In the previous chapters, you learned about the Security Information and Event Management (SIEM) side of Azure Sentinel. Now it is time to learn about the Security Orchestration, Automation, and Response (SOAR) capabilities.
Azure Sentinel’s SOAR features allow for automated, or semi-automated, responses to the creation of alerts. This allows you to develop workflows that can perform tasks such as blocking an IP address from getting through a firewall, blocking a suspicious username, or something simple such as sending an email to the security team letting them know a new high-severity alert was generated. When you combine the automation capabilities offered by Azure Sentinel with the protection capabilities of the many other security products you deploy, the sky is the limit!
In this chapter, you will learn about Azure Sentinel playbooks, including how to write and edit them, configuring their workflow, and managing them. At the end of the chapter, we will walk through the process of creating a simple playbook. By the end of the chapter, you should feel comfortable getting started writing your own playbooks.
We will cover the following topics in this chapter:
Azure Sentinel uses Azure Logic Apps for its workflow automation. In fact, an Azure Sentinel playbook is a logic app that uses the Azure Sentinel connector to trigger the workflow. As we go through this chapter, many of the screens we will be looking at are logic app pages, which reinforces this concept. The full extent of how to use logic apps is beyond this book, so we will just cover the Azure Sentinel connector, which contains a logic app trigger and actions.
Note
For this chapter, the terms playbook and logic app will be used interchangeably. For more information on Azure Logic Apps, go to https://azure.microsoft.com/en-us/services/logic-apps/.
Logic apps use connectors (not to be confused with Azure Sentinel data connectors) and actions to perform a workflow’s activities. A logic app connector provides access to events and data. Actions will perform a specific task, such as sending an email, posting a message on Microsoft Teams, extracting JavaScript Object Notation (JSON) objects, and so much more.
By using Azure Logic Apps as the backend technology, Azure Sentinel playbooks already have a rich ecosystem of connectors and actions that they can call upon to perform their activities. Now, let’s look at the pricing considerations when using playbooks.
As mentioned in Chapter 1, Getting Started with Azure Sentinel, running an Azure Sentinel playbook is not included in the ingestion costs of Azure Sentinel or Log Analytics. It has its own separate charges that, though they may be considered small, can add up quickly.
For example, in the East US region, each logic app action that is run (and this includes things such as looking up information, extracting JSON, and sending emails) will cost $0.000025 each time it is used. There is also an additional $0.000125 for each standard connector. Granted, this seems pretty small, but if you write a logic app that has 100 actions with 1 connector that gets run each second of every day for a month, that one logic app would cost $3,564 each month!
Note
For more on Azure Logic Apps pricing, go to https://azure.microsoft.com/en-us/pricing/details/logic-apps/.
Now, this is a pretty extreme example, but it serves to remind you that when designing playbooks, you need to keep them as simple as needed and you should not do a lot of extraneous work. Next, we will discuss the Azure Sentinel connector, which you will need to use in all Azure Sentinel playbooks.
While there are many logic app connectors, and more are being added all the time, the one we are concerned with is the Azure Sentinel connector. It provides us with the trigger that can kick off our playbook. It also contains various actions that can perform tasks such as obtaining information about a specific incident, getting information about the entities associated with an alert, updating an incident, and more.
Note
It should be noted that at the time this chapter was written, all the features of the Azure Sentinel connector were in preview, so they could have changed from what is shown and discussed here.
The connector currently has one trigger called When a response to an Azure Sentinel alert is triggered. This means that the trigger will fire whenever an alert is triggered. It is worth noting that while the trigger returns a lot of information, it does not return the actual incident that gets created, if one gets created at all. In order to get the incident information, you need to use one of the actions to obtain the details.
The following table lists all the current actions for the Azure Sentinel connector:
Note
Some actions may have (V2) or a higher number after the title. Those are newer versions of the action and may break old functionality, so you want to check periodically to make sure there is not a new version of an action you are using.
