In Security Orchestration, Automation, and Response (SOAR), timing often matters as much as the action itself. A common case is a playbook that should run only on specific days, for example notifying an on-call team on public holidays when the regular SOC shift is not staffed. Microsoft Sentinel, combined with Azure Logic Apps, lets you automate playbook execution on designated days with no custom scheduling code. This post shows how to set that up.
Setting Up the Solution:
Create a Watchlist in Microsoft Sentinel
Begin by signing in to Microsoft Sentinel and navigating to the Watchlist section. Create a new Watchlist (for example, one named for public holidays) whose CSV has a column of dates, each written in the format YYYY/MM/DD. The name of the watchlist is up to you; it is the date column that must use this fixed format, because the Logic App condition later compares it as a string.
When creating the watchlist, you upload a CSV file. A CSV is plain text, but if you edit it in Excel, Excel may silently reinterpret the date column and save it in a different format (such as M/D/YYYY), which would break the string comparison. In that case, either open the CSV in a plain text editor and correct the dates to YYYY/MM/DD before uploading, or upload it and then edit the watchlist items in Sentinel so every date is in the YYYY/MM/DD form. Also choose the date column as the SearchKey when creating the watchlist, since that is the column lookups are optimised for.
Content of the Watchlist should look like this –
Define Logic App Conditions:
Open Azure Logic Apps, where you will orchestrate the automation flow. Create a new Logic App and choose the trigger that suits your scenario; for a Sentinel playbook this is usually one of the Microsoft Sentinel triggers (incident, alert or entity).
Next add the action "Run query and list results" from the Azure Monitor Logs connector. This action runs a KQL query against your Log Analytics workspace and returns the rows as a list. The connection it uses (preferably the Logic App's managed identity) only needs read access to the workspace, so grant it the Log Analytics Reader role on that workspace rather than anything broader. The query itself should read the watchlist, for example with the _GetWatchlist('<watchlist name>') function, and project the date column.
Condition
After the trigger, add a condition that checks whether the current date matches any date in the Watchlist created in Sentinel.
formatDateTime(utcNow(), 'yyyy/MM/dd') | is equal to | HolidayDate (the date column returned by the previous "Run query and list results" action)
The format string in formatDateTime must again be 'yyyy/MM/dd', because that is exactly how the dates were written in the watchlist; the comparison is a plain string match, so any difference in separators or zero-padding makes it fail. Two caveats: because the query output is a list, Logic Apps wraps the condition in a For each loop over the returned rows, which is fine here since only matching rows should trigger the actions. And utcNow() returns UTC, so if your holidays are defined in a local time zone, convert first, for example formatDateTime(convertTimeZone(utcNow(), 'UTC', 'W. Europe Standard Time'), 'yyyy/MM/dd'), otherwise the match can be off by a day near midnight.
If the current date matches a date in the Watchlist, the playbook continues with the actions you place in the true branch; otherwise it does nothing.
That is all. This post only defines the condition; any action can be configured after it. We used this playbook to send email notifications for incidents raised on a public holiday. Below is a snippet of the condition:
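As an added example that is not part of the original post, the KQL below is one way to write the query for the "Run query and list results" action so that the date match happens in the query itself rather than in a For each loop. It assumes a watchlist named PublicHolidays with a column HolidayDate holding dates as YYYY/MM/DD text; both names are assumptions and should be replaced with your own.

```kql
// Added example, not the original post's query.
// Assumes a watchlist 'PublicHolidays' with a text column 'HolidayDate'
// written as yyyy/MM/dd, e.g. 2024/12/25.
let today = format_datetime(now(), 'yyyy/MM/dd');   // UTC date as the same string form
_GetWatchlist('PublicHolidays')
| where HolidayDate == today                        // exact string match, like the Logic App condition
| project HolidayDate
```

With this query the Logic App condition no longer needs the per-row comparison: check instead that `length(body('Run_query_and_list_results')?['value'])` is greater than 0, which is true only when today appears in the watchlist. If you cannot guarantee the date format in the CSV, `where todatetime(HolidayDate) == startofday(now())` tolerates other common date spellings at the cost of a parse on every row; and if holidays are local dates, apply the same time-zone adjustment here as in the Logic App expression, since `now()` is UTC.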
Disclaimer
The views expressed in this blog post are solely my own and do not represent those of my employer or any clients. The views and opinions expressed in this blog post are based on references from Microsoft articles. Assistance from ChatGPT is taken for formatting the wordings of the blog.