Learning Path 7 - Lab 1 - Exercise 2 - Create a Playbook

Lab scenario

Lab overview

You’re a Security Operations Analyst working at a company that implemented Microsoft Sentinel. You must learn how to detect and mitigate threats using Microsoft Sentinel. Now, you want to automate the response and remediation actions that can be run from Microsoft Sentinel as a routine.

With a playbook, you can help automate and orchestrate your threat response, integrate with other systems both internal and external, and can be set to run automatically in response to specific alerts or incidents, when triggered by an analytics rule or an automation rule, respectively.

Note: An interactive lab simulation is available that allows you to click through this lab at your own pace. You may find slight differences between the interactive simulation and the hosted lab, but the core concepts and ideas being demonstrated are the same.

Task 1: Create a Security Operations Center Team in Microsoft Teams

In this task, you’ll create a Microsoft Teams team for use in the lab.

  1. Log in to WIN1 virtual machine as Admin with the password: Pa55w.rd.

  2. In the Microsoft Edge browser, open a new tab and navigate to the Microsoft Teams portal at (https://teams.microsoft.com).

  3. In the Sign in dialog box, copy and paste in the Tenant Email account provided by your lab hosting provider and then select Next.

  4. In the Enter password dialog box, copy and paste in the Tenant Password provided by your lab hosting provider and then select Sign in.

  5. Close any Teams pop-ups that may appear.

  6. If not already selected, select Teams on the left menu, then at the top, select the plus sign icon.

  7. Select the Create Team option.

  8. Select the From scratch button.

  9. Select the Private button.

  10. Give the team the name SOC, then select the Create button.

  11. In the Add members to SOC screen, select the Skip button.

  12. Scroll down the Teams blade to locate the newly created SOC team, select the ellipsis (…) on the right side of the name and select Add channel.

  13. Enter a channel name of New Alerts then select the Add button.

Task 2: Create a Playbook in Microsoft Sentinel

In this task, you’ll create a Logic App that is used as a Playbook in Microsoft Sentinel.

  1. In the Microsoft Edge browser, navigate to Microsoft Sentinel on GitHub.

  2. Scroll down and select the Solutions folder.

  3. Next, select the SentinelSOARessentials folder, then the Playbooks folder.

  4. Select the Post-Message-Teams folder.

  5. In the readme.md box, scroll down to the Quick Deployment section and, under Deploy with incident trigger (recommended), select the Deploy to Azure button.

  6. Make sure your Azure Subscription is selected.

  7. For Resource Group, select Create New, enter RG-Playbooks and select OK.

  8. Leave (US) East US as the default value for Region.

  9. Rename the Playbook Name to “PostMessageTeams-OnIncident” and select Review + create.

  10. Now select Create.

    Note: Wait for the deployment to finish before proceeding to the next task.
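The Deploy to Azure button submits the playbook's ARM template as a resource group deployment. The following Az PowerShell script is an added example, not part of the lab or of the Azure-Sentinel repository, that performs the same deployment from the command line and then verifies the result. It assumes the Az.Resources and Az.LogicApp modules are installed and that you have already run Connect-AzAccount; $TemplateUri is a placeholder for the raw azuredeploy.json URL of the incident-trigger template in the Post-Message-Teams folder, PlaybookName is assumed to be the template's parameter name for the playbook name, and the deployment name PostMessageTeams-deploy is chosen here.

```powershell
# Added example (not part of the lab): deploy the Post-Message-Teams playbook
# template with the Az PowerShell module and verify what was created.
# Assumptions: Az.Resources and Az.LogicApp are installed, Connect-AzAccount has
# been run, $TemplateUri is a placeholder for the template's raw azuredeploy.json
# URL, and 'PlaybookName' is assumed to be the template's parameter name.

$ResourceGroup = 'RG-Playbooks'
$Location      = 'eastus'                       # (US) East US, as in the portal form
$PlaybookName  = 'PostMessageTeams-OnIncident'
$TemplateUri   = '<raw-URL-of-azuredeploy.json-in-the-Post-Message-Teams-folder>'  # placeholder

# Create the resource group if it does not exist (the "Create New" step in the portal).
if (-not (Get-AzResourceGroup -Name $ResourceGroup -ErrorAction SilentlyContinue)) {
    New-AzResourceGroup -Name $ResourceGroup -Location $Location | Out-Null
}

# Submit the ARM template; this is what the Deploy to Azure button does behind the scenes.
$deployment = New-AzResourceGroupDeployment `
    -ResourceGroupName $ResourceGroup `
    -Name 'PostMessageTeams-deploy' `
    -TemplateUri $TemplateUri `
    -TemplateParameterObject @{ PlaybookName = $PlaybookName }

# Stop here if provisioning did not succeed, instead of continuing with a half-built playbook.
if ($deployment.ProvisioningState -ne 'Succeeded') {
    throw "Deployment ended in state '$($deployment.ProvisioningState)'"
}

# Verify the Logic App exists and is enabled.
Get-AzLogicApp -ResourceGroupName $ResourceGroup -Name $PlaybookName |
    Select-Object Name, Location, State

# List the API connections the template created. These are the ones Task 3 re-authorizes
# with your own sign-in; until then the playbook cannot reach Sentinel or Teams.
Get-AzResource -ResourceGroupName $ResourceGroup -ResourceType 'Microsoft.Web/connections' |
    Select-Object Name, ResourceType
```

Deploying from a script rather than the portal makes the resource group, region and playbook name explicit and repeatable, which matters when the same playbook has to be rolled out to several workspaces. The final two commands give you a quick check that the workflow and its connections were created before you move on to authorizing the connections in Task 3.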

Task 3: Update a Playbook in Microsoft Sentinel

In this task, you’ll update the new playbook you created with the proper connection information.

  1. In the Search bar of the Azure portal, type Sentinel, then select Microsoft Sentinel.

  2. Select your Microsoft Sentinel Workspace.

  3. Select Automation under the Configuration area and then select the Active Playbooks tab.

  4. Select Refresh from the command bar in case you don’t see any playbooks. You should see the playbook created from the previous step with the Microsoft Sentinel Incident Trigger kind.

  5. Select the PostMessageTeams-OnIncident playbook name.

  6. On the Logic App page for PostMessageTeams-OnIncident, in the command menu, select Edit.

    Note: You may need to refresh the page.

  7. Select the first block, Microsoft Sentinel incident (Preview).

  8. Select the Change connection link.

  9. Select Add new and select Sign in. In the new window, select your Azure subscription admin credentials when prompted. The last line of the block should now read “Connected to your-admin-username”.

  10. Now select the second block, Connections.

  11. Select Add new and select your Azure admin credentials when prompted. The last line of the block should now read “Connected to your-admin-username”.

  12. The block has now been renamed to Post a message (V3) (Preview). At the end of the Team field, select the X to clear the contents. The field changes to a drop-down listing the available teams from Microsoft Teams. Select SOC.

  13. Do the same for the Channel field: select the X at the end of the field to clear the contents. The field changes to a drop-down listing the channels of the SOC team. Select New Alerts.

  14. Select Save on the command bar. The Logic App will be used in a future lab.

Proceed to Exercise 3