As stated before, all Azure Sentinel playbooks will need to use this Azure Sentinel connector for the logic app to be considered a playbook. It also provides a lot of actions that you can use to get more information about, and update information in, incidents. You will be using this connector a lot and you should familiarize yourself with its actions. Next, we will start the journey of creating your own playbooks by looking at the Playbooks page.
To access the list of playbooks, from the Azure Sentinel page select Playbooks in the navigation pane. This will take you to the Azure Sentinel Playbooks page.
This page will actually list all the logic apps in the subscription(s) you have selected to show in the Azure portal. You will need to look at the Trigger kind column at the far right to see whether the logic app can be used as a playbook. If it states Azure Sentinel, you can use this logic app as a playbook:
Tip
You can also access your playbooks by going to the logic app screen. However, it will not present the same amount of information as shown in the preceding screenshot.
If you have used logic apps before, you will notice that this page is similar, but not identical, to the Azure Logic Apps page. There are some differences that make it a bit easier to use. Let’s take a look at the different fields of this page.
The header bar, shown in the following figure, contains the following buttons:
Let’s discuss each field in detail:
The header bar will be used to create new playbooks, as well as change the time frame that you are looking at, and give you more documentation on how to work with logic apps.
Under the header is the status bar:
All the information presented here, other than the number of security playbooks, will use the time dropdown to determine how far back in time to show the results:
Let’s look at the logic app listing.
Under the summary bar is the listing of all the logic apps, as shown in the following figure. For each logic app listed, there is a selection checkbox, followed by Name, Status (Enabled or Disabled), the number of total runs (which is the sum of the Running, Succeeded, and Failed columns), how many instances of the logic app are running, how many times the logic app succeeded, how many times it failed, which subscription it belongs to, which location the logic app resides in, and the trigger kind, of which we only care about Azure Sentinel.
As with the status bar, the numbers shown in the Runs, Running, Succeeded, and Failed columns are based on the time selected in the time dropdown, as shown in the following figure:
That is the makeup of the playbook overview page. Next, we will look at a specific playbook using the logic app settings page.
You’ve just seen the overview section. What if you want to look at a specific item? We’ll discuss that now.
Clicking on the name of the logic app, shown in figure 11.4, will bring you into the logic app settings page. This is where you can create, edit, or delete an individual logic app, and see more information regarding your logic app, as well as see the history of your logic app’s runs, as shown in the following screenshot:
Each section will be discussed in more detail in the following sections.
This is where you perform more actions against this logic app. We will not discuss all the options available in the left-hand navigation menu as they are out of the scope of this book; however, we encourage you to take some time to study the full capabilities of logic apps.
The header bar contains the following buttons, which allow you to quickly manage the logic app:
Each field is as follows:
Let’s take a look at the next field.
This section shows the most essential information for the logic app. Most of the fields are shown with all other types of Azure resources and are self-explanatory, so they will not be covered, with two exceptions:
Each field is as follows:
Tip
For more information on using Integration Account with logic apps, go to https://docs.microsoft.com/en-us/azure/logic-apps/logic-apps-enterprise-integration-create-integration-account.
This section, as follows, displays information that is specific to logic apps. The fields are broken down into two sections: Trigger and Actions:
Each field is as follows:
Let’s take a look at the next one.
This section will provide you with information on all the times this logic app has run:
Each field is as follows:
The main items on this page that we will focus on are the Edit button in the header, so that we can make changes to our playbook, and Runs history at the bottom of the page, which lets us know which instance of the logic app succeeded or failed, and if it failed, why.
Tip
For more information on debugging logic apps, go to https://docs.microsoft.com/en-us/azure/logic-apps/logic-apps-diagnosing-failures.
Now that you know how to look at existing playbooks, how do you go about adding one? This next section will cover adding a new playbook.
You are going to want to create your own playbooks, so now it is time to investigate how to do that.
