Learning Path 8 - Lab 1 - Exercise 1 - Create a Playbook in Microsoft Sentinel
Lab scenario
You’re a Security Operations Analyst working at a company that implemented Microsoft Sentinel. You must learn how to detect and mitigate threats using Microsoft Sentinel. Now, you want to set up response and remediation actions that can be run from Microsoft Sentinel as a routine.
A playbook helps you automate and orchestrate your threat response, integrates with other systems both internal and external, and can be set to run automatically in response to specific alerts or incidents when triggered by an analytics rule or an automation rule.
Important: The lab exercises for Learning Path #8 are in a standalone environment. If you exit the lab before completing it, you will be required to re-run the configurations.
Task 1: Create a Playbook in Microsoft Sentinel
In this task, you create a Logic App that is used as a Playbook in Microsoft Sentinel.
Note: Microsoft Sentinel has been predeployed and onboarded to Microsoft Defender XDR with the name sentinelworkspace-01, and the required Content Hub solutions have been installed.
- Log in to WIN1 virtual machine as Admin with the password: Pa55w.rd.
- Open the Microsoft Edge browser.
- In the Edge browser, navigate to Defender XDR at https://security.microsoft.com.
- In the Sign in dialog box, copy and paste in the Tenant Email account provided by your lab hosting provider and then select Next.
- In the Enter password dialog box, copy and paste in the Tenant Password provided by your lab hosting provider and then select Sign in.

Note: You may be prompted to enter the Temporary Access Pass (TAP) instead of a password. This is also provided in the resources tab. If prompted, copy and paste the TAP value and select Sign in.

- In the Microsoft Defender navigation menu, scroll down and expand the Microsoft Sentinel section.
- Expand the Content management section and select Content Hub.
- Within the search bar, look for Sentinel SOAR Essentials.
- Select the solution that appears in the results.
- Within the solution details, select Manage.
- Find the Defender_XDR_Ransomware_Playbook_for_SecOps-Tasks playbook and select the name.
- Select the Incident tasks - Microsoft Defender XDR Ransomware Playbook for SecOps template.
- On the details pane, select Create playbook.
- For Resource Group, select SentinelStatic and select OK.
- Remove the word for and the extra underscores from the playbook name (the full name would exceed the limit of 64 characters). It should read Defender_XDR_Ransomware_Playbook_SecOps_Tasks.
- Select Connections.
- Select Next: Review and create.
- Now select Create Playbook.

Note: Wait for the deployment to finish before proceeding to the next task.

- Select the Close and go to playbook button to open the Logic App designer for the playbook.
Task 2: Update a Playbook in Microsoft Sentinel
In this task, you update the new playbook you created with the proper connection information.
- When the previous task completes you should be in the *Defender_XDR_Ransomware_Playbook_SecOps_Tasks Logic app designer* page. If you aren’t, complete steps 2-7 below.
- In the Search bar of the Azure portal, type Sentinel, then select Microsoft Sentinel.
- Select your Microsoft Sentinel Workspace.
- Select Automation under the Configuration area and then select the Active Playbooks tab.
- Select Refresh from the command bar in case you don’t see any playbooks. You should see the playbook created from the previous step.
- Select the Defender_XDR_Ransomware_Playbook_SecOps_Tasks playbook name link.
- On the Logic app designer page for Defender_XDR_Ransomware_Playbook_SecOps_Tasks, in the command menu, select Edit.

Note: You may need to refresh the page.

- Select the first block, Microsoft Sentinel incident.
- Select the Change connection link.
- Select Add new and select Sign in. In the new window, select your Azure subscription admin credentials when prompted. The last line of the block should now read “Connected to your-Student-username”.
- Select Save on the command bar.
- Select the X on the window to close it. The Logic App will be used in a future lab.
Task 3: Create an Automation Rule
- After closing the window in the previous task you should be in the Microsoft Sentinel Automation section.
- Select + Create and choose Automation Rule.
- Give the rule a name.
- Leave the Trigger as When an incident is created.
- Select + Add and choose Condition (And).
- From the drop-down, select Tactics.
- Select the Contains operator from the dropdown.
- Select the following tactics Values:
  - Reconnaissance
  - Execution
  - Persistence
  - Command and Control
  - Exfiltration
  - PreAttack
- Under Actions, select Run Playbook.
- From the drop-down list, select the Defender_XDR_Ransomware_Playbook_SecOps_Tasks playbook.
- Select Apply at the bottom.
- Select the X on the Create new automation rule window to close it.
You have now created a playbook and an automation rule in Microsoft Sentinel.
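The automation rule from Task 3 expressed as a REST request body, as an added example that is not part of the lab: it maps the portal's tactic labels to the API enum names and checks the 64-character playbook name limit mentioned in Task 1, so the same rule can be reproduced outside the portal. Field names follow the Microsoft.SecurityInsights automationRules schema as I know it; the subscription ID and tenant ID are placeholders, and sending the request (with an ARM bearer token) is left out so the block runs offline.

```python
import re

# Placeholder ARM identifiers (assumptions; only the resource group and workspace come from the lab).
SUBSCRIPTION_ID = "00000000-0000-0000-0000-000000000000"  # placeholder
RESOURCE_GROUP = "SentinelStatic"
WORKSPACE = "sentinelworkspace-01"
API_VERSION = "2023-02-01"

# The portal shows friendly tactic labels; the API expects enum names.
TACTIC_LABEL_TO_ENUM = {
    "Reconnaissance": "Reconnaissance",
    "Execution": "Execution",
    "Persistence": "Persistence",
    "Command and Control": "CommandAndControl",
    "Exfiltration": "Exfiltration",
    "PreAttack": "PreAttack",
}


def valid_playbook_name(name: str) -> bool:
    """64-character limit from the lab, plus the Logic App name character set."""
    return 1 <= len(name) <= 64 and re.fullmatch(r"[A-Za-z0-9_.()-]+", name) is not None


def playbook_resource_id(name: str) -> str:
    return (f"/subscriptions/{SUBSCRIPTION_ID}/resourceGroups/{RESOURCE_GROUP}"
            f"/providers/Microsoft.Logic/workflows/{name}")


def automation_rule_url(rule_id: str) -> str:
    return (f"https://management.azure.com/subscriptions/{SUBSCRIPTION_ID}"
            f"/resourceGroups/{RESOURCE_GROUP}/providers/Microsoft.OperationalInsights"
            f"/workspaces/{WORKSPACE}/providers/Microsoft.SecurityInsights"
            f"/automationRules/{rule_id}?api-version={API_VERSION}")


def build_automation_rule(display_name, tactic_labels, playbook_name, tenant_id):
    """Incident-created trigger, 'Tactics contains ...' condition, RunPlaybook action."""
    if not valid_playbook_name(playbook_name):
        raise ValueError(f"invalid playbook name: {playbook_name!r}")
    unknown = [t for t in tactic_labels if t not in TACTIC_LABEL_TO_ENUM]
    if unknown:
        raise ValueError(f"unknown tactic label(s): {unknown}")
    return {"properties": {
        "displayName": display_name, "order": 1,
        "triggeringLogic": {
            "isEnabled": True, "triggersOn": "Incidents", "triggersWhen": "Created",
            "conditions": [{"conditionType": "Property", "conditionProperties": {
                "propertyName": "IncidentTactics", "operator": "Contains",
                "propertyValues": [TACTIC_LABEL_TO_ENUM[t] for t in tactic_labels]}}]},
        "actions": [{"order": 1, "actionType": "RunPlaybook", "actionConfiguration": {
            "logicAppResourceId": playbook_resource_id(playbook_name),
            "tenantId": tenant_id}}]}}
```

The body is what you would PUT to `automation_rule_url(...)`; the playbook's Logic App must already have its Sentinel connection authorized (Task 2) or the rule cannot run it.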