to determine your use case. What are you trying to accomplish with
 
 ### Determine the trigger
 
-Do you want this automation to be activated when new incidents (or alerts, in preview) are created? Or any time an incident gets updated?
+Do you want this automation to be activated when new incidents (or alerts, in preview) are created? Or anytime an incident gets updated?
 
 Automation rules are triggered **when an incident is created or updated** (the update trigger is now in **Preview**) or **when an alert is created** (also in **Preview**). Recall that incidents include alerts, and that both alerts and incidents are created by analytics rules, of which there are several types, as explained in [Detect threats with built-in analytics rules in Microsoft Sentinel](detect-threats-built-in.md).
 
@@ -208,5 +209,6 @@ In this document, you learned how to use automation rules to centrally manage re
 - To learn how to add advanced conditions with `OR` operators to automation rules, see [Add advanced conditions to Microsoft Sentinel automation rules](add-advanced-conditions-to-automation-rules.md).
 - To learn more about automation rules, see [Automate incident handling in Microsoft Sentinel with automation rules](automate-incident-handling-with-automation-rules.md)
 - To learn more about advanced automation options, see [Automate threat response with playbooks in Microsoft Sentinel](automate-responses-with-playbooks.md).
+- To learn how to use automation rules to add tasks to incidents, see [Create incident tasks in Microsoft Sentinel using automation rules](create-tasks-automation-rule.md).
 - To migrate alert-trigger playbooks to be invoked by automation rules, see [Migrate your Microsoft Sentinel alert-trigger playbooks to automation rules](migrate-playbooks-to-automation-rules.md)
-- For help in implementing automation rules and playbooks, see [Tutorial: Use playbooks to automate threat responses in Microsoft Sentinel](tutorial-respond-threats-playbook.md).
+- For help with implementing automation rules and playbooks, see [Tutorial: Use playbooks to automate threat responses in Microsoft Sentinel](tutorial-respond-threats-playbook.md).

