Chapter 12: Creating Playbooks and Automation

In the previous chapters, you learned about the Security Information and Event Management (SIEM) side of Microsoft Sentinel. Now, it is time to learn about its Security Orchestration, Automation, and Response (SOAR) capabilities.

Microsoft Sentinel's SOAR features let you build automated or semi-automated responses to alerts and incidents. These workflows can perform tasks such as blocking an IP address at a firewall, disabling a suspicious user account, or something as simple as emailing the security team that a new high-severity alert was generated. When you combine the automation capabilities offered by Microsoft Sentinel ...

From Microsoft Sentinel in Action - Second Edition (O'Reilly learning platform).