8

Responding to Incidents Using Automation

In the previous chapter, we focused on incident management using automation.

The first hands-on example was to auto-close an incident with no analyst interaction. We utilized the watchlist feature in Microsoft Sentinel, where we stored our allowed IP addresses and compared them with the IPs involved in the incident. Based on the result, we either auto-closed the incident or left a comment stating that the IP was not on the watchlist.

The second example expanded on the first. As incidents can contain more than one IP, we utilized an approval email action to ask analysts whether the incident should be auto-closed or whether further investigation was needed.
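The decision logic behind those two playbooks, written out as an added example rather than code from the book: the watchlist rows, the incident IP entities and the decision strings below are constructed here, and the functions stand in for the Logic App actions (Watchlists - Get watchlist items, Condition, Update incident, Add comment to incident, and the approval email) instead of calling Microsoft Sentinel. It goes slightly beyond the chapter in two assumed ways: watchlist entries may be CIDR ranges as well as single addresses, and an entity that does not parse as an IP is treated as not allowed rather than ignored, so a malformed value can never cause an auto-close. The rule that approval is requested only when an incident has several IPs and at least one is unlisted is also an assumption about how the second playbook branches.

```python
"""Watchlist-based auto-close decision, modelled on the Sentinel playbooks
described above. Added example: not the book's code, and it does not talk
to Sentinel. All data below is constructed for illustration."""
import ipaddress
from dataclasses import dataclass, field

# Constructed stand-in for the "AllowedIPs" watchlist. SearchKey is the
# column Sentinel indexes; CIDR support is an assumption beyond the book.
ALLOWED_IPS_WATCHLIST = [
    {"SearchKey": "203.0.113.10", "Owner": "scanner-01"},
    {"SearchKey": "198.51.100.0/24", "Owner": "vuln-scanners"},
    {"SearchKey": "garbage-row", "Owner": "typo"},  # must not allow anything
]


@dataclass
class Decision:
    action: str                         # "close", "comment" or "approval"
    comment: str                        # text the playbook would attach
    unlisted: list = field(default_factory=list)


def load_allowed_networks(watchlist):
    """Parse watchlist rows into networks; malformed rows are skipped."""
    nets = []
    for row in watchlist:
        try:
            nets.append(ipaddress.ip_network(row["SearchKey"], strict=False))
        except ValueError:
            continue
    return nets


def is_allowed(ip, networks):
    """True only if the entity parses as an IP and sits in an allowed network."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return any(addr in net for net in networks)


def decide(incident_ips, watchlist):
    """Map the incident's IP entities to the action the playbook would take."""
    networks = load_allowed_networks(watchlist)
    ips = sorted({ip.strip() for ip in incident_ips if ip and ip.strip()})
    if not ips:
        return Decision("comment", "No IP entities on incident; left open for an analyst.")
    unlisted = [ip for ip in ips if not is_allowed(ip, networks)]
    if not unlisted:
        return Decision("close", f"Auto-closed: {', '.join(ips)} on AllowedIPs watchlist.")
    if len(ips) > 1:
        # Second playbook: mixed result on a multi-IP incident goes to an analyst.
        return Decision("approval", f"Approval requested; not on watchlist: {', '.join(unlisted)}.", unlisted)
    # First playbook: single IP, not allowed, so comment and leave open.
    return Decision("comment", f"IP {unlisted[0]} is not on the AllowedIPs watchlist.", unlisted)


def resolve_approval(decision, approved):
    """Apply the analyst's answer to the approval email."""
    if decision.action != "approval":
        return decision
    if approved:
        return Decision("close", "Closed after analyst approval.", decision.unlisted)
    return Decision("comment", f"Analyst requested investigation of {', '.join(decision.unlisted)}.", decision.unlisted)


if __name__ == "__main__":
    for ips in (["203.0.113.10"], ["192.0.2.7"], ["203.0.113.10", "192.0.2.7"]):
        d = decide(ips, ALLOWED_IPS_WATCHLIST)
        print(ips, "->", d.action, "|", d.comment)
```

The fail-closed choices (skip unparsable watchlist rows, refuse to match unparsable entities) matter because a playbook that auto-closes incidents is itself an attack surface: a watchlist row that parses too permissively, or an entity comparison done on raw strings, is enough to turn a suppression rule into a blind spot.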

The final example used the automation rule to auto-close ...

Get Security Orchestration, Automation, and Response for Security Analysts now with the O’Reilly learning platform.