articles/sentinel/create-tasks-automation-rule.md

@@ -0,0 +1,116 @@
+---
+title: Create incident tasks in Microsoft Sentinel using automation rules
+description: This article explains how to use automation rules to create lists of incident tasks, in order to standardize analyst workflow processes in Microsoft Sentinel.
+author: yelevin
+ms.author: yelevin
+ms.topic: how-to
+ms.date: 11/24/2022
+---
+
+# Create incident tasks in Microsoft Sentinel using automation rules
+
+This article explains how to use automation rules to create lists of incident tasks, in order to standardize analyst workflow processes in Microsoft Sentinel.
+
+[Incident tasks](incident-tasks.md) can be created automatically not only by automation rules, but also by playbooks, and also manually, ad-hoc, from within an incident.
+
+> [!IMPORTANT]
+>
+> The **Incident tasks** feature is currently in **PREVIEW**. See the [Supplemental Terms of Use for Microsoft Azure Previews](https://azure.microsoft.com/support/legal/preview-supplemental-terms/) for additional legal terms that apply to Azure features that are in beta, preview, or otherwise not yet released into general availability.
+
+## Use cases for different roles
+
+This article addresses the following scenarios that apply to SOC managers, senior analysts, and automation engineers:
+
+- [View automation rules with incident task actions](#view-automation-rules-with-incident-task-actions)
+- [Add tasks to incidents with automation rules](#add-tasks-to-incidents-with-automation-rules)
+
+Another such scenario is addressed in the following companion article:
+
+- [Add tasks to incidents with playbooks](create-tasks-playbook.md)
+
+Another article, at the following links, addresses scenarios that apply more to SOC analysts:
+
+- [View and follow incident tasks](work-with-tasks.md#view-and-follow-incident-tasks)
+- [Manually add an ad-hoc task to an incident](work-with-tasks.md#manually-add-an-ad-hoc-task-to-an-incident)
+
+## Prerequisites
+
+The **Microsoft Sentinel Responder** role is required to create automation rules and to view and edit incidents, both of which are necessary to add, view, and edit tasks.
+
+
+## View automation rules with incident task actions
+
+In the **Automation** page, you can filter the view of automation rules to see only the ones that have **Add task** actions defined.
+
+:::image type="content" source="media/create-tasks-automation-rule/filter-grid-on-actions.png" alt-text="Screenshot showing how to filter automation rules grid.":::
+
+1. Select the **Actions** filter.
+
+1. Unmark the **Select all** checkbox.
+
+1. Scroll down and mark the **Add task (Preview)** checkbox.
+
+1. Select **OK** and see the results.
+
+    :::image type="content" source="media/create-tasks-automation-rule/filtered-grid-on-actions.png" alt-text="Screenshot showing the results of the filter on the automation rules grid.":::
+
+    These are the automation rules that add tasks to incidents. The **Analytics rule names** column tells you which analytics rules these automation rules are conditioned on, so you'll have a general idea of which incidents are affected.
+
+    > [!NOTE]
+    > To have exact knowledge of whether an automation rule will apply to a particular incident, you must open the rule to see if any additional conditions are defined, besides the analytics rule condition. If other conditions are defined, the scope of the affected incidents will be accordingly narrowed.
+
+## Add tasks to incidents with automation rules
+
+1. In the **Automation** page, select **+ Create** and select **Automation rule**.
+
+1. The **Create new automation rule** panel will open on the right side.  
+Give your automation rule a name that describes what it does.
+
+1. Select **When incident is created** as the trigger (you can also use **When incident is updated**).
+
+1. Add **Conditions** to determine to which incidents new tasks will be added.
+
+    For example, filter by **Analytics rule name**:
+
+    - You may want to add tasks to incidents based on the types of threats detected by an analytics rule or a group of analytics rules, that need to be handled according to a certain workflow. Search for and select the relevant analytics rules from the drop-down list.
+
+    - Or, you may want to add tasks that are relevant for incidents across all types of threats (in this case, leave the default selection of **All** as is).
+
+    In either case, you can add more conditions to narrow the scope of incidents to which your automation rule will apply. Learn more about [adding advanced conditions to automation rules](add-advanced-conditions-to-automation-rules.md).
+
+    One thing you'll need to consider is that the order in which tasks appear in your incident is determined by the tasks' creation time. You can set the order of automation rules so that rules that add tasks required for all incidents will run first, and only afterwards any rules that add tasks required for incidents generated by specific analytics rules.
+
+    :::image type="content" source="media/create-tasks-automation-rule/create-new-automation-rule.png" alt-text="Screenshot of first part of automation rule wizard.":::
+
+1. Under **Actions**, select **Add task (preview)**.
+
+    :::image type="content" source="media/create-tasks-automation-rule/add-task-action.png" alt-text="Screenshot of choosing the Add Task action in an automation rule.":::
+
+1. For each task, enter a title in the **Task title** field, and then (optionally) select **+ Add description** to open a description field.  
+    Only task titles appear by default in the incident's task list panel. A task's description appears only when the task item is expanded.
+
+    :::image type="content" source="media/create-tasks-automation-rule/add-title-description.png" alt-text="Screenshot showing how to add a title and a description to a task.":::
+
+1. In the description field you can add a free-form description for the task, including images, links and rich-text formatting (see the hyperlinks, numbered lists, and code-block-formatted text in the examples below).
+
+    :::image type="content" source="media/create-tasks-automation-rule/add-task-description.png" alt-text="Screenshot showing how to add a description to a task.":::
+
+1. Add more tasks to the same group of incidents by selecting **+ Add action** and repeating the last three steps.
+
+    Tasks will be created and added to the incident according to the order of the **Add task** actions in your automation rule.
+
+    :::image type="content" source="media/create-tasks-automation-rule/create-more-tasks.png" alt-text="Screenshot showing how to add more tasks to an automation rule.":::
+
+1. Finish creating the automation rule by completing the remaining steps, **Rule expiration** and **Order**, and selecting **Apply** at the end. See [Create and use Microsoft Sentinel automation rules to manage response](create-manage-use-automation-rules.md) for full details.
+
+    Regarding the **Order** setting: The order in which tasks appear in your incidents depends on two things:
+    1. The order of execution of the automation rules, as determined by the number in the **Order** setting, and...
+    1. The order of the **Add task** actions defined within each automation rule.
+
+## Next steps
+
+- Learn more about [incident tasks](incident-tasks.md).
+- Learn how to [investigate incidents](investigate-cases.md).
+- Learn how to add tasks to groups of incidents automatically using [playbooks](create-tasks-playbook.md).
+- Learn how to [use tasks to handle incident workflow in Microsoft Sentinel](work-with-tasks.md).
+- Learn more about [automation rules](automate-incident-handling-with-automation-rules.md) and how to [create them](./create-manage-use-automation-rules.md).