6

Enriching Incidents Using Automation

In the previous chapter, we introduced Microsoft Sentinel automation and its main elements, permissions, and building blocks.

In this chapter, we will work through some hands-on examples. First, we will guide you through enabling Microsoft Sentinel so that you can perform these exercises on your own; then we will go through our two hands-on examples – the enrichment of incidents with IP and URL details.

This chapter will go through the following topics:

  • Why should you use automation for incident enrichment?
  • Creating your own Microsoft Sentinel trial
  • VirusTotal playbook – IP enrichment
  • VirusTotal playbook – URL enrichment

Why should you use automation for incident enrichment?

When a new incident/case is detected, ...
