Introduction


Microsoft Sentinel, in addition to being a Security Information and Event Management (SIEM) system, is also a platform for Security Orchestration, Automation, and Response (SOAR). One of its primary purposes is to automate any recurring and predictable enrichment, response, and remediation tasks that are the responsibility of your Security Operations Center and its personnel (SOC/SecOps).

You're a Security Operations Analyst working at a company that implemented Microsoft Sentinel in Microsoft Azure. You're preparing to onboard Sentinel workspaces into Microsoft Defender, and you need to understand any differences with Automation rules and Playbooks. You identified an analytical rule that generates incidents that are considered Benign Positive. You would like to implement automation that would automatically close these incidents after generation.

By the end of this module, you'll be able to use automation rules in Microsoft Sentinel in Azure and the Defender portal to automate incident management.

After completing this module, you'll be able to:

  • Explain automation options in Microsoft Sentinel
  • Create automation rules in Microsoft Sentinel in Azure and the Defender portal
  • Create playbooks in Microsoft Sentinel in Azure and the Defender portal