Microsoft Sentinel, in addition to being a Security Information and Event Management (SIEM) system, is also a platform for Security Orchestration, Automation, and Response (SOAR). One of its primary purposes is to automate any recurring and predictable enrichment, response, and remediation tasks that are the responsibility of your Security Operations Center and personnel (SOC/SecOps)
3
2
3
+
You're a Security Operations Analyst working at a company that implemented Microsoft Sentinel in Microsoft Azure. You're preparing to onboard Sentinel workspaces into Microsoft Defender, and you need to understand any differences with Automation rules and Playbooks. You identified an analytical rule that generates incidents that are considered Benign Positive. You would like to implement automation that would automatically close these incidents after generation.
4
4
5
-
You're a Security Operations Analyst working at a company that implemented Microsoft Sentinel. You've identified an analytical rule that generates incidents that are considered Benign Positive. You would like to automatically close these incidents after generation.
6
-
7
-
By the end of this module, you'll be able to use automation rules in Microsoft Sentinel to automated incident management.
5
+
By the end of this module, you are able to use automation rules in Microsoft Sentinel in Azure and the Defender portal to automated incident management.
8
6
9
7
After completing this module, you'll be able to:
10
8
11
9
- Explain automation options in Microsoft Sentinel
12
-
- Create automation rules in Microsoft Sentinel
10
+
- Create automation rules in Microsoft Sentinel in Azure and the Defender portal
11
+
- Create playbooks in Microsoft Sentinel in Azure and the Defender portal
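Review bot: the rewritten objective on the added line `By the end of this module, you are able to use automation rules in Microsoft Sentinel in Azure and the Defender portal to automated incident management.` carries the grammar error over from the line it replaces; `to automated` should read `to automate`, and `you are able` does not match the `you'll be able to` phrasing that the unchanged `After completing this module, you'll be able to:` line keeps a few lines later. In the new scenario line, `understand any differences with Automation rules and Playbooks` reads better as `understand any differences in automation rules and playbooks`, which also brings the capitalization in line with the lower-case `automation rules` and `playbooks` used in the added objective bullets.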
Automation takes a few different forms in Microsoft Sentinel. From automation rules that centrally manage the automation of incident handling and response, to playbooks that run predetermined sequences of actions to provide powerful and flexible advanced automation to your threat response tasks.
3
2
4
3
## Automation rules
5
-
Automation rules allow users to centrally manage the automation of incident handling. Automation rules also allow you to automate responses for multiple analytics rules at once. Automatically tag, assign, or close incidents without the need for playbooks, and control the order of actions that are executed. Automation rules will streamline automation use in Microsoft Sentinel and will enable you to simplify complex workflows for your incident orchestration processes.
6
4
5
+
Automation rules allow users to centrally manage the automation of incident handling. Automation rules also allow you to automate responses for multiple analytics rules at once. Automatically tag, assign, or close incidents without the need for playbooks, and control the order of actions that are executed. Automation rules will streamline automation use in Microsoft Sentinel and will enable you to simplify complex workflows for your incident orchestration processes.
7
6
8
7
## Playbooks
8
+
9
9
A playbook is a collection of response and remediation actions and logic that can be run from Microsoft Sentinel as a routine. A playbook can help automate and orchestrate your threat response. It can integrate with other systems both internal and external, and it can be set to run automatically in response to specific alerts or incidents, when triggered by an analytics rule or an automation rule, respectively. It can also be run manually on-demand, in response to alerts, from the incidents page.
10
10
11
11
Playbooks in Microsoft Sentinel are based on workflows built in Azure Logic Apps, a cloud service that helps you schedule, automate, and orchestrate tasks and workflows across systems throughout the enterprise. This means that playbooks can take advantage of all the power and customizability of Logic Apps' integration and orchestration capabilities and easy-to-use design tools, and the scalability, reliability, and service level of a Tier 1 Azure service.
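Review bot: the paragraph under `## Automation rules` that is removed at the `-` marker and re-added at the `+` marker is identical in the visible lines, so the only change in this region is blank-line placement (one moved from before the `## Automation rules` heading to after it, and one inserted after `## Playbooks`). If that is deliberate heading-spacing normalization it is fine, but the commit message should say so; otherwise the deleted-and-reinserted paragraph looks like an accidental cut and paste. While this file is open, the unchanged opener `From automation rules that centrally manage the automation of incident handling and response, to playbooks that run predetermined sequences of actions ...` is a sentence fragment with no main verb and could be folded into the preceding sentence.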
learn-pr/wwl-sci/automation-microsoft-sentinel/includes/3-create-automation-rules.md
6 additions & 7 deletions
@@ -1,7 +1,7 @@
1
1
Automation rules are a way to centrally manage the automation of incident handling, allowing you to perform simple automation tasks without using playbooks. For example, automation rules allow you to automatically assign incidents to the proper personnel, tag incidents to classify them, and change the status of incidents and close them. Automation rules can also automate responses for multiple analytics rules at once, control the order of actions that are executed, and run playbooks for those cases where more complex automation tasks are necessary. In short, automation rules streamline the use of automation in Microsoft Sentinel, enabling you to simplify complex workflows for your incident orchestration processes.
2
2
3
-
4
3
## Creating and managing automation rules
4
+
5
5
You can create and manage automation rules from different points in the Microsoft Sentinel experience, depending on your particular need and use case.
6
6
7
7
### Automation blade
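Review bot: this hunk is whitespace only; deleting one of the two blank lines before `## Creating and managing automation rules` and adding one after it leaves the heading with a single blank line on each side, which is the spacing markdown linters expect, so the change is correct. Because every hunk in this file is a heading-spacing or list-marker adjustment, a commit message stating that intent (rather than a bare `+6-7`) would let a reviewer confirm at a glance that no wording was meant to change.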
@@ -26,9 +26,8 @@ You can also create an automation rule from the Incidents blade, in order to res
26
26
27
27
You'll notice that the Create new automation rule panel has populated all the fields with values from the incident. It names the rule the same name as the incident, applies it to the analytics rule that generated the incident, and uses all the available entities in the incident as conditions of the rule. It also suggests a suppression (closing) action by default, and suggests an expiration date for the rule. You can add or remove conditions and actions, and change the expiration date, as you wish.
28
28
29
-
30
-
31
29
## Components of an Automation Rule
30
+
32
31
Automation rules are made up of several components:
33
32
34
33
-**Trigger:** Automation rules are triggered by the creation of an incident.
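Review bot: removing the two blank lines before `## Components of an Automation Rule` and adding one after it fixes the heading spacing, but the heading keeps title case while the other headings in this file (`## Creating and managing automation rules`, `### Automation blade`) use sentence case; suggest `## Components of an automation rule` in the same commit. The trailing context line `-**Trigger:**` has no space after the hyphen, so CommonMark does not treat it as a list item and it renders as a paragraph starting with a literal hyphen; since the list markers in this file are being edited anyway, it is worth adding the space here.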
@@ -41,15 +40,15 @@ Complex sets of conditions can be defined to govern when actions (see below) sho
41
40
-**Actions:**
42
41
Actions can be defined to run when the conditions (see above) are met. You can define many actions in a rule, and you can choose the order in which they’ll run (see below). The following actions can be defined using automation rules, without the need for the advanced functionality of a playbook:
43
42
44
-
- **Changing the status of an incident**, keeping your workflow up to date.
43
+
-**Changing the status of an incident**, keeping your workflow up to date.
45
44
46
45
When changing to “closed,” specifying the closing reason and adding a comment. This helps you keep track of your performance and effectiveness, and fine-tune to reduce false positives.
47
46
48
-
- **Changing the severity of an incident** – you can reevaluate and reprioritize based on the presence, absence, values, or attributes of entities involved in the incident.
47
+
-**Changing the severity of an incident** – you can reevaluate and reprioritize based on the presence, absence, values, or attributes of entities involved in the incident.
49
48
50
-
- **Assigning an incident to an owner** – this helps you direct types of incidents to the personnel best suited to deal with them, or to the most available personnel.
49
+
-**Assigning an incident to an owner** – this helps you direct types of incidents to the personnel best suited to deal with them, or to the most available personnel.
51
50
52
-
- **Adding a tag to an incident** – this is useful for classifying incidents by subject, by attacker, or by any other common denominator.
51
+
-**Adding a tag to an incident** – this is useful for classifying incidents by subject, by attacker, or by any other common denominator.
53
52
54
53
Also, you can define an action to **run a playbook**, in order to take more complex response actions, including any that involve external systems. Only playbooks activated by the incident trigger are available to be used in automation rules. You can define an action to include multiple playbooks, or combinations of playbooks and other actions, and the order in which they'll run.
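Review bot: in the visible lines, each of the four replaced bullets loses the space after the list marker (`- **Changing the status of an incident**, keeping your workflow up to date.` becomes `-**Changing the status of an incident**, keeping your workflow up to date.`); CommonMark requires whitespace after `-` for a list item, so the new lines render as plain paragraphs beginning with a literal hyphen, and the follow-up paragraph `When changing to “closed,” specifying the closing reason and adding a comment.` no longer reads as part of the status bullet. If the aim was consistency with the unchanged `-**Trigger:**` and `-**Actions:**` lines, the better fix is to add the space to those two and keep it on these four, so that the whole components list renders as one list. The blank lines swapped around each bullet are fine, but with a nested explanatory paragraph under the status item, that paragraph should be indented to stay inside the list item.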