In the Azure Sentinel playbooks page (see figure 11.1), click on the Add Playbook link in the header. This will open a new tab in your browser that will open the Logic App screen, as shown in the following figure:
Let’s discuss the different fields:
Once all your information is filled in, click the Review + create button. This will validate that the information you entered is correct and, if it is, it will allow you to create the logic app. If not, it will inform you of what is wrong and allow you to go back to the main page to fix the issues.
It may take a little while for your logic app to get created. You will be taken back to the main playbook page while this happens.
That is how you create the basis for your playbook. As it stands right now, it does nothing as there is no workflow steps in it. Next, we will explore how to add the workflow components to make your playbook useful.
Once the playbook has been created, you will be taken to the Logic Apps Designer page. There are actually two different views for this page.
The first view, shown in the following figure, will be shown if your workflow is empty. It provides a quick introduction video, some common triggers, and predefined templates that can be used to help you get started building your workflow. Note that the view shown in the following figure will only show up the first time you edit the workflow for a specific logic app. After that, if there is no workflow, you will be shown a listing of templates and the Blank Logic App button, which will allow you to create an empty workflow that you can add into:
Note
At the time of writing, there are no Azure Sentinel playbook templates on this page, but, hopefully, there will be soon.
Scroll down the page and then click on the Blank Logic App button to start building your playbook.
Once you click on the button, the second view will be shown, which will look similar to what is shown in the following figure. Depending on what connectors and actions you have used recently, the listing under Recent in the workflow editor section will be different, or it could be empty:
Each section of this page is described in more detail in the next section.
The header bar, shown in the following screenshot, contains all the buttons to work with this workflow. Here, you can save or discard your changes, switch between the GUI and the code views, add parameters, and more:
The details of each button are as follows:
Go to https://docs.microsoft.com/en-us/azure/logic-apps/logic-apps-azure-resource-manager-templates-overview to get more information on using parameters in logic app deployments.
Go to https://docs.microsoft.com/en-us/connectors/ to see all the available connectors under the Connector Reference section.
Let’s discuss the workflow editor section.
The Logic App Designer page’s workflow editor section, shown in the following figure, is where you will do most of the work creating your workflow. It is where you will build your workflow:
This is where you will select the trigger that you want to use and then add the various actions that you need to use.
Now you know how to create an Azure Sentinel playbook. While the process itself is fairly simple, the workflows you can create can be as complex as you want. In the next section, we will take all that we have learned in this chapter and create a simple playbook.
This example will take you step by step through the process of creating a new Azure Sentinel playbook. The scenario we are solving is notifying our security analysts using Microsoft Teams that a new, high-severity incident was created.
The first step is to create a new playbook that Azure Sentinel can use. Remember that for Azure Sentinel to be able to use a playbook, it must use the Azure Sentinel connector:
Note
There is a functionality for Azure Sentinel that allows you to create analytic rules that will raise an alert without generating an incident. For this example, we are assuming that the analytic rule(s) using this workflow will be creating an incident.
Now that we have the information from the incident, what do we do with it? The scenario states that we need to alert the analysts if a high-severity alert is raised. The Alert – Get Incident action returns all the incidents, so we need to filter for just the high-severity ones:
Hint
Both the Azure Sentinel connector’s trigger and the Alert – Get incident action both return the severity and it does not matter which one you choose.
Now we need to post the message. To do this, follow these steps:
There you have it! A fully functional and incredibly useful Azure Sentinel playbook with no coding required. It just took some figuring out of which fields to use where. This is a very simple example but, hopefully, it will at least give you some ideas of what to use playbooks for.
In this chapter, you learned how to create a playbook that you can use in your analytic query rules to perform SOAR actions. Playbooks are based on Azure Logic Apps, with the only difference being that the Azure Sentinel connector must be used for a logic app to be a playbook.
With what you have learned, you can now create playbooks to automate a lot of actions that had to be performed manually before. You read about one such example, but there is no limit to what you can do!
In the next chapter, we will use what we learned in this chapter to build a playbook that will create a new ServiceNow ticket and update the incident with the ticket number.
Use these questions to test your knowledge of this chapter:
18.191.67.40