learn-pr/wwl-sci/threat-response-sentinel-playbooks/includes/2-exercise-setup.md
3 additions & 3 deletions
@@ -24,7 +24,7 @@ To deploy the prerequisites for the exercise, perform the following tasks.
24
24
| Workspace name | Provide a unique name for the Microsoft Sentinel workspace such as `<yourName>-Sentinel`, where *\<yourName>* represents the workspace name that you chose in the previous task. |
25
25
| Location | Accept the default value of **[resourceGroup().location]**. |
26
26
| Simplevm Name | Accept the default value of **simple-vm**.|
27
-
| Simplevm Windows OS Version | Accept the default value of **2016-Datacenter**.|
27
+
| Simplevm Windows OS Version | Accept the default value of **2022-Datacenter**.|
28
28
29
29
:::image type="content" source="../media/02-custom-deployment.png" alt-text="Screenshot of the custom deployment inputs for a Microsoft template." border="true":::
30
30
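Review bot: the default image in the table is bumped from 2016-Datacenter to 2022-Datacenter (new line 27), but the screenshot referenced in the trailing context, `../media/02-custom-deployment.png`, is not touched in this commit; if it still shows the 2016 default, the text and the image will disagree. Also confirm that the ARM template's `Simplevm Windows OS Version` parameter default was changed to match, since the instruction only tells the learner to "Accept the default value", and a mismatch would make the step wrong.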
@@ -57,7 +57,7 @@ To deploy the prerequisites for the exercise, perform the following tasks.
57
57
|`vnet1`|Virtual network|Virtual network for the VM. |
58
58
59
59
> [!NOTE]
60
-
> The resources deployed and configuration steps completed in this exercise are required in the next exercise. If you intended completing the next exercise do not delete the resources from this exercise.
60
+
> The resources deployed and configuration steps completed in this exercise are required in the next exercise. If you intended to complete the next exercise, don't delete the resources from this exercise.
61
61
62
62
## Task 3: Configure Microsoft Sentinel Connectors
63
63
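Review bot: the rewritten note (new line 60) still reads "If you intended to complete the next exercise"; the past tense is odd for an instruction that applies at the moment the learner decides whether to delete resources. Suggest "If you intend to complete the next exercise, don't delete the resources from this exercise." The contraction ("don't") is consistent with the other hunks in this commit.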
@@ -87,7 +87,7 @@ To deploy the prerequisites for the exercise, perform the following tasks.
87
87
1. Select the **Review + Create** button to review the configuration, and then select **Create**.
88
88
89
89
> [!NOTE]
90
-
> The connector for Azure Activity uses policy assignments, you need to have role permissions that allow you to create policy assignments. And, it typically take 15 minutes to display a status of **Connected**. While the connector deploys, you can continue performing the rest of the steps in this unit and subsequent units in this module.
90
+
> The connector for Azure Activity uses policy assignments. You need to have role permissions that allow you to create policy assignments. And, it typically takes 15 minutes to display a status of **Connected**. While the connector deploys, you can continue performing the rest of the steps in this unit and subsequent units in this module.
91
91
92
92
:::image type="content" source="../media/06-azure-activity-content-hub-solution.png" alt-text="Screenshot that displays the Microsoft Sentinel Azure Activity Content Hub solution." border="true":::
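Review bot: splitting the run-on into two sentences (new line 90) is an improvement, but "And, it typically takes 15 minutes..." still opens a sentence with a conjunction; fold it into the previous sentence or drop "And,". The note also tells the learner they need "role permissions that allow you to create policy assignments" without naming a role; since they are then told to wait up to 15 minutes for **Connected**, a missing permission will be indistinguishable from a slow deployment. Naming the built-in role that grants policy assignment rights would let them verify before waiting.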
In addition to assessing and addressing problems with their security configuration, Contoso must also monitor for new problems and threats, and then respond appropriately.
3
3
4
-
5
-
6
4
## Microsoft Sentinel as a SIEM and SOAR solution
7
5
8
-
9
-
10
6
Microsoft Sentinel is both a Security Information and Event Management (SIEM) and Security Orchestration, Automation and Response (SOAR) solution that's designed for hybrid environments.
11
7
12
-
13
-
14
8
> [!NOTE]
15
9
> SIEM solutions provide storage and analysis of logs, events, and alerts that other systems generate. You can configure these solutions to raise their own alerts. SOAR solutions support the remediation of vulnerabilities and the overall automation of security processes.
16
10
17
-
18
-
19
11
Microsoft Sentinel uses built-in and custom detections to alert you to potential security threats such as attempts to access Contoso's resources from outside its infrastructure or when data from Contoso appears to be sent to a known malicious IP address. You can also create incidents based on these alerts.
20
12
21
-
22
-
23
13
## Microsoft Sentinel playbooks
24
14
25
-
26
-
27
15
You can create security playbooks in Microsoft Sentinel to respond to alerts. *Security playbooks* are collections of procedures based on Azure Logic Apps that run in response to an alert. You can run these security playbooks manually in response to your investigation of an incident or you can configure an alert to run a playbook automatically.
28
16
29
-
30
-
31
17
With the ability to respond to incidents automatically, you can automate some of your security operations and make your Security Operations Center (SOC) more productive.
32
18
33
-
34
-
35
-
For example, to address Contoso's concerns, you can develop a workflow with defined steps that can block a suspicious username from accessing resources from a non-secure IP address. Alternatively, you can configure the playbook to perform an operation such as notifying the SecOps team about a high-level security alert.
36
-
37
-
19
+
For example, to address Contoso's concerns, you can develop a workflow with defined steps that can block a suspicious username from accessing resources from a nonsecure IP address. Alternatively, you can configure the playbook to perform an operation such as notifying the SecOps team about a high-level security alert.
38
20
39
21
## Azure Logic Apps
40
22
41
-
42
-
43
23
Azure Logic Apps is a cloud service that automates the operation of your business processes. You use a graphical design tool called the *Logic Apps Designer* to arrange prebuilt components into the sequence you need. You can also use the code view and write your automated process in the JSON file.
44
24
45
-
46
-
47
25
## Logic Apps Connector
48
26
49
-
50
-
51
27
Logic apps use connectors to connect to hundreds of services. A *connector* is a component that provides an interface to an external service.
52
28
53
-
54
-
55
29
> [!NOTE]
56
-
> A Microsoft Sentinel data connector and a Logic Apps connector are not the same thing. A Microsoft Sentinel data connector connects Microsoft Sentinel with Microsoft security products and security ecosystems for non-Microsoft solutions. A Logic Apps connector is a component that provides an API connection for an external service and allows integration of events, data, and actions across other apps, services, systems, protocols, and platforms.
57
-
58
-
30
+
> A Microsoft Sentinel data connector and a Logic Apps connector aren't the same thing. A Microsoft Sentinel data connector connects Microsoft Sentinel with Microsoft security products and security ecosystems for non-Microsoft solutions. A Logic Apps connector is a component that provides an API connection for an external service and allows integration of events, data, and actions across other apps, services, systems, protocols, and platforms.
59
31
60
32
## What are triggers and actions
61
33
62
-
63
-
64
34
Azure Logic Apps use triggers and actions, which are defined as follows:
65
35
66
-
67
-
68
36
- A *trigger* is an event that occurs when a specific set of conditions is satisfied. Triggers activate automatically when conditions are met. For example, a security incident occurs in Microsoft Sentinel, which is a trigger for an automated action.
69
37
70
38
- An *action* is an operation that performs a task in the Logic Apps workflow. Actions run when a trigger activates, another action completes, or a condition is met.
71
39
72
-
73
-
74
40
## Microsoft Sentinel Logic Apps connector
75
41
76
-
77
-
78
42
A Microsoft Sentinel playbook uses a Microsoft Sentinel Logic Apps connector. It provides the triggers and actions that can start the playbook and perform defined actions.
79
43
80
44
Currently, there are two triggers from Microsoft Sentinel Logic Apps connector:
81
45
82
-
83
-
84
46
- When a response to a Microsoft Sentinel alert is triggered
85
47
86
48
- When Microsoft Sentinel incident creation rule is triggered
87
49
88
-
89
-
90
50
> [!NOTE]
91
51
> Because Microsoft Sentinel Logic App connector is in preview, the features described in this module might change in the future.
92
52
93
-
94
-
95
53
The following table lists all the current actions for the Microsoft Sentinel connector.
96
54
97
-
98
-
99
55
| Name | Description |
100
56
| --- | --- |
101
57
| Add comment to incident | Adds comments to the selected incident. |
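Review bot: this hunk mostly collapses doubled blank lines and fixes "non-secure" and "are not", which is fine, but two unchanged context lines deserve attention while the file is being touched. "Because Microsoft Sentinel Logic App connector is in preview, the features described in this module might change" and "Currently, there are two triggers from Microsoft Sentinel Logic Apps connector" are time-sensitive statements; verify they are still accurate before shipping a wording pass, and fix the missing article ("from the Microsoft Sentinel Logic Apps connector"). The "(V2)" note further down assumes the reader can map table entries to connector versions, so the trigger list should be checked against the current connector at the same time.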
@@ -112,11 +68,7 @@ The following table lists all the current actions for the Microsoft Sentinel con
112
68
| Entities - Get URLs | Returns a list of URLs associated with the alert. |
113
69
| Remove labels from incident | Removes the labels for the selected incident. |
114
70
115
-
116
-
117
71
> [!NOTE]
118
72
> Actions that have **(V2)** or a higher number provide a new version of the action and might differ from the old functionality of the action.
119
73
120
-
121
-
122
-
Some actions require integration with actions from another connectors. For example, if Contoso wants to identify all suspicious accounts returned in the alert from the defined entities, you must combine the **Entities - Get Accounts** action with the **For Each** action. Similarly, to get all individual hosts in an incident that detect suspicious hosts, you must combine the **Entities - Get Hosts** action with the **For Each** action.
74
+
Some actions require integration with actions from another connectors. For example, if Contoso wants to identify all suspicious accounts returned in the alert from the defined entities, you must combine the **Entities - Get Accounts** action with the **For Each** action. Similarly, to get all individual hosts in an incident that detect suspicious hosts, you must combine the **Entities - Get Hosts** action with the **For Each** action.
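Review bot: the re-emitted sentence at new line 74 is byte-identical to the removed line 122 (only the blank lines above it changed), so the grammar errors it carries survive: "actions from another connectors" should be "actions from other connectors", and "to get all individual hosts in an incident that detect suspicious hosts" is circular; suggest "to get each host entity in an incident". Since this commit is a wording cleanup, fix them here rather than in a follow-up.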